A response to the DARPA national cyber range BAA

Introduction

If you are going to make war you should practice war. No Marine crosses the line of departure without spending quality time at the rifle range. No Army tanker enters the theater of battle without spending time with a tanker bar in one hand and the end of a track in the other. There are simply tasks a soldier must train on before moving to the real battle. The Cyber Range, though, wants to replicate not just the environment of training but the actuality of conflict. Unfortunately DARPA, through the National Cyber Range, is less interested in training and more interested in testing new technologies. So instead of the Armor training center at Fort Knox we are talking about the depot at Anniston. The term National Cyber Range (NCR) is actually a misnomer: the NCR is presumptively not about cyber warfare.

There are a lot of design considerations to look at for this type of testing system. It is going to be large, it is going to be expensive, and already there are people saying it will be used for ill-conceived purposes. Likely there is some truth to that. Creating a vast Internet model that encompasses the totality of a highly dynamic system is simply not going to happen. However, you can reach a lot of the desired outcomes another way. Instead of building ten city blocks, moving all the people in, and then having the police run live-fire exercises, you build the ubiquitous "Hogan's Alley": a virtual landscape that replicates the environment of conflict in a more contained area.

 

At Purdue University Calumet we have virtualized our entire laboratory infrastructure, including applications, networks, and operating systems, and we did it literally on the cheap. In our effort to meet the needs of students the system allows anytime, anywhere, high-value access to our entire laboratory environment from any place with a broadband connection. Though trivial in measure next to the scope of the DARPA project, the design considerations and requirements are similar. Test ranges like this have been built in a variety of locations. Seen through the lens of my experience with large-scale systems, including Y2K remediation for MCIWorldcom (250K sites worldwide) and other enterprise systems, the DARPA "Cyber Range" is large but simple.

 

If I was running this project I would gather some simple statistics, some of which would be easy to get and others difficult. I would want to know the number of systems worldwide running each operating system in the environment, the regionalization (language specifics) of each system, the hardware specifics, and the utilization of those systems. This would help develop the use-case scenarios and the targets for automation. The general value, number, type, and revision levels of the backbone systems would be of interest and likely easier to gather; a lot of this data exists inside the billing systems of the Internet service providers. Then I would build a physical picture based on the data. Sizing the national cyber range would mean including a statistically significant number of the least populated system types and sizing the rest of the range in proportion to that.

 

Modeling the Internet really starts at the physical level: gathering the undersea cable locations, the termination points, and the way the physical infrastructure connects would drive the layout of the cyber range at the physical level. Contrary to media hype the Internet is a relatively weak physical network, as recent cuts in undersea cables exposed. Figuring out all of those physical connections would be the first piece of the connectivity modeling. Any one of my first-year networking/security students will tell you that a physical full-mesh topology is near impossible but a logical full mesh is easy. Any network is subject first to physical disruption and denial of service by simply unplugging (or cutting) the cable. The squirrels in my neighborhood are the most effective hackers, second only to the guy with a backhoe and no desire to phone "Call before you dig".

 

The NCR, though, isn't going to be designed to replicate the Internet. The goal, it appears, will be to replicate the technologies and not the totality of the infrastructure. This is analogous to training troops to recognize the weapon systems of an adversary but not the tactics the adversary will employ against them. The technologies are simply the tools, and as we have seen in the past the vision to see past the toys is limited. The NCR will fail as currently being implemented unless the vision is inclusive of all seven layers of the OSI model. The seven-layer model also has an eighth layer: the people, the politics, and the behaviors of the users.

 

Being able to replicate the activities of users is always going to be interesting. A comprehensive method of generating traffic by having real users actively integrated into the testing activity is generally not possible. However, it is possible to gather usage data on classes of users and generate scripts that replicate their behaviors. This is done extensively by software companies testing software for usability. The skills, type, and general paradigm of the user are going to be important: computer scientists are going to have a different usage profile than secretaries. People are not the only users on a network, either. Devices are also users on a network, and they respond to the different traffic flows as part of their operation.

 

The physical connections should be implemented as real physical connections in the "Cyber Range", because virtual connections are not subject to the same issues when attacked. One obvious issue is that this network is going to need a "Carnivore" or "Echelon" type of application running on it; we will talk about that later. Simple modeling of the data network of the Internet is not going to be enough, though. Much as the Army and the Air Force practice close air support of infantry and armor, and the Navy trains for naval bombardment and amphibious landings with the Marines, this project is going to have to integrate too. The data network is used with and integrated into the plain old telephone system (POTS); it is also part and parcel of the microwave repeater systems, the cell phone systems, and now municipal wireless (e.g. WiMAX). Every new technology that lets a leaf of the Internet (a user) connect to the data systems, whether a T-1, an ISDN phone connection, or wireless, is a new technique that has to be added to this program.

 

It is possible to model network connections virtually, but several issues will arise. For instance the End User License Agreement (EULA) for many systems is restrictive on the possibility of virtualization. Cisco, Apple, and many other companies forbid virtualization of their operating systems outright. So simply putting all of the systems and networking components into a virtual world will likely not work in total. There may be limited development licenses and "government use only" agreements that I am unaware of that would allow for full virtualization.

 

There is a part of the DARPA proposal that is secret, or at least confidential. I do not currently hold a clearance of any kind and it doesn't look like I will be able to get into the "secret" portion of the workshop either. That section may contain requirements dealing with wiretapping and monitoring. There is a lot of angst about this in the rabid press, but to be honest tapping data communication is relatively easy. Enterprises do it all the time with intrusion detection systems, and in truth host-based intrusion detection systems like virus protection serve the same purpose, only in a benign way. Any intelligence agency hooking into the main routers/switches we identified earlier as part of the overseas connections could do the same thing. Identifying the domestic "senior" node locations like Kansas City, Chicago, New York, Reston, Virginia, LA, Seattle, Dallas, etc. would not take a rocket scientist. Well, maybe a computer scientist. The problem is the volume of data. How do you drink from a fire hose? Use a straw and only sip what you need. The trick is knowing what you need.

 

Besides replicating multi-homed systems, the "Cyber Range" is going to need an administrative network, a secure network, and likely an experimentation network, all running in parallel. That is a lot of bits being blown around. If the networks are not separated, the fidelity of the systems and any science done on them will be compromised. The goals and objectives of the "Cyber Range" are interesting and give some insight into the issues. After responding to the goals and objectives a proposed solution will be discussed in some detail. However, since this will be posted as a public document (but copyrighted) the solution will be partial and not in the depth it could be.

 

Goals

 

The following are the goals DARPA has stated for the proposal. Each goal is given and then some limited commentary on it.

 

Conduct unbiased, quantitative and qualitative assessment of information assurance and survivability tools in a representative network environment.

 

Right off the bat, the idea of "unbiased" is going to be an issue. To really succeed the system is going to have to replicate the worldwide environment and the widest possible set of systems or solutions. It is also interesting to note that to assess information assurance and survivability they are going to have to build in chaos and chance. The only way to do that is to replicate the users. Replicating users requires understanding them, and that is where most organizations fall down: they model what the users should do rather than what the users actually do.
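As an added illustration (not part of the original response, and not DARPA's or any vendor's tooling), here is one way to turn the classified usage data described in the user-replication discussion above into replayable behavior that also carries the "chaos and chance" this goal asks for: each class of user becomes a small Markov chain over actions, with jittered think times, seeded so a run is reproducible. The profile names, action names, transition probabilities and think times below are constructed numbers standing in for what a real study would measure from what users actually do.

```python
"""Added example, not from the original response: user classes as Markov
chains of actions, replayable as a scripted traffic timeline for a range."""
import random
from collections import Counter

# Hypothetical profiles.  Each row maps an action to the next-action
# distribution; a real range would fit these rows from observed logs.
PROFILES = {
    "secretary": {
        "email": [("email", 0.5), ("web", 0.3), ("docs", 0.2)],
        "web":   [("email", 0.4), ("web", 0.4), ("docs", 0.2)],
        "docs":  [("email", 0.5), ("web", 0.2), ("docs", 0.3)],
    },
    "computer_scientist": {
        "ssh": [("ssh", 0.6), ("web", 0.2), ("scm", 0.2)],
        "web": [("ssh", 0.5), ("web", 0.3), ("scm", 0.2)],
        "scm": [("ssh", 0.7), ("web", 0.2), ("scm", 0.1)],
    },
}
# Hypothetical mean think time in seconds before the next action.
THINK_TIME = {"email": 30, "web": 20, "docs": 120, "ssh": 45, "scm": 15}


def validate_profiles():
    """Every row must be a probability distribution over known actions."""
    for rows in PROFILES.values():
        for row in rows.values():
            if abs(sum(p for _, p in row) - 1.0) > 1e-9:
                return False
            if any(nxt not in rows for nxt, _ in row):
                return False
    return True


def next_action(profile, current, rng):
    """Sample the next action from the row for `current` (inverse CDF)."""
    r, acc = rng.random(), 0.0
    for action, p in PROFILES[profile][current]:
        acc += p
        if r < acc:
            return action
    return PROFILES[profile][current][-1][0]   # guard float rounding at 1.0


def generate_session(profile, start, steps, seed=0):
    """Return [(t_seconds, action), ...] for one simulated user.

    The seed makes the 'chance' reproducible, so an experiment can be rerun
    against the same user script.
    """
    rng = random.Random(seed)
    t, action, events = 0.0, start, []
    for _ in range(steps):
        events.append((t, action))
        # Frailty: people do not act like clocks, so jitter the think time.
        t += THINK_TIME[action] * rng.uniform(0.5, 1.5)
        action = next_action(profile, action, rng)
    return events


def action_mix(events):
    """Fraction of events per action, to compare generated vs. observed use."""
    counts = Counter(a for _, a in events)
    total = sum(counts.values())
    return {a: n / total for a, n in counts.items()}


if __name__ == "__main__":
    for prof, start in (("secretary", "email"), ("computer_scientist", "ssh")):
        mix = action_mix(generate_session(prof, start, 1000))
        print(prof, {k: round(v, 2) for k, v in sorted(mix.items())})
```

The point of the mix check is the "should do versus actually do" gap: if the generated action mix does not match the observed mix for that class of user, the rows are wrong, not the users.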

 

The NCR is going to be representative of some subset of the totality of network design and likely not comprehensive in nature. The time constraints set forward and the scalability numbers provided for Phase 4 suggest a proposal that leans heavily toward virtualization. That as a requirement will limit some of the testing scenarios. There are a few ways to get further toward the universe of networking equipment, but consider that there are thousands of networking device types (based on my experience at MCIW and Y2K; I wish I had a copy of the equipment database now). Each equipment type has many (an unknown quantity of) revision levels of firmware and operating systems, with a considerable matrix of possible configurations. That is just networking hardware, and it is not nearly as chaotic as server and user-class systems. Then there is the world of government- and military-only hardware and software.

 

This leaves the statement "representative network" still in question. The simplistic statement by the contracting officer to "let the proposers define it" is egregiously in error and flawed in pricing. A customer unwilling to set a scope does not know what they want. Surprisingly, however, there is a way to make the issue moot.

 

Replicate complex, large-scale, heterogeneous networks and users in current and future Department of Defense (DoD) weapon systems and operations.


Any system created that would be of significant value is going to have to be constantly maintained. There are some current commercial off-the-shelf (COTS) enterprise tools that are easily capable of spawning user and server systems rapidly. In other words, changes in the environment occurring in a pseudo-chaotic mode would be fairly simple to do. Whether it is Deep Freeze, Ghost, or some custom tool, that spawning would have to be done on an administrative network. Making a specific target network within the heterogeneous environment could be done by adapting modeling software like OPNET, NS2, or Cisco ConfigMaker (though they are all too simplistic) so that the network meets a design and is populated from the administrative network side.

 

Enable multiple, independent, simultaneous experiments on the same infrastructure.

 

Fidelity of the testing will be an issue if the system cannot be segmented. The nature of any simultaneous use and the specifics of the experiments will drive elements of the design. For the most flexible system, the ability to segment, separate, or provide silos of capability is easily going to be the best solution. Once again this suggests that the control mechanisms and software are going to be the long pole in this development effort. Network management software like HP OpenView and other common tools can provide some monitoring capability. What will be necessary is active management capability. There are several software vendors that can accomplish this easily, but DARPA says they want something revolutionary. Reaching into the bag of tricks, SNMPv3 could be expanded to do a lot of this, and if the management network were running on IPv6 much of the security concern and segmentation issue could be alleviated. Extending IPv6 so that control could be done without others seeing might also allow some of the top secret experiments to be run on the same non-secret systems.

 

Enable realistic testing of Internet/Global Information Grid (GIG) scale research.

 

When we go global in scale, that reopens the previously discussed scope and scalability issues. "Scalability" is often used by engineers as a talisman to ward off fear of success. The issue with global scale is that no matter what kind of virtualization is considered, system failure is going to be a problem. So getting realistic testing is going to require realistic failure. One of the little-known problems with commodity clusters and grids is that one or two percent failure rates result in significant degradation as the management task increases. The detection of failure in large commodity supercomputer clusters can itself become an issue. So on the one hand we have a requirement for flexibility and on the other large-scale scalability issues. To achieve this, automation is the only true answer, and the vaporware extended enhancement of SNMPv3 is going to be needed. How that enhancement would look is an open issue, but it will be the only way to reach the objective. The testing scenario suggests injecting trouble into the network, using the network as a carrier device, allowing infection to spread along the paths of the network, or modeling particular behaviors of users and system administrators (humanistic). The global aspects of this scenario would be handled by modeling the entirety of the system at the physical and logical network layers.

 

Develop and deploy revolutionary cyber testing capabilities.

 

Only I get to engage in hyperbole and say "then magic happens". Getting to revolutionary while modeling the current state of the network is a dichotomy of ideas. It is achievable in the short term by simply understanding the multiple layers of network that will actually exist. The "model" network (think tincture, atoms, stuff being treated) will be the state being experimented on; the "management" network will provide the instrumentation of the network and the setup functions (it's the beakers, vials, and Bunsen burners); the "observation" network (think oscilloscopes, volt meters, etc.) is the sensor system that allows data to be collected. Doing this is not revolutionary; it models the methods used in high-end enterprises currently. What is revolutionary is the utilization model. Add to this the multiple technologies, operating systems, and hardware solutions that would be needed and the scope climbs to the extraordinary.

 

Enable the use of the scientific method for rigorous cyber testing.

 

Which scientific method? Treat and measure the response, or observe and catalog the results? In an inherently chaotic system, where the model must break in unknown ways to be truly valuable, only trends will truly be reportable. Networks are inherently unstable at the micro level and inherently stable at the macro level. Attempting to establish true causation between treatment and control is going to be nearly impossible. People may say that it is possible, but then they won't be modeling the Internet. The principles of most protocols are based on the maximal effects of chaos (I know I've used that word a lot but it is likely the best) and on overcoming the possibility of outages, conflict for resources, and delays in transmission.

 

 

Objectives

 

The DARPA Objectives lay out a fairly consistent plan for a data center capable of handling the solution as required. Understanding that this is a $20 BILLION project, there are substantial and obvious expectations for investment. All I want is a few million dollars, but I'm a junior professor from a regional university so I'm lucky if somebody gives me a nickel. If I was building this I would use "green" construction methods, build the facility in a semi-rural area using big-box building techniques, build it above any flood plain, sink most of it into the ground, and protect it from most man-made and natural disasters. This would be a good place to ride out a zombie outbreak.

 

The facility would need to be reconfigurable and have some type of organization that immediately makes sense. I would build it all on one floor. I would lay out the data center as if it were a Mercator-projected map, with the systems modeling Asia in a section designated as such, and so on. Obviously Central Africa is not going to have the density of systems that the European Union would have, so I would place office, work, management, and repair space in those areas, thus violating the rule of all data centers that you keep the heathens (users) out of the data center.

 

The data center would use glassed-in racks holding all equipment, and grounded equipment (like telephone switches) would be caged. This is to protect the systems, but more importantly to create a demarcation point that replicates the physical space and distance between systems. Solving the wireless communications paradigm while maintaining security is going to require some careful engineering. Whether Faraday cages or simple distance are used, getting the wireless modeled and then implemented could be an interesting part of the data center design.

 

The following are the DARPA objectives with commentary:

 

All necessary resources including but not limited to test facilities, utilities (power, water, etc), physical security, and heating, ventilation and air conditioning (HVAC).

 

To make the "Cyber Range" the most effective, the test facilities should be accessible from a variety of locations, but for the sake of security a central facility would be the best option. Though it will be very hard to guarantee or even effectively accomplish, the "Cyber Range" should not be accessible from the regular commercial Internet. This is contrary to other requirements. The various utilities should include conditioned power. Physical security of this facility should be of the highest order; a physical security plan should include at least five concentric rings of protection between uncontrolled public spaces and the machines inside the data center. Heating and air conditioning (HVAC) could include some "green" solutions if the building were built correctly to start.

 

When looking at the layout and creation of test facilities, the primary suggestion is that the winning bidders on this project visit the AT&T Network Operations Center. If the "Cyber Range" does not at least look somewhat like this then it has been done wrong. A primary room overlooking the data center, with different levels to work from and centralized screens relaying SNMP information, would make for a great solution. The data representations would most closely mimic a national backbone (from the BAA materials) that represents the myriad facilities that already exist. Behind this "bridge" would be office space (likely two floors' worth) of secure areas and workspaces to inject, experiment, and/or pull data from the range.

 

All personnel necessary to design, operate, and maintain range, to include but not limited to management, administration, system administration and engineering personnel.

 

The range personnel will not be the primary users but the administrators of it. This range would be a 24/7/365 operation. Looking at the management, scale, intended use, and likely intensity of operations, a hierarchical management with subject matter experts (SMEs) on staff to help scientists would be a good solution. SMEs would be in charge of monitoring the current research activities and maintaining the substantial intellectual history of the project. A variety of technologies, from SNMP to wikis, forums, and run-book solutions, would help keep the intellectual property available to help solve the repetitive experimentation that might occur.

 

Thinking about the management, design, and assistance aspects, it is imperative that both academic and vendor disciplines be included in the staff of the facility. As an example, senior vendor-trained personnel from Cisco (CCIE, CCNP) would support normal management of the facility, but academics are not bound by vendor specificity or blinded by training. Holistic networking and system views for personnel at all levels should be encouraged, along with a healthy dose of skepticism. Acceptance of a paradigm without challenging it on a daily basis will degrade the usefulness of the "Cyber Range" rapidly. This should be a facility managed as unaccepting of the status quo, and that may be hard to do with normal information technology staff.

 

All necessary administration to include necessary certification/accreditation, Concept of Operation (CONOP) development, security management, test scheduling, and processes.

 

Individual elements of the network would have to be created to adhere to specific industry certifications, such as those for credit card transaction systems, banking transaction systems, and check clearance systems. Some of the standards are not documented but are considered best practices or are defined by the currency of the way things are being done. Libraries and media repositories do not have specific written standards (the Library of Congress being a counter-example), but they do have traditional methods that are part of their culture.

 

The staff should include project managers with substantive information technology experience and scientific service experience. The staff should include a permanent joint military presence as representatives of their associated services. One field-grade officer, with associated staff officers and enlisted grades (specializing in information technology), would round out the military presence. A civilian senior executive staff appointment would head the facility. The various governmental civilian services would be required to provide staff and management personnel. For continuity of personnel a cadre of specialists would be permanently assigned.

 

With this kind of staffing the question immediately comes up: who is doing what kind of work, and where would the requirements for the work come from? The DARPA BAA discusses continuity of operations, yet part of this range would be creating situations that result in the cessation of operations. Among the computer scientists and information technologists should be a cadre of forensic scientists. If something gets broken or doesn't work, the answer to why might not be as simple as what happened a moment before.

 

The ability to replicate large-scale military and government network enclaves.

 

This is of course going to require a Top Secret requirement for the entire network. Consider the standards for security and physical separation: if this type of experiment is going on it would subject the military network to scrutiny that may be considered detrimental. One specific thing that could be done is to embargo segments of the network for just this situation.

 

The use of VPNs and IPsec could help in controlling the systems and their cross-talk, but without physical separation there is no possible way to be sure that contamination and loss of control will not occur.

 

The ability to replicate commercial and tactical wireless and control systems.

 

This is covered by earlier requirements.

 

The ability to connect to distributed, custom facilities and/or capabilities as necessary to incorporate specialized capabilities, effects, or infrastructures. 

 

This should be fairly easy if the original constraints and construction take into account the ability to plug in modules of capability on demand. There should be a concerted effort to identify future components, but if an application programming interface is defined and available, just about any custom tool could be added to the infrastructure. Adding high-speed or clustered computers to a clustered computing environment may require that external dedicated hardware be purchased.


External hardware will affect the turnaround time and the template tools of the system. It should be negotiated with the customer to make sure that external entities are not considered part of the internal service level agreements.

 

Interactive test suites to design, configure, monitor, analyze, and release tests.

 

There are a variety of test suites currently available on the market. More importantly, it should be expected that the different entities will have specialized cases that require tools to be created or adapted.

 

 

A robust range management suite.

 

This particular requirement needs more definition to differentiate it from earlier requirements.

 

A large pool of heterogeneous systems (nodes) as well as the ability to rapidly integrate new nodes.

 

This requirement suggests that virtualization cannot be used, but if it is allowed a variety of nodes and systems should be easy to integrate.

 

The ability to rapidly generate and integrate replications of new machines.

 

TBD

 

The ability to integrate new research protocols.

 

TBD

 

A test toolkit/repository for reuse of recipes and architectures.

 

This sounds like a redundant requirement, repeating "interactive test suites" above.

 

Forensic quality data collection, analysis, and presentation.

 

Forensics is about data or evidence collected in a manner that can sustain a court case. The secondary network, encryption algorithms, and protocols should allow for this level, or near it. Controls on the systems are the important part of the requirement.
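As an added example (not from the original response, and not DARPA's or any vendor's code), one concrete control of the kind this objective calls for: a hash-chained, keyed collection log kept on the observation network, in which every record's tag covers the previous tag, the sequence number and the record itself, so that editing, reordering or dropping a record inside the log is detectable on verification. The collection key, sensor names, artifact names and hashes are constructed for illustration.

```python
"""Added example, not from the original response: a hash-chained, keyed
collection log for range sensor data.  Each entry's tag is an HMAC over the
previous tag, the sequence number and the record, so an edit, deletion or
reordering inside the log changes a tag and fails verification."""
import hashlib
import hmac
import json

# Hypothetical per-experiment collection key.  It belongs on the observation
# network's collector, never on the systems under test.
COLLECTION_KEY = b"example-collection-key-replace-in-deployment"
GENESIS = "0" * 64   # prev-tag for the first entry


def _tag(prev, seq, record):
    """Keyed digest over a canonical (sorted-key, no-whitespace) JSON body."""
    body = json.dumps({"seq": seq, "prev": prev, "record": record},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(COLLECTION_KEY, body, hashlib.sha256).hexdigest()


def append(log, record):
    """Append one record, chained to the previous entry.  Returns the log."""
    prev = log[-1]["tag"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "prev": prev, "record": record,
                "tag": _tag(prev, seq, record)})
    return log


def verify(log):
    """Return (True, None) if the chain is intact, else (False, first_bad_seq).

    Tail truncation is not visible from the log alone: record head(log) out
    of band (for example signed by the observation network) to close that gap.
    """
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != expected_prev:
            return False, i
        recomputed = _tag(entry["prev"], entry["seq"], entry["record"])
        if not hmac.compare_digest(entry["tag"], recomputed):
            return False, i
        expected_prev = entry["tag"]
    return True, None


def head(log):
    """Tag of the last entry, the value to publish out of band."""
    return log[-1]["tag"] if log else GENESIS


# Constructed sample: what three collectors on the observation network might
# report for one run.  File names, times and hashes are made up.
SAMPLE_RECORDS = [
    {"sensor": "obs-tap-01", "t": "2008-06-01T12:00:00Z",
     "artifact": "run7/tap01.pcap", "sha256": "a" * 64, "bytes": 1048576},
    {"sensor": "obs-host-agent-17", "t": "2008-06-01T12:00:05Z",
     "artifact": "run7/host17-syslog.txt", "sha256": "b" * 64, "bytes": 20480},
    {"sensor": "obs-tap-02", "t": "2008-06-01T12:00:09Z",
     "artifact": "run7/tap02.pcap", "sha256": "c" * 64, "bytes": 524288},
]


def build_log(records):
    log = []
    for r in records:
        append(log, r)
    return log


def tamper_demo():
    """Silently changing one record is caught at that record's sequence number."""
    log = build_log(SAMPLE_RECORDS)
    forged = [dict(e) for e in log]
    forged[1] = dict(forged[1], record=dict(forged[1]["record"], bytes=0))
    return verify(log), verify(forged)


if __name__ == "__main__":
    print(tamper_demo())   # ((True, None), (False, 1))
```

The log only proves integrity of what was written to it; the artifacts it names (the capture files) still need their own digests, which is why each record carries one, and the key must not be reachable from the model network or an attacker inside the experiment can rewrite the chain.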

 

Realistically replicate human behavior and frailties.

 

This has been discussed in depth. 

 

Realistic, sophisticated, nation-state quality offensive and defensive opposition forces.

 

TBD. Interesting but requires more definition.

 

Dedicated on-site, support for installation, troubleshooting, and testing.

TBD

 

 

The ability to accelerate and decelerate relative test time.

 

TBD

 

The ability to encapsulate and isolate tests, data storage, and networks.

 

TBD, redundant requirement.

 

A knowledge management repository for test case samples and past experiences that can be used for future endeavors.

 

TBD

 

A malware repository.

 

Several of these currently exist but what doesn’t exist is an effective method to create them on the fly. As many different entities create or publish exploits for applications and operating systems the method to move the exploit from known to useable is non-trivial. Open source tools like MetaSploit Framework make the task easier but a more robust user friendly tool capable of following a script of tactics and paths would be better. As stated several entities maintain malware repositories so including tIntroduction

 

If you are going to make war you should practice war. No Marine traverses the line of departure without spending quality time at the rifle range. No Army tanker enters the theater of battle without spending time with a tanker bar in one hand and the end of a track in the other hand. There are simply tasks that a soldier must train before moving to the real battle. The Cyber Range though wants to replicate not just the environment of training, but the actuality of conflict. Unfortunately DARPA through the National Cyber Range is less interested in training and more interested in testing new technologies. So instead of the Armor training center in Fort Knox we’re talking about the depot at Anniston. The term National Cyber Range (NCR) is actually a non sequitur. The NCR is presumptively not about cyber warfare. 

 

There are a lot of design considerations that can be looked at for this type of testing system. It is going to be large, it is going to be expensive, and already there are people saying that it will be used for ill-conceived purposes. Likely there is some truth to that. Creating a vast Internet model that encompasses the totality of a highly dynamic system is simply not going to happen. However, you can reach a lot of the desired outcomes. Instead of creating ten city blocks, moving all the people in, and then having the police do live fire exercises you can create the ubiquitous “Hogan’s Alley” or a virtual landscape that replicates the environment of conflict in a more contained area. 

 

At Purdue University Calumet we have virtualized our entire laboratory infrastructure including applications, networks, operating systems, and we did it literally on the cheap. In our effort to meet the needs of students the system allows for anytime, anywhere, high value access to our entire laboratory environment, any place with a broadband connection. Though trivial in measure to the scope of the DARPA project they are similar design considerations and requirements. These test ranges have been built in a variety of locations. Projected through a lens of my experience dealing with large scale systems in dealing with Y2K for MCIWorldcom (250K sites world wide), and other enterprise systems the DARPA “Cyber Range” is large but simple. 

 

If I was running this project I would gather some simple statistics some of which would be easy and others that would be difficult. I would want to know the number of systems world wide using every operating system in the environment, the regionalization (language specifics) of each system, the hardware specifics, and the utilization of those systems. This would help develop the use case scenarios and targets for automation. The general value, number, type, and revision levels of the backbone systems would be of interest and likely easier to gather. A lot of this data exists inside the billing systems of the Internet Service Providers. Then I would build a physical picture based on the data. Sizing the national cyber range would require a statistically significant number of the least populated systems and sizing the rest of the range based on that.

 

Modeling the Internet really starts at the physical level. Gathering the under-sea cable locations, termination points, and how the physical infrastructure would create the layout of the system on a physical level for the cyber range. Contrary to media hype the Internet is a relatively weak physical network as recent cuts in under-sea cables exposed. Figuring out all of those physical connections would be the first piece in the connectivity modeling. Any one of my first year networking/security students will tell you that a physical full mesh topology is near impossible but a logical full mesh topology is easy. Any network is subject first to a physical disruption and denial of service attack by simply unplugging (cutting) the cable. The squirrels in my neighborhood are the most effective hackers, second only to the guy with a backhoe and no desire to phone “Call before you dig”.

 

The NCR though isn’t going to be designed to replicate the Internet. The goal it appears will be to replicate the technologies and not the totality of the infrastructure. This analogous to training troops to recognize the weapons systems of an adversary and not the tactics that the adversary will employ against them. The technologies are simply the tools and as we have seen in the past the vision to see past toys is limited. The NCR will fail as currently being implemented unless the vision is inclusive of all the OSI 7-layer model. The seven layer model has an eighth layer and that is the people and politics and behaviors of the users.

 

Being able to replicate the activities of users is always going to be interesting. A comprehensive method of generating traffic and having users actively integrated into the testing activity is generally not possible. However, it is possible to gather usage data on classifications of users and generate scripts that replicate their behaviors. This is done extensively by software companies who are testing software for usability. The skills, type, and general paradigm of the user are going to be important. Computer scientists are going to have a different usage profile than secretaries. People are not the only users on a network. Devices are also users on a network and they are responding to the different traffic flows as part of their operation.
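One way to turn usage data on classes of users into replayable scripts, as an added example that is not part of the original post: each class gets an action mix and a think time (the profiles, class names and numbers below are constructed placeholders, not measured data), a seeded generator produces a time-ordered event script per user, and a fidelity check confirms the generated mix matches the profile it came from. A printer is included as a device “user” to show that non-human traffic fits the same model.

```python
import random
from collections import Counter

# Constructed usage profiles: relative frequency of each action observed for a
# class of user, and the mean think time between actions. The numbers are
# illustrative placeholders, not measured data.
PROFILES = {
    "secretary":     {"actions": {"email": 5, "web": 3, "fileshare": 2},
                      "mean_gap_s": 90.0},
    "cs_researcher": {"actions": {"ssh": 4, "git": 3, "web": 2, "email": 1},
                      "mean_gap_s": 30.0},
    "printer":       {"actions": {"snmp_poll": 9, "dns": 1},   # a device "user"
                      "mean_gap_s": 60.0},
}


def generate_script(user_class, duration_s, seed=0):
    """Replay script for one user of the given class: a list of
    (t_seconds, user_class, action) events covering duration_s.
    Gaps are exponential (Poisson arrivals); the action mix follows the profile."""
    prof = PROFILES[user_class]
    rng = random.Random(seed)          # seeded so an experiment is repeatable
    actions = list(prof["actions"])
    weights = list(prof["actions"].values())
    t, events = 0.0, []
    while True:
        t += rng.expovariate(1.0 / prof["mean_gap_s"])
        if t > duration_s:
            break
        events.append((round(t, 1), user_class, rng.choices(actions, weights)[0]))
    return events


def merge_scripts(*scripts):
    """Interleave several users' scripts into one time-ordered replay."""
    return sorted(event for script in scripts for event in script)


def profile_mix(user_class):
    """Target action fractions for a class."""
    weights = PROFILES[user_class]["actions"]
    total = sum(weights.values())
    return {a: w / total for a, w in weights.items()}


def observed_mix(events):
    """Action fractions actually present in a script, for a fidelity check."""
    counts = Counter(action for _, _, action in events)
    n = sum(counts.values()) or 1
    return {a: c / n for a, c in counts.items()}


if __name__ == "__main__":
    day = generate_script("cs_researcher", 8 * 3600, seed=42)
    print(len(day), "events; observed mix", observed_mix(day))
```

The seed is what makes the script a control: the same seed replays the same background behavior under two treatments, so a difference in outcome is attributable to the treatment rather than to the users. Profiles built from what users actually do, as the post argues, simply replace the constructed numbers above.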

 

The physical connections should be implemented as real physical connections in the “Cyber Range”, as virtual connections are not subject to the same issues when attacked. One obvious issue is that this network is going to need a “Carnivore” or “Echelon” type of application running on it. We will talk about that later. Simple modeling of the data network of the Internet is not going to be enough though. Much like the Army and the Air Force practice close air support of infantry and armor, and the Navy trains for naval bombardment and amphibious landings with the Marines, this project is going to have to integrate too. The data network is used and integrated with the plain old telephone system (POTS); it is also part and parcel of the microwave repeater systems, the cell phone systems, and now municipal Wi-Fi (e.g. WiMAX). Every new technology that allows a leaf of the Internet (a user) to connect to the data systems, whether it be a T-1, ISDN phone connection, or wireless, is a new technique that has to be added to this program.

 

It is possible to model network connections virtually, but several issues will arise. For instance, the End User License Agreements (EULAs) for many systems are restrictive on the possibility of virtualization. Cisco, Apple, and many other companies forbid virtualization completely for their operating systems. So simply putting all of the systems and networking components into a virtual world will likely not work in total. There may be limited development licenses and “government use only” agreements that I am unaware of that will allow for full virtualization.

 

There is a part of the DARPA proposal that is secret or at least confidential. I do not currently hold a clearance of any kind and it doesn’t look like I will be able to get into the “secret” portion of the workshop either. That section may contain requirements dealing with wire tapping and monitoring. There is a lot of angst about this in the rabid press, but to be honest tapping data communication is relatively easy. Enterprises do it all the time with intrusion detection systems, and in truth host based intrusion detection systems like virus protection serve the same purpose, only in a benign way. Any intelligence agency hooking into those main routers/switches we identified earlier that are part of the overseas connection would achieve the same purpose. Identifying the domestic “senior” node locations like Kansas City, Chicago, New York, Reston, Virginia, LA, Seattle, Dallas, etc. would not take a rocket scientist. Well, maybe a computer scientist. The problem is the volume of data. How do you drink from a fire hose? Use a straw and only sip what you need. The trick is knowing what you need.

 

Besides replicating multi-homed systems the “Cyber Range” is going to need an administrative network, a secure network, and likely an experimentation network that all run in parallel. That is a lot of bits being blown around. If the networks are not separated the fidelity of the systems and any science will be compromised. The goals and objectives of the “Cyber Range” are interesting and give some insight into the issues. After responding to the goals and objectives a proposed solution will be discussed in some detail. However, since this will be posted as a public document (but copyrighted) the solution will be partial and not in the full depth it could be.

 

Goals

 

The following are the goals that have been stated by DARPA for their proposal. Each goal is given, followed by some limited commentary.

 

Conduct unbiased, quantitative and qualitative assessment of information assurance and survivability tools in a representative network environment.

 

Right off the bat the idea of unbiased is going to be an issue. To really succeed the system is going to have to replicate the world wide environment and the widest possible set of systems or solutions. It is also interesting to note that for assessment of information assurance and security they are going to have to build in chaos and chance. The only way to do that is to replicate the users. To replicate users will require understanding them and that is where most organizations fall down. They model on what the users should do rather than what the users actually do.

 

The NCR is going to be representative of some subset of the totality of network design and likely not comprehensive in nature. The time constraints as set forward and scalability numbers provided for phase 4 systems suggest a proposal that leans heavily toward virtualization. That as a requirement will limit some of the testing scenarios. There are a few ways to get further toward the universe of networking equipment but you have to consider that there are thousands of networking device types (based on my experience at MCIW and Y2K I wish I had a copy of the equipment database now). With each equipment type there are many (unknown quantity) revision levels of firmware and operating systems with the considerable matrix of possible configurations. That is just networking hardware and not nearly as chaotic as server and user class systems. Then there is the world of government and military only hardware and software.

 

This leaves the statement “representative network” still in question. The simplistic statement by the contracting officer to “let the proposers define it” is egregiously in error and flawed for pricing. A customer unwilling to set a scope does not know what they want. However, surprisingly, there is a way to make the issue moot.

 

Replicate complex, large-scale, heterogeneous networks and users in current and future Department of Defense (DoD) weapon systems and operations.


Any system created that would be of significant value is going to have to be constantly maintained. There are some current enterprise tools that are commercial off the shelf (COTS) solutions that are easily capable of spawning users and server systems rapidly. In other words, changes in the environment occurring in a pseudo chaotic mode would be fairly simple to do. Whether it be Deep Freeze, Ghost, or some custom tool, that spawning would have to be done on an administrative network. Making a specific target network within the heterogeneous environment could be done by adapting modeling software like OPNET, NS2, or Cisco Config Maker (though they are all too simplistic) so that the network meets a design and is populated through the administrative network side.

 

Enable multiple, independent, simultaneous experiments on the same infrastructure.

 

Fidelity of the testing will be an issue if the system cannot be segmented. The nature of any simultaneous use and the specifics of the experiments will drive elements of the design. For the most flexible system the ability to segment, separate, or provide silos of capability is easily going to be the best solution. Once again this suggests that control mechanisms and software are going to be the long pole in this development effort. Small network management software solutions like HP OpenView and other common tools can provide some monitoring capability. What will be necessary is active management capability. There are several software vendors that can accomplish this easily, but DARPA says they want something revolutionary. Reaching into the bag of tricks, SNMPv3 could be expanded to do a lot of this, and if the management network were running on IPv6 many of the security concerns and segmentation issues could be alleviated. Expanding IPv6 so that control could be done without others seeing might also allow for some of the top secret experiments to be done on the same non-secret systems.

 

Enable realistic testing of Internet/Global Information Grid (GIG) scale research.

 

When we go global in scale that opens the previously discussed scope and scalability issues. Scalability is often used by engineers as a talisman to ward off fear of success. The issue with global scale is that no matter what kind of virtualization is considered, system failure is going to be a problem. So getting realistic testing is going to require realistic failure. One of the little known problems with commodity clusters and grids is that one or two percent failure rates result in significant degradation as the management task increases. The detection of failure in large commodity supercomputer clusters can become an issue. So on the one hand we have a requirement for flexibility and on the other large scale scalability issues. To achieve this, automation is the only true answer and the vaporware extended enhancement on SNMPv3 is going to be needed. How that enhancement would look is an issue, but it will be the only way to reach the objective. The testing scenario suggests injecting trouble into the network, using the network as a carrier device, allowing infection to spread along the paths of the network, or modeling particular behaviors of users and system administrators (humanistic). The global aspects of this scenario would be handled by modeling the entirety of the system on the physical and logical network layers.

 

Develop and deploy revolutionary cyber testing capabilities.

 

Only I get to engage in hyperbole and say “then magic happens”. To get to revolutionary and to model the current state of the network is a dichotomy of ideas. It is achievable in the short term by simply understanding the multiple layers of network that will actually exist. The “model” network (think tincture, atoms, stuff being treated) will be the state to be experimented on, the “management” network will provide the instrumentation of the network and set up functions (it’s the beakers, vials, and Bunsen burners), and the “observation” network (think oscilloscopes, volt meters, etc.) is the sensor system that allows for data to be collected. Doing this is not revolutionary; it models the methods used in high-end enterprises currently. What is revolutionary is the utilization model. Add to this the multiple technologies, operating systems, and hardware solutions that would be needed and the scope climbs to the extraordinary.

 

Enable the use of the scientific method for rigorous cyber testing.

 

Which scientific method? Treat and measure response, or observe and catalog results? In an inherent system of chaos where the model must break in unknown ways to be truly valuable only trends will truly be reportable. Networks are inherently unstable at the micro level, and inherently stable at the macro level. Attempting to provide true causation between treatment and control is going to be nearly impossible. People may say that it is possible but then they won’t be modeling the Internet. The principles of most protocols are based on the maximal effects of chaos (I know I’ve used that word a lot but it is likely the best), and using it to overcome the possibility of outages, conflict for resources, and delays in transmission.

 

 

Objectives

 

The DARPA Objectives lay out a fairly consistent plan for a data center capable of handling the solution as required. Understanding that this is a $20 BILLION project there are substantial obvious expectations for investment. All I want is a few million dollars but I’m a junior professor from a regional university so I’m lucky if somebody gives me a nickel. If I were building this I would use “green” construction methods, build the facility in a semi-rural area, use big-box building techniques, build it above any flood plain, sink most of it into the ground, and protect it from most man-made and natural disasters. This would be a good place to ride out a zombie outbreak.

 

The facility would need to be reconfigurable and have some type of organization that would immediately make sense. I would build it all on one floor. I would lay out the data center as if it were a Mercator projected map, with systems modeling Asia in a section designated as such (etc.). Obviously Central Africa is not going to have the density of systems that the European Union would have. I would place office, work space, management space, and repair cubicles in those areas. This violates the rule of all data centers that you keep the heathens, or users, out of the data center.

 

The data center would utilize glassed in racks holding all equipment, and grounded equipment (like telephone switches) would be caged. This is to protect the systems, but more importantly to create a demarcation point that would replicate the physical space and distance between systems. Solving the wireless communications paradigm while maintaining security is going to require some careful engineering. Whether Faraday cages or simple distance are used, getting the wireless modeled and then implemented could be an interesting part of the data center design.

 

The following are the DARPA objectives with commentary:

 

All necessary resources including but not limited to test facilities, utilities (power, water, etc.), physical security, and heating, ventilation and air conditioning (HVAC).

 

To make the “Cyber Range” the most effective the test facilities should be accessible from a variety of locations, but for the sake of security a central facility would be the best option. Though it will be very hard to guarantee or even effectively accomplish, the “cyber range” should not be accessible from the regular commercial Internet. This is contrary to other requirements. The various utilities should include conditioned power. Physical security of this facility should be of the highest order. A physical security plan should include at least five concentric rings of protection between uncontrolled public spaces and the machines inside the data center. Heating and air conditioning (HVAC) could include some “green” solutions if the building was built correctly to start.

 

When looking at the layout and creation of test facilities the primary suggestion is that the winning bidders on this project visit the AT&T Network Operations Center. If the “Cyber Range” does not at least look somewhat like this then it has been done wrong. A primary room overlooking the data center, with different levels to work from and centralized screens relaying SNMP information, would make for a great solution. The data representations of this would most closely mimic a national backbone (and, from the BAA materials, would represent the myriad facilities that already exist). Behind this “bridge” would be office spaces (likely two floors worth) of secure areas and work spaces to inject, experiment, and/or pull data from the range.

 

All personnel necessary to design, operate, and maintain range, to include but not limited to management, administration, system administration and engineering personnel.

 

The range personnel will not be the primary users but the administrators of it. This range would be a 24/7/365 operation. Looking at the management, scale, intended use, and likely intensity of operations a hierarchical management with subject matter experts (SMEs) on staff to help scientists would be a good solution. SMEs would be in charge of monitoring the current research activities and maintaining the substantial intellectual history of the project. A variety of technologies from SNMP, wikis, forums, and run book solutions would help with keeping the intellectual property available to help solve the repetitive experimentation that might occur. 

 

Thinking about the management, design, and assistance aspects, it is imperative that both academic and vendor disciplines be included in the staff of the facility. As an example, senior vendor trained personnel from Cisco (CCIE, CCNP) would support normal management of the facility, but academics are not bound by vendor specificity or blinded by training. Holistic networking and system views for personnel at all levels should be encouraged along with a healthy dose of skepticism. Acceptance of a paradigm without challenging it on a daily basis will degrade the usefulness of the “Cyber Range” rapidly. This should be a facility that is managed as unaccepting of the status quo, and that may be hard to do with normal information technology staff personnel.

 

All necessary administration to include necessary certification/accreditation, Concept of Operation (CONOP) development, security management, test scheduling, and processes.

 

Individual elements of the network would have to be created to adhere to specific certifications that are industry specific, such as credit card transaction systems, banking transaction systems, and check clearance systems. Some of the standards are not documented but are considered best practices or are defined by the currency of the way things are being done. Libraries and media repositories do not have specific standards that are written (the Library of Congress being a counterexample), but they do have traditional methods that are part of their culture.

 

The staff should include project managers with substantive information technology experience, and scientific service experience. The staff should include a permanent joint military presence as representatives to their associated services. One field grade officer and associated staff officers with associated enlisted grades (specializing in information technology) would round out the military presence. A civilian senior executive staff appointment would head the facility. The various governmental civilian services would be required to provide staff and management personnel. For continuity of personnel a cadre of specialists would be permanently assigned.  

 

With this kind of staffing the question immediately comes up as to who is doing what kind of work? Where would the requirements for the work come from? The DARPA BAA discusses continuity of operations, yet part of this range would be creating a situation that results in the cessation of operations. Among the computer scientists and information technologists there should be a cadre of forensic scientists. If something breaks or doesn’t work, the answer to why might not be as simple as what happened a moment before.

 

The ability to replicate large-scale military and government network enclaves.

 

This is of course going to impose a top secret requirement on the entire network. Consider the standards for security and physical separation requirements: if this type of experiment is going on it would subject the military network to scrutiny that may be considered detrimental. One specific thing that could be done is to embargo segments of the network for just this situation.

 

The use of VPN and IPSec could help in controlling the systems and their cross talk, but without physical separation there is no possible way to be sure that contamination and loss of control will not occur.

 

The ability to replicate commercial and tactical wireless and control systems.

 

This is covered by earlier requirements.

 

The ability to connect to distributed, custom facilities and/or capabilities as necessary to incorporate specialized capabilities, effects, or infrastructures. 

 

This should be fairly easy if the original constraints and construction take into account the ability to plug in modules of capability on demand. There should be a concerted effort to identify future components, but if an application programming interface is defined and available just about any custom tool could be added to the infrastructure. Adding high speed or clustered computers in a clustered computer environment may require that external dedicated hardware be purchased.


External hardware will affect the turnaround time and the template tools of the system. It should be negotiated with the customer to make sure that external entities are not to be considered as part of the internal service level agreements.

 

Interactive test suites to design, configure, monitor, analyze, and release tests.

 

There are a variety of test suites that are currently available on the market. More importantly it should be expected that the different entities will have specialized cases that require tools to be created or adapted. 

 

 

A robust range management suite.

 

This particular requirement needs more definition to differentiate it from earlier requirements.

 

A large pool of heterogeneous systems (nodes) as well as the ability to rapidly integrate new nodes.

 

This requirement suggests that virtualization cannot be used, but if it is allowed a variety of nodes and systems should be easily integrated.

 

The ability to rapidly generate and integrate replications of new machines.

 

TBD

 

The ability to integrate new research protocols.

 

TBD

 

A test toolkit/repository for reuse of recipes and architectures.

 

This sounds like a redundant requirement from above “interactive test suites”. 

 

Forensic quality data collection, analysis, and presentation.

 

Forensics is about the use of data or evidence collected in a manner that can sustain a court case. The secondary network, encryption algorithms, and protocols should allow for this level or near it. Controls on the systems are the important part of the requirement.
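The control the requirement really asks for is that collected data cannot be altered, reordered or thinned after the fact without that being detectable. As an added example (not from the original post or the BAA), the Python below keeps observation-network records in a hash chain: every entry carries the SHA-256 of the previous entry plus its own sequence number and canonical content, so a verifier can name the first entry at which the record stops checking out. The sensor records are constructed placeholders, and the hash chain is a standard tamper-evidence technique, not something the BAA specifies.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed anchor for the first entry


def _entry_hash(prev_hash, seq, record):
    # Canonical JSON so the same record always hashes the same way.
    payload = json.dumps({"seq": seq, "record": record}, sort_keys=True,
                         separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_record(chain, record):
    """Append an observation to the chain, binding it to everything before it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    chain.append({"seq": seq, "record": record, "prev": prev_hash,
                  "hash": _entry_hash(prev_hash, seq, record)})
    return chain


def first_broken_entry(chain):
    """Index of the first entry whose linkage or content no longer checks out,
    or -1 when the whole chain verifies (content, order and completeness)."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev_hash:
            return i          # dropped, inserted or reordered entry
        if entry["hash"] != _entry_hash(prev_hash, i, entry["record"]):
            return i          # content edited after capture
        prev_hash = entry["hash"]
    return -1


def build_sample_chain():
    # Constructed observation-network records, not captured data.
    samples = [
        {"sensor": "tap-01", "ts": "2009-01-15T10:00:00Z", "src": "10.1.0.5",
         "dst": "10.2.0.9", "proto": "tcp", "dport": 443, "bytes": 512},
        {"sensor": "tap-01", "ts": "2009-01-15T10:00:01Z", "src": "10.1.0.5",
         "dst": "10.2.0.10", "proto": "tcp", "dport": 80, "bytes": 1460},
        {"sensor": "host-07", "ts": "2009-01-15T10:00:02Z",
         "event": "service_start", "name": "svchost.exe"},
    ]
    chain = []
    for s in samples:
        append_record(chain, s)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("clean chain verifies:", first_broken_entry(chain) == -1)
    chain[1]["record"]["bytes"] = 1
    print("first broken entry after edit:", first_broken_entry(chain))
```

The chain only proves integrity relative to its head hash, so the head must be recorded somewhere the experimenters cannot write to (the secure network the post describes, or a signed log) for the evidence to stand on its own.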

 

Realistically replicate human behavior and frailties.

 

This has been discussed in depth. 

 

Realistic, sophisticated, nation-state quality offensive and defensive opposition forces.

 

TBD. Interesting but requires more definition.

 

Dedicated on-site, support for installation, troubleshooting, and testing.

TBD

 

 

The ability to accelerate and decelerate relative test time.

 

TBD

 

The ability to encapsulate and isolate tests, data storage, and networks.

 

TBD; redundant requirement.

 

A knowledge management repository for test case samples and past experiences that can be used for future endeavors.

 

TBD

 

A malware repository.

 

Several of these currently exist but what doesn’t exist is an effective method to create them on the fly. As many different entities create or publish exploits for applications and operating systems, the method to move the exploit from known to usable is non-trivial. Open source tools like the Metasploit Framework make the task easier, but a more robust user friendly tool capable of following a script of tactics and paths would be better. As stated, several entities maintain malware repositories, so including them and updating them would be fairly easy. Since virus signatures are fairly well known they would also be easy to hold and contain. What would be difficult is finding non-known or non-trivial exploits in development. To make this successful a database of historical attacks and diagrams through vulnerable systems might make a malware repository more effective for use.
