Kai Hwang Research Projects - USC GridSec...

December 19, 2002 Kai Hwang, USC 1 Kai Hwang Internet and Pervasive Computing Laboratory University of Southern California Email: [email protected] http://ceng.usc.edu/~kaihwang Wireless PKI and Distributed IDS Research Projects at USC

Transcript of Kai Hwang Research Projects - USC GridSec...

Page 1: Kai Hwang Research Projects - USC GridSec Projectgridsec.usc.edu/hwang/TalksandPresentations/japan090402.pdf · RAN 1 (WLAN) RAN 2 (CDMA) RAN 3 (WCDMA or UMTS) RAN n ... KPI Portal

December 19, 2002 Kai Hwang, USC 1

Kai Hwang

Internet and Pervasive Computing Laboratory

University of Southern California

Email: [email protected]

http://ceng.usc.edu/~kaihwang

Wireless PKI and Distributed IDS Research Projects at USC

Page 2:

Current Research Projects

• Cost-effective cluster platform for supporting wireless PKI (WPKI) with high security, scalability, availability, and interoperability

• Distributed Intrusion Detection Systems (IDS) for protecting clusters and Intranets in pervasive computing and mobile E-Commerce applications

• Wireless Gateway architecture with extensive software and middleware development for supporting PKI, AAA, and IDS in achieving proactive intrusion responses

Page 3:

Securing Clusters, LANs, Intranets, WANs, Grids, and Internet Resources with intrusion detection and automatic recovery from malicious attacks

[Figure: chart with axes "Increasing Security" and "Increasing scalability" (Cluster/LANs, Intranet/WANs, Grid/Internet); end labels "No protection" and "Fully secured". Regions shown:]

• Design Goals: Distributed dynamic security and privacy to support fine-grain resource access with automatic intrusion prevention, detection, and responses

• Intranets or WANs protected by firewalls under a static policy, fixed cryptography and limited scalability

• Server Clusters or Web sites with no security protection

Page 4:

Core Technology in Wireless Internet

[Figure labels: Multi-Mode Mobile Station; RAN 1 (WLAN); RAN 2 (CDMA); RAN 3 (WCDMA or UMTS); RAN n (other access technology); Unified All-IP Core Network; IP Backhaul; Mobile Internet Edge; Intranets; Internet]

Mobile Internet Edge:

• Mobile Internet Edge Product
• WTCP and WTLS Software Suites
• Cluster Platform for Wireless Gateway
• Storage-area Networking and RAID

Multi-mode Mobile Station:

• WTCP
• WTLS
• 1x EV DO + WLAN
• Chipset

Page 5:

Market Analysis of PKI and WPKI in Internet Security Arena

Page 6:

Basic Wireless Security Requirements:

• Confidentiality of exchanges – make sure that nobody can listen in.

• Authentication – certify the identities of the parties involved.

• Data Integrity – assurance that data is not tampered with on its journey.

• Non-repudiation of transactions – assure agreements are legally binding.

Page 7:

Wireless Internet access and WAP Gateway Functionality Based on WTLS Technology

WTLS: Wireless Transport Layer Security

The Protocol to implement wireless security in the WPKI (Wireless Public Key Infrastructure)

Page 8:

Wireless PKI (WPKI) Platform: Software and System Development for Securing Mobile E-Commerce

Page 9:

WTLS Stack over Wireless Gateway

[Figure: protocol stacks of the Phone, the Wireless Gateway, and the Web Server. Phone: Browser, WTLS, WDP, Bearer. Wireless Gateway: WTLS, WDP, Bearer and TLS, TCP, IP. Web Server: Server, TLS, TCP, IP. Other labels: Data in the Clear; Wireless Network; Wired Network; Link.]

Wireless Transport Layer Security

Page 10:

Interoperability of WPKI with Traditional PKI

[Figure labels: WPKI Expansion; Traditional PKI; Mobile Devices; Mobile Client; Smart Cards; WAP Gateway; Mobile Services Server; RA for Mobile PKI portal; WPKI CA Server; Traditional RA; Directory Server; Conventional CA Servers; Other CA Servers; SSL/TLS; WTLS; X.509; X.500/LDAP; OCSP; PKCS #7; PKCS #10; PKCS15; PUBLISH; WTLS CERTIFICATE REQUEST PKCS #10; WTLS CERT.; X.509 CERT]

Page 11:

Layered Development of the WPKI Portal

Page 12:

Distributed Micro-Firewalls for Protecting Intranets

M. Gangadharan and K. Hwang, “Intranet Security with Micro Firewalls and Mobile Agents for Proactive Intrusion Response”, IEEE International Conference on Computer Networks and Mobile Computing, Beijing, China, October 16-19, 2001.

