CS 552 – Senior Design Project
Gossip: Network Security Agent – System Architecture

Posted on 21-Dec-2015

Page 1:

CS 552 – Senior Design Project

Gossip: Network Security Agent

System Architecture

Greg Morton, Oliver Gould, Scott Dryer, Allen Laquindanum, Dustin Long, Lucas Vickers, Mark Loeser, Haifan Lu, Ken Henriques, Jon Voris

Page 2:

Agenda

Project Summary
Non-Functional Requirements
System Architecture: Process View, Logical View, Physical View, Development View, Coupling and Cohesion
Project Management
Use Case Scenarios
Test Plan Summary
Installation Process
Current Project Status
ICED-T/QFD

Page 3:

Project Summary

System administration tool to aid in the distribution of firewall policy, based on a trust-based network of peers.
Firewall policy can be applied locally.
Peers exchange trust and suspicion of a given suspected address.
No need for any detection or policing locally.
Can be built with extensions to interface with platform-specific firewall modules and administrator-chosen network detection systems.

Page 4:

Project Summary (cont.)

An average user, running Gossip on his or her Linux machine with a network of 20 peers, would reduce the amount of alerts they must address by 26%.

Gossip MOV

Page 5:

Non-Functional Requirements

All errors will be logged and all non-fatal errors recovered from.
In the event that the agent module crashes, other modules will stop their current tasks and exit cleanly.
The enforcement component will not affect the firewall rules in the event that it crashes.

Page 6:

Non-Functional Requirements (cont.)

The system will be written in a component-oriented manner to allow for extensibility.
Modules that will be directly accepting input from the network, the P2P and detection system modules, will operate in a chroot jailed environment in order to improve system security in the situation that one of them is compromised.

Page 7:

System Architecture

Process View #1

Page 8:

System Architecture (cont.)

Process View #2

Page 9:

System Architecture (cont.)

Logical View

Page 10:

System Architecture (cont.)

Physical View

Page 11:

System Architecture (cont.)

Development View

Component | Technologies Used
Agent | C, Bison, Flex
Detection System | C++, IDMEF, XML
Firewall | C++, IPTables
Peer-to-Peer | C++, OpenSSL
All Modules | Sockets, Syslog

Page 12:

System Architecture (cont.)

Coupling and Cohesion

The Inter-Process Communication protocol enforces low coupling.
The Agent is the least cohesive module; otherwise, modules are highly cohesive.

Page 13:

Project Management

Use the gna.org open source project hosting service, which supplies us with:
Mailing List Management
Task Manager
Bug Tracker
Version/Document Control
Web Space for File Distribution

Page 14:

Use Cases

I notice that my gossipers are updating too often, causing too much network traffic. I change the timer update interval and signal my gossipers to reconfigure.

I have set up a new machine and installed Gossip on it. Now I would like to add it to my list of trusted friends on all of my gossipers.

A new vulnerability is disclosed which makes previously benign traffic very dangerous instead. I update my detection system, and from then on my gossipers should block foreign machines sending such traffic.

Page 15:

Use Cases (cont.)

Someone tries to brute-force guess a password on my machine. After my detection system collects enough failed password attempts, it causes my gossiper to block the offending foreign machine.

One of my friends (B) says that a foreign machine (M) has a very high suspicion. My other friend (C) says that M has a low suspicion. Both B and C have perfect assurance. I give M some score at or above B's suspicion.

A list of my friends all say that some foreign machine (M) attacked them. Since combined this shows that M is malicious, we all block M.
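The two suspicion-combining scenarios above (a high-suspicion friend beside a low-suspicion one, and many friends reporting the same machine) as an added Python example; this is not the Gossip project's code, and the assurance-weighted noisy-OR rule, the block threshold and the stale-claim cut-off are assumptions chosen so that the slide's expected outcomes hold.

```python
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Report:
    """A friend's claim about a foreign machine (constructed for this example)."""
    peer: str          # friend making the claim, e.g. "B"
    target: str        # foreign machine the claim is about, e.g. "M"
    suspicion: float   # 0.0 benign .. 1.0 certainly malicious
    assurance: float   # 0.0 no confidence .. 1.0 perfect assurance
    age_s: int = 0     # seconds since the claim was gossiped to us


BLOCK_THRESHOLD = 0.8   # assumed cut-off for asking the firewall to block
MAX_AGE_S = 3600        # assumed: older claims count as stale data and are ignored


def effective_suspicion(r: Report) -> float:
    """Discount a claim by the friend's assurance, clamping both to [0, 1]."""
    s = min(max(r.suspicion, 0.0), 1.0)
    a = min(max(r.assurance, 0.0), 1.0)
    return s * a


def combined_suspicion(reports, target: str) -> float:
    """Noisy-OR of fresh, assurance-weighted claims about one target.

    1 - prod(1 - s_i) is never below the strongest single claim, so a
    perfectly assured high-suspicion friend (B) is not diluted by a
    low-suspicion one (C), while several moderate claims still add up.
    """
    scores = [effective_suspicion(r) for r in reports
              if r.target == target and r.age_s <= MAX_AGE_S]
    if not scores:
        return 0.0
    return 1.0 - prod(1.0 - s for s in scores)


def should_block(reports, target: str) -> bool:
    return combined_suspicion(reports, target) >= BLOCK_THRESHOLD


# Constructed claims mirroring the two slide scenarios.
SCENARIO_B_VS_C = [
    Report("B", "M", suspicion=0.9, assurance=1.0),
    Report("C", "M", suspicion=0.2, assurance=1.0),
]
SCENARIO_ALL_ATTACKED = [
    Report(p, "M", suspicion=0.5, assurance=0.9) for p in ("B", "C", "D", "E")
]
```

A single friend at suspicion 0.5 stays below the threshold; four such friends push M past it, which is the "combined this shows that M is malicious" case.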

Page 16:

Test Plan Summary

Comprehensive test plan meant to ensure quality and promote a high level of system trust.
The plan will involve 4 complementary parts, each of which focuses on a specific method of testing:
Unit Testing - check the functionality of individual function calls.
Use Case Testing - verify that the system works from the user perspective.
Regression Testing - ensures that changes do not reintroduce bugs over time.
Automated Testing

Page 17:

Installation Process

OAM&P Requirements:
- IPTables Linux Kernel module & command-line tool
- IDMEF-compatible Network Detection System (Snort)
- OpenSSL's crypto library
- Bison/Flex parser generator
- Installation
- GNU Toolchain (CMMI)
- Vendor packages
- Configuration File

Peers Constraints

Page 18:

Current Project Status

Function Point Re-calculation

Original Calculation: 26.6 Staff Months

Re-calculated:
• Agent Component: 4.3
• Enforcement Component: 1
• Alert Component: 1.7
• Peer-to-Peer Component: 2.6
• Total for Entire Project: 9.6 Staff Months

Page 19:

Current Project Status (cont.)

The revision was made after the final design and architectural designs were complete. One component was eliminated by integrating its requirements into other components and simplifying the concept.

This simplified the design somewhat and made it easier to engineer, since fewer parameters are passed between each sub-system.

Page 20:

Current Project Status (cont.)

Time Saving Features, COTS, Reuse:
Snort® is an open source network intrusion prevention and detection system.
Syslog is an industry standard protocol, supported in Unix and Linux, used for capturing log information for devices on a network.
Open source XML parser: using libidmef, which parses XML IDMEF (Intrusion Detection Message Exchange Format) messages (using libxml2) sent by the detection systems.

Page 21:

Current Project Status (cont.)

WBS | Task | Resources | % Complete | Start Date | End Date | Predecessor
1 | Project Inception | | | 20-Oct-05 | 23-Nov-05 |
1.1 | Research | All | 100% | 20-Oct-05 | 31-Oct-05 |
1.2 | Requirements Engineering | Gould, Loeser | 100% | 1-Nov-05 | 22-Nov-05 | 2
1.3 | Develop Prototype | Gould, Loeser | 100% | 1-Nov-05 | 22-Nov-05 | 2
1.4 | Requirements Complete | Milestone | | 23-Nov-05 | 23-Nov-05 | 3
2 | Development | | | 12-Dec-05 | 5-May-06 | 5
2.1 | UML Diagrams | Long, Gould | 100% | 12-Dec-05 | 30-Jan-06 |
2.2 | System Architecture Design | Gould | 100% | 19-Dec-05 | 6-Feb-06 |
2.3 | Implementation | | | 7-Feb-06 | 19-Apr-06 | 7,8
2.3.1 | Agent Component | Gould, Vickers | 15% | 7-Feb-06 | 19-Apr-06 |
2.3.2 | Enforcement Component | Morton, Loeser | 15% | 7-Feb-06 | 28-Mar-06 |
2.3.3 | Alert Component | Loeser, Morton | 5% | 16-Feb-06 | 28-Mar-06 |
2.3.4 | Peer-to-Peer Component | Voris, Long | 5% | 21-Feb-06 | 12-Apr-06 |
2.4 | Implementation Complete | Milestone | | 20-Apr-06 | 20-Apr-06 | 9
2.5 | Design/Update Unit and Regression Test | Long | 40% | 7-Feb-06 | 12-Apr-06 | 7,8
2.6 | Testing | Long, Lu, Henriques | 0% | 7-Feb-06 | 5-May-06 | 7,8
2.7 | Documentation | Laquindanum | 10% | 7-Feb-06 | 5-May-06 |
3 | Analysis | | | 15-Nov-05 | 9-May-06 |
3.1 | ICED-T | Lu, Henriques | 50% | 15-Nov-05 | 9-May-06 |
3.2 | QFD | Lu, Henriques | 50% | 15-Nov-05 | 9-May-06 |
4 | Present Presentation and System | Milestone | | 11-May-06 | 11-May-06 | 1,6,18

Page 22:

Current Project Status (cont.)

Page 23:

Current Project Status (cont.)

Risks/Problems encountered since last presentation

Algorithmic Complexity: the system is susceptible to being overwhelmed by alerts.
• If they are coming from the same IP address, it will eventually be blocked, but if there is a great deal of attacks from multiple IP addresses we could run into load problems.

Stale Data

Being able to adequately test all the possible scenarios with a limited number of computers on a limited-size network.

Page 24:

ICED-T

Page 25:

ICED-T (cont.)

Page 26:

ICED-T (cont.)

Page 27:

ICED-T (cont.)

Page 28:

ICED-T (cont.)

Page 29:

QFD

Page 30:

Questions/Comments