1 / 22

Intrusion Tolerant Server Infrastructure

Intrusion Tolerant Server Infrastructure. Dick O’Brien OASIS PI Meeting July 25, 2001. Outline. Technical Objective Technical Approach Architecture Load Sharing Detection Hardened Servers Response Technology Transition Demo Scenarios. Technical Objective.

nan
Download Presentation

Intrusion Tolerant Server Infrastructure

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Intrusion Tolerant Server Infrastructure Dick O’Brien OASIS PI Meeting July 25, 2001 Not For Public Release

  2. Outline • Technical Objective • Technical Approach • Architecture • Load Sharing • Detection • Hardened Servers • Response • Technology Transition • Demo Scenarios July 25, 2001

  3. Technical Objective • Develop an Intrusion Tolerant Server Infrastructure that uses independent network layer enforcement mechanisms to: • Reduce intrusions • Prevent propagation of intrusions that do occur • Provide automated load shifting when intrusions are detected • Support automated server recovery July 25, 2001

  4. Technical Approach • Intrusion tolerant server components • Load distribution and network response capability using the ADF Policy Enforcing NICs • Server hardening to reduce effectiveness of penetrations • Intrusion detection systems that primarily reside on server hosts • An Availability and Integrity Controller (AIC) to manage the system and respond to intrusions reported to it July 25, 2001

  5. Embedded Firewall – NIC 2 Embedded Firewall – NIC 2 Embedded Firewall – NIC 2 Windows 2000 Detection/Initiating Agent Detection/Initiating Agent Response/Recovery Agent Response/Recovery Agent Cluster Manager Alert Handler ADF Policy Server Intrusion Detection Intrusion Detection Response/Recovery Controller Apache Web Server IIS Web Server ID Management Windows 2000 SE Linux Embedded Firewall – NIC 1 Embedded Firewall – NIC 1 ITSI Architecture AIC Web Server – 1 Web Server – 2 July 25, 2001

  6. Policy Enforcing NICs • ADF PENs are network interface cards that have been enhanced to provide additional controls • Packet Filtering • IPSEC support • Network layer audit • Host independent • Centrally managed • ITSI adds • Load sharing • Blocking and fishbowling • Alerts July 25, 2001

  7. Load Sharing New Rules from AIC • Each server receives all traffic addressed to the shared virtual IP • Rules on the PEN determine what traffic to process and what to throw away based on source IP • Traffic load can be shifted by modifying PEN rules PEN 2 PEN 2 PEN Agent PEN Agent IIS We b Server Apache Web Server PEN 1 Load Sharing Rules PEN 1 Load Sharing Rules July 25, 2001

  8. PEN Enhancements • Blocking • Traffic from specified IP addresses can be blocked • Fishbowling • Traffic from a specified IP address can be handled by a particular web server • All traffic from the specified IP address can be audited • Alerts • On the AIC the Alert Handler can generate alerts in response to specific audit events July 25, 2001

  9. Hardened Servers • SE Linux • Type Enforcement for protecting components • Web Server • Snort ID • ITSI Detection/Response agent • PEN agent • Stackguarded Apache web server • Windows 2000 • Wrapped components using Kernel Loadable Wrappers • IIS • ISS RealSecure • ITSI Detection/Response agent • PEN agent July 25, 2001

  10. Detection • PEN based audit from both web servers • Sniffing attempts • Spoofing attempts • Attempts at initiating unauthorized TCP connections • Intrusion Detection systems • Snort on SE Linux • ISS RealSecure on Windows 2000 • Tripwire • TE violations audited on SE Linux • Wrapper violations audited on Windows 2000 • AIC receives alerts and determines response strategy and actions July 25, 2001

  11. AIC Functions • ADF PEN management • Packet filtering policies, IPSEC policies • ITSI adds • Load sharing/redirection policies • Intrusion detection system interface • Anomaly logging, reporting and analysis • Response strategies • Recovery and restoration July 25, 2001

