Security Related Research Projects at UCCS Network Research Lab
C. Edward Chow, Department of Computer Science, University of Colorado at Colorado Springs
Outline of the Talk
• Brief introduction to the Network/Protocol Research Lab at UCCS
• Network security related research projects at the UCCS Network/Protocol Research Lab
  • Autonomous Anti-DDoS Project
  • Secure Collective Defense Project
  • BGP/MPLS based VPN Project
• Discussion on Innerwall-UCCS joint research project
  • STTR N03-T010 TITLE: Intrusion Monitoring, Detection and Reporting
UCCS Network Research Lab
• Director: Dr. C. Edward Chow
• Graduate students:
  • John Bicknell/Steve McCaughey/Anders Hansmat: Distributed Network Restoration/Network Survivability
  • Hekki Julkunen: Dynamic Packet Filter
  • Chandra Prakash: Highly Available Linux Kernel-based Content Switch
  • Ganesh Godavari: Linux-based Secure Web Switch
  • Angela Cearns: Autonomous Anti-DDoS (A2D2) Testbed
  • Longhua Li: IXP-based Content Switch
  • Yu Cai (Ph.D. research assistant): Multipath Routing
  • Jianhua Xie (Ph.D.): Secure Storage Networks
  • Frank Watson: Content Switch for Email Security
  • Paul Fong: Wireless AODV Routing for Sensor Networks
  • Nirmala Belusu: Wireless Network Security, PEAP vs. TTLS
  • David Wikinson/Sonali Patankar: Secure Collective Defense
  • Murthy Andukuri/Jing Wu: Enhanced BGP/MPLS-based VPN
  • Patricia Ferrao/Merlin Vincent: Web-based Collaborative System Support
UCCS Network Lab Setup
• Gigabit fiber connection to UCCS backbone
• Switch/Firewall/Wireless AP:
  • HP 4000 switch; 4 Linksys/D-Link switches
  • SonicWall Pro 300 firewall
  • 8 Intel 7112 SSL accelerators; 4 7820 XML directors donated by Intel
  • Cisco 1200 Aironet dual band access point and 350 client PC/PCI cards (both 802.11a and 802.11b cards)
  • Intel IXP12EB network processor evaluation board
• Servers: two Dell PowerEdge servers
• Workstations/PCs:
  • 8 Dell PCs (3 GHz-500 MHz); 12 HP PCs (500-233 MHz)
  • 2 laptop PCs with Aironet 350 for mobile wireless
• OS: Linux Red Hat 8.0; Windows XP/2000
[Lab diagram: HP 4000 switch with gigabit fiber to the UCCS backbone, workstations, Dell server, Intel IXP network processor, Intel 7110 SSL accelerators and 7280 XML director]
DDoS: Distributed Denial of Service Attack
• DDoS victims: Yahoo/Amazon (2000); CERT (5/2001); DNS root servers (10/2002)
• DDoS tools: Stacheldraht, Trinoo, Tribal Flood Network (TFN)
How widespread is DDoS?
• Research by Moore et al. of the University of California at San Diego, 2001
• 12,805 DoS attacks observed in a 3-week period
• Most victims are home users and small to medium sized organizations
Intrusion Related Research Areas
• Intrusion Prevention
  • General security policy
  • Ingress/egress filtering
• Intrusion Detection
  • Anomaly detection
  • Misuse detection
• Intrusion Response
  • Identification/traceback/pushback
• Intrusion Tolerance
Security Related Research Projects
• Secure Content Switch
• Autonomous Anti-DDoS Project
  • Deals with intrusion detection and handling
  • Techniques:
    • IDS-firewall integration
    • Adaptive firewall rules
    • Easy to use/manage
• Secure Collective Defense Project
  • Deals with intrusion tolerance: how to tolerate the attack
  • Main idea: explore secure alternate paths for clients to come in
  • Techniques:
    • Multiple path routing
    • Secure DNS extension: how to inform client DNS servers to add alternate new entries
    • Utilize a consortium of proxy servers with IDS that hides the IP addresses of alternate gateways
• BGP/MPLS based VPN Project
• Content Switch for Email Security
Design of an Autonomous Anti-DDoS Network (A2D2)
• Graduate student: Angela Cearns
• Goals:
  • Study Linux Snort IDS/firewall system
  • Develop Snort plug-in for generic flood detection
  • Investigate rate limiting and class based queueing (CBQ) for effective firewall protection
  • Intrusion detection automatically triggers adaptive firewall rule update
  • Study QoS impact with/without A2D2 system
• http://cs.uccs.edu/~chow/pub/master/acearns/doc/
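As an added illustration of the IDS-triggered adaptive firewall rule update listed in the goals above (this is not code from the A2D2 project or its Snort plug-in), the Python simulation below runs constructed packet records through a sliding-window generic flood detector and an adaptive rule table that expires rules once a flood subsides. The drop-vs-rate-limit policy, thresholds, TTL and addresses are assumptions chosen for the demo.

```python
from collections import defaultdict, deque

class FloodDetector:
    """Generic flood detection over a sliding time window (stand-in for an IDS plug-in)."""
    def __init__(self, window=1.0, threshold=100):
        self.window, self.threshold = window, threshold
        self.history = defaultdict(deque)           # (src, proto) -> packet timestamps

    def observe(self, ts, src, proto):
        q = self.history[(src, proto)]
        q.append(ts)
        while q and ts - q[0] > self.window:        # forget packets outside the window
            q.popleft()
        return len(q) > self.threshold              # True = flood alert for this source

class AdaptiveFirewall:
    """Turns IDS alerts into firewall rules and expires them when the flood stops."""
    def __init__(self, ttl=10.0, tcp_limit_pps=50):
        self.ttl, self.tcp_limit_pps, self.rules = ttl, tcp_limit_pps, {}

    def on_alert(self, ts, src, proto):
        # Assumed policy: stateless floods (ICMP/UDP) get an outright drop rule; TCP
        # floods get a rate limit so legitimate connections from that source survive.
        action = "drop" if proto in ("icmp", "udp") else f"ratelimit {self.tcp_limit_pps}pps"
        self.rules[(src, proto)] = (action, ts + self.ttl)   # every alert refreshes the TTL

    def expire(self, ts):
        self.rules = {k: v for k, v in self.rules.items() if v[1] > ts}
        return sorted(self.rules)

def replay(packets, detector, firewall):
    """Feed (ts, src, proto) packets through IDS -> firewall; return rules active at the end."""
    for ts, src, proto in packets:
        if detector.observe(ts, src, proto):
            firewall.on_alert(ts, src, proto)
        firewall.expire(ts)
    return {k: v[0] for k, v in firewall.rules.items()}

def sample_packets():
    # Constructed traffic (documentation addresses): one UDP flooder, one TCP flooder,
    # and one benign client sending 2 packets per second.
    pkts = [(i * 0.005, "198.51.100.7", "udp") for i in range(300)]   # 200 pps
    pkts += [(i * 0.005, "198.51.100.8", "tcp") for i in range(300)]  # 200 pps
    pkts += [(i * 0.5, "203.0.113.9", "tcp") for i in range(10)]      # benign
    return sorted(pkts)
```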
A2D2 QoS Results - Baseline
• Playout buffering to avoid jitter
• 10-min video stream between RealPlayer and RealServer
• Packets received: around 23,000 (23,445)
• No DDoS attack
[Figure: QoS experienced at A2D2 by RealPlayer client with no DDoS]
A2D2 Results – Non-stop Attack
• Packets received: 8,039
• Retransmission requests: 2,592
• Retransmissions received: 35
• Lost: 2,557
• Connection timed out
[Figure: loss of packets; QoS experienced at A2D2 client]
A2D2 Results – UDP Attack, Mitigation: Firewall Policy
• Packets received: 23,407
• Retransmission requests: 0
• Retransmissions received: 0
• Lost: 0
• Looks like we just need plain old firewall rules, no fancy rate limiting/CBQ?
[Figure: QoS experienced at A2D2 client]
A2D2 Results – ICMP Attack, Mitigation: Firewall Policy
• Packets received: 7,127
• Retransmission requests: 2,105
• Retransmissions received: 4
• Lost: 2,101
• Connection timed out
• A plain old firewall rule is not good enough!
[Figure: packet/connection loss; QoS experienced at A2D2 client]
A2D2 Results – TCP Attack, Mitigation: Policy+CBQ
• Turn on CBQ
• Packets received: 22,179
• Retransmission requests: 4,090
• Retransmissions received: 2,641
• Lost: 1,449
• Screen quality impact: looks OK but quality degrades
[Figure: QoS experienced at A2D2 client]
A2D2 Results – TCP Attack, Mitigation: Policy+CBQ+Rate Limiting
• Turn on both CBQ and rate limiting
• Packets received: 23,444
• Retransmission requests: 49 – 1,376
• Retransmissions received: 40 – 776
• Lost: 9 – 600
• No image quality degradation
[Figure: QoS experienced at A2D2 client]
A2D2 Future Work
• Extend to include IDIP/Pushback
• Precise anomaly detection
• Improve firewall/IDS processing speed
• Scalability issues
• Tests with more service types
• Tests with heavy client traffic volume
• Fault tolerance (multiple firewall devices)
• Alternate routing
Wouldn't it be Nice to Have Alternate Routes?
[Diagram: victim network behind router R and its DNS server, with alternate gateways R1, R2, R3; client networks net-a.com, net-b.com, net-c.com, each with hosts (A), a router (R) and a DNS server (DNS1, DNS2, DNS3); legend distinguishes DDoS attack traffic from client traffic]
• How to reroute client traffic through R1-R3?

Implement Alternate Routes
[Diagram: same topology with alternate routes via R1-R3 added]
• Need to inform clients or client DNS servers! But how to tell which clients are not compromised?
• How to hide IP addresses of alternate gateways?

SCOD: Secure Collective Defense Sequence
[Diagram series: the topology above with proxy servers Proxy1, Proxy2, Proxy3 and a Reroute Coordinator added]
1. IDS detects intrusion, blocks attack traffic, and sends a distress call to the Reroute Coordinator.
2. Reroute Coordinator sends a Reroute Command with (DNS name, IP address of victim, proxy server(s)) to the client DNS servers.
3. New routes: via Proxy1 to R1, via Proxy2 to R2, via Proxy3 to R3.
4. Attack traffic arriving on the alternate routes is detected by IDS and blocked by the firewall (4a).
4b. Client traffic comes in via the alternate route.
Secure Collective Defense
• Main idea: explore secure alternate paths for clients to come in; utilize geographically separated proxy servers
• Goals:
  • Provide secure alternate routes
  • Hide IP addresses of alternate gateways
• Techniques:
  • Multiple path routing
  • Secure DNS extension: how to inform client DNS servers to add alternate new entries (not your normal DNS name/IP address mapping entry)
  • Utilize a consortium of proxy servers with IDS that hides the IP addresses of alternate gateways
• How to partition clients to come in at different proxy servers? This may help identify the attacker!
• How do clients use the new DNS entries and route traffic through the proxy server? Use the SOCKS protocol, or modify the resolver library?
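The SCOD reroute exchange above, as an added Python simulation that is not the project's code: the Reroute Coordinator answers the IDS distress call by handing each client DNS server a Reroute Command naming one proxy, the DNS extension then returns the proxy instead of the flooded address, and the gateways behind the proxies never appear in any DNS answer. The round-robin partition of client DNS servers across proxies (so that attack traffic blocked at one proxy narrows its origin) and all addresses are assumptions of this example.

```python
from dataclasses import dataclass
@dataclass
class RerouteCommand:            # step 2 message; carries proxy addresses, never gateways
    dns_name: str
    victim_ip: str
    proxies: list

class ClientDNS:                 # client-side DNS server with the SCOD alternate-entry extension
    def __init__(self, name):
        self.name, self.records, self.alternates = name, {}, {}

    def resolve(self, dns_name):
        # An alternate (proxy) entry overrides the normal A record while the attack lasts.
        return self.alternates.get(dns_name, self.records.get(dns_name))

class Proxy:                     # consortium proxy; only it knows the gateway (R1..R3) behind it
    def __init__(self, addr, gateway):
        self.addr, self.gateway = addr, gateway

class RerouteCoordinator:
    def __init__(self, proxies, client_dns):
        self.proxies, self.client_dns, self.assignment = proxies, client_dns, {}

    def distress_call(self, dns_name, victim_ip):
        # Step 1 (distress call from the IDS) arrives here. Step 2: partition the client
        # DNS servers across proxies, one proxy each (assumed round-robin policy).
        for i, dns in enumerate(self.client_dns):
            proxy = self.proxies[i % len(self.proxies)]
            cmd = RerouteCommand(dns_name, victim_ip, [proxy.addr])
            dns.alternates[cmd.dns_name] = cmd.proxies[0]
            self.assignment[dns.name] = proxy.addr
        return dict(self.assignment)

    def suspects(self, proxy_addr):
        # Step 4a: attack traffic blocked at one proxy implicates only the client
        # networks whose DNS server was pointed at that proxy.
        return sorted(d for d, p in self.assignment.items() if p == proxy_addr)

def run_scenario():
    # Constructed sample topology (documentation addresses, not a real deployment).
    proxies = [Proxy("10.0.1.1", "192.0.2.101"), Proxy("10.0.2.1", "192.0.2.102"),
               Proxy("10.0.3.1", "192.0.2.103")]
    dns = [ClientDNS(n) for n in ("DNS1", "DNS2", "DNS3")]
    for d in dns:
        d.records["victim.example"] = "192.0.2.10"      # normal entry; this address is flooded
    coord = RerouteCoordinator(proxies, dns)
    coord.distress_call("victim.example", "192.0.2.10")
    resolved = {d.name: d.resolve("victim.example") for d in dns}
    leaked = any(v in {p.gateway for p in proxies} for v in resolved.values())
    return resolved, coord.suspects("10.0.2.1"), leaked
```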
New UCCS IA Degree/Certificate
• Master of Engineering degree in Information Assurance
• Certificate in Information Assurance (offered to Peterson AFB through NISSC)
• Computer Networks; Fundamentals of Security; Cryptography; Advanced System Security Design
New CS691 Course on Advanced System Security Design
• Uses Matt Bishop's new Computer Security text
• Spring 2003: one class at UCCS, one at Peterson AFB
• Enhanced by demo/hands-on exercises at the Distributed Security Lab of Northrop Grumman
• Integrate security research results, such as the A2D2, Secure Collective Defense and MPLS-VPN projects, into course material
• Invite speakers from industry such as Innerwall and AFA?
• Looking for potential joint exercises with other institutions such as AFA, Northrop Grumman, Innerwall
Joint Research/Development Effort
• STTR N03-T010 TITLE: Intrusion Monitoring, Detection and Reporting
• Penetration analysis/testing projects?
• Intrusion detection/handling projects?
• Other cyberwarfare related projects?
• Security Forum organized by Dean Haefner/Dr. Ayen
• Security Seminar Series with CITTI funding support
• Looking for speakers (suggestions?)