unifying the conceptual levels of network security through use of patterns l.
Download
Skip this Video
Download Presentation
Unifying the conceptual levels of network security through use of patterns .

Loading in 2 Seconds...

play fullscreen
1 / 28

Unifying the conceptual levels of network security through use of patterns . - PowerPoint PPT Presentation


  • 92 Views
  • Uploaded on

Unifying the conceptual levels of network security through use of patterns . . PhD Proposal - Draft Ajoy Kumar Advisor: Dr. EF. Introduction.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Unifying the conceptual levels of network security through use of patterns .' - nerita


Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
unifying the conceptual levels of network security through use of patterns

Unifying the conceptual levels of network security through use of patterns.

PhD Proposal - Draft

Ajoy Kumar

Advisor: Dr. EF

introduction
Introduction
  • We analyze security mechanisms at the conceptual network layers and propose a unification of these levels using security patterns. We also develop several new patterns and study the existing patterns for this purpose.
problem statement
Problem Statement
  • Three basic conceptual layers in the network are the network layer, the transport layer and the user application layer. Each of these layers is subjected to security threats and we need to consider security defenses at each of these layers. Security threats help form security policies which in turn lead to the development of protocol mechanisms and these mechanisms lead to security patterns at each of these layers.
contd
Contd…
  • Some of the specific mechanisms used for security are Firewalls, IDS and VPN (Virtual Private Network). In this thesis we attempt to look at the involved security components such as Firewalls, IDS and VPN at these three primary layers and study the synergistic combination of these components. Then we look at the different security protocols controlling these layers such as IPSec (network or IP layer), TLS (the transport layer) and SOAP ( user application layer) which contribute to the defense at these layers. When Security is designed for these layers including these components and protocols, a systematic approach is required by the developers to enhance security.
contd5
Contd…
  • In this work we try to identify already existing security patterns for these components and protocols and then fill in the gaps for the missing security patterns. We will also try to compare and contrast the patterns developed at each of these layers and try to unify these levels using patterns. Once the patterns are developed, they will serve as a catalog to help designers build and maintain secure networks.
software patterns and security
Software Patterns and Security
  • The primary objectives of security are to provide confidentiality, integrity, availability, and accountability to the information. Information or messages passed are usually vulnerable to attacks and are targeted by many people for political or personal reasons. Security countermeasures are usually classified into five groups: identification and authentication, access control and authorization, logging, cryptography, and intrusion detection.
contd7
Contd…
  • A way to counter the threats to security faced by these network layers is use of patterns. Patterns are solutions to recurrent problems in given contexts. Security patterns have been looked at extensively in the current world of threats and have been studied in detail. A good number of security patterns have been described in the literature [Fer06a, Sch06, Ste05]. In the ideal case the developer would be able to find one or more security patterns to provide guidance for specific security problems. Patterns in general capture knowledge and wisdom of developers in a highly accessible form for ordinary practitioners to apply.
security mechanisms
Security Mechanisms
  • Three of the most common security mechanisms used are firewalls, VPN and IDS.
  • Firewalls have been shown to be very effective in providing security by basically creating a choke point of entry (and exit) into a local network [Bar99]. A firewall therefore restricts unauthorized clients from access to the local network and local networks from accessing external sites that are considered untrustworthy. A firewall can be used as a mechanism to enforce security policies and also allows a limited exposure of the protected network to outsiders.
sec mech contd
Sec Mech. (Contd…)
  • VPN uses a technique called tunneling, in which data is transmitted across a public network in a private tunnel that simulates a end to end connection.
  • A system intrusion is any attempt to attack a system and compromise its integrity, confidentiality, or availability of a resource. Intrusion Detection Systems (IDS) are implemented to detect an intrusion when it occurs and on detection should trigger appropriate recovery measures [Fer05].
network architecture
Network Architecture

Security Mechanisms

abstact pattern for sec mech
Abstact Pattern for Sec. Mech.

