Monitoring for network security and management. Cyber Solutions Inc.

Transcription

1 Monitoring for network security and management Cyber Solutions Inc.

2 Why monitoring? Health check of networked node Usage and load evaluation for optimizing the configuration Illegal access detection for both inbound and outbound traffic All networked information is on the LINE

3 Threats have to be monitored Node alive or dead Network or node fault? Attacked? Performance degradation Network fault? DoS possibility? Large-scale incident? Policy enforcement Detecting policy violation (prohibited communication) Detecting configuration change Potential attack originator Exploited / Compromised by attacker? Attacking by insider? Virus polluted? Malicious terminal connected?

4 Monitoring is the first step for security and network management Monitoring basics Information collection from every networked node Packet monitoring Advanced topics High-resolution monitoring Hash-based traceback Simple and light weight analysis for practical monitoring Information collection from mobile node/network Monitoring network inside

5 High-resolution monitoring Traffic is so dynamic Peak rate is important for actual performance Malicious access is in peaky traffic (pulsing DoS) Requirement Shift minutes, hours, daily measurement to msec, usec, and further precise measurement

6 Monitoring with high-resolution 5 Seconds 34 Hours

7 Scalability by Aggregation Query and response Current Method Manager Agent time Query and response 1000 *n MOs/packet Manager Agent time Delay

8 The drafts draft-glenn-mo-aggr-mib-02.txt

9 Problems in current counter DoS attack solutions

10 Traceback potential Traceback Take the battle to the foe

11 The traceback concept Source Yes! Packet Trace PP Packet Trace Agent Target Around Here! Yes! Internet Do you know? Yes! No!

12 The Architecture PRA Packet Query/Response Packet Tracker(PT) PRB PR

13 The Architecture PRB PRA Packet Query/Response Conf: Query/Response Setting Packet Tracker(PT) PR

14 Requirements: Packet Record Protocol Mapping: PacketRecord (encoded) Packet Additional Data for corroboration Scope of Packet Record which IP header fields are masked) how much of the payload

15 Requirements: Packet Record Protocol Packet Recorder IP Datagram Packet Record Agent Packet Data Key Generation Kg (IP Datagram) Key Generation Key Storage Additional data Key Storage Additional Data

16 Requirements: Communication Protocol Authenticated Privacy, Integrity Check for existence of a datagram Lightweight Non Repudiation Query for Packet Recording parameters

17 The Process: IP Datagram Packet Data IP Datagram PR PRA PT Yes/No Transform Tr (IP Datagram) Transform Transform Packet Record Packet Record Base Base Additional data Additional Data

18 Demonstration: Tracking Attacks using SNMP based packet tracing IETF wired network Attacker2 IETF wireless network Attacker1 PRA1 PRA2 Manager The Internet Query and Response PRA3 S NMP T rap c k a tta 1. Attacker1 sends packet to Victim. 2. IDS detects it and sends SNMP trap to manager along with packet s record. 3. Manager queries packet record agents PRA1, PRA2 and PRA3 for packet record 4. Manager receives responses from PRA1, PRA2, PRA3 and traces packet path. Victim on remote network IDS PRA Packet Record Agent IDS Intrusion Detect Sensor

19 Demonstration: Screen shot

20 For practical network monitoring Simple and right weight monitoring Focusing on stability of traffic Simple event generation and deep inspection Event notification Monitoring and Stability analysis Packet Sample DB Deep inspection

21 Stability example Observed source address is stable in large scale network

22 Mobility issues Some times disconnected Access to more information changing network changing place/environment

23 Mobility issues (1) not continuously connected Usual polling paradigm will not work Store locally (Offline) Store and forward (Semi-online) Agent initiated polling Agent intitiated informs

24 Current Method Manager time

25 time Current Method Manager

26 Manager time Agent initiated Polling

27 Manager time Agent initiated informs

28 Conventional defense strategy Monitoring access from outside to inside DMZ WEB seriver Mail server Monitoring by IDS Firewalling Intranet

29 Risks network inside Potential insider attacks Prohibited user access From DHCP/Wireless network Exploited and/or compromised Virus influenced node

30 Monitoring inside Monitoring Log collection and audit DHCP and/or connection activity monitoring Application traffic from inside to outside Connectivity and log monitoring Detection non-authorized terminal Prevent illegal outbound access

31 Summary Monitoring is the real base of network security and the management Further advanced monitoring is required High-resolution New security applications are required Packet traceback Further practical analysis is required Stability based analysis Future network environment support is required Mobile node and network support New monitoring target is required Network inside