Icarus: A Revolution in Distributed Security Management Rob Bird, University of Florida Gregory Marchwinski, Red Lambda Inc.

Agenda The Problem The Solution - Icarus Icarus System Architecture Icarus Features Use Case Summary

The Problem From the SALSA-Netauth document Strategies for Automating Network Policy Enforcement: “The major security challenge facing university residential networks and other large-scale end-user networks is the thousands of privately owned and unmanaged computers directly connected to an institution's relatively open, high- speed Internet connections. Security policy enforcement is often lax due to a lack of central control over end-user computers and an inability to tie the actions of these computers to particular individuals. A few times a year there are surge events, including the predictable start of each semester and the unpredictable and increasingly frequent reactions to large-scale security incidents, that require massive support intervention.” Current security products lack the sophistication to control & stop P2P networks & defend against mass infection by malware/malusers. Highly Fragmented Network Security & Management marketplace – many point solutions, many appliances, no central architecture, little automation Human intervention is necessary to manage security tasks such as P2P & process vast amounts of data – often overwhelming existing IT Staff members

The Solution - Icarus Developed at the University of Florida in December 2002 to automate security and policy enforcement –In production on 10,000 user residential network since 2003 –Now on version 2 Automatically performs policy-based admission control, mitigates P2P networks, complex malware scenarios and manages adherence to university security policy Distributed framework – enables security and network management via three key elements - Neuron Microkernel, Collaborative Grid, Peer Management Console Patent Pending –developed as an open standards middleware collaborative grid system to utilize all connected resources to defend / manage the network Recognized by industry analysts and highlighted in numerous technical publications

Icarus System Architecture

Product Features Java 5 XML-based policy and messaging architecture allows complex workflow automation via graphical or text editor Lightweight microkernel features component-based architecture which allows third party applications, libraries (Java and C/C++) and scripts (Perl and Python/Jython) to be combined and used as elements in the workflow –EG: Existing UF implementation integrates into network registration, security appliances, network hardware, trouble ticketing, billing, judicial management and captive information portal Allows the easy combination of L2, L3 and L7 detection, isolation, notification and remediation techniques Equally suited to wired or wireless networks Drives behavioral change of students by sending a clear and consistent message –Traffic enforcement cameras vs. Citation by policeman

Product Features Extensible solution to management issues such as: –P2P network abuse –Viral and worm attacks –Spam relays - automatically contains –Spyware –Botnets –Outbound malicious behavior such as port scans, exploit scans, etc.

Product Features Hierarchical administration levels enables multiple views and span of control via console to reflect organizational boundaries and federated management schemes Ability to quickly change automatic behavior of system via graphical work flow interface or built-in command editor Extensive reporting engine helps generate compliance and exception reports for internal and third party use

Product Features

Use Case – UF In production since 2003 Automates complete registration, detection, isolation, notification and remediation workflow for P2P, malware and maluser scenarios P2P policy enforcement –No DMCA complaints since 2003 –1 st Offense: 15 minute campus-only restriction –2 nd Offense: 5 day campus-only restriction –3 rd Offense: Refer to judicial affairs –Automatically generates remediation and education content for captive information portal Malware/Maluser policy enforcement –Classful isolation system, different isolation types depending on situation –Automatically generates remediation and education content for captive information portal

Use Case – UF Access Level Requires Registration? Destination Restrictions ? Routed?Notes GuestNoYes Allows access to registration and information sites only RestrictedYes Allows access to University resources only QuarantineSpecialYesNoAllows access to local network quarantine resources Black HoleSpecialYesNoUntrunked, Unrouted NormalYesNoYesTypical User Wireless GuestNoYes Allows access to registration and information sites only Wireless Restricted Yes Allows access to University resources only Wireless Quarantine SpecialYesNoAllows access to local network quarantine resources Wireless Normal YesNoYesTypical User TerminatedNo Service Last resort

Use Case – UF st Offense nd Offense rd Offense Total Offender RatesRecidivism Rates Pre-Icarus % of residents using P2P54.67% Post-Icarus % of total residents w/1 st Offense27.64% of 1 st to 2 nd Offense21.01% % of total residents w/2 nd Offense5.81% of 2 nd to 3 rd Offense15.67% % of total residents w/3 rd Offense0.91% of 1 st to 3 rd Offense3.29% *NOTE: Offender and Recidivism Rates do not include

Case Study – UF

Summary Patent-pending technology features fully-distributed collaborative grid architecture for distributed security and network management Architecture designed to enable product enhancements and quick addition / distribution of new modules Easily leverages security tools and methods thereby increasing the value of existing software/system investments P2P Mitigation being deployed in October to early adopters, GA in December Pricing per user per year with extensive educational discount structure In production for over 2.5 years at the University of Florida managing over 10,000 users

Questions? Rob Bird – Greg Marchwinski – Other information: