SECURE COMPUTING
Intrusion Tolerant Server Infrastructure
Dick O’Brien, Tammy Kappel, Clint Bitzer
OASIS PI Meeting
March 14, 2002
Outline
• Overview
• New Technologies
  – Load Distribution
  – PEN Alerts
  – Automated Response
ITSI Objective
• Develop an Intrusion Tolerant Server Infrastructure that uses independent network layer enforcement mechanisms to:
  – Reduce intrusions
  – Prevent propagation of intrusions that do occur
  – Provide automated load shifting when intrusions are detected
  – Support automated server recovery
• Provide uninterrupted service even in the face of malicious attacks that may be successful against one of the systems
ITSI Functionality
ITSI is a combination of existing and new technologies
• Existing
  – Autonomic Distributed Firewall (3Com Embedded Firewall)
    • Provides network access control
  – Heterogeneous web servers
  – Hardened platforms
    • Linux platform based on Immunix 7.0 and SELinux LSM
    • Windows 2000 uses Kernel Loadable Wrappers
  – Intrusion Detection Systems
• New
  – Load distribution
  – ADF PEN alerts
  – Automated response
ITSI Prototype
(Architecture diagram.) Two web servers serve the Clients: a SELinux Web Server (SE Linux, Apache & PHP) and a Win2k Web Server (Windows 2000, IIS Web Server & PHP). Each server hosts a Detection/Initiating Agent, a Response/Recovery Agent and Intrusion Detection, and has two Embedded Firewall NICs (NIC 1 and NIC 2). The AIC, a Windows 2000 host with its own Embedded Firewall NIC, runs the ADF Policy Server, Alert Handler, Cluster Manager, ID Management and the Response/Recovery Controller. An Application DB completes the picture.
PEN Policy
External PEN policy
• Incoming – only allow traffic to web server
• Outgoing – only allow responses
• No sniffing, no spoofing
• Audit any violations
Internal PEN policy
• Incoming – only allow traffic from DB and AIC
• Outgoing – only allow traffic to DB and AIC
• No sniffing, no spoofing
• Audit any violations
Summary
• Intrusion tolerance through
  – Hardened, heterogeneous platforms
  – Automatic response capabilities
  – Load sharing between the servers
  – Extensive auditing and alert capabilities
• No need for additional firewalls
• Scalability through the ability to easily add additional platforms
• Maintainability through the ability to easily remove and service a platform
Load Distribution
(Diagram.) Two servers, an Apache Web Server and an IIS Web Server, each with a PEN Agent and two PENs (PEN 1 and PEN 2) holding Load Sharing Rules; new rules arrive from the AIC.
Approach
• Clusters are created with multiple servers sharing a virtual IP address
• The shared virtual IP is mapped to a shared MAC
• Each server receives all traffic addressed to the shared MAC
• Rules on the PEN determine what traffic to process and what to throw away based on source IP
• Traffic load can be shifted by modifying PEN rules
Configuration
Lessons Learned
• Load distribution can be done using special PEN rules with no modification of the PEN firmware
• Shared MAC approach works for servers on a shared network segment
• More general approach is feasible
  – Develop a centralized approach to changing the MAC used by an EFW NIC from the AIC
  – Use a multicast address
  – Do load distribution based on source ports as well as source IP
  – Add load balancing
  – Have NICs negotiate load distribution by themselves
PEN Alerts
• Alerts are based on audit from the PEN
• Alerts are raised on
  – Spoofing violations
  – Sniffing violations
  – Matching on any filter rule that has alerting enabled
    • Such as, no initiation of TCP connections
• Alert actions supported
  – Notify Response Server
  – NT event log
  – SNMP trap
  – Email
Approach
(Flow diagram.) An Audit Event is stored (Store Audit, Insert) in the Audit DB. If it qualifies as an alert (Alert?), the Alert Handler is initiated (Initiate Alert); it reads the Alert Configurations, checks whether the threshold is exceeded (Threshold Exceeded?) and then runs the Alert Actions.
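The alert flow above, as an added example that is not ITSI code: a handler that stores every PEN audit event, consults a per-event-type alert configuration, applies a count threshold over a sliding time window, and returns the alert actions to run. The configuration format, the thresholds and the sample audit records are constructed assumptions.

```python
from collections import defaultdict, deque
# Assumed alert configuration keyed by PEN audit event type: an alert is
# raised once `threshold` events for one host arrive within `window` seconds.
# An event type absent from the table has alerting disabled (stored only).
ALERT_CONFIG = {
    "spoofing": {"threshold": 1, "window": 0,
                 "actions": ["notify_response_server", "nt_event_log"]},
    "sniffing": {"threshold": 1, "window": 0,
                 "actions": ["notify_response_server", "snmp_trap"]},
    "tcp_initiation": {"threshold": 3, "window": 60,
                       "actions": ["notify_response_server", "email"]},
}

class AlertHandler:
    def __init__(self, config):
        self.config = config
        self.audit_db = []                # every audit event is stored
        self.recent = defaultdict(deque)  # (host, type) -> recent timestamps
        self.alerts = []                  # alerts raised, in order

    def audit_event(self, ts, host, event_type, src_ip):
        self.audit_db.append((ts, host, event_type, src_ip))   # Store Audit
        cfg = self.config.get(event_type)
        if cfg is None:
            return None                   # Alert? no: rule has no alerting
        hist = self.recent[(host, event_type)]
        hist.append(ts)
        while ts - hist[0] > cfg["window"]:
            hist.popleft()                # forget events outside the window
        if len(hist) < cfg["threshold"]:
            return None                   # Threshold Exceeded? no
        hist.clear()                      # start a fresh count after alerting
        alert = {"host": host, "type": event_type, "src": src_ip,
                 "actions": list(cfg["actions"])}   # Alert Actions to run
        self.alerts.append(alert)
        return alert

SAMPLE_AUDIT = [   # constructed PEN audit records: (seconds, host, type, source)
    (0, "win2k", "tcp_initiation", "10.0.0.5"),
    (20, "win2k", "tcp_initiation", "10.0.0.5"),
    (30, "selinux", "filter_match", "10.0.0.9"),   # alerting disabled
    (40, "win2k", "tcp_initiation", "10.0.0.5"),   # third within 60 s
    (45, "selinux", "spoofing", "10.0.0.9"),
]

def run(events=SAMPLE_AUDIT):
    handler = AlertHandler(ALERT_CONFIG)
    for event in events:
        handler.audit_event(*event)
    return handler
```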
Configuration
Lessons Learned
• By basing the alert functionality on the PEN audit, no changes were necessary to the PEN firmware
• PEN alerts could be used as sensors for other intrusion detection/response systems
  – PEN alerts, such as No Spoofing, No Sniffing, or No TCP initiation, will not generate false positives
  – Interface is through the AIC which collects all audit and generates alerts
ITSI Prototype
(Repeats the ITSI Prototype architecture diagram.)
PEN Responses
• Shifting
  – Traffic can be shifted to another server if one goes down
• Blocking
  – Traffic from specified IP addresses can be blocked
• Auditing
  – Traffic from a specified IP address can be audited
• Fishbowling
  – Traffic from a specified IP address can be routed to a particular server
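The load-distribution approach (shared virtual IP and MAC, PEN rules deciding by source IP) and the four PEN responses just listed, as an added simulation that is not code from the ITSI project or from 3Com's Embedded Firewall: every PEN sees every frame sent to the shared MAC and decides from the source IP whether to process or discard it, and shifting, blocking, auditing and fishbowling are all rule changes pushed by the AIC. The Rule and Pen classes, the rule format and the function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:                      # assumed PEN rule format
    src: ipaddress.IPv4Network   # source range the rule matches
    action: str                  # "accept" (process) or "drop" (discard)
    audit: bool = False          # also write an audit record on a match

@dataclass
class Pen:                       # one server's embedded-firewall NIC
    server: str
    rules: list = field(default_factory=list)       # checked first-match
    audit_log: list = field(default_factory=list)

    def decide(self, src_ip):
        ip = ipaddress.ip_address(src_ip)
        for rule in self.rules:
            if ip in rule.src:
                if rule.audit:
                    self.audit_log.append((src_ip, rule.action))
                return rule.action
        return "drop"            # matched no rule: discard (default deny)

def deliver(pens, src_ip):
    """Shared MAC: every PEN sees the frame; return the servers that process it."""
    return [p.server for p in pens if p.decide(src_ip) == "accept"]

def load_share(pens, assignment):
    """AIC pushes each server's accept ranges. Shifting load when a server
    goes down is just pushing a new assignment that omits that server."""
    for pen in pens:
        pen.rules = [Rule(ipaddress.ip_network(r), "accept")
                     for r in assignment.get(pen.server, [])]

def block(pens, src_ip):
    """Blocking: every PEN discards the source, and each match is audited."""
    for pen in pens:
        pen.rules.insert(0, Rule(ipaddress.ip_network(src_ip), "drop", audit=True))

def audit(pens, src_ip):
    """Auditing: keep each PEN's current decision for the source, but log it."""
    for pen in pens:
        pen.rules.insert(0, Rule(ipaddress.ip_network(src_ip), pen.decide(src_ip), audit=True))

def fishbowl(pens, src_ip, target):
    """Fishbowling: only the target server processes traffic from the source."""
    for pen in pens:
        action = "accept" if pen.server == target else "drop"
        pen.rules.insert(0, Rule(ipaddress.ip_network(src_ip), action, audit=True))
```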
Host Response Agents
• Detection/Initiating Agent
  – Interfaces with local ID systems to detect intrusions
  – Initiates Local Responses
  – Sends Intrusion Event Data to AIC
• Response/Recovery Agent
  – Performs Local Responses per AIC
    • Check critical files (using Veracity or Tripwire)
    • Disable user
    • Kill process
    • Shutdown
  – Local recovery
    • Restore files, restore registry
Response Server
• Receives Events from Agents
• Correlates Events Based on Priority
• Enables User Customizable Responses Based on Event Types
• Initiates Responses
• Manages Web Server Load Sharing
• Manages ID Software
• Controls Embedded Firewalls
Response Configuration
Response Components
(Component diagram.) Components: Response Agent, Responder, Response Agent Initiator, Event Handler, Event Correlator, Response Initiator. Labelled flows: Send Events (Log Event, Restart); Store Events; Reinitiate Load Share Thru Policy Server; Read Config Files (Response Configuration, Server Config, Service Data); List of Responses; Send Responses; Read New Events; Local Response File; Disable Source; Execute Custom Responses; Check & Restore; Shutdown.