  12. Policy Server Policy Manager Web Server Web Server Audit Manager Response Server Cluster Manager ID Software Apache IIS Alert Handler Event Handler Host ID Network Response Interface Perl / CGI Perl / CGI Event Correlator ISS Server Sensor Response Initiator Response Agent Response Agent Initiator Responder Initiator Responder ITSI – Demonstration Software Architecture ITSI Developed Components ISS Manager Windows 2000 Embedded Firewall Availability and Integrity Controller (AIC) ID Software Host Network Intrusion Detection Software Snort SE Log Analyzer Operating System Security SE Linux Windows 2000 NIC Based Firewall Embedded Firewall Embedded Firewall Web Server - 1 Layered Security Architecture Web Server - 2 July 25, 2001

  13. Apache Web Server - SE Linux Response Capabilities Availability & Integrity Controller (AIC) - Windows 2000 IIS Web Server - Windows 2000 • Capabilities: • Receives Events from Web Servers • Correlates Events Based on Priority • Enables User Customizable Responses Based on Event Types • Initiates Responses • Manages Web Server Load Sharing • Manages ID Software • Controls Embedded Firewalls • Capabilities: • Detects Intrusions • Initiates Local Responses • Sends Intrusion Event Data to AIC • Performs Local Responses per AIC • Localized Recovery July 25, 2001

  14. Response Components • Send Events: • Log Event • Restart Response Agent Initiator Store Events Read New Events Event Handler • Read Config Files: • Response Configuration • Server Config • Service Data Reinitiate Load Share Thru Policy Server Shutdown Check & Restore Event Correlator Disable Source Execute Custom Responses Local Response File List of Responses Response Initiator Response Agent Responder • Send Responses: • Disable Source • Shutdown • Check & Restore July 25, 2001

  15. Priority Type Severity Source Responses Security Status 2 SUSPICIOUS HIGH NETWORK_IP_ADDRESS CHECK_RESTORE BLOCK_SOURCE_IP SECURITY_IN_QUESTION Response Configuration File Priority : Tells Correlator What Responses to Perform for Each Server Values: ( 1-4 ) where 1 is the highest. Type : Type of Event Detected Values: Intrusion – Event representing known intrusion. Suspicious – Event representing known intrusion with false positives or suspicious activity. Severity: Event Severity Values: High, Medium or Low Source: Source Associated with Event Occurrence Values: NEWORK_IP_ADDRESS, USER_ID, PROCESS_ID July 25, 2001

  16. Priority Type Severity Source Responses Security Status 2 SUSPICIOUS HIGH NETWORK_IP_ADDRESS CHECK_RESTORE BLOCK_SOURCE_IP SECURITY_IN_QUESTION Response Configuration File (cont) • Responses: Responses Performed for the Event • Custom Responses Executed on the Web Server Machine by the Responder : • CHECK_RESTORE - Expected to Check Local Server Integrity and Fix Whatever is Necessary if Possible • DISABLE_SOURCE - Expected to Disable Process ID or USER ID of the Server Machine • SHUTDOWN_REQ - Expected to Shutdown the Server • Responses Executed on the AIC by the Response Initiator : • BLOCK_SOURCE_IP – Call to Policy Server to Block Source IP on Specified Server NIC(s) • SHIFT_ALL – Call to Policy Server to Shift All Traffic From Specified Server SHIFT_EXCL_IP – Call to Policy Server to Shift All Traffic From NIC Except Specified IP & Turn Audit On July 25, 2001

  17. Technology Transition • Hardened Server OPX experiment • Commercial transition of results into Embedded Firewall product July 25, 2001

  18. Demo Scenarios July 25, 2001

  19. Server Unreachable? Receive Heartbeats Send Reset Load Sharing to NIC 1 & 2 NIC2 Server Down = True Redistribute Load to NIC 1 From All Nics To NIC 1 To NIC 1 Receive Rule to Accept Odd Traffic Receive Rule to Accept All Traffic Receive Traffic from Laptop 2 Receive Traffic from Laptop 1 Send Heartbeat Send Heartbeat Browse Web Server From AIC From AIC To AIC To AIC From Web Browsers From Web Browsers Load Sharing Demo • Load Sharing Initialization: • Load is Set via Policy Server • Demonstration is based on Even/Odd IP Address • Even IP’s Are Received by Server 1 • Odd IP’s Are Received by Server 2 ISS Manager Policy Manager Windows 2000 Audit Manager Alert Handler Event Correlator Web Server – 1 Web Server – 2 Cluster Manager Windows 2000 SE Linux IIS Web Server Apache Web Server SE Log Analz – Host ID ISS Host ID Event Handler Response Initiator Response Agent - Initiator Response Agent - Responder Response Agent - Initiator Response Agent - Responder AIC Embedded Firewall ISS Network ID Snort Network ID Embedded Firewall – NIC 1 Embedded Firewall – NIC 2 & 2 Even Traffic Browse Web Server July 25, 2001 Laptop – 1 Laptop - 2

