USMA Information Warfare Analysis and Research (IWAR) Laboratory

Presented to the 13th Annual Federal Information System Security Education Association (FISSEA) Conference

Lt. Colonel Daniel Ragsdale

Major Joseph Schafer

Agenda

• Purpose
• Background Issues
• Lab Design Goals
• Lab Overview
• Cost Saving and Cost Avoidance
• Techniques to Minimize Risk
• Legal Constraints
• Lab Organization
• CS485 Information Security
• Rules of Engagement
• Upcoming Events
• Challenges
• Conclusion
• IWAR Hall of Fame

Reasonable Questions

• Ain’t this a cool time to be involved in Information Security?

• Can/Should this type of lab be built in other Environments?

• Can this be done on the cheap?

• Can we trust our system administrators if we give them knowledge of hacker tools and hacker methods?

• Will the construction of a security lab generate greater interest in security?

To all, an emphatic Yes!!

Purpose

• The Information Warfare Analysis and Research (IWAR) Laboratory is an initiative of the USMA Information Technology and Operations Center (ITOC)

• The purpose of the lab is to provide a realistic, but isolated, environment for research, analysis, and instruction on topics relevant to information warfare and information operations.

• Infusion of security-relevant topics throughout the USMA curriculum

Background Issues

• Funded in part by the DISC4, C2 Protect Directorate

• IWAR Lab design is inspired by the Network Security Lab at Texas A&M University and the ISOLAB at UC Davis

• Instruction focuses on both offensive and defensive information operations including (but not limited to):
  – Techniques that intruders use to exploit system vulnerabilities
  – Techniques to prevent, detect, and respond to exploitation attempts

Lab Design Goals

• Realistic, Sophisticated Environment
  – Shared Resources
  – “Normal” Services
  – Targets inside and outside the local domain
  – Heterogeneous Systems
  – Varying levels of security

• Easy System Rebuilds
  – Ghost Images
  – Full Tape Backups
  – Admin Server

• Centralized Lab reconfiguration

• Minimize vulnerability to local (USMA) and external attacks

• Minimize likelihood of local and external disruption

• Maximize Reuse and Minimize Expenditures

Lab Overview

• 40+ “systems”

• 10 networking Components

• 2 Firewalls

• Various Intrusion Detection and Vulnerability Scanning Software

• 8 Distinct Operating Systems and Versions

• $270K Lab Facility

Cost Saving and Cost Avoidance

Expenditures $11,300

Cost Avoidance
  – “Rescued” Equipment $48,200
  – “Repositioned” Equipment $96,900
  – KVM Switch $6,000
  – Virtual Machines $14,000
  – Site Licenses $20,000
  – GNU/Linux Software 0
  – Loaned Equipment $70,000

Total Valuation $266,400

Techniques to Mitigate Risk

• Fully isolated, fully capable Network

• Locked-Down Search Boxes provide safe access to global resources
  – Bare minimum services
  – Removable Storage
  – Write permission only on /tmp and Zip Drive
  – Netscape Only
  – Detailed and Remote Logging
  – Local and Remote Scanning

• Cipher-locked Doors

• Ethics and Legal Briefing

Legal Constraints

• Privacy Act of 1974

• Computer Fraud Waste and Abuse Act of 1987

• US Code Title 18 Section 1030: Fraud and related activity in connection with computers

• US Code Title 18 Section 2701: Unlawful access to stored communications

• US Code Title 18 Section 2511: Interception and disclosure of wire, oral, or electronic communications prohibited

• DoD Directive 5200.27: Acquisition of Information Concerning Persons and Organizations not Affiliated with the Department of Defense

• Numerous Department of the Army Regulations

Advantages of Isolated Network

• We’re legal!!

• Unlikely that activities in the lab affect others

• Not a production environment
  – Supports study, analysis, and investigation of the security aspects of Hardware and Software
  – Supports controlled experimentation

• Types of Software that cadets and faculty will use in the lab: Port Scanners, Trojan Horses, Root Kits, Network Sniffers, Password Crackers, Virus Creators, Vulnerability Scanners, Integrity Checkers, Encryption, Firewalls, Intrusion Detection, etc.

• We’re legal!!

