Position Paper for ISW'97, Catamaran Resort, San Diego, February 12-13, 1997
CERT Coordination Center Survivable Network Technology Team

The main problem being addressed by the CERT Coordination Center (CERT/CC) Survivable Network Technology Team is how to analyze and synthesize network architectures that exhibit survivability characteristics. Our team is trying to discover evaluation methods and an architectural description of a networked distributed system, with the goal of comparing the survivability characteristics of alternative designs. The analysis technique will be the basis for evaluating the modification of an architecture to address a changing threat, or for creating a new design based on managing risk to the distributed assets of the system.

The focus on survivability as a superset of security issues has several important implications. By focusing on maintaining the mission of the system in addition to classical security issues, we accept that any security measures designed into a system degrade over time and that attack techniques are constantly evolving. By assuming that the system will never be completely secure, we balance the quality attributes of integrity, availability, and confidentiality against properties not usually associated with security, such as dependability, performance, and fault tolerance.
The context in which we will describe survivability architectures is that of an unbounded domain. The primary difference between a bounded and an unbounded domain is that in an unbounded domain an administrator has only local control over a large, distributed system, and there is no policy or control structure that spans the entire system. The Internet is a current example of an unbounded domain: there is local control over the networks that make up the Internet, but no global policy or control over the Internet as a whole. Unfortunately, much of what we know about architectural design and analysis rests on an implicit bounded-domain assumption. This leads to systems that behave well in the laboratory, or when used by small numbers of well-defined users, but break down (or are subject to penetration) when distributed to an unbounded community. Examples of unbounded-domain problems abound at the CERT/CC (http://www.cert.org), involving everything from operating system components to network protocols. Other examples of the problem can be found in the SEI (http://www.sei.cmu.edu) COTS-Based Systems Initiative and the Dependable System Upgrade Initiative, and in CMU projects such as NetBill (http://www.netbill.com).

Beyond the unbounded domain, other factors complicate local control of a network, and these too may be amenable to an architectural approach. Distributed systems are assembled from components with differing architectural assumptions. Most distributed systems are a mix of legacy, locally implemented, and commercial components with a variety of configuration options and integration mechanisms. The system evolves in functionality as well as in its underlying technology; system design in practice is continuous redesign. The complexity introduced by this breadth of components and mechanisms often exceeds the capability of the supporting staff. A well-designed architecture is a simplifying mechanism.
To address architectural analysis and synthesis in unbounded domains, the SEI will draw on its strengths in architectural description and network security to design a new technique or technology that will be the basis for defining survivability at the networked-system level of abstraction. The CERT/CC has been helping Internet users, administrators, and managers to secure their networks and to address penetrations of them since 1988. This history of working with the Internet community has created a basis in reality for understanding network security risks and what it takes to make real systems survive the effects of successful penetrations. The SEI has been successful at designing the process and architectural basis of software engineering through its work on the Capability Maturity Model and its derivatives. Its expertise in architectural specification, system development, and evolutionary design of complex software will be brought to bear on the development of a technology for survivable systems. Several SEI initiatives are related to this effort. The COTS-Based Systems Initiative targets integrating and evolving systems from previously built and commercially available components. The Dependable System Upgrade Initiative aims to establish architectural principles and practices for upgrading systems while guaranteeing that critical system behaviors are maintained. To approach the development of a survivable system analysis technique, the SEI will create a survivability framework that will include

- a survivability taxonomy

Another likely approach in 1997 will be the development of a predictive architectural modeling approach to the synthesis and analysis of networked security components against new and emerging threats. This would allow, for example, an approximation of the risk posed by a new attack script given the existing network security components, and a determination of the effectiveness of proposed network security components in meeting known threats. This analysis approach lets the network manager ask "what if" style questions, given a representation of the network elements contributing to the survivability of the network and a description of the ways attackers attempt to penetrate those elements. The team will analyze CERT data to validate any proposed framework and to profile the needs of an unbounded community of users and administrators. This is essential to ensure that any description has a basis in real-world experience, and thus can have a significant and demonstrable impact on survivability within an unbounded domain.
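The paper does not define the modeling approach, so the following is an added illustration (not CERT/CC or SEI code, and not their technique) of the two "what if" questions above: given a representation of network elements, the security components deployed on them, and attack scripts described as sequences of steps that each need certain exposures on a target element, estimate the residual risk of a newly seen script against the existing components, and compare known scripts' success before and after proposed components are added. The element names, exposures, components, scripts, and the likelihood and impact numbers are all constructed for this example and are not taken from CERT data.

```python
"""Toy 'what if' model of network elements, security components and attack scripts.

Illustrative only; the element names, exposures, components, scripts and the
likelihood/impact numbers are all constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    """One step of an attack script: it succeeds only if every exposure in
    `needs` is still present on `target` after security components are applied."""
    target: str
    needs: frozenset


@dataclass(frozen=True)
class AttackScript:
    name: str
    steps: tuple          # every step must succeed for the script to succeed
    likelihood: float     # rough chance the script is tried (assumed value)
    impact: float         # loss of mission capability if it succeeds, 0..1 (assumed)


# Constructed network: element -> exposures an attacker could use.
NETWORK = {
    "gateway": {"telnet-open", "weak-admin-password"},
    "web-server": {"cgi-unchecked-input", "telnet-open"},
    "file-server": {"nfs-world-export"},
}

# Constructed security components: name -> exposures it removes where deployed.
COMPONENTS = {
    "packet-filter": {"telnet-open", "nfs-world-export"},
    "one-time-passwords": {"weak-admin-password"},
    "cgi-wrapper": {"cgi-unchecked-input"},
}

# Constructed descriptions of how attackers try to penetrate the elements.
KNOWN_SCRIPTS = (
    AttackScript("telnet-brute-force",
                 (Step("gateway", frozenset({"telnet-open", "weak-admin-password"})),),
                 likelihood=0.6, impact=0.9),
    AttackScript("cgi-then-nfs",
                 (Step("web-server", frozenset({"cgi-unchecked-input"})),
                  Step("file-server", frozenset({"nfs-world-export"}))),
                 likelihood=0.3, impact=0.7),
    AttackScript("web-telnet",
                 (Step("web-server", frozenset({"telnet-open"})),),
                 likelihood=0.5, impact=0.2),
)


def effective_exposures(network, deployment, components=COMPONENTS):
    """Exposures left on each element once the deployed components are applied.
    `deployment` maps element -> set of component names deployed on it."""
    remaining = {}
    for element, exposures in network.items():
        removed = set()
        for name in deployment.get(element, ()):
            removed |= components[name]
        remaining[element] = set(exposures) - removed
    return remaining


def script_succeeds(script, exposures):
    """A script succeeds only if each step's needed exposures are all present."""
    return all(step.needs <= exposures.get(step.target, set()) for step in script.steps)


def residual_risk(scripts, exposures):
    """(sum of likelihood*impact over scripts that still succeed, their names)."""
    succeeding = [s for s in scripts if script_succeeds(s, exposures)]
    total = sum(s.likelihood * s.impact for s in succeeding)
    return round(total, 3), [s.name for s in succeeding]


def assess_new_script(script, deployment, network=NETWORK):
    """Risk of a newly seen attack script against the existing deployment."""
    ok = script_succeeds(script, effective_exposures(network, deployment))
    risk = round(script.likelihood * script.impact, 3) if ok else 0.0
    return ok, risk


def what_if(current, proposed, scripts=KNOWN_SCRIPTS, network=NETWORK):
    """Compare residual risk before and after adding `proposed` components."""
    before = residual_risk(scripts, effective_exposures(network, current))
    merged = {e: set(current.get(e, ())) | set(proposed.get(e, ()))
              for e in set(current) | set(proposed)}
    after = residual_risk(scripts, effective_exposures(network, merged))
    return {"before": before, "after": after,
            "blocked": sorted(set(before[1]) - set(after[1]))}


if __name__ == "__main__":
    current = {"gateway": {"packet-filter"}}
    print(what_if(current, {"file-server": {"packet-filter"}}))
    new = AttackScript("nfs-direct",
                       (Step("file-server", frozenset({"nfs-world-export"})),),
                       likelihood=0.4, impact=0.7)
    print(assess_new_script(new, current))
```

The point of the model is the shape of the questions, not the numbers: an attack script is evaluated against what remains exposed after components are applied, so a proposed component is judged by which known scripts it actually blocks and how much mission impact that removes, while a new script is judged against the deployment as it stands. A real framework of the kind the paper proposes would replace the constructed exposures and scripts with a taxonomy grounded in CERT data.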