Page 13:

Distributed Firewall Architecture built in Trojans Cluster at USC

[Figure labels: Internet; Router; Gateway Firewall; Policy Manager; Demilitarized Zone; Router; Switch Network; Nodes with Micro-Firewall]

Page 14:

Implementing Micro-Firewall in The Linux Kernel

[Figure: layered view of a Linux host with layers User Space, Kernel Space, and Hardware. Labels: User Programs; System call interface; Micro-firewall; Packet Filter; Anomaly Detection; Access Logging; TCP/IP Stack; Memory, file and Process Managers; Network Cards; Disk Drives; Main Memory]

K. Hwang and M. Gangadharan, “Micro-Firewalls for Dynamic Security with Distributed Intrusion Detection”, IEEE International Symposium of Network Computing and Applications, Cambridge, MA. Oct. 8-12, 2001

Page 15:

Distributed Intrusion Detection and Response in a Linux Cluster


Page 16:

Wireless Gateway Platform for Fast prototyping of Various Gateway Products in All-IP Networks

[Figure labels: Wireless Gateway Platform; WLAN; GGSN; PDSN; Media Gateway; SGSN]

Page 17:

The Cluster Architecture of A GGSN Gateway in UMTS Network

[Figure labels: GGSN; Dispatcher 1; Dispatcher 2; PN; DN; RAID for OS/Backup; Ethernet Switch; IP Database; ROUTER; Back-bone IP Core Network (SGSN); Billing System; Network Management System; Internet, Intranet, PDN, PLMN etc.; interfaces Gn, Gp, Gi, Ga]

Legend:

• PDN: Packet Data Network
• Gi: Interface to PDN
• Gn: Interface to SGSN
• Ga: Interface to Billing and NMS
• Gp: Interface to PLMN
• PN: Processing Node
• DN: Database Node
• RAID: Redundant Array of Independent Disks

Page 18:

Cluster Middleware, Linux Extensions, and Hardware Support of High-Availability

[Figure: layered stack, listed in the order the labels appear]

• IP Packet Applications
• Hardware Support: Hotswap Devices, Router Interfaces
• Linux OS Extensions: HA Interface, HA/HW Drivers, I/O Drivers, Platform Management Drivers
• Cluster Management Middleware: Fault Management, Availability Management, Failback Support, Failover Support, Packet Switching
• Linux (three instances), each on a CPU
• Redundant Cluster Interconnects, Redundant Power, Redundant Cooling

Page 19:

Upgrading AAA to Secure Mobile Internet Accesses through Wireless Gateways

• Access equipment includes SGSN, GGSN, FA, HA, or PDSN, which can be prototyped on the IST wireless platform.

• To improve the RADIUS server in providing AAA services with higher reliability, performance, and scalability in billing, auditing, and network planning.

• Must consider the integration capability, multi-vendor support, multi-access support, and multiple accounting record supports.

Page 20:

Concluding Remarks:

• HA clusters and Distributed RAID need dynamic SAN Reconfiguration and fault-tolerant Data Storage Management

• Explores wireless access technologies to build gateways, WPKI, and WTCP platforms for wireless Internet applications

• Providing superior security, high availability, and cost-effective scalability in cluster, grid and pervasive computing for a digital society

Page 21:

USC Linux Cluster with Middleware for Security and Checkpoint Recovery

[Figure: layered cluster stack. Labels: Programming Environments (Java, EDI, HTML, XML); Web Windows User Interface; Other Subsystems (Database, OLTP, etc.); Single-System Image and Availability Infrastructure; Security and Checkpointing Middleware; Linux (three instances); Pentium PC (three instances); Gigabit Network Interconnect]

Page 22:

Policy Update Mechanisms

• Report Format: XML
• Message Exchange Protocol: SOAP
• Firewall: Iptables
• IDS Software: Snort, LogSentry

Page 23:

High-Availability Clusters and SAN Projects

• Distributed Software RAID built with Single I/O Space in Linux/Unix Clusters in SAN Environment

• Developing Software and Middleware Suites for DSM (Data Storage Management) and RAS (Reliability, Availability, and Serviceability) in SAN/RAID Applications

Page 24:

Certificate validation with WTLS and SCVP protocols in Wireless Networks

• The WTLS operates over a datagram protocol and demands end-to-end security through certificate validation.

• The IST team implements a short-lived SCVP (simple certificate validation protocol) to protect.

