A Test-Bed Success Story in Cyber Space - The Security Network

i Network, Inc 

Technology Solutions, Products & Services 

“Providing the right information, 

to the right customer, 

at the right time.”

Virtual Education 

Laboratory 

Testing COTS Technology 

• A Test-Bed Success Story in Cyber Space 

– Building the Cyber Security Lab 

• NU CSIA Master’s Program 

• SETM Cloud Infrastructure 

• Design Requirements, Decisions 

• Functional Capabilities 

• CSIA Advisory Council 

• Collaboration Projects, Test Bed Success Stories 


i Network, Inc

NU CSIA Master’s 

Program 

Planning began in 2009 

• The Security Network 

• eSet 

• SAIC 

• Cubic 

• Vmware 

• AITP 

CAC Founders include 

• FBI 

• SPAWAR 

• CSC 

• Unisys 

• University of Idaho 

– NIATEC 

– Orange Book Repository 



CAC Goals & 

Objectives 

1. Define what is valuable to your organization 

2. Identify/define focus areas for your needs 

3. Identify how you/your organization would like to contribute to 

the initiative 

4. Three areas of contribution 

– Teaching: Curriculum development, content 

– Research: H/W, S/W, resources 

– Administration: CSIA Initiative management

MS CSIA Program 

Awards/Recognition 

• Received The Chairman’s Award for “Fostering 

Innovation Through Collaboration”, from The Security 

Network (February 2011) 

• Designated “Winner of the Education Category” at the 

Cyber Security Conference 2011 that was sponsored 

by Securing Our eCity and the San Diego Union 

Tribune (November 2011) 

• Selected for a full page ad by Securing Our eCity and 

the San Diego Business Journal (November 2011)

S CSI

SETM Cloud Infrastructure 

• Supports multiple Security Enclaves 

• Dynamic Resource Allocation 

• Diverse collection of computing Resources 

– IBM Blades 

– HP, Dell Servers 

– Multiple Storage Appliances 

– Brocade Switches 

– Palo Alto Firewalls 

7

H 

G 

F 

E 

D 

C 

B 

10 

42 

41 

40 

39 

38 

37 

36 

35 

34 

33 

32 

31 

30 

29 

28 

27 

26 

25 

24 

23 

22 

21 

20 

19 

18 

17 

16 

15 

14 

13 

12 

11 

10 

9 

8 

7 

6 

5 

4 

3 

2 

1 

100-240V~, 50-60Hz, 10A 

100-240V~, 50-60Hz, 10A 

100-240V~, 50-60Hz, 10A 

100-240V~, 50-60Hz, 10A 

100-240V~, 50-60Hz, 10A 

PowerEdge 1950 



0 

1 

0 

1 

0 

1 

SETM Cloud Infrastructure 

2 

3 

2 

3 

2 

3 

9 

PowerEdge 

2950 

Virtual 

Education Lab 

42 

41 

40 

39 

38 

37 

36 

35 

34 

33 

32 

31 

30 

29 

28 

27 

26 

25 

24 

23 

22 

21 

20 

19 

18 

17 

16 

15 

14 

13 

12 

11 

10 

9 

8 

7 

6 

5 

4 

3 

2 

1 

Drawing Number: Release Date: 

Part Name: Revision: 

Description: Revision Date: 

A 

iNetwork, Inc. 


Designed By: 

Reviewed By: 

Approved By: 

