A Test-Bed Success Story in Cyber Space - The Security Network
iNetwork, Inc
Technology Solutions, Products & Services
"Providing the right information, to the right customer, at the right time."
Virtual Education Laboratory
Testing COTS Technology
• A Test-Bed Success Story in Cyber Space
– Building the Cyber Security Lab
• NU CSIA Master's Program
• SETM Cloud Infrastructure
• Design Requirements, Decisions
• Functional Capabilities
• CSIA Advisory Council
• Collaboration Projects, Test Bed Success Stories
NU CSIA Master's Program
Planning began in 2009
• The Security Network
• eSet
• SAIC
• Cubic
• VMware
• AITP
CAC Founders include
• FBI
• SPAWAR
• CSC
• Unisys
• University of Idaho
– NIATEC
– Orange Book Repository
CAC Goals & Objectives
1. Define what is valuable to your organization
2. Identify/define focus areas for your needs
3. Identify how you/your organization would like to contribute to the initiative
4. Three areas of contribution
– Teaching: Curriculum development, content
– Research: H/W, S/W, resources
– Administration: CSIA Initiative management
MS CSIA Program Awards/Recognition
• Received The Chairman's Award for "Fostering Innovation Through Collaboration" from The Security Network (February 2011)
• Designated "Winner of the Education Category" at the Cyber Security Conference 2011, sponsored by Securing Our eCity and the San Diego Union Tribune (November 2011)
• Selected for a full-page ad by Securing Our eCity and the San Diego Business Journal (November 2011)
SETM Cloud Infrastructure
• Supports multiple Security Enclaves
• Dynamic Resource Allocation
• Diverse collection of computing resources
– IBM Blades
– HP, Dell Servers
– Multiple Storage Appliances
– Brocade Switches
– Palo Alto Firewalls
[Figure: SETM Cloud Infrastructure rack elevation drawing (iNetwork, Inc. drawing form 2011-1019, Cage Code 1RM73, scale ¼" = 1'; designed by Joseph Marsh, reviewed and approved by Barry Brueseke). Racks are labelled Virtual Education Lab, HP Game & Sim, ASIRL and ASIRL SDI Cloud WAN/LAN. Equipment shown: Dell PowerEdge 1950, PowerEdge 2950 and PowerEdge SC 1435 servers; two IBM BladeCenter chassis populated with JS21 blades; HP ProLiant ML350 servers; HP StorageWorks 2408 FCoE switches; a FastIron WS FWS 624 switch; an HP TFT7600 console; 100-240V~, 50-60Hz, 10A power distribution units.]
[Figure: Virtual Education Lab (VEL) network diagram, on the same iNetwork, Inc. drawing form. Upstream links: ISP 1, AT&T 2Mb (168.215.208.224/28); ISP 2, TW Telecom 10Mb (50.58.155.1/24 via 206.169.157.108/30); entering via the Room 127 MPOE patch panel and the demarc/equipment in Room 208. Perimeter: External Firewall PA-2050 #1, DMZ – web hosts (DELL 2950), Internal Firewall PA-2050 #2, Palo Alto NGEN Firewall 1 and 2, Unisys Stealth Appliance, and a link to the ASA-5510 in KM208 serving Cisco NETLAB and KM129. Room 227 / KM227 CEE 1–5: DELL 1950 #1–#3 Services Cluster; iNV3231 #1–#11 (CSIA, CSIA On-Line, CSIA On-Line 02, SETM Project); SAN1 (TL1200i) and SAN2 (DELL MD3000i); Production Switches 1–3; vKernel, vMotion, vFault and iSCSI switches; ASIRL switch (FWS648G #6); IBM Blade Chassis 1 and 2 (ASIRL, Gaming & Simulation, Capstone, SDI Cloud); Cat6E 24-port patch panel. Classrooms: WAP 1 (Classroom 222), WAP 2 (DyKnow, Room 220A), Cisco NETLAB (KM129). Legend: Red = Gateway; Light Blue = Gigabit Ether WAN/LAN; Dark Green = Classrooms; OD Green = Admin Servers; Dark Blue = ESXi Host Servers; Tan = SAN Node; Purple = Capstone/ASIRL Projects; Light Green = Cisco Netlab.]
Design Objectives
• The Virtual Education Laboratory is a product that provides academic institutions with the ability to deliver a computer science laboratory learning experience to their remote students (distance learners).
• Recent educational trends have seen a rapid adoption of distance learning methodologies. To date, the technologies developed to meet this need have focused on the implementation of virtual classrooms.
Design Objectives
• iNetwork's Virtual Education Laboratory (VEL) now takes the virtual classroom to the next step and provides the infrastructure/support services necessary to host a virtual computer science laboratory.
• Inside the VEL, professors can create their own networked environment and assign their on-site students a variety of complex laboratory learning objectives.
VEL Features
The standard VEL configuration has the following capabilities:
• Two-factor authentication
• Simultaneous support for 3 student cohorts
• Support for 4 virtual machines per student
• Capacity to host up to 240 virtual machines
• Capacity for up to 4 virtual domains per class
• Ideal for red/blue cell teaming
• Support for white cell observation
• Virtual networks including LANs, WANs, switches, routers and firewalls
• Integration of physical Wireless Access Points (WAPs) in the virtual environment
• Supports multiple virtual machine templates (libraries)
Design Requirements, Decisions
• Provide Master's students with a computer science laboratory environment
• Initially, use an existing (COTS) collection of diverse equipment (Dell servers, Cisco firewalls and other misc. appliances)
• Implement DOD-level security into the design (Cyber Security Master's program)
• Ensure students cannot hack the system
Design Requirements, Decisions
• Phase 2
– Support for multiple cohorts
– Fault-Tolerant (FT) Administration Cluster
– Highly Available (HA) Lab Clusters
– Redundant Network Design
– Support for Multiple ISPs
– ATO-level IA Documentation Package
• Perform STIGs on all equipment in the VEL
Design Requirements, Decisions
• Phase 2 (cont'd)
– Multiple Virtual Machine Templates
– New Lab configurations every month
– Reusable laboratory setups
– Professor Training
– Student Enrollment
– Storage Allocation, Retention Plans
– Performance Evaluation
Network Monitoring Lab
Design Requirements, Decisions
• Phase 3
– Performance Enhancements
• Increased Bandwidth
• Network Redesign (VLAN modifications)
• VDI – Virtual Desktop Infrastructure
– Support, process refinement
– Professor's expectations vs. plan
– CYB 699 – Final Project
• Simulate three enterprises connected via WAN
(3) Enterprises – WW WAN
Virtual Machine Assignment
Virtual Education Laboratory Administration
Functional Capabilities
• Support for multiple, simultaneous labs
• Support for 80 students using up to 240 virtual machines
• Large variety of VM templates
• Endless variety of lab configurations
• Two-factor authentication
• Nested design to ensure isolation between classes
Practical Use Cases
• Penetration Testing
• Certified Ethical Hacking
• Red/Blue Team Scenarios
• Network Monitoring (What's Up Gold)
• Android SDK Instruction
• Information Assurance Exercises
• Cloud Computing Training
VEL Test Bed – COTS (or almost)
Completed Collaboration Projects
• ItsMe! (winner, TSN Best Product, 2011)
• Unisys – Stealth
• Rapid7 – Metasploit
New User/Password Paradigm
VEL Test Bed – COTS (or almost)
Future Projects
• Blackridge (auth before TCP/IP session)
• ThreatStop
• Titania
• Atlas
• CyVision – Cauldron
Future Plans
• CLaaS – Cyber Lab as a Service
– Applied Engineering
• Autocad, ProModel, Solidworks, MatLab
• ELVIS Breadboard, National Instruments
• Research Projects
– Multi-factor Authentication
– Smartphone Usage in Health Care Setting
– Secure transmission of sensitive data
– Suggestions?
CSI-SD
– Cyber cluster identified and documented by SDADT for SOeC and will be maintained
– CSI-SD will "lead" research for the region, generating new businesses and supporting the existing members
5/24/2012
CSI-SD
– We will work with all clusters, seeking a lead for each to serve as SDADT does for defense
– We will transition research to our clusters for integration into their businesses
– We will seek funding for research from public agencies as well as private enterprises and will protect intellectual property for the economic benefit of the inventors as well as the region
Testing COTS Technology
• Virtual Education Laboratory (VEL)
– A Test-Bed Success Story in Cyber Space
– Questions?
Thank you for listening
• Barry Brueseke – iNetwork, Inc.
• bbrueseke@inetwork-west.com
Network Vulnerability Analysis
• New (unpracticed) Presentation
Topological Vulnerability Analysis
Proactive Management to Improve your cyber security profile
Cyber Challenges
• Threats are expanding – too much surface area to cover
• Silo solutions address specific problems . . .
• Overwhelmed by data
• Empowering the workforce
• Still need:
– Situational Awareness
– Common Operating Picture
– Visualization of Vulnerabilities
Time Cycles
Elements of Cyber Security
• Scans – once every two weeks
• ACL changes – once each week
• Evented log files – on demand
– every hour
– every minute
Rhythms
• Different tools to gather
• Different purposes
• Different skill sets required
• Different remediation plans
DHS' CAESARS Framework
Most vendors focus on the expanding toolset for monitoring. Gathering the data is just the beginning. Expanded data sets are overwhelming cyber specialists.
"See – Know – Do" framework
Ref: Department of Homeland Security, Federal Network Security Branch, Continuous Asset Evaluation, Situational Awareness, and Risk Scoring Reference Architecture Report, September 2010
DHS' CAESARS Framework
Evidence of the evolution of security monitoring. Cauldron is the result of 8 years of R&D. Cauldron is functional now, by aggregating data independently – or will integrate into this framework.
Our Approach
[Pipeline diagram labels: Vulnerability Scanning, FoundScan, NVD, Vulnerability Database, Exploit Conditions, Network Capture, Asset Inventory, Firewall Rules, Environment Model, Attack Scenario, Graph Engine, Visual Analysis, Optimal Counter Measures]
• Network Capture
– builds a model of the network.
– represents data in terms of corresponding elements in Vulnerability Reporting and Exploit Specifications.
• Vulnerability Database
– a comprehensive repository of reported vulnerabilities
• Graph Engine
– simulates multi-step attacks through the network, for a given user-defined Attack Scenario.
– analyzes vulnerability dependencies, matching exploit preconditions and post-conditions.
– generates all possible paths through the network (for a given attack scenario).
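The Graph Engine bullets describe three operations: matching an exploit's precondition against the post-condition of the previous step, walking every multi-step path to a target, and (later in the deck) comparing remediation choices by host, by CVSS and by connection. The code below is an added example written for this page, not Cauldron's code or CyVision's algorithm. The hosts, the post-firewall reachability set, the vulnerability list with its CVSS values, the privilege ordering and the tie-break rules used for ranking are all constructed assumptions. It generalises the slide's description into a small engine that enumerates every exploit chain from an attacker foothold to a target host and then counts how many chains survive each remediation strategy, which is what the "Remediate by Host / by CVSS / by Connection" panels compare visually.

```python
"""Toy attack-graph engine: exploit chaining over a firewall-filtered network
plus remediation comparison. Added example for this page, not Cauldron's code.
Hosts, reachability, vulnerabilities and CVSS scores are constructed."""
from collections import defaultdict

PRIV = {"user": 1, "root": 2}   # privilege ordering used to test preconditions

# Constructed: (src host, dst host, dst port) flows the firewalls permit.
REACH = {
    ("attacker", "web", 80), ("attacker", "web", 443), ("attacker", "vpn", 443),
    ("web", "app", 8080), ("vpn", "app", 8080),
    ("web", "db", 3306), ("app", "db", 3306),
}

# Constructed vulnerabilities. Precondition: attacker holds at least `pre` on a
# host that can reach host:port. Post-condition: attacker gains `post` on host.
VULNS = [
    {"id": "V1", "host": "web", "port": 80,   "pre": "user", "post": "user", "cvss": 6.0},
    {"id": "V2", "host": "web", "port": 443,  "pre": "user", "post": "root", "cvss": 9.8},
    {"id": "V3", "host": "app", "port": 8080, "pre": "user", "post": "user", "cvss": 6.5},
    {"id": "V4", "host": "db",  "port": 3306, "pre": "root", "post": "root", "cvss": 8.1},
    {"id": "V5", "host": "db",  "port": 3306, "pre": "user", "post": "user", "cvss": 5.0},
    {"id": "V6", "host": "vpn", "port": 443,  "pre": "user", "post": "user", "cvss": 7.2},
]


def attack_paths(vulns, reach=REACH, start=("attacker", "root"), target="db"):
    """Every simple exploit chain from the start state to the target host.

    A state is (host, privilege). An exploit applies when the reachability
    model allows host -> vuln host:port and the privilege precondition holds;
    its post-condition becomes the next state. Hosts are never revisited.
    """
    paths = []

    def step(state, visited, chain):
        host, priv = state
        if host == target:
            paths.append(tuple(chain))
            return
        for v in vulns:
            if v["host"] in visited:
                continue
            if (host, v["host"], v["port"]) in reach and PRIV[priv] >= PRIV[v["pre"]]:
                step((v["host"], v["post"]), visited | {v["host"]}, chain + [v["id"]])

    step(start, {start[0]}, [])
    return sorted(paths)


def _top(scores, group, n):
    """The n highest-scoring keys; ties go to the higher max CVSS, then name."""
    key = lambda k: (-scores[k], -max(v["cvss"] for v in group[k]), str(k))
    return set(sorted(scores, key=key)[:n])


def remediate(vulns, strategy, n=1, reach=REACH, threshold=7.0):
    """Vulnerabilities still open after one of the deck's remediation strategies."""
    if strategy == "none":
        return list(vulns)
    if strategy == "cvss":                     # "CVSS > 7": fix by severity alone
        return [v for v in vulns if v["cvss"] <= threshold]
    by_host, by_service = defaultdict(list), defaultdict(list)
    for v in vulns:
        by_host[v["host"]].append(v)
        by_service[(v["host"], v["port"])].append(v)
    if strategy == "host":                     # "Top n by Hosts": most vulnerable hosts
        fixed = _top({h: len(vs) for h, vs in by_host.items()}, by_host, n)
        return [v for v in vulns if v["host"] not in fixed]
    if strategy == "connections":              # "Top n by Connections": most-reached services
        inbound = {s: sum(1 for _, d, p in reach if (d, p) == s) for s in by_service}
        fixed = _top(inbound, by_service, n)
        return [v for v in vulns if (v["host"], v["port"]) not in fixed]
    raise ValueError(f"unknown strategy {strategy!r}")


def compare_strategies(vulns=VULNS, n=1):
    """Remaining attack paths to the target under each strategy."""
    return {s: len(attack_paths(remediate(vulns, s, n)))
            for s in ("none", "cvss", "host", "connections")}


if __name__ == "__main__":
    for chain in attack_paths(VULNS):
        print(" -> ".join(chain))
    print(compare_strategies())
```

On this constructed data the unremediated graph has six chains to the database. Fixing only what scores above CVSS 7 still leaves two chains made entirely of medium-severity findings, which is the "combined vulnerabilities are real" point of the deck; ranking by connections happens to select the target's own service and closes everything, while ranking by host leaves one chain through the VPN. The numbers are specific to the sample, but the comparison is the kind of question the attack-graph view answers that a scan listing alone cannot.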
Cyber Security is an Ecosystem
• Common Operating Picture
• Situational Awareness
• Patching servers vs changing firewalls
• Combined vulnerabilities are real
[Diagram labels: Firewalls; Logs, etc; Vulnerability Scans; Patch Mgmt/Asset Mgmt]
Aggregate/Correlate/Visualize
• We analyze vulnerability dependencies
– Calculates the impact of individual and combined vulnerabilities on overall security
• We show all possible attack paths into a network
– Transforms raw security data into a roadmap
– All known attack paths from attacker to target are succinctly depicted
– Supports both offensive (e.g., penetration testing) and defensive (e.g., network hardening) applications
• Strategic
– Proactively prepare for attacks, manage vulnerability risks, and have current situational awareness
• A response strategy can be more easily created.
Cauldron Components
[Component diagram labels: Firewall Data; Host Vulnerability Data; Network Topology; Access Rule Interpreter (Access Rules); Vulnerability Modeler; Policy Modeler; Network Model; Analyzer/Visualizer]
Visualizing Just Firewall Policies
Visualizing "back doors"
Combining Dissimilar Data in a Proof of Concept
• Scans tell you one thing
• Subnet configurations support the scan information
Visualized Combined Data Sets
What the Access Control List really says
• Greater access than expected
• Outside the network
Visualizing/discovering high risks
Outside the "known" network
The Role of Filtering
Attack Graph Before Remediation
Focused on Risk Scores
Remediated Attack Graph: CVSS > 7
Focused on Host Vulnerabilities
Remediated Attack Graph: Top 3 by Hosts
Focused on Connections
Remediated Attack Graph: Top 3 by Connections
[Figure: four attack-graph panels side by side]
• No remediation
• Remediate by Host (Top 3)
• Remediate by CVSS (Top 15)
• Remediate by Connection (Top 3)
Visualizing Combined Vulnerabilities thru Multiple Firewalls
Unique to Cauldron: Key Differentiator
Foundational Concepts
• Any "network device" is filtering data flow
• Devices can connect to other devices or to subnets
• Each network device has unique access rules/policies
[Diagram labels: Network Device 1, Network Device j, Subnet 1, Network Device, Subnet k, Access List (Rules)]
The Challenge
• Firewalls can be configured a variety of ways
• Example – Subnet 1 can reach Subnet 7 or 10 using a variety of paths – but not directly
[Diagram: subnets SN1–SN10 interconnected through network devices ND1–ND5]
Example: Supply chain management
Partners to 1.2.61.0/25:0
Simple changes – modeled – can have significant impact
Both firewalls: Partners to 1.2.61.0/25:80 only
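The "back doors" slide, the Foundational Concepts and Challenge slides, and this supply-chain example all rest on one computation: what a source subnet can effectively reach when each filtering device only evaluates its own hop. The following is an added example written for this page, not Cauldron's code. The subnets, device names and rule sets are constructed, and the ":0" in "Partners to 1.2.61.0/25:0" is read here as "any port", which is an assumption about the slide's notation. The code applies the pessimistic attack-graph rule that a foothold in any reachable subnet can originate new flows, reports destinations reachable indirectly with more ports than the direct policy grants (the back doors), and contrasts a weak configuration with the corrected one in which both firewalls allow Partners to 1.2.61.0/25 on port 80 only.

```python
"""Multi-hop firewall policy reachability ("back door" discovery).
Added example for this page, not Cauldron's code. Subnets, device names and
rules are constructed; ':0' on the slide is read as 'any port' (assumption)."""

ANY = "any"                          # wildcard meaning every port
INTERNAL = "Internal 1.2.61.0/25"    # the subnet named on the slide


def merge(a, b):
    """Union of two port sets; ANY absorbs everything, None means 'no rule yet'."""
    if a is None:
        return b
    if ANY in (a, b):
        return ANY
    return frozenset(a) | frozenset(b)


def exceeds(multi, direct):
    """Ports reachable through pivots that the direct policy does not grant."""
    if direct is None:       # no direct rule at all: every indirect port is new exposure
        return multi
    if direct == ANY:
        return None
    if multi == ANY:
        return ANY
    extra = frozenset(multi) - frozenset(direct)
    return extra or None


def direct_policy(devices, source):
    """Destination -> ports permitted by rules whose source is `source`."""
    direct = {}
    for dev in devices:
        for src, dst, ports in dev["rules"]:
            if src == source:
                direct[dst] = merge(direct.get(dst), ports)
    return direct


def reachable(devices, source):
    """Transitive reachability under the attack-graph assumption that a
    foothold in any reachable subnet can originate new flows of its own."""
    ports, frontier, seen = {}, [source], {source}
    while frontier:
        cur = frontier.pop()
        for dev in devices:
            for src, dst, p in dev["rules"]:
                if src != cur:
                    continue
                ports[dst] = merge(ports.get(dst), p)
                if dst not in seen:
                    seen.add(dst)
                    frontier.append(dst)
    return ports


def back_doors(devices, source):
    """Destinations reachable indirectly with more ports than the direct rules allow."""
    direct = direct_policy(devices, source)
    found = {}
    for dst, ports in reachable(devices, source).items():
        extra = exceeds(ports, direct.get(dst))
        if extra is not None:
            found[dst] = extra
    return found


# Constructed scenario: FW1 is the edge firewall, FW2 sits between the DMZ and
# the internal subnet. In WEAK, FW1 already limits partners to port 80, but FW2
# lets anything from the DMZ into the internal subnet, so the DMZ is a pivot.
WEAK = [
    {"name": "FW1", "rules": [("Partners", "DMZ", frozenset({80, 443})),
                              ("Partners", INTERNAL, frozenset({80}))]},
    {"name": "FW2", "rules": [("DMZ", INTERNAL, ANY),
                              (INTERNAL, "Corp", frozenset({445}))]},
]

# The slide's change: both firewalls allow Partners -> 1.2.61.0/25 on port 80 only.
FIXED = [
    {"name": "FW1", "rules": WEAK[0]["rules"]},
    {"name": "FW2", "rules": [("DMZ", INTERNAL, frozenset({80})),
                              (INTERNAL, "Corp", frozenset({445}))]},
]

if __name__ == "__main__":
    for label, devices in (("weak", WEAK), ("fixed", FIXED)):
        print(label, "effective reach:", reachable(devices, "Partners"))
        print(label, "back doors:", back_doors(devices, "Partners"))
```

Run stand-alone, the weak configuration shows the internal subnet exposed on every port through the DMZ pivot even though the edge firewall's own rule says port 80; the corrected configuration removes that back door. In both configurations the Corp subnet remains reachable on port 445 through an internal pivot, which is exactly the kind of residual multi-firewall path the deck says a per-device policy review does not reveal.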
DHS' CAESARS Framework
From Executive Summary
"These tools can provide current security status to network operations centers and security operations centers, but they typically do not support prioritized remediation actions and do not provide direct incentive for improvements in risk posture."
Cauldron Benefits
• Individual firewalls can be reviewed faster
• Prioritized remediation plans
• Situational Awareness by programs, etc.
• High-priority assets are contextual
• Security elements become more granular
• More can be done with less