Monitoring for network security and management Cyber Solutions Inc.

Page 1: Monitoring for network security and management

Cyber Solutions Inc.

Page 2: Why monitoring?

• Health check of networked nodes
• Usage and load evaluation for optimizing the configuration
• Illegal access detection for both inbound and outbound traffic

All networked information is on the LINE.

Page 3: Threats have to be monitored

Node alive or dead
• Network or node fault?
• Attacked?

Performance degradation
• Network fault?
• DoS possibility?
• Large-scale incident?

Policy enforcement
• Detecting policy violation (prohibited communication)
• Detecting configuration change

Potential attack originator
• Exploited / compromised by an attacker?
• Attack by an insider?
• Virus-infected?
• Malicious terminal connected?

Page 4: Monitoring is the first step for security and network management

Monitoring basics
• Information collection from every networked node
• Packet monitoring

Advanced topics
• High-resolution monitoring
• Hash-based traceback
• Simple and lightweight analysis for practical monitoring
• Information collection from mobile nodes/networks
• Monitoring the network inside

Page 5: High-resolution monitoring

Traffic is highly dynamic
• The peak rate is what matters for actual performance
• Malicious access hides in peaky traffic (pulsing DoS)

Requirement
• Shift from minute, hour and daily measurement to msec, usec and finer precision

Page 6: Monitoring with high-resolution

[Figure: the same traffic shown at a 34-hour scale and at a 5-second scale]
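As an added illustration of the point made on pages 5 and 6 (not code from the original slides), the following Python builds a constructed trace in which a 10 ms pulse repeats every second and computes the peak byte rate at 1 s and at 1 ms resolution: the per-second view reports a flat 850 kB/s and trips no threshold, while the millisecond view exposes 76 MB/s pulses. Packet sizes, rates and the 10 MB/s threshold are assumed values.

```python
"""Peak rate at coarse vs. fine resolution: the pulsing-DoS point of pages 5 and 6."""
from collections import defaultdict

US = 1_000_000                      # microseconds per second
BG_SIZE, BURST_SIZE = 1000, 1500    # assumed packet sizes in bytes

def synthetic_trace(seconds=10, bg_pps=100, burst_pkts=500, burst_ms=10):
    """Constructed trace of (timestamp_us, size_bytes). Background traffic is bg_pps
    evenly spaced packets per second; on top of it, burst_pkts packets are crammed
    into the first burst_ms milliseconds of every second (a pulsing DoS pattern)."""
    trace = []
    for s in range(seconds):
        base = s * US
        trace += [(base + i * (US // bg_pps), BG_SIZE) for i in range(bg_pps)]
        trace += [(base + i * burst_ms * 1000 // burst_pkts, BURST_SIZE) for i in range(burst_pkts)]
    return sorted(trace)

def rates(trace, bucket_us):
    """Bytes per second seen in each bucket of width bucket_us, keyed by bucket index."""
    per_bucket = defaultdict(int)
    for ts, size in trace:
        per_bucket[ts // bucket_us] += size
    return {b: total * US / bucket_us for b, total in per_bucket.items()}

def peak_rate(trace, bucket_us):
    """Highest per-bucket rate at this resolution (the 'peak rate' of page 5)."""
    return max(rates(trace, bucket_us).values())

def pulses(trace, bucket_us, threshold_bps):
    """Bucket indices whose rate exceeds threshold_bps: what an alert would fire on."""
    return sorted(b for b, r in rates(trace, bucket_us).items() if r > threshold_bps)

def compare(threshold_bps=10_000_000):
    """Same trace at two resolutions: (peak at 1 s, peak at 1 ms, alerts at 1 s, alerts at 1 ms)."""
    trace = synthetic_trace()
    return (peak_rate(trace, US), peak_rate(trace, 1000),
            len(pulses(trace, US, threshold_bps)), len(pulses(trace, 1000, threshold_bps)))
```

Averaged over a second the pulses vanish into the mean; at millisecond resolution each one is about ninety times the mean rate.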

Page 7: Scalability by Aggregation

[Figure: two manager/agent time-line diagrams. Current method: repeated query and response between Manager and Agent, with the resulting delay. With aggregation: a query and response carrying 1000 * n MOs per packet.]

Page 8: The drafts

http://www.ietf.org/internet-drafts/

draft-glenn-mo-aggr-mib-02.txt

Page 9: Problems in current counter-DoS-attack solutions

Page 10: Take the battle to the foe

Traceback

Traceback potential

Page 11: The traceback concept

[Figure: Internet with Source and Target. Packet Trace Agents along the path are asked "Do you know?" about the packet and answer "Yes!" or "No!"; the packet trace proceeds from the Target back towards the Source until the answer is "Around here!"]

Page 12: The Architecture

[Figure: packet recorders labelled PRA, PR and PRB, and a PacketTracker (PT); Packet Query/Response between the PT and the recorders]

Page 13: The Architecture (continued)

[Figure: as on page 12, with the addition of Conf: Query/Response Setting]

Page 14: Requirements: Packet Record Protocol

• Mapping between the (encoded) Packet Record and the Packet
• Additional data for corroboration
• Scope of the Packet Record: which IP header fields are masked, how much of the payload is included

Page 15: Requirements: Packet Record Protocol (continued)

[Figure: Packet Record Agent. Packet data (the IP datagram plus additional data) enters the Packet Recorder, which applies Key Generation, Kg(IP Datagram); the key and the additional data are kept in Key Storage]

Page 16: Requirements: Communication Protocol

• Authenticated
• Non-repudiation
• Lightweight
• Check for existence of a datagram
• Query for packet recording parameters
• Privacy, integrity

Page 17: The Process

[Figure: at the PRA, each IP datagram and its additional data pass through the Transform, Tr(IP Datagram), in the Packet Recorder (PR) and are stored in the Packet Record Base. The PacketTracker (PT) applies the same Transform to the IP datagram in question and queries the Packet Record Base, which answers Yes/No]

Page 18: Demonstration: Tracking attacks using SNMP-based packet tracing

[Figure: The Internet; Packet Record Agents PRA1, PRA2 and PRA3; Attacker1 on the IETF wireless network and Attacker2 on the IETF wired network; Victim on a remote network; Intrusion Detection Sensor (IDS); Manager; SNMP trap from the IDS to the Manager; query and response between the Manager and the PRAs]

1. Attacker1 sends a packet to Victim.
2. The IDS detects it and sends an SNMP trap to the manager along with the packet's "record".
3. The manager queries packet record agents PRA1, PRA2 and PRA3 for the packet record.
4. The manager receives responses from PRA1, PRA2 and PRA3 and traces the packet path.
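The following Python is an added example, not the slides' or the drafts' own code, of the packet-record mechanism of pages 14 to 18: Kg/Tr is modelled as a SHA-256 over the IP header with TOS, TTL and checksum masked plus the first 8 bytes of payload, each PRA keeps the key with its additional data (time, ingress interface), and the manager queries the PRAs and orders the Yes answers into a path. The masked field set, the 32-bit key length, the addresses, interface names and timestamps are assumptions; the SNMP transport itself is not modelled.

```python
import hashlib
import struct
IHL = 20   # fixed header length: the constructed datagrams carry no IP options

def ip_checksum(hdr):   # RFC 791 checksum over the 20-byte header with its checksum field zeroed
    s = sum(struct.unpack("!10H", bytes(hdr)))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4_datagram(src, dst, ttl, payload):   # constructed minimal IPv4 datagram (proto 17)
    addr = lambda a: bytes(map(int, a.split(".")))
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, IHL + len(payload),
                                0x1234, 0, ttl, 17, 0, addr(src), addr(dst)))
    hdr[10:12] = struct.pack("!H", ip_checksum(hdr))
    return bytes(hdr) + payload

def forward_hop(dgram):   # what each router does on the way: TTL - 1, fresh header checksum
    hdr = bytearray(dgram[:IHL]); hdr[8] -= 1; hdr[10:12] = b"\0\0"
    hdr[10:12] = struct.pack("!H", ip_checksum(hdr))
    return bytes(hdr) + dgram[IHL:]

def packet_record(dgram, payload_bytes=8):
    """Kg / Tr: mask the header fields that change hop by hop (TOS, TTL, checksum), keep
    the first payload_bytes of payload, hash, and keep 32 bits of the digest as the key."""
    hdr = bytearray(dgram[:IHL])
    hdr[1] = 0; hdr[8] = 0; hdr[10:12] = b"\0\0"
    return hashlib.sha256(bytes(hdr) + dgram[IHL:IHL + payload_bytes]).digest()[:4]

class PacketRecordAgent:   # PRA: key storage plus additional data (time, ingress) for corroboration
    def __init__(self, name):
        self.name, self.key_storage = name, {}
    def forward(self, dgram, ingress, t):
        self.key_storage[packet_record(dgram)] = (t, ingress)
        return forward_hop(dgram)
    def has_record(self, key):   # the "check for existence of a datagram" query of page 16
        return key in self.key_storage

def trace_path(record, agents):   # Manager: query every PRA, order the Yes answers by time
    hits = [(a.key_storage[record], a.name) for a in agents if a.has_record(record)]
    return [(name, ingress) for (_, ingress), name in sorted(hits)]

def demo():   # page 18 scenario: Attacker1's packet crosses PRA1 then PRA3; PRA2 saw other traffic
    pra1, pra2, pra3 = (PacketRecordAgent(n) for n in ("PRA1", "PRA2", "PRA3"))
    attack = ipv4_datagram("10.0.0.5", "192.0.2.9", 64, b"constructed attack payload")
    hop1 = pra1.forward(attack, "wlan0", 100)   # Attacker1 on the wireless network
    hop2 = pra3.forward(hop1, "eth1", 101)      # on towards the victim's remote network
    pra2.forward(ipv4_datagram("10.0.1.7", "192.0.2.9", 64, b"unrelated"), "eth0", 100)
    return trace_path(packet_record(hop2), [pra1, pra2, pra3])   # IDS keys the packet it saw
```

Because TTL and checksum are masked, the key the IDS computes from the packet it received equals the key each PRA stored when the packet passed through, which is what makes the existence query answerable at all.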

Page 19: Demonstration: screenshot

[Figure: screenshot of the demonstration]

Page 20: For practical network monitoring

Simple and lightweight monitoring
• Focusing on the stability of traffic
• Simple event generation and deep inspection

[Figure: Monitoring and stability analysis produces an event notification, which triggers deep inspection over the packet sample DB]

Page 21: Stability example

The observed source addresses are stable in a large-scale network.
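An added example (not from the original presentation) of the stability idea on pages 20 and 21: per window only the set of source addresses is kept, its overlap with the previous window is the stability score, and a drop below a threshold raises an event that carries a small packet sample for deep inspection. The address ranges, the 0.8 threshold and the window contents are constructed.

```python
"""Stability-based analysis (pages 20 and 21): keep only the per-window source-address
set, score its overlap with the previous window, and escalate to deep inspection on a drop."""

def stability(current, previous):
    """Fraction of this window's source addresses that were also seen in the previous one."""
    if not current or not previous:
        return 1.0          # first window (or an empty one): nothing to compare yet
    return len(current & previous) / len(current)

class StabilityMonitor:
    """Lightweight stage: one set of addresses per window plus a small packet sample DB."""
    def __init__(self, threshold=0.8, sample_size=5):
        self.threshold, self.sample_size = threshold, sample_size   # assumed values
        self.previous, self.events = set(), []

    def window(self, window_id, packets):
        """packets: (src, dst, proto) tuples seen in one measurement window. Returns the score
        and appends an event, with a sample of the new sources' packets, when it is too low."""
        current = {src for src, _, _ in packets}
        score = stability(current, self.previous)
        if score < self.threshold:
            new_sources = current - self.previous
            sample = [p for p in packets if p[0] in new_sources][:self.sample_size]
            self.events.append({"window": window_id, "stability": round(score, 3),
                                "new_sources": len(new_sources), "sample": sample})
        self.previous = current
        return score

def constructed_windows():
    """Five windows of constructed traffic: 50 regular internal sources, one of which is
    quiet in each window, then a fifth window where 60 never-seen sources appear at once."""
    regulars = [f"10.1.0.{i}" for i in range(1, 51)]
    windows = [[(s, "10.1.9.1", "tcp") for s in regulars if s != regulars[w]] for w in range(5)]
    windows[4] += [(f"198.51.100.{i}", "10.1.9.1", "udp") for i in range(1, 61)]
    return windows

def run():
    """Feed the constructed windows through the monitor; returns (scores, events)."""
    mon = StabilityMonitor()
    scores = [mon.window(i, pkts) for i, pkts in enumerate(constructed_windows())]
    return scores, mon.events
```

The normal windows score about 0.98 despite one host going quiet each time; the window with the new sources scores about 0.44 and is the only one that raises an event.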

Page 22: Mobility issues

• Sometimes disconnected
• Changing network
• Changing place/environment
• Access to more information

Page 23: Mobility issues (1)

Not continuously connected: the usual polling paradigm will not work
• Agent-initiated polling
• Agent-initiated informs
• Store locally (offline)
• Store and forward (semi-online)

Page 24: Current Method

[Figure: manager/agent time line, current method]

Page 25: Current Method (continued)

[Figure: manager/agent time line, current method]

Page 26: Agent-initiated polling

[Figure: manager/agent time line, agent-initiated polling]

Page 27: Agent-initiated informs

[Figure: manager/agent time line, agent-initiated informs]

Page 28: Conventional defense strategy

[Figure: Internet, Firewalling, Intranet; Web server and mail server in a DMZ; monitoring by IDS]

Monitoring access from outside to inside.

Page 29: Risks inside the network

[Figure: Internet and the internal network]

• Exploited and/or compromised nodes
• Prohibited user access from the DHCP/wireless network
• Virus-infected nodes
• Potential insider attacks

Page 30: Monitoring inside

Detecting non-authorized terminals; preventing illegal outbound access

[Figure: Internet and the internal network; connectivity and log monitoring]

Monitoring
• Log collection and audit
• DHCP and/or connection activity monitoring
• Application traffic from inside to outside

Page 31: Summary

Monitoring is the real base of network security and network management.

• Further advanced monitoring is required: high-resolution monitoring
• New security applications are required: packet traceback
• Further practical analysis is required: stability-based analysis
• Support for future network environments is required: mobile node and network support
• A new monitoring target is required: the network inside