View
9
Download
0
Category
Preview:
Citation preview
Network Security:Network Security:Network Security:Network Security:New Essentials for Safeguarding Network SystemsNew Essentials for Safeguarding Network Systems
IEEE LCN2007IEEE LCN2007
October 16, 2007Alan Crouch
Director and General Manager
Communications Technology Lab
*Other brands and names are the property of their respective owners.*Other brands and names are the property of their respective owners.
Security Concerns are Impacting Business Security Concerns are Impacting Business and Consumers…and Consumers…Security Concerns are Impacting Business Security Concerns are Impacting Business and Consumers…and Consumers…
“Approximately 150 to 200 viruses, trojans and other threats emerge each day.”1
“Underground hackers are hawking zero-day exploits for Microsoft's new Windows Vista operating system at $50,000 a pop”2
Time to exploit vulnerability ~6.8 days. Time from
2
1. McAfee, 20061. McAfee, 20062. eWeek.com, Dec 15, ‘062. eWeek.com, Dec 15, ‘063. Symantec Internet Security Threat 3. Symantec Internet Security Threat Report Trends for July 05 Report Trends for July 05 –– December 05December 05
Country-wide botnet based cyber attacks cause significant disruption4
“50% of consumers are concerned about their financial information being safe online. 24% performed fewer transactions online as a result.”5
Time to exploit vulnerability ~6.8 days. Time from vulnerability exposure to patch availability ~49 days.3
4 http://www.technologynewsdaily.com/node/70324 http://www.technologynewsdaily.com/node/7032
5. 5. Consumer affairs poll, May 2006Consumer affairs poll, May 2006
… and are a Top IT Concern… and are a Top IT Concern… and are a Top IT Concern… and are a Top IT Concern
Computer Security Breaches Worldwide
0 1989
1991
1993
1995
1997
1999
2001
2003
Incidents
Reported
140,000
120,000
100,000
80,000
60,000
40,000
20,000
• New security challenges
– Not just fast spreading worms
– Rising stealthy attacks
– Rootkits & system bots
• Software patch management alone is
insufficient
• Attack virulence makes manual
intervention ineffective
33
Source: Forrester
Source: Computer Security Emergency Response Team
3 3 6
1 8 5
1 5 1
1 71
0
5 0
1 0 0
1 5 0
2 0 0
2 5 0
3 0 0
3 5 0
4 0 0
Days between patch & exploit
Nimba WittyWittySasserASasserAWelchia /
Nachi
SQLSlammer
intervention ineffective
• Device Proliferation: pocket-able
internet devices mean both new
devices and new local nets (CSLL,
ON-MOVE, etc) to attack
Security is Costing Billion's of Dollars in
Operation and Lost Productivity
Security is Costing Billion's of Dollars in
Operation and Lost Productivity
The Problem is Only Getting WorseThe Problem is Only Getting WorseThe Problem is Only Getting WorseThe Problem is Only Getting Worse
•• Intelligent and devious intruders Intelligent and devious intruders
–– Constantly finding and exploiting Constantly finding and exploiting
vulnerabilitiesvulnerabilities
•• Mobile shift adding complexityMobile shift adding complexity
–– Fixed perimeters and physical Fixed perimeters and physical
controls no longer adequatecontrols no longer adequate
Worldwide PC Worldwide PC ShipmentsShipments
150150
200200
250250
MUMU
44
New Security Paradigms Needed New Security Paradigms Needed
•• Insider attacks defeat enterprise Insider attacks defeat enterprise
perimeterperimeter solutionssolutions
•• Financial gain becoming Financial gain becoming
motivation for malwaremotivation for malware20042004 20052005 20062006 20072007 20082008 20092009 20102010 20112011
DeskDesk--basedbased
MobileMobile
00
5050
100100
Security Doesn’t Come for FreeSecurity Doesn’t Come for FreeSecurity Doesn’t Come for FreeSecurity Doesn’t Come for Free
• Performance Impact
– Security Tax = Overhead
– Overhead is not trivial
– Overhead is not one time payment
– Overhead is additive
• System Scalability
55
• System Scalability
– Scalability = consistent protection as system complexity grows
- Number of nodes
- Bandwidth/line rates
- Usages/SW applications
Today’s security solutions optimized for
Performance or ScalabilityPerformance or Scalability
Layers Provide Scaleable PerformanceLayers Provide Scaleable PerformanceLayers Provide Scaleable PerformanceLayers Provide Scaleable Performance
66
4 Collaboration4 Collaboration
Apps.