  20. Determine Response Retrieve Events Perform Responses Send Block Request on IP Store Event Send NIC 1 Block IP Rule Receive Event: Intrusion Source – IP Send Check & Restore Response – Server 1 Port Scan Detection Receive \ Perform Check & Restore Response Send Event: Intrusion & Source IP From Server 1 To Server 1 To NIC 1 Receive Block IP Rule Port Scan Traffic From AIC Initiate Port Scan From AIC To AIC From Laptop 1 Port Scan Attack Demo - Win 2k Windows 2000 Policy Manager ISS Manager Audit Manager Alert Handler Event Correlator Cluster Manager Web Server – 1 Web Server – 2 Windows 2000 SE Linux Apache Web Server IIS Web Server SE Log Analz – Host ID ISS Host ID Event Handler Response Initiator Response Agent - Initiator Response Agent - Responder Response Agent - Initiator Response Agent - Responder Embedded Firewall AIC ISS Network ID Snort Network ID Embedded Firewall – NIC 1 Embedded Firewall – NIC 2 Laptop – 1 Laptop - 2 July 25, 2001

  21. Determine Response Retrieve Events Perform Responses Send Block Request on IP Store Event Send NIC 2 Block IP Rule Receive Event: Intrusion Source IP Send Check & Restore Response – Server 2 Send Event: Intrusion & Source IP CGI Attack Detection Receive \ Perform Check & Restore Response From Server 2 To Server 2 To NIC 2 CGI Attack Receive Block IP Rule From AIC Initiate CGI Attack To AIC From Laptop 2 From AIC CGI Attack Demo: SE Linux Windows 2000 Policy Manager ISS Manager Audit Manager Alert Handler Event Correlator Cluster Manager Web Server – 1 Web Server – 2 Windows 2000 SE Linux Apache Web Server IIS Web Server SE Log Analz – Host ID ISS Host ID Event Handler Response Initiator Response Agent - Initiator Response Agent - Responder Response Agent - Initiator Response Agent - Responder Embedded Firewall AIC ISS Network ID Snort Network ID Embedded Firewall – NIC 1 Embedded Firewall – NIC 2 Laptop – 1 Laptop - 2 July 25, 2001

  22. Determine Response Audit All Cluster Nics Retrieve Events Perform Responses Send : Shift All Handle IP Audit On Store Event Send NIC 1 – Handle IP, Audit On & Shift All From Send NIC 2 – Shift All To Except Handle IP, Audit On Receive Event: Suspicious Source IP Send Check & Restore Response – Server 1 ASP DOT Detection Receive \ Perform Check & Restore Response Send Event: Suspicious & Source IP To NIC 1 To NIC 2 From Server 1 To Server 1 Receive; Shift All To Except Handle & Audit On Receive: Shift All From, Handle IP& Audit On ASP Dot Attack From AIC Initiate ASP DOT Attack To AIC From Laptop 1 From AIC From AIC IIS Attack Demo : Win2K Windows 2000 Policy Manager Alert Handler ISS Manager Audit Manager Event Correlator Cluster Manager Web Server – 1 Web Server – 2 SE Linux Windows 2000 SE Log Analz – Host ID Apache Web Server IIS Web Server ISS Host ID Event Handler Response Initiator Response Agent - Initiator Response Agent - Responder Response Agent - Initiator Response Agent - Responder Embedded Firewall AIC Snort Network ID ISS Network ID Embedded Firewall – NIC 1 Embedded Firewall – NIC 2 Laptop – 1 Laptop - 2 July 25, 2001

More Related