Secure Network Access System (SNAS): Indigenous Next Generation Network Security Solutions
Gigi Joseph, Computer Division, BARC. Gigi@barc.gov.in
Intranet Security Components
Diagram: NAC server and Ethernet switch in front of the firewall and the intranet DMZ (servers).
1a. Network Authentication
1b. End Point Compliance Check
2. Access Control (Firewall)
3. Network Behavioral Anomaly Detection (IDS)
4. NMS
Typical Network Setup
Diagram: the organization's intranet with its switch, the intranet DMZ (servers) behind a firewall + IDS, and the Internet DMZ with the Internet servers behind an application level firewall + IDS/IPS; these form the perimeter security systems.
Network Backdoor Entry
Diagram: a laptop on the organization's intranet with WiFi access in ad hoc mode reaches a wireless access point and a user connected to a public wireless network; this path enters behind the switch and so bypasses the perimeter security systems (application level firewall (UTM), Internet DMZ, Internet servers).
Physically Separated Network for Intranet and Internet
Diagram: the Internet user segment and the intranet user segment (with the intranet servers) are on separate networks.
Intranet and Internet Network Bridging
Diagram: a network bridge between the Internet user segment and the intranet user segment joins the two networks and gives the Internet segment a path to the intranet servers.
SNAS: End System Identification
End system identification: IP address of the end system, MAC address.
Identification parameters:
1. End system's network levels: MAC address, IP address, NIC make & model, network applications running on the end system
2. End system's OS: OS version & patch update
3. Software present in the end system: product/application name, manufacturer, date of installation
4. End system hardware: storage (HDD / other media size), memory details etc.
A unique profile based on the above parameters identifies an end system on the network. Parameter selection and the threshold level of matching depend on the security policy.
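One way to turn the four parameter groups above into a matching decision, as an added example that is not SNAS code: each group gets a policy weight, exact-match fields score all or nothing, the software inventory scores by overlap, and the total is compared with a policy threshold. The weights, the 0.8 threshold and the sample profiles are assumptions chosen for illustration.

```python
# Added example, not SNAS code: weighted profile matching over the four
# parameter groups listed on this slide. Weights and the 0.8 threshold are
# assumed policy values chosen for illustration.
from dataclasses import dataclass

WEIGHTS = {                 # one weight per identification parameter
    "mac": 0.30, "ip": 0.10, "nic": 0.15,   # 1. network level
    "os": 0.15,                             # 2. OS version & patch
    "software": 0.20,                       # 3. installed products
    "hardware": 0.10,                       # 4. storage / memory
}

@dataclass(frozen=True)
class Profile:
    mac: str
    ip: str
    nic: str
    os: str
    software: frozenset      # "product/manufacturer" strings
    hardware: str

def jaccard(a: frozenset, b: frozenset) -> float:
    """Overlap of two software inventories (1.0 = identical)."""
    return len(a & b) / len(a | b) if (a | b) else 1.0

def match_score(known: Profile, seen: Profile) -> float:
    """Weighted similarity in [0, 1]: exact-match fields score fully or not at
    all; the software inventory contributes its overlap fraction."""
    score = 0.0
    for key, w in WEIGHTS.items():
        if key == "software":
            score += w * jaccard(known.software, seen.software)
        elif getattr(known, key) == getattr(seen, key):
            score += w
    return round(score, 3)

def is_same_end_system(known: Profile, seen: Profile, threshold: float = 0.8) -> bool:
    """Policy decision: the observed system is the registered one if the
    score reaches the threshold set by the security policy."""
    return match_score(known, seen) >= threshold

# Constructed sample profiles (not real inventory data).
REGISTERED = Profile("00:a0:b0:c0:d0:01", "10.0.0.1", "Intel I219", "Win10 21H2",
                     frozenset({"Office/Microsoft", "AV/Vendor"}), "HDD 500GB, 8GB RAM")
# Same PC after a new DHCP lease and one extra product installed: still matches.
SAME_PC = Profile("00:a0:b0:c0:d0:01", "10.0.0.7", "Intel I219", "Win10 21H2",
                  frozenset({"Office/Microsoft", "AV/Vendor", "Tool/Vendor"}), "HDD 500GB, 8GB RAM")
# Another machine that only cloned the MAC and IP: rejected despite the L2/L3 match.
CLONED = Profile("00:a0:b0:c0:d0:01", "10.0.0.1", "Realtek 8168", "Ubuntu 22.04",
                 frozenset({"Tool/Vendor"}), "SSD 256GB, 16GB RAM")
```

The cloned-MAC case shows why identification must not rest on the network-level parameters alone: they are the easiest to copy and carry less than half the weight here.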
Enterprise DDOS Handling
Diagram: a DDOS attack arriving from the Internet side against the organization's Internet servers in the Internet DMZ; one firewall sits in front of the Internet servers and another in front of the intranet DMZ (servers), with the perimeter security systems and switch between them.
DOS Attacks: ICMP Flooding (e.g. Smurf Attack)
Diagram: hosts 100.0.0.1/A, 100.0.0.2/A ... 100.0.0.10/A in organization 1, whose network broadcast address is 100.255.255.255; the victim is www.nkn.in (164.100.56.206).
Attack packet: PING <100.255.255.255>, source IP = www.nkn.in (164.100.56.206), destination IP = 100.255.255.255. Every host on the broadcast network answers the echo request, and all the replies go to the spoofed source.
DOS Attacks: ARP Flooding
Diagram: two hosts on an Ethernet switch, IP 10.0.0.1 (MAC-1: 00:a0:b0:c0:d0:01) and IP 10.0.0.2 (MAC-2: 00:a0:b0:c0:d0:02).
Ethernet frame: source MAC (00:a0:b0:c0:d0:01), packet type (0x0806), data part (ARP request), checksum (CRC).
ARP request (broadcast): op code (ARP request), sender MAC (A: 00:a0:b0:c0:d0:01), target MAC (00:00:00:00:00:00), sender IP (10.0.0.1), target IP (10.0.0.2); is it gratuitous?
Actions and effects:
1. Large number of ARP requests per second: switch performance degrades.
2. Every ARP request carries a different source MAC address: identification becomes difficult and the Ethernet switch table overflows.
Denial of Service attack (TCP SYN Flooding)
Three-way handshake between the client (100.100.100.100:2000) and the server www.nkn.in (164.100.56.206:80):
Client SYN-SENT: SEQ=100, SYN. Server goes from LISTEN to SYN-RCVD (half open).
Server: SEQ=200, ACK=101, SYN, ACK. Client goes to ESTABLISHED.
Client: SEQ=101, ACK=201, ACK, DATA. Server goes to ESTABLISHED.
Header fields shown: source IP (100.100.100.100), destination IP (164.100.56.206), source port (2000), destination port (80), sequence number (101), ACK number (201), HL (4), reserved (6), flags URG ACK PSH RST SYN FIN, window (16), checksum (16), urgent pointer (16).
Denial of Service attack (TCP SYN Flooding)
Half-open connections held at www.nkn.in (164.100.56.206), from 100.100.100.100, 200.200.200.200 and random sources:
Source IP        Source port   Destination IP    Destination port
200.200.200.200  2000          164.100.56.206    80 (web)
200.200.200.200  2002          164.100.56.206    80 (web)
-------------    --------
A.B.C.D          2001          164.100.56.206    80 (web)
Random IPs       2002          164.100.56.206    80 (web)
SNAS DOS attack handling: Block @ network entry
Diagram: the NAC server instructs the network device (Ethernet switch) to block the offending end system at its network entry port, ahead of the WAN, DMZ0, DMZ1, DMZ2 and the intranet services zones.
Example thresholds: no. of TCP-SYN packets > 200; non-unicast packets/sec > 50.
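The two example thresholds above, applied to per-packet records in the way a NAC server might evaluate traffic summarised from a switch port, as an added example that is not SNAS code. The record layout, the 10-second window and the constructed traffic (a SYN flood from host A, an ARP broadcast storm from host B, normal use from host C) are assumptions.

```python
# Added example, not SNAS code: apply the slide's example thresholds
# (TCP-SYN packets > 200, non-unicast packets/sec > 50) to per-packet records
# and list the sources to block at network entry. The record layout and the
# 10 s observation window are assumed.
from collections import Counter, defaultdict

SYN_LIMIT = 200            # "No. TCP-SYN packet > 200" (from the slide)
NON_UNICAST_PER_SEC = 50   # "Non unicast packets / sec > 50" (from the slide)
WINDOW_SEC = 10            # assumed observation window

def is_non_unicast(dst_mac: str) -> bool:
    """Broadcast/multicast frames have the I/G bit (LSB of the first octet) set."""
    return int(dst_mac.split(":")[0], 16) & 1 == 1

def evaluate(records):
    """records: dicts with ts (int second), src_mac, dst_mac, proto, flags.
    Returns {src_mac: [reasons]} for every source that breaches the policy."""
    syn_count = Counter()
    non_unicast = defaultdict(Counter)     # src_mac -> {second: count}
    for r in records:
        if r["proto"] == "tcp" and r["flags"] == "S":    # SYN without ACK
            syn_count[r["src_mac"]] += 1
        if is_non_unicast(r["dst_mac"]):
            non_unicast[r["src_mac"]][r["ts"]] += 1
    verdict = defaultdict(list)
    for mac, n in syn_count.items():
        if n > SYN_LIMIT:
            verdict[mac].append(f"tcp-syn {n} > {SYN_LIMIT} in {WINDOW_SEC}s")
    for mac, per_sec in non_unicast.items():
        peak = max(per_sec.values())
        if peak > NON_UNICAST_PER_SEC:
            verdict[mac].append(f"non-unicast {peak}/s > {NON_UNICAST_PER_SEC}/s")
    return dict(verdict)

def constructed_sample():
    """Constructed traffic: A floods SYNs, B storms ARP broadcasts, C is normal."""
    recs = []
    for i in range(250):      # A: 250 SYNs spread across the window
        recs.append({"ts": i % WINDOW_SEC, "src_mac": "00:a0:b0:c0:d0:01",
                     "dst_mac": "00:a0:b0:c0:d0:ff", "proto": "tcp", "flags": "S"})
    for _ in range(80):       # B: 80 ARP broadcasts within one second
        recs.append({"ts": 3, "src_mac": "00:a0:b0:c0:d0:02",
                     "dst_mac": "ff:ff:ff:ff:ff:ff", "proto": "arp", "flags": ""})
    for i in range(40):       # C: 20 SYNs and 20 broadcasts, spread out
        arp = i % 2 == 1
        recs.append({"ts": i % WINDOW_SEC, "src_mac": "00:a0:b0:c0:d0:03",
                     "dst_mac": "ff:ff:ff:ff:ff:ff" if arp else "00:a0:b0:c0:d0:ff",
                     "proto": "arp" if arp else "tcp", "flags": "" if arp else "S"})
    return recs
```

Keying on the source MAC rather than the source IP matters for the SYN-flood case on the previous slide, where the source IPs are random but the frames still arrive on one switch port.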
HTTP Client-Side Exploitation
Diagram: local network behind a UTM (firewall, IPS/IDS); on the Internet side a trusted server (NKN) and www.gigi.com acting as command and control server, both reached over HTTPS.
Step 3: establish a reverse shell back door using HTTPS. Any data on the user's system can go out; the back door can monitor traffic or collect adjacent PCs' data, and the end system is ready to take part in a DDOS attack.
SNAS: Trust Model
SNAS identifies the trust level of hosts, IPs, ports, services, applications and software products as TRUSTED, UNTRUSTED or UNKNOWN_TRUST. Only TRUSTED entities are allowed to exist in the network; everything else is detected and can be isolated. Any running application or installed product that causes abnormal behaviour should be detected, especially after an update. SNAS can detect any new application, process, port or remote IP access in the network.
Diagram: a DDOS client on the LAN behind the SNAS appliance, with the controlling hacker server on the WAN.
SNAS: Network Behavior Monitoring
Diagram: no. of open ports and network traffic generated plotted against time, with the events "new service started", "new software installed" and "targeted application starts running" marked on the timeline.
SNAS: End System Detection
Diagram: the NAC server detects end systems attached to the Ethernet switch through switch traps and scanning.
SNAS: Network Authentication/Admission Control
NAC (Network Access Control) using SNAS covers access management and threat management through detection, identification, authentication and access rights.
Detection: MAC notification (trap) and periodic network scanning.
Identification and authentication: unique end system profile (SNAS).
Access rights enforced at a) network device level, b) ACL / firewall.
SNAS - End System Admission Control Parameters
Diagram: parameters arranged by layer (application, transport, network, data-link, physical): installed products, running applications, antivirus, running services, port status, IP address, unicast traffic, broadcast traffic, MAC address, NIC parameters, system location.
SNAS - End System Admission Control Parameters
Diagram: the NAC server gets data from the network devices and from the end systems and evaluates it against the security policy.
Authentication parameters:
1. Network level authentication parameters (L1, L2, L3): back door entry (network interface added or not); network parameter change (MAC address, IP address, gateway); network broadcast storm
2. Network transport level parameters (L4): no. of TCP connection requests; no. of TCP connection requests to un-trusted IPs; no. of TCP connections established to un-trusted IPs; no. of un-trusted network applications listening (services)
3. End system's OS: trust level of OS version & patch
4. Software present in the end system: trust level of product/application name, manufacturer
5. Processes in the end system: trust level of each process, its arguments & process path
Authentication success actions: access to zones as per policy.
Authentication failure actions: network entry level block, DMZ access block, alarms (Critical, Info, Emergency).
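The trust model slide and the parameter list above, combined into one admission decision as an added example that is not SNAS code: each reported entity is classified TRUSTED, UNTRUSTED or UNKNOWN_TRUST, and the result selects either the zones granted on success or the blocking actions and alarm levels listed for failure. The allow and deny lists, the SYN limit, the zone names, the alarm levels assigned to each finding and the choice to admit an end system with only UNKNOWN_TRUST processes (detected and alarmed, not isolated) are assumed policy values.

```python
# Added example, not SNAS code: classify reported entities as TRUSTED /
# UNTRUSTED / UNKNOWN_TRUST and derive the success and failure actions from the
# admission control slide. Lists, limits, zone names and levels are assumed policy.
from enum import Enum

class Trust(Enum):
    TRUSTED = "TRUSTED"
    UNTRUSTED = "UNTRUSTED"
    UNKNOWN = "UNKNOWN_TRUST"

POLICY = {   # constructed policy; 203.0.113.7 is from the RFC 5737 test range
    "trusted_os": {"Win10 21H2", "Ubuntu 22.04"},
    "trusted_processes": {r"C:\Windows\System32\svchost.exe", "/usr/sbin/sshd"},
    "untrusted_processes": {r"C:\Users\Public\update.exe"},
    "trusted_listen_ports": {22, 3389},
    "untrusted_remote_ips": {"203.0.113.7"},
    "max_syn_to_untrusted": 20,
    "zones_on_success": ["DMZ0", "DMZ1", "DMZ2", "Intranet Services"],
}

def classify(kind: str, value) -> Trust:
    """Deny list wins over allow list; anything unlisted is UNKNOWN_TRUST."""
    if value in POLICY.get(f"untrusted_{kind}", set()): return Trust.UNTRUSTED
    if value in POLICY.get(f"trusted_{kind}", set()): return Trust.TRUSTED
    return Trust.UNKNOWN

def admit(report: dict):
    """report keys: os, processes, listen_ports, remote_ips, syn_to_untrusted.
    Returns (admitted, zones on success or blocking actions on failure, alarms)."""
    findings = []   # (what, value, alarm level)
    if classify("os", report["os"]) is not Trust.TRUSTED:
        findings.append(("os", report["os"], "Critical"))
    for p in report["processes"]:
        t = classify("processes", p)
        if t is Trust.UNTRUSTED: findings.append(("process", p, "Emergency"))
        elif t is Trust.UNKNOWN: findings.append(("process", p, "Info"))  # detected, not blocked
    for port in report["listen_ports"]:
        if classify("listen_ports", port) is not Trust.TRUSTED:
            findings.append(("listening service", port, "Critical"))
    for ip in report["remote_ips"]:
        if classify("remote_ips", ip) is Trust.UNTRUSTED:
            findings.append(("remote ip", ip, "Critical"))
    if report["syn_to_untrusted"] > POLICY["max_syn_to_untrusted"]:
        findings.append(("tcp syn to un-trusted ip", report["syn_to_untrusted"], "Emergency"))
    alarms = [f"{level}: {what} {value}" for what, value, level in findings]
    if any(level != "Info" for _, _, level in findings):   # authentication failure
        return False, ["network entry level block", "DMZ access block"], alarms
    return True, POLICY["zones_on_success"], alarms
```

The actions returned here are what the NAC server would hand to the host-aware firewall or the Ethernet switch on the following slides.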
SNAS Access Right Management
Authentication success: the NAC server instructs the host-aware SNAS firewall to pass the end system through to the WAN, DMZ0, DMZ1, DMZ2 and the intranet services zones.
Authentication fail: the NAC server instructs the host-aware SNAS firewall to block System A, or instructs the Ethernet switch to block System A at its port.
SNAS: Host Aware Firewall
Diagram: the SNAS host-aware firewall has a management port, a LAN port (end-points on the organizational LAN), a WAN port (Internet zone) and one DMZ port per intranet services zone (DMZ0 port for zone 0 ... DMZ N port for zone N).
Firewall rules are dynamic and based on the security state of the end systems.
Blended Threats (When Applications Exploit Each Other)
Different software packages on a single machine:
IE 7 loads schannel.dll and sqmapi.dll from various locations, including the user's desktop.
When the Apple Safari browser encounters an unknown content type, it downloads the file to its default location (i.e. the Desktop).
A hacker creates content of an unknown type for the Safari browser with the name schannel.dll or sqmapi.dll.
Pirated Software Issues
When pirated software tries to update itself, the organization's IPs appear in the logs of the software update server.
There are legal implications if the software is banned for purchase.
Diagram: switch, organization's intranet, application level firewall + IDS/IPS, Internet DMZ, perimeter security systems.
USB Detection on User PC by SNAS
1. Detection of the presence of a USB device in the user PC: supported by SNAS.
2. USB usage details: supported (when the USB device was connected to the PC, when it was removed, size of the USB device, space used, free space etc.).
3. Any application running from the USB device: SNAS can detect applications running from the USB device.
4. Any application using resources on the USB device: SNAS can detect applications which use USB data.
5. The same USB device put into multiple PCs: SNAS can track a USB device by its serial number and report on which systems the same device was used.
6. Amount of data copied to the USB device: SNAS can find out the amount of data copied to the USB device.
7. Content of the data copied: not supported by the present SNAS version (for this the SNAS client is required on each PC).
SNAS NMS: Network & End System's Security Visualization
SNAS Placement in Enterprise Network Security Setup
Diagram: the SNAS appliance sits at the switch between the intranet DMZ (servers), the Internet DMZ with the organization's Internet servers, and the perimeter security systems (ITMA).
SNAS based Solution for Critical Sector Network
Diagram: the Internet user segment and the intranet user segment each sit behind their own switch and SNAS appliance; each segment keeps its existing firewall + IDS and perimeter security systems in front of its DMZ (Internet servers on one side, intranet servers on the other), and the intranet side connects to the nationwide intranet.
SNAS Demo Setup
Diagram: SNAS appliance (10.10.10.10/c); DMZ 2 (192.168.2.1/c) hosting a web server (192.168.2.10/c); DMZ 0 n (10.10.10.2/c); Ethernet switch; laptop (10.10.10.60/c) attached through a wireless access point.