Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Return of the Cube: Spinning the Security of SCinet Stephen Lau NERSC Center Division, LBNL November 10, 2004.

Published byAspen Tarbox Modified over 10 years ago

Similar presentations

Presentation on theme: "The Return of the Cube: Spinning the Security of SCinet Stephen Lau NERSC Center Division, LBNL November 10, 2004."— Presentation transcript:

1 The Return of the Cube: Spinning the Security of SCinet Stephen Lau NERSC Center Division, LBNL November 10, 2004

2 SCxy – Annual High Performance Computing and Networking conference – www.sc-conference.org – SC04 in Pittsburgh, PA, Nov 2004 – SC03 in Phoenix, Arizona, Nov 2003 SCinet – High Performance Network at SC conference – scinet.supercomp.org Background

3 SC Conference Attracts academic, industrial and government attendees – ~8000 attended SC03 – DOE very well represented Exhibition – Large research institute component  Government, academic – Many prototype systems and demonstrations

4 SCinet Conference network – Attendees, speakers and exhibitors Volunteers from DOE Labs, industry and educational institutes construct and tear down network Focuses on high performance and unfettered access – NO firewall or filtering

5

6

7 SCinet 2003 NOC

8 Result Many computer security incidents Sampling of SC03 security incidents – 3 root compromises  2 on same system! – 63 Welchia infected systems  2 repeat infections! – 6 Slammer worm infections – 10 Miscellany worm infections

9 Problem The open Internet today is a hostile place Many exhibitors and attendees blissfully security unaware – Come from firewalled institutes – Unpatched demonstration systems – Just plain clueless Security compromises can bring the conference to a halt SCinet’s high bandwidth network can be used against other sites

10 (Partial) Solution Network security group within SCinet – Track down and remove 0nw3d systems (and some users)  Gets real old, real fast Deploy passive monitoring systems – Bro (LBNL) – mon (Sandia-CA) – Wireless monitoring Filter some SC infrastructure networks – Registration, SC office, etc Deploy active wireless “jails” – Infected wireless systems are restricted from network access Active counter measure system – Sandia-CA developed tool – Honeypot to detect and thwart malicious attackers

11 SCinet 2004 Security Infrastructure Syslog RAID Packet Capture Counter measure Packet Capture Core 1 T640 Core 2 T320 Bandwidth Challenge 1x NLR 4 x OC-192 3x TG 3 x OC-192 1x NLR2x Abilene 10G 6509 M7i Commodity OC-3 GigE RexNet GigE mon GigE Hub Bro GigE Packet Capture GigE mon Bro RAID

12 Bro High performance intrusion detection system developed at LBNL and ICRI – Vern Paxson primary developer Grew out of tools developed to optimize and analyze network traffic – Based on operational experience with high performance networks Bro development goals – High speed network monitoring – Low packet loss rate – Mechanism separate from policy

13 Bro Bro maintains and analyzes state – Not like signature based systems, i.e. Snort Keeps track of all network connections – Reacts to network behavior patterns – Allows for in depth analysis and forensics Used as SCinet’s primary security tool since SC2001

14 User Education Painfully obvious that attendees are security unaware – See previous re: security incidents But how to educate ~8000 wandering attendees?

15 Capture Their Passwords! Use Bro to capture and display clear text passwords – telnet, ftp, rlogin Started at SC2001 in Denver, CO – Large screen display of scrolling passwords – No system names or user names – Filtered for bogus (or non G rated) entries

16 Do You See Your Password?

17 Results Predominantly positive – Attendees have come to “expect” it – Some complaints – “That’s my password!” Some attempts to thwart system – Embedded images – Passwords such as “HiScinet!” (or worse) Key Result: Many attendees “shocked” that their passwords could be captured

18 Wall of Shame Passwords Root Passwords NO Passwords Scans SC01 19357095266 SC02 4866N/A756 SC03 2352201118

19 Patch, patch, patch… But why? – Because the open Internet is a hostile place! Scans – Directed searches for vulnerable services Worms – Constantly looking for new victims Problem: – How do you get this point across to attendees?

