Icarus: A Revolution in Distributed Security Management
Rob Bird, University of Florida; Gregory Marchwinski, Red Lambda Inc.


Agenda

• The Problem
• The Solution - Icarus
• Icarus System Architecture
• Icarus Features
• Use Case
• Summary

The Problem

From the SALSA-Netauth document Strategies for Automating Network Policy Enforcement:

“The major security challenge facing university residential networks and other large-scale end-user networks is the thousands of privately owned and unmanaged computers directly connected to an institution's relatively open, high-speed Internet connections. Security policy enforcement is often lax due to a lack of central control over end-user computers and an inability to tie the actions of these computers to particular individuals. A few times a year there are surge events, including the predictable start of each semester and the unpredictable and increasingly frequent reactions to large-scale security incidents, that require massive support intervention.”

• Current security products lack the sophistication to control & stop P2P networks & defend against mass infection by malware/malusers.

• Highly Fragmented Network Security & Management marketplace – many point solutions, many appliances, no central architecture, little automation

• Human intervention is needed to manage security tasks such as P2P and to process vast amounts of data, often overwhelming existing IT staff

The Solution - Icarus

• Developed at the University of Florida in December 2002 to automate security and policy enforcement
– In production on 10,000 user residential network since 2003
– Now on version 2

• Automatically performs policy-based admission control, mitigates P2P networks, complex malware scenarios and manages adherence to university security policy

• Distributed framework – enables security and network management via three key elements - Neuron Microkernel, Collaborative Grid, Peer Management Console

• Patent Pending – developed as an open standards middleware collaborative grid system to utilize all connected resources to defend / manage the network

• Recognized by industry analysts and highlighted in numerous technical publications

Icarus System Architecture

Product Features

• Java 5
• XML-based policy and messaging architecture allows complex workflow automation via graphical or text editor
• Lightweight microkernel features component-based architecture which allows third party applications, libraries (Java and C/C++) and scripts (Perl and Python/Jython) to be combined and used as elements in the workflow
– EG: Existing UF implementation integrates into network registration, security appliances, network hardware, trouble ticketing, billing, judicial management and captive information portal

• Allows the easy combination of L2, L3 and L7 detection, isolation, notification and remediation techniques

• Equally suited to wired or wireless networks
• Drives behavioral change of students by sending a clear and consistent message
– Traffic enforcement cameras vs. citation by policeman

Product Features

• Extensible solution to management issues such as:
– P2P network abuse
– Viral and worm attacks
– Spam relays - automatically contains
– Spyware
– Botnets
– Outbound malicious behavior such as port scans, exploit scans, etc.

Product Features

• Hierarchical administration levels enables multiple views and span of control via console to reflect organizational boundaries and federated management schemes

• Ability to quickly change automatic behavior of system via graphical work flow interface or built-in command editor

• Extensive reporting engine helps generate compliance and exception reports for internal and third party use


Use Case – Icarus @ UF

• In production since 2003
• Automates complete registration, detection, isolation, notification and remediation workflow for P2P, malware and maluser scenarios

• P2P policy enforcement
– No DMCA complaints since 2003
– 1st Offense: 15 minute campus-only restriction
– 2nd Offense: 5 day campus-only restriction
– 3rd Offense: Refer to judicial affairs
– Automatically generates remediation and education content for captive information portal
• Malware/Maluser policy enforcement
– Classful isolation system, different isolation types depending on situation
– Automatically generates remediation and education content for captive information portal

Use Case – Icarus @ UF

| Access Level | Requires Registration? | Destination Restrictions? | Routed? | Notes |
|---|---|---|---|---|
| Guest | No | Yes | Yes | Allows access to registration and information sites only |
| Restricted | Yes | Yes | Yes | Allows access to University resources only |
| Quarantine | Special | Yes | No | Allows access to local network quarantine resources |
| Black Hole | Special | Yes | No | Untrunked, Unrouted |
| Normal | Yes | No | Yes | Typical User |
| Wireless Guest | No | Yes | Yes | Allows access to registration and information sites only |
| Wireless Restricted | Yes | Yes | Yes | Allows access to University resources only |
| Wireless Quarantine | Special | Yes | No | Allows access to local network quarantine resources |
| Wireless Normal | Yes | No | Yes | Typical User |
| Terminated | No Service | No Service | No Service | Last resort |
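The escalating P2P ladder from the use case (15 minute restriction, 5 day restriction, then referral) together with the Restricted/Normal/Quarantine rows of the access-level table, written out as a small enforcement state machine. This is an added illustration, not Icarus code; the slides do not say which network state a referred host is left in, so leaving it Restricted until an administrator clears it is an assumption, as are the function names and the ISO-timestamp inputs.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Escalation ladder from the slides: offense number -> (access level, duration, action).
# Assumption: a referred (3rd-offense) host stays Restricted with no automatic expiry.
P2P_LADDER = {
    1: ("Restricted", timedelta(minutes=15), "15 minute campus-only restriction"),
    2: ("Restricted", timedelta(days=5), "5 day campus-only restriction"),
    3: ("Restricted", None, "refer to judicial affairs"),
}

# Rows of the access-level table used here: level -> (destination restricted?, routed?)
ACCESS_LEVELS = {"Normal": (False, True), "Restricted": (True, True), "Quarantine": (True, False)}


@dataclass
class Host:
    owner: str
    offenses: list = field(default_factory=list)   # ISO timestamps of P2P detections
    level: str = "Normal"
    restricted_until: Optional[datetime] = None
    referred: bool = False


def record_p2p_offense(host: Host, when_iso: str) -> str:
    """Apply the next rung of the ladder to `host` and return the action taken."""
    when = datetime.fromisoformat(when_iso)
    host.offenses.append(when_iso)
    level, duration, action = P2P_LADDER[min(len(host.offenses), 3)]
    host.level = level
    if duration is None:                 # 3rd offense and beyond: hand off, no auto-expiry
        host.referred = True
        host.restricted_until = None
    else:
        host.restricted_until = when + duration
    return action


def current_level(host: Host, now_iso: str) -> str:
    """Access level at `now`; a timed restriction that has elapsed drops back to Normal."""
    now = datetime.fromisoformat(now_iso)
    if not host.referred and host.restricted_until is not None and now >= host.restricted_until:
        host.level, host.restricted_until = "Normal", None
    return host.level


def allowed_destinations(host: Host, now_iso: str) -> str:
    """What the access-level table permits for the host's current level."""
    restricted, routed = ACCESS_LEVELS[current_level(host, now_iso)]
    if not routed:
        return "local quarantine resources only"
    return "University resources only" if restricted else "any"
```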

Use Case – P2P @ UF

| | 2003-2004 | 2004-2005 | 2005-2006 |
|---|---|---|---|
| 1st Offense | 2052 | 948 | 342 |
| 2nd Offense | 415 | 245 | 42 |
| 3rd Offense | 56 | 44 | 10 |
| Total | 2523 | 1237 | 394 |

Offender Rates

| | Rate |
|---|---|
| Pre-Icarus: % of residents using P2P | 54.67% |
| Post-Icarus: % of total residents w/1st Offense | 27.64% |
| Post-Icarus: % of total residents w/2nd Offense | 5.81% |
| Post-Icarus: % of total residents w/3rd Offense | 0.91% |

Recidivism Rates

| | Rate |
|---|---|
| % of 1st to 2nd Offense | 21.01% |
| % of 2nd to 3rd Offense | 15.67% |
| % of 1st to 3rd Offense | 3.29% |

*NOTE: Offender and Recidivism Rates do not include 2005-2006

Case Study – P2P @ UF

[Chart: Rate of Violations (2003-2005). X-axis: Date, from 10/19/2003 to 8/21/2005; Y-axis: violations, 0 to 900; series: Level 1, Level 2, Level 3 or above.]

Summary

• Patent-pending technology features fully-distributed collaborative grid architecture for distributed security and network management

• Architecture designed to enable product enhancements and quick addition / distribution of new modules

• Easily leverages security tools and methods thereby increasing the value of existing software/system investments

• P2P Mitigation being deployed in October to early adopters, GA in December

• Pricing per user per year with extensive educational discount structure

• In production for over 2.5 years at the University of Florida managing over 10,000 users

Questions?

• Rob Bird – [email protected]
• Greg Marchwinski – [email protected]
• Other information: www.redlambda.com