Title :
Intrusion tolerant Web servers via network layer controls
Abstract :
Summary form only given. This demonstration shows the approach taken on the Intrusion Tolerant Server Infrastructure (ITSI) program to identify and isolate intrusions, prevent them from freely spreading, and continue to provide service to benign users while recovering from the intrusion. The distinguishing feature of the ITSI approach is the use of "smart NICs" to help identify intrusions, and, once an intrusion has been detected, to contain it and ensure that service is uninterrupted by providing a failover capability. These smart NICs are based on the distributed firewall technology developed by Secure Computing on DARPA's Autonomic Distributed Firewall (ADF) program. The ADF NIC has been enhanced on the ITSI program to support multi-server load sharing, to enable load shifting in the face of attacks, and to provide an alert capability when unauthorized traffic is detected. The demonstration prototype uses two heterogeneous Web servers: Apache running on SELinux and IIS running on Windows 2000. The demonstration shows how various attacks are detected and how the smart NIC can be used to respond to an attack in a manner that ensures that the Web service will continue to operate.
Keywords :
Internet; authorisation; fault tolerant computing; military computing; resource allocation; ADF program; Apache; Autonomic Distributed Firewall program; DARPA; IIS; ITSI program; Intrusion Tolerant Server Infrastructure; SELinux; Secure Computing; Windows 2000; alert capability; failover capability; heterogeneous Web servers; intrusion isolation; intrusion tolerant Web servers; multi-server load sharing; network layer controls; smart NIC; unauthorized traffic; Computer crime; Control systems; Distributed computing; Face detection; Gas detectors; Information security; Intrusion detection; Prototypes; Web server; Web services;
Conference_Title :
DARPA Information Survivability Conference and Exposition, 2003. Proceedings
Print_ISBN :
0-7695-1897-4
DOI :
10.1109/DISCEX.2003.1194948