Overview: Cyber Defense Technology Experimental Research (DETER) Testbed
Terry V. Benzel, C. Neuman, Information Sciences Institute, University of Southern California

Dec 16, 2015
Page 1: Overview: Cyber Defense Technology Experimental Research (DETER) Testbed

Terry V. Benzel, C. Neuman
Information Sciences Institute, University of Southern California

Page 2: DETER Team

• USC – ISI – Terry Benzel, Bob Braden, Dongho Kim, Cliff Neuman
• UC Berkeley – Eric Fraser, Anthony Joseph, Keith Sklower
• Sparta – Ron Ostrenga, Steve Schwab

Page 3: AGENDA

8:30 Welcome: Dr. Joseph Evans, NSF, and Dr. Douglas Maughan, DHS
8:45 DETER/EMIST Overview: Terry Benzel, USC – ISI, George Kesidis, Penn State
9:30 DETER Workbench: Bob Braden, USC – ISI; ESVT: A Toolkit Facilitating Use of DETER: Peng Liu, Penn State
[10:00 – 4:00] Parallel Hands-on Demo and Experiments in Conf room
10:00 Using Source Models to Evaluate Enterprise Worm Defenses: Nick Weaver, Vern Paxson, Scott Crosby, ICSI
10:45 Break
11:00 Requirements and Tools for Routing Experiments: Sandy Murphy, Sparta, S. Felix Wu, UC Davis
11:45 Trace-Driven Modeling of Internet-Scale BGP Attacks and Countermeasures: Patrick McDaniel, Penn State
12:15 Lunch

Page 4: AGENDA (continued)

1:15 Evaluation of Worm Defense Systems Through Experimentation: Karl Levitt, Jeff Rowe, UC Davis, Phil Porras, SRI
2:30 DDoS Defense Experiment Methodology -- Impact of Traffic Generation Selection on Precision of Detection and Response Characterization: Stephen Schwab, Sparta Inc
3:15 Break
3:30 Methodology and Tools for High-Fidelity Emulation of DDoS Attacks: Sonia Fahmy, Purdue University
4:15 Cyber Early Warning System (CEWAS): Abhrajit Ghosh, Rajesh Talpade, Sudha Ramesh, Telcordia
4:45 General Discussion and Q&A
5:00 Adjourn

Page 5: Project Background

• DETER and EMIST are two companion efforts
• George Kesidis will overview EMIST
• Period of Performance Sept. 03 – Aug. 06
• Funded by NSF and DHS HSARPA
• Joe Evans (NSF), Doug Maughan (DHS) PMs
• Operating as one unified project

Page 6: DETER+EMIST Vision

... to provide the scientific knowledge required to enable the development of solutions to cyber security problems of national importance

Through the creation of an experimental infrastructure network -- networks, tools, methodologies, and supporting processes -- to support national-scale experimentation on research and advanced development of security technologies.

Page 7: DETER Testbed Goals

• Facilitate scientific experimentation
• Establish baseline for validation of new approaches
• Provide a safe platform for experimental approaches that involve breaking network infrastructure
• Create researcher- and vendor-neutral environment
• Provide access for wide community of users

Page 8: Experiment Methodology and Security Workbench

Experimenters select from a palette of predefined elements: Topology, Background and Attack Traffic, and Packet Capture and Instrumentation.

Our Methodology frames standard, systematic questions that guide an experimenter in selecting and combining the right elements.

Experiment Automation increases repeatability and efficiency by integrating the process with the DETER testbed environment.

Diagram: Palettes (Topology, Traffic, Attack, Data-Capture), Methodology & Guidance, and Experiment Automation.

Page 9: DETER Architectural Plan

• Construct homogeneous emulation clusters based upon University of Utah’s Emulab
• Implement network services – DNS, BGP
• Add containment, security, and usability features to the software
• Add (controlled) hardware heterogeneity
• Specialized devices – Routers, IDP, IPS, black boxes

Page 10: DETER Experimental Network, Based On Emulab

Cluster of N nearly identical experimental nodes, interconnected dynamically into arbitrary topologies using VLAN switches.

Diagram labels: pool of N processors (PC nodes, 160); N x 4 @1000bT data ports; Programmable Patch Panel (VLAN switch); Switch Control Interface.

Page 11: Example DETER Topologies

Page 12: Testbed Software

• Begin with Utah’s Emulab software. Add containment, security, and usability features. Collaborate with Utah on new development.
• User access: Web interface [Emulab] to define, request, control an experiment.
• Encrypted tunnels across Internet (SSL/SSH/IPsec).
• No direct IP path into experimental network.

Page 13: DETER Testbed Cluster Architecture

Diagram labels: Internet; Router with Firewall; External VLAN; Users VLAN; User; ‘User’ Server; User files; Boss VLAN; Master Server; Control DB; Web/DB/SNMP, switch mgmt; User Acct & Data logging server; Ethernet Bridge with Firewall; Control Network VLAN; Control Hardware VLAN; Power Controller; Node Serial Line Server; 139 Control ports; PC nodes (160); 139 x 4 @1000bT data ports; Programmable Patch Panel (VLAN switch); Switch Control Interface.

Page 14: Interconnecting Clusters

• Two clusters: USC-ISI, UCB
• One control site (ISI)
  – One user entry point, accounts, control
• Connection
  – CENIC: CalREN-HPR
• VLAN switches interconnected using IPsec tunnels
  – Form one pool of nodes to be allocated
  – User can control whether experiments span multiple clusters

Page 15: ISI and UCB Clusters

Diagram labels: ISI Cluster (Cisco and Nortel switch; 'Boss' Server; ‘User’ Server; User files; Node Serial Line Server; Power Controller; Control Network; PC nodes); UCB Cluster (Foundry and Nortel switch; Download Server; Node Serial Line Server; Power Controller; Control Network; PC nodes); trunk links; FW at each site; IPsec tunnels across the Internet via CENIC; User.

Page 16: Hardware Status and Plan

Diagram labels for the ISI and UCB sites:
• Node types: 11 x Sunpc2800, 64 x IBMpc733, 64 x Dellpc3000, 30 x Sunbpc2800, 32 x Dellbpc3000, 40 x HP, 80 x Dell ?, 64 x Dell ?
• Specialized devices: Juniper IDP-200, Juniper M7i, Cloud Shield 2200, McAfee Intrushield 2600 (counts shown: 2 x, 5 x, 1 x, 2 x)
• Switches: Cisco 6509, Nortel 5510 (ISI); Foundry 1500, Nortel 5510 (UCB)
• Links: 8 x 1Gbps, 4 x 1Gbps, 4 x 1Gbps, 2 x 1Gbps, 1 GBps (4 later), 1 GBps (4 later); ~150Mbps with IPSec between sites

Page 17: Handling Scary Code

Objective: Variable-safety testbed
– Adaptable to threat level of experiment
– Supports shared, remote experimenter access for low-threat code; varying degrees of isolation.
– Research question: can we design DETER to safely handle the entire range of threats, or will really scary stuff have to run in some other isolated containment facility?

Diagram: Emulab, DETER and Isolated Containment placed along a spectrum labelled "Security" and "Usability?".

Page 18: DETER Testbed Security is Critical

• Defenses employed by the test-bed must balance the requirements of containment, isolation, and confidentiality, with the need for remote management of experiments.

• Experiments will be categorized according to the consequences of loss of containment, and procedures applied according to that categorization.

Page 19: Achieving Security

Operational
– Procedures for proposing and reviewing experiments.
– Guidelines for categorizing safety of experiments.
– Vetting of investigators and experiments
– Procedures used by investigators

Technical
– Firewall, routing, intrusion detection and network isolation techniques.
– Data protection, system protection, and state destruction techniques.

Page 20: Experiment Safety Panel

• Experiment description provided by investigator:
  – Identify containment, isolation, confidentiality, and other security considerations.
• Panel assesses proposed category:
  – Determines safety category, level of isolation required
  – Assesses if isolation can be maintained
  – Imposes technical measures to assure isolation requirements are met.

Page 21: Security Consideration Matrix

Threat from experimental agents
– A1 -- Attack traffic trace analysis
– A2 -- Simulations that generate attack traffic
– A3 -- DDoS attacks and tools in circulation
– A4 -- Previously released viruses and worms: still in circulation, eradicated, or defenses deployed
– A5 -- Current/new viruses, worms, DDoS, etc.: moderate to severe threat; defenses not broadly deployed

Impact of the experiment
– I1 -- Minimal traffic generation or performance degradation
– I2 -- High but bounded traffic
– I3 -- Flooding of single link or site
– I4 -- Floods network and severely degrades performance

Management requirements
– M1 -- Disconnected from Internet
– M2 -- Self-contained batch mode acceptable
– M3 -- Remote submission and collection
– M4 -- Remote real-time monitoring and control of parameters
– M5 -- Full remote control needed for interactive experimentation with high bandwidth needs

Sensitivity of experiment data
– S1 -- Results eventually to be open
– S2 -- Results commercially sensitive
– S3 -- Results extremely commercially sensitive -- disclosure gives away proprietary approaches
– S4 -- Results extremely safety sensitive -- instructive to those trying to breach security

Page 22: Containment Mechanisms

• Physical separation
  – Transfers in and out when experiments not running, perhaps via physical media.
• Virtual separation
  – VPNs and network overlays allow secure connectivity over Internet.
• Firewalled separation
  – Connectivity may be reduced when experiments are running.
• Decontamination procedures
  – After an experiment runs
  – When data is removed from testbed
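As an added illustration of how a safety panel could apply the A/I/M/S matrix and these containment mechanisms together (example code, not the DETER project's own): the thresholds that map ratings to a mechanism, and the conflict rules, are assumptions, since the slides define the axes and mechanisms but not a mapping between them.

```python
# Added example, not DETER project code: a policy check over the A/I/M/S axes
# of the Security Consideration Matrix and the containment mechanisms that
# follow it. The thresholds are assumptions; the slides give no such mapping.
import re

AXIS_MAX = {"A": 5, "I": 4, "M": 5, "S": 4}   # highest level per axis on the slide
CODE_RE = re.compile(r"^([AIMS])([1-9])$")


def parse_rating(codes):
    """["A4","I2","M3","S1"] -> {"A":4,"I":2,"M":3,"S":1}; rejects malformed,
    duplicate, missing or out-of-range codes so a bad form cannot be rated."""
    seen = {}
    for raw in codes:
        match = CODE_RE.match(raw.strip().upper())
        if not match:
            raise ValueError(f"malformed code {raw!r}")
        axis, level = match.group(1), int(match.group(2))
        if level > AXIS_MAX[axis]:
            raise ValueError(f"{axis}{level}: axis {axis} stops at {AXIS_MAX[axis]}")
        if axis in seen:
            raise ValueError(f"axis {axis} given twice")
        seen[axis] = level
    missing = sorted(set(AXIS_MAX) - set(seen))
    if missing:
        raise ValueError(f"missing axes {missing}")
    return seen


def required_containment(r):
    """Assumed policy: the strictest separation any single axis calls for."""
    if r["A"] >= 5 or r["S"] >= 4:          # novel malware / safety-sensitive results
        return "physical"
    if r["A"] >= 3 or r["I"] >= 3 or r["S"] >= 3:  # live tools, link floods, trade secrets
        return "firewalled"
    return "virtual"


def conflicts(r):
    """Management needs the assumed containment cannot honour: the items a
    safety panel would have to resolve before approving the experiment."""
    level, found = required_containment(r), []
    if level == "physical" and r["M"] >= 3:
        found.append("M3+ remote access conflicts with physical separation")
    if level == "firewalled" and r["M"] >= 5:
        found.append("M5 full remote control conflicts with reduced connectivity")
    return found


def assess(codes):
    """Parse, classify and list conflicts for one experiment description."""
    r = parse_rating(codes)
    return {"containment": required_containment(r), "conflicts": conflicts(r)}
```

A panel would tune the thresholds to its own categorization guidelines; the value of the check is that every form is validated against the axes before a category is assigned, and that unmet management needs surface explicitly rather than being discovered after the experiment is provisioned.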

Page 23: DETER Experimenters Community

• DETER testbed is itself an important research and engineering problem
• Do not expect a ready-made “turnkey” platform
• Expect to become active participants in the community of security researchers
• Help shape the development of the DETER testbed.

Page 24: Access to Testbed

• Open to community – request via email: [email protected]
• Important addresses:
  – www.isi.edu/deter
  – www.isi.deterlab.net
  – http://emist.ist.psu.edu
  – www.emulab.net
• Hiring – email [email protected]