Slide 1: The Bro Intrusion Detection
Office of Science, U.S. Department of Energy
Stephen Lau, NERSC/LBNL
November 20, 2003, SC2003, Phoenix, AZ
Slide 2: Bro
- High performance intrusion detection system developed at LBNL and ACRI
  – Vern Paxson primary developer
- Based on operational experience with high performance networks
- Grew out of tools developed to optimize and analyze network traffic
- Bro Development Goals
  – High speed network monitoring
  – Low packet loss rate
  – Mechanism separate from policy
Slide 3: Bro State Model
- Bro maintains and analyzes state
  – Keeps track of all network connections
  – Reacts to network behavior patterns
- Signature based systems
  – e.g. Snort, RealSecure
  – Match patterns seen in network streams
Slide 4: Bro Structure
- Packet capture and filter
  – Built on libpcap
- Event Engine
  – Evaluates packets
  – Maintains state of the network connections
  – Generates events
- Policy Script Interpreter
  – Executes scripts written in ‘policy language’
Slide 5: Bro Structure (data-flow diagram)
- Network -> Packet Stream -> libpcap -> Filtered Packet Stream -> Event Engine -> Event Stream -> Policy Script Interpreter -> Real Time Notification / Record to Disk
- Configuration inputs per stage: tcpdump filter (libpcap), Event Control (Event Engine), Policy Script (Policy Script Interpreter)
Slide 6: Bro Structure
- Real time processing
  – Analysis of real time traffic
  – Reaction to any significant events
  – Traffic filtered to only ‘interesting’ traffic
- Offline processing
  – Bro capable of archiving network traffic
  – Allows for more detailed analysis
  – Less traffic is filtered
Slide 7: Real Time Processing
- Works in conjunction with border router to drop (shun) hosts at the border
- Capable of injecting RST packets into stream
  – Code Red Worm instances
  – SSH vulnerability exploits
- Establishes real time alerts based on policy
Slide 8: Offline Processing
- Detects stepping stones
  – Compromised system used as a gateway
- Detects “backdoors”
  – e.g. telnet servers on a non-standard port
- Detects file sharing systems
  – Gnutella, Napster, KaZaa
(Diagram: stepping stone. External Attacker -> Compromised Internal System -> External Victim, with Bro monitoring at the Network DMZ.)
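The three-stage pipeline of slides 4 and 5 together with the backdoor check above, as an added example (not Bro's own code): a toy event engine keeps per-connection state from a filtered packet stream, and a policy handler written only against events flags telnet option negotiation (IAC followed by WILL/WONT/DO/DONT, an assumption standing in for Bro's real analyzer) on a responder port other than 23. All hosts, ports and packets are constructed.

```python
# Toy model of Bro's pipeline (libpcap filter -> event engine -> policy script); illustration, not Bro's code.
from collections import defaultdict, namedtuple
# Stands in for a captured TCP segment; flags are simplified ("S" = SYN, "A" = ACK).
Packet = namedtuple("Packet", "src sport dst dport flags payload", defaults=("", b""))
def packet_filter(pkts, skip_ports):  # Stage 1, the 'tcpdump filter': drop what policy never needs
    return [p for p in pkts if p.sport not in skip_ports and p.dport not in skip_ports]

class EventEngine:
    """Stage 2: keeps per-connection state and emits events; contains no policy."""
    def __init__(self):
        self.conns, self.handlers = {}, defaultdict(list)
    def on(self, event, fn): self.handlers[event].append(fn)
    def emit(self, event, **kw):
        for fn in self.handlers[event]:
            fn(**kw)
    def process(self, p):
        fwd, rev = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        conn = self.conns.get(fwd) or self.conns.get(rev)
        if conn is None:
            if "S" not in p.flags: return    # no SYN seen: mid-stream, not tracked
            conn = self.conns[fwd] = {"orig": p.src, "resp": p.dst, "resp_port": p.dport}
            self.emit("connection_attempt", conn=conn)
        if p.payload: self.emit("data", conn=conn, payload=p.payload)

# Stage 3: policy written only against events (mechanism separate from policy).
IAC, NEGOTIATE = 0xFF, {0xFB, 0xFC, 0xFD, 0xFE}   # telnet IAC + WILL/WONT/DO/DONT
def telnet_like(payload):
    """Assumption: telnet option negotiation in the data stream marks a telnet server."""
    return any(payload[i] == IAC and payload[i + 1] in NEGOTIATE for i in range(len(payload) - 1))

def run_policy(pkts):
    """Alert on telnet-like sessions whose responder port is not 23 (a 'backdoor')."""
    alerts, eng = [], EventEngine()
    def on_data(conn, payload):
        if conn["resp_port"] != 23 and not conn.get("flagged") and telnet_like(payload):
            conn["flagged"] = True
            alerts.append(f"telnet-like service on {conn['resp']}:{conn['resp_port']} from {conn['orig']}")
    eng.on("data", on_data)
    for p in packet_filter(pkts, skip_ports={80, 443}):
        eng.process(p)
    return alerts
SAMPLE = [  # constructed traffic: 192.0.2.10 is the client, 10.0.0.7 the server
    Packet("192.0.2.10", 40001, "10.0.0.7", 23, "S"),
    Packet("10.0.0.7", 23, "192.0.2.10", 40001, "A", b"\xff\xfd\x18"),    # real telnet: fine
    Packet("192.0.2.10", 40002, "10.0.0.7", 5555, "S"),
    Packet("10.0.0.7", 5555, "192.0.2.10", 40002, "A", b"\xff\xfb\x01"),  # telnet on odd port
    Packet("10.0.0.7", 80, "192.0.2.10", 40003, "A", b"\xff\xfd\x00"),    # removed by filter
    Packet("10.0.0.7", 6000, "192.0.2.10", 40004, "A", b"\xff\xfd\x00"),  # no SYN: ignored
]
```

Running `run_policy(SAMPLE)` yields a single alert for the port-5555 session; the port-23 session, the filtered web packet and the untracked mid-stream packet produce nothing.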
Slide 9: Bro in Practical Use
- Primary IDS for LBNL/NERSC since 1996
- Primary IDS for SC00-03 conferences
- No specialized hardware needed
- Low cost allows for multiple deployments
- Requirements
  – FreeBSD
  – Intel platform
  – Fiber tap
  – Disk space to archive data
Slide 10: Defense in Depth
- Perimeter
  – Bro / Snort
  – Traffic Filtering
  – Virus Wall
  – Host Filtering
- Internal Network
  – Network Isolation
  – Firewalls
  – Subnet traffic filtering
- Host Level
  – Anti Virus Software
  – Active Scanning
  – Unused services disabled
  – Process Accounting
  – Encrypted Passwords
- Users / staff
  – Staff Security Team
  – Usage Agreements
  – Periodic training
  – Emails on key issues
Slide 11: Use of Bro Within NERSC (diagram)
- ESNet <-> NERSC Filtering Border Router (network traffic); Bro inserts ACLs into the border router
- Tapped Traffic -> Multiple Bro Systems: Real Time Analysis, Redundant Backup, Test Box, Bulk Traffic Recorder
- Multiple IDS: Snort, Bro
- Heavyweight Protocol Analysis: Bro GRID / SSL Analysis
- Internal Traffic (tapped) -> Bro Monitor
- Wireless Networks (tapped) -> Bro Monitors
Slide 12: Bro at NERSC
- 24/7 monitoring
  – Tied into a paging system for on-call security person
- Bro checkpointed at set intervals
  – Clears out ‘orphaned’ sessions
  – Allows for offline data analysis
- Data archiving
  – Maintain traffic data for about 3 months
    – Anything beyond that is ‘subpoena bait’
  – Maintain network connection data forever
Slide 13: NERSC Network Traffic, 3 Week Period

| Type of Traffic | Number of Connections | Overall Percentage of Traffic |
| --- | --- | --- |
| Bulk Data Transfer | 666,529 | 83.73% |
| Grid Services | 74,178 | 7.19% |
| Web Related | 288,375 | 45.30% |
| Database | 620,173 | 0.27% |
| Mail | 200,484 | .04% |
| System Services | 185,272 | .04% |
| Interactive | 116 | <.1% |
Slide 14: Total NERSC Connections (chart)
Slide 15: Valid NERSC Connections (chart)
Slide 16: Practical Bro
- Automatic ACL injection has a very low false positive rate
  – At NERSC, on average about 1 every 6 months
- Reports generated whenever checkpointed
  – Results from blocks and odd events
  – Results from offline analyzer
    – Backdoors and KaZaa traffic
  – Takes some time to “learn the traffic”
Slide 17: What Do We See
- Usual stuff
  – Lots and lots and lots and lots of scans
    – Slow scans, flash scans, nmap, nessus, ISS
  – Many worms and viruses
    – Code Red, Nimda, etc...
  – Lots of backscatter
- Fun stuff and stuff we really shouldn’t see
  – Broken TCP stacks
  – Private network traffic (192.168.0.0, etc)
  – Broken NATs
  – Odd user behaviour
  – Odd OS/application behaviour
Slide 18: Bro at SC03
- Bro primary IDS for SC conference since SC00
  – Used to monitor SCinet traffic
- Maximum observed bandwidth
  – 16.8Gbps at SC2002 (Bandwidth Challenge)
  – Used router hardware BPF
- Passive monitoring only
  – Automatic countermeasures disabled
Slide 19: Bro at SC03
- IDS for SCinet
  – Ensure conference network does not get taken down by attacks
  – Detect 0wned systems
  – Monitor for “odd” behavior
- Educational tool for attendees
  – Password capture and display
  – Alert exhibitors to “risky behavior”
    – e.g. .rhosts with root enabled
Slide 20: SCinet Bro Infrastructure (diagram)
Slide 21: Bro Future Directions
- Grid related technologies
  – Ability to detect Grid related protocols
  – X.509 Certificate Analyzer
    – SSL Analyzer
    – Verify certificates are legitimate
- Router Shunting
  – Primary bottleneck is moving packets into user space
  – Leverage router based hardware filtering to analyze “packets of interest”
  – Proof of concept demo at SC01-03
    – Utilizing Bro and Juniper router
    – Hardware based BPF to filter traffic
Slide 22: Port Mirroring (diagram)
- External Network <-> Juniper (GigE Interface) <-> Internal Network
- Mirrored Traffic -> Bro
Slide 23: Filter-based Forwarding (diagram)
- External Network <-> Juniper (Filter, GigE Interface) <-> Internal Network
- Filtered Traffic -> Bro
Slide 24: Contact Information
Stephen Lau
1 Cyclotron Road, M/S 943
Berkeley, CA 94720
Phone: +1 (510) 486-7178
Email: slau@lbl.gov
PGP: 44C8 C9CB C15E 2AE1 7B0A 544E 9A04 AB2B F63F 748B