secure network design: new directions

Secure Network Design: New Directions Sumit Ghosh Hattrick Endowed Chaired Professor of Information Systems Engineering Department of Electrical & Computer Engineering Stevens Institute of Technology, Hoboken, NJ 07030 E-mail: [email protected] Manifestation Des Jeunes Chercheurs Stic (MAJECSTIC) Conference 2003 Marseille, France October 29-31, 2003


Page 1: Secure Network Design: New Directions

Secure Network Design: New Directions

Sumit Ghosh

Hattrick Endowed Chaired Professor of Information Systems Engineering

Department of Electrical & Computer Engineering

Stevens Institute of Technology, Hoboken, NJ 07030

E-mail: [email protected]

Manifestation Des Jeunes Chercheurs Stic (MAJECSTIC) Conference 2003

Marseille, France

October 29-31, 2003

Page 2: Secure Network Design: New Directions

What are Networks?

• Networks transport material or messages in electromagnetic (EM) form

• Increasingly networks carrying EM messages are gaining importance

• Messages represent

1. Information

2. Control

• Fundamental elements of networks

1. Networking nodes providing computational intelligence

2. Links representing medium of transport

3. Control algorithms – unseen hand that makes networks work correctly

Page 3: Secure Network Design: New Directions

Why are Networks Important?

• Increasingly, civilization evolving from matter-based to abstract (cyber-based)

• All systems steadily evolving towards networked computational systems

• Networks underlie all systems and are therefore indispensable

• Networked systems parallel human civilization

1. Idea originates in an individual(s) and processed by the brain

2. Exchanged among different individuals and further processed

3. Eventually develops into a whole new product, solution, organization

• Networked systems bring unique characteristics

1. Extremely fast processing and transport

2. Vast geographical coverage

3. Simultaneously reaches many many individuals

Page 4: Secure Network Design: New Directions

Why is Security of a Network Important?

• Packets are encrypted, so how can they be vulnerable?

• First, fundamental weakness is finite distance between source and destination

1. Millions of miles in space, or

2. Few millimeters in a VLSI chip

• Packets exposed, not accompanied by either source or destination

• Second, fundamentally, networks are shared; therefore:

– Need to protect a user’s process from all other users’ processes

– Need to protect a user from network components, gone haywire

– Need to protect network elements from users’ processes

• Damage -- accidental (rm *.* in unix), intentional (malicious)

• Therefore, study of network security is here to stay

– It is not a here-today-gone-tomorrow type topic

– It is a very serious issue

Page 5: Secure Network Design: New Directions

Why is Security of a Network Node Important?

• Networking node provides all intelligence, including authentication, etc.

• Vulnerability from viruses and intrusions

• All data and information are susceptible

• If a perpetrator gains control, every activity can be misdirected

• A fundamental challenge

1. Login procedure is fundamental – authenticates user and system

2. Requires combination of user account name and password(s)

3. Fundamental vulnerability

Page 6: Secure Network Design: New Directions

Security of Transport Links

• Vulnerability in a physical sense, i.e. being severed

• All data and information in transit are susceptible

Page 7: Secure Network Design: New Directions

Control Algorithm Vulnerability?

• Algorithm ties in nodes and links to achieve a desired objective

• Algorithm encapsulates complex interactions between three elements

• If algorithm is susceptible, nothing is trustworthy

• Example: Exploit TCP's retransmission to deliberately cause network overload

• Exemplified in World War II episodes

• Strategically, U-boat warfare most critical

1. U-boat command and control utilized Enigma encryption machine

2. Key to Allied success lay in the Nazi failure to understand the key importance of asynchronous distributed algorithms

• Unique example from history: Precision bombing run during WWII

Page 8: Secure Network Design: New Directions

Control Algorithm Vulnerability (Cont'd)?

[Figure: diagram of a precision bombing run, with labels Britain, France, Bombers, Beam 1, Beam 2, Open bomb bay, Bomb drop]

Page 9: Secure Network Design: New Directions

Why is Security Gaining Such Importance?

• Increasingly, key national infrastructures are controlled by networks

1. Telecommunications, power grid, financial services, etc.

• X-10 network for power line communication in homes

– X-10 devices and controller

– Turn on A/C in Arizona remotely from cell phone

– Turn on outdoor pool following a sand storm in Arizona

– Check whether garage door accidentally left opened

– Monitor home following an alarm going off

– Perpetrator may set fire to a specific home by overheating appliances

– Worse, perpetrator may sacrifice many homes to destroy a target building

• Accessing a patient’s medical record, routine or emergency care

• Transmitting sensitive financial information

• Exchanging proprietary trade secrets among company sites – GM, Prudential

• Accessing individuals’ genetic map from gene analysis laboratories

• Uses limited only by imagination, while losses cause irreversible damages

Page 10: Secure Network Design: New Directions

Security Guarantees Today

• In the Internet and IP networks, security assumes the forms

– Encryption – applied to information in storage and in transit

– Key management

– Firewall

• Fundamental challenges

– Recently invented primality algorithm from IIT Kanpur severely challenges fundamental mathematical assumptions of encryption keys

– Severe performance limitations

• Issues with a perpetrator intercepting data

– Current thought: Immediate value of data is time-bound

– Analysis of data may render it a timeless attribute, e.g. strategic thinking

Page 11: Secure Network Design: New Directions

Fundamental Principles Underlying IP

• Store and forward

• End to end reasoning

• Consequences

Quality of service (QoS) fundamentally difficult

Differentiated services, etc. very difficult to realize

Security incorporated as an afterthought

Cannot prevent denial of service

Cannot prevent overload of TCP retransmissions

Cannot prevent network instability

• IP network unsuited for secure transmission of sensitive information

1. Medical

2. Financial

3. Trade secrets

Page 12: Secure Network Design: New Directions

The Changing Nature of Networked Systems?

• Static data stored at a node may be less than useful

• Example: Shiny new car sitting in the dealer's parking lot does not make money. The tell-tale sign of an efficient dealer is a sparse parking lot since the cars are sold as soon as they are delivered.

• Data, enhanced, modified, and exchanged dynamically, is increasingly valuable – (i) information vs. data and (ii) information is subjective

• Therefore, data in transit is of the highest concern

Page 13: Secure Network Design: New Directions

New Directions in Secure Network Design

• Unique philosophical insight – in this creation, there is nothing for which there is no opposite

• New networking principles

1. Fundamental security framework to objectively analyze network security

– Adopted by NSA in NRM

– Translate security into a quality of service (QoS) metric

2. Select and establish secure route (connection-oriented) prior to propagating traffic

3. ATM, MPLS excellent candidates or design a new network (modified ATM)

• Security is an interdisciplinary challenge

• New approach and tools

1. Understand fundamental principles in great depth

2. Synthesize algorithm and threat scenarios

3. Test and validate utilizing comprehensive metrics

– Behavior modeling

– Asynchronous distributed simulation on a network of workstations

– Representative traffic model

Page 14: Secure Network Design: New Directions
Page 15: Secure Network Design: New Directions

[Figure: network of nodes (Naval Academy, Baltimore, Alexandria/Ft Belvoir, The White House, Andrews AFB, Ft Meade, The Pentagon, Downtown, D.C., Norfolk/NB), with security matrix (overall value) labels of 0 or 9. Source Node - The White House. Destination Node - Norfolk/Naval Base.]

Page 16: Secure Network Design: New Directions

[Figure: the same network of nodes (Naval Academy, Baltimore, Alexandria/Ft Belvoir, The White House, Andrews AFB, Ft Meade, The Pentagon, Downtown, D.C., Norfolk/NB), with security matrix (overall value) labels of 0 or 9. Source Node - The White House. Destination Node - Norfolk/Naval Base. Route Selected.]
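The slides propose treating security as a QoS metric and establishing a secure route before any traffic flows. The sketch below is an added example, not material from the presentation: node names come from the figure, while the links, the per-node values, and the single scalar "overall value" per node are constructed assumptions.

```python
from collections import deque

# Constructed topology: names are from the slide's figure; the links and the
# security values (0 = untrusted, 9 = trusted) are assumptions for illustration.
SECURITY = {
    "The White House": 9, "The Pentagon": 9, "Ft Meade": 9,
    "Andrews AFB": 9, "Norfolk/NB": 9,
    "Downtown, D.C.": 0, "Baltimore": 0,
    "Alexandria/Ft Belvoir": 0, "Naval Academy": 0,
}
LINKS = [
    ("The White House", "Downtown, D.C."), ("Downtown, D.C.", "Norfolk/NB"),
    ("The White House", "The Pentagon"), ("The Pentagon", "Andrews AFB"),
    ("Andrews AFB", "Norfolk/NB"), ("The Pentagon", "Alexandria/Ft Belvoir"),
    ("Alexandria/Ft Belvoir", "Norfolk/NB"), ("The White House", "Ft Meade"),
    ("Ft Meade", "Baltimore"), ("Baltimore", "Naval Academy"),
]

def select_secure_route(src, dst, required, security=SECURITY, links=LINKS):
    """Fewest-hop route on which every node has security >= required.
    Returns None when no such route exists: the connection is refused
    rather than silently downgraded to a weaker path."""
    if security[src] < required or security[dst] < required:
        return None
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    parent = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            route = []
            while node is not None:
                route.append(node)
                node = parent[node]
            return route[::-1]
        for nxt in sorted(adj.get(node, ())):
            # Nodes below the required level are never admitted to the search.
            if nxt not in parent and security[nxt] >= required:
                parent[nxt] = node
                queue.append(nxt)
    return None

def route_security(route, security=SECURITY):
    """QoS-style metric for an established route: its weakest node."""
    return min(security[n] for n in route)

if __name__ == "__main__":
    for level in (0, 9):
        route = select_secure_route("The White House", "Norfolk/NB", level)
        print(level, route, route_security(route))
```

With no security requirement the shortest route crosses a node rated 0; requiring 9 yields a longer route whose weakest node is still 9.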

Page 17: Secure Network Design: New Directions

[Figure: Continental Military Network. Map of numbered nodes at U.S. military and government sites, organized into Groups 1 through 7 and connected by 77.5 Mb and 155 Mb links.]

Page 18: Secure Network Design: New Directions

Security as an Interdisciplinary Challenge

• Operating systems

1. Notion of files and attributes

2. Why can a perpetrator wipe out log files?

• Viruses

1. Executable file transfer

2. BIOS attack

3. Viruses combining autonomously, unstable mutation (SARS)

4. Biological and computer virus – unique difference

5. Ultra-fast viruses?

• Computer architectures

1. Fundamental weakness across all computers

2. Virus modifies instruction set, computer’s primary objective

Page 19: Secure Network Design: New Directions

Interdisciplinary Issues (Cont’d)

• Control algorithm attacks -- If algorithm is susceptible, nothing is trustworthy

1. Precision bombing run during WWII

2. Exploit TCP's retransmission to deliberately cause network overload

3. Insider attacks – greatest threat in Financial Services Industry

4. Coordinated attacks – physical and cyberattacks

5. Elusive attacks – very slow in time and highly geographically distributed

6. System attacks itself, autoimmune failure – accidentally modified autonomous agents

• Lessons from Nature and biology

1. Hantavirus

2. Quarantine only technique that works in infectious diseases, fundamentally weak for computer viruses – spreads at EM speed

3. Bubonic plague bacterium and AIDS virus use identical two-prong attack strategy

4. Sharks switch sensors while attacking prey

5. Human immune system design and insight from nature of computational power

6. Genetically imprinted immune system of bees versus adaptive in humans

Page 20: Secure Network Design: New Directions

Interdisciplinary Issues (Cont’d)

• Threat scenario design, rationale, and testing

1. Requires depth and breadth

2. Requires interdisciplinary knowledge in biology, law

3. Law: Can privacy be protected on the Internet?

4. Law enforcement: Identify original weapon (unique) for conviction?

• Encryption

1. Continue mathematical research into improving performance

Page 21: Secure Network Design: New Directions

Intrusion Detection

Page 22: Secure Network Design: New Directions

Fundamental Challenges to Intrusion Detection

• Intrusion detection is compute-intensive

• Scalability a fundamental issue with all networks

• ATM and variants hold promise

– Inherent promise of quality of service

– IP networks based on store and forward principle

• Fundamental framework for security

– NSA adopted under NRM

– Comprehensive security mapped into a QoS metric

Page 23: Secure Network Design: New Directions

Basic Network Intrusion Detection

• Minimum components:

– Sensors

– Assessment Engine

– Response Agents

[Figure: three sensors (S), an Assessment Engine, and two Response Agents]

Page 24: Secure Network Design: New Directions

Switched Network Intrusion Detection

• Complications resulting from switched networks

– Unlike broadcast networks where sensors can “sniff” large portions of a network, switched networks use point-to-point connections.

– Switched (and particularly ATM) networks scale well to very large sizes

• Requires many more sensors

• Overloads the assessment engine

• A new intrusion detection architecture is needed for large, switched networks

Page 25: Secure Network Design: New Directions

Underlying Motivations

• Practical, scaleable intrusion detection architecture for ATM Networks.

– Attacks against the PNNI protocol develop very quickly

– Processes and events within ATM switches occur over very short intervals of time

– ATM networks can grow quite large using hierarchical peer groups

• Previous research has shown that decentralized military command and control models allow faster reaction times, resulting in faster convergence on the enemy and higher kill rates, with fewer casualties

– But, a purely decentralized approach may not be compatible with ATM peer groups

• Architecture that would apply to other switched networks (e.g. MPLS)

Page 26: Secure Network Design: New Directions

Inspiration -- Human Immune System Design

• Nature designed and tested over millions of years

– Nature's primary objectives

– Key elements of the design

– Evolutionary nature of the design

– Spectacular failures of nature

• The notions of computational energy and limits of computational power

Page 27: Secure Network Design: New Directions

Hierarchical Intrusion Assessment

• Sensors are assigned to various assessment engines, arranged hierarchically

• Manages load for assessment engines

• Scaleable solution

• Allows both tactical and strategic assessment

[Figure: two Tactical Assessment Engines, each with three sensors (S), a Strategic Assessment Engine, and three Response Agents]

Page 28: Secure Network Design: New Directions

Tactical and Strategic Assessment

• Tactical assessment facilitates fast local responses, necessary in high-speed switched networks

• Strategic assessment gives overall picture of distributed or slow-to-develop attacks

• Assessment engines appear as sensors or response agents to assessment engines at other levels of the hierarchy

[Figure: two Tactical Assessment Engines, each with three sensors (S), a Strategic Assessment Engine, and three Response Agents]

Page 29: Secure Network Design: New Directions

Detailed View

• Tactical sentinels

– Hardware embodiment of one or more sensors and an assessment engine

– Monitors fabric of associated switch

– Response is limited to ports, elements, and UNI traffic of associated switch

– Report observations, events, and actions to strategic assessment at peer group level

– Execute local responses as directed by the peer group level strategic assessment engine

– Change its behavior via reprogramming by the strategic assessment engine at the peer group level

[Figure: switches A1 to A4 (Group A) and B1 to B4 (Group B), each paired with a tactical sentinel; two Strategic Assessment Level 1 blocks and one Strategic Assessment Level 2 block]

A1-T through A4-T: Tactical ATM Sentinels in Peer Group A

B1-T through B4-T: Tactical ATM Sentinels in Peer Group B

Page 30: Secure Network Design: New Directions

Detailed View (continued)

• Strategic assessment (level 1)

– Hardware/software entities

– Distinct from the nodes of the peer group

– Analyze all anomalies within the peer group, taken in the context of recent history

– Reprogram tactical sentinels

– Initiate other responses (beyond the scope of a single switch)

– Report “conclusions” and responses to level 2 assessment

• Strategic assessment (level 2)

– Likely software implementations

– Assess network behavior

– Compute long-term decisions within the context of network history

– Initiate responses

[Figure: switches A1 to A4 (Group A) and B1 to B4 (Group B), each paired with a tactical sentinel; two Strategic Assessment Level 1 blocks and one Strategic Assessment Level 2 block]

A1-T through A4-T: Tactical ATM Sentinels in Peer Group A

B1-T through B4-T: Tactical ATM Sentinels in Peer Group B
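The division of labor between tactical sentinels and level-1 strategic assessment can be shown with a small simulation. This is an added example, not code from the presentation or the cited architecture paper: the thresholds, window length, report format, and anomaly counts are constructed assumptions.

```python
from collections import deque

class TacticalSentinel:
    """Per-switch sensor plus assessment engine; acts only on its own switch."""
    def __init__(self, switch, threshold):
        self.switch, self.threshold = switch, threshold

    def observe(self, t, anomalies):
        # Fast local decision, then a report upward whatever the outcome.
        action = "local-block" if anomalies >= self.threshold else None
        return {"t": t, "switch": self.switch,
                "anomalies": anomalies, "action": action}

class StrategicAssessment:
    """Level-1 engine for one peer group: weighs reports against recent history."""
    def __init__(self, sentinels, window, group_threshold, tightened):
        self.sentinels, self.window = sentinels, window
        self.group_threshold, self.tightened = group_threshold, tightened
        self.history, self.alerts = deque(), []

    def receive(self, report):
        self.history.append(report)
        # Keep only reports from the last `window` intervals.
        while self.history[0]["t"] <= report["t"] - self.window:
            self.history.popleft()
        total = sum(r["anomalies"] for r in self.history)
        if total >= self.group_threshold and not self.alerts:  # alert once
            self.alerts.append({"t": report["t"], "total": total})
            for s in self.sentinels:  # reprogram the tactical level
                s.threshold = min(s.threshold, self.tightened)

def run(events, threshold=5, window=3, group_threshold=20, tightened=2):
    """Feed (time, switch, anomaly_count) tuples through both levels."""
    names = sorted({sw for _, sw, _ in events})
    sentinels = {n: TacticalSentinel(n, threshold) for n in names}
    strategic = StrategicAssessment(list(sentinels.values()),
                                    window, group_threshold, tightened)
    local_actions = []
    for t, sw, n in events:
        report = sentinels[sw].observe(t, n)
        if report["action"]:
            local_actions.append((t, sw))
        strategic.receive(report)
    return local_actions, strategic.alerts

# Constructed sample: a slow, spread-out pattern of 2 anomalies per interval
# on each of A1..A4, always below the per-switch threshold of 5.
EVENTS = [(t, f"A{i}", 2) for t in range(1, 5) for i in range(1, 5)]

if __name__ == "__main__":
    print(run(EVENTS))
```

No single sentinel ever crosses its own threshold, yet the peer-group total over three intervals does, so the strategic engine tightens the sentinels and local responses begin from that point on.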

Page 31: Secure Network Design: New Directions

New Approach and Tools

• Synthesize high-level asynchronous distributed algorithm

• Synthesize comprehensive metrics

• Test and validate algorithm through modeling and simulation

– Accurate asynchronous, distributed PNNI simulator

– Representative traffic model

Page 32: Secure Network Design: New Directions

Ultimate Future?

• As networks evolve, newer forms of attacks will emerge

• Interdisciplinary thinking and proposed approach are our key weapons

• Pure energy computers?

• Quantum entanglement?

Page 33: Secure Network Design: New Directions

Source Material for the Tutorial & Further Reading

1. Sumit Ghosh, Principles of Secure Network Systems Design, Springer Verlag, ISBN 0-387-95213-6, April 2002.

2. Thomas D. Tarman and Edward L. Witzke, Implementing Security for ATM Networks, Artech House, Boston, ISBN 1-58053-293-4, 2002.

3. Sumit Ghosh, "Computer Virus Attacks on the Rise: Causes, Mitigation, and the Future," Financial IT Decisions 2002, Vol. 1, a Bi-Annual Technology Publication of the Wall Street Technology Association, Red Bank, New Jersey, http://www.wsta.org, Feb/Mar 2002, pp. 16-17, ISBN 1-85938-369-6.

4. Ed Witzke, Tom Tarman, Gerald Woodard, and Sumit Ghosh, "A Novel Scaleable Architecture for Intrusion Detection and Mitigation in Switched Networks," Proceedings of the IEEE Milcom 2002, Oct 7-10, 2002, The Disneyland Resort, Anaheim, CA.

5. Sumit Ghosh, "Future Advances in Networked Systems and New Forms of Cyberattacks," chapter in "Cybercrimes," Edited by Elliot Turrini (Asst. US Attorney) and Jessica R. Herrera (Federal Prosecutor, CCIPS, US DoJ), Wadsworth Publishing, Belmont, CA., August 2002.

Page 34: Secure Network Design: New Directions
Page 35: Secure Network Design: New Directions
Page 36: Secure Network Design: New Directions

Thank you

Questions, Suggestions, & Criticisms

email: [email protected]

http://attila.stevens-tech.edu/~sghosh2

Page 37: Secure Network Design: New Directions