Protecting Critical Networks
Reliable, accurate attribution of the source of network events is necessary for rapid and positive identification of suspicious network activity and can be critical to secure operations. Furthermore, proper attribution can enable rapid role-based network re-provisioning and prioritization during emergency response situations.
Today’s enterprises often require bandwidth-limited networks to support their daily operations. Competing requests that temporarily exceed the bandwidth capacity of a link can leave staff members unable to access critical network resources. This is especially likely when a network is temporarily compromised, as in a natural disaster. In addition, cyber attacks can monopolize network resources, with a similar and often exaggerated effect. Such circumstances may keep an organization from executing its mission. To deal with these situations, enterprises need the ability to easily ensure that the most important requests for their networked resources are fulfilled and that staff members can continue to do their jobs, even in the face of cyber attack or compromised infrastructure. Equally important, enterprises need the ability to stop malicious or unwitting insiders from attacking their networks and computing resources, without impeding other staff members from performing their duties. Reliable attribution of the source of network events is key to addressing these problems.
SNAP provides three key, tightly integrated features: i) Attribution, ii) Prioritization, and iii) Autoconfiguration. These, in turn, enable a range of new analysis and action capabilities: identification of malicious activity, accurate monitoring, emergency response prioritization, and survivability against DDoS threats.
Even with tools that are generally available today (e.g., IDS, filtering capabilities, firewalls, priorities), proper analysis and action depend on information that is either not present or easily spoofed, namely knowledge of where an individual packet or flow originated. When an Intrusion Detection System (IDS) recognizes a suspicious packet, an operator may be alerted to a potential problem, but the operator has no direction for stopping an attack or identifying the point of network penetration if the packet’s originator is unknown. The ability to respect priorities in packet headers may help optimize the use of congested links, but it is effective only to the extent that priority assignment cannot be spoofed or abused.
SNAP provides network operators with a reliable means of determining the origin of a packet (or flow), so they can devise network controls that provide real protection to their networks. SNAP also provides a means to quickly devise and configure solutions to observed problems.
SNAP Assures Reliable Attribution
The SNAP protocol provides a means of reliably identifying where each packet in the network originates. SNAP identifies the actual user, if the user has a Smartcard (e.g., CAC, PIV), or the entry interface on the first SNAP router the packet traverses. The attribution information attached to each packet is cryptographically protected, making it extremely difficult to manipulate. Every SNAP router first checks the integrity of the attribution and priority information and drops any packet that fails this check.
Attribution Allows Better Network Control
Dependable attribution enables many new capabilities for network operators. Priorities may be assigned to individual users, to users with certain characteristics, or to all users on a specific LAN without concern for spoofing or abuse. SNAP prioritization uses operator-configured priority bands, which can overlap to allow complex sharing of available bandwidth. Packets from a specific user or a specific LAN can be filtered. If desired, traffic can be restricted to logged-in users. Priorities can reflect the relative importance of users’ flows.
Autoconfiguration Makes Control of Network Traffic Easy and Fast
SNAP includes the ability to quickly configure or reconfigure a network to reflect changing priorities or conditions. SNAP Autoconfiguration lets an operator quickly (in a single operation) send new policies to SNAP routers. A new policy may, for example, degrade the priority of a user after the operator uses SNAP attribution to detect that user sending (intentionally or not) suspicious packets. Such a policy change can be sent quickly, and it will typically spread through the network in less than a minute.
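The following is an added illustration, not SNAP's own code or wire format, of the behaviour described in the Attribution, Network Control and Autoconfiguration sections above: an origin (user or entry interface) and a priority are bound to each packet by a MAC, every router re-verifies the MAC and drops packets that fail, and an operator policy then filters or caps priority per origin. It assumes a symmetric key shared by all routers (key distribution is not covered by the page) and the packet field names and policy layout are constructed for the example.

```python
import hashlib
import hmac

# Assumption: every SNAP router holds this shared key (constructed example value).
ROUTER_KEY = b"example-shared-router-key"

def tag_packet(origin: str, priority: int, payload: bytes, key: bytes = ROUTER_KEY) -> dict:
    """Attach attribution (e.g. 'user:alice' or 'if:eth0') and priority, bound by an HMAC."""
    header = f"{origin}|{priority}".encode()
    mac = hmac.new(key, header + hashlib.sha256(payload).digest(), hashlib.sha256).hexdigest()
    return {"origin": origin, "priority": priority, "payload": payload, "mac": mac}

def verify_packet(pkt: dict, key: bytes = ROUTER_KEY) -> bool:
    """Each router recomputes the MAC; any change to origin, priority or payload fails."""
    header = f"{pkt['origin']}|{pkt['priority']}".encode()
    expected = hmac.new(key, header + hashlib.sha256(pkt["payload"]).digest(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, pkt["mac"])

def route(pkt: dict, policy: dict, key: bytes = ROUTER_KEY) -> str:
    """Forwarding decision: drop on integrity failure or filtered origin,
    otherwise forward at the priority allowed by the operator policy."""
    if not verify_packet(pkt, key):
        return "drop:integrity"
    if pkt["origin"] in policy.get("filtered", set()):
        return "drop:filtered"
    # A pushed policy may cap an origin's priority (e.g. after an IDS alert on that user).
    cap = policy.get("priority_cap", {}).get(pkt["origin"])
    effective = pkt["priority"] if cap is None else min(pkt["priority"], cap)
    return f"forward:{effective}"

def demo() -> dict:
    # Constructed operator policy: block one user outright, degrade another's priority.
    policy = {"filtered": {"user:mallory"}, "priority_cap": {"user:bob": 2}}
    honest = tag_packet("user:alice", 7, b"status report")
    capped = tag_packet("user:bob", 7, b"bulk transfer")
    blocked = tag_packet("user:mallory", 5, b"probe")
    spoofed = dict(tag_packet("user:carol", 1, b"video"))
    spoofed["priority"] = 9  # priority raised after tagging: the MAC no longer matches
    return {
        "honest": route(honest, policy),
        "capped": route(capped, policy),
        "blocked": route(blocked, policy),
        "spoofed": route(spoofed, policy),
    }
```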
A critical network experiences temporarily degraded performance. Perhaps a critical fiber was destroyed by a natural disaster and replaced temporarily with a microwave link. With limited link capacity, the network operator wants to assure that the most important users have the bandwidth they need. With SNAP capabilities, the operator can quickly distribute a revision to the network configuration that gives first responders the highest priority. Alternatively, the operator may decide to completely filter traffic from all users who are not logged into the SNAP network.
A suspicious packet was observed by an Intrusion Detection System. The SNAP network operator can identify who was responsible for that packet and temporarily filter packets from that user, thus providing time to make further investigations.
Using a SNAP forensic analysis tool, the operator may analyze logs of user activity. Since user-sourced traffic is attributed no matter which computer the user logs in from, the operator may observe an exfiltration attempt in progress, one that might have been invisible without user-specific attribution.
Technology Background and Current Status
SNAP technology was developed by BBN as part of a program originally funded by DARPA, beginning in 2009. Phases 1 and 2 were completed successfully and developed the system architecture and reliable software and hardware implementations. The program has since been transitioned to the Department of Homeland Security Science and Technology Directorate’s Cyber Security Division for technology transition into various operational entities.
11.14.13 Approved for public release; distribution unlimited.