Secure Network Design: New Directions
Sumit Ghosh
Hattrick Endowed Chaired Professor of Information Systems Engineering
Department of Electrical & Computer Engineering
Stevens Institute of Technology, Hoboken, NJ 07030
E-mail: sghosh2@stevens-tech.edu
Manifestation Des Jeunes Chercheurs Stic (MAJECSTIC) Conference 2003
Marseille, France
October 29-31, 2003
Slide2: What are Networks?
Networks transport material or messages in electromagnetic (EM) form
Increasingly networks carrying EM messages are gaining importance
Messages represent
Information
Control
Fundamental elements of networks
Networking nodes providing computational intelligence
Links representing medium of transport
Control algorithms – unseen hand that makes networks work correctly
Slide3: Why are Networks Important?
Increasingly, civilization evolving from matter-based to abstract (cyber-based)
All systems steadily evolving towards networked computational systems
Networks underlie all systems and are therefore indispensable
Networked systems parallel human civilization
Idea originates in an individual(s) and processed by the brain
Exchanged among different individuals and further processed
Eventually develops into a whole new product, solution, organization
Networked systems bring unique characteristics
Extremely fast processing and transport
Vast geographical coverage
Simultaneously reaches many many individuals
Slide4: Why is Security of a Network Important?
Packets are encrypted, so how can they be vulnerable?
First, fundamental weakness is finite distance between source and destination
Millions of miles in space, or
Few millimeters in a VLSI chip
Packets exposed, not accompanied by either source or destination
Second, fundamentally, networks are shared; therefore:
Need to protect a user’s process from all other users’ processes
Need to protect a user from network components, gone haywire
Need to protect network elements from users’ processes
Damage -- accidental (rm *.* in unix), intentional (malicious)
Therefore, study of network security is here to stay
It is not a here-today-gone-tomorrow type topic
It is a very serious issue
Slide5: Why is Security of a Network Node Important?
Networking node provides all intelligence, including authentication, etc.
Vulnerability from viruses and intrusions
All data and information are susceptible
If a perpetrator gains control, every activity can be misdirected
A fundamental challenge
Login procedure is fundamental – authenticates user and system
Requires combination of user account name and password(s)
Fundamental vulnerability
Slide6: Security of Transport Links
Vulnerability in a physical sense, i.e. being severed
All data and information in transit are susceptible
Slide7: Control Algorithm Vulnerability?
Algorithm ties in nodes and links to achieve a desired objective
Algorithm encapsulates complex interactions between three elements
If algorithm is susceptible, nothing is trustworthy
Example: Exploit TCP's retransmission to deliberately cause network overload
Exemplified in World War II episodes
Strategically, U-boat warfare most critical
U-boat command and control utilized Enigma encryption machine
Key to Allied success lay in the Nazi failure to understand the key importance of asynchronous distributed algorithms
Unique example from history: Precision bombing run during WWII
Slide8: Control Algorithm Vulnerability (Cont'd)?
[Figure: diagram labeled Britain, France, Bombers, Beam 1, Beam 2, Open bomb bay, Bomb drop]
Slide9: Why is Security Gaining Such Importance?
Increasingly, key national infrastructures are controlled by networks
Telecommunications, power grid, financial services, etc.
X-10 network for communication via power lines in homes
X-10 devices and controller
Turn on A/C in Arizona remotely from cell phone
Turn on outdoor pool following a sand storm in Arizona
Check whether garage door accidentally left open
Monitor home following an alarm going off
Perpetrator may set fire to a specific home by overheating appliances
Worse, perpetrator may sacrifice many homes to destroy a target building
Accessing a patient’s medical record, routine or emergency care
Transmitting sensitive financial information
Exchanging proprietary trade secrets among company sites – GM, Prudential
Accessing individuals’ genetic map from gene analysis laboratories
Uses limited only by imagination, while losses cause irreversible damages
Slide10: Security Guarantees Today
In the Internet and IP networks, security assumes the forms
Encryption – applied to information in storage and in transit
Key management
Firewall
Fundamental challenges
Recently invented primality algorithm from IIT Kanpur severely challenges fundamental mathematical assumptions of encryption keys
Severe performance limitations
Issues with a perpetrator intercepting data
Current thought: Immediate value of data is time-bound
Analysis of data may render it a timeless attribute, e.g. strategic thinking
Slide11: Fundamental Principles Underlying IP
Store and forward
End to end reasoning
Consequences
Quality of service (QoS) fundamentally difficult
Differentiated services, etc. very difficult to realize
Security incorporated as an afterthought
Cannot prevent denial of service
Cannot prevent overload of TCP retransmissions
Cannot prevent network instability
IP network unsuited for secure transmission of sensitive information
Medical
Financial
Trade secrets
Slide12: The Changing Nature of Networked Systems?
Static data stored at a node may be less than useful
Example: Shiny new car sitting in the dealer's parking lot does not make money. The tell-tale sign of an efficient dealer is a sparse parking lot since the cars are sold as soon as they are delivered.
Data, enhanced, modified, and exchanged dynamically, is increasingly valuable – (i) information vs. data and (ii) information is subjective
Therefore, data in transit is of the highest concern
Slide13: New Directions in Secure Network Design
Unique philosophical insight – in this creation, there is nothing for which there is no opposite
New networking principles
Fundamental security framework to objectively analyze network security
Adopted by NSA in NRM
Translate security into a quality of service (QoS) metric
Select and establish secure route (connection-oriented) prior to propagating traffic
ATM, MPLS excellent candidates or design a new network (modified ATM)
Security is an interdisciplinary challenge
New approach and tools
Understand fundamental principles in great depth
Synthesize algorithm and threat scenarios
Test and validate utilizing comprehensive metrics
Behavior modeling
Asynchronous distributed simulation on a network of workstations
Representative traffic model
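An added illustration (not from the original slides) of treating security as a QoS metric and selecting a qualifying route at connection setup, before any traffic is sent. The topology, the attribute names `auth`, `physical` and `audit`, the 0-3 scale and the function names are assumptions made for this example.

```python
import heapq

# Constructed topology. Each node advertises a security vector; the attribute
# names and the 0-3 scale are hypothetical, chosen only for this illustration.
NODES = {
    "A": {"auth": 3, "physical": 3, "audit": 3},
    "B": {"auth": 1, "physical": 2, "audit": 1},
    "C": {"auth": 3, "physical": 3, "audit": 2},
    "D": {"auth": 2, "physical": 3, "audit": 2},
    "E": {"auth": 3, "physical": 3, "audit": 3},
    "F": {"auth": 3, "physical": 3, "audit": 3},
}
LINKS = {("A", "B"): 1, ("B", "F"): 1, ("A", "C"): 2, ("C", "D"): 1,
         ("D", "F"): 1, ("A", "E"): 4, ("E", "F"): 3}


def meets(node, demand):
    """A node qualifies only if every demanded attribute is satisfied."""
    return all(NODES[node].get(k, 0) >= v for k, v in demand.items())


def setup_secure_route(src, dst, demand):
    """Connection setup: cheapest path that uses only qualifying nodes.

    Returns (cost, path), or None when the demand cannot be met, in which
    case the call is refused before any user traffic is sent.
    """
    if not (meets(src, demand) and meets(dst, demand)):
        return None
    adj = {}
    for (u, v), cost in LINKS.items():
        adj.setdefault(u, []).append((v, cost))
        adj.setdefault(v, []).append((u, cost))
    heap, done = [(0, src, [src])], set()
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node == dst:
            return cost, path
        if node in done:
            continue
        done.add(node)
        for nxt, c in adj.get(node, []):
            if nxt not in done and meets(nxt, demand):
                heapq.heappush(heap, (cost + c, nxt, path + [nxt]))
    return None
```

Raising the demand pushes the call onto costlier routes through better-protected nodes, and a demand no path can satisfy is rejected at setup rather than discovered after data has been exposed.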
Slide17: Continental Military Network
Slide18: Security as an Interdisciplinary Challenge
Operating systems
Notion of files and attributes
Why can a perpetrator wipe out log files?
Viruses
Executable file transfer
BIOS attack
Viruses combining autonomously, unstable mutation (SARS)
Biological and computer virus – unique difference
Ultra-fast viruses?
Computer architectures
Fundamental weakness across all computers
Virus modifies instruction set, computer’s primary objective
Slide19: Interdisciplinary Issues (Cont’d)
Control algorithm attacks -- If algorithm is susceptible, nothing is trustworthy
Precision bombing run during WWII
Exploit TCP's retransmission to deliberately cause network overload
Insider attacks – greatest threat in Financial Services Industry
Coordinated attacks – physical and cyberattacks
Elusive attacks – very slow in time and highly geographically distributed
System attacks itself, autoimmune failure – accidentally modified autonomous agents
Lessons from Nature and biology
Hantavirus
Quarantine only technique that works in infectious diseases, fundamentally weak for computer viruses – spreads at EM speed
Bubonic plague bacterium and AIDS virus use identical two-prong attack strategy
Sharks switch sensors while attacking prey
Human immune system design and insight from nature of computational power
Genetically imprinted immune system of bees versus adaptive in humans
Slide20: Interdisciplinary Issues (Cont’d)
Threat scenario design, rationale, and testing
Requires depth and breadth
Requires interdisciplinary knowledge in biology, law
Law: Can privacy be protected on the Internet?
Law enforcement: Identify original weapon (unique) for conviction?
Encryption
Continue mathematical research into improving performance
Slide21: Intrusion Detection
Fundamental Challenges to Intrusion Detection
Intrusion detection is compute-intensive
Scalability a fundamental issue with all networks
ATM and variants hold promise
Inherent promise of quality of service
IP networks based on store and forward principle
Fundamental framework for security
NSA adopted under NRM
Comprehensive security mapped into a QoS metric
Basic Network Intrusion Detection
Minimum components:
Sensors
Assessment Engine
Response Agents
Switched Network Intrusion Detection
Complications resulting from switched networks
Unlike broadcast networks where sensors can “sniff” large portions of a network, switched networks use point-to-point connections.
Switched (and particularly ATM) networks scale well to very large sizes
Requires many more sensors
Overloads the assessment engine
A new intrusion detection architecture is needed for large, switched networks
Underlying Motivations
Practical, scaleable intrusion detection architecture for ATM Networks.
Attacks against the PNNI protocol develop very quickly
Processes and events within ATM switches occur over very short intervals of time
ATM networks can grow quite large using hierarchical peer groups
Previous research has shown that decentralized military command and control models allow faster reaction times, resulting in faster convergence on the enemy and higher kill rates, with fewer casualties
But, a purely decentralized approach may not be compatible with ATM peer groups
Architecture that would apply to other switched networks (e.g. MPLS)
Inspiration -- Human Immune System Design
Nature designed and tested over millions of years
Nature's primary objectives
Key elements of the design
Evolutionary nature of the design
Spectacular failures of nature
The notions of computational energy and limits of computational power
Hierarchical Intrusion Assessment
Sensors are assigned to various assessment engines, arranged hierarchically
Manages load for assessment engines
Scaleable solution
Allows both tactical and strategic assessment
Tactical and Strategic Assessment
Tactical assessment facilitates fast local responses, necessary in high-speed switched networks
Strategic assessment gives overall picture of distributed or slow-to-develop attacks
Assessment engines appear as sensors or response agents to assessment engines at other levels of the hierarchy
Detailed View
Tactical sentinels
Hardware embodiment of one or more sensors and an assessment engine
Monitors fabric of associated switch
Response is limited to ports, elements, and UNI traffic of associated switch
Report observations, events, and actions to strategic assessment at peer group level
Execute local responses as directed by the peer group level strategic assessment engine
Change its behavior via reprogramming by the strategic assessment engine at the peer group level
Detailed View (continued)
Strategic assessment (level 1)
Hardware/software entities
Distinct from the nodes of the peer group
Analyze all anomalies within the peer group, taken in the context of recent history
Reprogram tactical sentinels
Initiate other responses (beyond the scope of a single switch)
Report “conclusions” and responses to level 2 assessment
Strategic assessment (level 2)
Likely software implementations
Assess network behavior
Compute long-term decisions within the context of network history
Initiate responses
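An added illustration (not from the original slides or the cited Milcom paper) of the hierarchy described above: tactical sentinels respond locally and report upward, a level-1 engine per peer group reprograms its sentinels, and a level-2 engine correlates conclusions over history. The class names, thresholds, the "distributed" heuristic and the event counts are assumptions constructed for this example.

```python
from collections import Counter

class TacticalSentinel:                      # sensor + engine on one switch
    def __init__(self, switch, threshold=5):
        self.switch, self.threshold, self.blocked = switch, threshold, set()

    def observe(self, counts):
        """counts: {port: anomalous events this interval}; returns report."""
        new = [p for p, n in counts.items() if n >= self.threshold]
        self.blocked.update(new)             # fast local (tactical) response
        return {"switch": self.switch, "counts": counts, "blocked": new}

class PeerGroupEngine:                       # level-1 strategic assessment
    def __init__(self, name, sentinels, group_threshold=8):
        self.name, self.sentinels, self.limit = name, sentinels, group_threshold

    def assess(self, interval):
        """interval: {switch: {port: count}}; returns conclusion for level 2."""
        reports = [s.observe(interval.get(s.switch, {})) for s in self.sentinels]
        total = sum(sum(r["counts"].values()) for r in reports)
        # Assumed heuristic: many events in the group, none tripping a switch.
        distributed = (total >= self.limit
                       and not any(r["blocked"] for r in reports))
        if distributed:
            for s in self.sentinels:         # reprogram sentinels: tighten
                s.threshold = max(1, s.threshold // 2)
        return {"group": self.name, "total": total, "distributed": distributed}

class NetworkEngine:                         # level-2 strategic assessment
    def __init__(self, min_groups=2):
        self.history, self.min_groups = Counter(), min_groups

    def assess(self, conclusions):
        """True once enough peer groups have reported distributed activity."""
        for c in conclusions:
            if c["distributed"]:
                self.history[c["group"]] += 1
        return len(self.history) >= self.min_groups

def run_scenario():
    """Replay two constructed intervals of per-port anomaly counts."""
    pg1 = PeerGroupEngine("PG1", [TacticalSentinel(s) for s in ("s1", "s2", "s3")])
    pg2 = PeerGroupEngine("PG2", [TacticalSentinel(s) for s in ("s4", "s5")])
    level2, verdicts = NetworkEngine(), []
    intervals = [{"s1": {1: 3}, "s2": {2: 3}, "s3": {1: 3}, "s4": {1: 6}},
                 {"s1": {1: 3}, "s4": {2: 4}, "s5": {1: 4}}]
    for iv in intervals:
        verdicts.append(level2.assess([pg1.assess(iv), pg2.assess(iv)]))
    return pg1, pg2, verdicts
```

In the first interval no PG1 switch crosses its own threshold, yet the peer group engine sees the combined load and halves the sentinels' thresholds; only in the second interval, with a second peer group reporting, does level 2 conclude that the activity is network-wide.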
New Approach and Tools
Synthesize high-level asynchronous distributed algorithm
Synthesize comprehensive metrics
Test and validate algorithm through modeling and simulation
Accurate asynchronous, distributed PNNI simulator
Representative traffic model
Slide32: Ultimate Future?
As networks evolve, newer forms of attacks will emerge
Interdisciplinary thinking and proposed approach are our key weapons
Pure energy computers?
Quantum entanglement?
Slide33: Source Material for the Tutorial & Further Reading
1. Sumit Ghosh, Principles of Secure Network Systems Design, Springer Verlag, ISBN 0-387-95213-6, April 2002.
2. Thomas D. Tarman and Edward L. Witzke, Implementing Security for ATM Networks, Artech House, Boston, ISBN 1-58053-293-4. 2002.
3. Sumit Ghosh, "Computer Virus Attacks on the Rise: Causes, Mitigation, and the Future," Financial IT Decisions 2002, Vol. 1, a Bi-Annual Technology Publication of the Wall Street Technology Association, Red Bank, New Jersey, http://www.wsta.org, Feb/Mar 2002, pp. 16-17, ISBN 1-85938-369-6.
4. Ed Witzke, Tom Tarman, Gerald Woodard, and Sumit Ghosh, "A Novel Scaleable Architecture for Intrusion Detection and Mitigation in Switched Networks," Proceedings of the IEEE Milcom 2002, Oct 7-10, 2002, The Disneyland Resort, Anaheim, CA.
5. Sumit Ghosh, "Future Advances in Networked Systems and New Forms of Cyberattacks," chapter in "Cybercrimes," Edited by Elliot Turrini (Asst. US Attorney) and Jessica R. Herrera (Federal Prosecutor, CCIPS, US DoJ), Wadsworth Publishing, Belmont, CA., August 2002.
Thank you
Questions, Suggestions, & Criticisms
email: sghosh2@stevens-tech.edu
http://attila.stevens-tech.edu/~sghosh2