Network Security and Information Assurance - IEEE · 2008-02-11 · IEEE Phoenix Section Computer...
Network Security and Information Assurance: a broad brush
A Discussion of Firewalls, Intrusion Detection Systems, Encryption, and the Common Criteria for evaluating Information Assurance Products
Robert Neal Smith [email protected]
[email protected], IEEE Phoenix Section Computer Society Chapter, Feb 27, 2003
Order of Presentation
! Introduction
! Firewalls
! Intrusion Detection Systems
! Encryption
! Common Criteria
! Questions
Introduction
! Firewalls block or allow selected traffic based on various parameters (typically IP address, TCP or UDP port number)
! Intrusion Detection Systems involve scanning traffic on a network or within a host to determine if an intruder is present.
! Encryption systems involve the distribution of keys used by the encryption algorithm for the encryption/decryption of messages and data. (algorithms, keys, key management)
! Common Criteria is the standardization of testing methods for showing that information technology systems have security.
What makes an application secure?
Security
! Privacy / Confidentiality (supported by encryption and firewalls)
! Integrity (supported by signatures)
! Authentication
! Non-Repudiation (supported by signatures)
! Denial of Service (supported by firewalls)
Before we begin: R U Familiar with..
! Sapphire (aka SQL Slammer)
  – What could have been done?
    • Patches to the application
    • Firewall policy to block
      – UDP from selected addresses on port 1428
    • Intrusion detection of UDP traffic on port 1428 and a search for the signature
    • Encryption and signatures of user communications
    • Better requirements and testing of the application to prevent security holes.
    • Know who is connecting to your network
FIREWALL
Firewall
! Firewalls (or internet interface proxies) may be used to provide a secure interface to the Internet.
  – Firewall blocks or allows traffic
  – Proxy filters application traffic and provides address translation
    • The main proxies are the web interface proxies
      – Providing filtering on normal TCP port 80
Firewall Techniques
! Policy Based
  – (based on your security policy)
! Address Filter
  – Allow or disallow
Firewall Functions
! Block selected traffic
  – Security policy
    • Address,
    • Port,
    • Protocol,
    • Service,
    • Direction, and
    • User.
Firewall Model Background
[Figure: firewall model regions labelled Fully Blocked Region, Partially Blocked, Partially Enabled, and Fully Enabled Region]
Popular Products
! PIX by Cisco (Ver 6.0)
! Firewall-1 by Checkpoint (http://www.checkpoint.com)
! NetWall by Evidian Inc (www.evidian.com)
Home Use Firewall
! Norton
! McAfee
ENCRYPTION
Encryption (ref: Applied Cryptography by Bruce Schneier)
! Algorithm
  – Symmetric (key distribution is difficult) (DES, BLOWFISH, RC3, etc)
  – Asymmetric (2 parts: private and public parts) (RSA, DSA)
  – Digital Signatures (one-way hash function)
  – Certificates
! The Key
  – 56 bits,
  – Elliptical
! Key Management
  – Firefly
  – PKI (Public Key Infrastructure) (key must be 7 times longer for equivalent 56 bit RSA encryption), evolving into a very complex hierarchy
  – X.509 Certificates (trust someone)
Application of Encryption
! Link Layer Encryption
  – Voice and
  – Data (1970’s ARPA)
  – KG-15, KG-30….
  – TACLANE (ATM)
! Application
  – Kerberos
  – Secure Sockets Layer
  – Secure Telnet
PC Disk and Application Security
! Secret Agent
  – SecretAgent® is the premier file encryption and digital signature utility, supporting cross-platform interoperability over a wide range of Windows- and UNIX-based systems. ($50)
  – Information Security Corp (ISC) www.infoseccorp.com
! SpyProof
  – automatically encrypts all data blocks written to it and then transparently decrypts them for any application
  – Information Security Corp (ISC) www.infoseccorp.com
Secure Sockets Layer
! Public Key
! Private Key
! Session (secret key)
! Only as secure as
  – the Length and privacy of the KEY.
  – <Fill in the line>
Intrusion Detection Systems
IDS Categories
! Network based
! Host based
IDS Techniques
! Artificial Immune System [7]
! Control-Loop Measurement [8]
! Data Mining [9]
! Statistical [24]
! Signature-Based (Rule-Based [25]).
Problem Lists / Databases
! bugtraq (since 1993)
  – http://www.securityfocus.com/
  – http://online.securityfocus.com/archive/1
  – A description of bug / events
! Common Vulnerability Exposure (CVE) (since 1999)
  – http://www.cve.mitre.org/compatible/enterprise.html
  – http://www.cve.mitre.org/cve/
  – A Dictionary, Not a database
! WhiteHat
  – In Jail
Slammer Signature
! http://www.snort.org/snort-db/sid.html?sid=2003
! Signature/Rule
  – alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; classtype:misc-attack; reference:bugtraq,5311; reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;)
  – Literal meaning: any UDP from an external IP to a home IP at port 1434
    • If you see hex 81 F1 03 01 04 9B 81 F1 01 and “sock” and “send”
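To make the "literal meaning" of the rule concrete, here is an added example (not from the slides or from Snort itself): a minimal matcher that reads the content and depth options out of the rule quoted above and applies them to constructed sample datagrams, showing why the depth:1 option matters.

```python
from typing import List, Optional, Tuple

# The Snort rule quoted on the slide (sid 2003, rev 2). The matcher below
# understands only the header, "content" and "depth"; other options are skipped.
SLAMMER_RULE = (
    'alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; '
    'content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; '
    'content:"send"; reference:bugtraq,5310; classtype:misc-attack; reference:bugtraq,5311; '
    'reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;)'
)


class ContentMatch:
    """One content option: the bytes to find and an optional depth limit."""

    def __init__(self, pattern: bytes, depth: Optional[int] = None):
        self.pattern = pattern
        self.depth = depth


def decode_content(text: str) -> bytes:
    """Snort content syntax: text between |...| is hex bytes, the rest is literal."""
    out = b""
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out


def parse_rule(rule: str) -> Tuple[str, int, List[ContentMatch]]:
    """Return (protocol, destination port, ordered content matches) of a rule."""
    header, options = rule.split("(", 1)
    fields = header.split()
    proto, dport = fields[1], int(fields[6])
    matches: List[ContentMatch] = []
    for opt in options.rstrip(")").split(";"):
        key, _, value = opt.strip().partition(":")
        if key == "content":
            matches.append(ContentMatch(decode_content(value.strip('"'))))
        elif key == "depth" and matches:
            matches[-1].depth = int(value)  # depth modifies the preceding content
    return proto, dport, matches


def rule_hits(rule: str, proto: str, dport: int, payload: bytes) -> bool:
    """True when a datagram matches the rule header and every content option."""
    want_proto, want_port, matches = parse_rule(rule)
    if proto != want_proto or dport != want_port:
        return False
    # Content options without relative modifiers are each searched independently
    # over the payload (limited to the first `depth` bytes when depth is set).
    return all(
        m.pattern in (payload if m.depth is None else payload[:m.depth]) for m in matches
    )


# Constructed sample datagrams (not captures of the real worm): a payload that
# carries every fragment the rule names, the same bytes sent to port 1433
# instead, a benign one-byte Resolution Service ping, and a payload whose 0x04
# byte is not first, which depth:1 rejects.
MATCHING = b"\x04" + b"\x01" * 8 + bytes.fromhex("81F10301049B81F101") + b"..sock..send.."
SAMPLES = [
    ("udp", 1434, MATCHING),
    ("udp", 1433, MATCHING),
    ("udp", 1434, b"\x02"),
    ("udp", 1434, b"\x00" + MATCHING),
]


def scan(samples) -> List[bool]:
    """Run the rule over each (protocol, destination port, payload) sample."""
    return [rule_hits(SLAMMER_RULE, p, port, data) for p, port, data in samples]


if __name__ == "__main__":
    print(scan(SAMPLES))  # [True, False, False, False]
```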
CVE Candidate (CAN)
! CAN-2000-1209
  – The "sa" account is installed with a default null password on (1) Microsoft SQL Server 2000, (2) SQL Server 7.0, and (3) Data Engine (MSDE) 1.0, including third party packages that use these products such as (4) Tumbleweed Secure Mail (MMS) (5) Compaq Insight Manager, and (6) Visio 2000, are installed with a default "sa" account with a null password, which allows remote attackers to gain privileges, including worms such as Voyager Alpha Force and Spida.
CVE Candidate
! CAN-2002-0649
  – Multiple buffer overflows in SQL Server 2000 Resolution Service allow remote attackers to cause a denial of service or execute arbitrary code via UDP packets to port 1434 in which (1) a 0x04 byte causes the SQL Monitor thread to generate a long registry key name, or (2) a 0x08 byte with a long string causes heap corruption.
BugTraq (Sample)
! SQL Sapphire Worm Analysis
! Release Date: 1/25/03
! Severity: High
! Systems Affected: Microsoft SQL Server 2000 pre SP 2
! Description: Late Friday, January 24, 2003 we became aware of a new SQL worm spreading quickly across various networks around the world.
! The worm is spreading using a buffer overflow to exploit a flaw in Microsoft SQL Server 2000. The SQL 2000 server flaw was discovered in July, 2002 by Next Generation Security Software Ltd. The buffer overflow exists because of the way SQL improperly handles data sent to its Microsoft SQL Monitor port
Monitor / Search Techniques
! User behavior
! Network traffic
  – Pattern match
Popular Products
! Real Secure (Ver 6.0) (www.iss.net)
  – <$5k
  – Related Products
    • Black ICE ($49.00)
! NFR Security (Ver 5.0) (www.nfr.com)
  – <$5k
! SNORT (Ver 1.9.0) (http://www.snort.org)
  – free software
! Tripwire (http://www.tripwire.com)
! Cisco Secure IDS ()
Home Use IDSs
! Black Ice
! Norton
! Snort
! may not be compatible with other products
Common Criteria
Common Criteria (http://www.commoncriteria.org/)
! Managed by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) (heading towards commercialization)
! Commercialized/Privatized/Nationalized
! Common Criteria is IT security evaluation
Creation of CC
! National Institute of Standards and Technology (NIST)
! National Security Agency (NSA)
  – National Information Assurance Partnership (NIAP)
    • NIAP Common Criteria Evaluation and Validation Scheme for IT Security
Common Criteria
! Standards
! Training
! Tools
! Common Criteria
  – Part 1, Introduction and general model
  – Part 2, Security functional requirements
  – Part 3, Security assurance requirements
! Common Evaluation Methodology
  – CEM Version 1.0 Part 2
Very Brief Overview of CC
! Common Terms
  – TOE - Target of Evaluation
  – Evaluation Assurance Level (EAL)
  – Protection Profile (PP): requirements of the TOE; an implementation-independent set of security requirements
  – Security Target (ST): the TOE's implementation-dependent requirements are contained in a construct termed the Security Target (ST).
CC Documents
! Part 1: Introduction and General Model
! Part 2: Security functional components
! Part 3: EALs and Security assurance components
How to Use CC Documents (columns: Consumers, Developers, Evaluators)
Part 1: Introduction and General Model
  Consumers: For background information and reference purposes
  Developers: For background information and reference for the development of requirements and formulating security specifications for TOEs
  Evaluators: For background information and reference purposes. Guidance structure for PPs and STs
Part 2: Security Functional Requirements
  Consumers: For guidance and reference when formulating statements of requirements for security functions
  Developers: For reference when interpreting statements of requirements and formulating functional specifications of TOEs
  Evaluators: Mandatory statement of evaluation criteria when determining whether a TOE effectively meets claimed security functions
Part 3: Security Assurance Requirements
  Consumers: For guidance when determining required levels of assurance
  Developers: For reference when interpreting statements of assurance requirements and determining assurance approaches of TOEs
  Evaluators: Mandatory statement of evaluation criteria when determining the assurance of TOEs and when evaluating PPs and STs
Common Criteria
! The CC, or more precisely the Common Criteria for Information Technology Security Evaluation, version 2.1 [CC99-P1, CC99-P2, and CC99-P3],
! The CC provides extensive flexibility in selecting components to satisfy security objectives.
CC Requirements Construction
! Classes
  – most general grouping of security requirements.
! Families
  – a grouping of sets of security requirements that share security objectives
! Components
  – a specific set of security requirements
! Package
  – intermediate combination of components
Evaluation Assurance Levels (EALs)
! an increasing scale that balances the level of assurance obtained with the cost and feasibility of acquiring that degree of assurance.
! EAL 1 through 7
  – Typical Windows 2000 is rated EAL 4+
More on Common Criteria
– The Common Criteria (CC) provides a grammar for describing Information Technology (IT) system security.
• The CC is a language you can use to describe IT product and system security requirements or specifications.
– The Common Criteria (CC) Toolbox provides an automated process for identifying Information Technology (IT) security requirements
– Use the Users Guide, Touring the CC Toolbox, and Reference Manual together.
CC ToolBox
! The CC Toolbox helps you to write a PP
! Download from National Information Assurance Partnership (NIAP) website (http://niap.nist.gov/tools/cctool.html).
! NIAP provides a database of security engineering information.
  – CC Profiling Knowledge Base.
Products Tested by NIST
[Figure: product categories grouped under four headings: Defend the Network and Infrastructure; Defend the Enclave Boundary; Defend the Computing Environment; Supporting the Infrastructure (PKI, Detect, Mgmt). Categories shown: Switches & Routers, Firewalls, Operating Systems, Network Mgmt, Routers, VPNs, Biometrics, Certificate Management, WLANs, Remote Access, Secure Messaging, Key Recovery, Mobile Code, Tokens, Smart Cards, Multiple Domain Solutions, Single-Level Web Servers, PKI/KMI, Guards, Sensitive Data Protection, IDS, Trusted DBMS, PC Access Control, Peripheral Switch, Misc.]
Product Information
! Product Name
! Manufacturer
! Conformance Claim
! Validation Date
! CC Scheme
The CC Toolbox helps you do the following:
! Describe the assumptions, policies, and threats that make up the TOE security environment.
! Capture security objectives to counter threats and satisfy policies and assumptions for the TOE and its environment.
! Identify relevant CC components to satisfy an objective and incorporate them into your PP or ST.
! Apply CC operations (i.e., assignment, iteration, refinement, and selection) to tailor CC components into requirements.
! Select an Evaluation Assurance Level (EAL).
! Manage mappings that relate the TOE security environment to the security objectives and relate security objectives to requirements.
! Build rationale arguments required by the CC.
! Manage details of identification, component dependencies.
CC Reports
! Protection Profile (PP) Report, helps specify your IT security requirements (PP requirements called security objectives) using CC terminology
! Security Target (ST) Report, which helps vendors indicate the security objectives that a particular product meets, also using CC terminology
CC Tool Steps for PP
! Protection Profile (PP) steps supported by CC Tool include:
  – Identifying TOE Security Environment (Environment Interview[R]).
  – Specifying TOE Security Environment (Context[R]).
  – Selecting Evaluation Assurance Level (EAL[R]).
  – Identifying Applicable CC Components (Component Interview[R]).
  – Allocating CC Components (Allocation[R]).
  – Clarifying CC Components (Elaboration[R]).
  – Completing Draft Report (Report[R]).
CC Component
! A CC component is the smallest selectable set of security requirements
CC Tool Steps for ST
! ST Steps are as follows:
  – Identifying Applicable CC Components (Component Interview[R]).
  – Selecting Evaluation Assurance Level (EAL[R]).
  – Identifying TOE Security Environment (Environment Interview[R]).
  – Specifying TOE Security Environment (Context[R]).
  – Allocating CC Components (Allocation[R]).
  – Clarifying CC Components (Elaboration[R]).
  – Completing Draft Report (Report[R]).
Tool Knowledge Base (Grows)
! The Knowledge Base contains sample policy, threat, and assumption statements that you can use to describe the TOE security environment.
The CC Tool
! Requires Java 1.3
Questions
Security Training
! SANS (SysAdmin, Audit, Network, Security) Institute
  – http://www.sans.org
  – Since 1989
  – GIAC (Global Information Assurance Certification) in 1999
! Common Criteria
  – NIAP (using the tools)
! Certificates
  – Master Certificate in Computer Security WWW.ITI.EDU
  – System and Network Security Certificate Program WWW.ITI.EDU
! NIST
  – http://csrc.nist.gov/ATE/te_full.html#build
References
! Common Criteria for Information Technology Security Evaluation (CC 2.1) is a revision that aligns it with International Standard ISO/IEC 15408:1999.
Web References
! https://www.trusecure.com
! http://www.iss.net
Examples of Common Criteria
! Smart Card
! Windows 2000
Acronym/Glossary
! Common Criteria Testing Laboratory (CCTL)
! security target (ST)
! Information Technology (IT)
! target of evaluation (TOE)
! Information Assurance (IA)
Web Links
! http://niap.nist.gov/cc-scheme
! http://commoncriteria.org
! http://niap.nist.gov/
The Primary Documents
! http://commoncriteria.org/docs/PDF/CCPART1V21.PDF
! http://commoncriteria.org/docs/PDF/CCPART2V21.PDF
! http://commoncriteria.org/docs/PDF/CCPART3V21.PDF
Related Papers
! Smith, R. N. and S. Bhattacharya, 1997, “Firewall Placement In A Large Network Topology,” IEEE FTDCS’97
! Smith, R. N. and S. Bhattacharya, 1998, “Fault and Leak Tolerance in Firewall Engineering,” IEEE HASE’98
! Smith, R. N. and S. Bhattacharya, 1998, “A Protocol and Simulation for Distributed Communicating Firewalls,” IEEE COMPSAC’99
! Smith, R. N. and S. Bhattacharya, 1999, “Operating Firewalls Outside the LAN Perimeter,” IEEE IPCCC’99.
Related Papers
! Smith, R. N. and S. Bhattacharya, 1999, “Distributed Firewall Protocol, With Simulation and Emulation Tool in Java,” Motorola Inc., SMS’99
! Smith, R. N., R. Feigen, and S. Bhattacharya, 2000, “Securing Communications in an Enterprise Network of LAN and or WAN by Utilizing an Enhanced Encrypting Network Interface Card and Associated Software,” Motorola Inc., Technical Developments, 2000
! Smith, R. N., and S. Bhattacharya, 2003, “Cascade of Distributed and Cooperating Firewalls in a Secure Data Network,” IEEE Transactions on Knowledge AND Data Engineering, VOL. 15, NO. 4, July/August 2003
Listed References
[1] S. Staniford, J. Hoagland, J. McAlerney. “Practical Automated Detection of Stealthy Portscans.” In: CCS IDS Workshop, Athens. November 1, 2000.
[2] deleted.
[3] A. Sundaram. “An Introduction to Intrusion Detection.” http://www.acm.org/crossroads/xrds2-4/intrus.html
[4] H. Debar. “What is knowledge-based intrusion detection?” In: Intrusion Detection FAQ. http://www.sans.org/newlook/resources/IDFAQ/knowledge_based.htm
[5] H. Debar. “What is behavior-based intrusion detection?” In: Intrusion Detection FAQ. http://www.sans.org/newlook/resources/IDFAQ/behavior_based.htm
[6] D. Lehmann. “What is ID?” In: Intrusion Detection FAQ. http://www.sans.org/newlook/resources/IDFAQ/what_is_ID.htm
References Continued
[7] J. Kim. “An Artificial Immune System for Network Intrusion Detection.” http://www.cs.ucl.ac.uk/staff/J.Kim/GECCO_WS99.html
[8] M. Craymer, J. Cannady, J. Harrell. “New Methods of Intrusion Detection using Control-Loop Measurement.” In: Fourth Technology for Information Security Conference ’96. May 16, 1996.
[9] W. Lee, S. Stolfo. “Data Mining Approaches for Intrusion Detection.” In: Proceedings of the 7th USENIX Security Symposium. 1998.
[10] M. Gerken. “Statistical-Based Intrusion Detection.” http://www.sei.cmu.edu/str/descriptions/sbid_body.html
References Continued
[11] http://www.nfr.com/products/NID/
[12] http://www.checkpoint.com/products/firewall-1/realsecure.html
[13] http://www.portcullis-security.com/products/index.htm
[14] http://www.snort.org
[15] http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/
[16] S. Northcutt. Network Intrusion Detection: An Analyst’s Handbook. New Riders, Indianapolis, 1999. p. 125.
References Continued
[17] http://www.silicondefense.com/software/spice/index.htm
[18] http://www.tcpdump.org
[19] http://www.ethereal.com
[20] http://www.gnu.org/copyleft/gpl.html
[21] R. Permeh, M. Maiffret. “.ida “Code Red” Worm.” http://www.eeye.com/html/Research/Advisories/AL20010717.html
[22] R. Lyttle. http://www.sub-seven.com
[23] D. Ruiu. “Snort FAQ Version 1.8.” http://snort.sourcefire.com/docs/faq.html
[24] M. Prabhaker. “Intrusion Detection.” http://www.cs.wright.edu/~pmateti/Courses/499/IntrusionDetection/
References (continued)
[25] M. Gerken. “Rule-Based Intrusion Detection.” http://www.sei.cmu.edu/str/descriptions/rbid_body.html
[26] R. Lupton. Statistics In Theory And Practice. Princeton University Press, Princeton, NJ, 1993. p. 50.
Distributed and Communicating Gateway Firewalls (a system of)
! A system of distributed communicating gateways with a firewall incorporated in each distributed node (DCGFW)
Architecture Topology
[Figure: topology with an Attacker, an Attackee and Scout nodes; legend: untrusted node, trusted node, scout to monitor traffic; nodes arranged in rings k=1, k=2, k=3, k=4 around the attackee]
The LAN Node (the main node)
! CGFW manager
! CGFW aware gateway
! Filter commands
! Activation heuristics.
Naïve Activation
! Set 1 CGFW active
  – At the LAN or
  – At the attacker CGFW
Ring Heuristic
[Figure: ring heuristic; two node grids, one around the Attacker and one around the Attackee, each with nodes labelled 1 to 16 and a to p]
Path Heuristic (Shortest Path)
! Smallest number of hops
! Smallest delay
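The three activation heuristics on these slides (naïve, ring, and shortest path by hops or by delay) worked through on a small constructed topology, as an added example that is not from the slides or the cited papers; the node names, link delays and the reading that the path heuristic activates every CGFW from the first hop past the attacker to the LAN firewall are assumptions.

```python
import heapq
from collections import deque
from typing import Dict, List

# Constructed topology (hypothetical, not from the paper): node -> {neighbour: delay in ms}.
# "atk" is the attacker's access node, "lan" the attackee's LAN firewall, c1..c4 are
# cooperating gateway firewalls (CGFW nodes). Two routes exist: a 2-hop route over
# slow links and a 4-hop route over fast links, so the two metrics disagree.
TOPOLOGY: Dict[str, Dict[str, float]] = {
    "atk": {"c1": 10, "c2": 1},
    "c1": {"atk": 10, "lan": 10},
    "c2": {"atk": 1, "c3": 1},
    "c3": {"c2": 1, "c4": 1},
    "c4": {"c3": 1, "lan": 1},
    "lan": {"c1": 10, "c4": 1},
}


def shortest_path(graph: Dict[str, Dict[str, float]], src: str, dst: str,
                  metric: str = "hops") -> List[str]:
    """Dijkstra from src to dst; metric 'hops' counts links, 'delay' sums link delay."""
    dist = {src: 0.0}
    prev: Dict[str, str] = {}
    heap = [(0.0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if node == dst:
            break
        if d > dist[node]:
            continue  # stale heap entry
        for nxt, delay in graph[node].items():
            cost = 1.0 if metric == "hops" else delay
            if d + cost < dist.get(nxt, float("inf")):
                dist[nxt] = d + cost
                prev[nxt] = node
                heapq.heappush(heap, (d + cost, nxt))
    if dst not in dist:
        return []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def naive_activation(path: List[str], at_attacker: bool = False) -> List[str]:
    """Naive activation: one CGFW only, the LAN firewall or the CGFW nearest the attacker."""
    return [path[1]] if at_attacker else [path[-1]]


def path_activation(path: List[str]) -> List[str]:
    """Path heuristic: activate every CGFW on the shortest path (attacker node excluded)."""
    return path[1:]


def ring_activation(graph: Dict[str, Dict[str, float]], attackee: str, k: int) -> List[str]:
    """Ring heuristic: activate every node within k hops of the attackee (breadth-first)."""
    seen = {attackee}
    queue = deque([(attackee, 0)])
    while queue:
        node, hops = queue.popleft()
        if hops == k:
            continue
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    return sorted(seen)


if __name__ == "__main__":
    by_hops = shortest_path(TOPOLOGY, "atk", "lan", "hops")
    by_delay = shortest_path(TOPOLOGY, "atk", "lan", "delay")
    print("hops:", by_hops, "-> activate", path_activation(by_hops))
    print("delay:", by_delay, "-> activate", path_activation(by_delay))
    print("ring k=1:", ring_activation(TOPOLOGY, "lan", 1))
```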
Shortest Path
[Figure: shortest path; legend: Un-Trusted, CGFW Nodes, CGFW Scout Nodes, Shortest Path(s). Attacker at the edge, CGFW nodes in rings k=1 to k=4, Attackee (LAN firewall) at the centre; CGFW nodes marked On Shortest Path or Not On Shortest Path]
Scouting of other CGFW agents
! Scout benefits
  – Distributed denial of service
  – Accounts for address spoofing.
Architecture Topology
[Figure: topology with an Attacker and an Attackee; legend: untrusted node, trusted node]