OS
Drivers
HW Network
2 Secure the Links 2 Secure the Links 3 Leave Nowhere to Hide 3 Leave Nowhere to Hide
1 Harden the 1 Harden the PlatformsPlatforms
1 Harden the Platform1 Harden the Platform1 Harden the Platform1 Harden the Platformiii New Instructions iii New Instructions for Cryptography for Cryptography PerformancePerformance
iv H/Wiv H/W--based based Detection of Detection of
Malicious Attacks Malicious Attacks at Run Timeat Run Time
ii Access Controls to ii Access Controls to Protect from Rogue Protect from Rogue Network ConnectionsNetwork Connections
7
at Run Timeat Run Time
v Protection of v Protection of KnownKnown--Good Good Software from Software from Run Time Run Time AttacksAttacks
i Establish a i Establish a RootRoot--ofof--Trust in Trust in H/W for a H/W for a Secure Secure FoundationFoundation
vi H/W & S/W Protection of Stored vi H/W & S/W Protection of Stored Data at Rest and In TransitData at Rest and In Transit
Applies to all distributed systems: Server, Router/Switch, PC, Notebook, MID
Applies to all distributed systems: Server, Router/Switch, PC, Notebook, MID
2 Securing the Links: End2 Securing the Links: End--toto--End ConfidentialityEnd Confidentiality2 Securing the Links: End2 Securing the Links: End--toto--End ConfidentialityEnd Confidentiality
IPSec IPSec –– EndEnd--toto--End EncryptionEnd EncryptionIPSec IPSec –– EndEnd--toto--End EncryptionEnd Encryption
• End to end solution: Valuable for encrypting IP Layers, not suitable for link layer threats
88
Layers, not suitable for link layer threats
• Issues with scalability and manageability
• Complementary solutions:
– LinkSec
- Converts end-to-end protection into link-by-link protection
– Secure Network Enclaves
- Builds on LinkSec, current area of active research
- Provides end-to-end solution with manageability
Securing the Links: LinkSecSecuring the Links: LinkSecSecuring the Links: LinkSecSecuring the Links: LinkSec
Server Switch Switch Client
• Traffic available for analysis at IT-controlled switching points
• Protects against eavesdropping hackers
99
LinkSecLinkSec –– HopHop--toto--Hop EncryptionHop EncryptionLinkSecLinkSec –– HopHop--toto--Hop EncryptionHop Encryption
Server Switch Switch Client
LinkSec DemoLinkSec DemoLinkSec DemoLinkSec Demo
1010
3 Secure Network Enclaves: Leave Nowhere to Hide3 Secure Network Enclaves: Leave Nowhere to HideCurrent Research EmphasisCurrent Research Emphasis3 Secure Network Enclaves: Leave Nowhere to Hide3 Secure Network Enclaves: Leave Nowhere to HideCurrent Research EmphasisCurrent Research Emphasis
• Integrates the best approaches
– From End-to-End and hop-by-hop encryption
• Derivation mechanisms trade storage for computation
• Permits manageability and IT-visibility into traffic
• Scalability based on coordinated key management
1111
• Scalability based on coordinated key management
Performance based on hardware
support at nodes
Performance based on hardware
support at nodes
4 Collaborative Defense: 4 Collaborative Defense: Step 1: Hardware FiltersStep 1: Hardware Filters4 Collaborative Defense: 4 Collaborative Defense: Step 1: Hardware FiltersStep 1: Hardware Filters
Network
InterfaceAttacks
Traffic
Measurements
&
Patterns
Attacks
• Hardware filters that look for
specific patterns in the data
• Cannot be subverted by
modifying the software
1212
Interface
Hardware
Filters
• Deployed in Intel platforms
today (AMT)
• Rules that encode typical
behavior of malware
• Multi time-scale rules
capture known worms
Network
Interface
Traffic
Measurements
&
Patterns Attacks
Attacks
Collaborative Defense: Collaborative Defense: Step 2: HeuristicsStep 2: HeuristicsCollaborative Defense: Collaborative Defense: Step 2: HeuristicsStep 2: Heuristics
1313
capture known worms
• Worms that remain “hide”
in the background trafficHardware
Filters
Fraction of Traffic
Fraction of Traffic
1010--44
1010--33
1010--22
0.10.1
1.01.0
Blaster
Blaster
local detector thresholdlocal detector threshold
Slapper
Slapper
Code Red II
Code Red II
Slammer
Slammer
Witty Worm
Witty Worm
Observed Connection RatesObserved Connection Rates(5 weeks of Intel enterprise traffic)(5 weeks of Intel enterprise traffic)
“Stealthy
“Stealthy
