Title: Implementing Distributed Internet Security using a Firewall Collaboration Framework
Slide 1: Implementing Distributed Internet Security using a Firewall Collaboration Framework
- Lane Thames and Randal Abler
- Georgia Institute of Technology
- Distributed Network Applications Laboratory
Slide 2: Outline
- Introduction
- Computer security overview
- Firewall technology overview
- Related Work
- Firewall Collaboration Framework
- Future Work and Conclusions
Slide 3: Introduction
- The Internet is growing
- The growth appears to be accelerating
Slide 4: Internet Growth [1]
Slide 5: Internet Growth [2]
Slide 6: Internet Growth and Attack Trends
- As the phenomenal growth of the Internet continues, malicious activities will continue to increase as well.
- Hacking: computer activity with malicious intentions.
Slide 8: Hacking Trends
- A paradigm shift is taking place in the hacking community.
- Whereas hackers once performed their malicious deeds for Internet notoriety, there are now large numbers that do this for profit.
Slide 9: Hacking Trends
- According to PC World News, Jeanson Ancheta was arrested by the FBI in 2006 and was the first hacker to be prosecuted in the US for creating malicious code for a profit.
Slide 10: Hacking Trends
- According to Symantec, spammers and phishers pay on average about $350.00 per week for a botnet of 5500 zombie computers.
Slide 11: Hacking Trends
- Corporate extortion, information espionage, and identity theft are Internet commodities for malicious users.
- Protx, a British online payment processing company: attacks brought their system down in 2005. The extortionists warned that the attacks would continue unless a 10,000 fee was paid.
Slide 12: Hacking Trends
- Identity theft: huge ROI for hackers
- According to anti-spam provider Cloudmark, credit card data sells for up to $100.00 per account.
Slide 13: The Engineering Need
- What does the data tell us?
- There still exists an engineering need to continue developing reliable and robust computer security systems that can thwart the actions of malicious users as their tools and techniques continue to evolve.
- Because of the financial incentives now presented to hackers, the need is even greater than in the past.
Slide 14: Computer Security Overview
- The field of computer security provides the technologies to prevent users with malicious intent from doing damage.
Slide 15: Computer Security Services
- The five main services:
  - Confidentiality
  - Authenticity
  - Integrity
  - Availability
  - Access Control
Slide 16: Computer/Network Attack Types
- Common attack types:
  - Buffer Overflow Exploits
  - Denial of Service
  - Password Attacks
Slide 17: Computer/Network Attack Types
- Common attack types:
  - Exponential Attacks
  - Trojan Horses, Spyware, Adware
  - Spam and Phishing
  - TCP/IP protocol exploitation
Slide 18: Overview of Firewall Technology
- Firewalls: devices that limit network access
- Firewalls are access control mechanisms
- They are components inserted between two networks that filter network traffic according to a LOCAL security policy
Slide 19: Firewall Types
- Packet Filtering Devices
- Application Filtering Devices
- Stateful Packet Filtering Devices
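The difference between the first and third firewall types above is easiest to see in code. The following is an added example, not code from the slides or from the authors' framework: a packet filter that decides from header fields alone, next to one that remembers connections opened from inside. The addresses, the internal prefix, the single public service and the packet format are all constructed for the demonstration.

```python
"""Added example (not from the Thames/Abler slides): stateless packet
filtering versus stateful packet filtering of TCP traffic."""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."               # constructed internal network
PUBLIC_SERVICES = {("10.0.0.5", 80)}    # the only host/port offered to the outside


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # subset of "SA": S = SYN, A = ACK (constructed encoding)


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def stateless_filter(pkt: Packet) -> str:
    """Classic packet filter: a verdict per packet from header fields only.
    To let replies to inside-initiated connections back in, it has to admit
    every inbound packet carrying ACK, so an unsolicited ACK probe also passes."""
    if is_inside(pkt.src):
        return "ACCEPT"
    if (pkt.dst, pkt.dport) in PUBLIC_SERVICES:
        return "ACCEPT"
    if "A" in pkt.flags:  # assumed to be a reply; the filter cannot know
        return "ACCEPT"
    return "DROP"


class StatefulFilter:
    """Stateful packet filter: records connections initiated from inside and
    admits inbound packets only when they belong to a recorded connection."""

    def __init__(self) -> None:
        self.table = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def filter(self, pkt: Packet) -> str:
        if is_inside(pkt.src):
            if "S" in pkt.flags and "A" not in pkt.flags:  # new outbound connection
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if (pkt.dst, pkt.dport) in PUBLIC_SERVICES:
            return "ACCEPT"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "ACCEPT"  # reply to a connection we saw leave
        return "DROP"


def demo() -> dict:
    """Run one outbound connection, its reply, and an unsolicited ACK probe
    through both filters; returns the verdicts keyed by case."""
    sf = StatefulFilter()
    outbound = Packet("10.0.0.7", 40000, "198.51.100.9", 443, "S")
    reply = Packet("198.51.100.9", 443, "10.0.0.7", 40000, "SA")
    probe = Packet("198.51.100.9", 443, "10.0.0.8", 22, "A")  # no matching connection
    verdicts = {
        "reply_stateless": stateless_filter(reply),
        "probe_stateless": stateless_filter(probe),
    }
    sf.filter(outbound)
    verdicts["reply_stateful"] = sf.filter(reply)
    verdicts["probe_stateful"] = sf.filter(probe)
    return verdicts


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16} {verdict}")
```

Both filters admit the reply to the inside-initiated connection and the request to the published web service; only the stateful one drops the unsolicited ACK, which is the "disallows incoming connections to hosts that do not offer public network services" strength of the next slide done properly.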
Slide 20: Firewall Strengths
- Disallows incoming connections to hosts that do not offer public network services
- Reduces the amount of dangerous noise (probes) flowing through networks
- Gives administrators tools to control their networks from the inside and the outside (e.g. do you allow your users to access the Web?)
Slide 21: Firewall Weaknesses
- Because of increasing line speeds and computation-intensive protocols (IPSec), the firewall can become a congestion point
- There exist protocols that are difficult to process at the firewall
- Classical firewall design assumes that all internal users can be trusted
Slide 22: Firewall Weaknesses
- Large networks tend to have high numbers of ingress points. This makes administration difficult, both from a practical point of view and with regard to policy consistency
- End-to-end encryption can be a threat to firewalls, as it prevents the firewalls from looking at the packet fields necessary for certain types of filtering
Slide 23: Related Work
- Bellovin et al.: first to describe a distributed firewall system
- Many firewalls within an institute's network, all being centrally managed
- Overcomes issues like multiple ingress points and trusting inside users
Slide 24: Related Work
- Smith et al.: cascade model of distributed firewalls
- Zou et al.: defense-in-depth model of distributed firewalls
- These two works are similar in nature
Slide 25: Related Work
- Schnackenberg et al.: infrastructure for intrusion detection and response
- Intrusion Detection and Isolation Protocol (IDIP)
- Similar in nature to the FCF, but designed with IDS at the core
Slide 26: Firewall Collaboration Framework
- Some factors driving the design and development of this framework
Slide 27: Spam Statistics [3] (2006)
- Email considered spam: 40% of all email
- Daily spam emails sent: 12.4 billion
- Daily spam received per person: 6
- Email address changes due to spam: 16%
- Wasted corporate time per spam email: 4-5 seconds
- Estimated spam increase by end of 2007: 63%
Slide 28: Exponential Attacks - Internet Worms
- The logistic equation is commonly used to model worm propagation. It can be derived (not just assumed)
- The logistic equation describes the rate of growth of epidemics in finite systems when all entities are equally likely to infect any other entity
Slide 29: Worm Propagation Model
- N(t): the number of infected hosts at time t
- S: the total number of susceptible hosts
- a: the rate at which one machine can compromise another
- T: the time at which half of the total number of susceptible hosts are infected
Slide 30: Worm Propagation Model
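The slide's equation was not captured in this transcript. The derivation below is added here, using the symbols defined on slide 29, and is not the authors' own text; it assumes that $a$ is the rate at which one infected host makes compromise attempts and that every host is equally likely to be contacted (the homogeneous-mixing assumption slide 28 states).

An infected host makes compromise attempts at rate $a$, and a fraction $(S - N)/S$ of them land on hosts that are still susceptible, so

$$\frac{dN}{dt} = a\,N(t)\,\frac{S - N(t)}{S} = a\,N(t)\left(1 - \frac{N(t)}{S}\right).$$

Separating variables and using $\frac{S}{N(S-N)} = \frac{1}{N} + \frac{1}{S-N}$,

$$\ln\frac{N}{S - N} = a t + C \quad\Longrightarrow\quad N(t) = \frac{S}{1 + e^{-a(t - T)}}, \qquad T = \frac{1}{a}\ln\frac{S - N(0)}{N(0)},$$

where $C = -aT$ and $T$ is exactly the time at which $N(T) = S/2$, as slide 29 defines it. Early on, while $N \ll S$, the curve is the exponential $N(t) \approx N(0)\,e^{a t}$ (the "exponential attack" phase); it then saturates at $S$. Reducing $a$ (stopping scans near their source) flattens the whole curve, which is the quantitative case for the philosophy on the next slide.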
Slide 31: The Philosophy of this Work
- Limit the impact of malware such as worms, viruses, and spam, as well as the actions of malicious users, by attempting to stop the malicious behavior as close to the source as possible, thus preserving network resources for intended applications
Slide 32: High Level System Description
- Create a federation of firewalls that collaborate with each other and share a global pool of information
- Use advanced algorithms to classify malicious activities in real time
- Distribute the new attack classification information to members of the federation
Slide 33: Firewall Collaboration Framework - The Concept
Slide 34: Framework Components
- Federation Management
- Trust Relationship Management
- Policy Management
- Network Traffic Classification
- Information Management
- Resource Management
Slide 35: Federation Management
- Controls admission of new firewalls to the federation
- Responsible for establishing initial trust between the new firewall and the federation
Slide 36: Trust Relationship Management
- Maintain trust relationships between members
- Information authentication
- Credential management
Slide 37: Policy Management
- Responsible for differentiating local security policy from global security policy
Slide 38: Network Traffic Classification
- Let's look a little closer at some attack types
Slide 39: Buffer Overflow Case Study
Slide 40: Buffer Overflow Case Study
- Abstract view of the memory stack before the call to strcpy
Slide 41: Buffer Overflow Case Study
Slide 42: Denial of Service Case Study - ICMP Smurf Attack
Slide 43: Denial of Service Case Study - TCP SYN Flood Attack
Slide 44: Attack Case Studies - Summary
- With each of the previously mentioned case studies, data flows can be collected from end hosts and from within the network
- The collected data flows can be analyzed with algorithms, and behavioral classification can be performed
- The behavioral classification allows the observation of malicious behavior to be made
Slide 45: Network Traffic Classification
- Classical types of classification:
  - Statistical based anomaly detection
  - Rule based anomaly detection
  - Signature based anomaly detection
  - Artificial intelligence and machine learning techniques [4]
- Main goal: classify traffic in real time and send information vectors to the federation
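As an added illustration of slides 44 and 45 (not code from the slides or the authors' framework), here is rule-based anomaly detection run over collected flow records. It produces the "information vectors" a member would hand to the federation for the two denial-of-service case studies above: a TCP SYN flood (many SYNs towards one host with almost no completed handshakes) and an ICMP Smurf attack (echo requests aimed at a broadcast address). The flow-record format, the addresses and the thresholds are constructed for the demonstration.

```python
"""Added example (not from the Thames/Abler slides): rule-based behavioral
classification of flow records into federation information vectors."""
from collections import defaultdict

# Constructed flow records: (src, dst, proto, flags, packet_count) for one window.
FLOWS = [
    ("10.0.0.7", "10.0.0.5", "tcp", "S", 3),        # normal client opening connections
    ("10.0.0.7", "10.0.0.5", "tcp", "A", 40),       # ... and completing handshakes
    ("198.51.100.1", "10.0.0.5", "tcp", "S", 500),  # SYN flood sources
    ("198.51.100.2", "10.0.0.5", "tcp", "S", 480),
    ("198.51.100.3", "10.0.0.5", "tcp", "S", 520),
    ("203.0.113.9", "10.0.0.255", "icmp", "echo", 900),     # echo to broadcast
    ("10.0.0.20", "203.0.113.9", "icmp", "echo-reply", 60),  # amplified replies
]

# Constructed thresholds; a deployment would derive them from baseline traffic.
SYN_RATE_THRESHOLD = 1000       # SYNs per window a host would not normally see
HANDSHAKE_RATIO_MAX = 0.05      # completed handshakes / SYNs below this is anomalous
SOURCE_SHARE_MIN = 0.10         # a source is named only if it sent >= 10% of the SYNs
BROADCAST_ECHO_THRESHOLD = 100  # echo requests to a broadcast address per window


def classify(flows):
    """Return a list of information vectors describing anomalous behavior."""
    syn_to = defaultdict(int)                       # SYNs per destination
    ack_to = defaultdict(int)                       # handshake ACKs per destination
    syn_by_src = defaultdict(lambda: defaultdict(int))   # dst -> src -> SYNs
    bcast_echo = defaultdict(lambda: defaultdict(int))   # claimed src -> bcast dst -> count

    for src, dst, proto, flags, count in flows:
        if proto == "tcp" and flags == "S":
            syn_to[dst] += count
            syn_by_src[dst][src] += count
        elif proto == "tcp" and "A" in flags:
            ack_to[dst] += count
        elif proto == "icmp" and flags == "echo" and dst.endswith(".255"):
            bcast_echo[src][dst] += count

    vectors = []
    for dst, syns in syn_to.items():
        ratio = ack_to[dst] / syns
        if syns >= SYN_RATE_THRESHOLD and ratio < HANDSHAKE_RATIO_MAX:
            sources = sorted(s for s, n in syn_by_src[dst].items()
                             if n / syns >= SOURCE_SHARE_MIN)
            vectors.append({"type": "syn_flood", "target": dst, "syns": syns,
                            "handshake_ratio": round(ratio, 3), "sources": sources})

    for src, per_dst in bcast_echo.items():
        for dst, count in per_dst.items():
            if count >= BROADCAST_ECHO_THRESHOLD:
                # In a Smurf attack the source address is spoofed: it names the
                # victim, so the vector reports it as such rather than as a source
                # to block.
                vectors.append({"type": "smurf", "broadcast": dst,
                                "count": count, "victim": src})
    return vectors


if __name__ == "__main__":
    for vector in classify(FLOWS):
        print(vector)
```

The legitimate client 10.0.0.7 sends SYNs to the same target but is excluded from the SYN-flood vector by the per-source share rule, and the Smurf vector deliberately does not propose blocking the spoofed source. Both points matter once vectors are distributed federation-wide: a wrong "source" field propagates a denial of service to the victim.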
Slide 46: Information Management
- Information transport
- Centralized, peer-to-peer, hybrid
- Information caching and staleness
- Information confidentiality and integrity
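The trust-relationship component (slide 36) and the information-management component (this slide) meet at the point where one member publishes a classification vector into the global pool. The following added example, which is not the authors' code and assumes a constructed message format, constructed member credentials and a shared-secret (HMAC-SHA256) scheme for information authentication, shows one member publishing a vector and a peer verifying it, rejecting a tampered copy, suppressing a duplicate, and expiring it once stale.

```python
"""Added example (not from the Thames/Abler slides): authenticated sharing of
classification vectors with caching and staleness handling."""
import hashlib
import hmac
import json

# Credential management: each member holds a secret issued when it joined the
# federation. Constructed keys for the demonstration, not real credentials.
CREDENTIALS = {"fw-atlanta": b"k-atl-0001", "fw-boston": b"k-bos-0002"}
MAX_AGE = 300.0        # seconds after which a cached vector is stale
CLOCK_SKEW = 30.0      # tolerated clock difference between members


def canonical(body: dict) -> bytes:
    """Deterministic encoding so both sides authenticate identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def publish(member: str, vector: dict, now: float) -> dict:
    """Wrap a classification vector in a message authenticated with the member's key."""
    body = {"member": member, "issued": now, "vector": vector}
    tag = hmac.new(CREDENTIALS[member], canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class GlobalPool:
    """Peer-side cache of shared vectors: verifies, de-duplicates and expires."""

    def __init__(self) -> None:
        self.entries = {}  # (member, issued) -> vector

    def accept(self, msg: dict, now: float) -> str:
        body = msg["body"]
        key = CREDENTIALS.get(body["member"])
        if key is None:
            return "reject: unknown member"
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "reject: bad authentication tag"   # integrity failure
        if now - body["issued"] > MAX_AGE or body["issued"] > now + CLOCK_SKEW:
            return "reject: stale or future-dated"
        entry_key = (body["member"], body["issued"])
        if entry_key in self.entries:
            return "duplicate"                         # replay or redundant path
        self.entries[entry_key] = body["vector"]
        return "accepted"

    def active(self, now: float) -> list:
        """Drop stale entries and return the vectors still in force."""
        self.entries = {k: v for k, v in self.entries.items() if now - k[1] <= MAX_AGE}
        return list(self.entries.values())


def demo() -> tuple:
    """Publish one vector and run it through a peer's pool; returns the verdicts."""
    pool = GlobalPool()
    t0 = 1_700_000_000.0   # constructed timestamp
    vector = {"type": "syn_flood", "target": "10.0.0.5", "sources": ["198.51.100.1"]}
    msg = publish("fw-atlanta", vector, t0)
    accepted = pool.accept(msg, t0 + 1)
    # Same tag, but the vector now names an inside host: must be rejected.
    tampered = {"body": dict(msg["body"], vector=dict(vector, sources=["10.0.0.7"])),
                "tag": msg["tag"]}
    rejected = pool.accept(tampered, t0 + 1)
    duplicate = pool.accept(msg, t0 + 2)
    remaining = len(pool.active(t0 + MAX_AGE + 1))
    return accepted, rejected, duplicate, remaining


if __name__ == "__main__":
    print(demo())
```

A shared secret per member is the simplest credential that gives integrity and authentication; it does not give confidentiality (the vector travels in the clear) or non-repudiation, and a member whose key leaks can impersonate only itself, which is why federation management issues one credential per member rather than one for the whole federation.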
Slide 47: Resource Management
- Provide the mechanisms needed for scalability, reliability, and robustness
Slide 48: Experimental Evaluation
- Linux IPtables firewall mechanism
- PortSentry scan detection tool
- netcat and Perl scripting
- nmap scanning tool
Slide 49: Experimental Evaluation
- Stop at source? YES
- Preemptive protection? YES
- Is denial of service a major threat? YES
Slide 50: Future Work
- The framework is in its initial design stage
- Solution spaces for the framework components will be evaluated
- In-depth analysis of the solution space for the network traffic classification component, as it is the major component of the framework
Slide 51: Conclusion
- Computer network attacks evolve on a daily basis. Financial incentives will drive the evolution of these attacks. We believe the FCF will be a useful tool for protecting networks against attack. The framework will allow malicious data flows to be stopped at or close to the source, and it will allow for preemptive protection.
Slide 52: References
- [1] CERT (Computer Emergency Response Team), http://www.cert.org
- [2] Internet traffic growth: Sources and implications, A. M. Odlyzko, Proceedings of SPIE, 2003
- [3] http://spam-filter-review.toptenreviews.com, D. Evett, 2006
- [4] Hybrid Intelligent Systems for Network Security, J. L. Thames, R. Abler, A. Saad, Proceedings of the ACM Southeast Conference, 2006