Lockdown: Simplifying Enterprise Network Management
Complex network systems are hard to understand and visualize. The problem has two causes: the specific data needed is not available, or existing tools and techniques cannot correlate and present that data in a meaningful, understandable way. Unfortunately, most popular management approaches focus their analysis only on addresses (hosts) and ports, missing a considerable portion of the data's context. Moreover, network administrators face an overwhelming amount of data, which makes identifying distributed system problems an exceptionally cumbersome and time-consuming task.
There is a tremendous need for tools that allow administrators to sift through massive amounts of traffic information in its appropriate context, and to do so in a visually appealing and interactive manner that encourages data exploration rather than hindering it. Critically, the inclusion of relatively simple context (user, application data), coupled with advanced data analysis techniques, can shed significant light on the question: what is really going on in my network?
To that end, we created the ENAVis network visualization tool, one tool in the larger software suite of the Lockdown project. ENAVis brings the notion of local context to visualization through a novel HUA control that lets one explore the network graph from the perspective of Hosts, Users, and Applications, seamlessly adding or removing context as appropriate. Features of the tool include:
- Lightweight agent to gather context (limited CPU impact, limited storage cost)
- Dynamic graph construction / deconstruction: add or remove context to explore the relationships of hosts versus applications versus users
- Exploration points for examining relationship links or entity information (e.g. "tell me more")
- Work currently underway applying data mining on network graphs to our nearly two-year pool of agent data
Notable awards for this work include the Best Paper Award at the LISA (Large Installation System Administration) 2008 conference and second place at the National Security Innovation Competition (NSIC) 2009.
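The HUA idea above (a graph whose nodes carry host, user and application context, with context added or removed on demand) can be shown in a few lines. The following is an added example written for this page, not ENAVis or Lockdown code; the record format, the endpoint names and the `tell_me_more` helper are all constructed for illustration. Removing context is a projection (endpoints that agree on the selected dimensions merge into one node and their edge counts are summed); adding context refines the graph again; the exploration point lists the full-context endpoints hidden behind a collapsed node.

```python
"""Added example (not ENAVis or Lockdown code): a minimal host/user/
application (HUA) context graph built from constructed agent records.

Each record is one connection an endpoint agent observed, described by
local and remote context: (host, user, application).  Selecting a subset
of the dimensions projects the graph: endpoints that agree on the
selected dimensions merge into one node and their edges are summed, so
"removing context" is a projection and "adding context" is a refinement.
"""
from collections import defaultdict

DIMENSIONS = ("host", "user", "app")

# Constructed sample records: (local endpoint) -> (remote endpoint).
RECORDS = [
    (("ws01", "alice", "firefox"), ("web01", "www", "httpd")),
    (("ws01", "alice", "ssh"), ("db01", "alice", "sshd")),
    (("ws02", "bob", "firefox"), ("web01", "www", "httpd")),
    (("ws02", "bob", "psql"), ("db01", "postgres", "postgres")),
    (("ws02", "root", "ssh"), ("db01", "root", "sshd")),
    (("web01", "www", "httpd"), ("db01", "postgres", "postgres")),
]


def project(endpoint, context):
    """Keep only the selected dimensions of a (host, user, app) endpoint."""
    return tuple(v for d, v in zip(DIMENSIONS, endpoint) if d in context)


def build_graph(records, context):
    """Directed weighted graph {src: {dst: count}} at the chosen context level."""
    context = tuple(d for d in DIMENSIONS if d in context)  # canonical order
    if not context:
        raise ValueError("select at least one of host, user, app")
    graph = defaultdict(lambda: defaultdict(int))
    for local, remote in records:
        graph[project(local, context)][project(remote, context)] += 1
    return graph


def summarize(graph):
    """(node count, distinct edge count) for a graph from build_graph."""
    nodes = set(graph)
    for neighbours in graph.values():
        nodes.update(neighbours)
    return len(nodes), sum(len(n) for n in graph.values())


def tell_me_more(records, node, context):
    """Exploration point: the full-context endpoints hidden behind one node."""
    context = tuple(d for d in DIMENSIONS if d in context)
    return {ep for local, remote in records for ep in (local, remote)
            if project(ep, context) == node}


if __name__ == "__main__":
    # Walk from the coarsest view (hosts only) to the full HUA view.
    for ctx in (("host",), ("host", "app"), ("host", "user", "app")):
        n, e = summarize(build_graph(RECORDS, ctx))
        print(f"{'+'.join(ctx):14s} nodes={n:2d} edges={e:2d}")
    # "Tell me more" about the collapsed db01 node in the host-only view.
    print(sorted(tell_me_more(RECORDS, ("db01",), ("host",))))
```

In the host-only view the two ws02 connections to db01 (psql and root's ssh) collapse into one edge of weight 2; adding the application dimension separates them again, which is exactly the kind of distinction an address-and-port view cannot make when both sessions share the same host pair.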
Media / Screenshots
Demo reel of tool
Further Information
Research publications:
- A. Blaich, A. Striegel, D. Thain, "Reflections on the Virtues of Modularity: A Case Study in Linux Security Modules," to appear in Software: Practice and Experience.
- M. Chapple, A. Striegel, J. D'Arcy, "An Analysis of Firewall Rulebase (Mis)Management Practices," Information Systems Security Association Journal, February 2009.
- Q. Liao, A. Blaich, A. Striegel, D. Thain, "ENAVis: Enterprise Network Activities Visualization," in Proc. of the LISA (Large Installation System Administration) Conference, San Diego, CA, Nov. 2008. Winner of the Best Paper Award.
- Poster: A. Blaich, Q. Liao, B. Sullivan, G. Allan, A. Striegel, D. Thain, "Lockdown: Distributed Policy Analysis and Enforcement within the Enterprise Network," poster at USENIX Security, August 2007.
- Technical report: Lockdown, Tech Report TR-2007-05.
- Thesis: Q. Liao, "Improving Network Insight Through Local Context Gathering and Analysis," Master's thesis, University of Notre Dame. Adviser: Dr. Aaron Striegel; Committee: Dr. Douglas Thain, Dr. Nitesh Chawla.
- Slides: CSE-SRS-2007 Poster Symposium.
Moving Further with the Lockdown Suite of Projects
Despite an ever-increasing breadth of commercial and academic offerings in the field of security, enterprise adoption of robust, fine-granularity solutions has yet to reach a significant threshold. While common lower-end techniques such as virus scanners and firewalls have seen near-ubiquitous adoption, higher-end solutions such as integrated endpoint security clients have seen only limited adoption, with their adoption rates shrinking in recent years. Given the choice between manageability at the cost of simplicity versus mechanism efficacy and richness of expressiveness at the cost of complexity, network administrators are choosing ease of management, with insufficient resources as the primary driving factor.
We posit that new research is needed that places the manageability of the system at the forefront, rather than treating it as an issue to be solved after the system is secure. We define the manageability of a security approach as the degree to which it streamlines the entire process of policy distribution, policy validation, policy auditing, and, most importantly, debugging when systems or security components fail. Put simply, we posit that, given the implicitly distributed nature of the network, security approaches that create unfriendly obstacles to debugging will always experience adoption difficulties. The goal of this research is to make significant strides in the management of the security process, focusing on three issues: management, visualization, and debugging. We focus on delivering an economy of expressiveness for enforcement mechanisms, to contain complexity, while coupling it with streamlined, pervasive monitoring to dramatically assist debugging.
The key outgrowths of this research address the following areas:
- Management as a first-order property of system design: The work will develop a suite of software tools to visualize the security network and to explore the benefits and trade-offs of prioritizing management over coverage with regard to resource impact and risk management. Secondary aspects include experimental studies of tool efficacy and productivity improvements, conducted with expertise from our collaborators in business (D'Arcy), psychology (Crowell), and our Office of Information Technology Information Security effort (Chapple).
- Novel data mining / visualization: While visualization and exploration are the first steps, we intend to explore how to automate or guide the extraction of meaningful relationships, specifically drawing upon the rich body of work in social network analysis to assist with assessing the health of the network. Preliminary aspects include building modules into our visualization tool, coupled with distributed execution of various machine learning algorithms on the grid (Chawla).
- Creation of a streamlined framework for security management: Finally, the work will offer commentary on balancing expressiveness against complexity to demonstrate minimal but effective security mechanisms. More importantly, the work will examine the trade-offs of information gain from monitoring various properties, not only with respect to security but also with respect to management and debugging (i.e. how much does characteristic X improve decision making versus characteristic Y).
People Involved
Faculty:
Students:
Previous Students:
- Tim Wright: graduate student - initial data gathering concept for risk management
- Brian Sullivan: undergraduate student - PHP / web browsing of database
- Greg Allan: undergraduate student - REU exploration of the usage of SONia for visualization
- Ben Roesch: undergraduate student - Windows agent development
Related Work / Efforts