160 likes | 251 Views
Intrusion Tolerant Server Infrastructure. Dick O’Brien OASIS PI Meeting February 14, 2001. Outline. Technical Objectives Technical Approach Architecture System Components Operational Approach Intrusion Detection Response/Recovery Traffic Rerouting 4 Questions. Technical Objective.
E N D
Intrusion Tolerant Server Infrastructure Dick O’Brien OASIS PI Meeting February 14, 2001
Outline • Technical Objectives • Technical Approach • Architecture • System Components • Operational Approach • Intrusion Detection • Response/Recovery • Traffic Rerouting • 4 Questions 2/14/2001
Technical Objective • Use independent network layer enforcement mechanisms to: • Reduce intrusions • Prevent propagation of intrusions that do occur • Provide automated load shifting when intrusions are detected • Support automated server recovery 2/14/2001
Technical Approach • Intrusion tolerant server components • Policy Enforcing Network Interface Cards (PENs) to provide network layer controls • Availability and Integrity Controller (AIC) to manage policy on the PENs and provide recovery and restoration functions 2/14/2001
Web Server 1 Apache Linux Intel hw Web Server 2 IIS Windows 2K Intel hw AIC Intelligence Control PEN PEN PEN ITSI Architecture Network Client Client 2/14/2001
Policy Enforcing NICs • Using the PEN being developed by SCC on the DARPA funded programs: RDPF and ADF (SWIMM) • ADF PENs are network interface cards that have been enhanced to provide additional controls • Packet Filtering • IPSEC support • Network layer audit • Host independent • Centrally managed • ITSI adds • Load balancing/packet redirection • Additional management capabilities 2/14/2001
AIC Functions • ADF PEN management • Packet filtering policies, IPSEC policies • ITSI adds • Intrusion detection system interface • Anomaly logging, reporting and analysis • Load balancing/redirection policies • Response strategies • Recovery and restoration 2/14/2001
Additional Components • Hardened Servers • Apache on Linux • Use Secure Linux with type enforcement • IIS on Windows 2000 • Use wrapper technology • Web Monitoring and Recovery • Commercial products: e.g. WebAgain • System Monitoring • e.g. OS auditing 2/14/2001
Operational Approach • Heterogeneous servers • Detect intrusions into or faults on a server • Perform selective rerouting to ensure that benign users receive uninterrupted service • Identify corrupted data and restore it • Bring the server back on line and perform load balancing 2/14/2001
Intrusion Detection • AIC receives alerts and determines response strategy and actions • Intrusion identification based on • COTS and GOTS ID systems • via SNMP alerts to the AIC • Audit events from the PEN • such as attempts at initiating disallowed connections • Web monitoring software alerts • OS alerts 2/14/2001
Response/Recovery • Actions taken to recover from an intrusion • Via the PEN • Reroute traffic to the other server • Actively fishbowl the intruder • Once fishbowling is completed, restrict all traffic to the server except authenticated traffic from the AIC • When recovery is completed, return to enforcing the normal policy (with the intruder blocked if possible) 2/14/2001
Response/Recovery • Actions taken to recover from an intrusion • Via the AIC • Determine the best response strategy • Reconfigure the PEN as appropriate • Attempt to identify the source of the intrusion • Inform other system security components of the intrusion • Initiate recovery of critical server and web files • Return the web server to normal operational mode 2/14/2001
Traffic Rerouting • Possible approaches • Network load balancing: each server receives all packets and discards (at the PEN level) those being handled by the other server • algorithm that controls which packets each PEN accepts can be changed dynamically • Packet redirection: round-robin DNS initially but each server monitors its activity level and redirects packets to the other server when the level is too high 2/14/2001
Threats/Attacks Addressed • Attacks aimed at bringing down a server, such as attacks that might cause the server to crash • Attacks aimed at compromising a server’s data, such as modification of web pages • Attacks aimed at taking over a server, so that it can be used as the basis for further attacks • Attacks from a compromised server, so that even if the compromise is unrecognized, the amount of damage that can be done is limited 2/14/2001
Assumptions • Each server has a policy enforcing NIC (PEN) on it • The web servers used are heterogeneous • Current research and commercial intrusion/detection systems (including network based, host based and products such as webagain) and additional PEN auditing can determine when a server has been compromise. 2/14/2001
Policies Enforced • Network access control policies: who can access the servers (at the PEN level) • Confinement policies: network access that a compromised server has is limited (whether or not the compromise is detected). If the compromise is detected, the server can be detached from the network. • Response and Recovery policies: what actions should be taken to recover from the compromise and to prevent similar compromises in the future. • Load balancing/redirection policies: load balanced between servers during normal operation and redirection from one server to another if a compromise is detected 2/14/2001