Federal Intrusion Detection Network (FIDNet) Concept Overview Darwyn Banks, Program Manager...
Posted 18-Dec-2015, Category: Documents
Federal Intrusion Detection Network (FIDNet)
Concept Overview
Darwyn Banks, Program Manager
“Protecting the Critical Infrastructure: Issues & Solutions”
Falls Church, VA
9 November 1999
What is FIDNet? A New Initiative
[Cover image: “Defending America’s Cyberspace: National Plan for Information Systems Protection, Version 1.0, An Invitation to a Dialogue”, The White House, 1999, marked DRAFT]
• The National Plan (CIAO)
• FY00 Budget Amendment, Sep 99
  – Federal Cyber Service
  – FIDNet
  – PKI
  – Expert Review Team
  – State & Local Gov’t ISACs
What is FIDNet? Example Network Security Mgmt
Copyright, Cisco Systems Inc.©, 1999
Agencies own, operate & tune their own sensors; set the policies
[Diagram: network security management with two labelled domains, FIDNet Ops and Agencies’ Ops]
What is FIDNet? Short List of IDS Vendors*
Advantor Corp.
Anzen Computing
Axent Technologies Inc.
Cisco Systems Inc.
Computer Associates Inc.
CyberSafe Corp.
DataLynx Inc.
Internet Security Systems Inc.
Network Associates Inc.
Network Flight Recorder Inc.
Network ICE
ODS Networks Inc.
PentaSafe Inc.
PRC
Securant Technologies Inc.
Security Dynamics Technologies Inc.
TASC Inc.
Trident Data Systems
Tripwire Security Systems Inc.
WetStone Technologies Inc.
*Compiled by Information Security Magazine, September 1999
URL: http://www.infosecuritymag.com/sept99/prod_roundup.htm
What is FIDNet? Example Network Security Mgmt (cont’d)
Copyright, Cisco Systems, Inc.©, 1999
Agencies own, operate & tune their own sensors; set the policies
[Diagram, continued: the same two domains, FIDNet Ops and Agencies’ Ops]
What is FIDNet? FIDNet will:
• Be a new capability -- pilot proposal
  – Probably more than current products/services
  – Certainly more than just new sensors
• Incorporate current & future R&D
• Leverage technical development(s)
• Include personnel development
• Work as one with FedCIRC
• Analyze & correlate IDS output
• Not usurp agency autonomy
What is FIDNet? FIDNet Assumptions
• Participating agencies have an IDS
• FIDNet will be able to read / accept the output(s) of the agencies’ disparate systems
• Program will recommend (if not provide) preferred IDS configuration(s)
• R&D ongoing. We are pushing the IDS envelope:
  – Industry considers this to be a workable challenge
    • Intrusion Detection Exchange Format Working Group (IETF/IDWG)
    • Common Intrusion Detection Framework (DARPA/CIDF)
    • Common Vulnerabilities & Exposures (Mitre/CVE)
  – Scalability of IDS technologies up to the federal level
What is FIDNet? FIDNet Vendor Offerings
Must address:
  – False Alarms
  – Data Overload
  – Data Visualization
  – Meaningful Analysis
Must maintain:
  – Interoperability
  – Flexibility
  – Adaptability
  – Extensibility
What is FIDNet? 4 Levels of Data Flow

Level    Data                                                      Who Sees?                                       Scope
Level 0  Actual network traffic [in/out-bound to/from Internet]    Sender, Recipient, Agency                       (agency)
Level 1  Output of Agencies’ IDS                                   FIDAC (GSA), FedCIRC (GSA)                      FIDNet
Level 2  Suspicious Activity                                       FIDAC / FedCIRC, NIPC / Analysis & Warning      FIDNet
Level 3  Criminal Activity                                         NIPC / Law Enforcement, FBI / Computer Crime    FIDNet
Proposed FIDNet Architecture: 4 Distinct Levels of Data Flow
[Architecture diagram. Level 0: Internet traffic reaching Sensor 1 (Agency #1) and Sensor 2 (Agency #2). Level 1: IDS Output Data from the agency sensors to FIDAC / FedCIRC. Level 2: Probable Incident Data to NIPC Analysis and Warning, with Situational Awareness shared over a Collaboration Net among JTF-CND, NSIRC and ISACs (future). Level 3: Suspected Criminal Activity passed through Legal Validation and Court Order to the NIPC Computer Crimes Section and on into Law Enforcement Processes.]
Expected Benefits of FIDNet:
• Cross-correlation of intrusions / network “events”
  – “Raise the Bar” of Network Security
  – Agencies gain new insight
  – Better Detection of Low Flyers
• Economie$ of $cale
  – Pooling scarce resources
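The slides above describe FIDNet accepting the output of agencies’ disparate IDS products (Level 1), cross-correlating it to catch “low flyers” no single agency would alert on (Level 2), and handing only legally validated cases to law enforcement (Level 3). The following is an added toy model of that data flow, written for this page and not code from the briefing or any FIDNet program; the two IDS output formats, the per-agency alert threshold and the `court_orders` set standing in for legal validation are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample output from two agencies' disparate IDS products
# (documentation-range addresses; not data from the briefing).
AGENCY_A_LOG = ("src=198.51.100.7 dst=10.1.0.5 sig=portscan\n"
                "src=198.51.100.7 dst=10.1.0.9 sig=portscan\n")
AGENCY_B_LOG = ("198.51.100.7,10.2.0.3,portscan\n"
                "203.0.113.4,10.2.0.3,webdav-probe\n")

def parse_kv(text, agency):
    """Level 1 intake for a key=value style IDS output (constructed format)."""
    events = []
    for line in text.splitlines():
        fields = dict(part.split("=", 1) for part in line.split())
        events.append({"agency": agency, "src": fields["src"],
                       "dst": fields["dst"], "sig": fields["sig"]})
    return events

def parse_csv(text, agency):
    """Level 1 intake for a comma-separated IDS output (constructed format)."""
    events = []
    for line in text.splitlines():
        src, dst, sig = line.split(",")
        events.append({"agency": agency, "src": src, "dst": dst, "sig": sig})
    return events

def correlate(events, per_agency_threshold=3):
    """Level 2: cross-agency correlation. A source that stays below each
    agency's own alert threshold but touches more than one agency is the
    'low flyer' that a single agency's IDS would not raise on its own."""
    hits = defaultdict(lambda: defaultdict(int))   # src -> agency -> count
    for event in events:
        hits[event["src"]][event["agency"]] += 1
    suspicious = {}
    for src, per_agency in hits.items():
        under_radar = all(n < per_agency_threshold for n in per_agency.values())
        if under_radar and len(per_agency) > 1:
            suspicious[src] = sorted(per_agency)
    return suspicious

def escalate(suspicious, court_orders):
    """Level 3: only suspects with legal validation (a court order in this
    model) are handed to the law-enforcement side of the flow."""
    return {src: agencies for src, agencies in suspicious.items()
            if src in court_orders}

if __name__ == "__main__":
    events = parse_kv(AGENCY_A_LOG, "Agency #1") + parse_csv(AGENCY_B_LOG, "Agency #2")
    level2 = correlate(events)          # the source seen at both agencies
    print("Level 2 suspicious:", level2)
    print("Level 3 referrals:", escalate(level2, court_orders={"198.51.100.7"}))
```

Note that a source noisy enough at one agency to cross that agency's own threshold is that agency's alert, not a FIDNet finding; the correlation step only adds value for activity spread thinly across agencies.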
Intrusion Detection Systems: Physical Analogy
[Diagram: a home Alarm reports to an ADT® Central Facility, which in turn notifies the Police Station. Labels on the alarm triggers: “air”, “So what?”, and “False Positives Cost $$”.]