ViSe:
A Virtual Security Testbed

Introduction:

Traditional means of testing Intrusion Detection Systems (IDSs) require the creation of isolated physical test networks (testbeds) using machines that must be individually configured for each test. This process becomes cumbersome and resource-intensive when malicious attacks, launched against the pre-configured systems, cause significant harm and require the reinstallation of software before testing may continue. Virtual testbeds can minimize many of these costs and greatly increase the testing efficiency while accurately replicating physical environments. ViSe, a virtual security testbed, is a unique solution to the problem of security testing. ViSe's broad base of installed operating systems and vulnerable applications provides an environment where researchers can test real attacks against vulnerable systems in a reliable and efficient manner.

ViSe:

The current version of ViSe contains 10 versions of popular operating systems and 40 exploits against them, or against programs that run on them, arranged in VMware snapshot trees. The images are organized by operating system, but fall into three types of configured guest image: an attacker, a detector, and a victim. The attacker is a specially configured Fedora Core 3 image that contains the exploit code and detailed instructions for the 40 included exploits. Two basic detector images, one built on Windows XP Pro and the other on Fedora Core 3, include the default Snort v2.3.3 install without rule set updates. The rest are victim images, some of which are configured for immediate exploitation using specified exploits. As an added feature, the Fedora Core 3 detector and the Fedora Core 3 victims also include the SyscallAnomaly host-based IDS. In all cases, guest OS installations are rooted at the basic install level with minimal modification.

See the diagram below for an example configuration of the testbed:

Example Testbed

The power of ViSe lies in its large repository of OS images and its ability to switch quickly between them during testing. This flexibility stems from the fact that previously created images may be reused in future or repeated tests. For example, victim images can be swapped quickly during testing to verify the success of an exploit against numerous OS configurations. Alternatively, IDS detector images could be swapped or run in tandem to compare their ability to track an exploit.

Disclaimer:

All ViSe images are configured to use static IP addresses. During development a mistake was made, and every ViSe image uses one of 128.111.48.118, 128.111.48.125, or 128.111.48.132. When you first boot one of these images, please reconfigure its network interface to use a different IP address, then power it off and take a snapshot of your personalized image. Two different ways of changing this setting are given below. The first initializes the ethernet interface through a boot script; the second makes a permanent change to the interface configuration file. The following instructions assume that you want to change the image's IP address to 192.168.0.118.

To reconfigure a Fedora Core 3 or Red Hat 6.2/7.3 image, follow these commands:

To reconfigure a Debian 3.0 image:

Similar commands should work for the other included Linux images.
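The following is an added example, not the page's own commands: it writes the two styles of static-IP change described above (a boot script, and a permanent interface configuration file) for a Fedora Core 3 / Red Hat guest and a Debian 3.0 guest, using the page's target address 192.168.0.118. The interface name eth0, the /24 netmask and the gateway 192.168.0.1 are assumptions not given on the page, and the functions take a root directory so the files can be previewed outside the guest before they are written to /.

```shell
#!/bin/sh
# Added example (not the ViSe page's own commands). Each function writes its
# file under the root directory given as $1; inside the guest, pass /.
# Assumed (not on the page): interface eth0, /24 netmask, gateway 192.168.0.1.
NEW_IP="${NEW_IP:-192.168.0.118}"
NETMASK="${NETMASK:-255.255.255.0}"
GATEWAY="${GATEWAY:-192.168.0.1}"

# Style 1: boot script. Red Hat-family init runs /etc/rc.d/rc.local last,
# so this overrides the shipped address on every boot.
write_rc_local() {
  mkdir -p "$1/etc/rc.d"
  cat > "$1/etc/rc.d/rc.local" <<EOF
#!/bin/sh
/sbin/ifconfig eth0 $NEW_IP netmask $NETMASK up
/sbin/route add default gw $GATEWAY eth0
EOF
  chmod 755 "$1/etc/rc.d/rc.local"
}

# Style 2a: permanent change for Fedora Core 3 / Red Hat 6.2 and 7.3.
write_redhat_ifcfg() {
  mkdir -p "$1/etc/sysconfig/network-scripts"
  cat > "$1/etc/sysconfig/network-scripts/ifcfg-eth0" <<EOF
DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes
IPADDR=$NEW_IP
NETMASK=$NETMASK
GATEWAY=$GATEWAY
EOF
}

# Style 2b: permanent change for Debian 3.0 (ifupdown).
write_debian_interfaces() {
  mkdir -p "$1/etc/network"
  cat > "$1/etc/network/interfaces" <<EOF
auto lo eth0
iface lo inet loopback
iface eth0 inet static
    address $NEW_IP
    netmask $NETMASK
    gateway $GATEWAY
EOF
}

# Check that a config file no longer carries one of the three shipped addresses.
still_has_shipped_ip() { grep -Eq '128\.111\.48\.(118|125|132)' "$1"; }
```

Run `still_has_shipped_ip` against the guest's interface file after editing to confirm none of the three shipped addresses remain before taking the snapshot.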

End Disclaimer

VMware Images Available for Download:

Publications:

People:

Webpage References: