Protecting Critical Information Infrastructures




Protecting Critical Information Infrastructures
Hannu H. Kari, 1.4.2007
Helsinki University of Technology: professor on mobility
National Defence University: professor, research director
professor Hannu H. Kari Page 1/32

Security problems in the Internet, samples
- October 2002, Scientific American: 9 out of 13 root DNS servers were crippled by a DDoS attack.
- November 2004, damage caused by worms/viruses (Mikko Hyppönen, F-Secure):
  - Slammer: intranet of a nuclear power plant in Ohio down; Bank of America ATM network down
  - Blaster: electric power network down in NY, USA; several SCADA systems down
  - Sasser: all train traffic halted in Australia; two hospitals in Sweden infected
- January 2005, BBC News: "Internet gambling hit hard by the attacks. Extortionists are targeting net-based betting firms and threatening to cripple their websites with deluges of data unless a ransom is paid."
- September 2006, Scientific American: an attack on DNS (Domain Name System) allows a cybercriminal to hijack ordinary net-banking sessions.
- January 2007, www.idg.se: almost 1 million stolen from a Scandinavian bank by a Russian hacker with a trojan distributed by spam mail. The biggest so far.
- January 2005, FBI/Tsunami: net criminals used fake web pages of the American Red Cross to collect credit card data.
- May 2007, IT-Viikko: attacks on Estonian governmental and commercial net sites.

Security problems in the Internet, samples: classification
The same samples, labelled by attack type and root cause:
  Attack type               Root cause
  DDoS attacks              design flaws
  DoS, DDoS attacks         criminal intentions
  Viruses, worms, malware   criminal intentions
  DNS attacks               design flaws
  Phishing                  users' stupidity
  Scams                     users' stupidity
  DoS, DDoS attacks         design flaws

Internet design flaws
Original design principles:
- The enemy is out there!
- Everybody can send anything to anybody.
- Security measures are introduced afterwards.
The new design principles:
- The enemy is among us!
- We must be prepared to pay for security/reliability in the form of computation power, bandwidth, energy, etc.
- Strong security as the fundamental building block.
- Legal sanctions against malevolent entities.
- Every packet must have an owner!

Security domains

Four security domains
4. Virtual communities (knowledge sharing): restricted caller groups
3. Content integrity/authenticity/timeliness (information sharing): PGP, S/MIME
2. End-to-end secured communication (data integrity and confidentiality): IPsec, TLS
1. Reliable operation of the critical network infrastructure: only partial solutions (MPLS, physical protection)

Weakest point: infrastructure
- Info-bulimia: flooding, DoS/DDoS, Smurf, SYN flood, ...
- Info-anemia: link breakage, data corruption, packet rerouting, router attacks, DNS attacks, ...
Either way we don't get vital information in time: we can't make decisions, or we make decisions with incomplete information.
A reliably operating network is a MUST.

Solving the problems

Securing network infrastructure

Traditional Internet usage R R professor Hannu H. Kari Page 10/32

Protecting network infrastructure
Need: communication between two legitimate computers shall be possible despite any hostile attacks: manipulated packets, jammed networks, cut communication links, etc.
Target: the network (i.e., the routers) shall distinguish whether a packet is
- good: generated by a legitimate computer => forward the packet
- bad: generated or modified by attackers => discard the packet
This also gives the possibility to prioritize traffic based on the importance of the packet/user.

Ultimate solution: Packet Level Authentication (PLA)
Analogy: security measures on banknotes (holograms, microprint, watermarks, UV light). Any receiver of a note can verify its authenticity without consulting a bank or any other authority.
In PLA (designed by HUT) every packet
- is digitally signed by its originator with strong crypto;
- contains all the information needed to validate the authority of the sender and the integrity, timeliness and uniqueness of the packet.
Project financed by the Finnish government's (Tekes) strategic research funding.
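The good/bad decision of the previous slide and the PLA packet contents of this one, as an added example in Go. This is not HUT's PLA implementation or wire format: it assumes one certifying authority whose public key every router is configured with, P-256 ECDSA signatures over a SHA-256 digest, a Unix-second timestamp checked against a tolerance window, and a strictly increasing per-sender sequence number standing in for a real sliding anti-replay window. Keys, packets and the rogue sender are all generated inside the program.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Packet is a hypothetical PLA-style packet (added example, not HUT's wire format).
type Packet struct {
	SenderPub []byte // originator's public key (PKIX DER)
	Cert      []byte // authority's ECDSA signature over SenderPub: the authority to send
	Timestamp int64  // Unix seconds: timeliness
	Seq       uint64 // per-sender counter: uniqueness
	Payload   []byte
	Sig       []byte // originator's ECDSA signature over the fields above: integrity
}

// digest binds header and payload into the value the originator signs.
func (p *Packet) digest() []byte {
	h := sha256.New()
	h.Write(p.SenderPub)
	binary.Write(h, binary.BigEndian, [2]uint64{uint64(p.Timestamp), p.Seq})
	h.Write(p.Payload)
	return h.Sum(nil)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// GenKey makes a P-256 key, for the authority and for each sender alike.
func GenKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// Sender holds an originator's key and the authority's certificate over it.
type Sender struct {
	priv   *ecdsa.PrivateKey
	pubDER []byte
	cert   []byte
	seq    uint64
}

// NewSender has the authority sign the hash of the new key: the Cert that routers check.
func NewSender(authority *ecdsa.PrivateKey) *Sender {
	priv := GenKey()
	pubDER := must(x509.MarshalPKIXPublicKey(&priv.PublicKey))
	fp := sha256.Sum256(pubDER)
	return &Sender{priv: priv, pubDER: pubDER, cert: must(ecdsa.SignASN1(rand.Reader, authority, fp[:]))}
}

// Send builds and signs one packet with the next sequence number.
func (s *Sender) Send(payload []byte, now time.Time) *Packet {
	s.seq++
	p := &Packet{SenderPub: s.pubDER, Cert: s.cert, Timestamp: now.Unix(), Seq: s.seq, Payload: payload}
	p.Sig = must(ecdsa.SignASN1(rand.Reader, s.priv, p.digest()))
	return p
}

// Router holds the authority's public key and, per sender, the highest accepted
// sequence number (a strictly monotonic stand-in for a sliding anti-replay window).
type Router struct {
	AuthorityPub *ecdsa.PublicKey
	Window       time.Duration
	Seen         map[[32]byte]uint64
}

// Verify returns nil (forward) or an error (discard). The free checks run first,
// so floods of stale or repeated packets cost no ECC work at all.
func (r *Router) Verify(p *Packet, now time.Time) error {
	if age := now.Sub(time.Unix(p.Timestamp, 0)); age > r.Window || age < -r.Window {
		return errors.New("discard: outside time window")
	}
	fp := sha256.Sum256(p.SenderPub)
	if p.Seq <= r.Seen[fp] {
		return errors.New("discard: sequence number already seen")
	}
	if !ecdsa.VerifyASN1(r.AuthorityPub, fp[:], p.Cert) {
		return errors.New("discard: sender key not certified by authority")
	}
	key, err := x509.ParsePKIXPublicKey(p.SenderPub)
	pub, ok := key.(*ecdsa.PublicKey)
	if err != nil || !ok || !ecdsa.VerifyASN1(pub, p.digest(), p.Sig) {
		return errors.New("discard: bad packet signature")
	}
	r.Seen[fp] = p.Seq // only a fully validated packet may change router state
	return nil
}

func main() {
	authority := GenKey()
	router := &Router{AuthorityPub: &authority.PublicKey, Window: 30 * time.Second, Seen: map[[32]byte]uint64{}}
	good, now := NewSender(authority), time.Now()
	p := good.Send([]byte("route update"), now)
	fmt.Println("legitimate:", router.Verify(p, now), "| replayed:", router.Verify(p, now))
	fmt.Println("uncertified:", router.Verify(NewSender(GenKey()).Send([]byte("spoof"), now), now))
}
```

The order of the checks is the point for an infrastructure that is itself under attack: the timestamp and sequence tests are free, so a flood of stale or replayed packets never reaches the two ECC verifications (the expensive operation that the next slide sizes), and the replay state is updated only by packets that passed every check, so an attacker cannot poison it. A production design would also need distribution and revocation of the authority certificates, which this slide does not cover.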

Performance
[Figure: HUT's HW implementation: Gigabit Ethernet IN -> front end (standard 1GE IP core) -> parallel ECC modules on an Altera FPGA -> back end (standard 1GE IP core) -> Gigabit Ethernet OUT]
- Altera Stratix II EP2S180F1020C3 FPGA chips with a 150 MHz clock
- One ECC digital signature calculation/validation takes 120 us
- With 19 parallel modules, the maximum output is 160 000 signatures/s
- With a single-chip solution: 200 Mbit/s with 150 B packets, 2 Gbit/s with 1500 B packets
- With a special ASIC it is possible to scale performance beyond 10 Gbit/s in a single-chip implementation (guesstimated: a 50M-gate chip running at 500 MHz ...)
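The slide's throughput figures follow from one signature operation per packet. The following added Go sizing model (not HUT's code; the slide's numbers are its inputs) reproduces them to rounding and turns the 10 Gbit/s claim into what it implies: the number of 120 us modules, or the per-signature latency with 19 modules. It assumes fully parallel modules and exactly one verification per packet, with the smallest packet size as the worst case.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Sizing model for a per-packet signature engine (added example with the slide's
// numbers as inputs; not HUT's code). One signature per packet, modules fully parallel.

// SignaturesPerSecond is the aggregate rate of n modules of the given latency.
func SignaturesPerSecond(modules int, latency time.Duration) float64 {
	return float64(modules) / latency.Seconds()
}

// LineRateBps is the bit rate sustainable when every packet of packetBytes
// must be verified: signatures/s x bits/packet.
func LineRateBps(sigsPerSec float64, packetBytes int) float64 {
	return sigsPerSec * float64(packetBytes) * 8
}

// ModulesNeeded inverts the model in integer arithmetic: how many modules of
// the given latency keep up with lineRateBps at the (worst-case) packet size.
func ModulesNeeded(lineRateBps int64, packetBytes int, latency time.Duration) int {
	den := int64(packetBytes) * 8 * int64(time.Second) // bits/packet x ns/s
	num := lineRateBps * latency.Nanoseconds()         // packets/s x latency, same scaling
	return int((num + den - 1) / den)                  // ceiling division
}

// LatencyBudget is the other inversion: the per-signature latency that the given
// number of modules would need to reach lineRateBps at packetBytes.
func LatencyBudget(lineRateBps float64, packetBytes, modules int) time.Duration {
	pps := lineRateBps / (float64(packetBytes) * 8)
	return time.Duration(math.Round(float64(modules) / pps * 1e9))
}

func main() {
	const latency = 120 * time.Microsecond // one ECC sign/verify on the slide's FPGA
	sps := SignaturesPerSecond(19, latency)
	fmt.Printf("19 modules: %.0f signatures/s\n", sps)
	for _, size := range []int{150, 500, 1500} {
		fmt.Printf("  %4d B packets: %.2f Gbit/s\n", size, LineRateBps(sps, size)/1e9)
	}
	fmt.Printf("10 Gbit/s at 150 B: %d modules at %v, or 19 modules at %v each\n",
		ModulesNeeded(10_000_000_000, 150, latency), latency, LatencyBudget(10e9, 150, 19))
}
```

At 150-byte packets, 10 Gbit/s is 8.3 million packets per second, i.e. 1000 parallel 120 us modules or a 2.3 us per-signature latency: the ASIC estimate on the slide has to raise per-module speed and module count together, and it is the smallest packet the network must carry, not the average, that sizes the engine.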

Short term solution: Secured Infrastructure Router (SIR)
[Figure: two sites connected through SIRs (SIR ... SIR) across the untrusted network]

Secured Infrastructure Router (SIR)
[Figure: sending SIR: QoS control, packet duplication; receiving SIR: QoS control, duplicate removal; QoS reporting and management signaling between the SIRs]

Alternative SIR operation
[Figure: several SIRs (eight in the diagram) operating together]

Securing services

Increasing reliability of network services
[Figure (labels translated from Finnish): Internet -> ISP 1 / ISP 2 -> edge routers -> IPS / attack mitigation -> firewalls -> SSL encryption / decryption -> IPS -> content switches / load balancing -> front-end servers in Data centre 1 and Data centre 2 (plus a backup centre) -> application servers -> firewalls -> mainframes]
Source: Anssi Rajaniemi: Verkkopankin toimintavarmuuden turvaaminen tietoverkon näkökulmasta (Securing the operational reliability of an online bank from the network's point of view), HUT, Master's thesis, 2005

Securing content delivery

Multichannel data delivery: today
[Figure: the actual data reaches National Defence, Authorities, the University (www.mpkk.fi) and Citizens over the channels military networks, TETRA/VIRVE, GSM, Internet and Radio/TV]

Multichannel data delivery: in the future
[Figure: the same audiences and channels (military networks, TETRA/VIRVE, GSM, Internet, Radio/TV), rearranged for the future delivery scheme described on the following slides]

Reliable delivery of a document
Sender: document -> fragmentation -> add FEC -> signatures -> multichannel network
Receiver: check signatures -> data reconstruction -> defragmentation -> document

Multichannel data delivery
[Figure sequence: the actual data is fragmented and sent over military networks, TETRA/VIRVE, GSM, Internet and Radio/TV; individual channels lose some fragments; the receiver regenerates the missing data locally by using the error-correction information in the other packets, and ends up with correct and up-to-date information.]
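The sender/receiver chain of the "Reliable delivery of a document" slide and the local regeneration of missing data in the figure sequence above, as an added Go example (not HUT's code). It assumes a simple XOR erasure code as the FEC (one parity fragment per group of data fragments, so each group repairs any single loss), models each channel as a path that loses a constructed set of fragment indices, and duplicates every fragment over every channel the way the SIR slides duplicate packets over several paths. The per-fragment signatures that the slide checks before reconstruction are left out here to keep the focus on the coding step.

```go
package main

import "fmt"

// Fragment is one unit sent over any channel: indices 0..k-1 carry document data,
// index k+g the XOR parity of data group g. (Added example, not HUT's code; a
// simple XOR erasure code stands in for the FEC on the slide.)
type Fragment struct {
	Index int
	Data  []byte
}

// Coder: Size bytes per fragment, Group data fragments per parity fragment.
// Each group survives the loss of any one of its fragments, data or parity.
type Coder struct {
	Size  int
	Group int
}

func xorInto(dst, src []byte) {
	for i := range dst {
		dst[i] ^= src[i]
	}
}

// Encode splits doc into k zero-padded data fragments and appends one parity per group.
func (c Coder) Encode(doc []byte) []Fragment {
	k := (len(doc) + c.Size - 1) / c.Size
	var out []Fragment
	for i := 0; i < k; i++ {
		d := make([]byte, c.Size)
		copy(d, doc[i*c.Size:])
		out = append(out, Fragment{Index: i, Data: d})
	}
	for g := 0; g*c.Group < k; g++ {
		par := make([]byte, c.Size)
		for i := g * c.Group; i < k && i < (g+1)*c.Group; i++ {
			xorInto(par, out[i].Data)
		}
		out = append(out, Fragment{Index: k + g, Data: par})
	}
	return out
}

// Decode takes everything that arrived over all channels, duplicates included, regenerates
// one missing data fragment per group from the other members and the parity, and reassembles.
func (c Coder) Decode(received []Fragment, docLen int) ([]byte, error) {
	k, have := (docLen+c.Size-1)/c.Size, map[int][]byte{}
	for _, f := range received {
		have[f.Index] = f.Data // a copy from another channel simply overwrites
	}
	for g := 0; g*c.Group < k; g++ {
		rec, missing := append([]byte(nil), have[k+g]...), -1 // rec is nil if the parity was lost
		for i := g * c.Group; i < k && i < (g+1)*c.Group; i++ {
			if d, ok := have[i]; ok {
				xorInto(rec, d) // parity XOR all present members = the absent member
			} else if missing >= 0 || rec == nil {
				return nil, fmt.Errorf("group %d: too many fragments lost to repair", g)
			} else {
				missing = i
			}
		}
		if missing >= 0 {
			have[missing] = rec
		}
	}
	var doc []byte
	for i := 0; i < k; i++ {
		doc = append(doc, have[i]...)
	}
	return doc[:docLen], nil
}

// SendMulti duplicates the fragments over several channels (TETRA, GSM, Internet,
// broadcast, ...), each losing the listed indices (constructed for the demo), and
// returns everything that arrived, duplicates included.
func SendMulti(frags []Fragment, lostPerChannel ...[]int) (got []Fragment) {
	for _, lost := range lostPerChannel {
		drop := map[int]bool{}
		for _, l := range lost {
			drop[l] = true
		}
		for _, f := range frags {
			if !drop[f.Index] {
				got = append(got, f)
			}
		}
	}
	return got
}

func main() {
	doc := []byte("SITUATION REPORT 0715: all clear") // constructed sample document
	c := Coder{Size: 10, Group: 2}
	frags := c.Encode(doc)                            // 4 data + 2 parity fragments
	internet, tetra := []int{0, 1, 3}, []int{2, 3, 4} // constructed losses; neither path alone suffices
	for _, got := range [][]Fragment{SendMulti(frags, internet), SendMulti(frags, tetra), SendMulti(frags, internet, tetra)} {
		out, err := c.Decode(got, len(doc))
		fmt.Printf("%d fragments arrived: %q %v\n", len(got), out, err)
	}
}
```

With the constructed losses neither the Internet path nor the TETRA path delivers enough on its own (each loses two fragments of the same group), but their union plus one parity fragment restores the document without any retransmission, which is what makes the scheme usable over one-way channels such as broadcast radio. Duplicates arriving on several channels are collapsed by fragment index, the receiver-side counterpart of the SIR duplicate removal. A production FEC (Reed-Solomon or a fountain code) tolerates several losses per group; the XOR parity here repairs exactly one.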

Conclusions

Conclusions
- Risks with the Internet are imminent.
- Architecture with several levels of security.
- Plan B: what shall we do when our network doesn't work? What is the minimum level of service?

NATIONAL DEFENCE UNIVERSITY: Do the work that has a meaning
Thank you for your attention! Questions?