Darrell Kienzle
Symantec
Publication
Featured research published by Darrell Kienzle.
hawaii international conference on system sciences | 2010
Darrell Kienzle; Ryan Persaud; Matthew C. Elder
We describe a system for externally monitoring endpoint configuration compliance of an end user system that provides a high assurance monitoring function and data. Typical approaches to monitoring for endpoint configuration compliance rely on the integrity of the endpoint's operating system and do not protect the monitoring function from subversion or spoofing by threats from within the monitored system. Our approach utilizes (1) a virtual machine architecture on the endpoint system to protect the monitoring function and (2) virtual machine introspection of the end user's environment. In this paper we describe our approach to external monitoring of endpoint configuration compliance, present the technical details of our monitoring system, provide a description of some experimentation and observations, and discuss some of the issues associated with external monitoring.
communications and networking symposium | 2013
Darrell Kienzle; Nathan S. Evans; Matthew C. Elder
NICE, or Network Introspection by Collaborating Endpoints, is a research project that explores novel approaches to network discovery and topology mapping in enterprise networks. The goal of NICE is to develop and demonstrate a capability for mapping networks without relying on traditional network management tools and protocols (such as SNMP), which presume some knowledge of the network topology a priori and require administrative credentials to managed network devices in order to collect their data. NICE targets the security administrator - who does not have either the knowledge or authority to manage the network infrastructure - as opposed to the network administrator. The security administrator does have authority to manage client security software on every managed endpoint. By leveraging this presence on the endpoints, NICE attempts to extract the security-relevant network information that the security administrator needs in order to prevent, ameliorate, and respond to security incidents. The NICE project consists of research and development in multiple areas. NICE uses low-level network switch properties to locate and map all the switches on a subnet and then associate rogue systems with specific physical switches. NICE also captures a wealth of information about rogue systems, authorized systems/devices, and topology simply by listening to broadcast traffic. Lastly, NICE explores techniques for having pairs of endpoints talk across the network to infer the presence of intermediate devices and processing. We have produced a NICE integrated system prototype addressing these research areas and conducted some experimentation to evaluate the effectiveness and scalability of the approach.
Proceedings of the 9th Annual Cyber and Information Security Research Conference | 2014
Darrell Kienzle; Nathan S. Evans; Matthew C. Elder
We present a novel method of layer 2 network topology discovery for Ethernet LANs through the coordinated operation of endpoints/hosts, part of a research project called NICE (Network Introspection by Collaborating Endpoints). Networks are constantly changing, including Ethernet LANs -- machines come and go, network hardware fails, switches are rewired, equipment is reconfigured. The layer 2 network represents a moving target, for the attacker and the defender alike. It is necessary to understand the network, both before and during these changes. Existing network management approaches based on collecting and correlating SNMP data from managed layer 2 devices cannot see the complete picture of the network and cannot see all changes as they occur, in particular changes related to unmanaged devices. NICE is able to discover more information about the topology, including unmanaged devices, without the assistance of traditional network management tools and protocols. NICE requires no administrative access to networking hardware, is multi-platform, and discovers both consumer and enterprise layer 2 devices. The novel contributions of this paper include a layer 2 mapping protocol that requires neither SNMP access nor MAC address spoofing, and a working method to discover and locate non-NICE devices in the topology, improving upon existing research. We have performed extensive experimentation to validate our techniques and provide a comparison to existing research.
cyber security and information intelligence research workshop | 2009
Darrell Kienzle; Ryan Persaud; Matthew C. Elder
We describe a system for externally monitoring endpoint configuration compliance of an end user system that provides a high assurance monitoring function and data. Typical approaches to monitoring for endpoint configuration compliance rely on the integrity of the endpoint's operating system and do not protect the monitoring function from subversion or spoofing by threats from within the monitored system. Our approach utilizes (1) a virtual machine architecture on the endpoint system to protect the monitoring function and (2) virtual machine introspection of the end user's environment. In this paper we describe our approach to external monitoring of endpoint configuration compliance, present the technical details of our monitoring system, and discuss some of the issues associated with external monitoring.
Archive | 2006
Michael Spertus; Slava Kritov; Darrell Kienzle; Hans F. van Rietschote; Anthony T. Orling; William E. Sobel
workshop on rapid malcode | 2003
Darrell Kienzle; Matthew C. Elder
Archive | 2005
Darrell Kienzle; James Croall
Archive | 2010
Matthew C. Elder; Darrell Kienzle; Pratyusa K. Manadhata; Ryan Persaud
Archive | 2005
Darrell Kienzle; Matthew C. Elder
international conference on distributed computing systems workshops | 2012
Angelos D. Keromytis; Roxana Geambasu; Simha Sethumadhavan; Salvatore J. Stolfo; Junfeng Yang; Azzedine Benameur; Marc Dacier; Matthew C. Elder; Darrell Kienzle; Angelos Stavrou