A solution for comprehensive network security

Transcription

1 Applied mathematics in Engineering, Management and Technology 2 (6) 2014: A solution for comprehensive network security Seyed Mehdi Mousavi Payam Noor University (PNU), IRAN m.mousavi55@gmail.com Abstract: There is some security solution that we can use in the network and there are many reports and logs.without a comprehensive solution, network admins cannot analyze network security problem. We need solution with integrated views on security subject. SOC (Security operation center) is a center that can do it. Keywords: Security, Network, SOC, Comprehensive 1-Introduction: with developing everyday using of communications and information transfer in networks and internet, enormous volume of administrative and commercial interactions are being transferred through it. Nowadays internet services and networks are being used as the most trustable, rapid, accessible communicative tools. Security seems so important because big companies use these networks. When we are talking about security, every company needs to it, so security approach should consider solving this problem without changing the companies systems and networks. We intend to introduce a network security operations center (SOC) for management of information security and communications using BS7799 standard as a solution for comprehensive network security. 2-Where is security operation center? Network security operations center (SOC), is a place to monitor and control of 24hours information input and output. Generally every SOC center is divided to three parts which every part has its duty. These parts are: First: contact point of clients and responsibility to reply client s warnings. At this part all warnings that are less complicated are replied. Second: this part is complement of first part and responsible to reply to more complicated problems in network security systems. For more important warning, this part is completely involved. Third: there are master experts and security consultants at this part. This part in fact is supporter of previous parts. If there is not any reply at previous parts, this part is involved to reply to problem shooting. All security approach and network security management are considered at this part. To designing network security management, there are different methodologies. However the bases of all methodologies are technology combination, human forces, processes at the core of network security center activities and surrounding it by administrative processes. These processes are composed of planning, designing, implementing, operating and developing network security center. Next layers of designing SOC, are composed of tools and criteria which all services are examined through. These tools and criteria include landscape, sources, time, cost, communications and risks which are at running of SOC. the most important point in running SOC is flexibility of methodology which by that we can present special solution for clients to network security management. In every part, there is a tool for security systems management. These tools monitor the network security through inner organization and outer organization views. In order to it, every SOC has tools in networks and in center. 22

2 All SOC centers services which are served, are monitored and managed. Other services which are served are as follows: - Developing security approaches - Teaching secure approaches - Firewalls designing - Immediate reply - Avoiding dangers and implementation Services which are served through this center include managed services which protect tools and SOC communications. These services apply methodology and strong hardware and software to manage security. Hardware parts which are used in networks by managed systems to apply secure approaches are: intrusion detection systems, firewall systems, and secure management systems in virtual private networks. 3- Need to managed services: Intrusion to domestic resources and foreign resources, threat networks and its programs every moment. Hackers from all over the world are monitoring secure tools to detect disorders and intrude networks and make entrance. In order to prevent them, it seems to need SOC secure systems. To create a secure system decent for managing a network with various applications, it needs expert personals which are able to manage systems from different virus and hackers. Systems which are run in SOC to network security management have automatically network tools analysis. Tools which are analyzed by this system are not limited to secure systems, and all infrastructure appliances of network are analyzed by this network management. This system in fact analyses all traffic models and servers, firewalls, physical secure systems and use them to prevent entering to the systems. Every odd traffic models observed, by microsystems analyzers are analyzed, and important warnings in network are being sent for every tools. In ordinary state concerning to polling program, all systems are monitored and concerning to secure profiles for every system possible intrusions have detected and thwarted. 4- Types of managed services in SOC 4-1-Firewall: 23

3 firewalls all first obstacle between secret information in a network and outer world of it. In a SOC center, it needs to analyze continually security. To have enough security, usually different brands are used.as an example; in a network with different firewalls usually select these tools from different manufacturer. By a centralized management, control them. To security management of equipment following stages are necessary:-analysis of firewall functions -answer to requests after announcing -analyzing registered logs in firewalls - analyzing software and hardware relevant to firewall. 4-2-Intrusion detection systems (IDS): Systems like IDS in a network are dependent to equipment and processes and staff which in need they respond to warning. Concerning to this fact that IDS sensors at any time create many warnings and that is impossible to respond to all of them it needs that sensibility of IDS regulates in a way that only essential threat would be announced. But this way causes that some intrusion would not be announced. To prevent problems we can appoint every IDS for every application. Using these systems features, we can control intrusion by SOC. In SOC we use features like decrease of false positive and state full signature that an advanced form of detection of intrusion is signature, protocol anomaly detection which has ability to detect traffic and make sure that illegal packet using comparison of protocol portion, would not be in network. Traffic anomaly detection to compare normal traffics and abnormal traffics to avoid naturally and not naturally intrusion, are used. In SOC, with mining of these features, power of intrusion detection has been increased Facility of filtering of content: One of main services in SOC is facility of entrance content to servers. Filtering content in SOC in order to prevent access to non-essential sites, preventing of access to specific types of files and limiting virus intrusion, worms and Trojan (many of dangerous virus like nimda and codered that administrative programs using HTTP or common protocol that firewalls let them enter to network so users unknowingly these contents download secure sites) are used. Software of URL filtering categorizes all pages in modified groups and according to that, makes the access of a page possible or impossible. Also it can provide a list of sites which users can access to them. It needs mainly this software has ability to filter access to categorized content. And also it should be able to present special approach based on different parameters including users groups, users positions, time of use and etc. Software that are used in this center to filter, should have information base categorize in order to prevent access. Also updates should be done in short intervals and it s better to be done completely. Updates should not stop the operation systems. 4-4-Virus detection facilities: Viruses often are being transferred by and internet traffic. So deference at frontline means internet gateway which is the best way to fight, to it. Adding ability of virus scanning on caches, we can do decent activities to fight virus in internet gate. SOC center, controls operations and viruses scan by using decent software AAA services: In SOC center to define and control access to equipment and network services, AAA is used. Servers are used in different centers and different services and network managers and users also have access to network resources through that. One of ways which in SOC are used to detect user identification and exert secure approaches is using CA or certificate authority. CA is general key of a person or organizations which put them 24

