We are interested in setting up an isolated network in order to study the vulnerabilities of many Operating Systems.
Essential to this project is creating a network in which access is given solely to those involved with the project. In order to achieve this measure of security, certain fundamental steps were taken. These are listed below:
- The network was contained within a locked room. The entire network is in room 2244 of EUII on the UCDavis campus. 2244 EUII is used primarily for the study of security within computer systems. Those who have access are: graduate students, computer science faculty, and a select few undergraduates (each of whom is involved in the study of network security). This might seem like a trivial aspect of security, but keeping the outside world away also means not letting them walk away with your computers.
- Access to the system was severely limited. Only those directly involved with this project were given accounts or passwords that allowed access into the system. Logs were also used in order to keep track of all logins to the system.
- The actual computer network: When setting up the lab we used many of the principles given in "An Isolated Network for Research" (pdf format), written by M. Bishop and T. Heberlein. Anyone interested in setting up their own isolated network might want to take a look at this paper. The main guidelines used in our project were:
- Having a single internet host: Any computer attached to the internet is subject to hell and brimstone. No system (at least not one created yet) has been proven to be internet safe. With this in mind, having only one computer plugged into the internet leaves the rest of the network free from network attacks. One key to this plan is that no other computer on the isolated network can have access to the internet host, and vice versa. Thus we have an internet host (used to download attack tools, scripts, etc. from the internet) and another completely separate network.
- The rest of the network contains only the computers used in this project: In order to achieve this we set up a new network on a new ethernet hub. Only those computers involved with the project were plugged into the hub. (You might think this a tad bit paranoid, but security with computers must consider everything.) We used a standard 10-network hub that came with 8 open slots. The hub uses the standard broadcast style.
- One computer was used as the vulnerabilities host: This computer is used to store all of the information downloaded from the internet host. When information was downloaded from the internet host, it was transported via zip disk and foot to the vulnerabilities host. The zip disk was the only link between the internet and our isolated network. The vulnerabilities host should not be involved with any attacks. If you attack your vulnerabilities host, you risk corrupting your network setup. The vulnerabilities host could play the parent role if needed. It could store information about each of the other computers, like a listing of all its files. This way, when an attack is done on one of the other computers, we could use the data stored on the vulnerabilities host and compare it with the data given after an attack.
- Computers and Operating systems involved: We are starting out with UNIX boxes, but any other operating systems could easily be added.
| Role | Manufacturer | Version | Operating System | Ethernet Name |
|---|---|---|---|---|
| Internet Host | Sun | SparcStation 2 | SunOS 5.4 | k2.cs.ucdavis.edu |
| Vulnerabilities Host | Sun | SparcStation 20 | SunOS 5.5 | Zeus |
| Test Box | Sun | SparcStation 5 | SunOS 4.1.3 | Demeter |
| Test Box | Sun | SparcStation 5 | SunOS 5.4 | Here |

- Some observations about initial setup:
- All initial machines were Sun Stations. This was not by design, just by stock on hand. Any system (HP, Dec, etc.) could have been used.
- All Operating Systems were SunOS. These operating systems were installed on the systems before network setup. Once again any OS could have been used.
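
The before/after comparison described above for the vulnerabilities host (store a listing of each test box's files, then compare it with the state after an attack) can be sketched as follows. This is an added example, not code from the original lab; the function names `sha256_of`, `snapshot`, `compare` and `demo`, and the small sample tree, are assumptions constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map each path under root to (kind, permission bits, size, detail)."""
    listing = {}
    for dirpath, dirnames, filenames in os.walk(root):  # symlinked dirs are not entered
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # describe a symlink itself, not its target
            kind, size, detail = "other", 0, ""  # directories, devices, ...
            if stat.S_ISREG(st.st_mode):
                kind, size, detail = "file", st.st_size, sha256_of(full)
            elif stat.S_ISLNK(st.st_mode):
                kind, size, detail = "link", 0, os.readlink(full)
            listing[os.path.relpath(full, root)] = (kind, stat.S_IMODE(st.st_mode), size, detail)
    return listing

def compare(before, after):
    """Report paths added, removed or altered between two snapshots."""
    return {"added": sorted(set(after) - set(before)),
            "removed": sorted(set(before) - set(after)),
            "changed": sorted(p for p in before if p in after and before[p] != after[p])}

def demo():
    """Constructed tree standing in for a test box; returns the diff after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        for rel, data in {"bin/login": b"version 1.0\n", "motd": b"hi\n", "notes": b"x\n"}.items():
            (root / rel).write_bytes(data)
        before = snapshot(root)  # in the lab, kept on the vulnerabilities host
        (root / "bin/login").write_bytes(b"version 1.1\n")  # same size, new content
        (root / "motd").chmod(0o755)  # permission change only
        (root / "notes").unlink()
        (root / "bin/extra").write_bytes(b"new\n")
        return compare(before, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Because the listing records a content hash and the permission bits, it catches a same-size replacement and a mode change that a plain name-and-size listing would miss; keeping the baseline on a host that is never attacked is what makes the comparison trustworthy.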