Lab Organization

• Black Systems (Attack)
  – Up to 20 Systems

• Gray Systems (Research)
  – 3-5 Systems for Research and Instructor Use

• Gold Systems (Targets)
  – 15-20 Systems
  – Potential Targets

• Green Systems
  – 2-5 Army Battle Command Systems
  – For Security Analysis

• Network Components
  – Various hubs, switches, and routers to simulate a sophisticated production environment

Team Resources

• Shared
  – HP 5000 Printer
  – Projector
  – Search Systems

• Systems Hardware
  – 400MHz AMD Processor
  – 196MB RAM
  – 3GB Hard drives
  – Zip Drives

• Linux Software
  – Red Hat 6.1
  – GNU Software
  – Numerous Software Development Tools

• NT Software
  – NT 4.0 (Service pack 6)
  – MS Office 97, SR2
  – Outlook 98
  – GNAT
  – Netscape
  – Tcl/Tk
  – Visual Studio
  – RAPID
  – Emacs
  – MSDN
  – TechNet

• Solaris Software (User accounts)
  – Solaris 2.5/2.7
  – GNU Software

[Slides 15–20 are image-only slides whose images are not preserved. Slide titles: Black Components; Search Systems; Gold Systems I; Gray Systems; Gold Systems II; Networking Components]

CS485 Information Security

• 8 CS Faculty volunteered to assist with the instruction

• 40 Lessons

• Hands-on and technically-oriented

• Guest Lecturers

• Class Trip

• Topic projects

• Research Paper

• Course Project (2-person teams)

Typical Topic Class(es)

• Duration: 1-4 lessons

• Assigned Reading(s)

• Active Learning Lecture(s)

• Hands-on Exercise(s)

• Topic Project

Course Project

• Conduct Offensive Information Operation Missions
  – Gain resources and secure data
  – No intentionally destructive actions

• Employment of offensive information operations methodology

• Identify countermeasures

• Continuous web-based reporting using attack reports (SITREPs)

• Final Report and Presentation

1998 USMA Graduate Comments (CS Major)

“The Information Security course will also be an excellent [addition to the curriculum]. That is the one area I really wish I had a better knowledge of. I can usually get servers and applications set up, but when it comes to security, I’m not too sure about it.”

“When I go to Bosnia, I might see some security issues. It sounds like they will be handled by civilian contractors, but it sure would help to know how well they are doing their job.”

1LT Stephen Hamilton
G-6, Battlefield Information Systems
123d Signal Battalion

IWAR Rules of Engagement

• Always remember, you are a representative of USCC, USMA and the US Army. Act accordingly.

• You must not use any of the techniques that you learn to commit unlawful or unethical acts

• You are given specific authorization to access all of the nonpublic DoD-owned computer systems in the lab

• Never attempt to connect any of the systems in the isolated IWAR lab network to any other network, including the USMA network

• Never hide the fact that you are a service member in the United States Army

• Do not boast to others about your activities in the IWAR lab

• Always remember -- you are a representative of USCC, USMA and the US Army. Act accordingly

Upcoming Events

• Course projects for initial Information Security class

• CS105, Introduction to Computing Science, Tech Tour
  – 1200+ Cadets
  – Early exposure to security relevant topics

• Demonstration Site for IEEE SMC Information Assurance Workshop in June 1999

• Primary Lab for at least 2 IW Courses

• Ongoing research for:
  – DISC4 C2 Protect Program
  – PM for an Army Battle Control System (ABCS)

• Support for numerous other CS Courses, including:
  – Operating Systems
  – Computer Networks
  – Computer Systems
  – Artificial Intelligence
  – Information Systems Design

Infusion of security relevant topics throughout the USMA curriculum

Challenges

• Heterogeneous nature of the lab increases the difficulty of:
  – Initial Lab Setup
  – Ongoing network and system administration

• Important tradeoff consideration for all lab components:
  – Provide necessary functionality
  – Serve as a target

• Demand for lab use might exceed lab capacity

Reasonable Questions

• Ain’t this a cool time to be involved in Information Security?

• Can/Should this type of lab be built in other Environments?

• Can this be done on the cheap?

• Can we trust our system administrators if we give them knowledge of hacker tools and hacker methods?

• Will the construction of a security lab generate greater interest in security?

To all, an emphatic Yes!!

Conclusion

• We have achieved our initial goals
  – Research
  – Analysis
  – Instruction

• Generating tremendous interest among cadets, faculty, and outside agencies

• Provides a facility to evaluate and “test drive” software before putting it into a production environment

• To the best of our knowledge, this is one of the best equipped information security labs for undergraduate-level instruction

• Challenges ahead include:
  – System administration
  – Incorporation of new offensive and defensive techniques