Intrusion Tolerant Server Infrastructure
DESCRIPTION
Intrusion Tolerant Server Infrastructure. Dick O’Brien, OASIS PI Meeting, July 25, 2001. Outline: Technical Objective; Technical Approach (Architecture, Load Sharing, Detection, Hardened Servers, Response); Technology Transition; Demo Scenarios.
TRANSCRIPT
1
Not For Public Release
SECURE COMPUTING
Intrusion Tolerant Server Infrastructure
Dick O’Brien
OASIS PI Meeting
July 25, 2001
2
OASIS PI Meeting - Not For Public Release
Outline
• Technical Objective
• Technical Approach
– Architecture
– Load Sharing
– Detection
– Hardened Servers
– Response
• Technology Transition
• Demo Scenarios
3
Technical Objective
• Develop an Intrusion Tolerant Server Infrastructure that uses independent network layer enforcement mechanisms to:
– Reduce intrusions
– Prevent propagation of intrusions that do occur
– Provide automated load shifting when intrusions are detected
– Support automated server recovery
4
Technical Approach
• Intrusion tolerant server components
– Load distribution and network response capability using the ADF Policy Enforcing NICs
– Server hardening to reduce effectiveness of penetrations
– Intrusion detection systems that primarily reside on server hosts
– An Availability and Integrity Controller (AIC) to manage the system and respond to intrusions reported to it
5
ITSI Architecture
[Figure: ITSI architecture diagram; component labels as they appear, grouped by host.]
Web Server – 1: Windows 2000; IIS Web Server; Intrusion Detection; Detection/Initiating Agent; Response/Recovery Agent; Embedded Firewall – NIC 1; Embedded Firewall – NIC 2
Web Server – 2: SE Linux; Apache Web Server; Intrusion Detection; Detection/Initiating Agent; Response/Recovery Agent; Embedded Firewall – NIC 1; Embedded Firewall – NIC 2
AIC: Windows 2000; ADF Policy Server; Alert Handler; Cluster Manager; ID Management; Response/Recovery Controller; Embedded Firewall – NIC 2
6
Policy Enforcing NICs
• ADF PENs are network interface cards that have been enhanced to provide additional controls
– Packet Filtering
– IPSEC support
– Network layer audit
– Host independent
– Centrally managed
• ITSI adds
– Load sharing
– Blocking and fishbowling
– Alerts
7
Load Sharing
• Each server receives all traffic addressed to the shared virtual IP
• Rules on the PEN determine what traffic to process and what to throw away based on source IP
• Traffic load can be shifted by modifying PEN rules
[Figure: IIS Web Server and Apache Web Server, each with a PEN Agent and a PEN (PEN 1, PEN 2) holding Load Sharing Rules; New Rules from AIC are pushed to the PENs.]
8
PEN Enhancements
• Blocking
– Traffic from specified IP addresses can be blocked
• Fishbowling
– Traffic from a specified IP address can be handled by a particular web server
– All traffic from the specified IP address can be audited
• Alerts
– On the AIC the Alert Handler can generate alerts in response to specific audit events
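As an added illustration of the rule model the Load Sharing and PEN Enhancements slides describe, the following Python script simulates two PENs that share one virtual IP: each NIC holds a first-match rule list that decides which source addresses its server processes, and AIC-side functions rewrite those lists for the even/odd load share, for a BLOCK_SOURCE_IP block, for fishbowling one address with audit while shifting the rest (the SHIFT_EXCL_IP response of the later slides) and for redistributing the whole load when a server stops answering. This is example code written for this page, not ITSI or ADF software; the rule representation, the function names and the 192.0.2.x sample addresses are assumptions.

```python
"""Rule evaluation on two Policy Enforcing NICs (PENs) that share one virtual IP.
Added example for this page, not ITSI or ADF code: the rule representation,
the function names and the 192.0.2.x sample addresses are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address

ACCEPT, DROP, ACCEPT_AUDIT = "ACCEPT", "DROP", "ACCEPT_AUDIT"


@dataclass
class Pen:
    """One PEN. Every packet sent to the shared VIP reaches every PEN; each PEN
    walks its rule list in order and the first matching rule decides. A source
    no rule accepts is thrown away, so the two PENs never process the same
    source. ACCEPT_AUDIT records the source before accepting it (fishbowling)."""
    name: str
    rules: list = field(default_factory=list)      # (predicate, action, label)
    audit_log: list = field(default_factory=list)  # (src, label) of audited packets

    def decide(self, src: str) -> str:
        for pred, action, label in self.rules:
            if pred(src):
                if action == ACCEPT_AUDIT:
                    self.audit_log.append((src, label))
                return action
        return DROP


def parity_rule(even: bool):
    """Predicate for the even/odd source address split used in the demo."""
    return lambda src: (int(ip_address(src)) % 2 == 0) == even


def match_ip(ip: str):
    return lambda src: src == ip


def any_src(src: str) -> bool:
    return True


# --- AIC / Policy Server side: the "new rules from AIC" pushed to the PENs ---

def set_load_share(pen1: Pen, pen2: Pen) -> None:
    """Initial load sharing: even source addresses to PEN 1, odd to PEN 2."""
    pen1.rules = [(parity_rule(True), ACCEPT, "even sources")]
    pen2.rules = [(parity_rule(False), ACCEPT, "odd sources")]


def redistribute_to(surviving: Pen, down: Pen) -> None:
    """Server behind `down` stopped answering heartbeats: move the whole load."""
    surviving.rules = [(any_src, ACCEPT, "all sources")]
    down.rules = []


def block_source_ip(pen: Pen, ip: str) -> None:
    """BLOCK_SOURCE_IP: the block goes in front of the load sharing rules, so
    the blocked source is dropped before the parity rule can accept it."""
    pen.rules.insert(0, (match_ip(ip), DROP, f"block {ip}"))


def shift_excl_ip(pen_from: Pen, pen_to: Pen, ip: str) -> None:
    """SHIFT_EXCL_IP: the suspect source stays on pen_from and is audited
    (fishbowled); every other source is shifted to pen_to."""
    pen_from.rules = [(match_ip(ip), ACCEPT_AUDIT, f"fishbowl {ip}")]
    pen_to.rules = [(match_ip(ip), DROP, f"exclude {ip}"),
                    (any_src, ACCEPT, "all sources")]


def route(pens, src: str) -> dict:
    """Decision of every PEN for one packet from src: PEN name -> action."""
    return {p.name: p.decide(src) for p in pens}


def demo() -> dict:
    """Walk through the load sharing demo and the two network responses."""
    nic1, nic2 = Pen("NIC 1"), Pen("NIC 2")
    pens = (nic1, nic2)
    laptop1, laptop2 = "192.0.2.10", "192.0.2.11"   # constructed even and odd sources
    out = {}
    set_load_share(nic1, nic2)
    out["initial"] = {src: route(pens, src) for src in (laptop1, laptop2)}
    block_source_ip(nic1, laptop1)                   # port scan demo: block the scanner
    out["blocked"] = route(pens, laptop1)
    set_load_share(nic1, nic2)
    shift_excl_ip(nic1, nic2, laptop1)               # IIS attack demo: fishbowl, shift the rest
    out["shifted"] = {src: route(pens, src) for src in (laptop1, laptop2)}
    out["audited"] = list(nic1.audit_log)
    redistribute_to(nic1, nic2)                      # server 2 unreachable
    out["server2_down"] = {src: route(pens, src) for src in (laptop1, laptop2)}
    return out


if __name__ == "__main__":
    for phase, result in demo().items():
        print(phase, result)
```

Rule order is the security-relevant detail: the block rule is inserted ahead of the load sharing rules so a blocked source is dropped before the parity check can accept it, and because the default for an unmatched source is DROP, shifting traffic means adding an accept on the receiving NIC rather than removing anything from the sending one. Run `demo()` to see the decisions for each phase.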
9
Hardened Servers
• SE Linux
– Type Enforcement for protecting components
  • Web Server
  • Snort ID
  • ITSI Detection/Response agent
  • PEN agent
– Stackguarded Apache web server
• Windows 2000
– Wrapped components using Kernel Loadable Wrappers
  • IIS
  • ISS RealSecure
  • ITSI Detection/Response agent
  • PEN agent
10
Detection
• PEN based audit from both web servers
– Sniffing attempts
– Spoofing attempts
– Attempts at initiating unauthorized TCP connections
• Intrusion Detection systems
– Snort on SE Linux
– ISS RealSecure on Windows 2000
– Tripwire
• TE violations audited on SE Linux
• Wrapper violations audited on Windows 2000
• AIC receives alerts and determines response strategy and actions
11
AIC Functions
• ADF PEN management
– Packet filtering policies, IPSEC policies
• ITSI adds
– Load sharing/redirection policies
– Intrusion detection system interface
– Anomaly logging, reporting and analysis
– Response strategies
– Recovery and restoration
12
ITSI – Demonstration Software Architecture
[Figure: Layered Security Architecture – Intrusion Detection Software over Operating System Security over NIC Based Firewall; ITSI Developed Components are marked. Labels as they appear, grouped by host.]
Web Server - 1 (Windows 2000): Embedded Firewall; Response Agent (Initiator, Responder; Perl / CGI); IIS Web Server; ID Software – Host ID (ISS Server Sensor), Network ID
Web Server - 2 (SE Linux): Embedded Firewall; Response Agent (Initiator, Responder; Perl / CGI); Apache Web Server; ID Software – Host ID (SE Log Analyzer), Network ID (Snort)
Availability and Integrity Controller (AIC) (Windows 2000): Embedded Firewall; Policy Server (Policy Manager, Audit Manager); Response Server (Event Handler, Event Correlator, Response Initiator); ISS Manager; Cluster Manager; Alert Handler; Response Interface
13
Response Capabilities
[Figure: Availability & Integrity Controller (AIC) - Windows 2000; IIS Web Server - Windows 2000; Apache Web Server - SE Linux]
AIC Capabilities:
• Receives Events from Web Servers
• Correlates Events Based on Priority
• Enables User Customizable Responses Based on Event Types
• Initiates Responses
• Manages Web Server Load Sharing
• Manages ID Software
• Controls Embedded Firewalls
Web Server Capabilities:
• Detects Intrusions
• Initiates Local Responses
• Sends Intrusion Event Data to AIC
• Performs Local Responses per AIC
• Localized Recovery
14
Response Components
[Figure: data flow between the response components; labels as they appear, grouped by component.]
Response Agent – Initiator: Send Events (Log Event, Restart)
Event Handler: Store Events
Event Correlator: Read New Events; Read Config Files (Response Configuration, Server Config, Service Data); List of Responses
Response Initiator: Send Responses (Disable Source, Shutdown, Check & Restore); Reinitiate Load Share Thru Policy Server
Response Agent – Responder: Local Response File; Execute Custom Responses (Disable Source, Check & Restore, Shutdown)
15
Response Configuration File
Priority: Tells Correlator What Responses to Perform for Each Server
Values: (1-4) where 1 is the highest.
Type: Type of Event Detected
Values: Intrusion – Event representing known intrusion.
        Suspicious – Event representing known intrusion with false positives or suspicious activity.
Severity: Event Severity
Values: High, Medium or Low
Source: Source Associated with Event Occurrence
Values: NETWORK_IP_ADDRESS, USER_ID, PROCESS_ID
Example entry (columns: Priority, Type, Severity, Source, Responses, Security Status):
2  SUSPICIOUS  HIGH  NETWORK_IP_ADDRESS  CHECK_RESTORE BLOCK_SOURCE_IP  SECURITY_IN_QUESTION
16
Response Configuration File (cont)
Responses: Responses Performed for the Event
Custom Responses Executed on the Web Server Machine by the Responder:
CHECK_RESTORE - Expected to Check Local Server Integrity and Fix Whatever is Necessary if Possible
DISABLE_SOURCE - Expected to Disable Process ID or USER ID of the Server Machine
SHUTDOWN_REQ - Expected to Shutdown the Server
Responses Executed on the AIC by the Response Initiator:
BLOCK_SOURCE_IP – Call to Policy Server to Block Source IP on Specified Server NIC(s)
SHIFT_ALL – Call to Policy Server to Shift All Traffic From Specified Server
SHIFT_EXCL_IP – Call to Policy Server to Shift All Traffic From NIC Except Specified IP & Turn Audit On
Example entry (columns: Priority, Type, Severity, Source, Responses, Security Status):
2  SUSPICIOUS  HIGH  NETWORK_IP_ADDRESS  CHECK_RESTORE BLOCK_SOURCE_IP  SECURITY_IN_QUESTION
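To show how the configuration file and the response split on these two slides fit together, here is an added Python example (not ITSI code) that parses such a file and performs the correlation the Response Components slide outlines: for each reporting server the matching entry with the highest priority wins, and its responses are divided into the ones the Responder executes on the web server and the ones the Response Initiator executes on the AIC. The slides do not show a line syntax, so the whitespace-separated layout with comma-joined responses, the function and field names, and every sample row other than the slide's own "2 SUSPICIOUS HIGH ..." entry are assumptions; the events are constructed to mirror the demo scenarios that follow.

```python
"""Parser and correlator for a Response Configuration File of the kind the
slides describe. Added example, not ITSI code: the line layout (six
whitespace-separated fields, responses joined by commas), the names and the
sample rows apart from the slide's own "2 SUSPICIOUS HIGH ..." entry are
assumptions made for this illustration."""
from dataclasses import dataclass

# Where each response runs, from the "Response Configuration File (cont)" slide.
RESPONDER_RESPONSES = {"CHECK_RESTORE", "DISABLE_SOURCE", "SHUTDOWN_REQ"}
AIC_RESPONSES = {"BLOCK_SOURCE_IP", "SHIFT_ALL", "SHIFT_EXCL_IP"}
VALID_TYPES = {"INTRUSION", "SUSPICIOUS"}
VALID_SEVERITIES = {"HIGH", "MEDIUM", "LOW"}
VALID_SOURCES = {"NETWORK_IP_ADDRESS", "USER_ID", "PROCESS_ID"}

# Constructed sample file; only the priority-2 row is taken from the slide.
SAMPLE_CONFIG = """\
# Priority Type Severity Source Responses SecurityStatus
1 INTRUSION  HIGH   NETWORK_IP_ADDRESS CHECK_RESTORE,BLOCK_SOURCE_IP SECURITY_IN_QUESTION
2 SUSPICIOUS HIGH   NETWORK_IP_ADDRESS CHECK_RESTORE,BLOCK_SOURCE_IP SECURITY_IN_QUESTION
3 SUSPICIOUS MEDIUM NETWORK_IP_ADDRESS CHECK_RESTORE,SHIFT_EXCL_IP   SECURITY_IN_QUESTION
4 INTRUSION  MEDIUM PROCESS_ID         DISABLE_SOURCE                SECURITY_IN_QUESTION
"""


@dataclass(frozen=True)
class Entry:
    priority: int          # 1-4, 1 is the highest
    type: str
    severity: str
    source: str
    responses: tuple
    security_status: str


@dataclass(frozen=True)
class Event:
    server: str            # reporting web server
    type: str
    severity: str
    source: str            # source kind, e.g. NETWORK_IP_ADDRESS
    value: str             # the address, user id or process id itself


def parse_config(text: str) -> list:
    """One Entry per non-comment line. Anything outside the value sets the
    slides define is rejected, so a typo cannot silently disable a response."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        prio, typ, sev, src, resp, status = fields
        if not prio.isdigit() or not 1 <= int(prio) <= 4:
            raise ValueError(f"line {lineno}: priority must be 1-4")
        if typ not in VALID_TYPES or sev not in VALID_SEVERITIES or src not in VALID_SOURCES:
            raise ValueError(f"line {lineno}: unknown type, severity or source")
        responses = tuple(resp.split(","))
        unknown = set(responses) - RESPONDER_RESPONSES - AIC_RESPONSES
        if unknown:
            raise ValueError(f"line {lineno}: unknown responses {sorted(unknown)}")
        entries.append(Entry(int(prio), typ, sev, src, responses, status))
    return entries


def correlate(entries: list, events: list) -> dict:
    """Per server, keep the matching entry with the highest priority (lowest
    number) among that server's new events and split its responses by where
    they execute. Servers whose events match no entry get no plan."""
    plans = {}
    for ev in events:
        matches = [e for e in entries
                   if (e.type, e.severity, e.source) == (ev.type, ev.severity, ev.source)]
        if not matches:
            continue
        best = min(matches, key=lambda e: e.priority)
        current = plans.get(ev.server)
        if current is None or best.priority < current["priority"]:
            plans[ev.server] = {
                "priority": best.priority,
                "security_status": best.security_status,
                "source_value": ev.value,
                "responder": [r for r in best.responses if r in RESPONDER_RESPONSES],
                "aic": [r for r in best.responses if r in AIC_RESPONSES],
            }
    return plans


def demo() -> dict:
    """Constructed events in the shape of the demo scenarios that follow."""
    events = [
        Event("Server 1", "SUSPICIOUS", "MEDIUM", "NETWORK_IP_ADDRESS", "192.0.2.10"),
        Event("Server 1", "INTRUSION", "HIGH", "NETWORK_IP_ADDRESS", "192.0.2.10"),
        Event("Server 2", "INTRUSION", "HIGH", "NETWORK_IP_ADDRESS", "192.0.2.11"),
        Event("Server 2", "SUSPICIOUS", "LOW", "USER_ID", "www"),   # matches no entry
    ]
    return correlate(parse_config(SAMPLE_CONFIG), events)
```

The correlator keys on (type, severity, source) and lets priority break ties across a server's pending events, which is the behaviour the slide words as "Correlates Events Based on Priority"; the split into `responder` and `aic` lists is what lets one configuration line drive both a local check-and-restore and a Policy Server call.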
17
Technology Transition
• Hardened Server OPX experiment
• Commercial transition of results into Embedded Firewall product
18
Demo Scenarios
19
Load Sharing Demo
[Figure: the three ITSI hosts and two browsing laptops; component labels as they appear, grouped by host.]
Web Server – 1 (Windows 2000): IIS Web Server; ISS Network ID; ISS Host ID; Response Agent - Responder; Response Agent - Initiator; Embedded Firewall – NIC 1
Web Server – 2 (SE Linux): Apache Web Server; Snort Network ID; SE Log Analz – Host ID; Response Agent - Responder; Response Agent - Initiator; Embedded Firewall – NIC 2
AIC (Windows 2000): Policy Manager; Audit Manager; Event Handler; ISS Manager; Embedded Firewall; Cluster Manager; Alert Handler; Event Correlator; Response Initiator
Laptop – 1: Browse Web Server
Laptop - 2: Browse Web Server
Load Sharing Initialization:
• Load is Set via Policy Server
• Demonstration is based on Even/Odd IP Address
• Even IP’s Are Received by Server 1
• Odd IP’s Are Received by Server 2
Message labels recovered from the figure:
• NIC 1, From AIC: Receive Rule to Accept Even Traffic
• NIC 2, From AIC: Receive Rule to Accept Odd Traffic
• NIC 1 and NIC 2, To AIC: Send Heartbeat
• AIC: Receive Heartbeats From All Nics
• NIC 1, From Web Browsers: Receive Traffic from Laptop 1
• NIC 2, From Web Browsers: Receive Traffic from Laptop 2
• AIC, Server Unreachable?: NIC 2 Server Down = True; Redistribute Load to NIC 1
• AIC, To NIC 1: Send Reset Load Sharing to NIC 1 & 2
• NIC 1, From AIC: Receive Rule to Accept All Traffic
• NIC 1, From Web Browsers: Receive Traffic from Laptop 1 & 2
20
Port Scan Attack Demo - Win 2k
[Figure: same hosts as the load sharing demo (Web Server – 1 on Windows 2000 with IIS Web Server, ISS Network ID, ISS Host ID, Response Agent - Responder, Response Agent - Initiator, Embedded Firewall – NIC 1; Web Server – 2 on SE Linux with Apache Web Server, Snort Network ID, SE Log Analz – Host ID, Response Agent - Responder, Response Agent - Initiator, Embedded Firewall – NIC 2; AIC on Windows 2000 with Policy Manager, Audit Manager, Event Handler, ISS Manager, Embedded Firewall, Cluster Manager, Alert Handler, Event Correlator, Response Initiator; Laptop – 1; Laptop - 2). Message labels recovered from the figure, in sequence:]
• Laptop 1: Initiate Port Scan From Laptop 1 – Port Scan Traffic to NIC 1
• Server 1: Port Scan Detection
• Server 1, To AIC: Send Event: Intrusion & Source IP
• AIC, From Server 1: Receive Event: Intrusion, Source – IP
• AIC: Store Event; Retrieve Events; Determine Response; Perform Responses: Send Block Request on IP
• AIC, To NIC 1: Send NIC 1 Block IP Rule
• NIC 1, From AIC: Receive Block IP Rule
• AIC, To Server 1: Send Check & Restore Response – Server 1
• Server 1, From AIC: Receive \ Perform Check & Restore Response
21
CGI Attack Demo: SE Linux
[Figure: same hosts as the load sharing demo (Web Server – 1 on Windows 2000 with IIS Web Server, ISS Network ID, ISS Host ID, Response Agent - Responder, Response Agent - Initiator, Embedded Firewall – NIC 1; Web Server – 2 on SE Linux with Apache Web Server, Snort Network ID, SE Log Analz – Host ID, Response Agent - Responder, Response Agent - Initiator, Embedded Firewall – NIC 2; AIC on Windows 2000 with Policy Manager, Audit Manager, Event Handler, ISS Manager, Embedded Firewall, Cluster Manager, Alert Handler, Event Correlator, Response Initiator; Laptop – 1; Laptop - 2). Message labels recovered from the figure, in sequence:]
• Laptop 2: Initiate CGI Attack From Laptop 2 – CGI Attack to NIC 2
• Server 2: CGI Attack Detection
• Server 2, To AIC: Send Event: Intrusion & Source IP
• AIC, From Server 2: Receive Event: Intrusion, Source IP
• AIC: Store Event; Retrieve Events; Determine Response; Perform Responses: Send Block Request on IP
• AIC, To NIC 2: Send NIC 2 Block IP Rule
• NIC 2, From AIC: Receive Block IP Rule
• AIC, To Server 2: Send Check & Restore Response – Server 2
• Server 2, From AIC: Receive \ Perform Check & Restore Response
22
IIS Attack Demo : Win2K
[Figure: same hosts as the load sharing demo (Web Server – 1 on Windows 2000 with IIS Web Server, ISS Network ID, ISS Host ID, Response Agent - Responder, Response Agent - Initiator, Embedded Firewall – NIC 1; Web Server – 2 on SE Linux with Apache Web Server, Snort Network ID, SE Log Analz – Host ID, Response Agent - Responder, Response Agent - Initiator, Embedded Firewall – NIC 2; AIC on Windows 2000 with Policy Manager, Audit Manager, Event Handler, ISS Manager, Embedded Firewall, Cluster Manager, Alert Handler, Event Correlator, Response Initiator; Laptop – 1; Laptop - 2). Message labels recovered from the figure, in sequence:]
• Laptop 1: Initiate ASP DOT Attack From Laptop 1 – ASP Dot Attack to NIC 1
• Server 1: ASP DOT Detection
• Server 1, To AIC: Send Event: Suspicious & Source IP
• AIC, From Server 1: Receive Event: Suspicious, Source IP
• AIC: Store Event; Retrieve Events; Determine Response; Perform Responses; Send: Shift All, Handle IP, Audit On
• AIC, To NIC 1: Send NIC 1 – Handle IP, Audit On & Shift All From
• NIC 1, From AIC: Receive: Shift All From, Handle IP & Audit On
• AIC, To NIC 2: Send NIC 2 – Shift All To Except Handle IP, Audit On
• NIC 2, From AIC: Receive: Shift All To Except Handle & Audit On
• AIC: Audit All Cluster Nics
• AIC, To Server 1: Send Check & Restore Response – Server 1
• Server 1, From AIC: Receive \ Perform Check & Restore Response