University of Notre Dame NetScale Laboratory

Lockdown: Simplifying Enterprise Network Management

Project Premise

ENAVis Viewer

What is going on in my network? Why is it behaving the way it does? The answers to these relatively innocuous questions provide the foundation for our research. Namely, how can we quickly convey situational awareness of the network, displaying the who, what, and where of the communications taking place, in order to better understand why the network is behaving the way that it is?

The problem is complicated by the fact that complex network systems are hard to understand and visualize. In particular, when networks approach hundreds, thousands, or even tens of thousands of nodes, the problems seem nearly insurmountable. These problems arise either because the specific data is not available or because existing tools and techniques cannot correlate and present the data in a meaningful and understandable way. Unfortunately, most popular management approaches focus on analysis with respect to only addresses (hosts) and ports, providing the where of a connection but missing a considerable portion of the context of the data. Moreover, network administrators face an overwhelming amount of data, which makes the identification of distributed system problems an exceptionally cumbersome and time consuming task.

There is a tremendous need for tools that allow administrators to sift through massive amounts of traffic information in its appropriate context, and to do so in a visually appealing and interactive manner that encourages data exploration rather than hindering it. Critically, the inclusion of relatively simple context (user and application data) coupled with advanced data analysis techniques can shed significant light on the question of what is really going on in my network.

To that end, we created the ENAVis network visualization tool (see the demo movie), one tool in the larger software suite of the Lockdown project. ENAVis brings the notion of local context to visualization through the introduction of a novel HUA (Host, User, Application) control that allows one to explore the network graph from the perspective of any of these essential elements, seamlessly adding or removing context as appropriate. Features of the tool include:

  • Lightweight agent to gather context (limited CPU impact, limited storage cost)
  • Dynamic graph construction / deconstruction – add / remove context to explore the relationships of hosts versus applications versus users
  • Exploration points for examining relationship links or entity information (e.g. "tell me more")
  • Ongoing work applying data mining on network graphs to our nearly two-year pool of agent data

A typical application of the tool might involve the following scenarios:

  • Capture events and report whenever more than 100 files are accessed by an application that communicates with an external host
  • Display all vectors into a particular host, noting any paths with untrusted links
  • Display communities of users, i.e. show communities grouped by common applications and even common files
  • Show user-to-user and application-to-application connectivity, i.e. which users are talking to each other and which applications are talking to each other
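The following is an added illustration of the HUA idea behind these scenarios; it is not ENAVis or Lockdown code. It assumes a hypothetical per-flow agent record of (host, user, application) at each end plus a file-access counter, and uses constructed sample flows. The `project` function is the "add / remove context" operation: the same edge set is collapsed to user-to-user, application-to-application, or the full host/user/application graph, and the scenario queries above are expressed as simple filters over the flows.

```python
"""Added example (not ENAVis code): a minimal Host/User/Application (HUA)
activity graph built from constructed agent records, with the context
add/remove ("collapse to chosen dimensions") operation and the scenario
queries listed on the page."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Endpoint:
    host: str
    user: Optional[str] = None   # None when no agent runs on that host
    app: Optional[str] = None


@dataclass(frozen=True)
class Flow:
    src: Endpoint
    dst: Endpoint
    files: int   # files opened by the source app during the flow (hypothetical agent counter)


INTERNAL = ipaddress.ip_network("10.0.0.0/8")          # assumed internal range
MANAGED = {"ws01", "ws02", "srv07"}                      # hosts with an agent installed

# Constructed sample flows (hypothetical data, not real agent output).
FLOWS = [
    Flow(Endpoint("ws01", "alice", "firefox"), Endpoint("srv07", "svc", "httpd"), 3),
    Flow(Endpoint("ws01", "alice", "ssh"), Endpoint("srv07", "svc", "sshd"), 1),
    Flow(Endpoint("ws02", "bob", "ssh"), Endpoint("srv07", "svc", "sshd"), 2),
    Flow(Endpoint("ws02", "bob", "backup"), Endpoint("203.0.113.9"), 250),
    Flow(Endpoint("198.51.100.4"), Endpoint("srv07", "svc", "sshd"), 0),
]


def is_external(host: str) -> bool:
    """External = a routable address outside INTERNAL. Named hosts are
    treated as internal (a convention of this example)."""
    try:
        return ipaddress.ip_address(host) not in INTERNAL
    except ValueError:
        return False


def project(flows, dims):
    """Collapse the HUA graph to the given dimensions: ("user",) gives
    user-to-user edges, ("app",) application-to-application, and
    ("host", "user", "app") the full graph. Returns {(a, b): flow_count};
    endpoints without an agent contribute None for unknown attributes."""
    edges = defaultdict(int)
    for f in flows:
        a = tuple(getattr(f.src, d) for d in dims)
        b = tuple(getattr(f.dst, d) for d in dims)
        edges[(a, b)] += 1
    return dict(edges)


def file_heavy_external(flows, threshold=100):
    """Scenario: applications that touch more than `threshold` files and
    talk to an external host."""
    return sorted({(f.src.host, f.src.user, f.src.app)
                   for f in flows
                   if f.files > threshold and is_external(f.dst.host)})


def vectors_into(flows, host):
    """Scenario: every path into `host`; the last field is True when the
    source is not a managed (agent-bearing) host, i.e. an untrusted link."""
    paths = {(f.src.host, f.src.user, f.src.app, f.src.host not in MANAGED)
             for f in flows if f.dst.host == host}
    return sorted(paths, key=lambda t: tuple("" if x is None else x for x in t))


def user_communities(flows):
    """Scenario: group users by shared applications (only groups of 2+)."""
    users_by_app = defaultdict(set)
    for f in flows:
        for e in (f.src, f.dst):
            if e.user and e.app:
                users_by_app[e.app].add(e.user)
    return {app: sorted(u) for app, u in users_by_app.items() if len(u) > 1}


if __name__ == "__main__":
    print("app-to-app:", project(FLOWS, ("app",)))
    print("user-to-user:", project(FLOWS, ("user",)))
    print("file-heavy apps talking externally:", file_heavy_external(FLOWS))
    print("vectors into srv07:", vectors_into(FLOWS, "srv07"))
    print("user communities by app:", user_communities(FLOWS))
```

Endpoints with no agent collapse to `None` in every projection, which is exactly the "missing context" an address-and-port-only view leaves behind; in the sample data the inbound flow from 198.51.100.4 is the one untrusted link into srv07.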

Notable awards for this work include the Best Paper Award at the LISA (Large Installation System Administration) 2008 conference and second place at the National Security Innovation Competition (NSIC) 2009. Recently, our project was displayed in a booth at the National Homeland Defense Symposium VII. Our current software package sits at TRL 5 / 6, with the data mining / automated analysis portions at TRL 5 and the visualization / browsing aspects at TRL 6.

Moving Further with the Lockdown Suite of Projects

Despite an ever increasing breadth of commercial and academic offerings in the field of security, the adoption of robust, fine-granularity solutions by the enterprise has yet to occur at a significant scale. While common lower-end techniques such as virus scanners and firewalls have experienced near ubiquitous adoption, higher-end solutions such as integrated endpoint security clients have seen only limited adoption, with their adoption rates shrinking in recent years. Given the choice between manageability (simplicity, at the cost of coverage) and mechanism efficacy / richness of expressiveness (at the cost of complexity), network administrators are choosing ease of management, with insufficient resources as the primary driving factor.

We posit that new research is needed that places the manageability of the system at the forefront rather than treating it as an issue to be solved after the system is secure. By manageability of a security approach we mean that the approach should streamline the entire process of policy distribution, policy validation, policy auditing, and, most importantly, debugging when systems or security components fail. Put simply, given the implicitly distributed nature of the network, security approaches that create unfriendly obstacles to debugging will always experience adoption difficulties. The goal of this research is to make significant strides in the management of the security process, specifically focusing on three issues: management, visualization, and debugging. We focus on delivering an economy of expressiveness for enforcement mechanisms to contain complexity, while coupling it with streamlined, pervasive monitoring to dramatically assist debugging.

The key outgrowths of this research address the following areas:

  • Management as a first order property of system design: The work will develop a suite of software tools to visualize the security network and to explore the benefits and trade-offs of prioritizing management over coverage with regards to resource impact and risk management. Secondary aspects include experimental studies of tool efficacy / productivity improvements, drawing on expertise from our collaborators in business (D'Arcy), psychology (Crowell), and our Office of Information Technology Information Security effort (Chapple).
  • Novel data mining / visualization: While visualization and exploration are the first steps, we intend to explore how to automate or guide the extraction of meaningful relationships, specifically drawing upon the rich work in social networking to assist with assessing the health of the network. Preliminary aspects include building modules into our visualization tool coupled with distributed execution of various machine learning algorithms on the grid (Chawla).
  • Creation of a streamlined framework for security management: Finally, the work will offer commentary on balancing expressiveness versus complexity to demonstrate minimal but effective security mechanisms. More importantly, the work will examine the trade-offs of information gain when monitoring various properties, not only with respect to security but also with respect to management and debugging (i.e. how much does characteristic X improve decision making versus characteristic Y).

People Involved

Faculty:

Students:

Previous Students:

  • Tim Wright: graduate student - initial data gathering concept for risk management
  • Brian Sullivan: undergraduate student - PHP / web browsing of database
  • Greg Allan: undergraduate student - REU exploration of the usage of SONia for visualization
  • Ben Roesch: undergraduate student - Windows agent development

Further Information

Information directly on the Wiki:

Research publications:

  • A. Blaich, A. Striegel, D. Thain, "Reflections on The Virtues of Modularity: A Case Study in Linux Security Modules," to appear in Software: Practice and Experience.
  • M. Chapple, A. Striegel, J. D'Arcy, "An Analysis of Firewall Rulebase (Mis)Management Practices," Information Systems Security Association (ISSA) Journal, February 2009.
  • Q. Liao, A. Blaich, A. Striegel, D. Thain, "ENAVis: Enterprise Network Activities Visualization," in Proc. of LISA (Large Installation System Administration) Conference, San Diego, CA, Nov. 2008. Winner of the Best Paper Award.
  • A. Blaich, Q. Liao, B. Sullivan, G. Allan, A. Striegel, D. Thain, "Lockdown: Distributed Policy Analysis and Enforcement within the Enterprise Network," poster at USENIX Security, August 2007 (writeup available as PDF).
  • Lockdown: Tech Report TR-2007-05*
  • Q. Liao, "Improving Network Insight Through Local Context Gathering and Analysis," Master's Thesis, University of Notre Dame. Adviser: Dr. Aaron Striegel; Committee: Dr. Douglas Thain, Dr. Nitesh Chawla.
  • Slides for the CSE-SRS-2007 Poster Symposium.

Related Work / Efforts

Attachments:

  • LFS.pdf (141.9 K, 06 Oct 2008, QiLiao): Lockdown File System, Parser, and Visualization Manual
  • LFS_directories.png (75.1 K, 08 Oct 2008, QiLiao): Directory structure for the Lockdown File System (LFS)
  • LFS_process_time.png (7.4 K, 08 Oct 2008, QiLiao): Time to process each day's raw data with an increasing number of hosts in the deployment
  • LISA08-ENAVis.ppt (2904.0 K, 18 Nov 2008, QiLiao): LISA '08 talk slides
  • NSIC09-Check.jpg (830.3 K, 08 May 2009, AaronStriegel): NSIC 2nd place prize picture
  • all_usr33_hop1.png (288.0 K, 11 Jun 2008, AaronStriegel): User 33 connectivity view
  • case-app-policy.png (177.2 K, 11 Jun 2008, AaronStriegel): Example - app vs. policy
  • case_clapton_app.png (599.6 K, 11 Jun 2008, AaronStriegel): Example - clapton app usage
  • meta_graph.png (52.4 K, 11 Jun 2008, AaronStriegel): HUA metagraph control
  • server_client_directories.png (53.8 K, 08 Oct 2008, QiLiao): Directory structure for the Lockdown file server and visualization client
  • usr-largeview.png (1821.4 K, 11 Jun 2008, AaronStriegel): All user view graph
  • video-thumb.png (8.3 K, 16 Jan 2009, AndrewBlaich): demo video thumbnail
r48 - 10 Nov 2009 - 03:47:23 - AaronStriegel