ISEAGE
Hitchhiker's World (Issue #8)
http://www.infosecwriters.com/hhworld/
Overview
The initiative
proposes to create an Internet-Scale Event and Attack Generation Environment
(ISEAGE) (pronounced ice age) at Iowa State University. ISEAGE
will be a first of its kind facility in a public university dedicated to creating
a virtual Internet for the purpose of researching, designing, and testing
cyber defense mechanisms as well as analysis of cyber attacks. Unlike computer-based
simulations, real attacks will be played out against real equipment.
Researchers and vendors are working hard to provide products and services
to help defend against cyber attacks, but users of these technologies often
do not have any mechanisms to test or even try out these defenses. Law enforcement
agencies and forensics analysts have no way to replay attacks or recreate
a cyber crime scene. The proposed facility will provide a controlled environment
where real world attacks can be played out against different configurations
of equipment. ISEAGE will contain a vast warehouse of attack tools that will
be able to simulate point-to-point and distributed attacks. The creation of
ISEAGE will represent a new paradigm in the area of security research, cyber
forensics, and will enable new and innovative research needed to solve the
current security problems facing the world today.
As discussed in the report from the NSF workshop on network
research testbeds the need for testbed networks is well documented. We
believe this is especially true in the area of security research, where too
often security research is based on either data from the internet directly
or from artificial data. Either way this can lead to results that are hard
to recreate or may not apply to the real world. By recreating the internet
for the purpose of launching controlled attacks in the presence of known background
data the investigators are confident that higher quality research results
will be obtained. ISEAGE will provide this environment and will facilitate
a level of research well beyond the current state of the art.
Another problem that often faces security researchers and companies producing
security technology is the ability to test their theories and solutions in
a real life environment. This is often done by trying to convince an organization
to beta test a new concept in their environment. This leads to many potential
problems for both the researchers and the end users. ISEAGE will provide a
place to evaluate the effectiveness of security products by being able to
re-create attacks. Another problem with the way security is handled is that
we are always in a defense mode, waiting for the next attack and hoping that
our technology will hold back the attack. In the case of the nation's
critical infrastructure the current method of protection is to try to break in
to the live system every so often. ISEAGE can be used to constantly attack
a replica of a critical infrastructure with the goal of finding the problem
before it happens to the live system.
Project Goal
The goal of ISEAGE is to provide a world class research and education facility
to enhance the current state of the art in information assurance. This one-of-a-kind
facility will be the catalyst for bringing together top researchers
from several disciplines for a common goal of making computing safer. We currently
have over 30 faculty members affiliated with the ISU Information Assurance
Center (IAC). The ISEAGE will provide an integrated environment to work on
synergistic research projects in information assurance and to solve the problems
facing industry, government, and law enforcement. The research areas in information
assurance at Iowa State University deal with overlapping problems and can
benefit from a common laboratory. For example, the group working in intrusion
detection and the group working in survivable networks often utilize the same
attack data and are concerned about the same types of attacks. The ISEAGE
will be a critical element needed to elevate the research efforts and to help
provide solutions to these complex problems.
We have already had numerous discussions with government agencies, law enforcement,
business, and industry about the potential benefits of the ISEAGE. The following
description provides a summary of the potential impact and goals of the ISEAGE:
ISEAGE Design
There have been several successful network testbeds, but ISEAGE
is designed specifically for use in security research and offers many advantages
over a conventional network testbed. The primary advantage is the tool set that
will be designed for ISEAGE. These tools and an overview of the ISEAGE design
are outlined in the following pages.
ISEAGE components
The primary design goal is to provide a highly configurable environment that
can model any aspect of the Internet. ISEAGE is to be designed such that its configuration
can be changed quickly and that multiple research experiments can be carried
out at the same time. The lab will consist of multiple copies of each component,
which will allow either multiple simultaneous experiments or for very large
single experiments. Each of the key components is described below along with
an anticipated equipment list.
Core data switch & tap point
The core switch is at the heart of the lab and provides connectivity between
all of the tools and between the virtual sub networks. This will be a high speed
switching center with multiple gigabit switches with port spanning. The core
switch will also be outfitted with monitoring devices to help facilitate real-time
control over the network. The core switch will consist of multiple gigabit switches
all connecting to a central switch. Each connection to the central switch will
have a tap point to allow access to the traffic.
Virtual subnets (VSUB)
Virtual subnets are used to recreate any part of the Internet; they are connected
to the core switch via a traffic mapper (described in the tools section). A
virtual subnet can contain multiple routers, computers and any of the tools
described below. A virtual subnet can be isolated from the other virtual subnets
or can communicate with any other virtual subnet. The virtual subnets consist
of a rack of computers with swappable drives to allow each computer to boot
into one of many different operating systems. Each computer will have two network
interfaces with one interface used for the experimental traffic and one interface
used to connect to the control network. The connection from the subnet to the
core switch will be made through one of the tools described below. The physical
connection will have a network tap point to allow monitoring of network traffic.
Monitor control network
The monitor control network is a separate network used to monitor the core switch
and the virtual networks. By using a separate network for monitoring and control
of the network any traffic generated will not affect the laboratory. This can
also allow remote control of the laboratory via the Internet, while still maintaining
isolation between the virtual Internet and the real Internet. The control network
consists of several command consoles connected to data collection tools and
to various control points. Data and control information will be routed through
the monitor control network to the individual devices.
Attack Control Network
The attack control network is a separate network used to manage and monitor
the attacks and the attack tools. By using a separate network for monitoring
and control of the attacks any traffic generated will not affect the laboratory.
This can also allow remote control of the laboratory via the Internet, while
still maintaining isolation between the virtual Internet and the real Internet.
The attack control network will be identical to the Monitor Control Network.
Custom Tools
There are multiple tools that will be designed as part of the laboratory. These
tools create the virtual Internet and allow the researcher to introduce and
monitor attacks. Each tool will use the same hardware platform consisting of
a high-speed pc-based rack mounted computer with three network interface cards
(two interfaces for traffic and one interface for monitoring and control). Each
tool represents a research and development effort to design and implement. They
will use a common command and control protocol to allow easy integration into
the virtual internet command and control network. We currently have a team of
students working on the specification and design documents for the tools. Many
of the tool design projects will become thesis topics for the students.
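The separation described above (experimental traffic on a core switch with a tap point on every link, virtual subnets entered through a tool, and a control network that never carries experimental traffic) can be reproduced at small scale on a single Linux box. The script below is an added example, not ISEAGE's own tooling: hosts become network namespaces, the core switch, subnets and control network become Linux bridges, the tap points become tc "mirred" mirrors onto a capture interface, and tools are the only namespaces allowed to forward, and only between their data interfaces. The topology, host names and interface names are assumptions constructed for the example; check_isolation() refuses any topology in which the control network becomes reachable from experimental traffic.

```python
"""Scaled-down ISEAGE-style testbed on Linux namespaces and bridges.

Added example, not ISEAGE code. build_commands() emits the iproute2/tc/nft
commands (run as root via apply_commands()) for a constructed topology.
"""
import subprocess
from collections import defaultdict

CORE = "br-core"      # core data switch (experimental traffic)
CONTROL = "br-ctl"    # monitor / attack control network
TAP = "core-tap"      # dummy interface that receives mirrored core traffic

# Constructed topology (assumed names). "nics" lists (interface, bridge);
# "fwd" lists the interfaces a host may forward between (tools only).
# Every host has exactly one control NIC, as in the ISEAGE design.
HOSTS = {
    "vsub1-host": {"nics": [("eth0", "vsub1"), ("ctl0", CONTROL)], "fwd": []},
    "vsub2-host": {"nics": [("eth0", "vsub2"), ("ctl0", CONTROL)], "fwd": []},
    "mapper1": {"nics": [("eth0", "vsub1"), ("eth1", CORE), ("ctl0", CONTROL)],
                "fwd": ["eth0", "eth1"]},
    "mapper2": {"nics": [("eth0", "vsub2"), ("eth1", CORE), ("ctl0", CONTROL)],
                "fwd": ["eth0", "eth1"]},
    "console": {"nics": [("ctl0", CONTROL)], "fwd": []},
}


def bridge_reachability(hosts):
    """bridge -> set of other bridges reachable through forwarding hosts."""
    adj = defaultdict(set)
    for spec in hosts.values():
        brs = [br for nic, br in spec["nics"] if nic in spec["fwd"]]
        for a in brs:
            adj[a].update(b for b in brs if b != a)
    reach = {}
    for start in {br for s in hosts.values() for _, br in s["nics"]}:
        seen, stack = set(), [start]
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.add(n)
                stack.extend(adj[n])
        reach[start] = seen - {start}
    return reach


def check_isolation(hosts=HOSTS):
    """Return design violations; an empty list means the topology is sound."""
    problems = []
    for host, spec in hosts.items():
        ctl = [nic for nic, br in spec["nics"] if br == CONTROL]
        if len(ctl) != 1:
            problems.append(f"{host}: expected one control NIC, got {len(ctl)}")
        if any(len(f"{host}-{nic}") > 15 for nic, _ in spec["nics"]):
            problems.append(f"{host}: veth peer name longer than IFNAMSIZ-1")
    if bridge_reachability(hosts).get(CONTROL):
        problems.append("control network reachable from experimental traffic")
    return problems


def tap_commands(port):
    """Mirror both directions of one core-switch port onto TAP (tap point)."""
    return [
        f"tc qdisc add dev {port} clsact",
        f"tc filter add dev {port} ingress matchall action mirred egress mirror dev {TAP}",
        f"tc filter add dev {port} egress matchall action mirred egress mirror dev {TAP}",
    ]


def build_commands(hosts=HOSTS):
    """Emit the root-privileged commands that realise the topology."""
    problems = check_isolation(hosts)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = [f"ip link add {TAP} type dummy", f"ip link set {TAP} up"]
    for br in sorted({br for s in hosts.values() for _, br in s["nics"]}):
        cmds += [f"ip link add {br} type bridge", f"ip link set {br} up"]
    for host, spec in hosts.items():
        cmds.append(f"ip netns add {host}")
        for nic, br in spec["nics"]:
            port = f"{host}-{nic}"  # bridge-side end of the veth pair
            cmds += [
                f"ip link add {nic} netns {host} type veth peer name {port}",
                f"ip link set {port} master {br} up",
                f"ip -n {host} link set {nic} up",
            ]
            if br == CORE:  # every link into the core switch gets a tap point
                cmds += tap_commands(port)
        fwd = int(bool(spec["fwd"]))
        cmds.append(f"ip netns exec {host} sysctl -q -w net.ipv4.ip_forward={fwd}")
        if spec["fwd"]:  # tools forward data<->data only; never via other NICs
            cmds += [
                f"ip netns exec {host} nft add table inet guard",
                f"ip netns exec {host} nft add chain inet guard fwd "
                "'{ type filter hook forward priority 0; policy accept; }'",
            ]
            for nic, _ in spec["nics"]:
                if nic not in spec["fwd"]:
                    cmds += [f"ip netns exec {host} nft add rule inet guard fwd iifname {nic} drop",
                             f"ip netns exec {host} nft add rule inet guard fwd oifname {nic} drop"]
    return cmds


def apply_commands(cmds):
    """Execute the plan (needs root and recent iproute2/nftables)."""
    for c in cmds:
        subprocess.run(c, shell=True, check=True)


if __name__ == "__main__":
    print("\n".join(build_commands()))
```

Running the script prints the plan; `python3 script.py | sudo sh` applies it, after which `tcpdump -i core-tap` sees every frame crossing a core-switch port while nothing on `br-ctl` ever mixes with it. The reachability check is the part worth keeping when scaling this up: it catches the classic mistake of a tool that forwards between its control interface and a data interface, which would bridge the isolated virtual Internet to whatever the control network reaches.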
Timeline
The initial funding is seed money to get ISEAGE started, with a three-year
timeline shown for the full implementation of ISEAGE. Even though ISEAGE has a
three-year completion cycle, it will be usable after year one.
Deliverables
There are two primary sets of deliverables from this project. The first set
will be the tools designed to support ISEAGE. We will make the tools and the
source code available to the research community. The research used in the design
and creation of several of the tools will result in master's theses and publications.
Many of the tools can be used in a small network environment to test a particular
aspect of security and will prove useful to the general research community.
The second set of deliverables is the research results for the projects enabled
by the creation of ISEAGE and the usage of ISEAGE for forensics work and support
of business and industry. These results will be disseminated through journal
publications, conference papers, technical reports and usage data. We will also
create documentation on the overall design of ISEAGE and will make ISEAGE available
to the community.
Metrics for measuring success
There are numerous metrics for measuring the success of ISEAGE. The four dominant
metrics are tool usage, ISEAGE usage, increases in funding, and increases in scholarship.
Many of the tools will be able to be used in smaller lab environments and even
as stand-alone devices. As mentioned before, we plan on making the tools available
to the research community and a measure of success will be based on the level
of adoption for the tools. One of the primary measures of success will be the
overall usage of ISEAGE. Since the ISEAGE is being designed to handle many different
types of security problems and many different users we anticipate heavy use.
We anticipate that once ISEAGE is fully implemented the facility will be used
continuously. Many of the activities are synergistic and can coexist. The last
two metrics are traditional metrics used to measure the success of any research
project. The difference in the case of ISEAGE is that we will measure success
based on the funding of both research projects and the ongoing funding of ISEAGE.
ISEAGE will also increase the level of scholarly publications through the increase
in research and through publications based on the research into the building
of ISEAGE. We believe that when ISEAGE is completed that it will be a model
for security testbed networks in academia, industry, and certification organizations.
Sustainability
One key aspect of any testbed network is how to keep it running and how to fund
additional equipment and upgrades. There have been numerous groups interested
in ISEAGE including state government, private industry, and law enforcement.
We will be able to develop a plan to keep the lab operational. Several key components
of the operational plan are listed below.
The operation of ISEAGE will be managed by the Iowa State University Information
Assurance Center which reports to the vice provost of research. This allows
ISEAGE to become a university resource and should reduce any potential friction
between departments and colleges over ownership.
Ongoing maintenance of the lab during the startup phase will be handled by a
combination of time from the current computer support staff and graduate students.
We also have several undergraduate students who work on research projects and
in the current lab. We often have these students involved with setting up experiments
and working on projects.
The seed funding will be used to help secure space and to fund some of the initial
equipment needed to bring in additional funding for the ISEAGE, through equipment
donations and other state and local funding sources. Due to the creation of
the ISEAGE we envision an increase in external funding from government
and private sources. When appropriate, costs of lab upkeep and enhancement will
be included in the proposals.
We will develop a charge back system to allow private industry to use ISEAGE
which will help fund the support staff needed to keep the lab running. As we
see an increase in external use that will provide an increase in funding this
will allow an increase in staff support.
Additional information on ISEAGE can be found here.
- Doug Jacobson
Copyright © 2003, Infosecwriters.com and Authors. All rights reserved.