VPN/FW/IDS

SAML

Realize

Realize

Realize

TLS V/F/I

IPSec V/F/I

XML V/F/I

TLS

IPSec

Secure Channel

Authentication

proposed research
Proposed Research
  • General Goal

We try to unify the security functions used in different network layers through security patterns. We identify the common security components of each layer and their protocols and try to discover the existing security patterns for each of these layers and identify the patterns yet to be developed and try to develop them.

specific goals and outline
Specific Goals and Outline
  • Survey security Components such as Firewall, IDS and VPN
  • Survey the existing protocols for each of these layers such as IPSec, TLS and SAML.
  • Identify the existing patterns for each of these security components for each of the network layers.
  • Identify the patterns yet to be developed for the security components for each of these network layers.
  • Develop these new security patterns yet to be developed for each of these layers.
  • Apply the new patterns developed on a Case Study and study the consequences in detail.
contributions
Contributions
  • A description of the three basic architectural layers using pattern diagrams showing the relationship between these patterns
  • A description of the protocols to provide security for these layers using security pattern diagrams.
  • An enumeration of the use cases and the security threats involved for the typical network functions.
  • Analysis of the existing countermeasures, eg. Firewalls, IDS, VPNs and their combinations. We will consider existing commercial products as possible sources of security patterns.
  • Specific patterns for the network architectural layers, their security standards, and mechanisms to defend against the identified threats. We have already published one of these [Fer05] and in the process of completing another.
  • Validation of the approach to applying it to a SCADA system.
validation
Validation
  • A way to validate the proposed model is to apply it to a real system. We can analyze its main use cases and enumerate possible threats. Then we can see how our architectural model provides a structure to develop and evaluate a range of those systems. We intend to apply our model to a SCADA system and compare our results to other analysis of SCADA security such as [Nae07, NIST].
  • The new patterns can be validated by publishing in conferences such as PLOP or similar conferences. (We did this with an early pattern [Fer05]).
remaining work new patterns
Remaining Work: New Patterns
  • All the other patterns that need to be developed will be identified. The above existing patterns will be further expanded in detail. For example IDS pattern would be extended to include Misuse based IDS also. The VPN pattern will be expanded into different patterns for XML, Packet VPN and SSL VPNs. Patterns for the different Protocols.
  • Proposed TimeLine: Fall 2008 + Spring 2009
2 synergy
2. Synergy
  • Impact of synergistic combination of these security mechanisms VPN + FW + IDSSummer 2009.
4 case study validation
4. Case Study (Validation)
  • Finally after all the missing pieces are developed it will be applied to the SCADA model which has been developed above and will be studied in detail.
  • Proposed Time Line: Fall 2009
completed work
Completed Work
  • Survey of existing patterns

First we will identify all the patterns that have been developed by other researchers in these network layers such as the Packet filter pattern, proxy firewall pattern and XML firewall pattern and Survey of security mechanisms limiting to SCADA.

2 vpn patterns
2. VPN Patterns

Supports

SAML

XML VPN

VPN

Supports

TLS

TLS VPN

IPSec

Supports

IP VPN

slide23

Class Diagram For VPN

Network

VPN

*

*

Network

End Point

1

1

*

Authenticator

Secure Channel

1

Identity Base

*

Identity

4 case study identification
4. Case Study Identification
  • SCADA Architecture
  • SCADA can be used as an example of a distributed system where we apply these patterns.
  • Security Threats.
slide25
Example
    • An important example of SCADA application is electric power generation.
  • Context
    • A SCADA system such as electric power generation system with a Distributed Architecture and connected to the Internet.
class diagram w o security components

Central Controller

Comm. Network

Field Unit Controller

*

1

*

Internet

User Interface

1

Zone

1

Class Diagram (w/o Security Components)
slide28
Suggestions
  • Additions
  • Concerns
  • Modifications
  • Improvements