DISA Cyclops Program.

CENTAUR Background
- DISA has collected unsampled flow data from every Internet access point for over 15 years through a program called CENTAUR
- DISA advertises routes for roughly 8% of the Internet’s IPv4 address space, with CenturyLink as their ISP
- CENTAUR is SiLK-based and has thousands of users globally

2017 Goals
- Collect unsampled network flow data from the DoD’s ISP infrastructure via “Data as a Service” (DaaS)
- Focus on visibility into all inbound traffic to harvest threat intelligence
  - Scanning activity
  - Backscatter
- Acquire transport for flow data through the ISP
- Reduce cost
- Improve scalability and adaptability of metadata collection
- Test the “Security as a Service” model

Solution: “Cyclops”
- 200 Mb/s dedicated backhaul network from each IAP
  - Each site can handle maximum theoretical load at the IAP
  - Rapidly expandable by at least 8x
- Flow data and additional metadata
  - SiLK (CENTAUR) and Argus (NGS) compatible data
  - HTTP headers
  - DNS data
  - Client & server banners
  - SSL & TLS certificate collection
  - Indicators & warnings
  - PCAP if required (it is not at this time)

“Core Values”
- Tool, data format, and vendor agnostic
- Requirements are for data and capabilities
- Data additions, additional processes, and changes take less than 60 days worst case
- Provides the data feed and streaming analysis of data, not the forensic data store

Cyclops – Concept
- Leveraged DHS IPSS & Einstein experience
- Concept:
  - Provide managed security service within ISP domain
  - Transfer acquisition burden from DoD to ISP
  - Leverage commercial data centers – only use what’s needed
  - Utilize commercial ISP backbone to deliver data
  - Establish foundation to expand “security and data as a service” model
  - Maintain existing Internet availability SLAs
  - Provide indications & warnings to support threat intelligence

Cyclops Capabilities
- Dedicated DoD commercial hosting space for each Internet point
- Open Sensor Platform Infrastructure
  - Exceed performance requirements for multiple 10Gbps connections
  - Designed with fault tolerance
  - Rapid expansion without re-engineering
  - Vendor agnostic and requirements based
  - Copy traffic to RedJack sensors
- Capabilities
  - Dynamically load balance both active and passive capabilities
  - Filter/drop traffic and still generate flows
  - Tag/label packets with context to sensors

“As-a-Service”
Challenge: Scalability & Performance
  Solution: Transition the scalability and performance risk via a Single Provider SLA
  Outcome: Technologies become scalable with bandwidth increases
Challenge: Funding
  Solution: Pay by the Glass Managed Service; utilize saved resources to advance state-of-the-art
  Outcome: Predictable O&M-based cost with overall cost reductions; more resources directly address advanced threats
Challenge: Keeping Pace with “State of the Art”
  Solution: Requirements-driven, commercially agile solution
  Outcome: DISA can focus on how to use the data, not how to get it

“General” Security Traffic Flow
[Diagram; labels recovered from the slide: ISP, “? Dropping traffic?”, Firewall, Logs for SIEM, “Next Gen” Flow Data, Web Filter, Enterprise]

Consequences
- Flow data is “post-filtering” for a number of practical reasons
- Records of blocks and filtering typically land “somewhere else”
- We don’t have ISP insights at all
- Leveraging NetFlow from routers means sampling
- What we really want is all our Internet communications, to understand the threat

“General” Security Traffic Management
[Diagram; labels recovered from the slide: ISP, ISP Insights, Firewall, Logs for SIEM, “Next Gen” Flow Data, Web Filter, Enterprise]

Consequences
- We see flow data from the Internet, before we filter it, with any ISP “insights”
- We see all the data we send to the Internet after we filter it
- We have what we need on the inbound feed to understand the entire threat
- And we have 100X more data now…

What the flow data looks like
[Chart; labels recovered from the slide: Routed Scans, “Legitimate” Traffic, “Distributed Scanning”]
- Scans: vast, unanswered requests from individual hosts
- Distributed scanning: vast, unanswered requests from roughly as many hosts as there are requests

What are they looking for? *

Technical Challenge: Scaling and Adapting
- Scans must be summarized!
  - You could see more data from a single scan than you see in a month!
  - The effect of including all scan flows may be an overall reduction
- DNS context is absolutely essential
  - “amazonaws.com” could be anyone!
- Support bandwidth expansion with minimal impact

Technical Challenge: Compatibility
- We support:
  - SiLK
  - Argus*
  - Data serialization formats
- This is a lot of data to be transforming… Collect it in whatever format you’ll be storing it in

Technical Challenge: Malicious Activity
- Scan records are SiLK flows with the destination addresses masked to a /16
- Added bidirectional tagging to SiLK
- We have not yet determined the optimal way to deal with “distributed scans”, and one of the reasons we are here is for ideas
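The three ideas the slides sketch (bidirectional tagging of flows, collapsing a single host's unanswered requests into scan records with the destination masked to a /16, and recognising "distributed scanning" where there are roughly as many sources as requests) are shown below on constructed flow records. This is an added example and not DISA, CENTAUR or Cyclops code; the record fields (sip, sport, dip, dport, packets), the thresholds, and the "unanswered means no reverse flow was seen" rule are assumptions made for illustration, not SiLK's actual record layout or the program's tuning.

```python
"""Scan summarisation over simplified flow records (added example, not
CENTAUR/Cyclops code).  Record field names and thresholds are assumptions."""
from collections import defaultdict
import ipaddress


def make_flows():
    """Constructed unidirectional flow records in three populations."""
    flows = []
    # one host sweeping TCP/22 across 50 addresses; no reply flows exist
    for host in range(1, 51):
        flows.append(dict(sip="203.0.113.5", sport=40000 + host,
                          dip=f"192.0.2.{host}", dport=22, packets=1))
    # a legitimate session: the request and the reply flow
    flows.append(dict(sip="198.51.100.7", sport=51234, dip="192.0.2.10", dport=443, packets=12))
    flows.append(dict(sip="192.0.2.10", sport=443, dip="198.51.100.7", dport=51234, packets=10))
    # distributed scan: 40 sources, one unanswered probe each on TCP/23
    for i in range(40):
        flows.append(dict(sip=f"203.0.113.{100 + i}", sport=33000 + i,
                          dip=f"192.0.2.{i + 1}", dport=23, packets=1))
    return flows


def dest16(ip):
    """Mask a destination address to its /16, as the scan records do."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def tag_answered(flows):
    """Bidirectional tagging (assumption): a flow is 'answered' when a flow
    with the reversed 4-tuple was also seen."""
    seen = {(f["sip"], f["sport"], f["dip"], f["dport"]) for f in flows}
    for f in flows:
        f["answered"] = (f["dip"], f["dport"], f["sip"], f["sport"]) in seen
    return flows


def summarize_scans(flows, min_unanswered=20):
    """Collapse each scanning host's unanswered requests into one count per
    (source, destination /16, destination port)."""
    per_src = defaultdict(list)
    for f in flows:
        if not f["answered"]:
            per_src[f["sip"]].append(f)
    summaries = {}
    for sip, unanswered in per_src.items():
        if len(unanswered) < min_unanswered:
            continue  # too few to call this host a scanner
        counts = defaultdict(int)
        for f in unanswered:
            counts[(sip, dest16(f["dip"]), f["dport"])] += 1
        summaries.update(counts)
    return summaries


def detect_distributed(flows, min_sources=25, max_per_source=2):
    """Distributed scanning: on one destination port, many sources each
    sending only a request or two, so sources ~= requests."""
    per_port = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if not f["answered"]:
            per_port[f["dport"]][f["sip"]] += 1
    findings = {}
    for dport, sources in per_port.items():
        low_rate = {s: n for s, n in sources.items() if n <= max_per_source}
        if len(low_rate) >= min_sources:
            findings[dport] = dict(sources=len(low_rate), requests=sum(low_rate.values()))
    return findings


if __name__ == "__main__":
    flows = tag_answered(make_flows())
    print("scan records:", summarize_scans(flows))      # 50 flows become 1 record
    print("distributed:", detect_distributed(flows))    # port 23: 40 sources, 40 requests
```

On this input the 50 probes from the single scanner collapse to one record keyed on the /16, which is the data reduction the slide mentions, while the 40 single-probe sources never cross the per-host threshold and are only visible when the records are grouped by destination port instead of by source.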