LSTR Real-Time Systems Laboratory
INTEGRATED SECURITY MANAGEMENT
Tai M. Chung, Real-Time Systems Lab., Sungkyunkwan University
[email protected]@ece.skku.ac.kr
KNOM-2000, 2000. 12. 12
Talk Outline
- Introduction to ISM and Research Objectives
- Current Integrated Security Management Technologies
  - OPSEC
  - Active Security
  - Common Data Security Architecture
- Integrated Security Management System
  - Architecture of ISMS
  - Features of ISMS
  - Architecture & Detailed Modules of ISMS
- Current Status and Future Development of ISMS
Why ISM?
- Increasing complexity & difficulty of security products
- Diverse security policies for heterogeneous security systems scattered over a wide network
- Increasing risks resulting from human mistakes
- Need for immediate and automated response to various security threats
- Need for a unified human interface for simple management
[Figure: security management spanning VPN, virus check, vulnerability test, IDS, firewall, intrusion tracking, file security, authentication and encryption]
Research Objectives
- Develop a common representation scheme for diverse security policies, with
  - an integrated policy and data management scheme
  - an easy and unified interface for total management
- Prototype a master-agent based integrated security management system that includes
  - a coordinated management model based on the common representation scheme
  - immediate and autonomous response to security threats
  - fault tolerant capability for continuous service
  - a flexible and scalable management architecture
Security System Integration
Trends of ISM: OPSEC, Active Security
Hybrid Integration Model
- Integrate IDS functionality with the firewall: CISCO IOS + Firewall IDS
- The firewall includes IDS functionality for mid-range, high-performance platforms
- Limited to detecting the most significant attacks only
- Acts as an in-line intrusion detection sensor: watches packets and sessions to detect intrusion as well as to apply firewall policy
[Figure: firewall module and IDS module sharing attack signatures, access policies and auditing rules between the Internet and the internal network; on a signature match the intrusion is detected, the connection is blocked, and mail to admin and paging are triggered]
Interoperational Model
- Real-time intrusion blocking: IDS interoperable with the firewall, RealSecure (ISS) + Firewall-1 (Checkpoint)
- When the IDS detects misuse or attacks:
  ① Reconfigure the firewall to block all traffic from the suspicious source
  ② Alert appropriate personnel through the user interface
  ③ Send an SNMP trap to the NMS to record the session information
  ④ Terminate connections if possible
[Figure: Internet, external firewall, DMZ network with a server pool (for public/customer service), IDS and mail server, internal firewall, internal network and NMS; the IDS sends policy configuration messages to the firewalls, an SNMP trap to the NMS, and mail to admin and paging]
OPSEC by Checkpoint
- Open Platform for Security / Open Platform for Secure Enterprise Connection
- Based on the SVN (Secure Virtual Network) environment
  - Goes beyond VPNs for securing all Internet gateways
  - Fine-grain access control for all users
- Provisioning of integration and interoperability to various security products such as VPN-1, Firewall-1, FloodGate-1 and Meta IP, and to OpenView, Tivoli, etc.
OPSEC framework
[Figure: the Check Point Management Console with Account Management and CA at the center of the intranet, connected to policy verification, reporting and analysis, the enterprise management platform (OpenView, Tivoli, etc.), Meta IP address management with user-to-address mapping, a directory server, the VPN-1/Firewall-1 gateway, a content security server, a URL categorization server, VPN-1 SecuRemote/VPN-1 SecuClient and intrusion detection; a remote office reaches the intranet across the Internet through its own VPN-1/Firewall-1 gateway]
OPSEC API overview
- Message based, layered environment
- The OPSEC Transport Layer converts messages into events
- The client locates and initiates the connection to the server
- Servers implement one or more OPSEC security tasks
[Figure: OPSEC client process and OPSEC server process, each built from the OPSEC service API on top of the OPSEC transport API, linked by the OPSEC Transport over TCP, memory or another mechanism]
- The OPSEC client and server process can also be the same process
- The OPSEC Transport Layer links the OPSEC client and server using one of these mechanisms
Life Cycle of an OPSEC Application
- Endless loop (opsec_mainloop): waits for events to occur and processes them
- Events are handled by the OPSEC application
- The OPSEC layer may call user-defined functions to process events
[Figure: program startup, initialization, then the mainloop dispatching asynchronous events #1 and #2 to their respective handlers]
OPSEC Environments
[Figure: machines and processes, each process holding one OPSEC environment; OPSEC entities such as a LEA server, SAM server, LEA client and SAM client live inside environments and are linked to each other by OPSEC sessions]
- A framework for OPSEC applications to communicate
- One OPSEC environment for each OPSEC process
- An OPSEC entity is an instantiation of a specific behavior
OPSEC subcomponents
- CVP (Content Vectoring Protocol): content security
- UFP (URL Filtering Protocol): web resource management
- SAMP (Suspicious Activity Monitoring Protocol): IDS interoperability
- LEA (Log Export API): reporting and event analysis
- ELA (Event Logging API): security and event consolidation
- OMI (OPSEC Management Interface): management and analysis
- UAM (User to Address Mapping API): association between user and IP address
- SAA (Secure Authentication API): integrated authentication
Content Security : CVP
- Outsources some functionality to other content security systems: the buffer is forwarded to a CVP server for inspection
  - Viruses, malicious code
  - Flow out of confidential data
  - Specific URL access
- The CVP client and server know nothing about each other, except that the client knows where to find the server
[Figure: the Firewall-1/VPN-1 CVP client passes the buffer between source and destination through the CVP server; events, API functions and event handler (callback) functions connect the client flow and the server flow]
Content Security : CVP
- CVP applied to detect and cure mail compromised by viruses
- The firewall rule base specifies virus checking and disinfection of mail attachments
- The firewall CVP client contacts the anti-virus server and transfers the file attachment for processing
- The anti-virus content validation server scans for viruses and disinfects the file
- The anti-virus server returns the virus-free file and log information to the firewall
[Figure: Internet mail arriving through the firewall is redirected to a 3rd party anti-virus application server for scan and cure before being delivered to the mail server]
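The CVP mail exchange described above, as an added example that is not part of the original slides or of Check Point's SDK: a toy framed request/response between the firewall's CVP client and an anti-virus content validation server, which scans, disinfects and returns the cleaned attachment with log information. The frame layout, opcodes, verdict codes, signature patterns and function names are constructed assumptions, not the real CVP protocol.

```python
"""Toy model of the CVP exchange on these slides: the firewall's CVP client
forwards a mail attachment to a content validation (anti-virus) server, which
scans, disinfects and returns the cleaned buffer plus log information.
Frame layout, opcodes, verdict codes and signatures are constructed for this
example; they are not the real CVP wire format."""
import struct

# Constructed signature database: byte pattern -> detection name
SIGNATURES = {b"CONSTRUCTED-VIRUS-A": "Sample.Virus.A",
              b"CONSTRUCTED-VIRUS-B": "Sample.Virus.B"}
OP_INSPECT, OP_RESULT = 1, 2
VERDICT_CLEAN, VERDICT_DISINFECTED, VERDICT_REJECT = 0, 1, 2

def pack_frame(opcode, fields):
    """Frame = opcode (1 byte) + field count (1 byte) + [len (4 BE) + bytes]*."""
    body = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return bytes([opcode, len(fields)]) + body

def unpack_frame(frame):
    """Inverse of pack_frame; raises ValueError on a truncated frame."""
    if len(frame) < 2:
        raise ValueError("short frame")
    opcode, count, pos, fields = frame[0], frame[1], 2, []
    for _ in range(count):
        if pos + 4 > len(frame):
            raise ValueError("truncated length")
        (n,) = struct.unpack(">I", frame[pos:pos + 4])
        pos += 4
        if pos + n > len(frame):
            raise ValueError("truncated field")
        fields.append(frame[pos:pos + n])
        pos += n
    return opcode, fields

def scan_and_cure(data):
    """Server-side scan: returns (verdict, cleaned data, detection names)."""
    findings, cleaned = [], data
    for pattern, name in SIGNATURES.items():
        if pattern in cleaned:
            findings.append(name)
            cleaned = cleaned.replace(pattern, b"")   # disinfect by removal
    return (VERDICT_DISINFECTED if findings else VERDICT_CLEAN), cleaned, findings

def cvp_server(request):
    """The server knows nothing about the client: it only parses the frame."""
    try:
        opcode, fields = unpack_frame(request)
        if opcode != OP_INSPECT or len(fields) != 2:
            raise ValueError("unexpected request")
    except ValueError as err:
        return pack_frame(OP_RESULT, [bytes([VERDICT_REJECT]), b"", str(err).encode()])
    filename, data = fields
    verdict, cleaned, findings = scan_and_cure(data)
    log = filename.decode(errors="replace") + ": " + (", ".join(findings) or "clean")
    return pack_frame(OP_RESULT, [bytes([verdict]), cleaned, log.encode()])

def cvp_client(server, filename, data):
    """Firewall side: forward the attachment, return (verdict, cleaned, log)."""
    reply = server(pack_frame(OP_INSPECT, [filename.encode(), data]))
    opcode, fields = unpack_frame(reply)
    if opcode != OP_RESULT or len(fields) != 3:
        raise ValueError("malformed CVP reply")
    return fields[0][0], fields[1], fields[2].decode()
```

The `server` argument stands in for the transport: the client only needs to know where to reach the server, and the server only parses what it receives, so a malformed frame is answered with a reject rather than an exception.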
Web Resource Management : UFP
- Track and monitor web usage
- Categorize and control HTTP communication based on the specific URL address
- Operations
  - The URL client on the firewall passes the URL to the UFP server
  - The URL server returns the classification of the category for the URL
  - The firewall determines the appropriate action in accordance with the security policy related to the category
Intrusion Detection : SAMP
- Intrusion detection by monitoring events
- Active feedback loop integration between the IDS and Firewall/VPN gateways
- The SAMP API enables Firewall-1/VPN-1 to block the connection when an IDS detects suspicious activity on the network or on a specific host
- The SAMP API defines an interface through which an IDS can communicate with a VPN-1/Firewall-1 management server
- The management server directs the VPN-1/Firewall-1 modules to terminate sessions or deny access to those specific hosts
Event Integration : LEA, ELA
- LEA (Log Export API)
  - Enables applications to read the VPN-1/Firewall-1 log database
  - A LEA client can retrieve both real-time and historical log data from the Management Console of the LEA server
  - A reporting application can use the LEA client to process the logged events generated by the VPN-1/Firewall-1 security policy
- ELA (Event Logging API)
  - Used to write to the VPN-1/Firewall-1 log database
  - Enables third party applications to trigger the VPN-1/Firewall-1 alert mechanism for specific events
  - Enables the Management Console to become the central event repository for all traffic events, accounting and analysis
  - With SAMP, applications can track suspicious activity and request VPN-1/Firewall-1 to terminate a malicious activity
Management and Analysis : OMI
- Interface to the central policy database to share objects such as Host, Network, User, Service, Resource, Server, Key, ...
- Ties together different products that may control security policies in different domains
- Enables third party applications to securely access the policy stored in the management server by providing read access to
  - Policies stored in the management server
  - Network objects, services, resources, users, templates, groups and servers defined in the management server
  - The list of all administrators that are allowed to log into the management server
Authentication : SAA
- SAA (Secure Authentication API)
- Supports a wide variety of authentication mechanisms such as biometric devices, challenge-response tokens and passwords
- Passes authentication information to the authentication server
- After authentication, the VPN gateway acquires the user's certificate from the CA server, and then the IPSEC/IKE session is established
[Figure: customers, partners and a remote site running VPN-1 SecuRemote connect across the Internet to the VPN-1 gateway]
OPSEC Framework Partners
- Content Security: Safe gate (Computer Associates), Norton AntiVirus for Firewalls (Symantec)
- Authentication and Authorization: Defend Security Server (Axent Technologies, Inc.), ACE/Server (RSA Security)
- Intrusion Detection: RealSecure (Check Point Technologies, Ltd.), SessionWall-3 (Platinum)
- Event Analysis and Reporting: Firewall HealthCHECK (VeriSign), Web Trends for Firewalls and VPNs (Web Trends)
- Enterprise Directory Servers: IBM SecureWay Directory (IBM), Novell Directory Services (Novell)
- Enterprise Directory Servers: Go! Secure (VeriSign)
Overview of Active Security
- Detection (sensing) device, e.g. a vulnerability scanner proactively scanning the internal network
- Event Orchestra: accepts all alerts, compares them with the security policy and initiates responses
  - Fed the security policy to decide what is important and how to respond
- Actions for security through the Helpdesk, Firewall, Administrator Alerts, etc.
[Figure: the vulnerability scanner feeds the Event Orchestra, which consults the security policy and drives the Helpdesk, the Firewall and Administrator Alerts]
More about Active Security
- The heart of Active Security: Event Orchestra
  - Conducts central event management
  - Standards-based open event management system
  - Centrally collects alerts and other inter-process communications from security products
  - Includes its own data store, but also works with other databases using ODBC
- Current Active Security products
  - sensor: CyberCop Scanner (Windows NT)
  - arbiter: Event Orchestra (Windows NT)
  - actor: Gauntlet firewall (Windows NT / UNIX)
[Figure: sensors watch the network for trouble, arbiters decide what to do when trouble happens, actors take responsive action]
Example of Active Security : CyberCop
- WMI (Windows Management Instrumentation)
  - Describes a standard way of accessing and representing management information in Windows 2000 networks
  - Enables real-time monitoring
  - Enhances interoperability of security applications
[Figure: existing providers (logs, event log, performance monitor, file/print, SQL server, others) and forthcoming providers (anti-virus events, IDS events, firewall events, others) feed the Windows 2000 WMI object manager; the consumers are the Event Orchestra, CyberCop Monitor and the action module]
Active Security Illustration
1. Incoming mail message
2. Redirect mail to the anti-virus server
3. Virus found in message (From: [email protected], To: [email protected])
4. Action: do not accept mail from [email protected]
5. Action: scan all files owned by 'joe'
6. Scan hosts for compliance with the network security policy
7. Unallowed 'finger' service found on Host1
8. Action: shut down the 'finger' service on Host1
[Figure: firewall, network virus protection gateway, network file server, vulnerability scanner and Host1 arranged around the Event Orchestra; S marks sensor agents and A marks actor agents]
What is CDSA?
- The open, cross-platform, interoperable, extensible and exportable security infrastructure
  - Specification and reference implementation
  - Adopted by The Open Group in November 1997
  - "Mature" code base from Intel, widely reviewed by industry
- A robust security building block for eBusiness software solutions
  - Enables interoperability for security apps and services
  - Allows developers to focus on application expertise
CDSA Design Goals
- Create an open, interoperable, cross-platform security infrastructure
- Support use and management of the fundamental elements of security:
  - Certificates, trust, cryptography, integrity
  - Authentication, authorization
- Make it extensible above and below
  - Embrace emerging technologies
  - Plug-and-play service provider model
  - Extend to new services
- Layered service provider model
CDSA Architecture
[Figure: four layers, top to bottom: Applications; Layered Security Services; the Common Security Services Manager, exposing the CSSM Security API above and the Service Provider Interfaces below; Security Service Add-in Modules]
- CDSA defines a four-layer architecture for cross-platform, high-level security services
- CSSM defines a common API / SPI for security services & an integrity foundation
- Service providers implement selectable security services
Structure of ISMS
[Figure: the ISMS engine, backed by a central policy database (DBMS), serves a web client and manages agents in networks A, B and C over SNMP; each agent applies the security management policy to its firewall, IDS or VPN]
Features of ISMS
- Integrated policy management
  - Maintains a logical security domain for consistent security management
  - Applies access control policy automatically by deploying the blacklist to agents
- Automated response to threats
  - Automatic policy integrity check at the management server
  - Removes potential risks resulting from human mistakes by autonomous operation and by integrity checking
- Notification through a unified user interface
  - Integrated view for security management through the web interface
  - Statistical information based on collected information
- Fault tolerant security management
  - Records all security related events through central logging
  - Simple policy recovery and backup through central policy management
- Scalability and flexibility using the master-agent paradigm
  - No modification to the management engine
Detailed ISMS architecture
[Figure: the central security management server (message communication module, message analyzing module, user authentication module, policy processing module, session management module, log management module, configuration management module, DBMS interface and DBMS proxy to the security management DBMS (SMDB), plus log file and configuration file) talks over Secure TCP to the security management client (message communication module, notification message processing module, display module with policy, configuration, monitoring, status, log and notification UIMs) and over Secure UDP to the security management agent (management message communication module, message analyzing module, state monitoring module, security system control module, notification processing module, configuration management module, log management module, log file and configuration file), which controls the security product]
Detailed ISMS Engine
[Figure: the ISMS server hosts the ISMS engine (ISMS MIB, communication module, SNMP communication module, user, policy, agent and request mapping tables in the DBMS, data processing modules, user request processing modules, and a log manager with engine and agent log files) and a web server (HTTPD, Java applet, HTML pages); the manager (ISMS client) runs the downloaded Java applet over HTTP on TCP/IP; firewall agents, an IDS agent and agents for other security products connect over SNMP]
- Client (Java applet), engine (Solaris), agent (Solaris, LINUX, FreeBSD)
- Uses the standard management protocol (SNMP) for extensibility and scalability
- The ISMS engine manages policies, processes user requests, notifies events, collects information from agents and manages log data
Integrated policy management
[Figure: the security management client sends policy updates/action commands to the central security management server, which keeps the security management policy in the primary SMDB (synchronized with a secondary SMDB through DBMS proxies, with backup/restore) and distributes or recovers policy to the security management agents for IDS, firewall and VPN, each holding the security policy for its own product]
Automated Response to threats
[Figure: the IDS detects a suspicious action; its security management agent notifies the central security management server, which records the events in the log and, according to the response policy for the specific event (automatic response), sends a policy update/action command to the security management agent for the firewall/VPN, which replies with the result]
Notification for human operation
[Figure: the IDS detects a suspicious action; its security management agent notifies the central security management server, which records the events and, according to the response policy for the specific event (notify manager/wait for command), notifies the security manager through the security management client; the manager's policy update/action command is forwarded to the security management agent for the firewall/VPN, which replies with the result]
Logical secure domain maintenance
[Figure: users register with the central security management server; domain user information is stored in the SMDB through the DBMS proxy and distributed to the security management client, to applications with authentication capability, and to the security management agents for the VPN (secure communication) and the firewall (access control), which together enforce the secure domain]
Blacklist management
[Figure: suspicious subject information from the security management agents for the firewall, VPN and IDS (each with its log) drives automatic blacklist updates at the central security management server, and the security management client can make manual blacklist updates; the blacklist is kept in the SMDB through the DBMS proxy and pushed back to the agents as blacklist information or a policy update]
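The response path of the automated-response, notification and blacklist-management slides above (the same IDS-to-firewall feedback loop the interoperational model and SAMP describe), as an added example that is not part of the original slides or the ISMS prototype: an IDS agent notifies the central server, the server applies the response policy for that event kind and either pushes a blacklist update to every agent automatically or holds the event for the security manager's command. Event kinds, agent names, the "auto"/"notify" policy values and the per-product rule formats are constructed assumptions.

```python
"""ISMS response path modelled from the slides: an IDS agent notifies the
central server, the server applies the response policy for the event and
either pushes a blacklist update to the firewall/VPN agents (automatic) or
waits for the security manager's command. Names and formats are constructed."""
from dataclasses import dataclass, field

@dataclass
class Event:
    agent: str    # reporting agent, e.g. "ids-agent"
    kind: str     # event type, the key into the response policy
    source: str   # suspicious subject (IP address reported by the IDS)

class FirewallAgent:
    name = "fw-agent"
    def __init__(self):
        self.rules = []
    def apply_blacklist(self, entries):   # common list -> firewall deny rules
        self.rules = [f"deny ip from {ip} to any" for ip in entries]
        return "ok"

class VpnAgent:
    name = "vpn-agent"
    def __init__(self):
        self.refused = set()
    def apply_blacklist(self, entries):   # common list -> refused VPN peers
        self.refused = set(entries)
        return "ok"

@dataclass
class CentralServer:
    response_policy: dict                          # kind -> "auto" | "notify"
    agents: dict = field(default_factory=dict)     # name -> agent
    blacklist: set = field(default_factory=set)
    pending: list = field(default_factory=list)    # waiting for the manager
    log: list = field(default_factory=list)        # central event log
    def handle(self, ev):
        """Agent notification entry point; returns the action taken."""
        self.log.append(("event", ev.agent, ev.kind, ev.source))
        mode = self.response_policy.get(ev.kind, "notify")  # unknown -> human
        if mode == "auto":
            return self.update_blacklist(ev.source, reason=ev.kind)
        self.pending.append(ev)
        return "notified-manager"
    def manager_command(self, ev, approve):
        """Manual blacklist update or dismissal by the security manager."""
        self.pending.remove(ev)
        if not approve:
            return "dismissed"
        return self.update_blacklist(ev.source, reason="manual")

    def update_blacklist(self, source, reason):
        if source in self.blacklist:
            return "already-blacklisted"
        self.blacklist.add(source)
        # policy distribution: every registered agent receives the same list
        results = {n: a.apply_blacklist(sorted(self.blacklist))
                   for n, a in self.agents.items()}
        self.log.append(("blacklist", source, reason, results))
        return "blocked"

def demo():
    """Constructed scenario: one automatic and one manual response."""
    agents = {a.name: a for a in (FirewallAgent(), VpnAgent())}
    srv = CentralServer({"port-scan": "auto", "policy-violation": "notify"}, agents)
    r1 = srv.handle(Event("ids-agent", "port-scan", "192.0.2.10"))
    ev2 = Event("ids-agent", "policy-violation", "192.0.2.20")
    r2 = srv.handle(ev2)
    r3 = srv.manager_command(ev2, approve=True)
    return srv, (r1, r2, r3)
```

An event kind with no entry in the response policy falls back to the notify path, so a new or unexpected alert never triggers an unreviewed block.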
ISMS Deployment Structure
[Figure: the ISMS engine sits behind the external firewall and offers web-based security management to the web client; internal firewalls 1 and 2 protect internal networks 1, 2 and 3, which host the virus scanner, access control and IDS; user's requests, control messages, request/result exchanges and policy updates flow between the engine and the security products]
Summary
- Increasing need for integrated security management
  - Easy and unified user interface
  - Integrated policy management
- Currently integrated security management is a hot issue
  - Checkpoint (OPSEC), Network Associates (Active Security) and Intel (CDSA) develop standards and prototypes
  - They are still under development; CDSA is publicly available
- We have been working on
  - Designing an integrated model to manage various security products
  - Developing a prototype system with one view and a total security concept