20 Use Pretty Colors That Move Display Bro data in a graphical format Many “visualization” tools for network and security information – However most developed for network and security types Primary goal: Educate those who are not necessarily security aware

21 The Cube Displays captured Bro data in 4D – Replayed over time TCP connection information – Complete connections  SYN/FIN – Rejected or incomplete connections  SYN/RST  SYN and no response

22 The Cube Axes X Axis (red) – SCinet IP address space Z Axis (blue) – Global IP address space – 0.0.0.0 – 223.255.255.255 (no multicast) Y Axis (green) – Port number (0 – 65535) – Well known port numbers (22/ssh, 80/http, etc.)

23 The Data TCP connection instances represented by a point – (src IP addr, dst IP addr, port number) Rainbow colormap for points – Easier to locate in 3 space – Color of points have no meaning – Except: Grey points are completed connections

24 INSERT DEMO HERE

25 Under the Hood Written in C++ Uses OpenGL – Runs on platforms that support OpenGL – Either hardware or software emulation Runs on FreeBSD, OSX, Linux, Windows Uses Bro data files for source data No real time data updates during SC03

26 The Cube at SC03

27 Such Pretty Colors…

28 Cube Mesmerization It may turn you translucent if you are not careful!

29 Lessons Learned People like pretty colors that move Key Result: Many attendees stated they never realized malicious traffic constantly occurred on the open Internet The Cube can be useful for security analysis – Lots and lots of interesting patterns – Potential for use as security analysis tool Can’t please everyone – Several complaints lodged against the Cube

30 The Future Many requested features – #1 requested: Screensaver mode – Ability to modify time playback – Logarithmic axes – Ability to “drill down” into the data SC2004 – Cube on display at SCinet booth – Real Time monitoring of SCinet traffic at SC04

31 Contact Information Stephen Lau Lawrence Berkeley National Labs / NERSC 1 Cyclotron Road, M/S 943 Berkeley, CA 94720 Phone: +1 (510) 486-7178 Email: slau@lbl.gov PGP: 44C8 C9CB C15E 2AE1 7B0A 544E 9A04 AB2B F63F 748B Cube Info: http://www.nersc.gov/security/TheSpinningCube.html

Download ppt "The Return of the Cube: Spinning the Security of SCinet Stephen Lau NERSC Center Division, LBNL November 10, 2004."

Similar presentations

WEB AND WIRELESS AUTOMATION connecting people and processes InduSoft Web Solution Welcome.

WEB AND WIRELESS AUTOMATION connecting people and processes InduSoft Web Solution Welcome.
Bro: A System for Detecting Network Intruders in Real-Time Vern Paxson Lawrence Berkeley National Laboratory,Berkeley, CA A stand-alone system for detecting.

Bro: A System for Detecting Network Intruders in Real-Time Vern Paxson Lawrence Berkeley National Laboratory,Berkeley, CA A stand-alone system for detecting.
Denial of Service Attack History What is a Denial of Service Attack? Modes of Attack Performing a Denial of Service Attack Distributed Denial of Service.

Denial of Service Attack History What is a Denial of Service Attack? Modes of Attack Performing a Denial of Service Attack Distributed Denial of Service.
Nicholas Weaver Vern Paxson Stuart Staniford UC Berkeley ICIR

Nicholas Weaver Vern Paxson Stuart Staniford UC Berkeley ICIR
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
Leveraging Good Intentions to Reduce Unwanted Network Traffic Marianne Shaw (U. Washington) USENIX 2nd Workshop on Steps to Reducing Unwanted Traffic on.

Leveraging Good Intentions to Reduce Unwanted Network Traffic Marianne Shaw (U. Washington) USENIX 2nd Workshop on Steps to Reducing Unwanted Traffic on.
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
Packet Analyzers, a Threat to Network Security. Agenda Introduction The background of packet analyzers LAN technologies & network protocols Communication.

Packet Analyzers, a Threat to Network Security. Agenda Introduction The background of packet analyzers LAN technologies & network protocols Communication.
Web Server Administration TEC 236 Securing the Web Environment.

Web Server Administration TEC 236 Securing the Web Environment.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by.

Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by.
NAV Project Update By: Meghan Allen and Peter McLachlan.

NAV Project Update By: Meghan Allen and Peter McLachlan.
IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.

IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.
Network Analyzer Example

Network Analyzer Example
Bro: A System for Detecting Network Intruders in Real-Time Presented by Zachary Schneirov CS 395-0 Professor Yan Chen.

Bro: A System for Detecting Network Intruders in Real-Time Presented by Zachary Schneirov CS Professor Yan Chen.
Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Similar presentations

Ads by Google