Joseph Marsh 

Barry Brueseke 

Cage Code: 1RM73 Drawing Scale: ¼”=1’ Page: Of 

10 

Form 2011-1019 

9 

8 

7 

42 

41 

40 

39 

38 

37 

36 

35 

34 

33 

32 

31 

30 

29 

28 

27 

26 

25 

24 

23 

22 

21 

20 

19 

18 

17 

16 

15 

14 

13 

12 

11 

10 

9 

8 

7 

6 

5 

4 

3 

2 

1 

8 

BladeCenter 

CD 

CD 

CD 

CD 

CD 

CD 

CD 

CD 

CD 

CD 

JS21 

JS21 

JS21 

JS21 

JS21 

JS21 

JS21 

JS21 

JS21 

JS21 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 

100-240V~, 50-60Hz, 10A 

HP ProLiant ML350 

HP TFT7600 

AC 

OK 

HP ProLiant ML350 

7 

HP Game & Sim 

ASIRL 

42 

41 

40 

39 

38 

37 

36 

35 

34 

33 

32 

31 

30 

29 

28 

27 

26 

25 

24 

23 

22 

21 

20 

19 

18 

17 

16 

15 

14 

13 

12 

11 

10 

9 

8 

7 

6 

5 

4 

3 

2 

1 

42 

41 

40 

39 

38 

37 

36 

35 

34 

33 

32 

31 

30 

29 

28 

27 

26 

25 

24 

23 

22 

21 

20 

19 

18 

17 

16 

15 

14 

13 

12 

11 

10 

9 

8 

7 

6 

5 

4 

3 

2 

1 

BladeCenter 

6 

CD 

CD 

CD 

CD 

CD 

CD 

CD 

CD 

CD 

CD 

JS21 

JS21 

JS21 

JS21 

JS21 

JS21 

JS21 

JS21 

JS21 

JS21 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 

HP StorageWorks 2408 FCoE Switch 

6 

0 

1 

2 

3 

8 

9 

10 

11 

16 

17 

18 

19 

0 

1 

2 

3 

4 

5 

6 

7 

12 

13 

14 

15 

20 

21 

22 

23 4 

5 

6 

7 

HP TFT7600 

! ! ! 

! ! ! 

5 

PowerEdge 

2950 

PowerEdge 

2950 

5 

42 

41 

40 

39 

38 

37 

36 

35 

34 

33 

32 

31 

30 

29 

28 

27 

26 

25 

24 

23 

22 

21 

20 

19 

18 

17 

16 

15 

14 

13 

12 

11 

10 

9 

8 

7 

6 

5 

4 

3 

2 

1 

42 

4 

1 3 

POWER 

SFP 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 

2 4 STACK RPS 

FWS 624 

Console 

41 

41 

FastIron WS 

40 

39 

38 

37 

36 

35 

34 

33 

32 

31 

30 

29 

28 

27 

26 

25 

24 

23 

22 

21 

20 

19 

18 

17 

16 

15 

14 

13 

12 

11 

10 

9 

8 

7 

6 

5 

4 

3 

2 

1 

SFP 1 

SFP 2 SFP 3 SFP 3 

PowerEdge SC 1435 

1 2 3 4 


1 2 3 4 


1 2 3 4 

HP StorageWorks 2408 FCoE Switch 

4 

0 

1 

2 

3 

8 

9 

10 

11 

16 

17 

18 

19 

0 

1 

2 

3 

4 

5 

6 

7 

12 

13 

14 

15 

20 

21 

22 

23 4 

5 

6 

7 

ASIRL SDI Cloud WAN / LAN 

AC 

OK 

3 

3 

42 

40 

39 

38 

37 

36 

35 

34 

33 

32 

31 

30 

29 

28 

27 

26 

25 

24 

23 

22 

21 

20 

19 

18 

17 

16 

15 

14 

13 

12 

11 

10 

9 

8 

7 

6 

5 

4 

3 

2 

1 

42 

41 

40 

39 

38 

37 

36 

35 

34 

33 

32 

31 

30 

29 

28 

27 

26 

25 

24 

23 

22 

21 

20 

19 

18 

17 

16 

15 

14 

13 

12 

11 

10 

9 

8 

7 

6 

5 

4 

3 

2 

1 

2 

2 

1 

1 

42 

41 

40 

39 

38 

37 

36 

35 

34 

33 

32 

31 

30 

29 

28 

27 

26 

25 

24 

23 

22 

21 

20 

19 

18 

17 

16 

15 

14 

13 

12 

11 

10 

9 

8 

7 

6 

5 

4 

3 

2 

1 

H 

G 

F 

E 

D 

C 

B 

A 

8

H 

G 

F 

E 

D 

C 

B 

10 

Production 

Switch 1 

9 

vKernel 

Switch 

Drawing Number: Release Date: 

Part Name: Revision: 

Description: Revision Date: 

A 

iNetwork, Inc. 


