Implementing Distributed Internet Security using a Firewall Collaboration Framework - PowerPoint PPT Presentation

1
Implementing Distributed Internet Security using
a Firewall Collaboration Framework
  • Lane Thames and Randal Abler
  • Georgia Institute of Technology
  • Distributed Network Applications Laboratory

2
Outline
  • Introduction
  • Computer security overview
  • Firewall technology overview
  • Related Work
  • Firewall Collaboration Framework
  • Future Work and Conclusions

3
Introduction
  • The Internet is growing
  • The growth appears to be accelerating

4
Internet Growth 1
5
Internet Growth 2
6
Internet Growth and Attack Trends
  • As the phenomenal growth of the Internet
    continues, malicious activities will continue to
    increase as well.
  • Hacking: computer activity with malicious
    intentions.

8
Hacking Trends
  • Paradigm shift taking place in the Hacking
    Community.
  • Whereas hackers once performed their malicious
    deeds for Internet notoriety, there are now large
    numbers that do this for profit.

9
Hacking Trends
  • According to PC World News, Jeanson Ancheta was
    arrested by the FBI in 2006 and was the first
    hacker to be prosecuted in the US for creating
    malicious code for a profit.

10
Hacking Trends
  • According to Symantec, spammers and phishers pay
    on average about $350.00 per week for a botnet of
    5500 zombie computers.

11
Hacking Trends
  • Corporate extortion, information espionage, and
    identity theft are Internet commodities for
    malicious users.
  • Protx, a British online payment processing company:
    attacks brought their system down in 2005. The
    extortionists warned that the attacks would
    continue unless a 10,000 fee was paid.

12
Hacking Trends
  • Identity theft: huge ROI for hackers
  • According to anti-spam provider Cloudmark, credit
    card data sells for up to $100.00 per account.

13
The Engineering Need
  • What does the data tell us?
  • There still exists an engineering need to
    continue developing reliable and robust computer
    security systems that can thwart the actions of
    malicious users as their tools and techniques
    continue to evolve.
  • Because of the financial incentives now presented
    to hackers, the need is even greater than in the
    past.

14
Computer Security Overview
  • The field of computer security provides the
    technologies to prevent users with malicious
    intent from doing damage

15
Computer Security Services
  • The five main services:
  • Confidentiality
  • Authenticity
  • Integrity
  • Availability
  • Access Control

16
Computer/Network Attack Types
  • Common attack types:
  • Buffer Overflow Exploits
  • Denial of Service
  • Password Attacks

17
Computer/Network Attack Types
  • Common attack types (continued):
  • Exponential Attacks
  • Trojan Horses, Spyware, Adware
  • Spam and Phishing
  • TCP/IP protocol exploitation

18
Overview of Firewall Technology
  • Firewalls: devices that limit network access
  • Firewalls are access control mechanisms
  • They are components inserted between two networks
    that filter network traffic according to a LOCAL
    security policy

19
Firewall Types
  • Packet Filtering Devices
  • Application Filtering Devices
  • Stateful Packet Filtering Devices

20
Firewall Strengths
  • Disallows incoming connections to hosts that do
    not offer public network services
  • Reduces the amount of dangerous noise flowing
    through networks (probes)
  • Gives administrators tools to control their
    networks from the inside and the outside (e.g. do
    you allow your users to get access to the Web?)

21
Firewall Weaknesses
  • Because of increasing line speeds and
    computation-intensive protocols (IPSec), the
    firewall can become a congestion point
  • There exist protocols that are difficult to
    process at the firewall
  • Classical firewall design assumes that all
    internal users can be trusted

22
Firewall Weaknesses
  • Large networks tend to have high numbers of
    ingress points. This makes administration
    difficult, both from a practical point of view
    and with regard to policy consistency
  • End-to-end encryption can be a threat to
    firewalls as it prevents the firewalls from
    looking at the packet fields necessary for
    certain types of filtering

23
Related Work
  • Bellovin et al.: first to describe a distributed
    firewall system.
  • Many firewalls within an institution's network, all
    centrally managed
  • Overcomes issues like multiple ingress points and
    trusting inside users

24
Related Work
  • Smith et al.: Cascade model of distributed
    firewalls
  • Zou et al.: Defense in Depth model of distributed
    firewalls
  • These two works are similar in nature

25
Related Work
  • Schnackenberg et al.: Infrastructure for Intrusion
    Detection and Response
  • Intrusion Detection and Isolation Protocol (IDIP)
  • Similar in nature to the FCF, but designed with
    IDS at the core

26
Firewall Collaboration Framework
  • Some factors driving the design and development
    of this framework:

27
Spam Statistics [3] (2006)
  • Email considered spam: 40% of all email
  • Daily spam emails sent: 12.4 billion
  • Daily spam received per person: 6
  • Email address changes due to spam: 16%
  • Wasted corporate time per spam email: 4-5 seconds
  • Estimated spam increase by end of 2007: 63%

28
Exponential Attacks-Internet Worms
  • The logistic equation is commonly used to model
    worm propagation. It can be derived (not just
    assumed)
  • The logistic equation describes the rate of
    growth of epidemics in finite systems when all
    entities are equally likely to infect any other
    entity

29
Worm Propagation Model
  • N(t): the number of infected hosts at time t
  • S: the total number of susceptible hosts
  • a: the rate at which one machine can compromise
    another
  • T: the time at which ½ of the total number of
    susceptible hosts are infected

30
Worm Propagation Model
31
The Philosophy of this Work
  • Limit the impact of malware such as worms,
    viruses, and spam as well as the actions of
    malicious users by attempting to stop the
    malicious behavior as close to the source as
    possible thus preserving network resources for
    intended applications

32
High Level System Description
  • Create a federation of firewalls that collaborate
    with each other and share a global pool of
    information.
  • Use advanced algorithms to classify malicious
    activities in real-time.
  • Distribute the new attack classification
    information to members of the federation

33
Firewall Collaboration Framework: The Concept
34
Framework Components
  • Federation Management
  • Trust Relationship Management
  • Policy Management
  • Network Traffic Classification
  • Information Management
  • Resource Management
35
Federation Management
  • Control membership of new firewalls to the
    federation
  • Responsible for establishing initial trust
    between the new firewall and the federation

36
Trust Relationship Management
  • Maintain trust relationships between members
  • Information authentication
  • Credential management

37
Policy Management
  • Responsible for differentiating Local security
    policy from Global security policy

38
Network Traffic Classification
  • Let's look a little closer at some attack types

39
Buffer Overflow: Case Study
40
Buffer Overflow: Case Study
  • Abstract view of the memory stack before the call
    to strcpy

41
Buffer Overflow: Case Study
42
Denial of Service Case Study: ICMP Smurf Attack
43
Denial of Service Case Study: TCP SYN Flood Attack
44
Attack Case Studies: Summary
  • For each of the previously mentioned case studies,
    data flows can be collected from end hosts and
    from within the network
  • The collected data flows can be analyzed with
    algorithms, and behavioral classification can be
    performed
  • The behavioral classification allows the
    observation of malicious behavior to be made

45
Network Traffic Classification
  • Classical types of classification:
  • Statistical-based anomaly detection
  • Rule-based anomaly detection
  • Signature-based anomaly detection
  • Artificial intelligence and machine learning
    techniques [4]
  • Main goal: classify traffic in real-time and
    send information vectors to the federation
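
One way the classification component could turn the two denial-of-service case studies above into rules and emit information vectors for the federation, as an added example that is not the framework's own code. The flow records, addresses, event names, thresholds and the `drop-at-source` action are all constructed for illustration.

```python
"""Rule-based traffic classification over constructed flow records: a TCP SYN
flood (many half-open connections from one source) and an ICMP Smurf attack
(echo requests sent to a broadcast address) become information vectors."""
from collections import Counter

# Constructed flow records (src, dst, event); documentation-range addresses, no real hosts
FLOWS = (
    [("198.51.100.7", "192.0.2.10", "syn")] * 120           # half-open SYNs, never completed
    + [("192.0.2.5", "192.0.2.10", "syn")] * 3
    + [("192.0.2.5", "192.0.2.10", "established")] * 3      # the same client's completed handshakes
    + [("203.0.113.9", "192.0.2.255", "echo-request")] * 40  # echo requests aimed at the broadcast address
    + [("192.0.2.6", "192.0.2.10", "echo-request")] * 2      # ordinary pings to one host
)

SYN_FLOOD_MIN = 100   # assumed local-policy thresholds; a real deployment would tune them
SMURF_MIN = 20

def is_broadcast(ip):
    """Crude /24 directed-broadcast check, sufficient for the constructed data."""
    return ip.endswith(".255")

def classify(flows, syn_min=SYN_FLOOD_MIN, smurf_min=SMURF_MIN):
    """Return one information vector per (source, target) pair that matches a rule."""
    syns, established, echoes = Counter(), Counter(), Counter()
    for src, dst, event in flows:
        if event == "syn":
            syns[(src, dst)] += 1
        elif event == "established":
            established[src] += 1
        elif event == "echo-request" and is_broadcast(dst):
            echoes[(src, dst)] += 1
    vectors = []
    for (src, dst), n in syns.items():
        # A flood leaves connections half open: many SYNs and no completed handshakes
        if n >= syn_min and established[src] == 0:
            vectors.append({"attack": "tcp-syn-flood", "src": src, "dst": dst, "count": n})
    for (src, dst), n in echoes.items():
        # Smurf amplification relies on echo requests addressed to a broadcast address
        if n >= smurf_min:
            vectors.append({"attack": "icmp-smurf", "src": src, "dst": dst, "count": n})
    return vectors

def to_message(vector, reporter):
    """Vector as a member would share it; 'drop-at-source' is the action the
    deck's philosophy calls for (stop the flow as close to its origin as possible)."""
    return {"reporter": reporter, "action": "drop-at-source", **vector}
if __name__ == "__main__":
    for v in classify(FLOWS):
        print(to_message(v, "fw-edge-1"))
```

The client at 192.0.2.5 sends SYNs too, but its handshakes complete and its count stays below the threshold, so it produces no vector; tuning the thresholds is the local-policy decision the Policy Management component separates from the global one.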

46
Information Management
  • Information transport
  • Centralized, peer-to-peer, hybrid
  • Information caching and staleness
  • Information confidentiality and integrity

47
Resource Management
  • Provide mechanisms needed for scalability,
    reliability, and robustness

48
Experimental Evaluation
  • Linux iptables firewall mechanism
  • PortSentry scan detection tool
  • netcat and Perl scripting
  • nmap scanning tool

49
Experimental Evaluation
  • Stop at source? YES
  • Preemptive protection? YES
  • Is denial of service a major threat? YES

50
Future Work
  • The framework is in its initial design stage
  • Solution spaces for the framework components will
    be evaluated
  • In depth analysis of the solution space for the
    network traffic classification component as it is
    the major component of the framework

51
Conclusion
  • Computer network attacks evolve on a daily basis.
    Financial incentives will drive the evolution of
    these attacks. We believe the FCF will be a
    useful tool for protecting networks against
    attack. The framework will allow malicious data
    flows to be stopped at or close to the source,
    and it will allow for preemptive protection.

52
References
  • [1] CERT: Computer Emergency Response Team,
    http://www.cert.org
  • [2] Internet traffic growth: sources and
    implications, A. M. Odlyzko, Proceedings of SPIE,
    2003
  • [3] http://spam-filter-review.toptenreviews.com, D.
    Evett, 2006
  • [4] Hybrid Intelligent Systems for Network
    Security, J. L. Thames, R. Abler, A. Saad,
    Proceedings of the ACM Southeast Conference, 2006