On Implementing Real-time Detection Techniques in Future Network Access Control

Engr. Arain, Adnan Ashraf
Mehran University of Engineering & Technology, Pakistan
adnanlooking@ieee.
Ph.D. (Security Models of Wireless Sensor Networks, 06/09), M.E. (Communication Systems & Networks, 2004), B.E. (Computer Systems Engineering, 2003)

ICTTA'08, Damascus, 7th-11th April, 2008

Agenda

  • Introduction of ideal network security/access control
  • Potential threats to network access control
  • General pitfalls of existing "traditional security techniques"
  • The proposed network security technique
  • Real-time test results (pros & cons)
  • Future integration
  • Summary

Introduction of ideal network security

The "Fantastic 4s": Integrity, Authenticity, Confidentiality, Availability.

Fig 1. Ideal security perimeter (components shown: authentication; firewall (client-server); border router; special filters (server); antivirus (client-server); direct regular updates for each; log maintenance; ID and IP sensors; VPN devices; need-based service; alerts/notifications; host or client; IPS (host/server); IDS (host/server))

Potential threats to security

The "Bad 4s": Interception, Intrusion, Modification, Fabrication.

Defense-in-depth (existing)

  • Border routers
  • Firewalls
  • IDS
  • IPS
  • VPN devices
  • Software services of DMZs
  • Server-side/client-side web filters
  • Server-side/client-side antivirus services

"A castle without a gate is not a security solution."

Defense-in-depth (..continued)

Fig 2. Optimal requirements from a traditional network (the Fig 1 components, authentication, VPN devices, alerts/notifications, log maintenance, direct regular updates for each, firewall (client-server), antivirus (client-server), IPS (host/server), ID and IP sensors, special filters (server), border router and IDS (host/server), arranged around the goals availability, integrity, security and confidentiality)

Defense-in-depth (exemplified by 'antivirus application')

General pitfalls of traditional security:

  • Minimum synchronization of network components/services, because each is an individual, independent solution.
  • Higher traffic load, because every client is administered directly from the core servers (recursive dictation from the core).
  • Non-modularized component services, because the backdoors of the security devices/applications are monopolized by their manufacturer/developer.

Fig 3. Updates in a traditional network (server farm at 1 Gbps -> router -> gigabit switch -> 10/100 Mbps access switches -> clients; every client's AV-update is pulled individually from the server farm)

Proposed objectives

  • Maximizing synchronization among security component services.
  • Modularizing the solution for potential threats.
  • Minimizing the unnecessary traffic load.

Proposed security solution

  • Firewall, secure routing schemes, authentication mechanisms and antivirus applications should logically be one entity.
  • Each of the component services should be clearly identified and run separately.
  • Routing, ACL, cryptography and similar resource-consuming services must be performed before the arrival of the next packet.

Fig 4. Switch-based updates (flow): a switch with resident virus updates asks "Requires HELLOs?". If NO, no handshake is needed. If YES, it performs the HELLO handshake and then the AV-HELLO handshake and asks "ACK error?". If NO, the frame is accepted for authenticity. If YES, it checks whether HELLOs may still be retransmitted: if YES, it requests a retransmission; if NO, it discards the MAC entry and reports.
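The Fig 4 flow as an added, runnable model. This is example code written for this page, not code from the talk or from any switch vendor. The message names HELLO, AV-HELLO and ACK follow the figure; the retransmit limit, the client behaviour, the rule that a switch re-runs the handshake for a MAC whose last acknowledged update is older than the switch's resident one, and the frame-time budget used to check the "before the arrival of the next packet" requirement are assumptions.

```python
"""Switch-side HELLO / AV-HELLO admission flow (Fig 4), modelled in Python.

Added example for this page, not the talk's own code. The retransmit limit,
the MacEntry fields, the Client behaviour and the frame-budget arithmetic
are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum, auto

MAX_RETRANSMITS = 2  # assumed: how often "Request to retransmit" is taken before discarding


class Verdict(Enum):
    NO_HELLO_NEEDED = auto()  # "Requires HELLOs?" answered NO
    AUTHENTIC = auto()        # "Frame for Authenticity"
    DISCARDED = auto()        # "Discard MAC entry & Report"


@dataclass
class Hello:
    mac: str


@dataclass
class Ack:
    ok: bool
    av_version: int  # signature version the client holds after the AV-HELLO


@dataclass
class MacEntry:
    mac: str
    av_version: int  # last version acknowledged by this MAC
    hello_ok: bool


class Client:
    """Host behind a switch port. `fail_acks` simulates consecutive ACK errors."""

    def __init__(self, mac, av_version, fail_acks=0):
        self.mac = mac
        self.av_version = av_version
        self.fail_acks = fail_acks

    def hello(self):
        return Hello(self.mac)

    def av_hello(self, switch_version):
        if self.fail_acks > 0:  # constructed error: ACK lost or corrupt
            self.fail_acks -= 1
            return Ack(False, self.av_version)
        # the client takes the update from its own switch, not from the core
        self.av_version = max(self.av_version, switch_version)
        return Ack(True, self.av_version)


@dataclass
class Switch:
    resident_av_version: int                     # updates flashed onto the switch
    table: dict = field(default_factory=dict)    # MAC table, keyed by MAC
    reports: list = field(default_factory=list)  # "Report" output

    def requires_hello(self, mac):
        """"Requires HELLOs?": no entry, a failed entry, or a stale AV version."""
        entry = self.table.get(mac)
        return (entry is None or not entry.hello_ok
                or entry.av_version < self.resident_av_version)

    def admit(self, client):
        """Run the Fig 4 flow for one client and return the verdict."""
        if not self.requires_hello(client.mac):
            return Verdict.NO_HELLO_NEEDED
        for _ in range(MAX_RETRANSMITS + 1):
            hello = client.hello()                           # HELLO handshake
            ack = client.av_hello(self.resident_av_version)  # AV-HELLO handshake
            if ack.ok:                                       # "ACK error?" NO
                self.table[hello.mac] = MacEntry(hello.mac, ack.av_version, True)
                return Verdict.AUTHENTIC
            # "ACK error?" YES -> "Check if retransmit HELLOs?" YES -> loop again
        # retransmit budget exhausted -> "Discard MAC entry & Report"
        self.table.pop(client.mac, None)
        self.reports.append(f"{client.mac}: ACK error after {MAX_RETRANSMITS} retransmits")
        return Verdict.DISCARDED


def frame_budget_us(link_mbps, frame_bytes=64):
    """Time between back-to-back minimum-size Ethernet frames on a link.

    The per-frame service chain (routing, ACL, crypto) must finish within this
    budget to be done "before the arrival of the next packet". 8 bytes of
    preamble/SFD and a 12-byte inter-frame gap are added to the frame.
    """
    wire_bits = (frame_bytes + 8 + 12) * 8
    return wire_bits / link_mbps  # bit / (Mbit/s) = microseconds


if __name__ == "__main__":
    sw = Switch(resident_av_version=5)
    for c in (Client("00:11:22:33:44:55", 3),
              Client("00:11:22:33:44:66", 5, fail_acks=1),
              Client("00:11:22:33:44:77", 1, fail_acks=10)):
        print(c.mac, sw.admit(c).name)
    print("reports:", sw.reports)
    print("frame budget at 100 Mbps: %.2f us" % frame_budget_us(100))
```

A client whose ACK fails once is admitted on the retransmission; a client that never acknowledges loses its MAC entry and produces a report, which is the hook an operator would wire to the alerts/notifications box of Fig 1. Bumping the switch's resident version makes every existing entry stale, so the next frame from each MAC re-enters the handshake. At 100 Mbps the service chain has 6.72 µs per minimum-size frame, at 1 Gbps 0.672 µs.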

Implementation of the proposed solution

Fig 5. Proposed solution: campus-wide security perimeter (Internet -> corporate firewall server -> core device at 1 Gbps, with the AV-client server, AV datafiles, DHCP/authentication & access server, web server and mail server beside it; distribution devices 1-4 at 100 Mbps; access switches 1-30, each receiving a flash update of the AV datafiles and serving clients 1-30 at 10/100 Mbps)

  • Regular updates, alerts, REQ/ACK and logs are accessible to clients at nearby locations.
  • Switches do not generate/direct the redundant traffic every time towards the core server.
  • Minimal sinkholes/continuous pings/HELLOs.
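The "higher traffic load" pitfall of Fig 3 and the "switches do not direct redundant traffic towards the core server" point of Fig 5, as an added link-load model (example code written for this page, not the talk's own measurements). The link speeds and the 30 clients per access switch follow the slides; the number of switches per distribution device, the update size, the HELLO size and the assumption that every client fetches exactly one full copy of an update are constructed inputs.

```python
"""Link load for one antivirus update release: traditional pull-from-core
(Fig 3) versus switch-resident flash update (Fig 5).

Added example for this page, not the talk's own figures. Topology sizes
follow the slides (1 Gbps core, 100 Mbps distribution, 30 clients per access
switch); switches per distribution device, update size and HELLO size are
constructed inputs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Campus:
    distribution_devices: int
    switches_per_distribution: int
    clients_per_switch: int

    @property
    def switches(self):
        return self.distribution_devices * self.switches_per_distribution

    @property
    def clients(self):
        return self.switches * self.clients_per_switch


def traditional_update_load(campus, update_bytes):
    """Fig 3: each client pulls its own copy from the core AV server, so the
    full update crosses the core link and its distribution link once per
    client, and every request lands at the core."""
    return {
        "core_link_bytes": campus.clients * update_bytes,
        "per_distribution_link_bytes":
            campus.switches_per_distribution * campus.clients_per_switch * update_bytes,
        "requests_at_core": campus.clients,
    }


def proposed_update_load(campus, update_bytes, hello_bytes=64):
    """Fig 5: the core flashes each access switch once; clients then take the
    update from their own switch and exchange HELLO/ACK only with that switch,
    so HELLO traffic never leaves the access layer."""
    return {
        "core_link_bytes": campus.switches * update_bytes,
        "per_distribution_link_bytes": campus.switches_per_distribution * update_bytes,
        "requests_at_core": campus.switches,
        "hello_bytes_kept_local": campus.clients * hello_bytes,
    }


def seconds_on_link(nbytes, link_mbps):
    """Serialisation time of nbytes on a link of link_mbps (Mbit/s)."""
    return nbytes * 8 / (link_mbps * 1e6)


def core_reduction_factor(campus, update_bytes):
    """How many times less update traffic the core link carries under Fig 5."""
    t = traditional_update_load(campus, update_bytes)["core_link_bytes"]
    p = proposed_update_load(campus, update_bytes)["core_link_bytes"]
    return t / p


if __name__ == "__main__":
    campus = Campus(distribution_devices=4, switches_per_distribution=8, clients_per_switch=30)
    update = 1_000_000  # constructed: a 1 MB signature update
    for name, load in (("traditional", traditional_update_load(campus, update)),
                       ("proposed", proposed_update_load(campus, update))):
        print(name, load,
              "core %.3f s at 1 Gbps" % seconds_on_link(load["core_link_bytes"], 1000),
              "distribution %.2f s at 100 Mbps"
              % seconds_on_link(load["per_distribution_link_bytes"], 100))
    print("core reduction factor:", core_reduction_factor(campus, update))
```

With 4 distribution devices, 8 switches each and 30 clients per switch, a 1 MB update costs the traditional scheme 960 MB on the core link (7.68 s at 1 Gbps) and 240 MB on each 100 Mbps distribution link (19.2 s of saturation), against 32 MB and 8 MB for the switch-resident scheme. The reduction factor on the core equals the number of clients per switch, which is the quantity Fig 5 is built around.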

Implementation of the proposed.. (continued)

  • Gives protection against backdoors and trapdoors.
  • Higher number of threats detected as compared to the traditional network security technique.
  • Technique was tested for 500+ nodes in a campus-wide network.
  • Feasible in existing network infrastructures.

Fig 5. Proposed solution: campus-wide security perimeter (repeated)

Test results of the proposed network security technique

Headline on the slide: "Almost 63% better results". From the table below, the proposed technique blocked 4,240 of 8,855 recorded attacks against 2,662 for the traditional one (47.9% versus 30.1%), a 59% relative increase in blocked attacks. Only blocked counts are reported, so nothing can be said about false positives, and in three categories (script malware, other malware, other OS malware) the proposed technique blocked fewer attacks than the traditional one.

Statistic of attacks (blocked). T.N.P.M = traditional, P.N.P.M = proposed, following the legend of Fig 7; the slide does not expand the abbreviations.

Name of attacker  | Total number of attacks | Blocked, T.N.P.M | Blocked, P.N.P.M
DOS malware       |    50 |            8 |           16
UNIX viruses      |    44 |            8 |            8
Script malware    |   232 |           35 |           24
Worms             |   517 |          111 |          324
Backdoors         |  3851 |         1477 |         2130
Trojans           |  3653 |          725 |         1461
Other malware     |   371 |          279 |          269
Other OS malware  |   137 |           19 |            8
Total             |  8855 | 2662 (30.1%) | 4240 (47.9%)

Fig 6 & 7. Traditional versus proposed network security techniques: analysis and quantification of malicious codes in the network (tabular and graph format; the bar chart plots the number of threats detected, 0 to 2,500, per attacker category for TRADITIONAL and PROPOSED)

Future extensions (undergrad projects)

  • To develop APIs for Cisco/Alcatel switches to update an antivirus application/firewall policy through a GUI.
  • To re-write the flash memory of network switches in order to reserve memory dedicated to the storage of updates/sources in passive mode.

Conclusion We discuss the true definition of “network

security perimeter” or “defense-in-depth”.

We

present a hierarchical model with logical separation between different services to analyze the integration possibility of components services.

We show that how synchronization among

14

network component services/ applications may be achieved among clients in their neighborhood core-servers, thus minimizing the traffic load @ core-servers.

Conclusion (..continued) By emulating the proposal we quantify the

results in a real-time network environment. We compare the results of existing and

proposed security technique and found the later one ‘better’. We identify the possible extension to this

research work.

15

Acknowledgement

Department of Network Operations, Mehran UET, Pakistan
Miss Marvi Mussadiq (IT specialist, UoSindh, Pakistan)


Thanks. Q&A
