INRIA's LHS NGE
Functional Components Description
The High-Security Laboratory (HSL) is designed to host critical research activities aimed at making networks, Internet exchanges and the associated telecommunications equipment safer. It allows data to be collected and stored while ensuring their confidentiality and integrity, both logically and physically, and offers a safe environment for researchers to work in.
The HSL relies on “trust zones”: dedicated, isolated environments whose interactions with the Internet are limited and controlled. Such an environment benefits from all the services offered by the HSL (network and data protection, automatic backup, local services such as APT, DNS, LDAP and NTP) while always being separated from the outside world by two levels of security built on different vendors/technologies (two firewalls from different vendors for the logical side, two different biometric authentication mechanisms for the physical side), as shown in Figure 1.
A trust zone is deployed for each hosted project. It comes with its own network and VLAN, which isolates it from the other hosted projects, as well as with project-specific user accounts and groups in the HSL LDAP directory, the associated firewall rules, and user/group access control lists (ACLs).
These zones are fully integrated into the automatic configuration and software management solution (Puppet). Access to a trust zone is only possible through a dedicated Virtual Private Network (VPN), deployed exclusively for that project and restricted to the user accounts belonging to the project’s LDAP groups.
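The following is an added example, not code from the HSL, that models the access policy described above as a decision function: a per-project VPN that only admits members of the project's LDAP group, VLAN isolation between projects, and two independent default-deny firewall rule sets (standing in for the two firewalls from different vendors) that must both allow a flow. All users, groups, VLAN ids, address ranges and rules are constructed assumptions.

```python
# Added example (not LHS code): a model of the trust-zone access policy.
# All project names, groups, VLAN ids, networks and rules are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed LDAP directory (user -> groups) and per-project trust zones.
LDAP_GROUPS = {"alice": {"proj-a-users"}, "bob": {"proj-b-users"}}
ZONES = {
    "proj-a": {"vlan": 101, "net": ip_network("10.1.0.0/24"), "group": "proj-a-users"},
    "proj-b": {"vlan": 102, "net": ip_network("10.2.0.0/24"), "group": "proj-b-users"},
}

@dataclass
class Rule:
    dst_net: str
    dport: int
    action: str  # "allow" or "deny"

# Two independent rule sets standing in for two firewalls from different vendors.
# Each is default-deny; a flow must be allowed by BOTH to pass.
FW_VENDOR_1 = [Rule("10.1.0.0/24", 22, "allow"), Rule("10.2.0.0/24", 22, "allow")]
FW_VENDOR_2 = [Rule("10.1.0.0/24", 22, "allow")]  # proj-b not yet opened on vendor 2

def fw_allows(rules, dst, dport):
    """First matching rule wins; no match means deny (default-deny)."""
    for r in rules:
        if ip_address(dst) in ip_network(r.dst_net) and r.dport == dport:
            return r.action == "allow"
    return False

def vpn_admits(user, project):
    """The per-project VPN only accepts accounts in the project's LDAP group."""
    return ZONES[project]["group"] in LDAP_GROUPS.get(user, set())

def zone_access(user, project, dst, dport):
    """Decide whether user, connected to project's VPN, may reach dst:dport."""
    if project not in ZONES:
        return False, "unknown trust zone"
    if not vpn_admits(user, project):
        return False, "VPN: user not in project LDAP group"
    if ip_address(dst) not in ZONES[project]["net"]:
        return False, "VLAN isolation: destination outside the project's zone"
    if not fw_allows(FW_VENDOR_1, dst, dport):
        return False, "firewall 1 denies"
    if not fw_allows(FW_VENDOR_2, dst, dport):
        return False, "firewall 2 denies"
    return True, "allowed"
```

Because each firewall set is default-deny and both are consulted, a rule missing on one vendor (proj-b on vendor 2 here) still blocks the flow, which is the point of the two-technology layering.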
Secure hosting and analysis of sensitive data via dedicated trust zones
Data collection and analysis via security sensors for a long term perspective: place distributed data sensors and probes on the Internet, collect and enrich data automatically, and allow researchers to work on these datasets in the HSL
Large scale experiments: allow researchers to run Internet-wide experiments such as port scanning
Dissemination and communication: allow researchers to deploy public services or disseminate results regarding their activities in the HSL
Data collection, secure hosting/storage, collaborative platform, large scale experimentation
Cyber-security-oriented datacenter: around 95 servers, organized in per-project clusters and trust zones:
8 to 40 cores per server
32 to 128 GB memory per server
1 to 20 TB disk space per server
Network Telescope (darknet + honeypots). Live data streams can be accessed via message queueing (RabbitMQ) to perform near-real-time analysis of these events. Datasets:
Darknet data: unsolicited traffic passively collected towards unused IP address space (4K addresses); 370 GB of compressed PCAP since November 2014
Honeypot data: attack logs and traces from various honeypots (mainly NetFlow data), collected since 2008
Malware samples collected through the honeypots
Aggregation, centralization and preprocessing (refinement and enrichment) of relevant publicly available blacklists (IP, domain, URL) for further use (for example, dataset annotation), available via MongoDB or a RESTful API
Security Knowledge Base
Knowledge base containing various security-related standards (CPE, CVE, CWE, CAPEC) and their relationships, available through MongoDB or a RESTful API
Non-profit (NDA and/or acknowledgement required)