Secure Layered Iterative Gateway

Reference#: P02922

By necessity, most computer systems that control critical operational infrastructure have highly controlled hardware and software configurations. Because changes to these systems can introduce instability, updates are applied infrequently. This creates an environment in which security vulnerabilities are not patched in a timely fashion, and systems can become increasingly vulnerable to attack over time.

The Secure Layered Iterative Gateway (SLIG) developed by the Johns Hopkins Applied Physics Laboratory is a novel system that can be placed into a network to protect such systems from cyber attacks. It operates without modifying the software or hardware configuration of the systems it protects and provides detection of and protection against attacks originating from computer systems and remote network nodes.

In operation, the SLIG provides multiple hardware and operating system surfaces that can be attacked in place of the computers that it shields. The system comprises multiple gateways that provide firewall and packet-routing services, a resource manager that controls the gateways, and an attestation server that stores information about known good gateway hardware and software configurations.

Unique to the SLIG design is that each gateway is operational for only a limited amount of time before it is taken out of the network and reset to a known good condition. The resource manager monitors the state of gateway network connections and manages the process of iterating through and regenerating, i.e., rebooting, the SLIG gateways. Before regenerating a gateway, the resource manager controls a switch-over to another gateway in order to move the network traffic to that next gateway. The periodicity of such switching between iterated gateways is determined on the basis of the number of gateways, the reboot time of an individual gateway, and network connection bandwidth. This process limits the time an attacker has to attempt to compromise a gateway before the attacker's access to that gateway is eliminated and network traffic is switched to another gateway.

In addition, each gateway uses internal information assurance sensors to determine whether changes have been made to its operating system, system memory, or the firmware associated with its network interface cards, hard drive, or video cards (if applicable). If a persistent attack is detected, the resource manager deactivates the affected gateway, thereby denying hostile cyber control of the gateway, the physical machine, or its network interfaces. As an added layer of security, each gateway and network interface can be configured with different hardware to mitigate zero-day attacks that target network firmware.
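The rotation and deactivation logic described above can be modeled in a few lines. This is an added illustrative sketch, not APL's implementation: the class and function names, the SHA-256 measurement, the sample images, and the dwell-time bound (which ignores connection bandwidth) are all assumptions.

```python
import hashlib
from dataclasses import dataclass

GOLDEN_OS, GOLDEN_FW = b"os-image-v1", b"nic-fw-v1"   # constructed sample images

def measure(os_image: bytes, firmware: bytes) -> str:
    """Stand-in for the integrity sensors: one digest over OS image and firmware."""
    return hashlib.sha256(os_image + b"|" + firmware).hexdigest()

@dataclass
class Gateway:                         # hypothetical model of one SLIG gateway
    name: str
    os_image: bytes = GOLDEN_OS
    firmware: bytes = GOLDEN_FW
    state: str = "standby"             # standby | active | disabled

    def regenerate(self):
        """Reboot to the known good OS image; a reboot does not rewrite firmware."""
        self.os_image = GOLDEN_OS
        self.state = "standby"

class ResourceManager:
    def __init__(self, gateways):
        self.gateways = gateways
        self.known_good = measure(GOLDEN_OS, GOLDEN_FW)  # attestation server record
        self.active = None

    def rotate(self):
        """Move traffic to the next gateway, then regenerate and attest the old one."""
        old, n = self.active, len(self.gateways)
        start = self.gateways.index(old) + 1 if old else 0
        order = [self.gateways[(start + i) % n] for i in range(n)]
        nxt = next((g for g in order if g is not old and g.state == "standby"), None)
        if nxt is None:
            raise RuntimeError("no healthy standby gateway")
        nxt.state, self.active = "active", nxt           # switch-over happens first
        if old:
            old.regenerate()
            if measure(old.os_image, old.firmware) != self.known_good:
                old.state = "disabled"                   # change survived the reset
        return nxt.name

def min_dwell_seconds(n_gateways: int, reboot_seconds: float) -> float:
    """Assumed bound: with round-robin order, (n - 1) * dwell must cover one reboot."""
    if n_gateways < 2:
        raise ValueError("rotation needs at least two gateways")
    return reboot_seconds / (n_gateways - 1)
```

In this model a change confined to the OS image is erased by regeneration and the gateway returns to the pool, while a firmware change survives the reset, fails the comparison, and takes the gateway out of rotation.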

Ms. H. L. Curran
Phone: (443) 778-7262