Implementing distributed internet security using a firewall collaboration framework
1 / 52

Implementing Distributed Internet Security using a Firewall Collaboration Framework - PowerPoint PPT Presentation

  • Uploaded on

Implementing Distributed Internet Security using a Firewall Collaboration Framework. Lane Thames and Randal Abler Georgia Institute of Technology Distributed Network Applications Laboratory . Outline. Introduction Computer security overview Firewall technology overview Related Work

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' Implementing Distributed Internet Security using a Firewall Collaboration Framework' - eloise

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Implementing distributed internet security using a firewall collaboration framework

Implementing Distributed Internet Security using a Firewall Collaboration Framework

Lane Thames and Randal Abler

Georgia Institute of Technology

Distributed Network Applications Laboratory

Outline Collaboration Framework

  • Introduction

  • Computer security overview

  • Firewall technology overview

  • Related Work

  • Firewall Collaboration Framework

  • Future Work and Conclusions

Introduction Collaboration Framework

  • The Internet is growing

  • The growth appears to be accelerating

Internet growth 1
Internet Growth Collaboration Framework[1]

Internet growth 2
Internet Growth Collaboration Framework[2]

Internet growth and attack trends
Internet Growth and Attack Trends Collaboration Framework

  • As the phenomenal growth of the Internet continues, malicious activities will continue to increase as well.

  • Hacking: Computer activity with malicious intentions.

Hacking trends
Hacking Trends Collaboration Framework

  • Paradigm shift taking place in the Hacking Community.

  • Whereas hackers once performed their malicious deeds for Internet notoriety, there are now large numbers that do this for profit.

Hacking trends1
Hacking Trends Collaboration Framework

  • According to PC World News, Jeanson Ancheta was arrested by the FBI in 2006 and was the first hacker to be prosecuted in the US for creating malicious code for a profit.

Hacking trends2
Hacking Trends Collaboration Framework

  • According to Symantec, spammers and phishers pay on average about $350.00 per week for a botnet of 5500 zombie computers.

Hacking trends3
Hacking Trends Collaboration Framework

  • Corporate extortion, information espionage, and identity theft are Internet commodities for malicious users.

  • Protx—British online payment processing company. Attacks brought their system down in 2005. The extortionists warned that the attacks would continue unless a $10,000 fee was paid.

Hacking trends4
Hacking Trends Collaboration Framework

  • Identity theft—huge ROI for hackers

  • According to anti-spam provider Cloudmark, credit card data sells for up to $100.00 per account.

The engineering need
The Engineering Need Collaboration Framework

  • What does the data tell us?

  • There still exists an engineering need to continue developing reliable and robust computer security systems that can thwart the actions of malicious users as their tools and techniques continue to evolve.

  • Because of the financial incentives now presented to hackers, the need is even greater than in the past.

Computer security overview
Computer Security Overview Collaboration Framework

  • The field of computer security provides the technologies to prevent users with malicious intent from doing damage

Computer security services
Computer Security Services Collaboration Framework

  • The five main services:

    • Confidentiality

    • Authenticity

    • Integrity

    • Availability

    • Access Control

Computer network attack types
Computer/Network Attack Types Collaboration Framework

  • Common Attack Types

    • Buffer Overflow Exploits

    • Denial of Service

    • Password Attacks

Computer network attack types1
Computer/Network Attack Types Collaboration Framework

  • Common Attack Types

    • Exponential Attacks

    • Trojan Horses, Spyware, Adware

    • Spam and Phishing

    • TCP/IP protocol exploitation

Overview of firewall technology
Overview of Firewall Technology Collaboration Framework

  • Firewalls—devices that limit network access

  • Firewalls are access control mechanisms

  • They are components inserted between two networks that filter network traffic according to a LOCAL security policy

Firewall types
Firewall Types Collaboration Framework

  • Packet Filtering Devices

  • Application Filtering Devices

  • Stateful Packet Filtering Devices

Firewall strengths
Firewall Strengths Collaboration Framework

  • Disallows incoming connections to hosts that do not offer public network services

  • Reduces the amount of dangerous noise flowing through networks (probes)

  • Allows administrators tools to control their networks from the inside and outside (i.e. do you allow your users to get access to the Web?)

Firewall weaknesses
Firewall Weaknesses Collaboration Framework

  • Because of increasing line speeds and computation-intensive protocols (IPSec), the firewall can become a congestion point

  • There exist protocols that are difficult to process at the firewall

  • Classical firewall design assumes that all internal users can be trusted

Firewall weaknesses1
Firewall Weaknesses Collaboration Framework

  • Large networks tend to have high numbers of ingress points. This makes administration difficult, both from a practical point of view and with regard to policy consistency

  • End-to-end encryption can be a threat to firewalls as it prevents the firewalls from looking at the packet fields necessary for certain types of filtering

Related work
Related Work Collaboration Framework

  • Bellovin, et al—First to describe a distributed firewall system.

