Capture of Mission Assets




Vern Paxson, University of California, Berkeley, California, USA
vern@eecs.berkeley.edu
June 2009
Presented by Giovanni Vigna

Outline
- Motivational context
- Tracking network system assets
  - Passively
  - Actively
  - Vantage-point considerations
- Tying assets to mission needs
  - Leveraging multiple examples
  - Inferring dependencies
  - Fault injection

The Role of Asset Capture
- Assets, and their relationship to mission functioning, are crucial for reasoning about:
  - Vulnerability to induced faults / subversion
  - Robustness to incidental failure
- Assets include network/system components, human actors, required services and service sessions (which may span multiple components), and the accompanying configuration information: topology, access control
  - Particularly significant: version information, which points up attacker exploit opportunities and common failure modes
  - Also, the presence of data caching, which can mask or induce errors
- Modeling includes producer/consumer relationships, trust relationships, and preconditions

Identifying Assets
- Simple approach: it's the system/network operator's job to track them
  - But done manually, this is tedious and error-prone due to churn
- Note: some asset information is necessarily tracked
  - E.g., users present in the system (defined by the authentication mechanisms)
  - E.g., devices potentially connected to the network (if MAC address registration is employed)
- Thus, part of the research effort: tools & procedures to automate asset tracking, using the manually provided information as ground truth

Passive Capture
- Idea: learn assets by surveillance, i.e., watching what happens
- Requires widespread visibility plus a suite of network analysis modules
- Link/network layer:
  - Track MAC-to-IP address bindings to resolve aliasing
  - ARP reveals broadcast domains, routers, switches (to a limited degree)
  - TTLs reveal IP hop counts from systems to the monitors
  - RTTs are suggestive of subnet structure and underlying link technology
  - Packet-pair dispersion reveals link capacities
  - Jitter can shed light on cross traffic, i.e., implicit dependencies
  - Deterministic loss patterns are often rooted in internal network buffer sizes
  - ICMPs reveal failure conditions (e.g., Host Unreachable)
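The three link/network-layer inferences above (MAC-to-IP bindings, TTL-derived hop counts, packet-pair capacity) are small enough to show in working code. The following is an added example, not tooling from the talk; the trace is constructed, and the table of common initial TTLs (32/64/128/255) is an assumption about sender operating systems.

```python
"""Link/network-layer asset inference from passively observed packet metadata.

Added example, not from the talk.  Each record is what a monitor sees for one
frame: (timestamp_s, src_mac, src_ip, ip_ttl, frame_bytes).  The trace is
constructed: MAC aa:..:01 is a directly attached host that later claims a
second IP; MAC bb:..:01 is a router fronting two remote hosts.
"""
from collections import defaultdict

TRACE = [
    (0.000, "aa:aa:aa:00:00:01", "10.0.0.5", 64, 1500),
    (0.012, "aa:aa:aa:00:00:01", "10.0.0.5", 64, 1500),
    (0.500, "bb:bb:bb:00:00:01", "10.0.1.7", 61, 1500),
    (0.512, "bb:bb:bb:00:00:01", "10.0.1.7", 61, 1500),
    (1.000, "bb:bb:bb:00:00:01", "10.0.1.9", 126, 1500),
    (1.001, "bb:bb:bb:00:00:01", "10.0.1.9", 126, 1500),
    (2.000, "aa:aa:aa:00:00:01", "10.0.0.6", 64, 60),
]

# Assumption: senders start from one of these initial TTLs.
INITIAL_TTLS = (32, 64, 128, 255)


def mac_ip_bindings(trace):
    """MAC -> set of IPs seen behind it.  A MAC fronting many IPs at non-zero
    hop distance is a router; a single MAC whose IP changes over time is
    re-addressing (DHCP churn, or spoofing) and deserves a look."""
    bindings = defaultdict(set)
    for _, mac, ip, _, _ in trace:
        bindings[mac].add(ip)
    return dict(bindings)


def hop_count(ttl):
    """Hops from sender to monitor: the smallest common initial TTL that is
    >= the observed TTL, minus the observed TTL."""
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return initial - ttl


def gateway_macs(trace):
    """MACs that forward frames for hosts at hop distance > 0, i.e. routers
    as seen from this vantage point."""
    return {mac for _, mac, _, ttl, _ in trace if hop_count(ttl) > 0}


def packet_pair_capacity_bps(trace, src_ip, max_gap_s=0.05):
    """Packet-pair estimate of the bottleneck capacity from src_ip to the
    monitor: two equal-size frames sent back to back leave the bottleneck
    spaced by bytes*8/capacity seconds.  Cross traffic widens the spacing,
    so keep the minimum over pairs.  Returns None if no usable pair exists."""
    pkts = [(ts, size) for ts, _, ip, _, size in trace if ip == src_ip]
    best = None
    for (t1, s1), (t2, s2) in zip(pkts, pkts[1:]):
        gap = t2 - t1
        if s1 == s2 and 0 < gap <= max_gap_s and (best is None or gap < best[0]):
            best = (gap, s1)
    if best is None:
        return None
    gap, size = best
    return size * 8 / gap


if __name__ == "__main__":
    print("bindings:", mac_ip_bindings(TRACE))
    print("gateways:", gateway_macs(TRACE))
    for _, _, ip, ttl, _ in TRACE:
        print(ip, "hops:", hop_count(ttl), "bps:", packet_pair_capacity_bps(TRACE, ip))
```

Two caveats a practitioner should keep in mind: a host whose OS uses an unusual initial TTL is placed at the wrong distance, and the minimum-dispersion estimator can be pulled upward when the first packet of a pair queues behind cross traffic downstream of the bottleneck, which is why the talk lists jitter as a separate signal.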

Passive Capture - Network/Transport Layer
- Inference of OS type / version
- Absent servers manifest as TCP SYN/RST exchanges
- Firewalls (some forms) manifest as SYN / SYN-ACK / RST exchanges
- Unanswered SYNs reveal expected-but-missing services
- Baseline of network path characteristics: the range of bandwidth/loss/delay conditions over which the mission has successfully run
- Behavior of TCP senders indicates their congestion-control specifics, allowing prediction of expected performance in alternative/backup environments
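The handshake signatures above (SYN/RST for an absent server, SYN / SYN-ACK / RST for some filters, unanswered SYNs for a missing service) can be recovered from packet headers alone. The following added example, which is not code from the talk, classifies constructed packet records by handshake outcome and then compares against a constructed list of services known from an earlier trace to find the expected-but-missing ones.

```python
"""Classify passively observed TCP connection attempts by handshake outcome.

Added example, not from the talk.  Packet records are constructed:
(timestamp_s, src_ip, src_port, dst_ip, dst_port, tcp_flags, payload_bytes),
with flags as a string of S/A/R/F letters.
"""
from collections import defaultdict

PACKETS = [
    # normal three-way handshake to a web server, followed by a request
    (0.00, "10.0.0.5", 40001, "10.0.2.10", 80, "S", 0),
    (0.01, "10.0.2.10", 80, "10.0.0.5", 40001, "SA", 0),
    (0.02, "10.0.0.5", 40001, "10.0.2.10", 80, "A", 0),
    (0.03, "10.0.0.5", 40001, "10.0.2.10", 80, "A", 120),
    # nothing listening on 8080: the host answers the SYN with RST
    (1.00, "10.0.0.5", 40002, "10.0.2.10", 8080, "S", 0),
    (1.01, "10.0.2.10", 8080, "10.0.0.5", 40002, "RA", 0),
    # handshake completes, then a reset before any data: the signature of
    # some firewalls / transparent filters
    (2.00, "10.0.0.5", 40003, "10.0.2.11", 25, "S", 0),
    (2.01, "10.0.2.11", 25, "10.0.0.5", 40003, "SA", 0),
    (2.02, "10.0.0.5", 40003, "10.0.2.11", 25, "A", 0),
    (2.03, "10.0.2.11", 25, "10.0.0.5", 40003, "R", 0),
    # SYN plus two retransmissions, nothing comes back
    (3.00, "10.0.0.5", 40004, "10.0.2.12", 389, "S", 0),
    (4.00, "10.0.0.5", 40004, "10.0.2.12", 389, "S", 0),
    (6.00, "10.0.0.5", 40004, "10.0.2.12", 389, "S", 0),
]

# Constructed: services established in an earlier trace of the same mission.
BASELINE_SERVICES = {("10.0.2.10", 80), ("10.0.2.12", 389)}


def group_attempts(packets):
    """Key each packet to the 4-tuple of the side that sent the bare SYN (the
    client); values are lists of (side, flags, payload_bytes)."""
    flows = defaultdict(list)
    for _, src, sport, dst, dport, flags, plen in sorted(packets):
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if "S" in flags and "A" not in flags:
            flows[fwd].append(("client", flags, plen))
        elif rev in flows:
            flows[rev].append(("server", flags, plen))
        elif fwd in flows:
            flows[fwd].append(("client", flags, plen))
        # packets of connections whose SYN predates the trace are ignored
    return flows


def label_attempt(events):
    """Map the handshake as seen by the monitor to an outcome label."""
    synack = any(s == "server" and "S" in f and "A" in f for s, f, _ in events)
    server_rst = any(s == "server" and "R" in f for s, f, _ in events)
    client_ack = any(s == "client" and f == "A" for s, f, _ in events)
    data = any(plen > 0 for _, _, plen in events)
    if synack and server_rst and not data:
        return "reset-after-synack"   # completed, then torn down: filter/proxy?
    if synack and client_ack:
        return "established"
    if synack:
        return "half-open"            # SYN-ACK seen, no client ACK (monitor gap?)
    if server_rst:
        return "refused"              # host up, no listener on that port
    return "unanswered"               # silently dropped: filtered, or host/service absent


def classify(packets):
    """(client_ip, client_port, server_ip, server_port) -> outcome label."""
    return {key: label_attempt(ev) for key, ev in group_attempts(packets).items()}


def expected_but_missing(baseline_services, labels):
    """Services (server_ip, port) reachable in the baseline but not established
    here, with what was observed instead (empty list: no attempt seen at all)."""
    seen = defaultdict(set)
    for (_, _, srv, port), lab in labels.items():
        seen[(srv, port)].add(lab)
    return {svc: sorted(seen.get(svc, ())) for svc in baseline_services
            if "established" not in seen.get(svc, ())}


if __name__ == "__main__":
    labels = classify(PACKETS)
    for key, lab in labels.items():
        print(key, lab)
    print("missing:", expected_but_missing(BASELINE_SERVICES, labels))
```

The payload check matters: a server-side RST after data has flowed is an application ending a session, not a filter, so only a reset with nothing but handshake packets on the wire is flagged as the firewall pattern.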

Passive Capture - Application Layer
- Requires a rich set of application-protocol parsers, built on top of the Bro system and BinPAC
- Extract application structure: request/response, error codes, data transfer
- Determine the services provided and their versions
  - Our previous work on Dynamic Protocol Detection unambiguously determines services via application-level parsing
- Our previous work on Discovery of Session Structure finds sets of interrelated connections related to a single instance of application activity (requires extension to > 2 hosts)
  - Based on the observation that independent events arrive according to a Poisson process; thus events arriving more quickly than Poisson would predict are, with high probability, not independent
  - The technique works in general for discovering causal structure
  - But it requires numerous observations of the mission in action to build up statistics

Passive Capture - Caching
- Data items: if some sessions lack data-transfer connections that are present in others, this is suggestive of possible caching
  - Especially if, when we do observe the transfer, it is generally the same data item
- Two-edged sword:
  - The presence of a cache may mean the mission can continue even if the server is down, depending on the caching policy
  - But the presence of a cache also means we may miss the underlying server during passive observation and overlook a dependency
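The Poisson test from the session-structure slide and the caching check from this slide fit together in one short piece of code: chain connections whose inter-arrival is improbably short under an independent-arrivals model, then compare the resulting sessions to see which service types some instances lack. This is an added example rather than the talk's tooling; the connection log is constructed, the rate estimate uses the whole trace, and the 5% threshold is an assumption.

```python
"""Session structure from inter-arrival times, plus a caching check.

Added example, not from the talk.  Connections are constructed records for
one client: (start_s, server_ip, service).  Three runs of the same task about
ten minutes apart, with periodic NTP as unrelated background; the third run
shows no DNS lookup.
"""
import math

CONNS = [
    (0.00, "10.0.3.53", "dns"),
    (0.05, "10.0.2.10", "http"),
    (0.30, "10.0.2.20", "data"),
    (300.00, "10.0.3.123", "ntp"),
    (600.00, "10.0.3.53", "dns"),
    (600.05, "10.0.2.10", "http"),
    (600.28, "10.0.2.20", "data"),
    (900.00, "10.0.3.123", "ntp"),
    (1200.00, "10.0.2.10", "http"),
    (1200.30, "10.0.2.20", "data"),
]


def arrival_rate(conns):
    """Rate (events/s) of the Poisson null model for independent arrivals:
    number of gaps over the span of the trace (the exponential MLE)."""
    ts = sorted(t for t, _, _ in conns)
    span = ts[-1] - ts[0]
    return (len(ts) - 1) / span if span > 0 else float("inf")


def p_gap_under_poisson(gap, rate):
    """P(inter-arrival <= gap) if arrivals were independent at this rate."""
    return 1.0 - math.exp(-rate * gap)


def find_sessions(conns, alpha=0.05):
    """Chain consecutive connections whose gap is too short to be plausible
    under the Poisson null (p < alpha) into one session."""
    ordered = sorted(conns)
    rate = arrival_rate(ordered)
    sessions = [[ordered[0]]]
    for prev, cur in zip(ordered, ordered[1:]):
        if p_gap_under_poisson(cur[0] - prev[0], rate) < alpha:
            sessions[-1].append(cur)
        else:
            sessions.append([cur])
    return sessions


def sessions_missing_services(sessions, anchor):
    """Among sessions that contain the `anchor` service, report which service
    types seen in other instances are absent from each one: a candidate sign
    of caching (or of a dependency that simply did not manifest)."""
    runs = [s for s in sessions if any(svc == anchor for _, _, svc in s)]
    union = {svc for s in runs for _, _, svc in s}
    return {sessions.index(s): union - {svc for _, _, svc in s} for s in runs}


if __name__ == "__main__":
    sessions = find_sessions(CONNS)
    for i, s in enumerate(sessions):
        print(i, [svc for _, _, svc in s])
    print("missing per run:", sessions_missing_services(sessions, "http"))
```

With this trace the NTP connections stand alone (a gap of 300 s is entirely plausible under the null), the three task runs each form a session, and the third run is reported as lacking "dns", which is exactly the case the slide warns about: the DNS dependency exists but a cache hid it from the monitor.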

Passive Capture - Pros & Cons
- Pro: non-invasive; can be applied to actual networks with minimal disruption
- Pro: can work retrospectively; if we gather traces from a network of interest, they can later be analyzed and reanalyzed using passive techniques
- Con: things change (churn); need to understand change time scales and reanalyze, or incorporate possible change into mission planning
- Con: can only characterize what you see; can miss capabilities, quirks, and dependencies that happened not to manifest
  - Option for increasing visibility: deploy simple agents on end hosts, especially for gaining insight into causal links that are difficult to infer externally

Active Probing
- By injecting traffic, can potentially address the previous issues of missing:
  - Capabilities: probe for services/hosts that are present but not active because they are backups for the observed missions; tricky because revealing their presence may require correct authentication
  - Quirks: how in particular will a given end system respond to corner-case/ambiguous packets of the kind used for evasion?
  - Dependencies: can potentially inject faults (degradation or interruption of network/service functionality); can identify both backup components and the failover strategy/delay; can capture the ensuing degradation, which may or may not affect the mission

Extracting Mission Models
- First, analyze existing missions to develop a task-based model of mission workflow, including capturing dependencies
- Some tasks are generic, e.g., day-to-day support for network services
- Others are detailed: specific to a particular mission's structure & objectives
- Models are captured in a mission-model database

Tying Mission Activity to Assets
- Establish a mapping between tasks in cyber-missions and the corresponding required assets
  - Historically, a difficult/error-prone manual step
- Starting point: an estimated mapping supplied by domain experts; likely incomplete and subject to some spurious errors
- Next: develop tools to automate discovery of relationships, based on observing event history over a number of runs
  - Capture dependencies in a form that supports automated reasoning
  - Ideally, observe numerous runs, including some with failures
  - Need also to recognize and factor out routine background traffic

Inferring Types of Dependencies
- Some dependencies are indirect
  - E.g., use of a URL for coordination results in a dependency on DNS
  - Caching can hide the DNS lookup in example runs, but we can infer it when we see use of the URL
- Some dependencies have complex failover behavior
  - E.g., a videoconference might fail over to audio-only, which manifests as use of quite different service elements
  - Requires hierarchical modeling to identify subtasks that differ while maintaining the same overall task structure
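The previous two slides describe three steps that can be written down concretely: keep services that recur across runs, factor out those equally common in background windows, and add the DNS dependency implied by any URL whose host is a name rather than an address. The example below does that over constructed run records and also flags services whose failure status lines up with run failure, which is what observing "some runs with failures" buys. It is an added example, not the talk's tooling; the run records, background windows, thresholds and status vocabulary are all assumptions made here.

```python
"""Infer mission-to-asset dependencies from several observed runs.

Added example, not from the talk.  Each run is a constructed record of the
services contacted (with a status), the run's outcome, and the URLs the
mission used.  Background windows are constructed sets of services seen when
no mission was running.
"""
from ipaddress import ip_address
from urllib.parse import urlsplit

RUNS = [
    {"ok": True, "urls": ["http://coord.example/plan"],
     "services": {"dns": "ok", "http": "ok", "data": "ok", "ntp": "ok", "printer": "ok"}},
    {"ok": True, "urls": ["http://coord.example/plan"],
     "services": {"dns": "ok", "http": "ok", "data": "ok", "ntp": "ok"}},
    {"ok": True, "urls": ["http://coord.example/plan"],          # DNS answer cached
     "services": {"http": "ok", "data": "ok", "ntp": "ok"}},
    {"ok": True, "urls": ["http://coord.example/plan", "http://10.0.2.20/blob"],
     "services": {"dns": "ok", "http": "ok", "data": "ok", "ntp": "ok"}},
    {"ok": False, "urls": ["http://coord.example/plan"],         # data server refused
     "services": {"http": "ok", "data": "refused", "ntp": "ok"}},
]
BACKGROUND = [{"ntp"}, {"ntp", "printer"}, {"ntp"}, {"ntp", "printer"}]


def frequency(service, windows):
    """Fraction of windows (runs or background periods) containing service."""
    return sum(1 for w in windows if service in w) / len(windows)


def infer_dependencies(runs, background, min_run_frac=0.6, max_bg_frac=0.5):
    """Services seen in most runs, minus those just as common when no mission
    is running (routine traffic).  Both thresholds are assumptions."""
    run_sets = [set(r["services"]) for r in runs]
    candidates = {s for rs in run_sets for s in rs}
    return {s for s in candidates
            if frequency(s, run_sets) >= min_run_frac
            and frequency(s, background) <= max_bg_frac}


def implied_name_lookups(runs):
    """Hostnames the mission must resolve: every URL host that is not an IP
    literal implies a DNS dependency, even in runs where a cache hid it."""
    hosts = set()
    for r in runs:
        for url in r["urls"]:
            host = urlsplit(url).hostname
            if host is None:
                continue
            try:
                ip_address(host)          # literal address: no lookup needed
            except ValueError:
                hosts.add(host)
    return hosts


def critical_candidates(runs):
    """Services whose status tracks the run outcome exactly, across the runs
    in which they appear (needs at least one failed and one successful run):
    a simple correlation heuristic for the 'vital' dependencies."""
    out = set()
    for s in {s for r in runs for s in r["services"]}:
        present = [r for r in runs if s in r["services"]]
        if not any(r["ok"] for r in present) or all(r["ok"] for r in present):
            continue
        if all((r["services"][s] == "ok") == r["ok"] for r in present):
            out.add(s)
    return out


if __name__ == "__main__":
    print("dependencies:", infer_dependencies(RUNS, BACKGROUND))
    print("names to resolve:", implied_name_lookups(RUNS))
    print("critical:", critical_candidates(RUNS))
```

Note what the heuristics do and do not say: ntp disappears from the dependency set because it is as frequent outside missions as inside, even though it ran during every one, and dns survives only because the URL-based rule backs up its 3-of-5 frequency; a real deployment would want more runs before trusting a perfect-correlation signal from a single failed run.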

Abstracting Types of Dependencies
- Pool: any member of a pool of services can provide the service with the same performance/cost
- Partition: an asset relies on a partition of services (of different types) when it requires an instance of each service to achieve full performance; however, it may operate at a degraded level if it can access only a subset
- Alternate: assets rely on alternate services when multiple elements provide the service, but at varying performance/cost levels
- Composition: an asset requires a composition of services if each is vital for the asset to be available

Classes of Dependencies, cont'd
- Each dependency type (pool, alternate, etc.) has different implications for mission availability
- Research target: develop algorithms for inferring the type of dependency, based on observing failures during in situ mission runs
- Challenge #1: robustly recognizing service failure
  - Failed network connections
  - Application-specific error messages
  - Failure codes
  - Alteration of task structure
- Challenge #2: failures are rare
  - If we don't observe them in situ, we may need to inject faults in a controlled fashion, which requires highly cooperative mission operators
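The four dependency types defined two slides back, and the claim here that each has different implications for availability, can be made precise with a small evaluator: given which leaf services are up, compute the performance of a nested dependency tree, then knock out one leaf at a time to find which play a sole role (their loss alone makes the mission unavailable) versus a critical one (their loss alone degrades it). This is an added example, not the talk's formalism; the tree encoding, the mission in it, and the rule that a partially available partition runs at the mean of its members are assumptions made here.

```python
"""Evaluate mission availability under the four dependency types.

Added example, not from the talk.  A dependency is either a leaf service
name or a (kind, members) pair with kind in {"pool", "partition",
"alternate", "composition"}; members of an "alternate" are
(dependency, relative_performance) pairs.  Performance is a number in
[0, 1]; 0 means the asset is unavailable.  The degraded-partition rule
(mean over members) is an assumption.
"""


def leaves(dep):
    """All leaf services under a dependency."""
    if isinstance(dep, str):
        return {dep}
    kind, members = dep
    out = set()
    for m in members:
        out |= leaves(m[0] if kind == "alternate" else m)
    return out


def performance(dep, up):
    """Performance of dep given the set up of available leaf services."""
    if isinstance(dep, str):
        return 1.0 if dep in up else 0.0
    kind, members = dep
    if kind == "pool":              # any member serves at full performance
        return max(performance(m, up) for m in members)
    if kind == "partition":         # all members for full; degraded otherwise
        perfs = [performance(m, up) for m in members]
        return sum(perfs) / len(perfs)
    if kind == "alternate":         # best available alternative, at its level
        return max((w * performance(m, up) for m, w in members), default=0.0)
    if kind == "composition":       # every member vital; the weakest bounds all
        return min(performance(m, up) for m in members)
    raise ValueError(f"unknown dependency kind {kind!r}")


def single_failure_impact(dep):
    """Mission performance when exactly one leaf fails, for every leaf."""
    all_up = leaves(dep)
    return {leaf: performance(dep, all_up - {leaf}) for leaf in all_up}


def classify_roles(dep):
    """(sole, critical): leaves whose loss alone makes the mission unavailable,
    and leaves whose loss alone degrades it at all (sole is a subset)."""
    impact = single_failure_impact(dep)
    sole = {leaf for leaf, p in impact.items() if p == 0.0}
    critical = {leaf for leaf, p in impact.items() if p < 1.0}
    return sole, critical


# Constructed mission: a coordination web service behind a two-member pool,
# two storage partitions, a videoconference that falls back to audio-only,
# and DNS, all of which the mission needs (composition).
MISSION = ("composition", [
    ("pool", ["web1", "web2"]),
    ("partition", ["storage_a", "storage_b"]),
    ("alternate", [("video", 1.0), ("audio", 0.5)]),
    "dns",
])

if __name__ == "__main__":
    for leaf, p in sorted(single_failure_impact(MISSION).items()):
        print(f"{leaf:10s} alone down -> performance {p}")
    print("sole:", *classify_roles(MISSION))
```

The videoconference-to-audio failover from the earlier slide is the "alternate" node: losing video leaves the mission running at half performance, losing audio changes nothing, and losing both drops it to zero. That asymmetry is why the type of a dependency, and not just its presence, has to be recovered from observed failures.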

Summary
- We require a methodical approach to (1) understanding what assets are available, including issues of churn and rarely-seen backup services, for which we can apply both passive and active techniques, and then (2) extracting dependencies among assets and their ties to mission progression, based on observing multiple mission runs across which we apply inference techniques
- Given these dependencies, we then abstract them based on how they play sole and/or critical roles, capturing both models of missions and a formalism to reason across the structure of the different types of dependencies