Designed By: 

Reviewed By: 

Approved By: 

Joseph Marsh 

Barry Brueseke 

Cage Code: 1RM73 Drawing Scale: ¼”=1’ Page: Of 

10 

Form 2011-1019 

9 

8 

7 

Virtual Education Lab (VEL) 

8 

AT&T 2Mb 

168.215.208.224/28 

Room 227 VEL CEE 1 

7 

ISP 1 

DELL 1950 #1 

Services Cluster 

DELL 1950 #2 

DELL 1950 #3 

iNV3231 #3 

iNV3231 #4 

iNV3231 #5 

CSIA 

iNV3231 #6 

iNV3231 #7 

iNV3231 #8 

CSIA On-Line 

SAN1 

TL1200i 

AT&T 2Mb 

168.215.208.224/28 

To ASA-5510 in KM208 

Cisco NETLAB & KM129 

vMotion 

Switch 

vFault 

Switch 

iNV3231 #9 

iNV3231 #10 

iNV3231 #11 

CSIA On-Line 02 

iNV3231 #1 

iNV3231 #2 

SETM Project 

SAN2 

DELL MD3000i 

6 

6 

Room 127 MPOE 

Patch Panel 

Room 227 CEE 5 

5 

External Firewall 

PA-2050 #1 

DMZ – WEB HOSTS 

DELL 2950 

Internal Firewall 

PA-2050 #2 

iSCSI 

Switch 

KM227 CEE 2 

5 

ISP 2 

ASIRL 

Switch 

FWS648G #6 

ASIRL 

IBM BLADE 

Chassis 1 

Gaming & 

Simulation 

Capstone 

4 

4 

3 

TW Telecom 10Mb 

50.58.155.1/24 via 

206.169.157.108/30 

LEGEND 

Red: Gateway 

Light Blue: Gigabit Ether WAN/LAN 

Dark Green: Classrooms 

OD Green: Admin Servers 

Dark Blue: ESXi Host Servers 

Tan: SAN Node 

Purple: Capstone/ASIRL Projects 

Light Green: Cisco Netlab 

ASIRL 

IBM BLADE 

Chassis 2 

KM227 CEE 3 

SDI CLOUD 

SETM Project 

KM227 CEE 4 

3 

2 

Cat6E 

24 Port P / P 

Unisys Stealth 

Appliance 

Palo Alto 

NGEN Firewall 1 

Palo Alto 

NGEN Firewall 2 

KM227 CEE 5 

2 

1 

Cisco NETLAB 

Production 

Switch 3 

KM129 

Production 

Switch 2 

WAP 1 

Classroom 222 

Cisco NETLAB 

Demark/EQ 

Room 208 

WAP 2 

DyKnow 

Room 220A 

1 

H 

G 

F 

E 

D 

C 

B 

A 



Design Objectives 

• the Virtual Education Laboratory is a product 

that provides academic institutions with the 

ability to deliver a computer science 

laboratory learning experience to their 

remote students (distance learners) 

• Recent educational trends have seen a rapid 

adoption of distance learning methodologies. 

To date, the technologies developed to meet 

this need have focused on the 

implementation of virtual classrooms. 



Design Objectives 

• iNetwork’s Virtual Education Laboratory 

(VEL) now takes the virtual classroom to the 

next step and provides the 

infrastructure/support services necessary to 

host a virtual computer science laboratory 

• Inside the VEL, Professors can create their 

own networked environment and assign their 

on-site students a variety of complex 

laboratory learning objectives 



VEL Features 

the standard VEL config has the following capabilities: 

• Two Factor Authentication 

• Simultaneous support for 3 student cohorts 

• Support for 4 virtual machines per student 

• Capacity to host up to 240 virtual machines 

• Capacity for up to 4 virtual domains/class 

• Ideal for red/blue cell teaming 

• Support for white cell observation 

• Virtual networks including LANs, WANs, switches, routers 

and firewalls 

• Integration of physical Wireless Access Points (WAPs) in the 

virtual environment 

• Supports multiple virtual machine templates (libraries) 



Design Requirements, Decisions 

• Provide Master’s Students with a 

computer science laboratory environment 

• Initially, use an existing (COTS) collection 

of diverse equipment (Dell Servers, Cisco 

Firewalls and other misc. appliances) 

• Implement DOD level security into the 

design (Cyber Security Master’s program) 

• Ensure students can not hack system 




• Phase 2 

– Support for multiple cohorts 

– Fault Tolerant (FA) Administration Cluster 

– Highly Available (HA) Lab Clusters 

– Redundant Network Design 

– Support for Multiple ISPs 

– ATO level IA Documentation Package 

• Perform STIGs on all equipment in VEL 




• Phase 2 (cont’d) 

– Multiple Virtual Machine Templates 

– New Lab configurations every month 

– Reusable laboratory setups 

– Professor Training 

– Student Enrollment 

– Storage Allocation, Retention Plans 

– Performance Evaluation 



Network Monitoring Lab 




• Phase 3 

– Performance Enhancements 

• Increased Bandwidth 

• Network Redesign (VLAN modifications) 

