1 / 16

Intrusion Tolerant Server Infrastructure

Intrusion Tolerant Server Infrastructure. Dick O’Brien OASIS PI Meeting February 14, 2001. Outline. Technical Objectives Technical Approach Architecture System Components Operational Approach Intrusion Detection Response/Recovery Traffic Rerouting 4 Questions. Technical Objective.

malachi-cooley
Download Presentation

Intrusion Tolerant Server Infrastructure

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Intrusion Tolerant Server Infrastructure Dick O’Brien OASIS PI Meeting February 14, 2001

  2. Outline • Technical Objectives • Technical Approach • Architecture • System Components • Operational Approach • Intrusion Detection • Response/Recovery • Traffic Rerouting • 4 Questions 2/14/2001

  3. Technical Objective • Use independent network layer enforcement mechanisms to: • Reduce intrusions • Prevent propagation of intrusions that do occur • Provide automated load shifting when intrusions are detected • Support automated server recovery 2/14/2001

  4. Technical Approach • Intrusion tolerant server components • Policy Enforcing Network Interface Cards (PENs) to provide network layer controls • Availability and Integrity Controller (AIC) to manage policy on the PENs and provide recovery and restoration functions 2/14/2001

  5. Web Server 1 Apache Linux Intel hw Web Server 2 IIS Windows 2K Intel hw AIC Intelligence Control PEN PEN PEN ITSI Architecture Network Client Client 2/14/2001

  6. Policy Enforcing NICs • Using the PEN being developed by SCC on the DARPA funded programs: RDPF and ADF (SWIMM) • ADF PENs are network interface cards that have been enhanced to provide additional controls • Packet Filtering • IPSEC support • Network layer audit • Host independent • Centrally managed • ITSI adds • Load balancing/packet redirection • Additional management capabilities 2/14/2001

  7. AIC Functions • ADF PEN management • Packet filtering policies, IPSEC policies • ITSI adds • Intrusion detection system interface • Anomaly logging, reporting and analysis • Load balancing/redirection policies • Response strategies • Recovery and restoration 2/14/2001

  8. Additional Components • Hardened Servers • Apache on Linux • Use Secure Linux with type enforcement • IIS on Windows 2000 • Use wrapper technology • Web Monitoring and Recovery • Commercial products: e.g. WebAgain • System Monitoring • e.g. OS auditing 2/14/2001

  9. Operational Approach • Heterogeneous servers • Detect intrusions into or faults on a server • Perform selective rerouting to ensure that benign users receive uninterrupted service • Identify corrupted data and restore it • Bring the server back on line and perform load balancing 2/14/2001

  10. Intrusion Detection • AIC receives alerts and determines response strategy and actions • Intrusion identification based on • COTS and GOTS ID systems • via SNMP alerts to the AIC • Audit events from the PEN • such as attempts at initiating disallowed connections • Web monitoring software alerts • OS alerts 2/14/2001

  11. Response/Recovery • Actions taken to recover from an intrusion • Via the PEN • Reroute traffic to the other server • Actively fishbowl the intruder • Once fishbowling is completed, restrict all traffic to the server except authenticated traffic from the AIC • When recovery is completed, return to enforcing the normal policy (with the intruder blocked if possible) 2/14/2001

  12. Response/Recovery • Actions taken to recover from an intrusion • Via the AIC • Determine the best response strategy • Reconfigure the PEN as appropriate • Attempt to identify the source of the intrusion • Inform other system security components of the intrusion • Initiate recovery of critical server and web files • Return the web server to normal operational mode 2/14/2001

  13. Traffic Rerouting • Possible approaches • Network load balancing: each server receives all packets and discards (at the PEN level) those being handled by the other server • algorithm that controls which packets each PEN accepts can be changed dynamically • Packet redirection: round-robin DNS initially but each server monitors its activity level and redirects packets to the other server when the level is too high 2/14/2001

  14. Threats/Attacks Addressed • Attacks aimed at bringing down a server, such as attacks that might cause the server to crash • Attacks aimed at compromising a server’s data, such as modification of web pages • Attacks aimed at taking over a server, so that it can be used as the basis for further attacks • Attacks from a compromised server, so that even if the compromise is unrecognized, the amount of damage that can be done is limited 2/14/2001

  15. Assumptions • Each server has a policy enforcing NIC (PEN) on it • The web servers used are heterogeneous • Current research and commercial intrusion/detection systems (including network based, host based and products such as webagain) and additional PEN auditing can determine when a server has been compromise. 2/14/2001

  16. Policies Enforced • Network access control policies: who can access the servers (at the PEN level) • Confinement policies: network access that a compromised server has is limited (whether or not the compromise is detected). If the compromise is detected, the server can be detached from the network. • Response and Recovery policies: what actions should be taken to recover from the compromise and to prevent similar compromises in the future. • Load balancing/redirection policies: load balanced between servers during normal operation and redirection from one server to another if a compromise is detected 2/14/2001

More Related