• The validation will enable faster PKI integration and provide centralized certificate policy management and thus better control over trust

Page 25:

Upgrading AAA to Secure Mobile Internet Accesses through Wireless Gateways

• Access equipment includes SGSN, GGSN, FA, HA, or PDSN, which can be prototyped on the IST wireless platform.

• IST improves RADIUS to perform AAA with higher reliability, performance, and scalability in billing, audits, and network planning.

• Must consider the integration capability, multi-vendor support, multi-access support, and multiple accounting record supports.

Page 26:

Dynamic Firewall Rule Update in Host-based Micro Firewall

[Figure labels: FLOGCHEK; FCMP; GPG; CERT_MAN; CS; Sender’s Repository; Receiver’s Repository; Key ring (two instances); IPTABLES; SNORT; LOGCHECK; NOTIFY RECEIVER; TRANSMIT ENCRYPTED & SIGNED ACs; UPDATED RULES; DATABASE QUERIES (two instances); USERS]

Page 27:

All-IP Backbone Network in 3G/UMTS

[Figure labels: RAN; BS; BSC/PCU; Node B; RNC; SGSN; GGSN; IP Backbone Core Network; HLR/AC; RADIUS; NMS; WAP/PTM Servers; Multimedia Call Server; PSTN; GW; Other PLMN; The Internet; Intranet; PDN. Interface labels: Gm, Ga, Gb, Gi, Gp, Gn, Gc, Gr, Iu-PS, Lu-bis]

Page 28:

Value-Added Middleware Development (Hwang, et al, IEEE Concurrency, March 1999)

[Figure: middleware layers between User Applications and the Cluster Hardware and OS Platform, grouped into Implementation level, Management level, and Programming level. Labels: Job Management System (GLUnix, LSF, Codine); Single File Hierarchy (NFS, AFS, xFS, Proxy); Distributed Shared Memory (TreadMark, Wind Tunnel); Checkpointing and Process Migration; Single Process Space; Single I/O Space (SIOS)]

Page 29:

Increasing Demand of Secure Wireless and Pervasive Applications:

• LANs, clusters, Intranets, WANs, Grids, and the Internet all demand security protection, fault-tolerance, and hacker-proof operations, which are crucial to a digital society and economy.

• Distributed storage-area networks demand HW/SW support of a single I/O space and global file and database management in all network-based computing applications.

• Many innovative applications exist in mobile wireless services, E-commerce, telemedicine, distance education, collaborative design, pervasive computing, digital entertainment, etc.

Page 30:

Dynamic Policy Update Cycle

[Figure: cycle of five steps, numbered 1 to 5 in the figure. Box labels:]

• Local attacks are detected
• Report to policy manager
• Policy manager: Decide proper action
• Policy manager: Broadcast the updated policy
• Local node: Take actions upon the message

Page 31:

WPKI Product Line and IP Chart: The Platform and Software Suite

[Figure labels: WPKI Product Line; WPKI Platform; Software Suite; The CA Software; KPI Portal Software; Client Toolkits; Crypto Library; Wireless Gateway with enhanced security; CA system; PKI Portal (RA); Directory Server]

Page 32:

Web Model and WAP (Wireless Application Protocol) Architecture

Page 33:

Comparison of Agents, CORBA, and RMI for Security-Policy Update on Intranets or Clusters

Capabilities compared: Mobile Agents, CORBA Middleware, RMI Middleware

Central policy coordination

• Mobile Agents: Autonomous and require no coordination once dispatched
• CORBA Middleware: The policy manager coordinates all communications
• RMI Middleware: The policy manager acts as the RMI registry to coordinate among all nodes

Reaction time to policy change

• Mobile Agents: The time increases with the number of agents dispatched.
• CORBA Middleware: Faster than agents or RMI to react to a policy change
• RMI Middleware: RMI slower than CORBA and faster than agent based system for policy update

Hosts fortified with micro-firewalls

• Mobile Agents: Agents carry most mechanisms required to update security policy
• CORBA Middleware: Requires the ORB middleware support on all hosts in the Intranet
• RMI Middleware: Requires JVM to be present on all the hosts.

Security Mechanisms

• Mobile Agents: Use authentication and encryption. Still prone to attacks from hosts/agents.
• CORBA Middleware: Security implemented with the CORBASec.
• RMI Middleware: Security is the best among all three, implemented with the Java sandbox model.