  • Many firewalls within an institute’s network, all being centrally managed

  • Overcome issues like multiple ingress points and trusting inside users

Related work1
Related Work Collaboration Framework

  • Smith, et al—Cascade model of distributed firewalls

  • Zou, et al—Defense in Depth model of distributed firewalls

  • These two works are similar in nature

Related work2
Related Work Collaboration Framework

  • Schnackenberg, et al—Infrastructure for Intrusion Detection and Response

  • Intrusion Detection and Isolation Protocol (IDIP)

  • Similar in nature to the FCF, but designed with IDS at the core

Firewall collaboration framework
Firewall Collaboration Framework Collaboration Framework

  • Some factors driving the design and development of this framework

Spam statistics 3 2006
Spam Statistics Collaboration Framework[3](2006)

  • Email considered spam: 40% of all email

  • Daily spam emails sent: 12.4 billion

  • Daily spam received per person: 6

  • Email address changes due to spam: 16%

  • Wasted corporate time per spam email: 4-5 seconds

  • Estimated spam increase by end of 2007: 63%

Exponential attacks internet worms
Exponential Attacks-Internet Worms Collaboration Framework

  • The Logistics equation is commonly used to model worm propagation. It can be derived (not just assumed)

  • The logistics equation describes the rate of growth of epidemics in finite systems when all entities are equally likely to infect any other entity

Worm propagation model
Worm Propagation Model Collaboration Framework

  • N(t): the number of infected hosts at t

  • S: the total number of susceptible hosts

  • α: the rate at which one machine can compromise another

  • T: the time where ½ of the total number of susceptible hosts are infected

Worm propagation model1
Worm Propagation Model Collaboration Framework

The philosophy of this work
The Philosophy of this Work Collaboration Framework

  • Limit the impact of malware such as worms, viruses, and spam as well as the actions of malicious users by attempting to stop the malicious behavior as close to the source as possible thus preserving network resources for intended applications

High level system description
High Level System Description Collaboration Framework

  • Create a federation of firewalls that collaborate with each other and share a “global” pool of information.

  • Use advanced algorithms to classify malicious activities in real-time.

  • Distribute the new attack classification information to members of the federation

Framework components
Framework Components Collaboration Framework


Trust Relationship Management

Policy Management

Network Traffic Classification

Information Management

Resource Management

Federation management
Federation Management Collaboration Framework

  • Control membership of new firewalls to the federation

  • Responsible for establishing initial trust between the new firewall and the federation

Trust relationship management
Trust Relationship Management Collaboration Framework

  • Maintain trust relationships between members

  • Information authentication

  • Credential management

Policy management
Policy Management Collaboration Framework

  • Responsible for differentiating “Local” security policy from “Global” security policy

Network traffic classification
Network Traffic Classification Collaboration Framework

  • Let’s look a little closer at some attack types

Buffer overflow case study
Buffer Overflow—Case Study Collaboration Framework

Buffer overflow case study1

buf Collaboration Framework

Other data

Return Address

* str=input buffer

Rest of Stack

Buffer Overflow—Case Study

  • Abstract view of the memory stack before the call to strcpy

Buffer overflow case study2
Buffer Overflow—Case Study Collaboration Framework

Denial of service case study icmp smurf attack
Denial of Service—Case Study Collaboration FrameworkICMP Smurf Attack

Denial of service case study tcp syn flood attack
Denial of Service—Case Study Collaboration FrameworkTCP SYN Flood Attack

Attack case studies summary
Attack Case Studies--Summary Collaboration Framework

  • With each of the previous mentioned case studies, data flows can be collected from end hosts and from within the network

  • The collected data flows can be analyzed with algorithms, and behavioral classification can be performed

  • The behavioral classification allows the observation of malicious behavior to be made

Network traffic classification1
Network Traffic Classification Collaboration Framework

  • Classical Types of Classification

    • Statistical based anomaly detection

    • Rule based anomaly detection

    • Signature based anomaly detection

    • Artificial intelligence and machine learning techniques [4]

  • Main goal: Classify traffic in real-time and send information vectors to the federation

Information management
Information Management Collaboration Framework

  • Information transport

    • Centralized, peer-to-peer, hybrid

  • Information caching and staleness

  • Information confidentiality and integrity

Resource management
Resource Management Collaboration Framework

  • Provide mechanisms needed for scalability, reliability, and robustness

Experimental evaluation
Experimental Evaluation Collaboration Framework

  • Linux IPtables firewall mechanism

  • PortSentry scan detection tool

  • netcat and Perl scripting

  • nmap scanning tool

Experimental evaluation1
Experimental Evaluation Collaboration Framework

  • Stop at source? YES

  • Preemptive protection? YES

  • Is denial of service a major threat? YES

Future work
Future Work Collaboration Framework

  • The framework is in its initial design stage

  • Solution spaces for the framework components will be evaluated

  • In depth analysis of the solution space for the network traffic classification component as it is the major component of the framework

Conclusion Collaboration Framework

  • Computer network attacks evolve on a daily basis. Financial incentives will drive the evolution of these attacks. We believe the FCF will be a useful tool for protecting networks against attack. The framework will allow malicious data flows to be stopped at or close to the source, and it will allow for preemptive protection.

References Collaboration Framework

  • CERT—Computer Emergency Response Team,

  • “Internet traffic growth: Sources and implications,” A.M. Odlyzko, Proceedings of SPIE, 2003

  •, D. Evett, 2006

  • “Hybrid Intelligent Systems for Network Security,” J.L.Thames, R. Abler, A. Saad, Proceedings of the ACM Southeast Conference, 2006