Application and Virus Detecting Firewall on the SPring-8 … · 2018. 11. 14. · Application and...
Application and Virus Detecting Firewall on
the SPring-8 Experimental User Network
Takashi SUGIMOTO, Miho ISHII, Toru OHATA,
Tatsuaki SAKAMOTO, and Ryotaro TANAKA
(JASRI/SPring-8)
3rd Control System Cyber-Security Workshop,
WTC, Grenoble, France, October 9, 2011
Page 2
Contents
• Overview of SPring-8
• Problems on the Experimental User LAN
– VPN, P2P, Virus
– Solution: IPS (2004-)
• Recent Problems
– Tunneling using HTTP(S)
• Replace the IPS by “Next Generation Firewall”
– Evaluation and Install
• Summary
Page 3
Overview of SPring-8
Page 4
(c) RIKEN/JASRI
[Figure: SPring-8 Facility; labels: 8-GeV Storage Ring, >50 Beam Lines; Electron Injector (Linac and Booster Synchrotron); SACLA X-ray Free Electron Laser Facility; SCSS Prototype Accelerator UV Free Electron Laser Facility; NewSUBARU 1.5-GeV Storage Ring]
SPring-8: a complex of synchrotron radiation research facilities in Japan
Page 5
We have 55 (operational) and 2 (under construction) beam lines (BLs).
Page 6
Experimental Users
• > 10,000 people visit SPring-8 to perform experiments every year.
• Many people bring their own PCs
– for experimental use (DAQ)
– for their convenience (WWW, Mail, etc.)
• We provide two ways for them to use their PCs.
– Wi-Fi Access on Office-LAN
– Experimental User LAN
Page 7
Schematic View of Beamline Network
[Diagram labels: BL1 / BL1-User; BL2 / BL2-User; Machine Control Network; Experimental User Network; Internet; Firewall; Firewall; Office Network; NAPT; Filtering (one-way connection); Institute]
Users can use the EXP-LAN for
- instrument control
- data acquisition and transfer
- other use (WWW, mail)
Each beamline has a Machine Control Network (CNTL-LAN) and an Experimental User LAN (EXP-LAN).
Page 8
Problem on Experimental User LAN
Page 9
Problems on the EXP-LAN
• An unspecified number of people connect unmanaged PCs to the EXP-LAN
– without any Authentication / Authorization / Accounting.
• Some people use unpermitted software
– VPN
– P2P file sharing
• Some PCs are infected by computer viruses.
Such applications threaten the SPring-8 control system.
Page 10
Problem 1: Off-site Person can Control via VPN
[Diagram labels: Machine Control Network; Experimental User Network; Internet; Firewall; Office Network; BL1 / BL1-User; BL2 / BL2-User; Reverse path via VPN tunnel]
Remote control is strictly prohibited for radiation safety.
(Except for a dedicated remote experiment system; please see the session THBHAUST05, Y. Furukawa et al.)
Page 11
Problem 2: Bandwidth Exhaustion by P2P
[Diagram labels: Machine Control Network; Experimental User Network; Internet; Firewall; Office Network; BL1 / BL1-User; BL2 / BL2-User; P2P traffic; Fair user traffic]
Page 12
Problem 3: Virus Attack
[Diagram labels: BL1 / BL1-User; BL2 / BL2-User; Machine Control Network; Experimental User Network; Internet; Office Network; Virus]
Sometimes the router hangs up.
Page 13
Install Transparent IPS (2004-)
[Diagram labels: BL1 / BL1-User; BL2 / BL2-User; Machine Control Network; Experimental User Network; Internet; Office Network; Virus; IPS (CheckPoint InterSpect610); VLAN Trunked]
Using the IPS, we can localize virus attacks to a certain beamline.
M. Ishii et al., “Construction and Management of a Secure Network in SPring-8”, ICALEPCS 2005, Geneva, Switzerland, 2005.
Page 14
Recent Problem: Tunneling Applications
Page 15
Problem 1’: Recent VPN Software
[Diagram labels: Machine Control Network; Experimental User Network; Internet; Firewall; Office Network; BL1 / BL1-User; BL2 / BL2-User; IPS (CheckPoint InterSpect610); VLAN Trunked]
We can block legacy VPN software (IPsec), because IPsec is neither TCP nor UDP and IPsec packets cannot pass NAPT.
However, recent VPN software can pass the IPS and firewalls, because such VPNs use HTTPS.
Page 16
Problem 2’: Recent P2P Software
[Diagram labels: Machine Control Network; Experimental User Network; Internet; Firewall; Office Network; BL1 / BL1-User; BL2 / BL2-User; IPS (CheckPoint InterSpect610); VLAN Trunked; P2P traffic]
Using the HTTP(S) protocol, recent P2P software also passes the IPS and firewalls.
Page 17
Replace IPS by “Next Generation Firewall”: Evaluation and Install
Page 18
Evaluation of Next Generation Firewall (2010 July, Tap Mode)
[Diagram labels: BL1 / BL1-User; BL2 / BL2-User; Machine Control Network; Experimental User Network; Internet; Office Network; IPS (CheckPoint InterSpect610); Next Generation Firewall (PaloAlto PA-500); Monitoring Port]
Page 19
Top 25 Applications (July 1 – 31, 2010)

| Application Name | App Category | App Sub Category | Sessions | Bytes |
|---|---|---|---|---|
| ssh | networking | encrypted-tunnel | 19950 | 1.27399E+12 |
| ms-ds-smb | business-systems | storage-backup | 11987 | 5.0741E+11 |
| ftp | general-internet | file-sharing | 3104107 | 3.80805E+11 |
| nfs | business-systems | storage-backup | 947 | 1.96318E+11 |
| msrpc | networking | infrastructure | 152 | 1.76369E+11 |
| web-browsing | general-internet | internet-utility | 3901184 | 1.46611E+11 |
| unknown-tcp | unknown | unknown | 224414 | 32607259839 |
| afp | business-systems | storage-backup | 82 | 19793808562 |
| ssl | networking | encrypted-tunnel | 823229 | 13462982181 |
| vnc | networking | remote-access | 77 | 13400994449 |
| ms-rdp | networking | remote-access | 268 | 12864823274 |
| ms-update | business-systems | software-update | 63495 | 12578977829 |
| youtube-base | media | photo-video | 4371 | 9912155433 |
| t.120 | networking | infrastructure | 75 | 9314941655 |
| flash | general-internet | internet-utility | 22164 | 7096398144 |
| symantec-av-update | business-systems | software-update | 360664 | 6374641953 |
| megaupload | general-internet | file-sharing | 640 | 5693441130 |
| http-video | media | photo-video | 4037 | 4047977554 |
| apple-update | business-systems | software-update | 6939 | 3965761049 |
| ciscovpn | networking | encrypted-tunnel | 150 | 2517729101 |
| yahoo-douga | media | photo-video | 5668 | 2295136130 |
| active-directory | business-systems | auth-service | 2 | 2017950348 |
| dns | networking | infrastructure | 2922411 | 1916582840 |
| itunes | media | audio-streaming | 1555 | 1823506527 |
Page 20
VPN (July 1 – 31, 2010)

| Application Name | App Category | App Sub Category | Sessions | Bytes |
|---|---|---|---|---|
| ssh | networking | encrypted-tunnel | 19950 | 1.27399E+12 |
| ssl | networking | encrypted-tunnel | 823229 | 13462982181 |
| ciscovpn | networking | encrypted-tunnel | 150 | 2517729101 |
| ike | networking | encrypted-tunnel | 12 | 114819257 |
| ipsec-esp-udp | networking | encrypted-tunnel | 22 | 57154472 |
| tor | networking | encrypted-tunnel | 19 | 5688367 |
| open-vpn | networking | encrypted-tunnel | 2 | 3602490 |
Page 21
P2P File-sharing (July 1 – 31, 2010)

| Application Name | App Category | App Sub Category | Sessions | Bytes |
|---|---|---|---|---|
| ftp | general-internet | file-sharing | 3104107 | 3.80805E+11 |
| megaupload | general-internet | file-sharing | 640 | 5693441130 |
| 4shared | general-internet | file-sharing | 91 | 364424179 |
| webdav | general-internet | file-sharing | 1232 | 293801170 |
| msn-file-transfer | general-internet | file-sharing | 130 | 13920462 |
| rapidshare | general-internet | file-sharing | 16 | 13142559 |
| bittorrent | general-internet | file-sharing | 31212 | 11921795 |
| mediafire | general-internet | file-sharing | 13 | 7734610 |
| docstoc | general-internet | file-sharing | 17 | 1437825 |
| fs2you | general-internet | file-sharing | 1108 | 1111203 |
| office-live | general-internet | file-sharing | 156 | 488310 |
| akamai-client | general-internet | file-sharing | 1903 | 390295 |
| taku-file-bin | general-internet | file-sharing | 41 | 335067 |
| divshare | general-internet | file-sharing | 2 | 295698 |
| filestube | general-internet | file-sharing | 12 | 190391 |
| xunlei | general-internet | file-sharing | 13 | 180090 |
| nateon-file-transfer | general-internet | file-sharing | 8 | 92186 |
| emule | general-internet | file-sharing | 864 | 91874 |
| mydownloader | general-internet | file-sharing | 1 | 76070 |
| skydrive | general-internet | file-sharing | 5 | 73139 |
| flashget | general-internet | file-sharing | 175 | 59396 |
| qq-download | general-internet | file-sharing | 49 | 30157 |
| ares | general-internet | file-sharing | 19 | 4186 |
Page 22
Install the Next Generation Firewall (2010 Fall -)
[Diagram labels: BL1 / BL1-User; BL2 / BL2-User; Machine Control Network; Experimental User Network (Backbone); NAPT; Internet; Firewall; Firewall; Office Network; Next Gen. Firewall (PaloAlto PA-2050)]
Page 23
Top 25 Applications (Sep. 18, 2010 – Sep. 17, 2011)

| Application Name | App Category | App Sub Category | Sessions | Bytes |
|---|---|---|---|---|
| ssh | networking | encrypted-tunnel | 2250543 | 1.5949E+13 |
| ms-ds-smb | business-systems | storage-backup | 27323 | 7.35689E+12 |
| ftp | general-internet | file-sharing | 109264388 | 6.53462E+12 |
| unknown-tcp | unknown | unknown | 3980123 | 4.37899E+12 |
| web-browsing | general-internet | internet-utility | 91399894 | 3.14058E+12 |
| vnc | unknown | unknown | 537 | 1.84976E+12 |
| megaupload | general-internet | file-sharing | 25566 | 5.94995E+11 |
| t.120 | networking | infrastructure | 3659 | 5.04735E+11 |
| mediafire | general-internet | file-sharing | 54593 | 4.867E+11 |
| ms-rdp | networking | remote-access | 5844 | 3.55244E+11 |
| ssl | networking | encrypted-tunnel | 18292920 | 3.28486E+11 |
| ms-update | business-systems | software-update | 1982952 | 3.14617E+11 |
| msrpc | networking | infrastructure | 587 | 1.55166E+11 |
| symantec-av-update | business-systems | software-update | 5511127 | 1.33698E+11 |
| adobe-update | business-systems | software-update | 50568 | 79289151276 |
| apple-update | business-systems | software-update | 110507 | 70339902358 |
| flash | general-internet | internet-utility | 174670 | 66448506565 |
| gmail-base | collaboration | email | 265601 | 65189109965 |
| ypserv | networking | infrastructure | 23206522 | 60955251082 |
| nfs | business-systems | storage-backup | 3351 | 58170163294 |
| dns | networking | infrastructure | 65959951 | 48338539879 |
| afp | business-systems | storage-backup | 7024 | 44794302217 |
| sugarsync | general-internet | file-sharing | 6223 | 31676171151 |
| pop3 | collaboration | email | 405857 | 30227947749 |
| insufficient-data | unknown | unknown | 34785105 | 30103697318 |

We also found that many people use on-line storage services.
Page 24
[Chart: Bytes Statistics (2010.09.18-2011.09.17), log scale, axis from 1E+09 to 1E+14 bytes; applications in the order plotted: ssh, ms-ds-smb, ftp, unknown-tcp, web-browsing, vnc, megaupload, t.120, mediafire, ms-rdp, ssl, ms-update, msrpc, symantec-av-update, adobe-update, apple-update, flash, gmail-base, ypserv, nfs, dns, afp, sugarsync, pop3, insufficient-data, yum, http-video, google-safebrowsing, apple-appstore, dropbox, twitter-base; callout: Dominant Traffic]
Page 25
[Chart: Sessions Statistics (2010.09.18-2010.09.17), log scale, axis from 1000 to 1E+09 sessions; applications in the order plotted: ftp, web-browsing, dns, insufficient-data, ypserv, ntp, ssl, ping, portmapper, snmp, symantec-av-update, unknown-tcp, netbios-ns, ssh, ms-update, google-safebrowsing, twitter-base, yum, pop3, snmpv1, google-analytics, gmail-base, fortiguard-webfilter, unknown-udp, flash, yahoo-mail, facebook-social-plugin, backweb, apple-update, eset-update; callout: Dominant Session]
Page 26
Top 25 Threats (Viruses and Attacks) (Sep. 18, 2010 – Sep. 17, 2011)

| Threat Name | Application | App Category | App Sub Category | Count |
|---|---|---|---|---|
| Microsoft Windows SMB Fragmentation RPC Request Attempt | ms-ds-smb | business-systems | storage-backup | 287642 |
| FTP: login brute force attempt | ftp | general-internet | file-sharing | 28031 |
| Conficker DNS Request | dns | networking | infrastructure | 18621 |
| Trojan-Rustock.Phonehome | web-browsing | general-internet | internet-utility | 13990 |
| Rustock.Gen Command and Control Traffic | web-browsing | general-internet | internet-utility | 13149 |
| SMB: User Password Brute-force Attempt | ms-ds-smb | business-systems | storage-backup | 4047 |
| Trojan-Spy/Win32.spyeyes.nrn | java-update | business-systems | software-update | 585 |
| Microsoft Windows SMB Fragmentation RPC Request Attempt | ms-ds-smb | business-systems | storage-backup | 339 |
| WhenU_SaveNow Post installation download | web-browsing | general-internet | internet-utility | 149 |
| Geral User-Agent Traffic | web-browsing | general-internet | internet-utility | 114 |
| Microsoft Visual Basic VBP Project File Handling Buffer Overflow | ms-ds-smb | business-systems | storage-backup | 102 |
| Microsoft DCE RPC Big Endian Evasion Vulnerability | ms-ds-smb | business-systems | storage-backup | 88 |
| Microsoft DCE RPC Big Endian Evasion Vulnerability | msrpc | networking | infrastructure | 87 |
| Trojan/Win32.ruskill.eiq | ms-ds-smb | business-systems | storage-backup | 75 |
| MySQL MaxDB Webtool HTTP Request Parsing Buffer Overflow Vulnerability | web-browsing | general-internet | internet-utility | 67 |
| SMB: User Password Brute-force Attempt | ms-ds-smb | business-systems | storage-backup | 58 |
| TCP Flood | not-applicable | unknown | unknown | 55 |
| Trojan-Banker/Win32.banbra.tly | web-browsing | general-internet | internet-utility | 53 |
| ClamAV libclamav PE File Handling Integer Overflow Vulnerability | ms-ds-smb | business-systems | storage-backup | 49 |
| WhenU_SaveNow Ads data retrieve | web-browsing | general-internet | internet-utility | 46 |
| Trojan/Win32.ruskill.eiq | ms-ds-smb | business-systems | storage-backup | 44 |
| Microsoft Visual Basic VBP Project File Handling Buffer Overflow | ms-ds-smb | business-systems | storage-backup | 42 |
| HTTP Cross Site Scripting Attempt | web-browsing | general-internet | internet-utility | 40 |
| FTP evasion attack | ftp | general-internet | file-sharing | 34 |
| Microsoft Windows RPC Encrypted Data Detected | ms-ds-smb | business-systems | storage-backup | 33 |
Page 27
Performance of the Next Gen. Firewall (Sep. 18, 2010 – Sep. 17, 2011)
• Detect and filter applications
– 287 applications are detected.
– No VPN nor P2P applications passed through.
• Detect and filter viruses and their attacks
– 140 viruses/attacks are detected and filtered.
– The virus signature is updated every day.
• Another merit
– We can plan the next service by utilizing the application statistics.
(e.g. a large-bandwidth, large-capacity on-line storage service)
PaloAlto PA-2050
The updated EXP-LAN with the next generation firewall has worked well for one year without fatal trouble.
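The following is an added example, not code from the slides or from SPring-8. It models the two filtering stages the Problem 1' and Problem 2' slides contrast: a NAPT gateway with port-based rules, which stops IPsec (no L4 port to translate) but lets HTTPS-carried VPN and P2P through, beside a rule set that decides on the identified application. It then aggregates permitted bytes per sub-category in the way the application statistics above are used for planning. The application names are taken from the slides' tables; the flow records, port numbers and both policy lists are constructed assumptions, not the SPring-8 configuration.

```python
"""Added example (not from the SPring-8 slides): NAPT plus port-based rules
versus application-based rules, run over constructed flow records, followed
by per-sub-category byte statistics.  Flows, ports and policy lists are
assumptions made for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str              # "tcp", "udp" or "esp" (IPsec ESP carries no L4 ports)
    dst_port: Optional[int]  # None when the protocol has no port numbers
    app: str                # label an application-identifying firewall assigns
    sub_category: str       # e.g. "encrypted-tunnel", "file-sharing"
    nbytes: int


def napt_forward(flow: Flow) -> bool:
    """NAPT rewrites (address, port) pairs.  A packet without an L4 port
    (IPsec ESP) has nothing to map, so the gateway cannot forward it; this
    is the reason legacy IPsec VPNs stop at the NAPT box."""
    return flow.proto in ("tcp", "udp")


# Constructed port-based rules: permit ssh, web, https and dns; deny IKE and
# everything else.  A classic firewall behind NAPT sees only protocol and port.
PORT_RULES = {
    ("tcp", 22): "allow", ("tcp", 80): "allow", ("tcp", 443): "allow",
    ("udp", 53): "allow", ("udp", 500): "deny", ("udp", 4500): "deny",
}


def port_policy(flow: Flow) -> str:
    if not napt_forward(flow):
        return "deny"
    return PORT_RULES.get((flow.proto, flow.dst_port), "deny")


# Constructed application rules: VPN and P2P application names that appear in
# the slides' tables.  This is an illustrative list, not the site's policy.
BLOCKED_APPS = {"open-vpn", "ciscovpn", "tor", "ike", "ipsec-esp-udp",
                "bittorrent", "emule", "ares", "xunlei", "flashget"}


def app_policy(flow: Flow) -> str:
    """The port is irrelevant here; the identified application decides, so a
    VPN or P2P client tunnelled over HTTPS is caught on port 443 as well."""
    if not napt_forward(flow):
        return "deny"
    return "deny" if flow.app in BLOCKED_APPS else "allow"


def bytes_by_sub_category(flows) -> dict:
    """Bytes of permitted traffic per sub-category, the kind of statistic the
    slides use to plan services such as on-line storage."""
    totals = defaultdict(int)
    for f in flows:
        if app_policy(f) == "allow":
            totals[f.sub_category] += f.nbytes
    return dict(totals)


# Constructed flow records (not SPring-8 measurements); "ipsec-esp" is a
# made-up label for raw ESP, the others are application names from the slides.
SAMPLE_FLOWS = [
    Flow("esp", None, "ipsec-esp", "encrypted-tunnel", 57_154_472),
    Flow("udp", 500, "ike", "encrypted-tunnel", 114_819_257),
    Flow("tcp", 443, "open-vpn", "encrypted-tunnel", 3_602_490),
    Flow("tcp", 443, "ssl", "encrypted-tunnel", 13_462_982_181),
    Flow("tcp", 80, "bittorrent", "file-sharing", 11_921_795),
    Flow("tcp", 80, "web-browsing", "internet-utility", 146_611_000_000),
    Flow("tcp", 443, "sugarsync", "file-sharing", 31_676_171_151),
]


def compare_policies(flows=SAMPLE_FLOWS) -> dict:
    """Return {application: (port-based decision, application-based decision)}."""
    return {f.app: (port_policy(f), app_policy(f)) for f in flows}


if __name__ == "__main__":
    for app, (by_port, by_app) in compare_policies().items():
        print(f"{app:14s} port-based={by_port:5s} app-based={by_app}")
    print(bytes_by_sub_category(SAMPLE_FLOWS))
```

Running it prints one line per constructed flow: the open-vpn flow on 443 and the bittorrent flow on 80 are allowed by the port-based rules and denied by the application-based ones, the raw ESP flow is dropped by both because NAPT has no port to translate, and the byte summary counts only what the application-based policy let through.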
Page 28
Summary
• We replaced the IPS by a “Next Generation Firewall”.
• The “Next Generation Firewall” works well.
– The next generation firewall detects and blocks many prohibited applications.
• VPN software, which breaks radiation security
• P2P software, which causes bandwidth exhaustion
• Computer viruses
– We also utilize the application statistics for planning the next service.
• On-line storage service for experimental users.