Overview: Cyber Defense Technology Experimental Research (DETER) Testbed
Terry V. Benzel, C. Neuman
Information Sciences Institute
University of Southern California
DETER Team
• USC – ISI: Terry Benzel, Bob Braden, Dongho Kim, Cliff Neuman
• UC Berkeley: Eric Fraser, Anthony Joseph, Keith Sklower
• Sparta: Ron Ostrenga, Steve Schwab
AGENDA
8:30 Welcome: Dr. Joseph Evans, NSF, and Dr. Douglas Maughan, DHS
8:45 DETER/EMIST Overview: Terry Benzel, USC – ISI; George Kesidis, Penn State
9:30 DETER Workbench: Bob Braden, USC – ISI; ESVT: A Toolkit Facilitating Use of DETER: Peng Lui, Penn State
[10:00 – 4:00] Parallel hands-on demo and experiments in the conference room
10:00 Using Source Models to Evaluate Enterprise Worm Defenses: Nick Weaver, Vern Paxson, Scott Crosby, ICSI
10:45 Break
11:00 Requirements and Tools for Routing Experiments: Sandy Murphy, Sparta; S. Felix Wu, UC Davis
11:45 Trace-Driven Modeling of Internet-Scale BGP Attacks and Countermeasures: Patrick McDaniel, Penn State
12:15 Lunch
AGENDA (continued)
1:15 Evaluation of Worm Defense Systems Through Experimentation: Karl Levitt, Jeff Rowe, UC Davis; Phil Porras, SRI
2:30 DDoS Defense Experiment Methodology: Impact of Traffic Generation Selection on Precision of Detection and Response Characterization: Stephen Schwab, Sparta Inc.
3:15 Break
3:30 Methodology and Tools for High-Fidelity Emulation of DDoS Attacks: Sonia Fahmy, Purdue University
4:15 Cyber Early Warning System (CEWAS): Abhrajit Ghosh, Rajesh Talpade, Sudha Ramesh, Telcordia
4:45 General Discussion and Q&A
5:00 Adjourn
Project Background
• DETER and EMIST are two companion efforts
• George Kesidis will overview EMIST
• Period of performance: Sept. 2003 – Aug. 2006
• Funded by NSF and DHS HSARPA
• Joe Evans (NSF) and Doug Maughan (DHS) are the program managers
• Operating as one unified project
DETER+EMIST Vision
... to provide the scientific knowledge required to enable the development of solutions to cyber security problems of national importance,
through the creation of an experimental infrastructure network (networks, tools, methodologies, and supporting processes) to support national-scale experimentation on research and advanced development of security technologies.
DETER Testbed Goals
• Facilitate scientific experimentation
• Establish a baseline for validation of new approaches
• Provide a safe platform for experimental approaches that involve breaking network infrastructure
• Create a researcher- and vendor-neutral environment
• Provide access for a wide community of users
Experiment Methodology and Security Workbench
Experimenters select from a palette of predefined elements: topology, background and attack traffic, and packet capture and instrumentation.
Our methodology frames standard, systematic questions that guide an experimenter in selecting and combining the right elements.
Experiment automation increases repeatability and efficiency by integrating the process with the DETER testbed environment.
[Figure: workbench layers: Palettes (Topology, Traffic, Attack, Data-Capture), Methodology & Guidance, Experiment Automation]
DETER Architectural Plan
• Construct homogeneous emulation clusters based upon the University of Utah's Emulab
• Implement network services – DNS, BGP
• Add containment, security, and usability features to the software
• Add (controlled) hardware heterogeneity
• Specialized devices – routers, IDP, IPS, black boxes
DETER Experimental Network
Based on Emulab: a cluster of N nearly identical experimental nodes, interconnected dynamically into arbitrary topologies using VLAN switches.
[Figure: pool of N PCs (160 shown), N x 4 data ports @ 1000bT into a programmable patch panel (VLAN switch) with a switch control interface]
Example DETER Topologies
Testbed Software
Begin with Utah's Emulab software. Add containment, security, and usability features. Collaborate with Utah on new development.
User access: web interface [Emulab] to define, request, and control an experiment.
Encrypted tunnels across the Internet (SSL/SSH/IPsec).
No direct IP path into the experimental network.
DETER Testbed Cluster Architecture
[Figure: cluster of 160 PCs; each node has 4 x 1000bT data ports (139 x 4 shown) into a programmable patch panel (VLAN switch) and one control port (139 shown) on the Control Network VLAN. Control Hardware VLAN: power controller, node serial line server, switch control interface. Boss VLAN: master server (Web/DB/SNMP, switch management, control DB) and user account and data logging server. Users VLAN: 'User' server holding user files. The Internet reaches the cluster only through a router with firewall (External VLAN) and an Ethernet bridge with firewall.]
Interconnecting Clusters
Two clusters: USC-ISI and UCB; one control site (ISI)
– One user entry point, accounts, control
Connection – CENIC: CalREN-HPR
VLAN switches interconnected using IPsec tunnels
– Form one pool of nodes to be allocated
– User can control whether an experiment spans multiple clusters
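The three slides above describe the same mechanism from three angles: a pool of nearly identical nodes, a programmable VLAN switch that wires them into per-experiment topologies, and two such pools joined into one by IPsec tunnels. The following toy allocator is an added example written for this page; it is not DETER or Emulab code. The pool size, the VLAN tag range, the "first cluster that fits" placement rule, and the `Experiment`/`Allocation` names are illustrative assumptions. What it shows that the slides do not spell out is the containment invariant the switch must preserve: every link gets its own VLAN tag, no tag or node is shared between experiments, and only links whose endpoints sit at different sites are carried over the inter-cluster trunk.

```python
"""Toy model of an Emulab/DETER style experimental network: one pool of nodes
spread over two clusters (ISI, UCB) joined by an IPsec trunk, wired into
per-experiment topologies by a programmable VLAN switch.

Added example; not DETER or Emulab code.  Pool size, VLAN numbering and the
allocation policy are illustrative assumptions.
"""
from dataclasses import dataclass, field
from itertools import count

# Constructed inventory: physical node -> cluster (real pools are far larger).
POOL = {**{f"isi{i}": "ISI" for i in range(5)}, **{f"ucb{i}": "UCB" for i in range(5)}}


@dataclass
class Experiment:
    name: str
    links: list                  # [("a", "b"), ("b", "c")] over logical node names
    span_clusters: bool = False  # user choice: may nodes be drawn from both sites?


@dataclass
class Allocation:
    node_map: dict               # logical name -> physical node
    vlans: dict                  # link -> VLAN tag (one tag per link)
    trunk_vlans: set = field(default_factory=set)  # tags carried over the IPsec trunk


class VlanSwitch:
    def __init__(self, pool):
        self.free = dict(pool)       # physical node -> cluster, insertion order kept
        self.next_vlan = count(100)  # assumed tag range; a tag is never reused while active
        self.active = {}             # experiment name -> Allocation

    def _candidates(self, needed, span):
        if span:
            return list(self.free)
        # Single-site experiments: first cluster that can hold the whole topology.
        for cluster in sorted(set(self.free.values())):
            nodes = [n for n, c in self.free.items() if c == cluster]
            if len(nodes) >= needed:
                return nodes
        return []

    def allocate(self, exp):
        logical = sorted({n for link in exp.links for n in link})
        cands = self._candidates(len(logical), exp.span_clusters)
        if len(cands) < len(logical):
            # Fail before touching switch state, so a rejected request leaves no residue.
            raise RuntimeError(f"{exp.name}: {len(logical)} nodes requested, "
                               f"only {len(cands)} eligible free nodes")
        node_map = dict(zip(logical, cands))
        alloc = Allocation(node_map, {})
        for phys in node_map.values():
            del self.free[phys]
        for a, b in exp.links:
            tag = next(self.next_vlan)
            alloc.vlans[(a, b)] = tag
            if POOL[node_map[a]] != POOL[node_map[b]]:
                alloc.trunk_vlans.add(tag)  # cross-site link rides the IPsec trunk
        self.active[exp.name] = alloc
        return alloc

    def release(self, name):
        """State destruction: tear down the VLANs and return the nodes to the pool."""
        alloc = self.active.pop(name)
        for phys in alloc.node_map.values():
            self.free[phys] = POOL[phys]
        return len(alloc.node_map)

    def isolation_ok(self):
        """Containment invariant: no VLAN tag and no node is shared by two experiments."""
        tags, nodes = [], []
        for alloc in self.active.values():
            tags += alloc.vlans.values()
            nodes += alloc.node_map.values()
        return len(tags) == len(set(tags)) and len(nodes) == len(set(nodes))


if __name__ == "__main__":
    sw = VlanSwitch(POOL)
    e1 = sw.allocate(Experiment("e1", [("a", "b"), ("b", "c")]))
    e2 = sw.allocate(Experiment("e2", [("x", "y"), ("y", "z"), ("z", "w")]))
    e3 = sw.allocate(Experiment("e3", [("p", "q"), ("q", "r")], span_clusters=True))
    print(e1.node_map, e2.node_map, e3.node_map, e3.trunk_vlans, sw.isolation_ok())
```

With the constructed pool, a three-node single-site experiment lands entirely at ISI, a four-node one is pushed to UCB because ISI no longer has room, and a third three-node experiment is refused unless its owner permits spanning, in which case exactly its one cross-site link is marked for the trunk.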
[Figure: ISI and UCB clusters. Each site has PCs on a control network with a 'User' server, user files, a node serial line server, a power controller, and a VLAN switch (Cisco and Nortel at ISI, Foundry and Nortel at UCB); the 'Boss' server and download server sit at ISI. The two switches are trunked across the Internet through IPsec tunnels between firewalls at the CENIC edges; users enter through ISI.]
Hardware Status and Plan
[Figure: hardware inventory by site]
Switches: ISI – Cisco 6509, Nortel 5510; UCB – Foundry 1500, Nortel 5510
Inter-site link: ~150 Mbps with IPsec; 1 Gbps at each site (4 later)
Nodes: 11 x Sun pc2800, 64 x IBM pc733, 64 x Dell pc3000, 30 x Sun bpc2800, 32 x Dell bpc3000, 40 x HP
Planned: 80 x Dell (?), 64 x Dell (?)
Specialized devices: Juniper IDP-200, Juniper M7i, CloudShield 2200, McAfee IntruShield 2600
Handling Scary Code
Objective: variable-safety testbed
– Adaptable to the threat level of the experiment
– Supports shared, remote experimenter access for low-threat code; varying degrees of isolation for the rest
– Research question: can we design DETER to safely handle the entire range of threats, or will really scary stuff have to run in some other isolated containment facility?
[Figure: security vs. usability spectrum, from Emulab (usability) through DETER to an isolated containment facility (security)]
DETER Testbed Security is Critical
• Defenses employed by the testbed must balance the requirements of containment, isolation, and confidentiality with the need for remote management of experiments.
• Experiments will be categorized according to the consequences of loss of containment, and procedures applied according to that categorization.
Achieving Security
Operational
– Procedures for proposing and reviewing experiments
– Guidelines for categorizing the safety of experiments
– Vetting of investigators and experiments
– Procedures used by investigators
Technical
– Firewall, routing, intrusion detection and network isolation techniques
– Data protection, system protection, and state destruction techniques
Experiment Safety Panel
• Experiment description provided by the investigator:
– Identifies containment, isolation, confidentiality, and other security considerations
• Panel assesses the proposed category:
– Determines safety category and level of isolation required
– Assesses whether isolation can be maintained
– Imposes technical measures to assure isolation requirements are met
Security Consideration Matrix
Threat from experimental agents
A1 – Attack traffic trace analysis
A2 – Simulations that generate attack traffic
A3 – DDoS attacks and tools in circulation
A4 – Previously released viruses and worms (still in circulation, eradicated, or defenses deployed)
A5 – Current/new viruses, worms, DDoS, etc.: moderate to severe threat; defenses not broadly deployed

Impact of the experiment
I1 – Minimal traffic generation or performance degradation
I2 – High but bounded traffic
I3 – Flooding of a single link or site
I4 – Floods the network and severely degrades performance

Management requirements
M1 – Disconnected from the Internet
M2 – Self-contained batch mode acceptable
M3 – Remote submission and collection
M4 – Remote real-time monitoring and control of parameters
M5 – Full remote control needed for interactive experimentation with high bandwidth needs

Sensitivity of experiment data
S1 – Results eventually to be open
S2 – Results commercially sensitive
S3 – Results extremely commercially sensitive: disclosure gives away proprietary approaches
S4 – Results extremely safety sensitive: instructive to those trying to breach security
Containment Mechanisms
• Physical separation
– Transfers in and out only when experiments are not running, perhaps via physical media
• Virtual separation
– VPNs and network overlays allow secure connectivity over the Internet
• Firewalled separation
– Connectivity may be reduced when experiments are running
• Decontamination procedures
– After an experiment runs
– When data is removed from the testbed
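The Security Consideration Matrix gives the Experiment Safety Panel four axes to rate an experiment on, and this slide lists the containment mechanisms it can impose; what neither slide states is the rule that connects them, or what happens when an investigator asks for more remote access than the required containment can allow. The checker below is an added example written for this page, not DETER's own review tooling. The A/I/M/S codes and their wording come from the matrix; the mapping from threat and impact to a containment mechanism, the maximum management level each mechanism tolerates, and the names `review`, `Review` and `required_containment` are illustrative assumptions standing in for whatever rules a real panel would adopt.

```python
"""Consistency check for a DETER-style experiment safety review.

Added example, not DETER tooling.  Category codes follow the Security
Consideration Matrix; the policy that maps them to containment mechanisms and
permitted management modes is an illustrative assumption.
"""
from dataclasses import dataclass

THREAT = {"A1": "attack traffic trace analysis",
          "A2": "simulations that generate attack traffic",
          "A3": "DDoS attacks and tools in circulation",
          "A4": "previously released viruses and worms",
          "A5": "current/new malware, defenses not broadly deployed"}
IMPACT = {"I1": "minimal traffic or degradation",
          "I2": "high but bounded traffic",
          "I3": "floods a single link or site",
          "I4": "floods the network, severe degradation"}
MGMT = {"M1": "disconnected from the Internet",
        "M2": "self-contained batch mode",
        "M3": "remote submission and collection",
        "M4": "remote real-time monitoring and control",
        "M5": "full remote control, high bandwidth"}
SENSITIVITY = {"S1": "eventually open",
               "S2": "commercially sensitive",
               "S3": "extremely commercially sensitive",
               "S4": "extremely safety sensitive"}

# Containment mechanisms from the slide, least to most restrictive.
FIREWALLED, VIRTUAL, PHYSICAL = "firewalled", "virtual", "physical"
# Assumed policy: the highest management level each mechanism can still honour.
# Physical separation means no live path, so only disconnected/batch operation fits.
MAX_MGMT = {FIREWALLED: 5, VIRTUAL: 4, PHYSICAL: 2}


@dataclass
class Review:
    containment: str
    measures: list     # technical measures the panel would impose
    conflicts: list    # reasons the request cannot be granted as submitted

    def approved(self):
        return not self.conflicts


def _rank(code, table):
    """Validate a category code against its axis and return its ordinal."""
    if code not in table:
        raise ValueError(f"unknown category {code!r}; expected one of {sorted(table)}")
    return int(code[1:])


def required_containment(threat, impact):
    """Assumed rule: A5 or I4 -> physical; A3/A4 or I3 -> virtual; otherwise firewalled."""
    a, i = _rank(threat, THREAT), _rank(impact, IMPACT)
    if a >= 5 or i >= 4:
        return PHYSICAL
    if a >= 3 or i >= 3:
        return VIRTUAL
    return FIREWALLED


def review(threat, impact, mgmt, sensitivity):
    containment = required_containment(threat, impact)
    m, s = _rank(mgmt, MGMT), _rank(sensitivity, SENSITIVITY)
    measures, conflicts = [], []
    if containment == PHYSICAL:
        measures += ["no network path to or from the experimental net while running",
                     "transfers via physical media only between runs"]
    elif containment == VIRTUAL:
        measures += ["access only through VPN or network overlay",
                     "connectivity reduced while the experiment is running"]
    else:
        measures.append("firewalled separation of the experimental net")
    if _rank(threat, THREAT) >= 4:
        measures.append("decontamination (state destruction) of nodes after the run")
    if s >= 3:
        measures.append("encrypt stored results; review and decontaminate data before removal")
    if m > MAX_MGMT[containment]:
        conflicts.append(f"{mgmt} ({MGMT[mgmt]}) cannot be granted under {containment} "
                         f"containment; at most M{MAX_MGMT[containment]} is compatible")
    return Review(containment, measures, conflicts)


if __name__ == "__main__":
    for req in [("A5", "I4", "M5", "S4"), ("A2", "I1", "M5", "S1"), ("A3", "I2", "M4", "S3")]:
        r = review(*req)
        print(req, r.containment, "approved" if r.approved() else r.conflicts)
```

The interesting case is live malware with full interactive remote control requested (A5/I4/M5): the checker does not silently downgrade either side but reports the conflict, which is the decision the slide leaves to the panel and, in the worst case, to "some other isolated containment facility".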
DETER Experimenters Community
• The DETER testbed is itself an important research and engineering problem
• Do not expect a ready-made "turnkey" platform
• Expect to become active participants in the community of security researchers
• Help shape the development of the DETER testbed
Access to Testbed
• Open to the community – request via email: [email protected]
• Important addresses:
– www.isi.edu/deter
– www.isi.deterlab.net
– http://emist.ist.psu.edu
– www.emulab.net
• Hiring – email [email protected]