Detection of and response to a security breach in progress requires
special attention to legal, regulatory, policy, and ethical matters so
that the needs of security administrators and the forensics
requirements of law enforcement are balanced with the privacy rights
and expectations of users. These matters will be addressed with the
Secure Packet Vault, a tool for rapid response to an intrusion incident
or for continuous oversight of a subnet. CITI will also investigate
the uses of cryptography to address policy-imposed data handling
requirements.
Vault Architecture
The packet vault hardware is composed of two 133 MHz PCI-bus Pentium
machines interconnected via a private 100 Mbps Ethernet. One machine
(the "listener") is also connected to the network under test, and is
used to capture and encrypt the data, which are then sent over the
private Ethernet. The listener stores no packet data on magnetic
disk. The other machine (the "writer") receives the encrypted captured
data and stores them to magnetic disk for subsequent writing to
CD-ROM. The two magnetic disks on the writer are attached to a
dedicated SCSI bus; a second SCSI bus is dedicated to the CD-ROM
recorder (CD-R).
UNIX-derived operating systems were chosen for both platforms because
of our familiarity with UNIX and the flexibility it provides. OpenBSD
2.0 was chosen for the listener because of its kernel BPF support;
Linux 2.0.0 was chosen for the writer because of the early availability
of drivers for the CD-R.
All data are encrypted to allow selective release of conversations,
where a conversation is defined as all communications between a pair of
IP addresses. Packet IP addresses are obscured by substitution, and
packet data are encrypted under a symmetric key unique to each
conversation. Material needed to reconstruct all conversations is
remembered and encrypted under the public key of a trusted third
party.
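The keying scheme just described (address substitution, one symmetric key per IP-address pair, and a sealed table that lets a trusted third party release a single conversation) is easiest to see as a small model. The block below is an added example written for this page, not code from CITI's packet vault or the paper. It assumes, for illustration only, an HMAC-based substitution table for addresses, an HMAC-SHA256 counter-mode keystream standing in for whatever cipher the vault uses, and a key held only by the trusted third party standing in for that party's public key; the names Listener, ttp_release and reconstruct are hypothetical, and the traffic is constructed.

```python
"""Model of the packet vault's per-conversation keying and selective release.
Added example, not the packet vault's own code; standard library only."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Tuple


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (assumption, not the vault's cipher): XOR the data
    with an HMAC-SHA256 keystream in counter mode. Same call decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Listener:
    """Listener-side state. Nothing here touches disk; only encrypted records
    and the sealed release table ever leave this machine."""

    def __init__(self) -> None:
        self.subst_key = secrets.token_bytes(32)          # drives address substitution
        self.conv_keys: Dict[Tuple[str, str], bytes] = {}  # one key per address pair

    def pseudonym(self, addr: str) -> str:
        """Deterministic substitution: the same real address always maps to the
        same pseudonym, so traffic patterns survive but identities do not."""
        mac = hmac.new(self.subst_key, addr.encode(), hashlib.sha256).digest()
        return ".".join(str(b) for b in mac[:4])

    def conversation_key(self, a: str, b: str) -> bytes:
        """A conversation is all traffic between an unordered pair of addresses."""
        pair = tuple(sorted((a, b)))
        if pair not in self.conv_keys:
            self.conv_keys[pair] = secrets.token_bytes(32)
        return self.conv_keys[pair]

    def capture(self, src: str, dst: str, payload: bytes) -> dict:
        """Encrypt one packet: substituted addresses, fresh nonce, per-conversation key."""
        key = self.conversation_key(src, dst)
        nonce = secrets.token_bytes(16)
        return {"src": self.pseudonym(src), "dst": self.pseudonym(dst),
                "nonce": nonce.hex(), "ct": keystream_xor(key, nonce, payload).hex()}

    def release_material(self, ttp_key: bytes) -> dict:
        """Everything needed to reconstruct every conversation, sealed so that
        only the trusted third party can open it (ttp_key stands in for its public key)."""
        table = [{"addresses": list(pair),
                  "pseudonyms": [self.pseudonym(pair[0]), self.pseudonym(pair[1])],
                  "key": key.hex()} for pair, key in self.conv_keys.items()]
        nonce = secrets.token_bytes(16)
        return {"nonce": nonce.hex(),
                "ct": keystream_xor(ttp_key, nonce, json.dumps(table).encode()).hex()}


def ttp_release(ttp_key: bytes, sealed: dict, a: str, b: str) -> dict:
    """The third party opens the table and hands out one conversation's key only."""
    plain = keystream_xor(ttp_key, bytes.fromhex(sealed["nonce"]), bytes.fromhex(sealed["ct"]))
    want = sorted((a, b))
    for entry in json.loads(plain):
        if entry["addresses"] == want:
            return {"pseudonyms": entry["pseudonyms"], "key": entry["key"]}
    raise KeyError("no such conversation in the vault")


def reconstruct(records: List[dict], grant: dict) -> List[bytes]:
    """Recover the released conversation from the vault's records; records of
    other conversations carry other pseudonyms and keys and stay opaque."""
    pseud = set(grant["pseudonyms"])
    key = bytes.fromhex(grant["key"])
    return [keystream_xor(key, bytes.fromhex(r["nonce"]), bytes.fromhex(r["ct"]))
            for r in records if {r["src"], r["dst"]} == pseud]


def demo() -> Tuple[List[bytes], List[dict]]:
    """Constructed traffic: two conversations on the monitored subnet, one released."""
    listener = Listener()
    ttp_key = secrets.token_bytes(32)
    traffic = [("192.0.2.10", "198.51.100.5", b"GET /index.html"),
               ("198.51.100.5", "192.0.2.10", b"HTTP/1.0 200 OK"),
               ("192.0.2.11", "198.51.100.5", b"USER alice")]
    records = [listener.capture(s, d, p) for s, d, p in traffic]
    sealed = listener.release_material(ttp_key)
    grant = ttp_release(ttp_key, sealed, "192.0.2.10", "198.51.100.5")
    released = reconstruct(records, grant)
    still_sealed = [r for r in records if {r["src"], r["dst"]} != set(grant["pseudonyms"])]
    return released, still_sealed


if __name__ == "__main__":
    opened, closed = demo()
    print("released:", opened)
    print("records left opaque:", len(closed))
```

The point of the model is the split of trust: the listener holds the substitution key and conversation keys only in memory, the writer and the CD-ROMs hold nothing but ciphertext and pseudonyms, and the third party can release exactly one address pair without exposing anyone else's traffic.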
Project Status
The packet vault project has been completed.
We have secured funding from Dartmouth's Institute of Security Technology
Studies for a follow-on Advanced Packet Vault project.
Papers and reports
- "The Packet Vault: Secure Storage of Network Data" (with M. Undy and
  P. Honeyman), CITI Technical Report 98-5, June 1998. [Updated USENIX
  version, Proc. USENIX Workshop on Intrusion Detection and Network
  Monitoring, Santa Clara, April 1999.]
Personnel
Charles Antonelli, Principal Investigator
Matthew Undy, Graduate Student Research Assistant