Monitoring for network security and management
Cyber Solutions Inc.
Why monitoring?
• Health check of networked nodes
• Usage and load evaluation for optimizing the configuration
• Illegal access detection for both inbound and outbound traffic
All networked information is on the LINE
Threats have to be monitored
Node alive or dead
• Network or node fault?
• Attacked?
Performance degradation
• Network fault?
• DoS possibility?
• Large-scale incident?
Policy enforcement
• Detecting policy violations (prohibited communication)
• Detecting configuration changes
Potential attack originator
• Exploited / compromised by an attacker?
• Attack by an insider?
• Virus-infected?
• Malicious terminal connected?
Monitoring is the first step for security and network management
Monitoring basics
• Information collection from every networked node
• Packet monitoring
Advanced topics
• High-resolution monitoring
• Hash-based traceback
• Simple and lightweight analysis for practical monitoring
• Information collection from mobile nodes/networks
• Monitoring the network inside
High-resolution monitoring
Traffic is highly dynamic
• The peak rate is what determines actual performance
• Malicious access hides in peaky traffic (pulsing DoS)
Requirement
• Shift measurement from minute, hourly and daily intervals to millisecond, microsecond and even finer resolution
[Figure: the same traffic plotted at two time scales, 34 hours and 5 seconds]
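The following is an added example, not code from the slides, showing the point of the requirement above in numbers: a pulsing DoS that is invisible in per-second (let alone per-minute) averages stands out once the same packets are binned at 10 ms. The packet trace is constructed synthetically, and the burst size, period and bin widths are assumed values.

```python
"""Added example (not from the slides): why millisecond resolution matters.

A pulsing DoS sends short bursts. Averaged over seconds or minutes the
link looks healthy; binning the same packets at 10 ms exposes the peak.
The trace below is constructed, and all parameters are assumed values.
"""
from collections import Counter

US = 1_000_000  # microseconds per second; timestamps are integer microseconds


def constructed_trace(seconds=60, base_pps=100, burst_pkts=500,
                      burst_us=50_000, period_us=US):
    """Arrival timestamps (us): steady background plus one burst of
    burst_pkts packets squeezed into burst_us every period_us."""
    ts = [i * (US // base_pps) for i in range(seconds * base_pps)]
    spacing = burst_us // burst_pkts
    for start in range(0, seconds * US, period_us):
        ts.extend(start + j * spacing for j in range(burst_pkts))
    return sorted(ts)


def rate_series(timestamps, bin_us, duration_us):
    """Packets per second measured in consecutive bins of bin_us."""
    counts = Counter(t // bin_us for t in timestamps)
    nbins = duration_us // bin_us
    return [counts.get(b, 0) * US / bin_us for b in range(nbins)]


def peak_and_mean(timestamps, bin_us, duration_us):
    """(peak pps, mean pps) as a monitor with bins of bin_us would report them."""
    series = rate_series(timestamps, bin_us, duration_us)
    return max(series), sum(series) / len(series)


if __name__ == "__main__":
    trace = constructed_trace()
    for label, bin_us in (("1 min", 60 * US), ("1 s", US), ("10 ms", 10_000)):
        peak, mean = peak_and_mean(trace, bin_us, 60 * US)
        print(f"{label:>6} bins: peak {peak:8.0f} pps, mean {mean:6.0f} pps")
```

With one-second bins the peak equals the mean (600 pps), so a threshold on either never fires; with 10 ms bins the same trace shows a 10,100 pps peak, roughly 17 times the mean, which is the signal a pulsing-DoS detector needs.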
Monitoring with high resolution
[Figure: current method: the manager issues one query/response exchange per managed object, so delay accumulates at the agent; proposed method: the agent returns aggregated responses carrying 1000 * n MOs per packet]
Scalability by aggregation
The drafts
http://www.ietf.org/internet-drafts/draft-glenn-mo-aggr-mib-02.txt
Problems in current counter-DoS solutions
Take the battle to the foe
Traceback
[Figure: traceback potential. The target asks Packet Trace Agents along the path through the Internet "Do you know this packet?"; each answers Yes or No, and the chain of Yes answers locates the source: "Around here!"]
The traceback concept
The Architecture
[Figure: Packet Record Agents (PRA, PRB) each hold Packet Records (PR); a PacketTracker (PT) issues packet queries and receives responses; Conf: query/response settings]
Requirements: Packet Record Protocol
• Mapping: PacketRecord (encoded) <-> Packet
• Additional data for corroboration
• Scope of the packet record: which IP header fields are masked, how much of the payload is covered
Requirements: Packet Record Protocol
[Figure: Packet Record Agent. Packet data (IP datagram) enters key generation, Kg(IP Datagram); the Packet Recorder stores the resulting key in key storage together with the additional data]
Requirements: Communication Protocol
• Authenticated
• Non-repudiation
• Lightweight
• Check for existence of a datagram
• Query for packet recording parameters
• Privacy, integrity
The Process:
[Figure: the PRA applies the transform Tr(IP Datagram) to each packet and stores the result plus additional data in its Packet Record Base; the PT applies the same transform to the datagram in question and queries the PRA, which answers Yes/No]
Demonstration: Tracking attacks using SNMP-based packet tracing
[Figure: the Internet connects the IETF wired network (Attacker2, Packet Record Agent PRA2), the IETF wireless network (Attacker1, PRA1), PRA3, an Intrusion Detection Sensor (IDS) and the Manager, with the Victim on a remote network; the IDS sends an SNMP trap to the Manager, which exchanges queries and responses with PRA1, PRA2 and PRA3]
1. Attacker1 sends a packet to the Victim.
2. The IDS detects it and sends an SNMP trap to the manager along with the packet's "record".
3. The manager queries packet record agents PRA1, PRA2 and PRA3 for the packet record.
4. The manager receives responses from PRA1, PRA2 and PRA3 and traces the packet path.
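The Packet Record Protocol requirements and the four demonstration steps above, as an added example that is not the slides' implementation: the SNMP query/response is replaced by plain function calls, the transform Tr() is a SHA-256 digest over the datagram with the hop-by-hop mutable header fields (TOS, TTL, header checksum) zeroed plus the first few payload bytes, and the PRAs return first-seen time and ingress interface as the additional data for corroboration. The datagrams, agent names, interface names and the payload scope are assumed.

```python
"""Added example (not the slides' implementation): hash-based packet
traceback with SNMP replaced by plain function calls.

Each Packet Record Agent (PRA) keeps Tr(IP datagram), a digest of the
datagram with per-hop mutable header fields masked, plus additional data
(first-seen time, ingress interface) for corroboration. The tracker
computes the same digest for the attack packet the IDS reported and asks
every PRA "did you see it?". Packets, names and masks are assumed.
"""
import hashlib
import struct


def ipaddr(dotted: str) -> bytes:
    return bytes(int(x) for x in dotted.split("."))


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the header."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, ttl, proto, payload, ident=0x1234) -> bytes:
    """Minimal IPv4 datagram (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                      ttl, proto, 0, ipaddr(src), ipaddr(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


PAYLOAD_SCOPE = 8  # how much payload the record covers (assumed parameter)


def packet_record(datagram: bytes, payload_scope=PAYLOAD_SCOPE) -> bytes:
    """Tr(IP datagram): SHA-256 over the header with TOS, TTL and checksum
    zeroed (they change hop by hop) plus the first payload_scope bytes,
    truncated to 8 bytes to keep the record base small."""
    ihl = (datagram[0] & 0x0F) * 4
    hdr = bytearray(datagram[:ihl])
    hdr[1] = 0                  # TOS / DSCP+ECN may be rewritten in transit
    hdr[8] = 0                  # TTL is decremented at every hop
    hdr[10:12] = b"\0\0"        # header checksum changes with the TTL
    return hashlib.sha256(bytes(hdr) + datagram[ihl:ihl + payload_scope]).digest()[:8]


class PacketRecordAgent:
    def __init__(self, name):
        self.name = name
        self.base = {}          # record -> (seen_at, ingress interface)

    def record(self, datagram, seen_at, iface):
        self.base.setdefault(packet_record(datagram), (seen_at, iface))

    def query(self, rec):
        """Existence check: (True, additional data) or (False, None)."""
        return (True, self.base[rec]) if rec in self.base else (False, None)


class PacketTracker:
    def __init__(self, agents):
        self.agents = agents

    def trace(self, attack_datagram):
        """Ask every agent about the record; return hits ordered by time seen."""
        rec = packet_record(attack_datagram)
        hits = []
        for agent in self.agents:
            seen, extra = agent.query(rec)
            if seen:
                hits.append((extra[0], agent.name, extra[1]))
        return [(name, iface) for _, name, iface in sorted(hits)]


def demo():
    """Constructed scenario mirroring the slides: Attacker1 on the wireless
    net behind PRA1, Attacker2's wired net behind PRA2, PRA3 near the victim."""
    payload = b"GET /cgi-bin/x HTTP/1.0\r\n"
    attacker1, victim = "10.0.1.77", "192.0.2.10"
    pra1, pra2, pra3 = (PacketRecordAgent(n) for n in ("PRA1", "PRA2", "PRA3"))
    # the same datagram observed with the TTL (and checksum) decremented per hop
    pra1.record(build_ipv4(attacker1, victim, 64, 6, payload), 1.00, "wlan0")
    pra3.record(build_ipv4(attacker1, victim, 62, 6, payload), 1.02, "eth1")
    # unrelated traffic on the wired net never matches the attack record
    pra2.record(build_ipv4("10.0.2.5", victim, 64, 6, b"GET / HTTP/1.0\r\n"), 1.01, "eth0")
    # the IDS at the victim reports the packet as it arrived there (TTL 61)
    ids_copy = build_ipv4(attacker1, victim, 61, 6, payload)
    return PacketTracker([pra1, pra2, pra3]).trace(ids_copy)


if __name__ == "__main__":
    print(demo())   # [('PRA1', 'wlan0'), ('PRA3', 'eth1')]
```

Because the record is computed from the packet as each agent actually saw it, a spoofed source address does not defeat the trace: the Yes answers still come from the agents the packet really passed, and the earliest hit names the ingress point. Which fields are masked and how much payload is hashed is exactly the "scope of the packet record" the requirements slide leaves as a configuration decision: mask too little and legitimate per-hop rewrites (TTL, DSCP) break the match; hash too little payload and unrelated packets collide.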
Demonstration: screenshot
For practical network monitoring
Simple and lightweight monitoring
• Focusing on the stability of traffic
• Simple event generation and deep inspection
Monitoring and stability analysis
[Figure: monitoring feeds a stability analysis that produces event notifications; an event triggers deep inspection of a packet sample DB]
Stability example
The set of observed source addresses is stable in a large-scale network
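One way to turn this stability observation into the "simple event generation" of the previous slide, as an added example that is not the slides' own analysis: keep a baseline of source addresses seen in recent stable intervals, raise an event when an interval contains a large share of never-seen sources, and hand those sources over as the sample for deep inspection. The observation windows are constructed; the threshold, history length and sample size are assumed values.

```python
"""Added example (not from the slides): stability-based event generation.

In a large network the set of source addresses seen per interval is
stable. The monitor keeps a baseline of recent stable windows and raises
an event when a window contains a large share of never-seen sources;
the new sources are the sample handed to deep inspection. Windows below
are constructed; threshold and history length are assumed values.
"""


class SourceStabilityMonitor:
    def __init__(self, threshold=0.2, history=3, sample_size=5):
        self.threshold = threshold      # share of new sources that counts as unstable
        self.history = history          # number of recent stable windows in the baseline
        self.sample_size = sample_size  # how many new sources to pass to deep inspection
        self.windows = []

    def observe(self, sources):
        """Process one interval's observed source addresses; return the verdict."""
        current = set(sources)
        baseline = set().union(*self.windows) if self.windows else set()
        new = current - baseline if baseline else set()
        ratio = len(new) / len(current) if current and baseline else 0.0
        event = bool(baseline) and ratio > self.threshold
        if not event:
            # only stable windows extend the baseline, so an attack window
            # does not teach the monitor that spoofed sources are normal
            self.windows.append(current)
            del self.windows[:-self.history]
        return {
            "sources": len(current),
            "new_ratio": round(ratio, 3),
            "event": event,
            "sample": sorted(new)[:self.sample_size] if event else [],
        }


def constructed_windows():
    """Five intervals of observed sources (constructed data)."""
    stable = ["10.0.0.%d" % i for i in range(1, 51)]
    return [
        stable,                                                # baseline forms
        stable[:48] + ["10.0.0.51"],                           # one new host: normal churn
        stable,
        stable + ["203.0.113.%d" % i for i in range(1, 101)],  # flood with spoofed sources
        stable,                                                # back to normal
    ]


def run(windows, **kw):
    mon = SourceStabilityMonitor(**kw)
    return [mon.observe(w) for w in windows]


if __name__ == "__main__":
    for i, r in enumerate(run(constructed_windows()), 1):
        print(i, r)
```

The threshold is a ratio rather than an absolute count so the same rule works on a network of 50 hosts and one of 50,000; the small churn in window 2 (one new host out of 49) stays well under it. Not folding the flooded window into the baseline is the important detail: otherwise the monitor would accept the spoofed sources as normal and go quiet while the attack continued.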
Mobility issues
• Sometimes disconnected
• Changing network
• Changing place/environment
• Access to more information
Mobility issues (1)
Not continuously connected
• The usual polling paradigm will not work
• Agent-initiated polling
• Agent-initiated informs
• Store locally (offline)
• Store and forward (semi-online)
[Figure: timelines comparing the current method, in which the manager polls and gets nothing while the agent is disconnected, with agent-initiated polling and agent-initiated informs, in which the agent contacts the manager whenever it is connected]
Conventional defense strategy
[Figure: Internet, firewall, DMZ with web server and mail server, intranet]
• Firewalling
• DMZ
• Monitoring by IDS
• Monitoring access from outside to inside
Risks inside the network
[Figure: Internet and intranet]
• Exploited and/or compromised nodes
• Prohibited user access from the DHCP/wireless network
• Virus-infected nodes
• Potential insider attacks
Monitoring inside
• Detection of non-authorized terminals
• Prevention of illegal outbound access
[Figure: Internet and intranet]
Monitoring
• Log collection and audit
• DHCP and/or connection activity monitoring
• Application traffic from inside to outside
Connectivity and log monitoring
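The three monitoring sources listed above (logs, DHCP/connection activity, inside-to-outside application traffic), combined in one audit as an added example that is not the slides' own tooling: DHCP lease records are checked against an asset inventory to find non-authorized terminals, and outbound connection records are checked against a port policy and against the lease table to find illegal outbound access. The log lines are constructed (a dnsmasq-like syslog line for leases and a made-up CONN line for connections); the inventory, inside prefix and policy are assumed values.

```python
"""Added example (not from the slides): inside-network monitoring from logs.

Correlates DHCP lease records with outbound connection records to find
(a) terminals whose MAC address is not in the asset inventory and
(b) outbound traffic that violates policy or comes from an unknown
terminal. Log lines are constructed in a dnsmasq-like syslog format and a
made-up CONN format; the inventory, inside prefix and policy are assumed.
"""
import re
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.5.0/24")                                  # assumed
AUTHORIZED_MACS = {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}        # asset inventory (assumed)
PROHIBITED_DPORTS = {25: "direct SMTP from clients", 23: "telnet"}  # policy (assumed)

LEASE_RE = re.compile(
    r"DHCPACK\((?P<iface>\w+)\) (?P<ip>[\d.]+) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})")
CONN_RE = re.compile(
    r"CONN src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=\w+ dport=(?P<dport>\d+)")


def audit(lease_lines, conn_lines):
    """Return findings as tuples; the first element names the violation."""
    leases, findings = {}, []
    for line in lease_lines:
        m = LEASE_RE.search(line)
        if not m:
            continue
        leases[m["ip"]] = m["mac"]
        if m["mac"] not in AUTHORIZED_MACS:
            findings.append(("unauthorized-terminal", m["ip"], m["mac"], m["iface"]))
    for line in conn_lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if ip_address(src) not in INSIDE or ip_address(dst) in INSIDE:
            continue                     # only inside -> outside is policed here
        if dport in PROHIBITED_DPORTS:
            findings.append(("prohibited-outbound", src, dst, dport))
        if leases.get(src) not in AUTHORIZED_MACS:
            # no lease on record, or a lease held by a MAC outside the inventory
            findings.append(("outbound-from-unknown-terminal", src, dst, dport))
    return findings


# constructed log lines
LEASE_LOG = [
    "Apr 10 09:00:01 gw dnsmasq-dhcp[812]: DHCPACK(wlan0) 10.0.5.23 aa:bb:cc:dd:ee:01 laptop-alice",
    "Apr 10 09:02:13 gw dnsmasq-dhcp[812]: DHCPACK(wlan0) 10.0.5.77 de:ad:be:ef:00:99 android-x",
    "Apr 10 09:02:14 gw dnsmasq-dhcp[812]: DHCPREQUEST(wlan0) 10.0.5.77 de:ad:be:ef:00:99",
]
CONN_LOG = [
    "CONN src=10.0.5.23 dst=93.184.216.34 proto=tcp dport=443",
    "CONN src=10.0.5.23 dst=198.51.100.9 proto=tcp dport=25",
    "CONN src=10.0.5.77 dst=203.0.113.5 proto=tcp dport=443",
    "CONN src=10.0.5.23 dst=10.0.5.1 proto=udp dport=53",
    "CONN src=10.0.5.200 dst=203.0.113.7 proto=tcp dport=443",
]

if __name__ == "__main__":
    for f in audit(LEASE_LOG, CONN_LOG):
        print(f)
```

The lease table is what links the two sources: an outbound connection is judged not only by its destination port but by who holds the source address, so a host that never took a lease (10.0.5.200 above, a statically configured or rogue node) is reported even though its traffic itself looks harmless.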
Summary
Monitoring is the real base of network security and management
Further advanced monitoring is required
• High-resolution
New security applications are required
• Packet traceback
Further practical analysis is required
• Stability-based analysis
Future network environment support is required
• Mobile node and network support
New monitoring targets are required
• Network inside