4 in digital certificate and then sign it. This action confirms the accuracy of information. Digital certificate are files that in fact acts like passport and are issued by CA. Role of CA in this process is confirmation of a person who certificate has been appointed to him. In fact he is the person that confesses. With putting CA in a SOC center, we can support a great deal of applications with high rate security in comparison with username and passport created by users. 5- Security implementation in SOC: By using security equipment in SOC, network intrusion are analyzed from different views which are: visibility, verification and vulnerability which by merging in every part, we can control and manage security of network. In every part there are special activities, which by them we can avoid access to the network. If they enter the network, we prevent improvement of them. In every part there is equipment which can protect network. 5-1-Vulnerability: Equipment that are used, as soon as installation and running, should be updated. Factors which are updated by this way, include figuration of servers, applied programs, secure software packages relevant to operating systems, which concerning to growth of penetration ways, rapidly would be invalid. Concerning this point, this part has the least effect through intrusion conflict. 5-2-Visibility: using this equipment, that is often including firewalls, we can monitor all secure network equipment. At this part, all equipment of firewall is being updated and figurations of them relevant to their approach would be changed. These changes without any timing exert to the network in replace of mechanism change and intrusion trends. Problems which are created by firewalls figuration change are not related to technology only. Every time that figuration of equipment by staff is updated, it s possible that by a mistake in figuration, penetration for hackers created. Concerning to networks dimension and volume and ports which are serviced through IP address, number of points which should be scanned, are defined. To connect secure parts relevant to need of every user, these ports are divided to different groups. So ports which are of importance, by relevant systems in short interval (usually every five minutes) are scanned. Concerning to high volume information which is produced every time interval, should be some mechanism in SOC so by them these high volume of information could be processed and reports should be excavated. 5-3-Verification: the most essential and complicated part in a SOC, is making sure of security of parts which there are not direct control on them. In order to it, should apply equipment which can directly control relevant equipment. Actually should block penetration path. 6- Advanced services in SOC: Advanced services which are presented through this way, actually there are services that by them we can proceed security action according to needs. In SOC in addition to network equipment security management, infrastructures of information are supported in secure way. These infrastructures generally include staff, processes and job trends in networks. In gathered standards of security like BS9977 standards the way of implementation of security management trends in network are defined. At processes security management at SOC, different stages are passed to secure trends in networks. First stage is policy making. After legislation of policies, and corresponding of them with current standard in security 25

5 network, excavated trends in order to implement are given to expert. The other point to reviews is knowledge of staff of security threats. Concerning to great deals of network security software which every of them relevant to their producer, need to specific skills to use, and also technology rapid changes and intrusion way to network equipment, it needs SOC staff have specific skills and always get new knowledge. To update staff information, some training courses are used to detect intrusions. Concerning to importance of duty in SOC, staff of these centers are of high importance. So maintaining and protecting staff and making them satisfied are of most important responsibilities of SOC owners. 7- Conclusion: There are many solution for network security. But analyzing the information of this solution is very important. The information are separated. For a best security, we should see the whole network together. Because there are many complex attack that use various ways. Therefor we need a comprehensive security solution such as SOC that have a whole view to the network security. Reference: 1- Nadel, Barbara A. Building Security: Handbook for Architectural Planning and Design. McGraw-Hill. p. 2.20, ISO/IEC 27003:Information technology,security techniques,information security management implementation guidance, Network Intrusion Detection An Analyst s Handbook Second Edition,Stephen Northcutt, Judy Novak New Riders ISBN: Yulin Wang, Jinheng Wang, Research on security technology of campus network, Advanced Materials Research Vols pp ,