Internet security . . . writ very small

Miniature version of the 'Net used to assess security schemes.

Iseage illustrationLike a ship in a bottle, the Internet-Simulation Event and Attack Generation Environment is a miniature version of the real thing: It's the vast Internet shrunk to fit onto a high-speed LAN on the floor of a building in a research park adjacent to the Iowa State University campus in Ames.

Iseage (pronounced "ice age") lets you model an attack on your network without having to put your real one on the line.

"It's a test bed for information warfare," says Iowa State University Professor of Computing Doug Jacobson, who heads up the project, which is funded primarily by the Department of Justice. "We'll look at attack tools and defense mechanisms. Our goal is to have this as a point where organizations can test security paradigms."

The school last year snagged a half-million dollar grant from the Justice Department, with another $700,000 promised for this summer, to build the miniature Internet. Agriculture and construction equipment manufacturer John Deere also kicked in $30,000. Iseage, basically a collection of PCs, servers and switches using custom-designed software to simulate routers and network nodes, was ready for its first game of Beat the Hacker last month (see diagram).

Wider Net archive

Our collection of stories that go beyond the speeds and feeds of the network and IT industries.

Iowa State's Cyber Defense Competition pitted teams of university students, who defended Web sites, mainly of their own design, against security professionals playing the part of attacker.

"My role was to break in and crash their servers," says Adam Kaufman, information security analyst for the state of Iowa in Des Moines. "It gave them a taste of what an attack is like."

The Web sites being defended ran on Windows, Unix and open source operating systems. Some of the students who protected the sites used the Snort intrusion-detection system, and assorted firewalls. Competition organizers supplied content for the Web sites.

The competition, which lasted for 20 consecutive hours, began by having Red Team attackers use scanning tools, such as nMap freeware, to find out each student team's software configurations and determine where weaknesses might lie.

"I also used the Web Inspect scanner to find a vulnerability in a PHP page, for instance," Kaufman says. "One team had a server that allowed us to run commands on it. Or we could upload files."

The scoring for the competition proceeded - as in golf - by adding up points for mistakes, making the lowest score the winner.

"The winning team recognized the attack before the other ones," Kaufman says. "You had to send e-mail to the judges to let them know you saw what was happening. Some teams didn't even recognize we had broken into their server."

"We were supposed to configure the Web server to be secure, but mistakes allowed them to run Linux commands on our server," says Iowa State student Sean Howard, who was part of the winning team.

"They managed to get in and send a few e-mails," says Howard, who last month graduated with a bachelor's degree in computer engineering and intends to study information assurance on a graduate level. Overall, the battle on Iseage provided many lessons about how it would feel to have to defend a corporate network, he says.

Red Team members crashed servers many times, and one student team took its server offline to fix a vulnerability. Under the rules, the only offensive disallowed was a distributed denial-of-service attack (DoS), Kaufman says.

Larry Brennan, information security officer for the state of Iowa, who was a competition judge, says the experience was fascinating, especially observing the students' attempts to ward off the array of attacks.

"One Red Team had used a printer to launch an attack," Brennan says. "The students were amazed, saying: 'Even that printer betrayed us.'"

While Iowa State plans to have additional Cyber Defense Competitions, the university also wants to see Iseage used for more than just fun and games.

Jacobson, also the founder and CTO at Palisade Systems, says there's a commercial need to be able to model the complexities of real-world Internet attacks.

"There hasn't been a test bed like this before, with the exception of the Deter test bed at the University of Berkeley, which was funded by the Department of Homeland Security to focus on [distributed] DoS," Jacobson says.

Deter, short for the Cyber Defense Technology Experimental Research, has a number of vendors, including McAfee, participating in it.

Palisade donated to Iseage one of its PacketSure appliances for monitoring network activity usage while an attack is in progress. For an as-yet unspecified fee, Iowa State will make Iseage available to organizations for modeling their networks for defensive purposes. The test bed is expected to be used by the state of Iowa to find out how its network, as recreated on Iseage, might hold up to various attacks under different defense scenarios.

"Everybody has had labs where you can do testing," Kaufman says.

"But here, you can use real Internet addresses and you don't have to change anything. You can look exactly like you're on the Internet," he adds.

Under attack

Learn more about this topic

Hack . . . hack back . . . repeat


Iseage site


Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2005 IDG Communications, Inc.

SD-WAN buyers guide: Key questions to ask vendors (and yourself)