Post on 19-Dec-2015
Unifying the Conceptual Levels of Network Security through Use of Patterns
PhD Proposal
Ajoy Kumar
Secure Systems Research Group – Florida Atlantic University
Overview
[Diagram: Firewall, IDS and VPN shown against the Application, TLS and IPSec levels]
Problem Statement
• Security is of utmost concern at every layer: the application layer, the transport layer, and the IP layer. At each of these layers we discuss the security components (firewalls, IDS and VPNs), analyze security criteria, and identify the patterns that do not yet exist and develop them.
Network Architecture
Layer        FireWall   IDS         VPN          Protocol
Application  XML FW     XML IDS     XML VPN      SAML
TCP          Proxy FW   TCP IDS     TLS/SSL VPN  TLS
IP           Packet FW  Packet IDS  IPSec VPN    IPSec
Security Mechanisms: AUTHENTICATION, SECRECY, AUTHORIZATION, IDENTIFICATION
VPN
[Diagram: XML VPN, TLS VPN and IP VPN, each linked by a "Supports" relation to SAML, TLS and IPSec respectively]
Pattern Diagram for VPN
[Diagram: patterns VPN, TLS VPN, IP VPN, XML VPN, Authentication, Secure Channel, TLS, IPSec and SAML, connected by "Realize" relations]
• We can create similar diagrams for Firewalls and IDS.
• Previous Work - Survey
Class Diagram for a Packet FW [Fe06]
[Diagram: classes PFFirewall, RuleBase (addRule, deleteRule, modifyRule, reorderRules), Rule (in/out, {ordered}), ExplicitRule, DefaultRule, ExternalHost and LocalHost (each with an address, linked through requestService)]
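Added example, not part of the original slides: the classes of the Packet FW diagram written out in Python, showing that the order of the rules in the RuleBase decides the outcome and that the DefaultRule catches every request no explicit rule matches. The rule fields, the deny default, the first-match evaluation and the addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class ExplicitRule:
    direction: str    # "in" or "out", as on Rule in the diagram
    source: str       # CIDR block of the requesting host (assumed field)
    destination: str  # CIDR block of the requested host (assumed field)
    action: str       # "allow" or "deny" (assumed field)
    def matches(self, direction, src, dst):
        return (direction == self.direction
                and ip_address(src) in ip_network(self.source)
                and ip_address(dst) in ip_network(self.destination))

@dataclass
class DefaultRule:
    action: str = "deny"  # assumed default; applies when no explicit rule matches
    def matches(self, direction, src, dst):
        return True

class RuleBase:  # ordered explicit rules followed by exactly one default rule
    def __init__(self):
        self.rules, self.default = [], DefaultRule()
    def add_rule(self, rule):
        self.rules.append(rule)
    def delete_rule(self, index):
        del self.rules[index]
    def modify_rule(self, index, rule):
        self.rules[index] = rule
    def reorder_rules(self, order):
        if sorted(order) != list(range(len(self.rules))):
            raise ValueError("order must be a permutation of the rule indexes")
        self.rules = [self.rules[i] for i in order]

class PFFirewall:
    def __init__(self, rule_base):
        self.rule_base = rule_base
    def request_service(self, direction, src, dst):
        # First matching rule decides; the default rule is consulted last.
        for rule in [*self.rule_base.rules, self.rule_base.default]:
            if rule.matches(direction, src, dst):
                return rule.action == "allow"

def build_scada_firewall():
    # Constructed addresses: field units in 192.0.2.0/24, central controller at 10.0.0.5.
    base = RuleBase()
    base.add_rule(ExplicitRule("in", "192.0.2.0/24", "10.0.0.5/32", "allow"))
    base.add_rule(ExplicitRule("in", "192.0.2.66/32", "10.0.0.0/24", "deny"))
    return PFFirewall(base)
```

As built, the deny rule for 192.0.2.66 is shadowed by the broader allow rule ahead of it; calling `reorder_rules([1, 0])` puts the deny first and the same request is then refused.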
Work Already Completed
• IDS Pattern (Signature Based)
• VPN Pattern (Abstract)
Class Diagram for Signature based IDS [Fer05]
Viking PLOP
Class Diagram For VPN
[Diagram: classes Network, Network End Point, VPN, Authenticator, Secure Channel, Identity Base and Identity]
Proposed Work
• Missing Patterns for the Functions and Protocols
• Study of Combinations
– IDS + Firewalls
– Firewalls + VPN
Expected Contributions
• Unification of Security Functions in the Network Layer.
• Consider a Case study like a SCADA system and see how these patterns apply to a SCADA system.
• Development of Specific Patterns
Case Study
• SCADA Architecture
• SCADA can be used as an example of a distributed system where we apply these patterns.
SCADA
• Supervisory Control and Data Acquisition (SCADA) systems consist of geographically scattered units (field devices) controlled using centralized data acquisition and control (control center) [Sto06]. They are usually highly distributed systems. Field devices could be controlling local operations such as valve operations, collecting sensor data, and monitoring for disaster conditions. The next figure shows the general architecture of a SCADA system. Examples of SCADA systems are electric power systems, oil and gas pipelines, water utilities, and any system that requires remote monitoring and control.
General SCADA architecture (from [Sto06]).
• The common attacks threatening a SCADA system are physical attacks to the field (remote) units and network attacks to the communication networks usually through the internet. The primary security concerns are availability and integrity. Confidentiality and non-repudiation are secondary concerns.
• Example
– An important example of a SCADA application is electric power generation.
• Context
– A SCADA system, such as an electric power generation system, with a Distributed Architecture and connected to the Internet.
Forces
• Only Authorized personnel should be able to access the system at the Remote units and the Main control unit.
• Messages sent from the supervisory control unit to the Remote field units and back should be confidential and data integrity should be preserved.
• Messages should be sent only by authorized personnel at the remote location and the main location.
• Authorized personnel should be able to do their respective duties based on Company defined Policies.
Forces (Contd…)
• Any message from unknown or spurious remote locations should be discarded.
• We should be able to detect any intrusions into the system and create alert logs.
• Field Units and Communication Lines should be free from Physical Attacks.
• Service should be available 24 hrs 7 days a week.
Solution
• Authentication is done at the Remote and the Central Controller unit to make sure that only Authorized personnel have entry access to the system.
• We can create secure VPN channels at the Central Controller and the Remote units so that we can send confidential messages. This also makes sure that the integrity of data is maintained.
• Intrusion Detection Systems are able to detect any intrusions to the systems based on misuse based detection or anomaly based detection.
• Firewalls prevent messages from unknown and dangerous sites from reaching the system.
Solution (Contd…)
• By providing Reference monitor or RBAC, we can make sure that the authorized personnel can perform their respective roles.
• By adding Physical Access control zones we can prevent physical attacks caused by external elements.
• All these security measures added make sure that there is no Denial of Service (DOS).
• The use of these security models in SCADA communication can significantly reduce the vulnerability of these critical systems.
Class Diagram (w/o Security Components)
[Diagram: classes Central Controller, User Interface, Field Unit Controller, Comm. Network, Internet and Zone]
Consequences
• Advantages
– Users are authenticated by the system. This also helps to maintain a good logging system.
– The RBAC model helps authorization policies to be implemented within the system based on the roles of the personnel.
– Secure channels use strong encryption, which helps confidentiality and data integrity.
– Firewall and IDS help to make the system more secure.
Consequences (Contd…)
• Liabilities
– High overhead with VPN connection, firewall and IDS.
– If the protocol used is not a secure protocol, the risk increases.
• Known Uses
– Any Power Utility company such as FPL.
• Related Patterns
– VPN Patterns
– Firewall Patterns
– IDS Patterns
References
• [Bar04] K. Barnes, B. Johnson and R. Nickelson. "Review of Supervisory Control and Data Acquisition (SCADA) Systems." Idaho National Engineering and Environmental Laboratory, Bechtel BWXT, Idaho. http://www.inl.gov/technicalpublications/Documents/3310858.pdf
• [Cla04] G. R. Clarke and D. Reynders. Practical Modern SCADA Protocols: DNP3, 60870.5 and Related Systems. 2004. books.google.com
• [Fer07] Eduardo B. Fernandez. Class Notes COT5930 – Fall 2007, Florida Atlantic University.
• [Fer05] Eduardo B. Fernandez, Jose Ballesteros, Ana C. Desouza-Doucet, and Maria M. Larrondo-Petrie. "Security Patterns for Physical Access Control Systems." Class Notes COT5930 – Fall 2007, Florida Atlantic University.
• [Jeo07] Jeon Il Moon, Jung Sub Kim, Jong Bae Kim, Kye Young Lim and Byoung Wook Choi, "A hardware implementation of distributed network protocol." Computer Standards & Interfaces, Volume 27, Issue 3, Pages 221-232.
• [Pat07] S. C. Patel and Y. Yu, "Analysis of SCADA security Models." International Management Review, Vol. 3, No. 2, 2007, Pages 68–76.
• [Sto06] K. Stouffer, J. Falco, and K. Kent, "Guide to supervisory control and data acquisition (SCADA) and industrial control systems security", Spec. Pub. 800-82, National Institute of Standards and Technology (NIST). http://csrc.nist.gov/publications/drafts/800-82/Draft-SP800-82.pdf