• VDI - Virtual Desktop Infrastructure 

– Support, process refinement 

– Professor’s expectations vs. plan 

– CYB 699 – Final Project 

• Simulate three enterprises connected via WAN 



(3) Enterprises – WW WAN 



Virtual Machine Assignment 



Virtual Education Laboratory Administration 



Functional Capabilities 

• Support for multiple, simultaneous labs 

• Support for 80 students using up to 240 

virtual machines 

• Large variety of VM templates 

• Endless variety of lab configurations 

• Two factor authentication 

• Nested design to ensure isolation 

between classes 



Practical Use Cases 

• Penetration Testing 

• Certified Ethical Hacking 

• Red/Blue Team Scenarios 

• Network Monitoring (What’s Up Gold) 

• Android SDK Instruction 

• Information Assurance Exercises 

• Cloud Computing Training 



VEL Test Bed – COTS (or almost) 

Completed Collaboration Projects 

• ItsMe! (winner, TSN Best Product, 2011) 

• Unisys – Stealth 

• Rapid7 – Metsploit 



New User/Password Paradigm 





VEL Test Bed – COTS (or almost) 

Future Projects 

• Blackridge (auth before TCP/IP session) 

• ThreatStop 

• Titania 

• Atlas 

• CyVision - Caldron 



Future Plans 

• CLaaS – Cyber Lab as a Service 

– Applied Engineering 

• Autocad, ProModel, Solidworks, MatLab 

• ELVIS Breadboard, National Instruments 

• Research Projects 

– Multi-factor Authentication 

– Smartphone Usage in Health Care Setting 

– Secure transmission of sensitive data 

– Suggestions ? 



CSI-SD 

– Cyber cluster 

identified and 

documented by 

SDADT for SOeC 

and will be 

maintained 

– CSI-SD will “lead” 

research for the 

region, 

generating new 

businesses and 

supporting the 

existing members 

5/24/2012 

6

CSI-SD 

– We will work with all 

clusters, seeking a lead for 

each to serve as SDADT 

does for defense 

– We will transition 

research to our clusters 

for integration into their 

businesses 

– We will seek funding for 

research from public 

agencies as well as private 

enterprises and will 

protect intellectual 

property for economic 

benefit of the inventors as 

well as the region

Testing COTS Technology 

• Virtual Education Laboratory (VEL) 

– A Test-Bed Success Story in Cyber Space 

– Questions ? 

Thank you for listening 

• Barry Brueseke – iNetwork, Inc. 

• bbrueseke@inetwork-west.com 



Network Vulnerability Analysis 

• New (unpracticed) Presentation 



Topological Vulnerability 

Analysis 

Proactive Management 

to 

Improve your cyber security profile

Cyber Challenges 

• Threats are expanding – too much surface 

area to cover 

• Silo solutions address specific problems . . . 

• Overwhelmed by data 

• Empowering the workforce 

• Still need: 

– Situational Awareness 

– Common Operating Picture 

– Visualization of Vulnerabilities

Time Cycles 

Elements of Cyber Security 

Scans – once every two weeks 

ACL changes – once each week 

Evented log files – on demand 

– every hour 

– every minute 

Rhythms 

Different tools to gather 

Different purposes 

Different skill sets required 

Different remediation plans

DHS’ CAESARS Framework 

Most vendors focus 

on the expanding 

toolset for 

monitoring. 

Gathering the data 

is just the 

beginning. 

Expanded data sets 

are overwhelming 

cyber specialists. 

“See – Know – Do” framework 

Ref: Department of Homeland Security Federal Network Security Branch 

Continuous Asset Evaluation, Situational Awareness, and Risk Scoring Reference Architecture Report 

September 2010


Evidence of the 

evolution of 

security 


Cauldron is the 

result of 8 years 

of R&D. 

Cauldron is 

functional now, 

by aggregating 

data independently 

– or will integrate 

into this framework.


Evidence of the 

evolution of 

security 


Cauldron is the 

result of 8 years 

of R&D. 

Cauldron is 

functional now, 

by aggregating 

data independently 

– or will integrate 

into this framework.

