Intrusion Tolerant Server Infrastructure - PowerPoint PPT Presentation
1
Intrusion Tolerant Server Infrastructure
  • Dick O'Brien
  • OASIS PI Meeting
  • July 25, 2001

2
Outline
  • Technical Objective
  • Technical Approach
  • Architecture
  • Load Sharing
  • Detection
  • Hardened Servers
  • Response
  • Technology Transition
  • Demo Scenarios

3
Technical Objective
  • Develop an Intrusion Tolerant Server
    Infrastructure that uses independent network
    layer enforcement mechanisms to
  • Reduce intrusions
  • Prevent propagation of intrusions that do occur
  • Provide automated load shifting when intrusions
    are detected
  • Support automated server recovery

4
Technical Approach
  • Intrusion tolerant server components
  • Load distribution and network response capability
    using the ADF Policy Enforcing NICs
  • Server hardening to reduce effectiveness of
    penetrations
  • Intrusion detection systems that primarily reside
    on server hosts
  • An Availability and Integrity Controller (AIC) to
    manage the system and respond to intrusions
    reported to it

5
ITSI Architecture
[Figure: ITSI architecture diagram, showing the AIC managing Web Server 1 and Web Server 2]
6
Policy Enforcing NICs
  • ADF PENs are network interface cards that have
    been enhanced to provide additional controls
    • Packet Filtering
    • IPSEC support
    • Network layer audit
    • Host independent
    • Centrally managed
  • ITSI adds
    • Load sharing
    • Blocking and fishbowling
    • Alerts

7
Load Sharing
[Figure: the AIC pushes new rules to the PEN Agent on each server; the PENs of the IIS and Apache web servers each hold their own load sharing rules]
  • Each server receives all traffic addressed to the
    shared virtual IP
  • Rules on the PEN determine what traffic to
    process and what to throw away based on source IP
  • Traffic load can be shifted by modifying PEN rules

8
PEN Enhancements
  • Blocking
    • Traffic from specified IP addresses can be
      blocked
  • Fishbowling
    • Traffic from a specified IP address can be
      handled by a particular web server
    • All traffic from the specified IP address can be
      audited
  • Alerts
    • On the AIC the Alert Handler can generate alerts
      in response to specific audit events
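The load-sharing rules on slide 7 and the blocking and fishbowling enhancements on slide 8 can be exercised with the following simulation, added by the editor; it is not ITSI or ADF code. The rule syntax (even/odd/any selectors plus /32 per-address overrides), first-match evaluation with default drop, the server names and the source addresses are all assumptions constructed for the example.

```python
"""Simulation of the ADF Policy Enforcing NIC (PEN) rules described on the
load-sharing and PEN-enhancement slides.  Every server's NIC sees all traffic
for the shared virtual IP; per-NIC rules decide from the source IP whether to
process, drop, block or fishbowl a packet, and the AIC reshapes the load by
pushing new rules.  Editor's example, not ITSI code: rule syntax, first-match
order and the /32 override convention are assumptions."""
import ipaddress
from dataclasses import dataclass

ACCEPT, DROP, BLOCK, FISHBOWL = "ACCEPT", "DROP", "BLOCK", "FISHBOWL"
LOAD_SELECTORS = ("even", "odd", "any")   # load-sharing rules; /32 rules are per-IP overrides


@dataclass
class PenRule:
    action: str          # ACCEPT, DROP, BLOCK or FISHBOWL
    match: str           # "even", "odd", "any", or a CIDR such as "10.0.0.3/32"
    audit: bool = False  # PEN network-layer audit for packets hitting this rule


def rule_matches(rule: PenRule, src: str) -> bool:
    ip = ipaddress.ip_address(src)
    if rule.match == "any":
        return True
    if rule.match in ("even", "odd"):
        return (int(ip) % 2 == 0) == (rule.match == "even")
    return ip in ipaddress.ip_network(rule.match, strict=False)


class Pen:
    """One policy-enforcing NIC: first matching rule wins, default drop."""

    def __init__(self, name: str, rules):
        self.name = name
        self.rules = list(rules)
        self.audit = []   # (action, src) records the PEN reports to the AIC

    def decide(self, src: str) -> str:
        for rule in self.rules:
            if rule_matches(rule, src):
                if rule.audit or rule.action == BLOCK:
                    self.audit.append((rule.action, src))
                return rule.action
        return DROP       # not ours to process; the other server's PEN may accept it


class Aic:
    """Availability and Integrity Controller side: owns the rule sets on all PENs."""

    def __init__(self, pens):
        self.pens = {p.name: p for p in pens}

    def dispatch(self, src: str):
        """Servers that process a packet from src (every PEN evaluates it)."""
        return sorted(n for n, p in self.pens.items()
                      if p.decide(src) in (ACCEPT, FISHBOWL))

    def block_source(self, src: str):
        """BLOCK_SOURCE_IP: prepend an audited BLOCK rule on every NIC."""
        for p in self.pens.values():
            p.rules.insert(0, PenRule(BLOCK, f"{src}/32", audit=True))

    def fishbowl(self, src: str, server: str):
        """Pin src to one server and audit everything it sends; other NICs drop it."""
        for name, p in self.pens.items():
            action = FISHBOWL if name == server else DROP
            p.rules.insert(0, PenRule(action, f"{src}/32", audit=True))

    def shift_all(self, src_server: str, dst_server: str):
        """SHIFT_ALL: src_server stops answering, dst_server takes every share.
        Per-IP overrides (blocks, fishbowls) are kept; only load rules change."""
        for name, share in ((src_server, DROP), (dst_server, ACCEPT)):
            p = self.pens[name]
            p.rules = [r for r in p.rules if r.match not in LOAD_SELECTORS]
            p.rules.append(PenRule(share, "any"))

    def shift_excl_ip(self, src_server: str, dst_server: str, keep_ip: str):
        """SHIFT_EXCL_IP: move everything off src_server except keep_ip, audited."""
        self.fishbowl(keep_ip, src_server)
        self.shift_all(src_server, dst_server)


def demo():
    """Even/odd split from the load sharing demo, then the AIC responses.
    Server names and source addresses are constructed for the example."""
    aic = Aic([Pen("server1", [PenRule(ACCEPT, "even")]),
               Pen("server2", [PenRule(ACCEPT, "odd")])])
    before = {ip: aic.dispatch(ip) for ip in ("10.0.0.2", "10.0.0.3")}
    aic.block_source("10.0.0.3")                          # scanner: nobody answers it
    aic.shift_excl_ip("server1", "server2", "10.0.0.4")   # drain server1, keep watching .4
    after = {ip: aic.dispatch(ip) for ip in ("10.0.0.2", "10.0.0.3", "10.0.0.4")}
    return before, after, aic


if __name__ == "__main__":
    b, a, aic = demo()
    print("before:", b)
    print("after: ", a)
    print("server1 audit:", aic.pens["server1"].audit)
```

Because both NICs see every packet, a shift is safe only if the old and new rule sets are disjoint for each source; the simulation keeps that property by replacing the load-sharing rules on both NICs in one step and never touching the per-address overrides.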

9
Hardened Servers
  • SE Linux
    • Type Enforcement for protecting components
      • Web Server
      • Snort ID
      • ITSI Detection/Response agent
      • PEN agent
    • Stackguarded Apache web server
  • Windows 2000
    • Wrapped components using Kernel Loadable Wrappers
      • IIS
      • ISS RealSecure
      • ITSI Detection/Response agent
      • PEN agent

10
Detection
  • PEN based audit from both web servers
    • Sniffing attempts
    • Spoofing attempts
    • Attempts at initiating unauthorized TCP
      connections
  • Intrusion Detection systems
    • Snort on SE Linux
    • ISS RealSecure on Windows 2000
    • Tripwire
  • TE violations audited on SE Linux
  • Wrapper violations audited on Windows 2000
  • AIC receives alerts and determines response
    strategy and actions

11
AIC Functions
  • ADF PEN management
    • Packet filtering policies, IPSEC policies
  • ITSI adds
    • Load sharing/redirection policies
    • Intrusion detection system interface
    • Anomaly logging, reporting and analysis
    • Response strategies
    • Recovery and restoration

12
ITSI Demonstration Software Architecture
[Figure: layered security architecture. On the AIC host (Windows 2000): the ISS Manager and the ITSI-developed Availability and Integrity Controller. On each web server, from the outside in: a NIC based firewall (Embedded Firewall), operating system security (SE Linux on one server, Windows 2000 on the other), and host and network intrusion detection software (Snort and the SE Log Analyzer on SE Linux, ISS on Windows 2000)]
13
Response Capabilities
  • Availability Integrity Controller (AIC) - Windows 2000
    • Receives Events from Web Servers
    • Correlates Events Based on Priority
    • Enables User Customizable Responses Based
      on Event Types
    • Initiates Responses
    • Manages Web Server Load Sharing
    • Manages ID Software
    • Controls Embedded Firewalls
  • IIS Web Server - Windows 2000
    • Detects Intrusions
    • Initiates Local Responses
    • Sends Intrusion Event Data to AIC
    • Performs Local Responses per AIC
    • Localized Recovery

14
Response Components
[Figure: data flow between the response components; labels are grouped as they appear on the slide]
  • Response Agent Initiator: Send Events, Log Event,
    Restart
  • Event Handler: Store Events, Read New Events; Read
    Config Files (Response Configuration, Server Config,
    Service Data)
  • Event Correlator and Response Initiator: List of
    Responses, Local Response File, Reinitiate Load
    Share Thru Policy Server, Shutdown, Check Restore,
    Disable Source, Execute Custom Responses
  • Response Agent Responder: Send Responses, Disable
    Source, Shutdown, Check Restore

15
Response Configuration File
  • Priority: tells the Correlator what responses to
    perform for each server. Values: 1-4, where 1 is
    the highest.
  • Type: type of event detected. Values: Intrusion
    (event representing a known intrusion); Suspicious
    (event representing a known intrusion with false
    positives, or suspicious activity).
  • Severity: event severity. Values: High, Medium or
    Low.
  • Source: source associated with the event
    occurrence. Values: NETWORK_IP_ADDRESS, USER_ID,
    PROCESS_ID.
16
Response Configuration File (cont)
  • Responses: Responses Performed for the Event
    • Custom Responses Executed on the Web Server
      Machine by the Responder
      • CHECK_RESTORE - Expected to Check Local
        Server Integrity and Fix Whatever is Necessary
        if Possible
      • DISABLE_SOURCE - Expected to Disable the Process
        ID or User ID on the Server Machine
      • SHUTDOWN_REQ - Expected to Shutdown the
        Server
    • Responses Executed on the AIC by the Response
      Initiator
      • BLOCK_SOURCE_IP - Call to Policy Server to
        Block Source IP on Specified Server NIC(s)
      • SHIFT_ALL - Call to Policy Server to Shift
        All Traffic From Specified Server
      • SHIFT_EXCL_IP - Call to Policy Server to
        Shift All Traffic From NIC Except Specified IP,
        and Turn Audit On
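The response configuration fields on slides 15 and 16, and the split between responses run by the Responder on the web server and by the Response Initiator on the AIC (slides 13 and 14), can be exercised with the following correlator, added by the editor; it is not ITSI code. The slides name the fields and the response identifiers but not the file syntax, so the JSON layout, the Event class, the server names and the ordering rules are assumptions; the configuration entries and events are constructed for the example.

```python
"""Event correlation against the ITSI response configuration file.  The slides
give the fields (Priority 1-4, Type, Severity, Source kind, Responses) and
where each response runs, but not the file syntax; JSON storage, the Event
model and the ordering rules below are the editor's assumptions, not ITSI
code.  Config entries and events are constructed."""
import json
from dataclasses import dataclass

# Run on the web server by the Response Agent Responder
LOCAL_RESPONSES = {"CHECK_RESTORE", "DISABLE_SOURCE", "SHUTDOWN_REQ"}
# Run on the AIC by the Response Initiator, through the Policy Server
AIC_RESPONSES = {"BLOCK_SOURCE_IP", "SHIFT_ALL", "SHIFT_EXCL_IP"}
SOURCE_KINDS = {"NETWORK_IP_ADDRESS", "USER_ID", "PROCESS_ID"}

# Constructed configuration; server names "web1"/"web2" are assumptions.
CONFIG_JSON = """[
 {"server": "web2", "priority": 1, "type": "Intrusion", "severity": "High",
  "source": "NETWORK_IP_ADDRESS",
  "responses": ["BLOCK_SOURCE_IP", "SHIFT_ALL", "SHUTDOWN_REQ"]},
 {"server": "web2", "priority": 2, "type": "Intrusion", "severity": "Medium",
  "source": "PROCESS_ID", "responses": ["DISABLE_SOURCE", "CHECK_RESTORE"]},
 {"server": "web1", "priority": 3, "type": "Suspicious", "severity": "Low",
  "source": "NETWORK_IP_ADDRESS", "responses": ["SHIFT_EXCL_IP"]}
]"""


@dataclass(frozen=True)
class Event:
    server: str        # web server that reported the event
    type: str          # Intrusion | Suspicious
    severity: str      # High | Medium | Low
    source_kind: str   # NETWORK_IP_ADDRESS | USER_ID | PROCESS_ID
    source: str        # the IP address, user or PID itself


def load_config(text: str):
    """Parse and validate: bad priorities or unknown response names are
    rejected at load time rather than when a response is needed."""
    entries = json.loads(text)
    for e in entries:
        if not 1 <= e["priority"] <= 4:
            raise ValueError(f"priority {e['priority']} outside 1-4")
        if e["type"] not in ("Intrusion", "Suspicious") or e["source"] not in SOURCE_KINDS:
            raise ValueError(f"bad type/source in entry for {e['server']}")
        unknown = set(e["responses"]) - LOCAL_RESPONSES - AIC_RESPONSES
        if unknown:
            raise ValueError(f"unknown responses {sorted(unknown)}")
    return entries


def correlate(config, events):
    """Match events to config entries and order them by priority (1 first).
    Returns (matched, unmatched); unmatched events are only logged."""
    matched, unmatched = [], []
    for ev in events:
        hits = [e for e in config
                if (e["server"], e["type"], e["severity"], e["source"])
                == (ev.server, ev.type, ev.severity, ev.source_kind)]
        if hits:
            best = min(hits, key=lambda e: e["priority"])
            matched.append((best["priority"], ev, list(best["responses"])))
        else:
            unmatched.append(ev)
    matched.sort(key=lambda m: m[0])
    return matched, unmatched


def dispatch(matched):
    """Split each event's responses into AIC-side and local work orders.
    Returned as two lists, AIC-side first, so the AIC can drain a server
    (SHIFT_ALL) before the Responder is told to shut it down."""
    aic_orders, local_orders = [], []
    for _prio, ev, responses in matched:
        for r in responses:
            if r in AIC_RESPONSES:
                aic_orders.append((r, ev.server, ev.source))
            else:
                local_orders.append((ev.server, r, ev.source))
    return aic_orders, local_orders


def demo():
    config = load_config(CONFIG_JSON)
    events = [   # constructed events, in arrival order
        Event("web1", "Suspicious", "Low", "NETWORK_IP_ADDRESS", "10.0.0.7"),   # CGI probe
        Event("web2", "Intrusion", "Medium", "PROCESS_ID", "4242"),            # wrapper violation
        Event("web2", "Intrusion", "High", "NETWORK_IP_ADDRESS", "10.0.0.3"),  # port scan
        Event("web1", "Intrusion", "Low", "USER_ID", "guest"),                # no rule: log only
    ]
    matched, unmatched = correlate(config, events)
    aic_orders, local_orders = dispatch(matched)
    return aic_orders, local_orders, unmatched


if __name__ == "__main__":
    for name, orders in zip(("AIC", "local", "log only"), demo()):
        print(name, orders)
```

The validation in load_config matters operationally: a misspelled response name in the file should fail when the AIC starts, not silently produce a no-op response during an incident.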

17
Technology Transition
  • Hardened Server OPX experiment
  • Commercial transition of results into Embedded
    Firewall product

18
Demo Scenarios
19
Load Sharing Demo
  • Load Sharing Initialization
    • Load is Set via Policy Server
  • Demonstration is based on Even/Odd IP Address
    • Even IPs Are Received by Server 1
    • Odd IPs Are Received by Server 2

[Figure: demo testbed. The AIC (Windows 2000) runs the Policy Manager, ISS Manager, Audit Manager, Alert Handler, Event Correlator, Cluster Manager, Event Handler and Response Initiator. Two web servers, one Windows 2000 with IIS, ISS Host ID and ISS Network ID, the other SE Linux with Apache, SE Log Analyzer Host ID and Snort Network ID, each run a Response Agent Initiator and Responder behind their own Embedded Firewall NIC (NIC 1, NIC 2). Laptop 1 and Laptop 2 browse the web server; even traffic goes to Server 1]
20
Port Scan Attack Demo - Win 2k
[Figure: same testbed diagram as the load sharing demo (AIC, two web servers, two laptops)]
21
CGI Attack Demo - SE Linux
[Figure: same testbed diagram as the load sharing demo (AIC, two web servers, two laptops)]
22
IIS Attack Demo - Win2K
[Figure: same testbed diagram as the load sharing demo (AIC, two web servers, two laptops)]