Update Process Termination

• Mobile Agents: Multiple agents used autonomously, Policy update always completes
• CORBA Middleware: Implemented at application level using RPC-like semantics
• RMI Middleware: Implemented at application level using RPC-like semantics

Page 34:

Distributed Intrusion Responses

Security Threats and Effectiveness in using Micro-Firewalls:

• Insider attacks: Protect hosts against attack from insiders
• Denial-of-Service attacks: Protect against denial-of-service attacks from any source
• Trojan Program: Protect hosts from trapdoors by any source
• IP Address Spoofing: Can be reconfigured to prevent IP spoofing at the client host level
• Probes and Scans: Use with IDS to block the probes and scans close to their sources
• Unauthorized External access: Can prevent unauthorized access to the external networks at the source
• Attacks on Intranet Infrastructure: Resist both internal and external attacks and provide fine-grained access control

Page 35:

Adaptive Security Control Agents detect threats, learn from intrusion patterns, and update security safeguards

[Figure: diagram joined by "+" and "=" signs. Labels: Security Safeguards (Firewall, Authentication, Access control, Encryption); Detect Threats; Detect Vulnerabilities; Response; Adaptive Security]

Page 36:

A Sensor Agent for Distributed Intrusion Detection

[Figure labels: Host/agents Interaction Sequence; Memory; Communication Sub-system; Saving state Information; Interactions with local nodes; Interactions with remote nodes; Decision Making System]

Page 37:

Distributed Intrusion Detection System (DIDS)

[Figure labels: Intrusion Database; Security Policy; Decision Making System; Mobile firewalls on the Cluster Nodes; Subsystem For RMI; IDS; Sensor; Controller; Intrusion data store; Request; Response; Response dispatch]

Page 38:

The DIDS Testbed Architecture

• 6 Pentium II 500 MHz 64 MB RAM Machines

- Redhat Linux 7.3 (kernel 2.4.18)

- 1 Policy Manager

- 4 Nodes

- 1 Attack machine

• Fast Ethernet Connection

• 3com SuperStack II 3300 Ethernet Switch

Page 39:

Attack Generators

• Scanners
  – IP range scanner
  – Port Scanner
  – Ping Scanner

• Penetrators
  – FTP/ TCP/ UDP Flooder
  – Mail Spoofing
  – Buffer overloader

Page 40:

Security Software Support

Intrusion Detection System (IDS)

• Snort – NIDS
• LogSentry – Log Auditor
• Tripwire – File Integrity Check
• PortSentry – Port Scan monitoring and auto-blocking

Firewall

• Iptables

Access Control

• TCP Wrapper – allow/deny host on basis of services

Page 41:

Wireless Security Projects:

• Development of wireless security features in IEEE 802.11b and HiperLAN/2 Standards

• Securing gateways, SAN, clusters, and intranets with distributed micro-firewalls

• Certificate validation with WTLS and SCVP protocols in wireless networks

• Upgrading AAA solutions for securing wireless gateway infrastructure

• Completing the security chain among smart cards, PKI, and digital signatures

Page 42:

Wireless Threats from Viruses and Malicious Mobile Code

• Masquerading - Identity misuse
• Denial of Service - Resource occupation
• Unauthorized Access - Intrusions
• Repudiation - Dispute services provided
• Eavesdropping - Secrecy interception
• Alteration - Data/code integrity
• Copy and Reply - Clone of agents

Page 43:

Security Component Technologies

• Firewall Architecture and Cryptography
• Cluster Middleware for Dynamic Security
• Anti-virus and Digital Immune Systems
• Intrusion Detection Systems (IDS)
• Public Key Infrastructure (PKI)
• Authentication, Authorization, and Accounting (AAA)

Page 44:

Wireless LAN Security in IEEE 802.11b and HiperLAN/2

• IEEE 802.11b operates in the 2.4 GHz band with a highest data rate of 11 Mbps

• HiperLAN/2 by ETSI operates at 5 GHz and supports data rates over 50 Mbps

• The two WLAN Standards are not interoperable

• Security issues: War Driving, MAC Address, Service Set ID, and Wired Equivalent Privacy (WEP) need to be solved with authentication (RADIUS), third-party products, and firewall gateway control

• Growing use and popularity of WLAN ($2.2 billion market by 2004) require increased focus on security

Page 45:

Securing Gateways, SAN, Clusters, and Intranets with Distributed Firewalls

• Distributed micro firewalls and IDS built in the IST wireless gateway platform

• Dynamic security policy update with attributed certificates (AC) and mobile agents (Aglets)

• RMI, CORBA, FTP, HTTP, SMTP, and Aglets can be used for transporting security updates

• Provide full spectrum of VPN security using IPSec, L2TP, PPTP, and PKI infrastructures

Page 46:

Charles Darwin (1809 - 1882)

“It is not the strongest of species that survive, nor the most intelligent, but the one most adaptable to change.”