Vulnerability Database 

Exploit 

Conditions 

Network Capture 

NVD 

FoundScan 

Vulnerability Scanning 

Our Approach 

Environment 

Model 

Asset Inventory 

Firewall Rules 

Attack 

Scenario 

Graph 

Engine 

Visual 

Analysis 

Optimal 

Counter 

Measures 

• Network Capture 

– builds a model of the 

network. 

– represents data in terms of 

corresponding elements in 

Vulnerability Reporting and 

Exploit Specifications. 

• Vulnerability Database 

– a comprehensive repository 

of reported vulnerabilities 

• Graph Engine 

– simulates multi-step attacks 

through the network, for a 

given user-defined Attack 

Scenario. 

– analyzes vulnerability 

dependencies, matching 

exploit preconditions and 

post-conditions, 

– generates all possible paths 

through the network (for a 

given attack scenario).

Cyber Security is an Ecosystem 

• Common Operating 

Picture 

• Situational 

Awareness 

• Patching servers vs 

changing firewalls 

• Combined 

vulnerabilities are 

real 

Firewalls 

Logs, etc 

Vulnerability 

Scans 

Patch Mgmt/ 

Asset Mgmt

Aggregate/Correlate/Visualize 

• We analyze vulnerability 

dependencies 

– Calculates the impact of individual and 

combined vulnerabilities on overall 

security 

• We show all possible attack paths 

into a network 

– Transforms raw security data into a 

roadmap 

– All known attack paths from attacker 

to target are succinctly depicted 

– Supports both offensive (e.g., 

penetration testing) and defensive 

(e.g., network hardening) applications 

• Strategic 

– Proactively prepare for attacks, 

manage vulnerability risks, and have 

current situational awareness 

• A response strategy can be more 

easily created.

Firewall 

Data 

Cauldron Components 

Host Vulnerability Data 

Access 

Rule 

Interpreter 

Access 

Rules 

Access 

Rules 

Vulnerability 

Modeler 

Network 

Topology 

Policy 

Modeler 


Model 


Model 

Analyzer/ 

Visualizer

Visualizing Just Firewall Policies 

visualizing “back doors”

Combining Dissimilar Data in a 

• Scans tell you one 

thing 

• Subnet configurations 

support the scan 

information 

Proof of Concept

Visualized Combined Data Sets

What the Access Control List 

• Greater 

access than 

expected 

Outside 

the network 

really says

Visualizing/discovering high 

Outside 

the “known” network 

risks

The Role of Filtering 

Attack Graph 

Before Remediation

Focused on Risk Scores 

CVSS > 7 

Remediated 

Attack Graph

Focused on Host Vulnerabilities 

Top 3 by Hosts 

Remediated 

Attack Graph

Focused on Connections 

Top 3 by Connections 

Remediated 

Attack Graph

Remediate 

By Host 

(Top 3) 

No 

remediation 

Remediate 

By CVSS 

(Top 15) 

Remediate 

By Connection 

(Top 3)

Visualizing 

Combined Vulnerabilities 

thru 

Multiple Firewalls 

Unique to Cauldron: Key Differentiator

Foundational Concepts 

• Any “network device” 

is filtering data flow 

• Devices can connect 

to other devices or to 

subnets 

• Each network device 

has unique Access 

rules/policies 


Device 1 


Device j 

Subnet 1 

Network Device 

Subnet k 

Access List 

(Rules)

• Firewalls can 

be configured a 

variety of ways 

• Example - 

Subnet 1 can 

reach Subnet 7 

or 10 using a 

variety of paths 

– but not 

directly 

The Challenge 

SN1 

SN2 

SN3 

ND 1 

SN4 

ND2 

SN5 

SN6 

ND 3 

SN8 

SN7 

ND 4 

ND 5 

SN9 

SN10

Example: Supply chain management 

Partners to 1.2.61.0/25:0

Simple changes – modeled – can 

have significant impact 

Both firewalls: Partners to 1.2.61.0/25:80 only


From Executive Summary 

“These tools can 

provide current security 

status to network 

operations centers and 

security operations 

centers, but they 

typically do not support 

prioritized remediation 

actions and do not 

provide direct incentive 

for improvements in risk 

posture.”

Cauldron Benefits 

• Individual Firewalls can be reviewed faster 

• Prioritized remediation plans 

• Situational Awareness by programs, etc 

• High priority assets are contextual 

• Security elements become more granular 

• More can be done with less

A Test-Bed Success Story in Cyber Space - The Security Network

Create successful ePaper yourself

Delete template?

Save as template?