Lawrence Berkeley National Laboratory

Protection of an Open Computing Environment

James Rothfuss
Computer Protection Program Manager
Lawrence Berkeley National Lab
Internet2 Security at Line Speed Workshop
August 12, 2003
Presentation will cover:
• Types of Protection
• Berkeley Lab Philosophy
• Bro
• NETS
Classical Notion of Security
Secure, Restrict, Control, Hide
Often “Classical Security” is not appropriate
The tools can be so secure that their value is marginal
Consider: when the goal is RESEARCH, a missed scientific breakthrough may be more costly and damaging than the worst “hacker” incident
(Figure: protection spectrum across Classified, Commercial and Academic environments)
Protective measures can be different without being less effective
Service Protection vs Information Protection
Primary protection concerns
(Figure: examples placed along a scale from Service Protection to Information Protection: Weapons Research, Usenet newsgroups, Yahoo, Open Research, Online Store, Banking)
“Threat”-Based Protection: protective measures are based on the known attacks. Examples: Antivirus, Intrusion Detection, Bro
“Vulnerability”-Based Protection: system weaknesses are identified and protected. Examples: Firewalls, Patching, NETS
Underlying LBNL Philosophies
• Open by default, restrict as necessary
• Protect rather than Secure
• Utilize both Threat and Vulnerability Protection
• Strive for Dynamic Protection
Protecting an Open Environment is NOT EASY
Quality People are extremely important
LBL Intrusion Detection - Bro (“Threat”-Based Protection)
• Analyzes network traffic for attacks and policy violations
• Operational 24x7 since 1996 (> 4 billion connections monitored & archived)
• Coupled with border router, provides an adaptive firewall
• Currently operational @ LBNL, NERSC, UCB, JGI, ESNET, ICSI …
How Bro Works
• Taps GigEther fiber link passively, sends up a copy of all network traffic.
• Kernel filters down high-volume stream via standard libpcap packet capture library.
• “Event engine” distills filtered stream into high-level, policy-neutral events reflecting underlying network activity
  – E.g., connection_attempt, http_reply, user_logged_in
• “Policy script” processes event stream, incorporates:
  – Context from past events
  – Site’s particular policies
• … and takes action:
  – Records to disk
  – Generates alerts via syslog or paging
  – Executes programs as a form of response
(Figure: Network → libpcap with tcpdump filter → Event Engine → Policy Script Interpreter; the packet stream becomes a filtered packet stream and then an event stream; the policy script sends event control back to the event engine and produces real-time notification and records to disk)
Bro policy scripts
• Written in a specialized language for networks
  – Network types (IP addresses, connections, protocol, etc.)
  – Typed constants, variables
  – Network operators (comparison, ranges, etc.)
  – Control statements (IF/THEN, etc.)
  – Regular expressions
• Can
  – Generate alerts
  – Reset connections
  – Call exterior programs
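The event-engine / policy-script split described on the preceding slides, as an added example that is not Bro's own code: a tiny engine turns constructed packet summaries into policy-neutral connection_attempt events, and a site policy script keeps context from past events, raises an alert and records a block once one source has probed enough local hosts. The packets, the LOCAL_NET prefix, the SCAN_THRESHOLD and the scan policy itself are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed packet summaries: (src, dst, dport, tcp_flags)
PACKETS = [
    ("10.0.0.5", "128.3.1.10", 22, "S"),
    ("10.0.0.5", "128.3.1.11", 22, "S"),
    ("10.0.0.5", "128.3.1.12", 22, "S"),
    ("10.0.0.5", "128.3.1.13", 22, "S"),
    ("10.0.0.9", "128.3.1.10", 80, "S"),
    ("10.0.0.9", "128.3.1.10", 80, "A"),   # not a new attempt; engine ignores it
]

LOCAL_NET = "128.3."    # hypothetical site prefix (a site policy constant)
SCAN_THRESHOLD = 3      # hypothetical policy: distinct targets before alerting

def event_engine(packets):
    """Event engine: turn packets into policy-neutral events (a SYN becomes
    a connection_attempt event, named after Bro's event of that name)."""
    for src, dst, dport, flags in packets:
        if flags == "S":
            yield ("connection_attempt", {"src": src, "dst": dst, "dport": dport})

@dataclass
class PolicyState:
    targets: dict = field(default_factory=lambda: defaultdict(set))  # past context
    alerts: list = field(default_factory=list)
    blocked: set = field(default_factory=set)

def policy_script(events, state):
    """Policy script: keep context from past events and apply site policy.
    This policy alerts once on an address scan and records a block that a
    real deployment would hand to the border router (the adaptive firewall)."""
    for name, args in events:
        if name != "connection_attempt" or not args["dst"].startswith(LOCAL_NET):
            continue
        src = args["src"]
        state.targets[src].add(args["dst"])
        if len(state.targets[src]) >= SCAN_THRESHOLD and src not in state.blocked:
            state.alerts.append(f"address scan from {src} on port {args['dport']}")
            state.blocked.add(src)
    return state

def run(packets=PACKETS):
    """Wire engine to script, as Bro does; returns the final policy state."""
    return policy_script(event_engine(packets), PolicyState())

if __name__ == "__main__":
    for line in run().alerts:
        print(line)
```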
Teasers
• Stepping Stone Detection (Telnet to SSH to Host)
• Non-standard port backdoor detection
• Work with Force Ten and Juniper for tighter “firewall” integration.
• Real Experiences
  – Max Butler (aka, MaxVision)
  – Worms (Code Red, Nimda)
  – Three lettered agency “gray hat”
  – Boyz from Brazil
Want to know more?
V. Paxson, Bro: A System for Detecting Network Intruders in Real-Time, Proc. 7th USENIX Security Symposium, San Antonio, TX, January 1998. A later version appears in Computer Networks, 31(23-24), pp. 2435-2463, 14 Dec. 1999.
Y. Zhang and V. Paxson, Detecting Backdoors, Proc. 9th USENIX Security Symposium, August 2000.
Y. Zhang and V. Paxson, Detecting Stepping Stones, Proc. 9th USENIX Security Symposium, August 2000.
M. Handley, C. Kreibich and V. Paxson, Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics, Proc. 10th USENIX Security Symposium, August 2001.
S. Staniford, V. Paxson and N. Weaver, How to 0wn the Internet in Your Spare Time, Proc. 11th USENIX Security Symposium, 2002.
D. Donoho, A. G. Flesia, U. Shankar, V. Paxson, J. Coit and S. Staniford, Multiscale Stepping-Stone Detection: Detecting Pairs of Jittered Interactive Streams by Exploiting Maximum Tolerable Delay, Proc. RAID 2002.
D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford and N. Weaver, The Spread of the Sapphire/Slammer Worm, technical report, February 2003.
R. Pang and V. Paxson, A High-level Programming Environment for Packet Trace Anonymization and Transformation, Proc. ACM SIGCOMM 2003, to appear.
R. Sommer and V. Paxson, Detecting Network Intruders Using Contextual Signatures, in submission.
NETS: Network Equipment Tracking System (“Vulnerability”-Based Protection)
Current Method of Vulnerability Based Protection
• Analyze network
• Guess at “reasonable” firewall rules
• Hope the rules stay current (assume a static network)
(Figure: range of protection, with a static point of optimum protection on a scale between Safety / Security / Protection and Capability / Performance / Access)
Continuous Optimization
• Constant analysis of network
• Protection measures adapt
(Figure: a dynamic point of optimization moving along the same scale between Safety / Security / Protection and Capability / Performance / Access)
Optimum balance between protection and access
Current NETS Prototype
(Figure: an Oracle database fed by DNS forward and reverse lookups, Port Locator, ARPwatch and DHCP server logs; policies & business rules drive reports and a scan dispatcher that scans targeted systems; LBLnet control is marked as future)
NETS Vision
Fully automated vulnerability discovery and elimination
• Network information continuously collected
• Systems continuously scanned
• Network vulnerabilities detected as they appear
• Vulnerabilities immediately resolved
  – Automatically blocked
  – Automatically alert owners/sys admins
  – Automatically remove blocks when vulnerabilities are fixed
Safe systems given full access - Internet access is maximized
Future Integration With Bro
NETS uses Bro information to prioritize vulnerabilities based on threat: extra attention given to vulnerabilities with a high risk of attack
Bro uses NETS information to prioritize threats based on vulnerabilities: extra attention to attacks against known weaknesses
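The NETS vision (block, alert owners, remove blocks once fixed) and its planned integration with Bro, as an added example that is not NETS's or Bro's own code: scan results drive a host's block state and owner notices, and a constructed Bro tally of attacks per weakness ranks the open vulnerabilities so the ones at high risk of attack come first. The host inventory, the weakness names and the attack counts are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Host:
    ip: str
    owner: str
    vulns: set = field(default_factory=set)   # weaknesses from the last scan
    blocked: bool = False

@dataclass
class Nets:
    hosts: dict = field(default_factory=dict)
    notices: list = field(default_factory=list)  # (owner, ip, action, vulns)

    def scan_result(self, ip, vulns):
        """A continuous scan reports what it found; NETS blocks a vulnerable
        host, alerts its owner, and lifts the block once a clean scan arrives."""
        h = self.hosts[ip]
        h.vulns = set(vulns)
        if h.vulns and not h.blocked:
            h.blocked = True
            self.notices.append((h.owner, ip, "blocked", sorted(h.vulns)))
        elif not h.vulns and h.blocked:
            h.blocked = False
            self.notices.append((h.owner, ip, "unblocked", []))

    def prioritize(self, bro_attacks):
        """Rank open vulnerabilities by Bro's attack count per weakness, so
        those with a high risk of attack are handled first."""
        ranked = [(bro_attacks.get(v, 0), v, h.ip)
                  for h in self.hosts.values() for v in h.vulns]
        return sorted(ranked, reverse=True)

def demo():
    """Constructed inventory, scan results and Bro tally (hypothetical names)."""
    nets = Nets({"128.3.1.10": Host("128.3.1.10", "alice"),
                 "128.3.1.11": Host("128.3.1.11", "bob")})
    nets.scan_result("128.3.1.10", {"open-sendmail", "weak-telnet"})
    nets.scan_result("128.3.1.11", {"weak-telnet"})
    nets.scan_result("128.3.1.11", set())          # bob patched: block removed
    order = nets.prioritize({"weak-telnet": 12, "open-sendmail": 0})
    return nets, order

if __name__ == "__main__":
    nets, order = demo()
    print(nets.notices)
    print(order)
```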
Views of Protection
“Threat”-Based Protection and “Vulnerability”-Based Protection
NETS and Bro Integration
Network protection adapts based on both threats and vulnerabilities: “Threat” and “Vulnerability” Based Protection