Internet security test bed goes coast to coast

The experiments remain isolated from the Internet so researchers can model Net attacks safely.

Michael J. Bechetti

A national test bed for Internet security research is under construction with $10.8 million from the Homeland Security Department and National Science Foundation.

'The goal is to put network security research on a firm scientific footing,' NSF program director Joe Evans said. There has been 'nothing on this scale' before, he said.

An initial array of 64 nodes is up and running at the University of Southern California's Information Sciences Institute in Los Angeles. The goal is 1,000 nodes with additional sites at the University of California at Berkeley and at ISI East in Arlington, Va.

The arrays will connect over a high-speed network, said Stephen Schwab, senior research scientist for the research unit of Network Associates Inc. of Santa Clara, Calif.

'We're ramping up nodes as we speak,' Schwab said. 'We will have the capability of throwing a lot of scenarios at this beast.'

McAfee Research will help build the test bed, which is part of a pair of companion programs being funded with the $10.8 million from DHS and NSF.

The Cyber Defense Technology Experimental Research network, or DETER, will focus on physical infrastructure. The Evaluation Methods for Internet Security program, or EMIST, will develop tests.

Little is known about the behavior of self-propagating code and the interaction of elements in an environment as complex as the Internet. 'We want to get repeatable engineering and scientific measurements,' Schwab said.

Controlled research

The test bed will allow controlled research on threats and testing of defenses. UC Berkeley is the project lead for DETER, along with the USC Information Sciences Institute, and they have received $5.46 million in funding for three years. The EMIST segment, led by UC Davis and Pennsylvania State University, has received $5.34 million.

'Both efforts started in the fall,' Evans said. 'The first pieces of the test bed went operational in February. Toward the end of the year, we hope to have wide-area connectivity in place.'

Scale is important to model behavior on the Internet. Having 1,000 nodes, each of which could emulate a subnet or other network component, should provide more granularity than is currently possible, Schwab said. Putting components on opposite sides of the country will also build in realistic latency.

'There actually is value in having 10- to 40-millisecond latency on a high-bandwidth network,' he said.

The separate locations also will make it more convenient for researchers in different parts of the country to run experiments.

Each node on DETER will be PCs racked in clusters with 4-Gbps interfaces to Catalyst 5000-series Gigabit Ethernet routers from Cisco Systems Inc.

The Los Angeles, Berkeley and Arlington sites will link through encrypted tunnels at 1 Gbps. The researchers are adapting management software to set up the necessary network services and place the required software images on each node, rebooting as needed for each experiment.

The existing cluster now has basic network routing. 'You have to be able to set up more complicated network services,' Schwab said. 'We're working our way up the networking stack.'

Because DETER's testers will model attacks and observe the behavior of malicious code, it will be shielded from the Internet and other public networks. Public connections will be necessary, however.

DETER 'is designed to allow remote experimentation,' Evans said, 'but there are pretty elaborate isolation features,' including multiple firewalls. One of the simplest features is an on-off switch to kill power to various elements of the array if necessary.

Other participants in the joint DETER-EMIST programs include Purdue University, systems engineering company Sparta Inc. of Lake Forest, Calif., and SRI International Inc. of Menlo Park, Calif.

Industry partners include Cisco, IBM Corp., Intel Corp., Hewlett-Packard Co. and Juniper Networks Inc. of Sunnyvale, Calif.

The test bed will be open to outside researchers, 'with some level of vetting,' Evans said.

The twin programs should start producing results sooner rather than later. 'As soon as the government turns the money on, they expect to see results,' Schwab said.

'I think we would start to see some benefits within 1 1/2 to two years,' Evans predicted.

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above