Protection of an Open Computing Environment
James Rothfuss, Computer Protection Program Manager, Lawrence Berkeley National Laboratory
Internet2 Security at Line Speed Workshop, August 12, 2003

Presentation will cover:
Types of Protection
Berkeley Lab Philosophy
Bro
NETS

Classical Notion of Security: Secure, Restrict, Control, Hide

Often "Classical Security" is not appropriate
The tools can be so secure that their value is marginal.
Consider: when the goal is RESEARCH, a missed scientific breakthrough may be more costly and damaging than the worst "hacker" incident.

Protection spectrum (figure): Classified, Commercial, Academic
Protective measures can be different without being less effective.

Lawrence Berkeley National Laboratory 6 Service Protection vs Information Protection

Primary protection concerns (figure): Weapons Research, Open Research, Usenet newsgroups, Yahoo, Online Store and Banking placed against two axes, Service Protection and Information Protection.

"Threat" Based Protection: protective measures are based on the known attacks. Examples: Antivirus, Intrusion Detection, Bro.
"Vulnerability" Based Protection: system weaknesses are identified and protected. Examples: Firewalls, Patching, NETS.

Underlying LBNL Philosophies
Open by default, restrict as necessary
Protect rather than Secure
Utilize both Threat and Vulnerability Protection
Strive for Dynamic Protection
Protecting an Open Environment is NOT EASY
Quality People are extremely important

LBL Intrusion Detection - Bro ("Threat" Based Protection)
Analyzes network traffic for attacks and policy violations
Operational 24x7 since 1996 (> 4 billion connections monitored & archived)
Coupled with the border router, provides an adaptive firewall
Currently deployed at LBNL, NERSC, UCB, JGI, ESNET, ICSI …

How Bro Works
Taps the GigEther fiber link passively and sends up a copy of all network traffic.
The kernel filters the high-volume packet stream down via the standard libpcap packet capture library, using a tcpdump filter.
The "event engine" distills the filtered stream into high-level, policy-neutral events reflecting the underlying network activity
–E.g., connection_attempt, http_reply, user_logged_in
The "policy script" processes the event stream and incorporates:
–Context from past events
–The site's particular policies
… and takes action:
–Records to disk
–Generates alerts via syslog or paging
–Executes programs as a form of response
Figure (pipeline): Network → libpcap (tcpdump filter) → Filtered Packet Stream → Event Engine → Event Stream → Policy Script Interpreter → Real-time Notification and Record To Disk. Event Control runs back from the policy script to the event engine.

Bro policy scripts
Written in a specialized language for networks:
–Network types (IP addresses, connections, protocols, etc.)
–Typed constants and variables
–Network operators (comparison, ranges, etc.)
–Control statements (IF/THEN, etc.)
–Regular expressions
Can:
–Generate alerts
–Reset connections
–Call exterior programs
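The pipeline on the "How Bro Works" slides and the policy-script capabilities listed above, as an added example that is not Bro's code: a small Python model in which each stage is an explicit function, run over a constructed packet trace. The kernel filter is a port set standing in for a tcpdump expression, the event engine emits connection_attempt, connection_established and http_reply events, and a Policy class plays the policy script, keeping context across events (distinct local hosts probed per outside source) and taking the three actions the slides name. The site prefix, the permitted telnet server, the scan threshold and the drop-source border-router command are assumptions made for this example; real Bro policy is written in Bro's own language, not Python.

```python
"""Model of the Bro pipeline: tap -> libpcap filter -> event engine -> policy script.

Added illustration, not Bro's own code. Real Bro writes the filter as a tcpdump
expression, the event engine in C++, and the policy in Bro's own language.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SITE_NET = ip_network("128.3.0.0/16")   # assumed: stands in for the site's address space
TELNET_SERVERS = {"128.3.10.5"}         # assumed site policy: the only host allowed to offer telnet
SCAN_THRESHOLD = 3                       # assumed: distinct local hosts probed before a source is a scanner
BPF_PORTS = {22, 23, 80}                 # stands in for the tcpdump filter "tcp port 22 or 23 or 80"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "S" = SYN, "SA" = SYN/ACK, "PA" = data segment
    payload: bytes = b""


# Constructed trace standing in for what the passive tap hands to libpcap.
PACKETS = [
    Packet("10.9.8.7", 40001, "128.3.1.1", 22, "S"),
    Packet("10.9.8.7", 40002, "128.3.1.2", 22, "S"),
    Packet("10.9.8.7", 40003, "128.3.1.3", 22, "S"),        # third distinct host: scan threshold reached
    Packet("10.9.8.7", 40004, "128.3.1.4", 22, "S"),        # still recorded, source already blocked
    Packet("128.3.20.9", 50001, "128.3.10.5", 23, "S"),     # telnet to the permitted telnet server
    Packet("128.3.20.9", 50002, "128.3.10.6", 23, "S"),     # telnet to a host not permitted to run it
    Packet("128.3.10.6", 23, "128.3.20.9", 50002, "SA"),
    Packet("203.0.113.5", 51000, "128.3.30.1", 80, "S"),
    Packet("128.3.30.1", 80, "203.0.113.5", 51000, "SA"),
    Packet("128.3.30.1", 80, "203.0.113.5", 51000, "PA",
           b"HTTP/1.0 200 OK\r\nServer: Apache/1.3.26\r\n\r\n"),
    Packet("128.3.30.1", 443, "203.0.113.5", 51001, "PA", b"\x16\x03\x01"),  # dropped by the filter
]


def bpf_filter(packets):
    """Stage 1: the kernel-side tcpdump filter; Bro only ever sees what passes here."""
    return [p for p in packets if p.sport in BPF_PORTS or p.dport in BPF_PORTS]


def event_engine(packets):
    """Stage 2: turn packets into policy-neutral (event name, fields) pairs."""
    for p in packets:
        if p.flags == "S":
            yield "connection_attempt", {"orig": p.src, "resp": p.dst, "service": p.dport}
        elif p.flags == "SA":
            yield "connection_established", {"orig": p.dst, "resp": p.src, "service": p.sport}
        elif p.flags == "PA" and p.payload.startswith(b"HTTP/"):
            status = int(p.payload.split(b"\r\n", 1)[0].split()[1])
            m = re.search(rb"Server: ([^\r\n]+)", p.payload)   # regex pulls the banner out of the reply
            server = m.group(1).decode() if m else ""
            yield "http_reply", {"resp": p.src, "status": status, "server": server}


class Policy:
    """Stage 3: the policy script. Keeps context across events and acts on it."""

    def __init__(self):
        self.probed = defaultdict(set)   # outside source -> distinct local hosts it has touched
        self.blocked = set()
        self.log = []                    # "records to disk"
        self.alerts = []                 # "generates alerts via syslog or paging"
        self.commands = []               # "executes programs as a form of response"

    def handle(self, name, ev):
        getattr(self, name)(ev)

    def connection_attempt(self, ev):
        orig, resp, service = ev["orig"], ev["resp"], ev["service"]
        self.log.append(f"conn {orig} -> {resp}:{service}")
        local_target = ip_address(resp) in SITE_NET
        # Site policy: telnet is only permitted to the designated server.
        if service == 23 and local_target and resp not in TELNET_SERVERS:
            self.alerts.append(f"policy: telnet to unauthorised server {resp} from {orig}")
        # Context from past events: count distinct local hosts each outside source probes.
        if local_target and ip_address(orig) not in SITE_NET:
            self.probed[orig].add(resp)
            if len(self.probed[orig]) >= SCAN_THRESHOLD and orig not in self.blocked:
                self.blocked.add(orig)
                self.alerts.append(f"scan: {orig} probed {len(self.probed[orig])} local hosts")
                self.commands.append(f"drop-source {orig}")   # assumed border-router command

    def connection_established(self, ev):
        self.log.append(f"established {ev['orig']} -> {ev['resp']}:{ev['service']}")

    def http_reply(self, ev):
        self.log.append(f"http {ev['resp']} {ev['status']} server={ev['server']!r}")


def run_pipeline(packets):
    policy = Policy()
    for name, ev in event_engine(bpf_filter(packets)):
        policy.handle(name, ev)
    return policy


if __name__ == "__main__":
    result = run_pipeline(PACKETS)
    print("\n".join(result.alerts + result.commands))
```

Two properties of the real system show through the model: the 443 segment never reaches the policy layer because the kernel filter discards it, so whatever the filter omits is invisible to every later stage; and the scan alert fires on the third distinct target and only once, because the decision depends on state the script accumulated from earlier connection_attempt events rather than on any single packet.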

Teasers
Stepping Stone Detection (Telnet to SSH to Host)
Non-standard port backdoor detection
Work with Force Ten and Juniper for tighter "firewall" integration
Real Experiences
–Max Butler (aka MaxVision)
–Worms (Code Red, Nimda)
–Three-letter agency "gray hat"
–Boyz from Brazil

Want to know more?
V. Paxson, Bro: A System for Detecting Network Intruders in Real-Time. Proceedings of the 7th USENIX Security Symposium, San Antonio, TX, January 1998. A later version appears in Computer Networks, 31(23-24), pp. 2435-2463, 14 Dec 1999.
Y. Zhang and V. Paxson, Detecting Backdoors. Proc. 9th USENIX Security Symposium, August 2000.
Y. Zhang and V. Paxson, Detecting Stepping Stones. Proc. 9th USENIX Security Symposium, August 2000.
M. Handley, C. Kreibich and V. Paxson, Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. Proc. 10th USENIX Security Symposium, August 2001.
S. Staniford, V. Paxson and N. Weaver, How to 0wn the Internet in Your Spare Time. Proc. 11th USENIX Security Symposium, August 2002.
D. Donoho, A. G. Flesia, U. Shankar, V. Paxson, J. Coit and S. Staniford, Multiscale Stepping-Stone Detection: Detecting Pairs of Jittered Interactive Streams by Exploiting Maximum Tolerable Delay. Proc. RAID 2002.
D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford and N. Weaver, The Spread of the Sapphire/Slammer Worm. Technical report, February 2003.
R. Pang and V. Paxson, A High-level Programming Environment for Packet Trace Anonymization and Transformation. Proc. ACM SIGCOMM 2003, to appear.
R. Sommer and V. Paxson, Detecting Network Intruders Using Contextual Signatures. In submission.

"Vulnerability" Based Protection: NETS, the Network Equipment Tracking System

Current Method of Vulnerability Based Protection
Analyze the network
Guess at "reasonable" firewall rules
Hope the rules stay current (assumes a static network)
Figure: a "Range of Protection" axis running from Safety / Security / Protection at one end to Capability / Performance / Access at the other, with a single Static Point of Optimum Protection marked on it.

Continuous Optimization
Constant analysis of the network
Protection measures adapt
Figure: the same Safety / Security / Protection to Capability / Performance / Access axis, with a Dynamic Point of Optimization that moves to hold the optimum balance between protection and access.

Current NETS Prototype (figure)
Oracle Database at the centre
Data feeds: DNS forward, DNS reverse, ARPwatch, DHCP Server Logs, Port Locator
Policies & Business Rules
Reports
Scan Dispatcher → Targeted Systems
LBLnet Control (marked Future)

NETS Vision: fully automated vulnerability discovery and elimination
Network information continuously collected
Systems continuously scanned
Network vulnerabilities detected as they appear
Vulnerabilities immediately resolved:
–Automatically blocked
–Owners/sysadmins automatically alerted
–Blocks automatically removed when vulnerabilities are fixed
Safe systems given full access - Internet access is maximized

Future Integration With Bro
NETS uses Bro information to prioritize vulnerabilities based on threat
–Extra attention given to vulnerabilities with a high risk of attack
Bro uses NETS information to prioritize threats based on vulnerabilities
–Extra attention to attacks against known weaknesses
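The NETS prototype, the NETS vision and the Bro integration on the three slides above, as an added example that is not NETS's code: a Python model of the loop in which ARPwatch, DHCP and reverse-DNS feeds are joined into an inventory, two rounds of scan results drive block and unblock decisions with owner notices, and a Bro alert feed is used in both directions of slide 24 (findings that Bro sees under attack rank higher; Bro alerts against services NETS knows to be weak sort first). All feeds, hostnames, the owner registration table, the "only high severity blocks" business rule, the finding labels and the block/unblock commands are constructed for this example.

```python
"""Model of the NETS loop (slides 22-24): inventory -> scan -> block/notify -> unblock,
plus the two-way Bro/NETS prioritisation of slide 24.

Added illustration, not NETS's own code. The prototype on slide 22 is an Oracle
database fed by DNS, ARPwatch and DHCP logs with a scan dispatcher; here every
feed is a constructed table and LBLnet control is a list of commands.
"""
from collections import Counter
from dataclasses import dataclass, field

SEVERITY = {"low": 1, "medium": 2, "high": 3}
BLOCK_AT = "high"   # assumed business rule: only high-severity findings cause an automatic block

# Constructed inventory feeds standing in for the slide-22 data sources.
ARPWATCH = [("00:11:22:33:44:55", "128.3.10.6"),    # (MAC, IP) pairs seen on the wire
            ("00:11:22:33:44:66", "128.3.30.1"),
            ("00:11:22:33:44:77", "128.3.20.9")]
DHCP_LOGS = {"00:11:22:33:44:55": "lab-pc-6", "00:11:22:33:44:77": "laptop-9"}  # MAC -> client hostname
DNS_REVERSE = {"128.3.10.6": "lab-pc-6.lab.example", "128.3.30.1": "www-group.lab.example"}
OWNERS = {"00:11:22:33:44:55": "alice", "00:11:22:33:44:66": "bob"}  # assumed registration table

# Constructed scan rounds: (finding, service port, severity). Round 2 is after alice turns telnet off.
SCAN_ROUNDS = [
    {"128.3.10.6": [("telnet service exposed", 23, "high")],
     "128.3.30.1": [("web server version in banner", 80, "low")]},
    {"128.3.30.1": [("web server version in banner", 80, "low")]},
]

# Constructed Bro alert feed: (attacker, target, service port) for attack attempts Bro reported.
BRO_ATTACKS = [
    ("10.9.8.7", "128.3.10.6", 23),
    ("10.9.8.7", "128.3.10.6", 23),
    ("203.0.113.5", "128.3.30.1", 80),
    ("203.0.113.5", "128.3.20.9", 80),
]


@dataclass
class Host:
    ip: str
    mac: str
    name: str
    owner: str
    findings: list = field(default_factory=list)
    blocked: bool = False


def build_inventory():
    """Join the feeds as the NETS database would: ARPwatch anchors IP<->MAC, reverse DNS
    names a host when it has a record, the DHCP log names it otherwise."""
    hosts = {}
    for mac, ip in ARPWATCH:
        name = DNS_REVERSE.get(ip) or DHCP_LOGS.get(mac) or "unknown"
        hosts[ip] = Host(ip, mac, name, OWNERS.get(mac, "unregistered"))
    return hosts


class Nets:
    def __init__(self, hosts):
        self.hosts = hosts
        self.commands = []   # what would go to LBLnet control
        self.notices = []    # what would go to owners / sysadmins

    def reconcile(self, scan_results):
        """One pass of the slide-23 loop: scan, detect, block and notify, unblock when fixed."""
        for ip, host in self.hosts.items():
            host.findings = scan_results.get(ip, [])
            must_block = any(SEVERITY[sev] >= SEVERITY[BLOCK_AT] for _, _, sev in host.findings)
            if must_block and not host.blocked:
                host.blocked = True
                self.commands.append(f"block {ip}")
                self.notices.append(f"{host.owner}: {host.name} ({ip}) blocked for: "
                                    + ", ".join(f for f, _, _ in host.findings))
            elif host.blocked and not must_block:
                host.blocked = False
                self.commands.append(f"unblock {ip}")
                self.notices.append(f"{host.owner}: {host.name} ({ip}) restored to full access")

    def prioritize_findings(self, bro_attacks):
        """Slide 24, NETS side: a weakness Bro sees being attacked outranks one of equal severity."""
        hits = Counter((target, port) for _, target, port in bro_attacks)
        ranked = [(SEVERITY[sev] * (1 + hits[(h.ip, port)]), h.ip, finding)
                  for h in self.hosts.values() for finding, port, sev in h.findings]
        return sorted(ranked, reverse=True)

    def prioritize_attacks(self, bro_attacks):
        """Slide 24, Bro side: attacks against a service NETS knows to be weak sort first."""
        weak = {(h.ip, port) for h in self.hosts.values() for _, port, _ in h.findings}
        return sorted(bro_attacks, key=lambda a: (a[1], a[2]) in weak, reverse=True)


def run():
    nets = Nets(build_inventory())
    nets.reconcile(SCAN_ROUNDS[0])                   # round 1: the telnet host gets blocked
    ranked = nets.prioritize_findings(BRO_ATTACKS)   # attacks seen while the weakness was open
    attacks = nets.prioritize_attacks(BRO_ATTACKS)
    nets.reconcile(SCAN_ROUNDS[1])                   # round 2: a clean rescan lifts the block
    return nets, ranked, attacks


if __name__ == "__main__":
    nets, ranked, attacks = run()
    print("\n".join(nets.commands + nets.notices))
```

The point the slides make and the model preserves is that the block is a consequence of the current scan state, not a rule someone wrote once: the second reconcile pass finds no high-severity finding on 128.3.10.6 and removes the block without anyone editing a firewall. The cross-prioritisation is deliberately simple (severity weighted by the number of attack attempts Bro saw against that host and port) so that the join between the two data sets, not the scoring formula, is what the reader takes away.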

Views of Protection (figure): "Threat" Based Protection and "Vulnerability" Based Protection shown side by side.

NETS and Bro Integration: "Threat" and "Vulnerability" Based Protection
Network protection adapts based on both threats and vulnerabilities.