1 Overview: Cyber Defense Technology Experimental Research (DETER) Testbed
Terry V. Benzel, C. Neuman
Information Sciences Institute, University of Southern California
2 DETER Team
• USC – ISI – Terry Benzel, Bob Braden, Dongho Kim, Cliff Neuman
• UC Berkeley – Eric Fraser, Anthony Joseph, Keith Sklower
• Sparta – Ron Ostrenga, Steve Schwab
3 AGENDA
8:30 Welcome: Dr. Joseph Evans, NSF, and Dr. Douglas Maughan, DHS
8:45 DETER/EMIST Overview: Terry Benzel, USC – ISI, George Kesidis, Penn State
9:30 DETER Workbench: Bob Braden, USC – ISI; ESVT: A Toolkit Facilitating Use of DETER: Peng Liu, Penn State
[10:00 – 4:00] Parallel Hands-on Demo and Experiments in Conf room
10:00 Using Source Models to Evaluate Enterprise Worm Defenses: Nick Weaver, Vern Paxson, Scott Crosby, ICSI
10:45 Break
11:00 Requirements and Tools for Routing Experiments: Sandy Murphy, Sparta, S. Felix Wu, UC Davis
11:45 lseb: Trace Driven Modeling of Internet-Scale BGP Attacks and Countermeasures: Patrick McDaniel, Penn State
12:15 Lunch
4 AGENDA (continued)
1:15 Evaluation of Worm Defense Systems Through Experimentation: Karl Levitt, Jeff Rowe, UC Davis, Phil Porras, SRI
2:30 DDoS Defense Experiment Methodology -- Impact of Traffic Generation Selection on Precision of Detection and Response Characterization: Stephen Schwab, Sparta Inc
3:15 Break
3:30 Methodology and Tools for High-Fidelity Emulation of DDoS Attacks: Sonia Fahmy, Purdue University
4:15 Cyber Early Warning System (CEWAS): Abhrajit Ghosh, Rajesh Talpade, Sudha Ramesh, Telcordia
4:45 General Discussion and Q&A
5:00 Adjourn
5 Project Background
• DETER and EMIST are two companion efforts
• George Kesidis will overview EMIST
• Period of Performance Sept. 03 – Aug. 06
• Funded by NSF and DHS HSARPA
• Joe Evans (NSF) and Doug Maughan (DHS) are the PMs
• Operating as one unified project
6 DETER+EMIST Vision
... to provide the scientific knowledge required to enable the development of solutions to cyber security problems of national importance
through the creation of an experimental infrastructure network -- networks, tools, methodologies, and supporting processes -- to support national-scale experimentation on research and advanced development of security technologies.
7 DETER Testbed Goals
• Facilitate scientific experimentation
• Establish baseline for validation of new approaches
• Provide a safe platform for experimental approaches that involve breaking network infrastructure
• Create researcher- and vendor-neutral environment
• Provide access for wide community of users
8 Experiment Methodology and Security Workbench
Experimenters select from a palette of predefined elements: Topology, Background and Attack Traffic, and Packet Capture and Instrumentation.
Our methodology frames standard, systematic questions that guide an experimenter in selecting and combining the right elements.
Experiment automation increases repeatability and efficiency by integrating the process with the DETER testbed environment.
[Figure: workbench layers -- Palettes (Topology, Traffic, Attack, Data-Capture), Methodology & Guidance, Experiment Automation]
9 DETER Architectural Plan
• Construct homogeneous emulation clusters based upon University of Utah’s Emulab
• Add containment, security, and usability features to the software
• Add (controlled) hardware heterogeneity
• Specialized devices – Routers, IDP, IPS, black boxes
10 DETER Experimental Network Based On Emulab
Cluster of N nearly identical experimental nodes, interconnected dynamically into arbitrary topologies using VLAN switches.
[Figure: pool of N processors (160 PCs), each with N x 4 @1000bT data ports, cabled into a programmable patch panel (VLAN switch) driven through a switch control interface]
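As an added illustration of the mechanism on this slide (this is example code, not DETER or Emulab software): a pool of identical nodes is wired into an arbitrary experiment topology by making every requested link, or multi-node LAN, its own VLAN on the programmable patch panel, consuming one of the four data ports on each endpoint. The control VLAN ID, the experiment VLAN range, the node names and the sample topology are all assumptions constructed for the example. The block goes slightly beyond the slide in that a link may have more than two members (a shared LAN segment), which a VLAN models naturally.

```python
"""Toy VLAN-based topology mapper for an Emulab-style cluster (illustrative only)."""
from dataclasses import dataclass

DATA_PORTS_PER_NODE = 4                 # "N x 4 @1000bT data ports" on the slide
CONTROL_VLAN = 1                        # assumed: VLAN reserved for the control network
EXPERIMENT_VLAN_POOL = range(100, 200)  # assumed: VLAN IDs an experiment may be given


class AllocationError(Exception):
    """Raised when a topology cannot be realised with the available ports and VLANs."""


@dataclass
class Assignment:
    vlans: dict   # link (tuple of member node names) -> VLAN ID
    ports: dict   # (node name, data-port index) -> VLAN ID


def map_topology(nodes, links, pool=EXPERIMENT_VLAN_POOL):
    """Give every link its own VLAN and attach one free data port per member to it."""
    free_ports = {n: list(range(DATA_PORTS_PER_NODE)) for n in nodes}
    vlan_ids = (v for v in pool if v != CONTROL_VLAN)   # never hand out the control VLAN
    vlans, ports = {}, {}
    for link in links:
        members = tuple(link)
        if len(members) < 2 or len(set(members)) != len(members):
            raise AllocationError(f"malformed link {members}")
        unknown = [n for n in members if n not in free_ports]
        if unknown:
            raise AllocationError(f"unknown node(s) {unknown}")
        vlan = next(vlan_ids, None)
        if vlan is None:
            raise AllocationError("experiment VLAN pool exhausted")
        for n in members:
            if not free_ports[n]:
                raise AllocationError(f"{n} has no free data port for link {members}")
            ports[(n, free_ports[n].pop(0))] = vlan   # lowest free port on this node
        vlans[members] = vlan
    return Assignment(vlans, ports)


def check_containment(assignment):
    """True when no experiment port sits on the control VLAN and each experiment
    VLAN is shared by exactly the members of its own link (no cross-link leakage)."""
    if any(v == CONTROL_VLAN for v in assignment.ports.values()):
        return False
    for members, vlan in assignment.vlans.items():
        on_vlan = {n for (n, _port), v in assignment.ports.items() if v == vlan}
        if on_vlan != set(members):
            return False
    return True


def can_realise(nodes, links, pool=EXPERIMENT_VLAN_POOL):
    """Convenience wrapper: does this topology fit the pool and the per-node port budget?"""
    try:
        map_topology(nodes, links, pool)
        return True
    except AllocationError:
        return False


if __name__ == "__main__":
    # Constructed sample: two point-to-point links plus one three-node LAN.
    nodes = ["pc1", "pc2", "pc3", "pc4"]
    links = [("pc1", "pc2"), ("pc2", "pc3"), ("pc1", "pc3", "pc4")]
    a = map_topology(nodes, links)
    for link, vlan in a.vlans.items():
        print(f"VLAN {vlan}: {' - '.join(link)}")
    print("containment ok:", check_containment(a))
```

A star with five spokes on one hub fails, because the hub has only four data ports; so does any topology with more links than the VLAN pool holds. Both are the conditions a real allocator has to report back to the experimenter rather than silently fold links together.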
11 Example DETER Topologies
12 Testbed Software
• Begin with Utah’s Emulab software
• Add containment, security, and usability features
• Collaborate with Utah on new development
• User access: Web interface [Emulab] to define, request, and control an experiment
• Encrypted tunnels across Internet (SSL/SSH/IPsec)
• No direct IP path into experimental network
13 DETER Testbed Cluster Architecture
[Figure: cluster diagram. Experimental nodes: 160 PCs, 139 x 4 @1000bT data ports into the programmable patch panel (VLAN switch) with its switch control interface, and 139 control ports on the Control Network VLAN. Control Hardware VLAN: power controller, node serial line server, power serial line server. Boss VLAN: master server (Web/DB/SNMP, switch management, control DB). Users VLAN: ‘User’ server with user files, user account and data logging server. External VLAN: router with firewall to the Internet; an Ethernet bridge with firewall separates the control VLANs]
14 Interconnecting Clusters
• Two clusters: USC – ISI, UCB
• One control site (ISI) – one user entry point, accounts, control
• Connection – CENIC: CalREN-HPR
• VLAN switches interconnected using IPsec tunnels – form one pool of nodes to be allocated – user can control whether an experiment spans multiple clusters
15 [Figure: ISI cluster and UCB cluster. Each site has PCs on a control network, a node serial line server and a power controller. ISI hosts the ‘Boss’ server, the ‘User’ server and user files behind Cisco and Nortel switches; UCB has a download server behind Foundry and Nortel switches. The switch trunks of the two sites are joined across the Internet (CENIC) through firewalls by IPsec tunnels]
16 Hardware Status and Plan
[Table: node inventory -- 11 x Sunpc2800, 64 x IBMpc733, 64 x Dellpc3000, 30 x Sunbpc2800, 32 x Dellbpc3000, 40 x HP; planned additions 80 x Dell ? and 64 x Dell ?. Specialized devices -- Juniper IDP-200, Juniper M7i, Cloud Shield 2200, McAfee Intrushield 2600 (quantities listed: 2 x, 5 x, 1 x, 2 x). Switches -- ISI: Cisco 6509 and Nortel 5510; UCB: Foundry 1500 and Nortel 5510. Switch links listed as 8 x 1Gbps, 4 x 1Gbps, 4 x 1Gbps, 2 x 1Gbps; site uplinks 1 GBps (4 later) at each site; inter-site throughput ~150Mbps with IPSec]
17 Handling Scary Code
Objective: Variable-safety testbed
– Adaptable to threat level of experiment
– Supports shared, remote experimenter access for low-threat code; varying degrees of isolation.
– Research question: can we design DETER to safely handle the entire range of threats, or will really scary stuff have to run in some other isolated containment facility?
[Figure: security vs. usability axis with Emulab, DETER and isolated containment placed along it]
18 DETER Testbed Security is Critical
• Defenses employed by the testbed must balance the requirements of containment, isolation, and confidentiality with the need for remote management of experiments.
• Experiments will be categorized according to the consequences of loss of containment, and procedures applied according to that categorization.
19 Achieving Security
Operational
– Procedures for proposing and reviewing experiments.
– Guidelines for categorizing safety of experiments.
– Vetting of investigators and experiments.
– Procedures used by investigators.
Technical
– Firewall, routing, intrusion detection and network isolation techniques.
– Data protection, system protection, and state destruction techniques.
20 Experiment Safety Panel
• Experiment description provided by investigator:– Identify containment, isolation, confidentiality,