Network Security: New Essentials for Safeguarding Network Systems

IEEE LCN2007, October 16, 2007
Alan Crouch, Director and General Manager, Communications Technology Lab

*Other brands and names are the property of their respective owners.


Page 1: IEEE LCNC security keynote 20071016-ac1 FINAL pdf.ppt (title slide)

Network Security: New Essentials for Safeguarding Network Systems

IEEE LCN2007

October 16, 2007, Alan Crouch

Director and General Manager

Communications Technology Lab

*Other brands and names are the property of their respective owners.

Page 2

Security Concerns are Impacting Business and Consumers…

“Approximately 150 to 200 viruses, trojans and other threats emerge each day.”1

“Underground hackers are hawking zero-day exploits for Microsoft's new Windows Vista operating system at $50,000 a pop”2

Time to exploit vulnerability ~6.8 days. Time from vulnerability exposure to patch availability ~49 days.3

Country-wide botnet based cyber attacks cause significant disruption4

“50% of consumers are concerned about their financial information being safe online. 24% performed fewer transactions online as a result.”5

1. McAfee, 2006
2. eWeek.com, Dec 15, ‘06
3. Symantec Internet Security Threat Report, Trends for July 05 – December 05
4. http://www.technologynewsdaily.com/node/7032
5. Consumer affairs poll, May 2006

Page 3

… and are a Top IT Concern

[Chart: Computer Security Breaches Worldwide, incidents reported per year from 1989 to 2003, y-axis 0 to 140,000. Source: Computer Security Emergency Response Team]

[Chart: Days between patch & exploit, 0 to 400 days, for Nimda, Witty, Sasser A, Welchia/Nachi and SQL Slammer. Source: Forrester]

• New security challenges
  – Not just fast spreading worms
  – Rising stealthy attacks
  – Rootkits & system bots
• Software patch management alone is insufficient
• Attack virulence makes manual intervention ineffective
• Device Proliferation: pocket-able internet devices mean both new devices and new local nets (CSLL, ON-MOVE, etc) to attack

Security is Costing Billions of Dollars in Operation and Lost Productivity

Page 4

The Problem is Only Getting Worse

• Intelligent and devious intruders
  – Constantly finding and exploiting vulnerabilities
• Mobile shift adding complexity
  – Fixed perimeters and physical controls no longer adequate
• Insider attacks defeat enterprise perimeter solutions
• Financial gain becoming motivation for malware

[Chart: Worldwide PC Shipments, 2004 to 2011, desk-based vs. mobile, y-axis 0 to 250 MU]

New Security Paradigms Needed

Page 5

Security Doesn’t Come for Free

• Performance Impact
  – Security Tax = Overhead
  – Overhead is not trivial
  – Overhead is not one time payment
  – Overhead is additive
• System Scalability
  – Scalability = consistent protection as system complexity grows
    - Number of nodes
    - Bandwidth/line rates
    - Usages/SW applications

Today’s security solutions optimized for Performance or Scalability

Page 6

Layers Provide Scaleable Performance

[Diagram: platform stack Apps. / OS / Drivers / HW / Network, annotated with the four essentials: 1 Harden the Platforms, 2 Secure the Links, 3 Leave Nowhere to Hide, 4 Collaboration]

Page 7

1 Harden the Platform

i   Establish a Root-of-Trust in H/W for a Secure Foundation
ii  Access Controls to Protect from Rogue Network Connections
iii New Instructions for Cryptography Performance
iv  H/W-based Detection of Malicious Attacks at Run Time
v   Protection of Known-Good Software from Run Time Attacks
vi  H/W & S/W Protection of Stored Data at Rest and In Transit

Applies to all distributed systems: Server, Router/Switch, PC, Notebook, MID

Page 8

2 Securing the Links: End-to-End Confidentiality

IPSec – End-to-End Encryption

• End to end solution: Valuable for encrypting IP Layers, not suitable for link layer threats
• Issues with scalability and manageability
• Complementary solutions:
  – LinkSec
    - Converts end-to-end protection into link-by-link protection
  – Secure Network Enclaves
    - Builds on LinkSec, current area of active research
    - Provides end-to-end solution with manageability

Page 9

Securing the Links: LinkSec

LinkSec – Hop-to-Hop Encryption

[Diagram: Server – Switch – Switch – Client, with each link encrypted hop-to-hop]

• Traffic available for analysis at IT-controlled switching points
• Protects against eavesdropping hackers

Page 10

LinkSec Demo

Page 11

3 Secure Network Enclaves: Leave Nowhere to Hide (Current Research Emphasis)

• Integrates the best approaches
  – From End-to-End and hop-by-hop encryption
• Derivation mechanisms trade storage for computation
• Permits manageability and IT-visibility into traffic
• Scalability based on coordinated key management

Performance based on hardware support at nodes

Page 12

4 Collaborative Defense: Step 1: Hardware Filters

[Diagram: Network Interface containing Hardware Filters; Traffic Measurements & Patterns flow in, Attacks are filtered out]

• Hardware filters that look for specific patterns in the data
• Cannot be subverted by modifying the software
• Deployed in Intel platforms today (AMT)

Page 13: IEEE LCNC security keynote 20071016-ac1 FINAL pdf.ppt · Country-wide botnet based cyber attacks cause significant disruption 4 ... Detector Gossip Messaging Exploiting the power

• Rules that encode typical

behavior of malware

• Multi time-scale rules

capture known worms

Network

Interface

Traffic

Measurements

&

Patterns Attacks

Attacks

Collaborative Defense: Collaborative Defense: Step 2: HeuristicsStep 2: HeuristicsCollaborative Defense: Collaborative Defense: Step 2: HeuristicsStep 2: Heuristics

1313

capture known worms

• Worms that remain “hide”

in the background trafficHardware

Filters

Page 14

Rules are not Enough – Attacks are Evolving

[Chart: Observed Connection Rates (5 weeks of Intel enterprise traffic). Background Traffic Connection Rate Distribution: Fraction of Traffic (10^-6 to 1.0) vs. New Connections / 50 sec Interval (1 to 1e6). The local detector threshold is marked, with 97% and 3% labels on either side of it; Blaster, Slapper, Code Red II, Slammer and Witty Worm sit at high connection rates, the “Stealthy Worm” down in the background traffic]

Challenge is to reduce threshold of detection without increasing false alarms

Page 15: IEEE LCNC security keynote 20071016-ac1 FINAL pdf.ppt · Country-wide botnet based cyber attacks cause significant disruption 4 ... Detector Gossip Messaging Exploiting the power

Collaborative Defense: Collaborative Defense: Step 3: Inference and Gossip Step 3: Inference and Gossip Collaborative Defense: Collaborative Defense: Step 3: Inference and Gossip Step 3: Inference and Gossip

1

2

•• Employ probabilistic Employ probabilistic inferenceinference

-- Correlate events across Correlate events across multiple machines multiple machines

-- Combine weak hypotheses Combine weak hypotheses into strong evidence into strong evidence

-- Dramatically cut false Dramatically cut false

positivespositives

Local AnomalyDetector

?

Gossip Messaging

InferenceEngine

1515

3

positivespositives

•• Implement scalable, robust Implement scalable, robust messaging protocolsmessaging protocols

•• Design selfDesign self--configuring configuring local anomaly detectorslocal anomaly detectors

!InferenceEngine

Local AnomalyDetector

Gossip Messaging

-- Local Detector

Exploiting the power of scale –

Making Scale work to our benefit

Exploiting the power of scale –

Making Scale work to our benefit

Page 16

The Results: Gossip is Good

• Collaboration drives false alarms down
  – Allows many simple, but imperfect detectors
• Collaboration roots out stealthy attacks
  – Collect concise local data
  – Put in global correlation framework
• Scalability works in our favor
  – The more participating nodes, the better the performance

[Chart: Fraction of Infected (0.08 to 1.00, with a lower panel from 0.01 to 0.08) vs. False Positive Rate (Number Per Week, 10^0 to 10^6), Collaboration vs. No Collab.]
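The three collaborative-defense steps on pages 13 to 16 (low-threshold local detectors, concise gossip, a correlating inference engine) can be exercised in a small simulation. This is an added example, not code from the keynote or from Intel: the 22-host topology, the constructed connection counts, the binomial alarm test standing in for the deck's unspecified probabilistic inference, and every function name are assumptions.

```python
"""Toy model of the deck's collaborative defence loop: low-threshold local detectors ->
concise gossip -> a global inference engine that correlates alarms across machines.
Added example; all traffic counts are constructed, not measured."""
from math import comb

N_HOSTS, N_INTERVALS = 22, 60          # new-connection counts per host per 50 s interval
INFECTED = {h for h in range(N_HOSTS) if h % 3 == 0}   # constructed: 8 infected hosts
WORM_START, WORM_EXTRA = 40, 10        # a stealthy worm adds only +10 connections/interval

def constructed_counts():
    """Deterministic stand-in for enterprise traffic: background 20..30, worm 30..40."""
    rows = []
    for h in range(N_HOSTS):
        row = [20 + (7 * h + 13 * i) % 11 for i in range(N_INTERVALS)]
        if h in INFECTED:
            row = [c + (WORM_EXTRA if i >= WORM_START else 0) for i, c in enumerate(row)]
        rows.append(row)
    return rows

def local_alarms(row, threshold=29):
    """Local anomaly detector: flag intervals above a deliberately low threshold so the
    stealthy worm is visible. On its own it also fires on ordinary background spikes."""
    return [i for i, c in enumerate(row) if c > threshold]

def gossip(rows):
    """Concise local data each host shares: just its list of alarming intervals."""
    return {h: local_alarms(row) for h, row in enumerate(rows)}

def binom_tail(k, n, p):
    """P(K >= k) for K ~ Binomial(n, p): how surprising k simultaneous alarms are if
    hosts alarm independently on background traffic."""
    return sum(comb(n, j) * p ** j * (1 - p) ** (n - j) for j in range(k, n + 1))

def infer(summaries, n_hosts, train_until=20, alpha=1e-3):
    """Inference engine: count alarming hosts per interval, learn the per-host false
    alarm rate p from a window assumed clean (self-configuring), and declare an
    interval infected only when the correlated evidence beats alpha."""
    hits = [0] * N_INTERVALS
    for alarms in summaries.values():
        for i in alarms:
            hits[i] += 1
    p = sum(hits[:train_until]) / (train_until * n_hosts)
    return [i for i, k in enumerate(hits) if binom_tail(k, n_hosts, p) < alpha]

def run():
    """Returns (local false alarms raised on clean hosts, intervals the engine flags)."""
    rows = constructed_counts()
    local_false = sum(len(local_alarms(r)) for h, r in enumerate(rows) if h not in INFECTED)
    return local_false, infer(gossip(rows), N_HOSTS)
```

With these inputs the clean hosts alone raise dozens of local false alarms, while the correlated engine flags exactly the worm intervals 40 to 59 and none of the clean ones.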

Page 17

Future Directions

• Adaptation and Learning
  – end-hosts and networks are dynamic systems
• Messaging optimizations
  – bias to send “bad news” faster
• Pinpointing suspect systems
  – exploit topological & historical knowledge

Collaboration between distributed platforms provides major advantages in detecting intrusions

Page 18

Summary

• Security remains a top IT problem
  – Device Proliferation, Mobility, new LCN classes pose major challenges
• Think about the networked system of platforms
  – when you consider security vulnerabilities
• No single solution to rapidly evolving threats
  – Competing tradeoffs: Performance, Scalability, Simplicity
  – Opportunity: use scalability to our advantage while maintaining performance and simplicity
• New Essentials for safeguarding LCN systems: innovate across multiple layers
  – 1 Harden the platform
  – 2 Secure the links
  – 3 Leave nowhere to hide
  – 4 Collaborative defense

Let’s work together in the LCN research community to create the secure local networks of tomorrow!
