
Publication


Featured research published by Nathan S. Evans.


2013 6th International Symposium on Resilient Control Systems (ISRCS) | 2013

Cloud resiliency and security via diversified replica execution and monitoring

Azzedine Benameur; Nathan S. Evans; Matthew C. Elder

The Information Technology industry heavily relies on the cloud computing paradigm for large-scale infrastructures, and more military and critical infrastructure systems are moving towards cloud platforms as well. Leveraging the cloud can reduce the total cost of ownership and allocate resources on demand in order to cope with load. Two key expectations when shifting to cloud-based services are availability and security. However, recent outages with major Platform as a Service (PaaS) providers reported widely in the press have proven that even a cloud platform cannot provide perfect availability. In addition, a 2013 Defense Science Board report on “Cyber Security and Reliability in a Digital Cloud” finds that while some security practices can be improved in a cloud environment, some threats are different or exacerbated. In this paper we present an approach to leverage the elasticity and on-demand provisioning features of the cloud to improve resilience to availability concerns and common attacks. Our approach utilizes diversification of lightweight virtualized application servers for redundancy and protection against both application errors and network-based attacks.


communications and networking symposium | 2013

NICE: Network Introspection by Collaborating Endpoints

Darrell Kienzle; Nathan S. Evans; Matthew C. Elder

NICE, or Network Introspection by Collaborating Endpoints, is a research project that explores novel approaches to network discovery and topology mapping in enterprise networks. The goal of NICE is to develop and demonstrate a capability for mapping networks without relying on traditional network management tools and protocols (such as SNMP), which presume some knowledge of the network topology a priori and require administrative credentials to managed network devices in order to collect their data. NICE targets the security administrator - who does not have either the knowledge or authority to manage the network infrastructure - as opposed to the network administrator. The security administrator does have authority to manage client security software on every managed endpoint. By leveraging this presence on the endpoints, NICE attempts to extract the security-relevant network information that the security administrator needs in order to prevent, ameliorate, and respond to security incidents. The NICE project consists of research and development in multiple areas. NICE uses low-level network switch properties to locate and map all the switches on a subnet and then associate rogue systems with specific physical switches. NICE also captures a wealth of information about rogue systems, authorized systems/devices, and topology simply by listening to broadcast traffic. Lastly, NICE explores techniques for having pairs of endpoints talk across the network to infer the presence of intermediate devices and processing. We have produced a NICE integrated system prototype addressing these research areas and conducted some experimentation to evaluate the effectiveness and scalability of the approach.


Proceedings of the 9th Annual Cyber and Information Security Research Conference on | 2014

NICE: endpoint-based topology discovery

Darrell Kienzle; Nathan S. Evans; Matthew C. Elder

We present a novel method of layer 2 network topology discovery for Ethernet LANs through the coordinated operation of endpoints/hosts, part of a research project called NICE (Network Introspection by Collaborating Endpoints). Networks are constantly changing, including Ethernet LANs -- machines come and go, network hardware fails, switches are rewired, equipment is reconfigured. The layer 2 network represents a moving target, both for the attacker and the defender alike. It is necessary to understand the network, both before and during these changes. Existing network management approaches based on collecting and correlating SNMP data from managed layer 2 devices cannot see the complete picture of the network and cannot see all changes as they occur, in particular changes related to unmanaged devices. NICE is able to discover more information about the topology, including unmanaged devices, without the assistance of traditional network management tools and protocols. NICE requires no administrative access to networking hardware, is multi-platform, and discovers both consumer and enterprise layer 2 devices. The novel contributions of this paper include a layer 2 mapping protocol that does not require SNMP access nor MAC address spoofing, and a working method to discover and locate non-NICE devices in the topology, improving upon existing research. We have performed extensive experimentation to validate our techniques and provide a comparison to existing research.


CSET'14 Proceedings of the 7th USENIX conference on Cyber Security Experimentation and Test | 2014

Large-scale evaluation of a vulnerability analysis framework

Nathan S. Evans; Azzedine Benameur; Matthew C. Elder


Presented as part of the 6th Workshop on Cyber Security Experimentation and Test | 2013

MINESTRONE: Testing the SOUP.

Azzedine Benameur; Nathan S. Evans; Matthew C. Elder


mobility management and wireless access | 2015

All your Root Checks are Belong to Us: The Sad State of Root Detection

Nathan S. Evans; Azzedine Benameur; Yun Shen


Archive | 2013

Determining model information of devices based on network device identifiers

Darrell Kienzle; Matthew C. Elder; Nathan S. Evans


acm symposium on applied computing | 2016

Insights into rooted and non-rooted Android mobile devices with behavior analytics

Yun Shen; Nathan S. Evans; Azzedine Benameur


Archive | 2014

Systems and methods for detecting discrepancies in automobile-network data

Yun Shen; Nathan S. Evans; Azzedine Benameur


Archive | 2012

Systems and methods for discovering network topologies

Darrell Kienzle; Nathan S. Evans; Matthew C. Elder