Worm”
Worm”
97%97%
3%3%
Rules are not Enough Rules are not Enough –– Attacks are EvolvingAttacks are EvolvingRules are not Enough Rules are not Enough –– Attacks are EvolvingAttacks are Evolving
14
Fraction of Traffic
Fraction of Traffic
1010--66
1010--55
11 1010 1e51e5 1e61e6
New Connections / 50 sec IntervalNew Connections / 50 sec Interval
100100 10001000 1000010000Blaster
Blaster
Slapper
Slapper
Code Red II
Code Red II
Slammer
Slammer
Witty Worm
Witty Worm
“Stealthy
“Stealthy
Worm”
Worm”
Challenge is to reduce threshold of detection without increasing false alarms
Challenge is to reduce threshold of detection without increasing false alarms
Background Traffic Connection Rate Distribution
Collaborative Defense: Collaborative Defense: Step 3: Inference and Gossip Step 3: Inference and Gossip Collaborative Defense: Collaborative Defense: Step 3: Inference and Gossip Step 3: Inference and Gossip
1
2
•• Employ probabilistic Employ probabilistic inferenceinference
-- Correlate events across Correlate events across multiple machines multiple machines
-- Combine weak hypotheses Combine weak hypotheses into strong evidence into strong evidence
-- Dramatically cut false Dramatically cut false
positivespositives
Local AnomalyDetector
?
Gossip Messaging
InferenceEngine
1515
3
positivespositives
•• Implement scalable, robust Implement scalable, robust messaging protocolsmessaging protocols
•• Design selfDesign self--configuring configuring local anomaly detectorslocal anomaly detectors
!InferenceEngine
Local AnomalyDetector
Gossip Messaging
-- Local Detector
Exploiting the power of scale –
Making Scale work to our benefit
Exploiting the power of scale –
Making Scale work to our benefit
The Results: Gossip is GoodThe Results: Gossip is GoodThe Results: Gossip is GoodThe Results: Gossip is Good
• Collaboration drives false alarms down– Allows many simple, but
imperfect detectors
• Collaboration roots out stealthy attacks– Collect concise local data
Fraction of Infected
0.08
0.20
0.40
0.801.00
Collaboration
No Collab.
1616
– Collect concise local data
– Put in global correlation framework
• Scalability works in our favor– The more participating
nodes, the better the performance
Fraction of Infected
0.02
0.01
0.08
100 102 104 106
False Positive Rate (Number Per Week)
Future DirectionsFuture DirectionsFuture DirectionsFuture Directions
• Adaptation and Learning– end-hosts and networks are dynamic systems
• Messaging optimizations– bias to send “bad news” faster
•Pinpointing suspect systems– exploit topological & historical knowledge
1717
Collaboration between distributed platforms provides major advantages in detecting intrusionsCollaboration between distributed platforms provides major advantages in detecting intrusions
SummarySummarySummarySummary
•• Security remains a top IT problemSecurity remains a top IT problem–– Device Proliferation, Mobility, new LCN classes pose major challengesDevice Proliferation, Mobility, new LCN classes pose major challenges
•• Think about the networked system of platformsThink about the networked system of platforms–– when you consider security vulnerabilitieswhen you consider security vulnerabilities
•• No single solution to rapidly evolving threatsNo single solution to rapidly evolving threats–– Competing tradeoffs: Performance, Scalability, SimplicityCompeting tradeoffs: Performance, Scalability, Simplicity
–– Opportunity: use scalability to our advantage while maintaining Opportunity: use scalability to our advantage while maintaining performance and simplicityperformance and simplicity
1818
performance and simplicityperformance and simplicity
•• New Essentials for safeguarding LCN systems: New Essentials for safeguarding LCN systems: innovate across multiple layersinnovate across multiple layers–– 1 Harden the platform1 Harden the platform
–– 2 Secure the links2 Secure the links
–– 3 Leave nowhere to hide3 Leave nowhere to hide
–– 4 Collaborative defense4 Collaborative defense
Let’s work together in the LCN research community to create the secure local networks of tomorrow!Let’s work together in the LCN research community to create the secure local networks of tomorrow!
Recommended