Network security architecture expert Robert Bird saw the difficulties universities have protecting their systems while maintaining an open and collaborative environment.
As director of network services at the University of Florida's 10,000-user residence hall network, Bird began designing a system that could identify users and track their activity on the university network while protecting their privacy. He has built up a cache of more than a dozen patents in the area of network security and traffic inspection and founded Red Lambda Inc., a Longwood, Fla.-based company whose products are used widely at universities and colleges.
At the heart of Red Lambda's technology is its deep packet inspection (DPI) software engine. The technology is somewhat akin to a network firewall, but it is connected to analysis software that can correlate user identities with the applications being used on the network. DPI makes some privacy advocates cringe, but Bird is quick to point out that while the technology can be used to scan content -- the feature is available and can be turned on by an administrator -- enterprises and universities are not interested in seeing that level of information.
"What they're really focused on is the actual activity," Bird said. "They're not focused on what you are downloading or what you are looking at."
The company is trying to extend its reach to more enterprises. At Black Hat 2010, Bird will tout his identity-aware security platform and a new product called FireCloud, a converged Firewall/IPS based on the company's underlying DPI technology. In this interview, Bird explains how the system works.
How has your work at the University of Florida developed into what you are doing today?
Robert Bird: I was thrust into a very unique opportunity. In fact, the reason why I took the residence hall position was to build that network from scratch. That gave me the opportunity to basically manage the security and the network itself from the ground up. It was a 10,000-user, 50-building network. You really get a very interesting perspective on the concept of a malicious user when you have them living in your network. They are literally living in your network. It really shaped and sculpted my perspective on security and tools.
The university environment is unique in that you've got to keep it open but you have to lock down sensitive systems. Was that a challenge?
Bird: Absolutely. In fact, in the past security has not really been something that has been a high priority at universities for that very reason. There is a perception of the need for openness, which is more of a philosophical thing than an actual way to manage the network itself. What we discovered is that a lot of the weaknesses in security were formulated around this idea of location forming the fundamental element of how you secure something. For example: 'What subnet is it on?' And then, 'What does it do in that subnet?' 'Am I going to statically assign IP addresses?' and stuff like that. When you start thinking about that and try to address some of the real issues in the network, that's where we started with our identity aware concept back in 2003.
What is the identity aware concept? How does it work?
Bird: It's definitely a phrase that has been bantered around lately. I'm proud to say that we implemented the first system many years ago before anyone else. Basically it's a telemetry aware security infrastructure. The gateways that are actually handling traffic and seeing all the user behavior have knowledge of who those users are and their organizational context in real time. When they apply policy to the traffic, they apply it based on the identity, the role and the other third-party information that you connect to the system. It will let you define a real tangible security policy. It's security for people not IP addresses. That's the way you structure your university policies or your organizational policies. They're not written based on subnetting, they're written based on the organizational context and what people are supposed to do and what they're not supposed to do.
Your system seems to be based out of mitigating peer-to-peer file sharing problems that a lot of universities have to address. Is this correct?
Bird: It was inspired by that. We have a number of new products that we are going to be announcing at Black Hat that don't focus on file sharing whatsoever. But the concept of identity aware security really came as a necessary byproduct of trying to control file sharing in a way that was socially palatable to the university, because the university doesn't want to block things. They want to accommodate research, they want to accommodate fair use and they want to trust their users. The only way to do that is to have some knowledge of the user behavior and some knowledge of past history. You've got to be able to correlate the user with the activity. Plus, universities receive all those legal complaints from outside sources and they've got to be able to go back and document what user was associated with the complaint. So, it's really about pushing that knowledge and that technology down into the traffic gateways.
Are you using deep packet inspection? How does the system work?
Bird: Yes. The Integrity application, which is really the first application that we released on our grid platform, does three major things. It inspects traffic using an application aware DPI engine that does full multi-flow reconstruction, cross-protocol reconstruction and application identification. It has full behavior analysis features built-in. It's our own design. It has the ability to look for both behavioral signatures and traditional Snort-style signatures with some enhancements for various needs of different kinds of applications. The second major component is the system that tracks all the identities, which we call Identicloud. The Identicloud application does all the real-time correlation telemetry across the network. That system goes out and correlates the identity with all of the telemetry it receives from routers and switches, directories and external databases. We can scale up to millions of nodes with no issues whatsoever because it's on our grid infrastructure. That full real-time telemetry and identity awareness component will be spun out as a new product at Black Hat. It also correlates with information it receives from the deep packet inspection engine. So it's tracking application bandwidth levels and behavior of the individual applications themselves. It's a completely software-based solution that has carrier-grade scalability on commodity hardware.
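The two ideas Bird describes above, policy written for people and roles rather than subnets, and a correlation layer that joins gateway traffic with switch, DHCP and directory telemetry so an activity can be traced back to a user, can be shown end to end in a small model. The following is an added illustration written for this article; it is not Red Lambda's code and says nothing about how Identicloud or Integrity are implemented internally. All telemetry (leases, authentication sessions, directory roles, flow records and the DPI application labels on them) is constructed inline, and the rule table, helper names and the three-hop resolution chain are assumptions of the example.

```python
"""Identity-aware policy evaluation over constructed telemetry (added example, not vendor code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed telemetry standing in for what a correlation layer would pull from
# DHCP servers, 802.1X/RADIUS sessions and a directory. A real system would index
# these by time, since an IP-to-user mapping is only valid for a lease/session window.
DHCP_LEASES = {            # IP address -> MAC address
    "10.1.4.20": "aa:bb:cc:00:00:01",
    "10.1.4.21": "aa:bb:cc:00:00:02",
    "10.2.7.5":  "aa:bb:cc:00:00:03",
}
AUTH_SESSIONS = {          # MAC address -> authenticated user
    "aa:bb:cc:00:00:01": "alice",
    "aa:bb:cc:00:00:02": "bob",
    "aa:bb:cc:00:00:03": "carol",
}
DIRECTORY_ROLES = {        # user -> organizational role
    "alice": "student",
    "bob": "researcher",
    "carol": "staff",
}

# Policy is expressed in organizational terms. Note that alice and bob sit on the same
# subnet but get different treatment, which a subnet-based rule could not express.
POLICY = {
    "student":    {"bittorrent": "throttle", "ssh": "allow", "http": "allow"},
    "researcher": {"bittorrent": "allow",    "ssh": "allow", "http": "allow"},
    "staff":      {"bittorrent": "block",    "ssh": "allow", "http": "allow"},
}
DEFAULT_ACTION = "block"   # unresolved identity or an application the role has no rule for


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    app: str               # label assigned by the DPI engine's application identification
    byte_count: int


@dataclass
class Decision:
    src_ip: str
    user: Optional[str]
    role: Optional[str]
    app: str
    action: str


def resolve_identity(ip: str):
    """Correlate IP -> MAC (DHCP) -> user (802.1X) -> role (directory)."""
    mac = DHCP_LEASES.get(ip)
    user = AUTH_SESSIONS.get(mac) if mac else None
    role = DIRECTORY_ROLES.get(user) if user else None
    return user, role


def evaluate(flow: Flow) -> Decision:
    """Apply the role-based policy to one flow; the result doubles as an audit record."""
    user, role = resolve_identity(flow.src_ip)
    if role is None:
        action = DEFAULT_ACTION
    else:
        action = POLICY[role].get(flow.app, DEFAULT_ACTION)
    return Decision(flow.src_ip, user, role, flow.app, action)


def audit_lookup(decisions, ip: str):
    """Answer 'which user was behind this address?' from the retained decisions."""
    return sorted({d.user for d in decisions if d.src_ip == ip and d.user})


# Constructed flow records as the gateway would hand them to the policy engine.
FLOWS = [
    Flow("10.1.4.20", "203.0.113.9", "bittorrent", 40_000_000),   # alice, student
    Flow("10.1.4.21", "203.0.113.9", "bittorrent", 40_000_000),   # bob, researcher
    Flow("10.2.7.5",  "203.0.113.9", "bittorrent", 1_000_000),    # carol, staff
    Flow("10.1.4.20", "198.51.100.7", "ssh", 20_000),             # alice, student
    Flow("10.9.9.9",  "198.51.100.7", "http", 5_000),             # no lease: unknown identity
]


def run(flows=FLOWS):
    return [evaluate(f) for f in flows]


if __name__ == "__main__":
    for d in run():
        print(f"{d.src_ip:<10} user={d.user!s:<6} role={d.role!s:<10} app={d.app:<10} -> {d.action}")
    print("complaint lookup for 10.1.4.20:", audit_lookup(run(), "10.1.4.20"))
```

The decisions list is the record that lets an operator answer an outside complaint without inspecting content: it ties an address and an application label to a user and role at the time of the flow. The only content-bearing field that reaches the policy engine is the DPI label itself.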
How do you address the issue of privacy with prospective customers since you are using deep packet inspection? Are they concerned about DPI?
Bird: We address it through openness. We don't hide data from our customers. We don't use obscure signature names. They can turn on as much inspection as they want or as little. They can customize any of the inspection rules and behaviors that they want. One of the things we pride ourselves on, especially coming out of the university space, is strictly looking at the applications. We're looking at the applications to basically give grammar recognition. If I saw you issuing a lot of HTTP traffic, I could probably put together that you are using a web browser. But application recognition tells me exactly what browser you are using, your operating system and so on. That's the kind of visibility that could potentially be had with these DPI systems. For the more corporate, hard-core security customers, those options are available. That's what our FireCloud product does. So by focusing on the grammar, we're not focusing on the content. We could inspect the actual files being transferred. We could try and see if they are copyrighted. But when we created the application we really didn't see a reason for that. And in fact most of our customers don't see a reason for that either. What they're really focused on is the actual activity. They're not focused on what you are downloading or what you are looking at.