Transcript ppt
Monitoring for network security
and management
Cyber Solutions Inc.
Why monitoring?
Health check of networked node
Usage and load evaluation for optimizing the configuration
Illegal access detection for both inbound and outbound traffic
All networked information is on the LINE
Threats have to be monitored
Node alive or dead
• Network or node fault?
• Attacked?
Performance degradation
• Network fault?
• DoS possibility?
• Large-scale incident?
Policy enforcement
• Detecting policy violation (prohibited communication)
• Detecting configuration change
Potential attack originator
• Exploited / compromised by attacker?
• Attacking by insider?
• Virus polluted?
• Malicious terminal connected?
Monitoring is the first step for security and network management
Monitoring basics
• Information collection from every networked node
• Packet monitoring
Advanced topics
• High-resolution monitoring
• Hash-based traceback
• Simple and light weight analysis for practical monitoring
• Information collection from mobile node/network
• Monitoring network inside
High-resolution monitoring
Traffic is so dynamic
• Peak rate is important for actual performance
• Malicious access is in peaky traffic (pulsing DoS)
Requirement
• Shift minutes, hours, daily measurement to msec, usec, and further precise measurement
Monitoring with high-resolution
[Diagram: the Current Method, in which the Manager and Agent exchange repeated Query and response messages over time, compared with Scalability by Aggregation, in which one response packet carries 1000 *n MOs/packet; time-scale labels: 5 Seconds, 34 Hours; Delay is marked on the Agent side]
The drafts
http://www.ietf.org/internet-drafts/draft-glenn-mo-aggr-mib-02.txt
Problems in current counter-DoS attack solutions
Traceback potential
Traceback
Take the battle to the foe
The traceback concept
[Diagram: Packet Trace Agents (PP) placed across the Internet between Source and Target. Each agent is asked "Do you know [this packet]?" and answers "Yes!" or "No!"; the chain of "Yes!" answers leads back toward the Source ("Around Here!")]
The Architecture
[Diagram: Packet Recorders (PR) feed Packet Record Agents (PRA), each holding a Packet Record Base (PRB). The Packet Tracker (PT) exchanges Packet Query/Response messages with the PRAs; a second view of the same architecture adds Conf: Query/Response messages used for Setting the recording parameters]
Requirements: Packet Record Protocol
• Mapping: Packet Record ↔ (encoded) Packet
• Additional Data for corroboration
• Scope of Packet Record: which IP header fields are masked, how much of the payload is included
Requirements: Packet Record Protocol
[Diagram: in the Packet Recorder / Packet Record Agent, an IP Datagram yields Packet Data; Key Generation Kg (IP Datagram) derives the key, which is placed in Key Storage together with the Additional Data]
Requirements: Communication Protocol
Check for existence of a datagram
Lightweight
Authenticated
Privacy, Integrity
Non-repudiation
Query for Packet Recording parameters
The Process:
[Diagram: at the PR, the IP Datagram passes through Transform Tr (IP Datagram) to give Packet Data; at the PRA, a further Transform yields the Packet Record, which is stored in the Packet Record Base together with Additional Data. At the PT, the IP Datagram in question is put through the same Transform and the resulting record is checked against the base, giving a Yes/No answer]
Demonstration: Tracking Attacks using SNMP based packet tracing
[Diagram: Attacker1 on the IETF wireless network and Attacker2 on the IETF wired network; Packet Record Agents PRA1, PRA2 and PRA3 across the Internet; the Manager exchanging Query and Response with them; an IDS (Intrusion Detect Sensor) in front of the Victim on a remote network]
1. Attacker1 sends a packet to the Victim.
2. The IDS detects it and sends an SNMP trap to the manager along with the packet's "record".
3. The Manager queries packet record agents PRA1, PRA2 and PRA3 for the packet record.
4. The Manager receives responses from PRA1, PRA2, PRA3 and traces the packet path.
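The Tr/Kg/PRA process and the demonstration above, as an added worked example that is not the slides' or the authors' code. The record scope (TOS, TTL and header checksum masked; first 8 payload bytes kept), SHA-256 truncated to 8 bytes as Kg, a Python set as the Packet Record Base, and the three-agent topology are all assumptions made here.

```python
# Added example (not the slides' own code): hash-based traceback with Tr(), Kg(), PRAs and a manager.
import hashlib
import socket
import struct
PAYLOAD_BYTES = 8  # assumed record scope: IPv4 header plus the first 8 payload bytes

def build_ipv4(src: str, dst: str, ttl: int, payload: bytes) -> bytes:
    """Constructed IPv4/UDP test datagram with a valid header checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                                0x4000, ttl, 17, 0, socket.inet_aton(src), socket.inet_aton(dst)))
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:                        # fold carries into 16 bits
        s = (s & 0xFFFF) + (s >> 16)
    hdr[10:12] = struct.pack("!H", ~s & 0xFFFF)
    return bytes(hdr) + payload

def transform(datagram: bytes) -> bytes:
    """Tr(IP Datagram): mask fields rewritten in transit so every hop derives the same record."""
    hdr = bytearray(datagram[:20])
    hdr[1] = 0                  # TOS/DSCP may be remarked
    hdr[8] = 0                  # TTL is decremented at each router
    hdr[10:12] = b"\x00\x00"    # header checksum changes with the TTL
    return bytes(hdr) + datagram[20:20 + PAYLOAD_BYTES]

def key_generation(datagram: bytes) -> bytes:
    """Kg(): fixed-size packet record, stored by PRAs and carried in the IDS trap."""
    return hashlib.sha256(transform(datagram)).digest()[:8]

class PacketRecordAgent:
    """PRA: records every forwarded datagram and answers Yes/No for a queried record."""
    def __init__(self, name: str):
        self.name, self.base = name, set()  # 'base' is the Packet Record Base
    def record(self, datagram: bytes) -> None:
        self.base.add(key_generation(datagram))
    def query(self, record: bytes) -> bool:
        return record in self.base

def trace_path(agents: list, record: bytes) -> list:
    """Manager: ask each PRA about the record; agents answering Yes form the packet's path."""
    return [a.name for a in agents if a.query(record)]

def demo() -> list:
    """Constructed scenario: the attack packet traverses PRA1 and PRA3 (TTL decremented), never PRA2."""
    pra1, pra2, pra3 = (PacketRecordAgent(n) for n in ("PRA1", "PRA2", "PRA3"))
    payload = b"GET /index.html HTTP/1.0\r\n"
    pra1.record(build_ipv4("192.0.2.10", "203.0.113.5", 64, payload))
    pra3.record(build_ipv4("192.0.2.10", "203.0.113.5", 62, payload))
    pra2.record(build_ipv4("198.51.100.7", "203.0.113.5", 64, b"unrelated flow"))
    seen_by_ids = build_ipv4("192.0.2.10", "203.0.113.5", 61, payload)  # copy the victim's IDS captured
    return trace_path([pra1, pra2, pra3], key_generation(seen_by_ids))
```

Because Tr() masks only the fields routers rewrite, a record taken at the victim matches the records stored at each hop despite the different TTL and checksum, while a different flow (PRA2) does not match.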
Demonstration: Screen shot
For practical network monitoring
Simple and light weight monitoring
• Focusing on stability of traffic
• Simple event generation and deep inspection
[Diagram: Monitoring and Stability analysis of packets produces Event notification and fills a Packet Sample DB used for Deep inspection]
Stability example
Observed source addresses are stable in a large-scale network
Mobility issues
Sometimes disconnected
Access to more information
changing network
changing place/environment
Mobility issues (1)
not continuously connected
Usual polling paradigm will not work
Store locally
(Offline)
Store and forward (Semi-online)
Agent initiated polling
Agent initiated informs
[Diagram: Manager/Agent timelines for the Current Method (manager-driven polling), Agent initiated Polling, and Agent initiated informs]
Conventional defense strategy
Monitoring access from outside to inside
[Diagram: Internet, Firewalling, DMZ with WEB server and Mail server, Intranet; Monitoring by IDS at the perimeter]
Risks network inside
Potential insider attacks
[Diagram: behind the Internet connection: Virus influenced node, Prohibited user access from DHCP/Wireless network, Exploited and/or compromised node]
Monitoring inside
Monitoring
• Log collection and audit
• DHCP and/or connection activity monitoring
• Application traffic from inside to outside
[Diagram: Connectivity and log monitoring inside the network toward the Internet; detection of non-authorized terminals; prevention of illegal outbound access]
Summary
Monitoring is the real base of network security and management
Further advanced monitoring is required
• High-resolution
New security applications are required
• Packet traceback
Further practical analysis is required
• Stability based analysis
Future network environment support is required
• Mobile node and network support
New monitoring target is required
• Network inside