Cooperating Security Management for Mutually Trusted Secure Networks

Lai-Ming Shiue
Department of Applied Mathematics, National Chung-Hsing University, Taichung 402, Taiwan

Shang-Juh Kao
Department of Computer Science, National Chung-Hsing University, Taichung 402, Taiwan

Abstract - A network system can be better protected by physically dividing it into administrative management groups according to different access rights. However, to manage a network system effectively, security information sharing is necessary. Since one system may suffer from the same security threats as another, a way to share security information so that a system is spared a flaw already seen elsewhere is urgently needed. In this paper, we first propose the concept of a management domain by differentiating the access rights of network hosts. We then present a global secure management platform by constructing a three-layered security architecture: agent layer, server layer, and manager layer. Through the security information collected by intrusion detection agents, vulnerability assessment agents, and service guard agents, and exchanged among domain servers, mutually trusted network domains can cooperate to provide a better and more effective management system.

Keywords: firewall, intrusion detection, vulnerability assessment, security information exchange.

1. Introduction

With the rapid growth of the Internet, intrusive incidents are also increasing. These incidents may damage Internet access or even disable network services. A network without a sufficient protection scheme usually becomes a target for Internet hackers and malicious intruders, so adequate Internet security is strongly needed. From an end user's perspective, Internet security usually emphasizes host-based security [1,2,3], while from a network administrator's perspective, domain-based security [1,2,3] is expected, which is supposed to build a defense wall around the physical network.
Host-based security is easily achieved by personal security tools, but domain-based security requires integrating advanced security technologies into the management system. In this paper, we first propose the concept of a management domain by differentiating the access rights of network hosts. We then present a global secure management platform by constructing a three-layered security architecture: agent layer, server layer, and manager layer. Every management domain crosses both the server layer and the agent layer, and all cooperating domains are independent and mutually trusted. Physically, a domain can be divided into a Common Users Group, a Public Servers Group, a Proprietary Servers Group, and a Management Group according to the associated access rights. For each group, local monitor agents are deployed at the agent layer. In particular, the local monitor agents for intrusion detection, vulnerability assessment, and service guard collaborate to provide a defense for all network services. After collecting security information from the agent layer, the domain servers
produce new defense rules and configure the firewall system at the server layer. By exchanging security information between different servers, the area manager at the manager layer can correlate the alarms, recognize the attacks, and produce new global security policies to avoid potential future intrusions. Based on these information exchanges, every domain can quickly obtain the new defense rules and be protected from an attack already seen in another domain. As a result, each monitor agent becomes more powerful in protecting network services, and network security is enhanced consequently.

2. Criteria for Security Evaluation

How to protect a network system against intrusions and attacks is an imperative task for a network administrator. In general, four criteria are taken into consideration for protection: security level, attack modes, defense methods, and cost performance.

The security level may be high, medium, or low. With a high security level, network connections are strictly restricted and only some public access services, such as HTTP, SSH, and FTP, are allowed, usually uni-directionally. With a low security level, the network administrator does not assume the responsibility to protect the network, and thus host-based security is regarded as more appropriate than domain-based security. In general, a high security level is adopted in private or enterprise network environments [4,5], while a low security level is suitable for public networks. Between the high and low levels, the medium security level requires more effort from the network administrator to dynamically adjust the defense policy according to the complete security requirements. It is also called dynamic security. In this paper, we primarily focus on dynamic security to construct a secure network environment.

For motivations such as gain, showing off, and malice, hackers may lock onto some specific sites or unsafe targets and direct an attack.
Most attacks are based on message flooding, service disabling, or the embedding of unsafe programs, which exploit system bugs or protocol flaws [7,8]. Generally, there are three modes of attack: attack after probing, attack with brute force, and attack through back-doors. An attack could be mixed and may have a regional characteristic: a regional attack is one that may also happen in the neighboring networks. To defend against such a regional attack, exchanging security information among neighboring networks is required.

Several defense methods are applied to secure a network system, and some are still under development. Well-known ones include the firewall system [9,10], the intrusion detection system [11,12], the vulnerability assessment system [13,14], and the service guard system. A firewall system provides a single point of defense between the external world and the internal network system. There are three kinds of firewall: packet filtering firewalls, application layer firewalls, and gateway firewalls; they are often combined using multiple protection mechanisms according to the management scope and the requirements of the protected system. An intrusion detection system monitors anomalous actions, detects network intrusions, and produces corresponding protection strategies. It can be either host-based or network-based, and both misuse detection and anomaly detection are commonly used in the analysis. A vulnerability assessment system is used to discover system vulnerabilities before an attack takes place. The service
guard system ensures the proper accessibility of Internet services at the application layer [15,16], such as , ftp, and news. As security defense methods develop, higher performance usually comes at a higher price. Therefore, how to balance cost and performance in building a secure network also has to be taken into account.

In summary, security level, attack modes, defense methods, and cost performance have to be determined before a security system is developed. Several defense methods, namely the firewall system, intrusion detection system, vulnerability assessment system, and service guard system, are employed in this paper. By integrating these methods, we construct a secure network environment with dynamic security. Through the exchange of security information, the cost of building a secure environment is effectively reduced.

3. Secure Management Platform

In this paper, we propose a domain-based secure management platform to enhance security management. In this platform, a federated network environment, called a secure area, is formed. A secure area, as shown in Figure 1, consists of several domains and one secure area manager (SAM). Hierarchically, a secure area is divided into three layers. On the top layer, the SAM plays the role of coordinator. Each domain, which crosses both the server layer and the agent layer, has an independent management system. After collecting and analyzing security information and producing its own defense policies, each secure domain attains local security. When facing various attacks, especially the same attack in different regions, local security is not enough. Relying on the exchange of security information between domains, a powerful defense shield can be built against intrusions. In our three-layered architecture, the security management exchange area (SMEA) crosses both the manager layer and the server layer.
Below the SMEA, secure domains are independent and mutually trusted, and security information is shared among them.

Figure 1 The Architecture of Secure Area.

3.1 Trusted Secure Domain

For domain-based management, we are mostly concerned with the accessibility of network services. That is, based on the access rights of internal users and external users, we may classify the services of a domain. Figure 2 shows the classification with respect to the access rights of external and internal users. Public services can be accessed by both kinds of users, while proprietary services can only be accessed internally. Management services are the services that are available to managers only.
Figure 2 Access Rights of External and Internal Users.

Figure 3 Physical Perspective of Trusted Secure Domain.

Accordingly, we divide each secure domain into four functional clusters: Common Users Group, Public Servers Group, Proprietary Servers Group, and Management Group, as illustrated in Figure 3. As in the figure, between the external world and the four clusters, a firewall system is placed to differentiate and protect domain services. The firewall system is composed of a front-end firewall and a route-based firewall. The front-end firewall, which could be either a packet filter firewall or an application layer firewall, determines the connectivity of external requests according to the defense policies. The route-based firewall, which is a gateway firewall, translates communication protocols and forwards messages to the destined cluster accordingly. Usually, a stateful or stateless packet filter firewall is adopted as the front-end firewall. The common users group contains general-purpose hosts, which are the least restricted; it should be protected from well-known attacks and monitored by the security management system. All public services are located in the public servers group and are available to all users, while the proprietary servers group serves internal users only. The management group is dedicated to management information processing.

3.2 Three-layered Architecture

Our security management architecture is hierarchically divided into the manager layer, the server layer, and the agent layer. There are two perspectives from which to observe this three-layered architecture. From the physical perspective, each secure domain is independent and deployed across the server layer and the agent layer, as illustrated in Figure 4a. Any managed component of the four clusters is monitored and controlled in the agent layer, and its correlated information is collected in the server layer.
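The access-rights classification of Section 3.1 (Figure 2) and the front-end firewall placed in front of the four clusters (Figure 3), as an added example that is not part of the paper: it derives a first-match packet-filter rule set from the classification and shows the domain server inserting a new deny rule ahead of the allow rules. The service-to-cluster assignments, requester labels, and addresses are constructed for illustration.

```python
# Added example (not from the paper): derive the front-end packet-filter
# policy of a trusted secure domain from the access-rights classification
# of Figure 2, then evaluate requests first-match as a packet filter does.
# Cluster/service assignments, addresses and requester labels are constructed.

# Figure 2: which requester classes may use each class of service.
ACCESS = {
    "public":      {"external", "internal", "manager"},
    "proprietary": {"internal", "manager"},
    "management":  {"manager"},
}

# Figure 3: services offered by each server cluster (constructed sample).
CLUSTERS = {
    "public_servers":      {"http": "public", "ftp": "public"},
    "proprietary_servers": {"nfs": "proprietary"},
    "management":          {"snmp": "management"},
}

def build_policy():
    """Static policy: one allow rule per (service, requester class) that the
    classification permits, then a default deny. A rule is the tuple
    (action, source, requester, service, destined cluster)."""
    rules = []
    for cluster, services in CLUSTERS.items():
        for service, svc_class in services.items():
            for requester in sorted(ACCESS[svc_class]):
                rules.append(("allow", "any", requester, service, cluster))
    rules.append(("deny", "any", "any", "any", None))
    return rules

def add_defense_rule(rules, src):
    """Domain server reaction to new security information: a deny rule for
    the offending source is inserted ahead of every allow rule."""
    rules.insert(0, ("deny", src, "any", "any", None))

def evaluate(rules, src, requester, service):
    """First match wins. Returns the destined cluster on allow (the route-based
    firewall then forwards there) or None on deny."""
    for action, r_src, r_req, r_svc, cluster in rules:
        if (r_src in ("any", src) and r_req in ("any", requester)
                and r_svc in ("any", service)):
            return cluster if action == "allow" else None
    return None  # not reached: the default deny always matches

def demo():
    rules = build_policy()
    before = evaluate(rules, "203.0.113.7", "external", "http")  # public_servers
    blocked = evaluate(rules, "203.0.113.7", "external", "nfs")  # None
    add_defense_rule(rules, "203.0.113.7")                        # new defense rule
    after = evaluate(rules, "203.0.113.7", "external", "http")   # None now
    return before, blocked, after
```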
From the functional perspective, there are several management functions served by various servers, as shown in Figure 4b. Emerging security techniques such as intrusion detection (ID), vulnerability assessment (VA), and service guard (SG) enhance network security. Attacks or intrusions, which usually come from the external network, are detected by the ID system; system bugs and protocol flaws in the internal network are discovered by the VA system; and the SG system examines and filters the packets of application services directly. We take these three security techniques into our system to enhance our defense capability.

Figure 4a The three-layered architecture from the physical perspective.

Figure 4b The three-layered architecture from the functional perspective.

At the agent layer, local agents are deployed at the corresponding managed nodes and are responsible for monitoring, examining, and filtering. All output sent by local agents is collected by the related functional servers at the server layer for analysis and further generation of security information. At this layer there exists another important server, the domain server (DS). The domain server integrates all kinds of security information, analyzes possible attacks, and produces new defense policies. Each mutually trusted domain provides the latest security information to the secure area manager. The secure area manager, residing at the top layer, analyzes the collection from all domains, produces new security knowledge, and shares security information so that domains avoid suffering from the same attack. Based on the sharing of security information in the SMEA, we are able to build a defense shield and gain a more powerful defense capability.

4. Security Information Exchanges

In order to avoid the same security threats as incurred in neighboring networks and to improve the protective capability of defense methods, security information exchange is necessary. There are two types of security information to exchange: public information and private information. Public information refers to the analysis rules of security knowledge in security software, such as the intrusion detection system, vulnerability assessment system, and service guard system. When the analysis rules of security software are public, weaknesses of the software design can be avoided and more secure security systems developed consequently. Exchanges of public information help to build the local security strategy. Private information is shared only among trusted secure domains.
It includes the security information collected from the DSs by the SAM and the defense suggestions sent from the SAM to the DSs. The security information collection covers both already-known attacks that happened in the past and anomalies that are recognized by the security software. In each domain, the DS attains local security through its security software and sends its security information to the SAM. After analyzing the collected security information and defining the degree of urgency, the SAM sends defense suggestions to all DSs. The defense suggestions prevent the same attacks as occurred in neighboring domains. At the same time,
analyzing the anomalies from all domains can produce new defense policies against unknown attacks. Under the cooperation of the DSs and the SAM, the SMEA provides a reliable defense shield and forms a global, cooperative security system. Exchanges of security information also occur between local agents and functional servers, and between functional servers and the domain server. The difference is that exchanges between DSs and the SAM are subject to strict authentication and authorization, while the others are not.

Figure 5 Secure Area Manager.

The SAM is located at the top layer and consists of an area manager control unit, a public information center, a registration center, a private information center, an upload center, an authentication center, a security analysis engine, a knowledge management center, and a system management center, as shown in Figure 5. The area manager control unit coordinates the other components. The public information center and the registration center provide the interface between the external world and the trusted secure domains, offering security rule sets and registration respectively. The private information center and the upload center allow trusted secure domains to download and upload private information. All connections between the SAM and a DS are authenticated and authorized by the authentication center. After collecting the security information sent by the DSs, the security analysis engine analyzes it and then produces new defense policies and new analysis rules. All new defense policies and analysis rules are stored in the knowledge management center. The system management center also records the information of all members within the SMEA. With the exchanges of security information, the SMEA becomes more secure.

5. Summary

In a security management area, each trusted secure domain has its own independent security management system based on a dynamic security strategy.
This dynamic security is accomplished by cooperating firewall, intrusion detection, vulnerability assessment, and service guard systems. The security information generated by any available security software helps to build a local security system in each domain. Through the exchange of security information among trusted secure domains, we are able to prevent the same attacks as occurred in neighboring domains. Furthermore, the local security facilities in each domain can freely download new security information to enhance their defense capability. In this paper, we propose a three-layered security management architecture for mutually trusted networks. Through the sharing of security information and the integration of available defense methods, we are able to construct an efficient and flexible secure network environment.

6. References

[1] William Cheswick, Steven Bellovin, and Aviel Rubin, Firewalls and Internet Security, 2nd Edition, Addison Wesley.
[2] Simson Garfinkel and Gene Spafford, Practical Unix & Internet Security, 3rd Edition, O'Reilly.
[3] Matt Curtin, Introduction to Network Security, Kent Information Services, Inc.
[4] Simon Liu, John Sullivan, and Jerry Ormaner, A practical approach to enterprise IT security, IT Professional, Volume 3, Issue 5.
[5] Rongsheng Shan, Shenghong Li, Mingzheng Wang, and Jianhua Li, Network security policy for large-scale VPN, ICCT 2003.
[6] Lai-Ming Shiue, I-Ping Hsieh, and Shang-Juh Kao, Security and Traffic Management for a Department Local Area Network, 32nd ICC&IE.
[7] Kevin Killourhy, Roy Maxion, and Kymie Tan, A defense-centric taxonomy based on attack manifestations, DSN 04.
[8] Anirban Chakrabart and Manimaran Govindarasu, Internet infrastructure security: a taxonomy, IEEE Network, Volume 16, Issue 6.
[9] Robert Zalenski, Firewall Technologies, IEEE Potentials, Volume 21, Issue 1.
[10] Brent Chapman and Elizabeth Zwicky, Building Internet Firewalls, 2nd Edition, O'Reilly.
[11] Rebecca Gurley Bace, Intrusion Detection, Macmillan Technical Publishing.
[12] Robert Graham, FAQ: Network Intrusion Detection Systems, version 0.8.3.
[13] Cabin Ying, Alan Tsa, and Henry Yu, Vulnerability assessment system (VAS), 37th Annual Conference.
[14] Ghulam Mallah and Zubair Shaikh, Vulnerability assessment through mobile agents, E-Tech 2004.
[15] Carnegie Mellon University, TCP Wrapper, ftp://ftp.porcupine.org/pub/security/.
[16] Central Command Inc., Vexira Antivirus for Mail Servers.