Intrusion Tolerant Server Infrastructure


Transcript of Intrusion Tolerant Server Infrastructure

Page 1: Intrusion Tolerant Server Infrastructure

Not For Public Release

SECURE COMPUTING

Intrusion Tolerant Server Infrastructure

Dick O’Brien

OASIS PI Meeting

July 25, 2001

Page 2: Intrusion Tolerant Server Infrastructure


Outline

• Technical Objective

• Technical Approach

  – Architecture

  – Load Sharing

  – Detection

  – Hardened Servers

  – Response

• Technology Transition

• Demo Scenarios

Page 3: Intrusion Tolerant Server Infrastructure


Technical Objective

• Develop an Intrusion Tolerant Server Infrastructure that uses independent network layer enforcement mechanisms to:

  – Reduce intrusions

  – Prevent propagation of intrusions that do occur

  – Provide automated load shifting when intrusions are detected

  – Support automated server recovery

Page 4: Intrusion Tolerant Server Infrastructure


Technical Approach

• Intrusion tolerant server components

  – Load distribution and network response capability using the ADF Policy Enforcing NICs

  – Server hardening to reduce effectiveness of penetrations

  – Intrusion detection systems that primarily reside on server hosts

  – An Availability and Integrity Controller (AIC) to manage the system and respond to intrusions reported to it

Page 5: Intrusion Tolerant Server Infrastructure


ITSI Architecture (diagram)

Web Server 1 (Windows 2000): IIS Web Server; Response/Recovery Agent; Detection/Initiating Agent; Intrusion Detection; Embedded Firewall – NIC 1 and NIC 2.

Web Server 2 (SE Linux): Apache Web Server; Response/Recovery Agent; Detection/Initiating Agent; Intrusion Detection; Embedded Firewall – NIC 1 and NIC 2.

AIC (Windows 2000): ADF Policy Server; Alert Handler; Cluster Manager; ID Management; Response/Recovery Controller; Embedded Firewall – NIC 2.

Page 6: Intrusion Tolerant Server Infrastructure


Policy Enforcing NICs

• ADF PENs are network interface cards that have been enhanced to provide additional controls

  – Packet Filtering

  – IPSEC support

  – Network layer audit

  – Host independent

  – Centrally managed

• ITSI adds

  – Load sharing

  – Blocking and fishbowling

  – Alerts

Page 7: Intrusion Tolerant Server Infrastructure


Load Sharing

• Each server receives all traffic addressed to the shared virtual IP

• Rules on the PEN determine what traffic to process and what to throw away, based on source IP

• Traffic load can be shifted by modifying PEN rules

(Diagram: the IIS Web Server and the Apache Web Server each have a PEN Agent holding Load Sharing Rules for PEN 1 and PEN 2; New Rules arrive from the AIC.)

Page 8: Intrusion Tolerant Server Infrastructure


PEN Enhancements

• Blocking

  – Traffic from specified IP addresses can be blocked

• Fishbowling

  – Traffic from a specified IP address can be handled by a particular web server

  – All traffic from the specified IP address can be audited

• Alerts

  – On the AIC the Alert Handler can generate alerts in response to specific audit events

Page 9: Intrusion Tolerant Server Infrastructure


Hardened Servers

• SE Linux

  – Type Enforcement for protecting components

    • Web Server

    • Snort ID

    • ITSI Detection/Response agent

    • PEN agent

  – Stackguarded Apache web server

• Windows 2000

  – Wrapped components using Kernel Loadable Wrappers

    • IIS

    • ISS RealSecure

    • ITSI Detection/Response agent

    • PEN agent

Page 10: Intrusion Tolerant Server Infrastructure


Detection

• PEN based audit from both web servers

  – Sniffing attempts

  – Spoofing attempts

  – Attempts at initiating unauthorized TCP connections

• Intrusion Detection systems

  – Snort on SE Linux

  – ISS RealSecure on Windows 2000

  – Tripwire

• TE violations audited on SE Linux

• Wrapper violations audited on Windows 2000

• AIC receives alerts and determines response strategy and actions

Page 11: Intrusion Tolerant Server Infrastructure


AIC Functions

• ADF PEN management

  – Packet filtering policies, IPSEC policies

• ITSI adds

  – Load sharing/redirection policies

  – Intrusion detection system interface

  – Anomaly logging, reporting and analysis

  – Response strategies

  – Recovery and restoration

Page 12: Intrusion Tolerant Server Infrastructure


ITSI – Demonstration Software Architecture (diagram)

Layered Security Architecture: Intrusion Detection Software; Operating System Security; NIC Based Firewall.

Web Server 1 (Windows 2000): Embedded Firewall; Response Agent (Initiator, Responder; Perl / CGI); IIS Web Server; ID Software (Host ID and Network ID: ISS Server Sensor).

Web Server 2 (SE Linux): Embedded Firewall; Response Agent (Initiator, Responder; Perl / CGI); Apache Web Server; ID Software (Host ID: SE Log Analyzer; Network ID: Snort).

Availability and Integrity Controller (AIC) (Windows 2000): Embedded Firewall; Policy Server (Policy Manager, Audit Manager); Response Server (Event Handler, Event Correlator, Response Initiator); ISS Manager; Cluster Manager; Alert Handler; Response Interface.

(Legend: ITSI Developed Components.)

Page 13: Intrusion Tolerant Server Infrastructure


Response Capabilities (diagram)

Availability & Integrity Controller (AIC) – Windows 2000. Capabilities:

• Receives Events from Web Servers

• Correlates Events Based on Priority

• Enables User Customizable Responses Based on Event Types

• Initiates Responses

• Manages Web Server Load Sharing

• Manages ID Software

• Controls Embedded Firewalls

IIS Web Server – Windows 2000; Apache Web Server – SE Linux. Capabilities:

• Detects Intrusions

• Initiates Local Responses

• Sends Intrusion Event Data to AIC

• Performs Local Responses per AIC

• Localized Recovery

Page 14: Intrusion Tolerant Server Infrastructure


Response Components (diagram)

Web server side: Response Agent – Initiator (Send Events: Log Event, Restart) and Response Agent – Responder (Local Response File; Execute Custom Responses: Disable Source, Check & Restore, Shutdown).

AIC side: Event Handler (Store Events; Reinitiate Load Share Thru Policy Server), Event Correlator (Read New Events; Read Config Files: Response Configuration, Server Config, Service Data; produces List of Responses) and Response Initiator (Send Responses: Disable Source, Shutdown, Check & Restore).

Page 15: Intrusion Tolerant Server Infrastructure


Response Configuration File

Priority: Tells Correlator What Responses to Perform for Each Server
Values: (1-4) where 1 is the highest.

Type: Type of Event Detected
Values: Intrusion – Event representing known intrusion.
Suspicious – Event representing known intrusion with false positives or suspicious activity.

Severity: Event Severity
Values: High, Medium or Low

Source: Source Associated with Event Occurrence
Values: NETWORK_IP_ADDRESS, USER_ID, PROCESS_ID

Example entry (columns: Priority, Type, Severity, Source, Responses, Security Status):

2 SUSPICIOUS HIGH NETWORK_IP_ADDRESS CHECK_RESTORE BLOCK_SOURCE_IP SECURITY_IN_QUESTION

Page 16: Intrusion Tolerant Server Infrastructure


Response Configuration File (cont)

Responses: Responses Performed for the Event

Custom Responses Executed on the Web Server Machine by the Responder:

CHECK_RESTORE - Expected to Check Local Server Integrity and Fix Whatever is Necessary if Possible

DISABLE_SOURCE - Expected to Disable Process ID or USER ID of the Server Machine

SHUTDOWN_REQ - Expected to Shutdown the Server

Responses Executed on the AIC by the Response Initiator:

BLOCK_SOURCE_IP – Call to Policy Server to Block Source IP on Specified Server NIC(s)

SHIFT_ALL – Call to Policy Server to Shift All Traffic From Specified Server

SHIFT_EXCL_IP – Call to Policy Server to Shift All Traffic From NIC Except Specified IP & Turn Audit On

Example entry (columns: Priority, Type, Severity, Source, Responses, Security Status):

2 SUSPICIOUS HIGH NETWORK_IP_ADDRESS CHECK_RESTORE BLOCK_SOURCE_IP SECURITY_IN_QUESTION
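As an added worked example (not ITSI code), a parser for Response Configuration File entries in the column layout above, plus the Event Correlator lookup and the split of an entry's responses between the web server's Responder and the AIC's Response Initiator. The slides give the columns, the value sets and which response runs where; the matching rule (highest priority among exact matches on type, severity and source) and the extra sample rows are assumptions made here.

```python
"""Parser and correlator for the ITSI Response Configuration File format
(Priority, Type, Severity, Source, Responses..., Security Status).
Added example, not ITSI code: the slides name the columns, the values and
which responses run where; the matching rule (best priority among exact
matches on type/severity/source) is an assumption made here."""
from dataclasses import dataclass

# Responses the Responder runs on the web server vs. the Response Initiator on the AIC
LOCAL_RESPONSES = {"CHECK_RESTORE", "DISABLE_SOURCE", "SHUTDOWN_REQ"}
AIC_RESPONSES = {"BLOCK_SOURCE_IP", "SHIFT_ALL", "SHIFT_EXCL_IP"}
TYPES = {"INTRUSION", "SUSPICIOUS"}
SEVERITIES = {"HIGH", "MEDIUM", "LOW"}
SOURCES = {"NETWORK_IP_ADDRESS", "USER_ID", "PROCESS_ID"}

# Constructed sample file.  Row 1 is the entry shown on the slide; the other
# rows are made up here (SECURITY_IN_QUESTION is the only status the slide shows).
SAMPLE_CONFIG = """\
# priority type severity source responses... security_status
2 SUSPICIOUS HIGH NETWORK_IP_ADDRESS CHECK_RESTORE BLOCK_SOURCE_IP SECURITY_IN_QUESTION
1 INTRUSION HIGH NETWORK_IP_ADDRESS CHECK_RESTORE BLOCK_SOURCE_IP SECURITY_IN_QUESTION
3 INTRUSION HIGH NETWORK_IP_ADDRESS SHUTDOWN_REQ SECURITY_IN_QUESTION
4 SUSPICIOUS LOW PROCESS_ID DISABLE_SOURCE SECURITY_IN_QUESTION
"""


@dataclass(frozen=True)
class Rule:
    priority: int
    event_type: str
    severity: str
    source: str
    responses: tuple
    security_status: str


def parse_rule(line):
    """Parse one whitespace-separated entry; the responses are every field
    between the four fixed leading columns and the trailing security status."""
    fields = line.split()
    if len(fields) < 6:
        raise ValueError(f"entry needs at least 6 fields: {line!r}")
    priority = int(fields[0])
    event_type, severity, source = fields[1:4]
    responses = tuple(fields[4:-1])
    if not 1 <= priority <= 4:
        raise ValueError(f"priority must be 1-4: {line!r}")
    if event_type not in TYPES or severity not in SEVERITIES or source not in SOURCES:
        raise ValueError(f"unknown type/severity/source: {line!r}")
    unknown = set(responses) - LOCAL_RESPONSES - AIC_RESPONSES
    if unknown:
        raise ValueError(f"unknown responses {sorted(unknown)}: {line!r}")
    return Rule(priority, event_type, severity, source, responses, fields[-1])

def parse_config(text):
    """Read all non-blank, non-comment entries of a configuration file."""
    return [parse_rule(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def correlate(rules, event):
    """Event Correlator step: pick the highest-priority (lowest number) entry
    whose type, severity and source match the reported event, or None."""
    key = (event["type"], event["severity"], event["source"])
    matches = [r for r in rules if (r.event_type, r.severity, r.source) == key]
    return min(matches, key=lambda r: r.priority) if matches else None

def dispatch(rule):
    """Split an entry's responses into what goes back to the web server's
    Responder and what the AIC's Response Initiator performs itself."""
    return {
        "responder": [r for r in rule.responses if r in LOCAL_RESPONSES],
        "response_initiator": [r for r in rule.responses if r in AIC_RESPONSES],
        "security_status": rule.security_status,
    }
```

For the port scan demo event (Intrusion with a source IP) the correlator picks the priority-1 row, so CHECK_RESTORE goes to the Responder on Server 1 and BLOCK_SOURCE_IP is carried out by the Response Initiator through the Policy Server.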

Page 17: Intrusion Tolerant Server Infrastructure


Technology Transition

• Hardened Server OPX experiment

• Commercial transition of results into Embedded Firewall product

Page 18: Intrusion Tolerant Server Infrastructure


Demo Scenarios

Page 19: Intrusion Tolerant Server Infrastructure


Load Sharing Demo (diagram)

Components: Web Server 1 (Windows 2000: IIS Web Server, ISS Network ID, ISS Host ID, Response Agent – Responder, Response Agent – Initiator, Embedded Firewall – NIC 1); AIC (Windows 2000: Policy Manager, Audit Manager, Event Handler, ISS Manager, Embedded Firewall, Cluster Manager, Alert Handler, Event Correlator, Response Initiator); Web Server 2 (SE Linux: Apache Web Server, Snort Network ID, SE Log Analyzer – Host ID, Response Agent – Responder, Response Agent – Initiator, Embedded Firewall – NIC 2); Laptop 1 and Laptop 2 (Browse Web Server).

Load Sharing Initialization:

• Load is Set via Policy Server

• Demonstration is based on Even/Odd IP Address

• Even IP’s Are Received by Server 1

• Odd IP’s Are Received by Server 2

Message flow shown in the diagram:

• AIC to NIC 1: Receive Rule to Accept Even Traffic; AIC to NIC 2: Receive Rule to Accept Odd Traffic

• From Web Browsers: NIC 1 Receives Traffic from Laptop 1; NIC 2 Receives Traffic from Laptop 2

• NIC 1 and NIC 2 to AIC: Send Heartbeat; AIC Receives Heartbeats From All NICs

• Server Unreachable? NIC 2 Server Down = True: Redistribute Load to NIC 1

• AIC to NIC 1: Send Reset Load Sharing to NIC 1 & 2; NIC 1 Receives Rule to Accept All Traffic

• From Web Browsers: NIC 1 Receives Traffic from Laptop 1 & 2
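As an added example (not ITSI code), a simulation of the PEN rule sets the AIC pushes to the two Policy Enforcing NICs, covering the even/odd load sharing and heartbeat-driven redistribution of this demo together with the BLOCK_SOURCE_IP and SHIFT_EXCL_IP (fishbowling with audit) responses from the PEN Enhancements and Response Configuration slides. The rule structure is illustrative, and "even/odd IP" is assumed to mean the parity of the source address' last octet; `check_invariant` is the verification a defender would run after every rule change, since every server sees every packet to the virtual IP and only the PEN rules keep a flow from being processed twice or not at all.

```python
"""PEN rule sets as the AIC would push them to the two Policy Enforcing NICs:
even/odd load sharing, redistribution when a server's heartbeat stops,
BLOCK_SOURCE_IP and SHIFT_EXCL_IP (fishbowling with audit).  Added example, not
ITSI code; 'even/odd IP' is taken as the parity of the address' last octet."""
import ipaddress

NIC1, NIC2 = "NIC 1", "NIC 2"   # NIC 1 fronts Web Server 1 (IIS), NIC 2 Web Server 2 (Apache)


class PenRules:
    """Rule set held by one PEN.  Every server sees every packet sent to the
    shared virtual IP; these rules decide whether this server processes it."""

    def __init__(self, name, share):
        self.name = name
        self.share = share        # "even", "odd", "all" or "none"
        self.blocked = set()      # sources dropped outright (BLOCK_SOURCE_IP)
        self.handle = set()       # fishbowled sources pinned to this server
        self.exclude = set()      # sources shifted away to the other server
        self.audit_all = False    # network-layer audit of every packet

    def decide(self, src):
        """Return (action, audited) for a packet from source address src."""
        ip = ipaddress.ip_address(src)
        if ip in self.blocked:
            return "DROP", True               # blocked traffic is always audited
        if ip in self.handle:
            return "ACCEPT", True             # fishbowled traffic is always audited
        if ip in self.exclude:
            return "DROP", self.audit_all
        parity = "even" if int(ip) % 2 == 0 else "odd"   # parity of the last octet
        accept = self.share == "all" or self.share == parity
        return ("ACCEPT" if accept else "DROP"), self.audit_all


def initial_load_share():
    """Load Sharing Initialization: even sources to Server 1, odd to Server 2."""
    return {NIC1: PenRules(NIC1, "even"), NIC2: PenRules(NIC2, "odd")}

def shift_all(pens, from_nic, to_nic):
    """SHIFT_ALL: move every flow off from_nic; to_nic accepts all traffic."""
    pens[from_nic].share = "none"
    pens[to_nic].share = "all"

def heartbeat_lost(pens, down_nic):
    """Server Down = True for down_nic: redistribute its load to the other NIC."""
    (other,) = [n for n in pens if n != down_nic]
    shift_all(pens, down_nic, other)

def block_source_ip(pens, nics, src):
    """BLOCK_SOURCE_IP on the specified server NIC(s)."""
    for n in nics:
        pens[n].blocked.add(ipaddress.ip_address(src))

def shift_excl_ip(pens, from_nic, to_nic, src):
    """SHIFT_EXCL_IP: from_nic keeps only src (fishbowled and audited), all other
    traffic moves to to_nic, and audit is turned on for all cluster NICs."""
    ip = ipaddress.ip_address(src)
    shift_all(pens, from_nic, to_nic)
    pens[from_nic].handle.add(ip)
    pens[to_nic].exclude.add(ip)
    for pen in pens.values():
        pen.audit_all = True

def accepting_nics(pens, src):
    """NICs that would process a packet from src (the AIC must keep this at one)."""
    return [n for n, p in pens.items() if p.decide(src)[0] == "ACCEPT"]

def check_invariant(pens, sources):
    """Return the unblocked sources that zero or both servers would process."""
    return [s for s in sources
            if not any(ipaddress.ip_address(s) in p.blocked for p in pens.values())
            and len(accepting_nics(pens, s)) != 1]
```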

Page 20: Intrusion Tolerant Server Infrastructure


Port Scan Attack Demo - Win 2k (diagram)

Components: Web Server 1 (Windows 2000: IIS Web Server, ISS Network ID, ISS Host ID, Response Agent – Responder, Response Agent – Initiator, Embedded Firewall – NIC 1); AIC (Windows 2000: Policy Manager, Audit Manager, Event Handler, ISS Manager, Embedded Firewall, Cluster Manager, Alert Handler, Event Correlator, Response Initiator); Web Server 2 (SE Linux: Apache Web Server, Snort Network ID, SE Log Analyzer – Host ID, Response Agent – Responder, Response Agent – Initiator, Embedded Firewall – NIC 2); Laptop 1 and Laptop 2.

Message flow shown in the diagram:

• Laptop 1: Initiate Port Scan; Port Scan Traffic arrives at NIC 1

• Server 1: Port Scan Detection

• Server 1 to AIC: Send Event: Intrusion & Source IP

• AIC: Receive Event: Intrusion, Source – IP from Server 1; Store Event; Retrieve Events; Determine Response; Perform Responses: Send Block Request on IP

• AIC to NIC 1: Send NIC 1 Block IP Rule; NIC 1: Receive Block IP Rule from AIC

• AIC to Server 1: Send Check & Restore Response; Server 1: Receive / Perform Check & Restore Response from AIC

Page 21: Intrusion Tolerant Server Infrastructure


CGI Attack Demo: SE Linux (diagram)

Components: Web Server 1 (Windows 2000: IIS Web Server, ISS Network ID, ISS Host ID, Response Agent – Responder, Response Agent – Initiator, Embedded Firewall – NIC 1); AIC (Windows 2000: Policy Manager, Audit Manager, Event Handler, ISS Manager, Embedded Firewall, Cluster Manager, Alert Handler, Event Correlator, Response Initiator); Web Server 2 (SE Linux: Apache Web Server, Snort Network ID, SE Log Analyzer – Host ID, Response Agent – Responder, Response Agent – Initiator, Embedded Firewall – NIC 2); Laptop 1 and Laptop 2.

Message flow shown in the diagram:

• Laptop 2: Initiate CGI Attack; CGI Attack traffic arrives at NIC 2

• Server 2: CGI Attack Detection

• Server 2 to AIC: Send Event: Intrusion & Source IP

• AIC: Receive Event: Intrusion, Source IP from Server 2; Store Event; Retrieve Events; Determine Response; Perform Responses: Send Block Request on IP

• AIC to NIC 2: Send NIC 2 Block IP Rule; NIC 2: Receive Block IP Rule from AIC

• AIC to Server 2: Send Check & Restore Response; Server 2: Receive / Perform Check & Restore Response from AIC

Page 22: Intrusion Tolerant Server Infrastructure


IIS Attack Demo : Win2K (diagram)

Components: Web Server 1 (Windows 2000: IIS Web Server, ISS Network ID, ISS Host ID, Response Agent – Responder, Response Agent – Initiator, Embedded Firewall – NIC 1); AIC (Windows 2000: Policy Manager, Audit Manager, Event Handler, ISS Manager, Embedded Firewall, Cluster Manager, Alert Handler, Event Correlator, Response Initiator); Web Server 2 (SE Linux: Apache Web Server, Snort Network ID, SE Log Analyzer – Host ID, Response Agent – Responder, Response Agent – Initiator, Embedded Firewall – NIC 2); Laptop 1 and Laptop 2.

Message flow shown in the diagram:

• Laptop 1: Initiate ASP DOT Attack; ASP Dot Attack traffic arrives at NIC 1

• Server 1: ASP DOT Detection

• Server 1 to AIC: Send Event: Suspicious & Source IP

• AIC: Receive Event: Suspicious, Source IP from Server 1; Store Event; Retrieve Events; Determine Response; Perform Responses; Send: Shift All, Handle IP, Audit On

• AIC to NIC 1: Send NIC 1 – Handle IP, Audit On & Shift All From; NIC 1: Receive: Shift All From, Handle IP & Audit On

• AIC to NIC 2: Send NIC 2 Shift All To Except Handle IP, Audit On; NIC 2: Receive: Shift All To Except Handle & Audit On

• Audit All Cluster NICs

• AIC to Server 1: Send Check & Restore Response; Server 1: Receive / Perform Check & Restore Response from AIC