Monitoring for network security and management - PowerPoint PPT Presentation

Provided by: kohei
1
Monitoring for network security and management
  • Cyber Solutions Inc.

2
Why monitoring?
  • Health check of networked node
  • Usage and load evaluation for optimizing the
    configuration
  • Illegal access detection for both inbound and
    outbound traffic

All networked information is on the LINE
3
Threats have to be monitored
  • Node alive or dead
    • Network or node fault?
    • Attacked?
  • Performance degradation
    • Network fault?
    • DoS possibility?
    • Large-scale incident?
  • Policy enforcement
    • Detecting policy violation (prohibited
      communication)
    • Detecting configuration change
  • Potential attack originator
    • Exploited / compromised by attacker?
    • Attacking by insider?
    • Virus polluted?
    • Malicious terminal connected?

4
Monitoring is the first step for security and
network management
  • Monitoring basics
    • Information collection from every networked node
    • Packet monitoring
  • Advanced topics
    • High-resolution monitoring
    • Hash-based traceback
    • Simple and lightweight analysis for practical
      monitoring
    • Information collection from mobile node/network
    • Monitoring network inside

5
High-resolution monitoring
  • Traffic is so dynamic
    • Peak rate is what matters for actual performance
    • Malicious access hides in peaky traffic (pulsing
      DoS)
  • Requirement
    • Shift from minute, hour and daily measurement to msec,
      usec, and even finer-grained measurement
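As an added example (not code from the presentation), the following measures the same constructed packet trace at minute, second and millisecond resolution: a 2000-packet pulse lasting a few milliseconds is invisible to a per-second rate threshold and obvious at per-millisecond resolution. Timestamps are constructed, in integer microseconds.

```python
from collections import Counter

# Added example, not code from the presentation. Timestamps are constructed,
# in integer microseconds to avoid floating-point bin-boundary errors.
US_PER_S = 1_000_000


def peak_rate(timestamps_us, bin_us: int) -> float:
    """Peak packet rate in packets/second when counting in bins of bin_us."""
    counts = Counter(t // bin_us for t in timestamps_us)
    return max(counts.values()) * US_PER_S / bin_us


def constructed_trace():
    """100 pps steady background for 10 s plus a 2000-packet pulse ~4 ms long at t=3 s."""
    background = [i * 10_000 for i in range(1000)]             # one packet every 10 ms
    pulse = [3 * US_PER_S + 500 + 2 * i for i in range(2000)]  # one packet every 2 us
    return sorted(background + pulse)


def compare_resolutions(timestamps_us):
    """Same trace measured at minute, second and millisecond resolution."""
    return {bin_us: peak_rate(timestamps_us, bin_us)
            for bin_us in (60 * US_PER_S, US_PER_S, 1_000)}


def pulse_visible(timestamps_us, bin_us: int, threshold_pps: float) -> bool:
    """Would a simple rate threshold fire at this measurement resolution?"""
    return peak_rate(timestamps_us, bin_us) >= threshold_pps
```

The minute-resolution peak is 50 pps and the second-resolution peak 2100 pps, while the millisecond-resolution peak is 500,000 pps; a 10,000 pps threshold fires only at the finer resolution.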

6
Monitoring with high-resolution
7
Scalability by Aggregation
[Chart: aggregated measurements plotted against time]
8
The drafts
  • http://www.ietf.org/internet-drafts/
  • draft-glenn-mo-aggr-mib-02.txt

9
Problems in current counter DoS attack solutions
Not solved!
10
Take the battle to the foe
Traceback potential
Traceback
11
The traceback concept
[Diagram: starting at the Target, each upstream node is asked whether it saw the packet; the answers Yes!, Yes!, Yes!, then No! narrow the Source down to "Around Here!"]
12
The Architecture
[Diagram: the Packet Tracker (PT) exchanges Packet Query/Response messages with the agents labelled PRA and PRB; PR = packet record]
13
The Architecture
[Diagram: as on slide 12, plus a Conf Query/Response exchange through which the Packet Tracker (PT) reads and sets the agents' recording settings]
14
Requirements Packet Record Protocol
  • Mapping PacketRecord to (encoded) Packet
  • Additional data for corroboration
  • Scope of Packet Record
    • which IP header fields are masked
    • how much of the payload is covered
15
Requirements Packet Record Protocol

16
Requirements Communication Protocol
  • Check for existence of a datagram
  • Lightweight
  • Authenticated
    • Privacy, Integrity
    • Non-repudiation
  • Query for packet recording parameters

17
The Process
18
Demonstration Tracking Attacks using
SNMP based packet tracing
[Diagram: Attacker1 on the IETF wireless network and Attacker2 on the IETF wired network, the Internet, the Manager, and the Victim on a remote network; arrows labelled attack, SNMP Trap, and Query and Response]
  1. Attacker1 sends packet to Victim.
  2. IDS detects it and sends SNMP trap to manager
     along with packet record.
  3. Manager queries packet record agents PRA1, PRA2
     and PRA3 for packet record.
  4. Manager receives responses from PRA1, PRA2, PRA3
     and traces packet path.
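The packet record of slide 14 and the manager/PRA exchange of slide 18, as an added example that is not code from the presentation or from Cyber Solutions. The record format is a hypothetical one: SHA-256 over the IPv4 header with the hop-mutable fields (TOS, TTL, checksum) zeroed, plus the first 8 bytes of payload; the agent names follow the slide, the addresses and payload are constructed.

```python
import hashlib
import socket
import struct

# Added example, not the presentation's code. The record format is hypothetical:
# SHA-256 over the IPv4 header with hop-mutable fields (TOS, TTL, checksum)
# zeroed, plus the first PAYLOAD_BYTES of payload. Addresses are constructed.
PAYLOAD_BYTES = 8

def build_ipv4(src, dst, ttl, payload, ident=0x1234):
    """Constructed IPv4 packet; checksum is left 0 because the record masks it."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                         ttl, 17, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload

def packet_record(ip_packet, payload_bytes=PAYLOAD_BYTES):
    """Hash the packet with per-hop mutable fields masked, so every agent on
    the path derives the same record from the same packet."""
    ihl = (ip_packet[0] & 0x0F) * 4
    header = bytearray(ip_packet[:ihl])
    header[1] = 0                  # TOS/DSCP, may be rewritten in transit
    header[8] = 0                  # TTL, decremented at every router
    header[10:12] = b"\x00\x00"    # header checksum, recomputed after TTL change
    return hashlib.sha256(bytes(header) + ip_packet[ihl:ihl + payload_bytes]).hexdigest()

class PacketRecordAgent:
    """PRA: stores records of forwarded packets and answers existence queries."""
    def __init__(self, name):
        self.name = name
        self.records = set()

    def observe(self, ip_packet):
        self.records.add(packet_record(ip_packet))

    def query(self, record):
        return record in self.records

def trace(record, agents):
    """Manager side of slide 18: ask each PRA, return the ones that saw the packet."""
    return [a.name for a in agents if a.query(record)]

def demo():
    """Attacker1 -> PRA1 -> PRA2 -> Victim; PRA3 is off the path."""
    pra1, pra2, pra3 = (PacketRecordAgent(n) for n in ("PRA1", "PRA2", "PRA3"))
    payload = b"constructed attack payload"
    pra1.observe(build_ipv4("10.0.1.5", "192.0.2.10", 64, payload))
    pra2.observe(build_ipv4("10.0.1.5", "192.0.2.10", 63, payload))  # TTL decremented
    pra3.observe(build_ipv4("10.0.3.7", "192.0.2.10", 64, b"unrelated traffic"))
    trapped = build_ipv4("10.0.1.5", "192.0.2.10", 62, payload)     # copy sent by the IDS
    return trace(packet_record(trapped), [pra1, pra2, pra3])
```

Because TTL and checksum are masked, the copy trapped by the IDS (TTL 62) matches the records stored at PRA1 (TTL 64) and PRA2 (TTL 63), so `demo()` reconstructs the path as PRA1 then PRA2 and excludes PRA3.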
19
Demonstration Screen shot
20
For practical network monitoring
  • Simple and lightweight monitoring
  • Focusing on stability of traffic
  • Simple event generation and deep inspection

[Diagram: Monitoring and Stability analysis feeds Event notification; Deep inspection draws on a Packet Sample DB]
21
Stability example
Observed source address is stable in large scale
network
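The stability idea on this slide, as an added example that is not the presentation's own code: it generalizes from individual source addresses to /24 source prefixes (an assumption), learns a baseline from windows that look stable, and flags a window in which most observed prefixes were never seen before. The samples are constructed.

```python
import ipaddress
from collections import defaultdict

# Added example, not from the presentation. It generalizes the slide's point from
# single addresses to /24 source prefixes (an assumption) and flags a window whose
# observed sources mostly fall outside the baseline learned from earlier windows.

def prefix24(addr):
    return str(ipaddress.ip_network(f"{addr}/24", strict=False))

def stability_scan(samples, window_s=60, max_new_fraction=0.5):
    """samples: (timestamp_s, src_ip) pairs. Returns one report dict per window.
    Unstable windows are not merged into the baseline, so a flood of fresh
    sources cannot teach the baseline that they are normal."""
    windows = defaultdict(set)
    for ts, src in samples:
        windows[ts // window_s].add(prefix24(src))
    baseline, report = set(), []
    for w in sorted(windows):
        seen = windows[w]
        new_fraction = len(seen - baseline) / len(seen)
        unstable = bool(baseline) and new_fraction >= max_new_fraction
        if not unstable:
            baseline |= seen
        report.append({"window": w, "prefixes": len(seen),
                       "new_fraction": round(new_fraction, 2), "unstable": unstable})
    return report

def constructed_samples():
    """Five stable /24s in every window; window 2 also carries 20 never-seen sources."""
    stable = [f"10.1.{i}.{k}" for i in range(5) for k in (1, 2, 3)]
    samples = [(w * 60 + k, src) for w in range(4) for k, src in enumerate(stable)]
    samples += [(2 * 60 + 30 + i, f"10.{50 + i}.0.1") for i in range(20)]
    return samples
```

On the constructed input, only window 2 is reported unstable (25 prefixes, 80% new); the first window is treated as learning and is never flagged.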
22
Mobility issues
  • Sometimes disconnected

[Diagram: a mobile node needs access to more information while changing network and changing place/environment]
23
Mobility issues (1)
  • Not continuously connected
    • Usual polling paradigm will not work
  • Store locally (offline)
  • Store and forward (semi-online)
  • Agent-initiated polling
  • Agent-initiated informs
24
Current Method
[Timeline diagram: Manager polling along a time axis]
25
Current Method
[Timeline diagram: Manager polling along a time axis]
26
[Timeline diagram: time axis]
27
Agent-initiated informs
[Timeline diagram: agent informs reaching the Manager along a time axis]
28
Conventional defense strategy
  • Monitoring access from outside to inside

[Diagram: Web server and Mail server in the DMZ, protected by Firewalling and Monitoring by IDS, in front of the Intranet]
29
Risks network inside
  • Potential insider attacks
  • Virus-infected node
  • Prohibited user access from DHCP/wireless network
  • Exploited and/or compromised node
30
Monitoring inside
  • Monitoring
    • Log collection and audit
    • DHCP and/or connection activity monitoring
    • Application traffic from inside to outside

[Diagram: connectivity and log monitoring; prevent illegal outbound access; detection of non-authorized terminals]
31
Summary
  • Monitoring is the real base of network security
    and network management
  • Further advanced monitoring is required
    • High-resolution
  • New security applications are required
    • Packet traceback
  • Further practical analysis is required
    • Stability-based analysis
  • Future network environment support is required
    • Mobile node and network support
  • New monitoring target is required
    • Network inside