Transcript ppt
Monitoring for network security and management Cyber Solutions Inc. Why monitoring? Health check of networked node Usage and load evaluation for optimizing the configuration Illegal access detection for both inbound and outbound traffic All networked information is on the LINE Threats have to be monitored Node alive or dead • Network or node fault? • Attacked? Performance degradation • Network fault? • DoS possibility? • Large-scale incident? Policy enforcement • Detecting policy violation (prohibited communication) • Detecting configuration change Potential attack originator • • • • Exploited / Compromised by attacker? Attacking by insider? Virus polluted? Malicious terminal connected? Monitoring is the first step for security and network management Monitoring basics • Information collection from every networked node • Packet monitoring Advanced topics • High-resolution monitoring • Hash-based traceback • Simple and light weight analysis for practical monitoring • Information collection from mobile node/network • Monitoring network inside High-resolution monitoring Traffic is so dynamic • Peak rate is important for actual performance • Malicious access is in peaky traffic (pulsing DoS) Requirement • Shift minutes, hours, daily measurement to msec, usec, and further precise measurement Monitoring with high-resolution 5 Seconds 34 Hours Current Method 1000 *n MOs/packet Manager Manager time Agent Query and response Query and response Scalability by Aggregation time Agent Delay The drafts http://wwwietf.org/internet-drafts/ draft-glenn-mo-aggr-mib-02.txt Problems in current counter DoS attack solutions Traceback potential Traceback Take the battle to the foe The traceback concept Packet← Trace PP Packet Trace Agent Source Yes ! Target Around Here! Yes ! Internet Do you know ? Yes ! No ! The Architecture PRA PRB PR Packet Query/Response Packet Tracker(PT) The Architecture PRA PRB PR Packet Query/Response Conf: Query/Response Setting Packet Tracker(PT) Requirements: Packet Record Protocol Mapping: PacketRecord (encoded) Packet Additional Data for corroboration Scope of Packet Record which IP header fields are masked) how much of the payload Requirements: Packet Record Protocol Packet Recorder Packet Record Agent IP Datagram Packet Data Key Generation Kg (IP Datagram) Key Generation Key Storage Key Storage Additional data Additional Data Requirements: Communication Protocol Check for existence of a datagram Lightweight Authenticated Privacy, Integrity Non Repudiation Query for Packet Recording parameters The Process: IP Datagram PR Transform Tr (IP Datagram) Packet Data PRA Transform Packet Record Packet Record Base Base Additional Data Additional data IP Datagram PT Yes/No Transform Demonstration: Tracking Attacks using SNMP based packet tracing IETF wired network Attacker2 IETF wireless network Attacker1 PRA2 PRA1 The Internet Query and Response Manager 1. 2. 3. PRA3 4. Attacker1 sends packet to Victim. IDS detects it and sends SNMP trap to manager along with packet’s “record”. Manager queries packet record agents PRA1, PRA2 and PRA3 for packet record Manager receives responses from PRA1, PRA2, PRA3 and traces packet path. PRA Packet Record Agent IDS IDS Victim on remote network Intrusion Detect Sensor Demonstration: Screen shot For practical network monitoring Simple and right weight monitoring • Focusing on stability of traffic • Simple event generation and deep inspection Event notification Monitoring and Stability analysis Packet Sample DB Deep inspection Stability example Observed source address is stable in large scale network Mobility issues Some times disconnected Access to more information changing network changing place/environment Mobility issues (1) not continuously connected Usual polling paradigm will not work Store locally (Offline) Store and forward (Semi-online) Agent initiated polling Agent intitiated informs Current Method Manager time time Current Method Manager time Agent initiated Polling Manager time Agent initiated informs Manager Conventional defense strategy Monitoring access from outside to inside インターネット DMZ WEB seriver Monitoring by IDS Intranet Mail server Firewalling Risks network inside Potential insider attacks インターネット Virus influenced node Prohibited user access From DHCP/Wireless network Exploited and/or compromised Monitoring inside Monitoring • Log collection and audit • DHCP and/or connection activity monitoring • Application traffic from inside to outside インターネット Connectivity and log monitoring Detection non-authorized terminal Prevent illegal outbound access Summary Monitoring is the real base of network security and the management Further advanced monitoring is required • High-resolution New security applications are required • Packet traceback Further practical analysis is required • Stability based analysis Future network environment support is required • Mobile node and network support New monitoring target is required • Network inside