QFIRE

Getting Close to theForward-based Defense with QFIRE

June 3, 2011

QFIRE Pilot Lead NSA/Technology Directorate

Derived From: NSA/CSSM 1-52 Dated: 20070108

Declassify On: 20360401

Abstract(TS//SI//REL) The goal of forward-based defense is to detect and mitigate malicious threats in real-time, as close to the source as possible. It is part of a layered defense strategy with four concentric zones: endpoint-, perimeter-, aggregation-, and forward- based defenses. The QUANTUMTHEORY mission leverages NSA's vast system of distributed passive sensors to detect target traffic and tip a centralized command/control node. This node assesses the tip and injects a response towards the target using active TAO assets.(TS//SI//REL) Extremely powerful CNE/CND/CNA network effects are enabled by integrating our passive and active systems:

re se ttin g connections red irec tin g ta rg e ts fo r exp lo ita tio n

* ta k in g co ntro l o f IRC bots " co rrup ting file up loads/dow nloads = More'.

(TS//SI//REL) The success rate of these effects is largely determined by the latency from tip-to-target. OFIRE is a consolidated QUANTUMTHEORY platform under development that reduces latencies by co-locating (1) existing passive sensors with (2) local decision resolution, and (3) the ability to locally inject traffic to achieve the desired network effect.

TopicsLayered Defense Model NSA TURBULENCE A rch itecture ^ TURMOIL passive SIGINT sensors ^ TURBINE active SIGINT command/control

QUANTUMTHEORY** Integrating passive/active systems for

CNE/CND/CNA QFIRE=■ Consolidated low-latency QUANTUMTHEORY

capability under development for forward-based defense

Forward-based Defense NSA TURBULENCE Archit

Distributed Sensors: PassiveU R w r r r (S//SI//REL) High-speed passive collection

systems intercept foreign target satellite, microwave, and cable communications as thev transit the alobe.

(~ ~ 11 r - f - i /^ rAccesses

& TURMOIL I{ £ TUTELAGE

TURBINE: Active Mission Management. (TS//SI//REL) TURBINE provides ^ ^ c e n tra liz e d automated command/control

of a large network of active implants

AccessesTURMOIL

* TUTELAGEImplants (TAO)

QUANTUMTHEORY(TS//SI//REL) Extrem ely powerful CNE/CND/CNA netw ork effects are enabled by in teg ra ting our passive and active systems:

=■ R ese ttin g co nn e c tio ns (QUANTUMSKY)R ed irec tin g ta rg e ts fo r e x p lo ita tio n (QUANTUMINSERT)

=> Taking c o n tro l o f IRC b o ts (QUANTUMBOT)= C o rru p tin g file u p lo a ds /do w n lo a ds (QUANTUMCOPPER)

(T5//SI//REL) QUANTUMTHEORY dynam ica lly in jects packets in to a ta rge t's netw ork session to achieve CNE/CND/CNA netw ork effects.=• D e tect: TURMOIL passive sensors detect ta rge t tra ffic & tip TURBINE com mand/control. => D ecide: TURBINE mission logic constructs response & forwards to TAO node.1 In je c t: TAO node injects response onto Internet towards target.

(TS//SI//REL) The propagation delay from tip -to -ta rg e t determ ines the success rate o f the netw ork e ffect. Less L a te n c y = M o re S u cce ss !

TO P SEC R ET//CO M INT//REL TO USA, AUS, CAN, GBR, NZL

QFIRE: Consolidate fo rI T L ̂ dntjc/Pacific latency

* QUANTUMTHEORY Path: s ite ° NSAW -TURBINE ° ta rg e t

(TS//SI//REL) QFIRE collocates at site: sensor, decision logic, and local/regional injection capability to achieve low latency.

^ Use ex is ting SIGINT sensors fo r a le rting =■ Local decision reso lu tion (local TURBINE)" Local/regional in jection capab ility - QFIRE Path: s ite ° ta rg e t

=■ (TS//SI//REL) A low latency capability substantially increases the variety of achievable CNE/CND/CNA network effects and improves their overall effectiveness.

