
Page 1

Network Security and Information Assurance: a broad brush

A Discussion of Firewalls, Intrusion Detection Systems, Encryption, and the Common Criteria for evaluating Information Assurance Products

Robert Neal Smith Ph.D., r.n.smith@ieee.org

Page 2

[email protected] 2 IEEE Phoenix Section Computer Society Chapter Feb 27, 2003

Order of Presentation

! Introduction
! Firewalls
! Intrusion Detection Systems
! Encryption
! Common Criteria
! Questions

Page 3

Introduction

! Firewalls block or allow selected traffic based on various parameters (typically IP address, TCP or UDP port number).

! Intrusion Detection Systems involve scanning traffic on a network or within a host to determine if an intruder is present.

! Encryption systems involve the distribution of the keys used by the encryption algorithm for the encryption/decryption of messages and data (algorithms, keys, key management).

! Common Criteria is the standardization of testing methods for proving that information technology systems have security.

Page 4

What makes an application secure?

Page 5

Security

! Privacy / Confidentiality (supported by encryption and firewalls)
! Integrity (supported by signatures)
! Authentication
! Non-Repudiation (supported by signatures)
! Denial of Service (protection supported by firewalls)

Page 6

Before we begin: R U Familiar with...

! Sapphire (aka SQL Slammer)
– What could have been done?
• Patches to the application
• Firewall policy to block UDP from selected addresses on port 1428
• Intrusion detection of UDP traffic on port 1428 and a search for the signature
• Encryption and signatures of user communications
• Better requirements and testing of the application to prevent security holes
• Know who is connecting to your network

Page 7

FIREWALL

Page 8

Firewall

! Firewalls (or Internet interface proxies) may be used to provide a secure interface to the Internet.
– Firewall blocks or allows traffic
– Proxy filters application traffic and provides address translation
• The main proxies are the web interface proxies
– Providing filtering on the normal TCP port 80

Page 9

Firewall Techniques

! Policy Based
– (based on your security policy)
! Address Filter
– Allow or disallow

Page 10

Firewall Functions

! Block selected traffic
– Security policy
• Address,
• Port,
• Protocol,
• Service,
• Direction, and
• User.
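As an added example (not from the slides), a first-match packet filter that expresses a security policy in the six parameters listed above: address, port, protocol, service, direction and user. The subnets, policy and packets are constructed; the rule blocking inbound UDP to port 1434 is the kind of Slammer response the deck discusses, using the port that appears in its Snort signature.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str              # "inbound" or "outbound", relative to the protected network
    protocol: str               # "tcp" or "udp"
    src: str                    # source IP address
    dst: str                    # destination IP address
    dport: int                  # destination port
    user: Optional[str] = None  # authenticated user, when the firewall knows one


@dataclass(frozen=True)
class Rule:
    """One policy line; a field left as None matches anything."""
    action: str                       # "allow" or "block"
    direction: Optional[str] = None
    protocol: Optional[str] = None
    src: Optional[str] = None         # CIDR network
    dst: Optional[str] = None         # CIDR network
    dport: Optional[int] = None
    service: Optional[str] = None     # human-readable label for the port (documentation only)
    user: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.user is not None and self.user != pkt.user:
            return False
        for net, addr in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if net is not None and ipaddress.ip_address(addr) not in ipaddress.ip_network(net):
                return False
        return True


# Constructed policy (assumed subnets: 10.0.0.0/8 internal, 10.10.0.0/24 management,
# 192.0.2.10 a DMZ web server). Rules are tried top to bottom; the first match decides,
# and a packet that matches nothing is blocked (deny by default).
POLICY = (
    # Drop inbound UDP to the SQL Server Resolution Service port from any address:
    # the firewall-policy response to Slammer, using the port in the deck's Snort signature.
    Rule("block", direction="inbound", protocol="udp", dport=1434, service="ms-sql-m"),
    # Only the DBA, from the management subnet, may reach the SQL Server TCP port.
    Rule("allow", direction="inbound", protocol="tcp", src="10.10.0.0/24", dport=1433,
         service="ms-sql-s", user="dba"),
    # Public web traffic to the DMZ web server.
    Rule("allow", direction="inbound", protocol="tcp", dst="192.0.2.10/32", dport=80, service="http"),
    # Web browsing from the internal network outwards.
    Rule("allow", direction="outbound", protocol="tcp", src="10.0.0.0/8", dport=80, service="http"),
)


def decide(pkt: Packet, policy=POLICY) -> str:
    """Return "allow" or "block" for pkt under first-match semantics with a default of block."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return "block"


def explain(pkt: Packet, policy=POLICY) -> str:
    """Describe which rule decided the packet, which is what an audit log would record."""
    for index, rule in enumerate(policy, start=1):
        if rule.matches(pkt):
            return f"rule {index}: {rule.action}"
    return "default: block"
```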

Page 11

Firewall Model Background

[Figure: firewall model regions, from Fully Blocked Region through Partially Blocked and Partially Enabled to Fully Enabled Region]

Page 12

Popular Products

! PIX by Cisco (Ver 6.0)

! Firewall-1 by Checkpoint (http://www.checkpoint.com)

! NetWall by Evidian Inc (www.evidian.com)

Page 13

Home Use Firewall

! Norton
! McAfee

Page 14

ENCRYPTION

Page 15

Encryption (ref: Applied Cryptography by Bruce Schneier)

! Algorithm
– Symmetric (key distribution is difficult) (DES, BLOWFISH, RC3, etc.)
– Asymmetric (2 parts: private and public parts) (RSA, DSA)
– Digital Signatures (one-way hash function)
– Certificates
! The Key
– 56 bits
– Elliptical
! Key Management
– Firefly
– PKI (Public Key Infrastructure) (key must be 7 times longer for equivalent 56 bit RSA encryption), evolving into a very complex hierarchy
– X.509 Certificates (trust someone)

Page 16

Application of Encryption

! Link Layer Encryption
– Voice and
– Data (1970's ARPA)
– KG-15, KG-30, ...
– TACLANE (ATM)
! Application
– Kerberos
– Secure Sockets Layer
– Secure Telnet

Page 17

PC Disk and Application Security

! Secret Agent
– SecretAgent® is the premier file encryption and digital signature utility, supporting cross-platform interoperability over a wide range of Windows- and UNIX-based systems. ($50)
– Information Security Corp (ISC) www.infoseccorp.com
! SpyProof
– automatically encrypts all data blocks written to it and then transparently decrypts them for any application
– Information Security Corp (ISC) www.infoseccorp.com

Page 18

Secure Sockets Layer

! Public Key
! Private Key
! Session (secret key)
! Only as secure as
– the length and privacy of the KEY.
– <Fill in the line>

Page 19

Intrusion Detection Systems

Page 20

IDS Categories

! Network based
! Host based

Page 21

IDS Techniques

! Artificial Immune System [7]
! Control-Loop Measurement [8]
! Data Mining [9]
! Statistical [24]
! Signature-Based (Rule-Based [25]).

Page 22

Problem Lists / Databases

! bugtraq (since 1993)
– http://www.securityfocus.com/
– http://online.securityfocus.com/archive/1
– A description of bugs / events
! Common Vulnerabilities and Exposures (CVE) (since 1999)
– http://www.cve.mitre.org/compatible/enterprise.html
– http://www.cve.mitre.org/cve/
– A dictionary, not a database
! WhiteHat
– In Jail

Page 23

Slammer Signature

! http://www.snort.org/snort-db/sid.html?sid=2003
! Signature/Rule
– alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; classtype:misc-attack; reference:bugtraq,5311; reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;)
– Literal meaning: any UDP from an external IP to a home IP at port 1434
• If the first payload byte is hex 04 and you see hex 81 F1 03 01 04 9B 81 F1 01 and "sock" and "send"
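To show how a signature-based IDS applies the rule above, here is an added example (not from the slides and not Snort's own code) that evaluates the sid:2003 match conditions against UDP datagrams. It assumes $HOME_NET is 10.0.0.0/8 and $EXTERNAL_NET is everything else; the datagrams at the end are constructed samples, not captures.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

HOME_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed value of $HOME_NET


@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    protocol: str = "udp"


# The rule's content options, in order. A depth of N means the pattern must lie entirely
# within the first N bytes of the payload; None means anywhere in the payload (Snort 2
# content matches are absolute unless distance/within make them relative).
SID2003_CONTENTS = (
    (b"\x04", 1),                                          # content:"|04|"; depth:1
    (bytes.fromhex("81 F1 03 01 04 9B 81 F1 01"), None),   # content:"|81 F1 03 01 04 9B 81 F1 01|"
    (b"sock", None),                                       # content:"sock"
    (b"send", None),                                       # content:"send"
)
SID2003_MSG = "MS-SQL Worm propagation attempt"


def header_matches(d: Datagram) -> bool:
    """The rule header: udp $EXTERNAL_NET any -> $HOME_NET 1434."""
    src, dst = ipaddress.ip_address(d.src), ipaddress.ip_address(d.dst)
    return (d.protocol == "udp"
            and src not in HOME_NET        # $EXTERNAL_NET taken as !$HOME_NET
            and dst in HOME_NET
            and d.dport == 1434)


def payload_matches(payload: bytes, contents=SID2003_CONTENTS) -> bool:
    """Every content pattern must be present, each within its depth limit."""
    for pattern, depth in contents:
        region = payload if depth is None else payload[:depth]
        if pattern not in region:
            return False
    return True


def evaluate(d: Datagram) -> Optional[str]:
    """Return the alert message if the datagram triggers sid:2003, otherwise None."""
    if header_matches(d) and payload_matches(d.payload):
        return SID2003_MSG
    return None


# Constructed sample datagrams.
# Carries all four contents with 0x04 as the first byte: the rule fires.
WORM_LIKE = Datagram("203.0.113.9", 40000, "10.1.2.3", 1434,
                     b"\x04" + b"\x01" * 16 + bytes.fromhex("81F10301049B81F101")
                     + b"\x00...sock...send...")
# Ordinary SQL Server Resolution Service instance lookup: leading 0x04 but nothing else.
INSTANCE_LOOKUP = Datagram("203.0.113.9", 40001, "10.1.2.3", 1434, b"\x04MSSQLSERVER\x00")
# Same contents, but 0x04 is no longer the first byte, so depth:1 fails.
SHIFTED = Datagram("203.0.113.9", 40002, "10.1.2.3", 1434, b"\x00" + WORM_LIKE.payload)
# Same payload between two internal hosts: the $EXTERNAL_NET header condition fails.
INTERNAL = Datagram("10.5.5.5", 40003, "10.1.2.3", 1434, WORM_LIKE.payload)
```

Note that the INTERNAL case is exactly the blind spot of a perimeter-only sensor: a host already infected inside $HOME_NET spreading to its neighbours never matches this header, which is why the deck also asks you to know who is connecting to your network.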

Page 24

CVE Candidate (CAN)

! CAN-2000-1209
– The "sa" account is installed with a default null password on (1) Microsoft SQL Server 2000, (2) SQL Server 7.0, and (3) Data Engine (MSDE) 1.0, including third party packages that use these products such as (4) Tumbleweed Secure Mail (MMS) (5) Compaq Insight Manager, and (6) Visio 2000, are installed with a default "sa" account with a null password, which allows remote attackers to gain privileges, including worms such as Voyager Alpha Force and Spida.

Page 25

CVE Candidate

! CAN-2002-0649
– Multiple buffer overflows in SQL Server 2000 Resolution Service allow remote attackers to cause a denial of service or execute arbitrary code via UDP packets to port 1434 in which (1) a 0x04 byte causes the SQL Monitor thread to generate a long registry key name, or (2) a 0x08 byte with a long string causes heap corruption.

Page 26

BugTraq (Sample)

! SQL Sapphire Worm Analysis

! Release Date: 1/25/03

! Severity: High

! Systems Affected: Microsoft SQL Server 2000 pre SP 2

! Description: Late Friday, January 24, 2003 we became aware of a new SQL worm spreading quickly across various networks around the world.

! The worm is spreading using a buffer overflow to exploit a flaw in Microsoft SQL Server 2000. The SQL 2000 server flaw was discovered in July, 2002 by Next Generation Security Software Ltd. The buffer overflow exists because of the way SQL improperly handles data sent to its Microsoft SQL Monitor port.

Page 27

Monitor / Search Techniques

! User behavior
! Network traffic
– Pattern match

Page 28

Popular Products

! Real Secure (Ver 6.0) (www.iss.net)
– <$5k
– Related Products
• Black ICE ($49.00)
! NFR Security (Ver 5.0) (www.nfr.com)
– <$5k
! SNORT (Ver 1.9.0) (http://www.snort.org)
– free software
! Tripwire (http://www.tripwire.com)
! Cisco Secure IDS ()

Page 29

Home Use IDSs

! Black Ice
! Norton
! Snort
! may not be compatible with other products

Page 30

Common Criteria

Page 31

Common Criteria (http://www.commoncriteria.org/)

! Managed by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) (heading towards commercialization)

! Commercialized/Privatized/Nationalized

! Common Criteria is IT security evaluation

Page 32

Creation of CC

! National Institute of Standards and Technology (NIST)
! National Security Agency (NSA)
– National Information Assurance Partnership (NIAP)
• NIAP Common Criteria Evaluation and Validation Scheme for IT Security

Page 33

Common Criteria

! Standards
! Training
! Tools
! Common Criteria
– Part 1, Introduction and general model
– Part 2, Security functional requirements
– Part 3, Security assurance requirements
! Common Evaluation Methodology
– CEM Version 1.0 Part 2,

Page 34

Very Brief Overview of CC

! Common Terms
– TOE - Target of Evaluation
– Evaluation Assurance Level (EAL)
– Protection Profile (PP): requirements of the TOE; an implementation-independent set of security requirements
– Security Target (ST): the TOE's implementation-dependent requirements are contained in a construct termed the Security Target (ST).

Page 35

CC Documents

! Part 1: Introduction and General Model
! Part 2: Security functional components
! Part 3: EALs and Security assurance components

Page 36

How to Use CC Documents (Consumers, Developers, Evaluators)

Part 1: Introduction and General Model
– Consumers: For background information and reference purposes
– Developers: For background information and reference for the development of requirements and formulating security specifications for TOEs
– Evaluators: For background information and reference purposes. Guidance structure for PPs and STs

Part 2: Security Functional Requirements
– Consumers: For guidance and reference when formulating statements of requirements for security functions
– Developers: For reference when interpreting statements of requirements and formulating functional specifications of TOEs
– Evaluators: Mandatory statement of evaluation criteria when determining whether the TOE effectively meets claimed security functions

Part 3: Security Assurance Requirements
– Consumers: For guidance when determining required levels of assurance
– Developers: For reference when interpreting statements of assurance requirements and determining assurance approaches of TOEs
– Evaluators: Mandatory statement of evaluation criteria when determining the assurance of TOEs and when evaluating PPs and STs

Page 37

Common Criteria

! The CC, or more precisely the Common Criteria for Information Technology Security Evaluation, version 2.1 [CC99-P1, CC99-P2, and CC99-P3].

! The CC provides extensive flexibility in selecting components to satisfy security objectives.

Page 38

CC Requirements Construction

! Classes
– the most general grouping of security requirements.
! Families
– a grouping of sets of security requirements that share security objectives
! Components
– a specific set of security requirements
! Package
– an intermediate combination of components

Page 39

Evaluation Assurance Levels (EALs)

! an increasing scale that balances the level of assurance obtained with the cost and feasibility of acquiring that degree of assurance.

! EAL 1 through 7
– Typical Windows 2000 is rated EAL 4+

Page 40

More on Common Criteria

– The Common Criteria (CC) provides a grammar for describing Information Technology (IT) system security.

• The CC is a language you can use to describe IT product and system security requirements or specifications.

– The Common Criteria (CC) Toolbox provides an automated process for identifying Information Technology (IT) security requirements

– Use the Users Guide, Touring the CC Toolbox, and Reference Manual together.

Page 41

CC ToolBox

! The CC Toolbox helps you to write a PP
! Download from the National Information Assurance Partnership (NIAP) website (http://niap.nist.gov/tools/cctool.html).
! NIAP provides a database of security engineering information.
– CC Profiling Knowledge Base.

Page 42

Products Tested by NIST

[Table: product categories grouped under four headings: Defend the Network and Infrastructure; Defend the Enclave Boundary; Defend the Computing Environment; Supporting the Infrastructure (PKI, Detect, Mgmt). Categories listed include Switches & Routers, Firewalls, Operating Systems, Network Mgmt, Routers, VPNs, Biometrics, Certificate Management, WLANS, Remote Access, Secure Messaging, Key Recovery, Mobile Code, Tokens, Smart Cards, Multiple Domain Solutions, Single-Level Web Servers, PKI/KMI, Guards, Sensitive Data Protection, IDS, Trusted DBMS, PC Access Control, Peripheral Switch, and Misc.]

Page 43

Product Information

! Product Name
! Manufacturer
! Conformance Claim
! Validation Date
! CC Scheme

Page 44

The CC Toolbox helps you do the following:

! Describe the assumptions, policies, and threats that make up the TOE security environment.

! Capture security objectives to counter threats and satisfy policies and assumptions for the TOE and its environment.

! Identify relevant CC components to satisfy an objective and incorporate them into your PP or ST.

! Apply CC operations (i.e., assignment, iteration, refinement, and selection) to tailor CC components into requirements.

! Select an Evaluation Assurance Level (EAL).

! Manage mappings that relate the TOE security environment to the security objectives and relate security objectives to requirements.

! Build rationale arguments required by the CC.

! Manage details of identification, component dependencies.

Page 45

CC Reports

! Protection Profile (PP) Report, helps specify your IT security requirements (PP requirements called security objectives) using CC terminology

! Security Target (ST) Report, which helps vendors indicate the security objectives that a particular product meets, also using CC terminology

Page 46

CC Tool Steps for PP

! Protection Profile (PP) steps supported by CC Tool include:
– Identifying TOE Security Environment (Environment Interview[R]).
– Specifying TOE Security Environment (Context[R]).
– Selecting Evaluation Assurance Level (EAL[R]).
– Identifying Applicable CC Components (Component Interview[R]).
– Allocating CC Components (Allocation[R]).
– Clarifying CC Components (Elaboration[R]).
– Completing Draft Report (Report[R]).

Page 47

CC Component

! A CC component is the smallest selectable set of security requirements

Page 48

CC Tool Steps for ST

! ST Steps are as follows:
– Identifying Applicable CC Components (Component Interview[R]).
– Selecting Evaluation Assurance Level (EAL[R]).
– Identifying TOE Security Environment (Environment Interview[R]).
– Specifying TOE Security Environment (Context[R]).
– Allocating CC Components (Allocation[R]).
– Clarifying CC Components (Elaboration[R]).
– Completing Draft Report (Report[R]).

Page 49

Tool Knowledge Base (Grows)

! The Knowledge Base contains sample policy, threat, and assumption statements that you can use to describe the TOE security environment.

Page 50

The CC Tool

! Requires Java 1.3

Page 51

Questions

Page 52

Security Training

! SANS (SysAdmin, Audit, Network, Security) Institute
– http://www.sans.org
– Since 1989
– GIAC (Global Information Assurance Certification) in 1999
! Common Criteria
– NIAP (using the tools)
! Certificates
– Master Certificate in Computer Security WWW.ITI.EDU
– System and Network Security Certificate Program WWW.ITI.EDU
! NIST
– http://csrc.nist.gov/ATE/te_full.html#build

Page 53

References

! Common Criteria for Information Technology Security Evaluation (CC 2.1) is a revision that aligns it with International Standard ISO/IEC 15408:1999.

Page 54

Web References

! https://www.trusecure.com
! http://www.iss.net

Page 55

Examples of Common Criteria

! Smart Card
! Windows 2000

Page 56

Acronym/Glossary

! Common Criteria Testing Laboratory (CCTL)
! security target (ST)
! Information Technology (IT)
! target of evaluation (TOE)
! Information Assurance (IA)

Page 57

Web Links

! http://niap.nist.gov/cc-scheme
! http://commoncriteria.org
! http://niap.nist.gov/

Page 58

The Primary Documents

! http://commoncriteria.org/docs/PDF/CCPART1V21.PDF

! http://commoncriteria.org/docs/PDF/CCPART2V21.PDF

! http://commoncriteria.org/docs/PDF/CCPART3V21.PDF


Related Papers

! Smith, R. N. and S. Bhattacharya, 1997, “Firewall Placement In A Large Network Topology,” IEEE FTDCS’97

! Smith, R. N. and S. Bhattacharya, 1998, “Fault and Leak Tolerance in Firewall Engineering,” IEEE HASE’98

! Smith, R. N. and S. Bhattacharya, 1998, “A Protocol and Simulation for Distributed Communicating Firewalls,” IEEE COMPSAC’99

! Smith, R. N. and S. Bhattacharya, 1999, “Operating Firewalls Outside the LAN Perimeter,” IEEE IPCCC’99.


Related Papers (continued)

! Smith, R. N. and S. Bhattacharya, 1999, “Distributed Firewall Protocol, With Simulation and Emulation Tool in Java,” Motorola Inc., SMS’99

! Smith, R. N., R. Feigen, and S. Bhattacharya, 2000, “Securing Communications in an Enterprise Network of LAN and or WAN by Utilizing an Enhanced Encrypting Network Interface Card and Associated Software,” Motorola Inc., Technical Developments, 2000

! Smith, R. N., and S. Bhattacharya, 2003, “Cascade of Distributed and Cooperating Firewalls in a Secure Data Network,” IEEE Transactions on Knowledge and Data Engineering, Vol. 15, No. 4, July/August 2003


Distributed and Communicating Gateway Firewalls (a system of)

! A system of distributed communicating gateways with a firewall incorporated in each distributed node (DCGFW)


Architecture Topology

[Figure: network topology with Attacker, Attackee and Scout nodes. Legend: untrusted node, trusted node, scout to monitor traffic. Nodes are grouped in rings labelled k=1, k=2, k=3 and k=4.]


The LAN Node (the main node)

! CGFW manager
! CGFW aware gateway
! Filter commands
! Activation heuristics.


Naïve Activation

! Set 1 CGFW active
  – At the LAN or
  – At the attacker CGFW


Ring Heuristic

[Figure: ring heuristic. Two rows of sixteen CGFW nodes, numbered 1 to 16 and lettered a to p, one row starting at the Attacker and one at the Attackee.]


Path Heuristic (Shortest Path)

! Smallest number of hops

! Smallest delay


Shortest Path

[Figure: shortest-path topology. Legend: Un-Trusted CGFW Nodes, CGFW Scout Nodes, Shortest Path(s). The Attacker and the Attackee (LAN firewall) are connected through CGFW nodes in rings k=1 to k=4; each CGFW node is marked as either On Shortest Path or Not On Shortest Path.]
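As an added example (not from the slides or the author's tools), a small Python model of the two activation heuristics: the ring heuristic selects the CGFW nodes exactly k hops from the attackee, and the path heuristic selects the CGFW nodes on the attacker-to-attackee shortest path, by hop count or by link delay. The topology, node names and link delays are constructed for illustration.

```python
import heapq
from collections import deque

# Constructed topology (not from the slides): node -> {neighbour: link delay}.
# "atk" is the attacker's CGFW node, "lan" is the attackee (the LAN firewall).
TOPOLOGY = {
    "atk": {"a": 1, "b": 2},
    "a": {"atk": 1, "c": 10, "d": 1},
    "b": {"atk": 2, "d": 1},
    "c": {"a": 10, "lan": 1},
    "d": {"a": 1, "b": 1, "e": 1},
    "e": {"d": 1, "lan": 1},
    "lan": {"c": 1, "e": 1},
}

def ring_activation(graph, attackee, k):
    """Ring heuristic: activate every CGFW node exactly k hops from the attackee."""
    dist = {attackee: 0}
    queue = deque([attackee])
    while queue:  # breadth-first search gives hop distances from the attackee
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return {n for n, d in dist.items() if d == k}

def shortest_path(graph, src, dst, metric="hops"):
    """Dijkstra by hop count ("hops") or link delay ("delay"); graph assumed connected."""
    cost, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        c, node = heapq.heappop(heap)
        if c > cost[node]:
            continue  # stale heap entry, a cheaper route was already found
        if node == dst:
            break
        for nxt, delay in graph[node].items():
            new_cost = c + (1 if metric == "hops" else delay)
            if new_cost < cost.get(nxt, float("inf")):
                cost[nxt], prev[nxt] = new_cost, node
                heapq.heappush(heap, (new_cost, nxt))
    path = [dst]
    while path[-1] != src:  # walk the predecessor chain back to the source
        path.append(prev[path[-1]])
    return path[::-1]

def path_activation(graph, attacker, attackee, metric="hops"):
    """Path heuristic: activate the CGFW nodes on the shortest path, endpoints excluded."""
    return set(shortest_path(graph, attacker, attackee, metric)[1:-1])
```

With this topology the hop-count path runs through the slow 10-unit link (activating a and c), while the delay metric routes around it and activates a, d and e instead.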


Scouting of other CGFW agents

! Scout benefits
  – Distributed denial of service
  – Accounts for address spoofing.


Architecture Topology

[Figure: network topology with Attacker and Attackee nodes. Legend: untrusted node, trusted node.]