
DARPA OASIS PI Meeting – Santa Fe – July 24-27, 2001
Aegis Research Corporation – Not for Public Release

Slide 1: Survivability Validation Framework for Intrusion Tolerance Using Masking, Redundancy and Dispersion
Janet Lepanto, William Weinstein
The Charles Stark Draper Laboratory, Inc.
Aegis Research Corporation

Slide 2: Overview
- Technology description and survivability problem addressed
- Assumptions
- Impairments: threats, attacks, vulnerabilities
  – Design/implementation
  – Configuration/operation
- Survivability attributes
- Comparison with other systems
- Survivability mechanisms
- Rationale
  – Goal vs. impairment matrix
  – Verification techniques
- Residual risks, limitations, caveats
- Cost/benefit analysis

Slide 3: Technology Description and Survivability Problem Addressed
- Apply fault-tolerant design concepts to provide intrusion tolerance for a "service" site that supports external clients with web-based access to information, databases, and application services
- Minimize loss of data confidentiality and integrity in the face of a successful attack on one of the servers
- Tolerate attacks whose specific signatures are not known a priori
- Employ only a small set of trusted components to protect a large set of untrusted, unmodified COTS servers and databases
- Employ redundancy for both intrusion tolerance and performance

Slide 4: Nominal Site Configuration
[Diagram] Components shown: External WAN, External Firewall, Gateway, Switched IP, Server (1), Server (2) ... Server (N), Switched IP, Transaction Mediator, Data Base, Configuration Manager, Authentication Server. Legend: COTS / Trusted / Other.

Slide 5: Technical Approach
- Mask fingerprints of gateway and origin servers so that an attacker cannot probe over the network to determine
  – OS of gateway or origin servers
  – Implementation of any origin server
- Distribute each client's transactions among origin servers such that the client cannot predict which server will handle a transaction
- Periodically inspect each origin server for configuration anomalies that might indicate that attack transactions have occurred
  – Reconfigure server to "clean" state if anomalies are detected
- Log transactions to back-end database so that data written by a compromised origin server can be reconstructed
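The following is an added example, not code from the Draper/Aegis presentation, that models two of the mechanisms on this slide in Python: dispersion of a client's transactions over N origin servers using a CSPRNG so the client cannot predict the handling server, and periodic inspection of each server's configuration against a known-clean baseline with reset to the clean state when drift is found. The server names, config file names, the SHA-256 baseline method and the in-memory "golden image" are all assumptions made for illustration; the real system protects unmodified COTS servers, which this toy does not attempt to represent.

```python
"""Added example (not from the presentation): toy gateway that disperses
transactions unpredictably and inspects origin servers against a baseline.
Server names, config files and the hashing scheme are assumptions."""
import hashlib
import secrets
from collections import Counter


class OriginServer:
    """Untrusted COTS origin server, modelled as a dict of config files -> contents."""

    def __init__(self, name, clean_config):
        self.name = name
        self.clean_config = dict(clean_config)  # golden image held by the config manager (assumed)
        self.config = dict(clean_config)        # live configuration an attacker could alter
        self.rebuilds = 0

    def handle(self, client, request):
        # A real server would serve HTTP; here we only record who handled the request.
        return f"{self.name}:{client}:{request}"

    def reset_to_clean(self):
        self.config = dict(self.clean_config)
        self.rebuilds += 1


def fingerprint(config):
    """SHA-256 over the whole configuration in deterministic (sorted) file order."""
    h = hashlib.sha256()
    for path in sorted(config):
        h.update(path.encode())
        h.update(b"\0")
        h.update(config[path].encode())
        h.update(b"\0")
    return h.hexdigest()


class Gateway:
    """Trusted element: disperses client transactions and inspects the servers."""

    def __init__(self, servers):
        self.servers = list(servers)
        self.baselines = {s.name: fingerprint(s.clean_config) for s in self.servers}
        # SystemRandom draws from the OS CSPRNG, so a client observing which server
        # answered cannot predict the next choice (a seeded PRNG or round-robin could be).
        self.rng = secrets.SystemRandom()

    def dispatch(self, client, request):
        server = self.rng.choice(self.servers)
        return server.handle(client, request)

    def inspect(self):
        """Names of servers whose config drifted from baseline; each is reset to clean."""
        anomalous = []
        for s in self.servers:
            if fingerprint(s.config) != self.baselines[s.name]:
                anomalous.append(s.name)
                s.reset_to_clean()
        return anomalous


def _site(n_servers=3):
    clean = {"httpd.conf": "Listen 80", "index.html": "<h1>ok</h1>"}
    return [OriginServer(f"srv{i}", clean) for i in range(n_servers)]


def dispersion_demo(n_requests=1000, n_servers=3):
    """Counts how many of one client's requests each server handled."""
    gw = Gateway(_site(n_servers))
    handled = (gw.dispatch("client-A", f"GET /item/{i}") for i in range(n_requests))
    return Counter(h.split(":")[0] for h in handled)


def inspection_demo():
    """Simulated attacker modifies srv1's content; inspection catches and resets it."""
    servers = _site()
    gw = Gateway(servers)
    servers[1].config["index.html"] = '<h1>ok</h1><script src="//evil/x.js"></script>'  # constructed tampering
    first = gw.inspect()    # finds srv1, resets it
    second = gw.inspect()   # nothing left to find
    return first, second, servers[1].rebuilds


if __name__ == "__main__":
    print(dispersion_demo())
    print(inspection_demo())
```

The inspection is deliberately whole-configuration rather than signature-based, which is what lets it flag attacks whose signatures are not known a priori; the cost, as slide 8 notes, is that taking a server off-line on every anomaly needs careful configuration management.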

Slide 6: Assumptions

Slide 7: Impairments: Threats, Attacks, Vulnerabilities

Slide 8: Survivability Attributes
- Protects the confidentiality (C) and integrity (I) of site data from stealthy attacks emanating from an external network
- Does not address authentication (AU)
- Does not address non-repudiation (NR)
- DoS attack considerations
  – Redundancy of origin servers provides a second-order benefit
  – Taking servers off-line when an anomaly is detected creates a potential vulnerability (mitigated by smart configuration management)

Slide 9: Comparison with Other Systems
- Existing systems/practices
  – Address known threats, attack profiles and vulnerabilities to achieve confidentiality, integrity, authentication and non-repudiation
  – Require significant/costly modifications to COTS systems (e.g., operating system modifications, special network cards)
  – Do not address vulnerabilities or attacks that are unknown a priori

Slide 10: Survivability Mechanisms

Slide 11: Survivability Mechanisms (cont'd)

Slide 12: Rationale: Goal vs. Impairment Matrix

Slide 13: Rationale: Verification
- Verification techniques
  – Subjecting the system to known scanning tools to determine if the mechanisms to thwart those scans are implemented properly
  – Subjecting the system to known attacks to evaluate how it reacts to various types of attacks (e.g., measuring the relative time to success for an attack directly on server X vs. the same attack on server X operating in our OASIS architecture)
  – Subjecting the system to modifications of known attacks developed to exploit knowledge of the architecture and operation of the system
- Metrics
  – Impact of Draper-Aegis OASIS mechanisms on resistance to attack
  – Relative time to achieve successful attacks

Slide 14: Residual Risks, Limitations, Caveats
- Forms-based HTML provides external client access to the back-end database, and can also move files between clients and back-end file systems and support interactions between clients and back-end applications
  – Significant system functionality and flexibility can be provided by the HTTP protocol
  – Utility of dispersion w.r.t. other protocols is TBD
- Need to evaluate if/to what extent the Gateway and the Transaction Mediator could be bottlenecks for high-performance sites
- If rollback is done only for transactions from the compromised server, there is no guarantee that information in the database will remain self-consistent
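The last caveat is easy to reproduce. The following is an added example, not code from the presentation, of a toy transaction log of the kind slide 5 says the mediator keeps, with two rollback policies: undoing only the compromised server's writes (the policy the slide warns about), and a cascading rollback that also undoes later transactions which read data the compromised server wrote. The account names, values and invariant are constructed for illustration, the assumption that the log records each transaction's read set is mine, and the cascading policy is standard database recovery practice rather than something the slides claim to implement.

```python
"""Added example (not from the presentation): transaction log with two rollback
policies, showing why server-only rollback can leave the database inconsistent.
Keys, values, the read-set logging and the conservation invariant are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Txn:
    tid: int
    server: str
    reads: set                                   # keys the transaction read
    writes: dict                                 # key -> new value
    before: dict = field(default_factory=dict)   # key -> prior value, for undo


class MediatedDB:
    """Back-end database plus the mediator's transaction log."""

    def __init__(self, initial):
        self.state = dict(initial)
        self.log = []

    def apply(self, server, read_keys, writes):
        tid = len(self.log) + 1
        before = {k: self.state[k] for k in writes}
        self.state.update(writes)
        self.log.append(Txn(tid, server, set(read_keys), dict(writes), before))
        return tid

    def rollback_server_only(self, bad_server):
        """Undo only the compromised server's transactions, newest first."""
        undone = []
        for txn in reversed(self.log):
            if txn.server == bad_server:
                self.state.update(txn.before)
                undone.append(txn.tid)
        return undone

    def rollback_cascading(self, bad_server):
        """Also undo any later transaction that read a key a tainted transaction wrote.
        Taint is tracked per key, which is conservative: an honest overwrite of a
        tainted key before it is read would still cause the reader to be undone."""
        tainted_tids, tainted_keys = set(), set()
        for txn in self.log:  # forward pass over read/write dependencies
            if txn.server == bad_server or (tainted_keys & txn.reads):
                tainted_tids.add(txn.tid)
                tainted_keys |= set(txn.writes)
        undone = []
        for txn in reversed(self.log):  # undo newest first so 'before' values line up
            if txn.tid in tainted_tids:
                self.state.update(txn.before)
                undone.append(txn.tid)
        return undone


def conservation_ok(state):
    """Constructed invariant: money is neither created nor destroyed (total stays 100)."""
    return state["acct:alice"] + state["acct:bob"] + state["acct:merchant"] == 100


def _scenario():
    db = MediatedDB({"acct:alice": 100, "acct:bob": 0, "acct:merchant": 0})
    # T1 (srv1, honest): alice pays bob 30
    db.apply("srv1", ["acct:alice", "acct:bob"], {"acct:alice": 70, "acct:bob": 30})
    # T2 (srv2, compromised): attacker forges a credit to bob
    db.apply("srv2", ["acct:bob"], {"acct:bob": 1000})
    # T3 (srv3, honest): bob spends 500 of the forged balance at the merchant
    db.apply("srv3", ["acct:bob", "acct:merchant"], {"acct:bob": 500, "acct:merchant": 500})
    return db


def demo():
    """Returns (undone tids, final state, invariant holds?) for each policy."""
    a = _scenario()
    undone_a = a.rollback_server_only("srv2")
    b = _scenario()
    undone_b = b.rollback_cascading("srv2")
    return {
        "server_only": (undone_a, dict(a.state), conservation_ok(a.state)),
        "cascading": (undone_b, dict(b.state), conservation_ok(b.state)),
    }


if __name__ == "__main__":
    for policy, result in demo().items():
        print(policy, result)
```

With server-only rollback, T2 is undone but T3's spend of the forged balance survives, so the merchant holds 500 that was never funded and the invariant fails; the cascading policy undoes T3 as well and restores a consistent state, at the price of discarding an honest client's transaction.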

Slide 15: Cost/Benefit Analysis
- Time
  – Attacker is delayed
  – Attacker must complete exploit within a bounded window to avoid detection
- Development
  – One-time development cost of trusted elements and agent software for origin server platforms
- Implementation
  – Acquisition and implementation incur the cost of redundant origin servers and trusted elements (compared to the cost of a functionally equivalent site without our mechanisms)
- Operation
  – Maintenance cost of redundant origin servers and trusted elements scales with the number of redundant versions
- Functionality impact
  – Development cost to accommodate additional protocols
- Responsiveness of system
  – Transaction delays induced by proxy operations have negligible impact due to hardware speed