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

QFIRE/Forward-Based Defense:

e n c ' e s= Conduct tim e tria ls & eva luate operational effectiveness

^ Develop/deploy QFIRE fo r high-speed SSO cable site(s)

^ D e p e ndenc ies" Grow regional shooter in frastructure (more Points-of-Presence)3 Develop local/regional insertion capability a t SSO cable accesses" Enhance cloud analytics and QUANTUM missions ” Botnet m itiga tion p ilo t e ffo rt

QFIRE Components @

|EveTURBINE

Inject*■—i—

SCS Site SCIF5 / U C

♦Regional Inject node is on Internet.♦♦Local Inject node is collocated with RelayNode in

D io d e ^ RelayNode'

In te rn e t O ption A

SCS Site RMS

-► RF-Tx — ►

Cooperative

RF-Rx

In te rn e t Option B

SCS Site RMS

— Injec

Non-cooperative Wireless Access Point

WAP

In te m e t

NAT-GW

injectCommand

injectCommand

A r i L RPCA or B Wireless

ClientsWiredClients

TOP SECRET//CO M INT//REL TO USA, AUS, CAN, GBR, NZL

QFIRE @ SCS: Physical/Virtual

Network Architecture

ITx W C2STRAIG HTBIZZ

W AN -=»*■------1 t,

Sw itc

j f o t if>g Si te restructure Sw itch

- w ^ C L i-

BLINDDATE

rrTop Secret S C 5 » IW =

t Unclassified TAO /e r t netw ork

VMware ESX Server ...I

Cover

t yvSwitC

.... h....5M BladeCenter HS2

vSv....

vitc

V M l

TURM OIL

iTx Local

r

VM 2

TURBINE-WL

ACLS

VM 3

TURBINE-DB

..VM 4

SH-H ighProxy JMS-to-

ChmRPC

A udit/Logger

VLAN+

VPN

j r

\ACLs

Low-

High-Ke

t ^ M w a r ^ S r ........

rVirtual

Process(es)

r

Network Interface

iW&w/one-way ACL

TOP SECRET//CO M INT//REL TO USA, AUS, CAN, GBR, NZL


izm u rsp a c e itim e co n tm u u m M ip se ttm ga llw o u riB ra viiya n d lu a n tu m s a n d stuffs!

I @nsa.ic.g


HTTP Web Client/Server=> C lie n t in it ia te s request, th e n se rve r rep lies =* TCP socket:

=• Client: TCP SYN - Server: TCP SYN/ACK

=> HTTP 1.1 P ers is ten t C onnection =■ Client: HTTP GET1 =■ Server: HTTP Responsel

=> Client: HTTP GET2 =■ Server: HTTP Response2

QUANTUM INSERT: racing tta&server

- W a it fo r client to in itia te new connection- Observe server-to-client TCP SYN/ACK -S hoo t! (HTTP Payload)- Hope to beat server-to-client HTTP Response

=* The C ha llenge:- Can only win the race on some links/targets- For many links/targets: too slow to win the race!

TOP SECR ET//CO M IN T//R EL TO USA, AUS, CAN, GBR, N ZL

QUANTUM INSERT: racing

client

erec SYN/ACK

TCP SYN

shot

HTTP GET

on server-to-client TCPnL_

. > losew in'

server-TCPSYN/ACK

HTTP RESPONSE

QlH T T P P a w ln a rl

C R ET//C O M INT//R EL TO USA, AUS,


QUANTUMTHEORY*

Node Function M irim m Latency to TotalReach Next Node (ms) Latency(ms)

SAS Ste Access System: Front end & Layer 0/1 ? ?

TUMULT: Demux & Layer 2 ? ?

Sensor TURMOIL Layer 3+Passive Sensor/Event Detection 10 10nx ISLANDTRANSPOPT: Enterprise Message Service 120 130C&C TURBINE: Gornrrend/Control Decision Logc 20 150Diode SURPUUSHANGAR: Hi^i-to-Low Dode 20 170GowNet TAO Covert Network (MIDDLEMAN) 70 240Inject TAO injection implant 75 315Target Destination for CNDCND/CNA network effect - 686

‘ T im ing Measurements, QUANTUMTHEORY Workshop, October 2010


Documents

QFIRE