[Diagram: Services in the Security Service Desk. Legend: arrow color indicates the specific subset of the Security Service Desk Common Backplane API (the DC Backplane API) implemented by the Backplane Services. Services shown: Incident Investigation Engine, Authentication Manager, Policy Projector, Boundary Manager, Policy Manager, Incident Recovery Engine, Certification Manager, Vulnerability Assessor, Response Recommendation Engine, Intrusion Correlation Engine, Discovery Coordinator, Authorization Manager, Response Selector, Decision Engine, Display Manager, Network Manager, and an Object Mgmt DB holding devices, users, certificates, security policies and authorizations. Messaging: GIDOs over the Security Service Desk Common Backplane; a CIDF / IDIP Engine message layer with Log Query; encrypted GIDOs over sockets, with or without VPN, at the communication (e.g. network) layer.] 9 Sep 1998
Discovery Coordinator / Security Service Desk Functions

Policy Projector
The purpose of the policy projector is to receive qualitative policy from the SSD Policy Server and transform it, taking into account the mission and each assigned operation with its associated information assets, into a reviewable, editable quantitative policy. The quantitative policy is then projected (distributed) to intrusion detection and response components, including the following:
· Intrusion Correlator(s)
· Response Recommendation Engine(s)
· Response Selector
· Intrusion Detector(s)
· Intrusion Responder(s)

Intrusion Correlator
The purpose of the intrusion correlator is to receive descriptions of "out of the ordinary" network events from distributed intrusion detectors and produce summaries of (potential) attacks. Two types of correlator are identified: "statistical" and "signature". Statistical correlators measure network activity to establish a baseline of "normal" activity as a function of time and activity type. Signature correlators identify potential intrusions based on a signature that may include dynamic measures and known packet contents.

Response Recommendation Engines
The purpose of the Response Recommendation Engine is to receive statements of intrusions and, based on the current network topology and type of intrusion, produce possible valid responses.
Discovery Coordinator / Security Service Desk Functions (cont.)

Response Selector
The response selection engine receives inputs from all Suggestion Engines within the scope of the Discovery Coordinator. The response recommendation engine applies a weight to each input and, using the current network topology and current response policy, selects the response that minimizes impact on the missions and supported operations. The response selector is also aware of the status of the Discovery Coordinator. If the Response Selector detects that the Discovery Coordinator operation has been compromised in any way, as indicated by DC_Not OK, then . . .
If the Response Selector detects that the Security Service Desk operation has been compromised in any way, as indicated by SSD_Not OK, then, if the Backup_SSD has been defined, the Response Selector establishes itself with the Backup_SSD and messages from the former primary SSD are ignored.

Log Query
The Log Query provides the capability to request a search of the Discovery Coordinator Log based on event types and / or time periods. The Log Query also provides the capability to request that periodic reports, as a function of event type, be sent to a system asset.

Backplane Server
The backplane server provides common services required by Discovery Coordinator applications, including:
(i) Process registration
(ii) Host registration
(iii) Command Routing
(iv) Health Monitoring
(v) Response Formatting
(vi) Logging
(vii) Event Triggering
(viii) Time Triggering
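The Response Selector behaviour described above (weighted inputs from several Response Recommendation Engines, minimum-impact selection under the current response policy, and failover to the Backup_SSD on SSD_Not OK) as a small added Python model. This is a constructed illustration, not code from the 1998 Discovery Coordinator project; the engine weights, impact scores, policy set and status strings are assumptions, and the DC_Not OK branch is omitted because the slide leaves it unspecified.

```python
# Constructed model of the slide's Response Selector: weighted inputs from
# Response Recommendation Engines, minimum-mission-impact selection under the
# current response policy, and failover to Backup_SSD on "SSD_Not OK".
# Weights, impact scores, policy set and status strings are assumptions.
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Recommendation:
    engine: str            # which Response Recommendation Engine produced it
    response: str          # proposed intrusion response (name assumed)
    mission_impact: float  # engine's estimate of impact on missions, 0.0 - 1.0

@dataclass
class ResponseSelector:
    engine_weights: Dict[str, float]  # trust weight applied to each engine's input
    allowed_responses: Set[str]       # current response policy (assumed form)
    primary_ssd: str
    backup_ssd: Optional[str] = None
    active_ssd: str = field(init=False)
    ignored_ssds: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        self.active_ssd = self.primary_ssd

    def select(self, recs: List[Recommendation]) -> Optional[str]:
        """Weighted-average impact per response, drop policy-forbidden ones, take the minimum."""
        weighted = defaultdict(float)
        total_w = defaultdict(float)
        for r in recs:
            w = self.engine_weights.get(r.engine, 1.0)
            weighted[r.response] += w * r.mission_impact
            total_w[r.response] += w
        scores = {resp: weighted[resp] / total_w[resp]
                  for resp in weighted if resp in self.allowed_responses}
        return min(scores, key=scores.get) if scores else None

    def on_ssd_status(self, source_ssd: str, status: str) -> bool:
        """Handle an SSD health message; return True if failover occurred."""
        if source_ssd != self.active_ssd or status != "SSD_Not OK":
            return False
        if self.backup_ssd is None:
            return False  # no Backup_SSD defined: nothing to fail over to
        self.ignored_ssds.add(self.active_ssd)  # former primary is ignored from now on
        self.active_ssd = self.backup_ssd
        return True

    def accepts(self, source_ssd: str) -> bool:
        # Messages are accepted only from the SSD the selector is established with.
        return source_ssd == self.active_ssd and source_ssd not in self.ignored_ssds
```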
[Diagram: Discovery Coordinator Functions, Context and Top Level Flow. Components: Policy Projector (Editable IDR Policy, Coordination & Numerical Weighting Parms, Local Domain Topology, reached through the Object Base GUI and ODB API, with Security Administrator adjustments), Correlate Intrusions (pluggable, e.g. "GrIDS"), Produce Response Recommendations (pluggable, e.g. "Decision Engine", "Cost Model"), Response Selector, Log Query, Policy Extractor, Network Manager (NwM API), Situation Awareness Component (SAC, with Intrusion Detection and Intrusion Response Situation Displays), and the Backplane Server in the Service Layer providing (i) Process registration, (ii) Host registration, (iii) Command Routing, (iv) Health Monitor, (v) Response Formatter, (vi) Logger, (vii) Event Trigger, (viii) Time Trigger. An "is runtime" OR gate sits between the Policy Projector and the Intrusion Detection & Response Components; ** marks the Policy Manager. Flows: (1) Heartbeat with InfoCon State and Slide Bar over the DC API; (2) to (6) Downloaded Intrusion Detection and Response Policy Commands; (7) Event Trigger Requests; (8) Report_Requests; (9) Examine Log Cmds. Other labelled flows: IDR Coord. Parameters (as GIDOs), Refined Numerical Weighting and Response Policy, Intrusion Descriptions (as GIDOs), Attack Summary, Valid, Reasonable Responses, Recommended Intrusion Response, Response Authorization, Intrusion Responses (as GIDOs) via the NwM API, and Query Responses to the Situation Awareness Component.]
Discovery Coordinator Architecture

Application Layer: Response Selector, Intrusion Correlator(s), Response Recommendation Engine(s), Log Query, DC Policy Projector. Application-layer interfaces: Nw Mgr API, ODB API, DC API.
Service Layer: DC Backplane Server providing (i) Process registration, (ii) Host registration, (iii) Command Routing, (iv) Health Monitor, (v) Response Formatter, (vi) Logger, (vii) Event Trigger, (viii) Time Trigger.
SSD Supplied Assurance protocols: (i) Reliable Transport, (ii) Cryptographic authentication of nodes, (iii) Privacy (Encryption).
Message Layer*: CIDF / IDIP Engine.
Communication (e.g. Network Layer): Sockets, with / without VPN.

*Note: For the other SSD modules to communicate with DC modules (of the SSD), this architecture requires that (1) the SSD use the DC Backplane services and (2) the SSD use either the CIDF / IDIP Engine or another mutually agreeable Message layer which provides: (i) Reliable Transport, (ii) Cryptographic authentication of nodes, and (iii) Privacy (Encryption).

Legend: [symbol] = pluggable components such as GrIDS, Emerald, . . .