INTEGRATED SECURITY MANAGEMENT
KNOM-2000, 2000. 12. 12.
Tai M. Chung, Real-Time Systems Lab., Sungkyunkwan University, tmchung@ece.skku.ac.kr
Talk Outline
• Introduction to ISM and Research Objectives
• Current Integrated Security Management Technologies
  • OPSEC
  • Active Security
  • Common Data Security Architecture
• Integrated Security Management System
  • Architecture of ISMS
  • Features of ISMS
  • Architecture & Detailed Modules of ISMS
  • Current Status and Future Development of ISMS
Why ISM?
Security Management
• Increasing complexity & difficulty of security products
• Diverse security policies for heterogeneous security systems scattered over a wide network
• Increasing risks resulting from human mistakes
• Need for immediate and automated response to various security threats
• Need for a unified human interface for simple management
(Figure: the security products to be managed: File Security, VPN, Vulnerability Test, Virus Check, IDS, Intrusion Tracking, Firewall, Authentication, Encryption)
Research Objectives
• Develop a common representation scheme for diverse security policies with
  • Integrated policy and data management scheme
  • Easy and unified interface for total management
• Prototype a master-agent based integrated security management system that includes
  • Coordinated management model based on the common representation scheme
  • Immediate and autonomous response to security threats
  • Fault tolerant capability for continuous service
  • Flexible and scalable management architecture
Trends of ISM
(Figure: security system integration, with OPSEC and Active Security as the examples)
Hybrid Integration Model
(Figure: a firewall module and an IDS module in one device between the Internet and the internal network; attack signatures and auditing rules feed the IDS module, access policies feed the firewall module; on "match found" / "intrusion detected" the device blocks the connection, pages and mails the admin)
• Integrate IDS functionality with the firewall
  • CISCO IOS + Firewall IDS
  • Firewall includes IDS functionality for mid-range, high-performance platforms
  • Limited to detecting the most significant attacks only
  • Acts as an in-line intrusion detection sensor: watches packets and sessions to detect intrusions as well as to apply the firewall policy
Interoperational Model
(Figure: an external firewall, a DMZ network with mail server, IDS and a server pool for public/customer service, an internal firewall and the internal network; the IDS sends a policy configuration message to the firewall, an SNMP trap to the NMS, and paging/mail to the admin)
• Real-time intrusion blocking: IDS interoperable with the firewall
  • RealSecure (ISS) + Firewall-1 (Checkpoint)
• When the IDS detects misuse or attacks:
  • Reconfigures the firewall to block all traffic from the suspicious source
  • Alerts appropriate personnel through the user interface
  • Sends an SNMP trap to the NMS to record the session information
  • Terminates connections if possible
OPSEC by Checkpoint
• Open Platform for Security / Open Platform for Secure Enterprise Connection
• Based on the SVN (Secure Virtual Network) environment
  • Goes beyond VPNs to secure all internet gateways
  • Fine-grain access control for all users
• Provides integration and interoperability with various security products such as
  • VPN-1, Firewall-1, FloodGate-1, and Meta IP
  • OpenView, Tivoli, etc.
OPSEC framework
(Figure: the Check Point Management Console with Account Management at the center, connected to a CA, a Directory Server, a Content Security Server, a URL Categorization Server, Policy Verification, Reporting and Analysis, Intrusion Detection, an Enterprise Management Platform (OpenView, Tivoli, etc.) and Meta IP Address Management with User-to-Address Mapping; VPN-1/Firewall-1 Gateways sit between the Intranet, the Internet, a remote office and VPN-1 SecuRemote / VPN-1 SecuClient users)
OPSEC API overview
(Figure: an OPSEC client process and an OPSEC server process, each with an OPSEC service API layered over an OPSEC transport API; the client and server can also be the same process. The OPSEC transport layer links client and server over TCP, memory or another mechanism)
• Message based, layered environment
• OPSEC Transport Layer converts messages into events
• Client locates and initiates the connection to the Server
• Server implements one or more OPSEC security tasks
Life Cycle of OPSEC Application
(Figure: program startup, initialization, then the main loop; events #1 and #2 arrive asynchronously and are dispatched to the handler for each event)
• Endless loop (opsec_mainloop)
  • Waits for events to occur and processes them
• Events are handled by the OPSEC application
  • The OPSEC layer may call user-defined functions to process events
OPSEC Environments
(Figure: machines run processes; each process holds one OPSEC environment; an environment contains OPSEC entities such as a LEA server, LEA client, SAM server or SAM client, and OPSEC sessions connect entities across processes and machines)
• A framework for OPSEC applications to communicate
• One OPSEC environment for each OPSEC process
• An OPSEC entity is an instantiation of a specific behavior
OPSEC subcomponents
• CVP (Content Vectoring Protocol): content security
• UFP (URL Filtering Protocol): web resource management
• SAMP (Suspicious Activity Monitoring Protocol): IDS interoperability
• LEA (Log Export API): reporting and event analysis
• ELA (Event Logging API): security and event consolidation
• OMI (OPSEC Management Interface): management and analysis
• UAM (User to Address Mapping API): association between user and IP address
• SAA (Secure Authentication API): integrated authentication
Content Security: CVP
(Figure: Firewall-1/VPN-1 acts as the CVP client; the buffer in the source-to-destination flow is handed through API functions to the CVP server, whose event handler (callback) functions inspect it and return it into the server flow toward the destination)
• Outsourcing some functionality to other content security systems
• Forward the buffer to the CVP server for inspection of
  • Viruses, malicious code
  • Flow of confidential data out of the network
  • Specific URL access
• CVP client and server know nothing about each other, except that the client knows where to find the server
Content Security: CVP (mail example)
(Figure: Internet mail arrives at the firewall, is passed to a 3rd-party Anti-Virus application server for scan and cure, and is then delivered to the mail server)
• CVP applied to detect and cure mail compromised by viruses
  • The firewall rule base specifies virus checking and disinfection on mail attachments
  • The firewall's CVP client contacts the Anti-Virus server and transfers the file attachment for processing
  • The Anti-Virus content validation server scans for viruses and disinfects the file
  • The Anti-Virus server returns the virus-free file and log information to the firewall
Web Resource Management: UFP
• Track and monitor web usage
• Categorize and control HTTP communication based on the specific URL address
• Operations
  • The UFP client on the firewall passes the URL to the UFP server
  • The UFP server returns the classification (category) of the URL
  • The firewall determines the appropriate action in accordance with the security policy for that category
Intrusion Detection: SAMP
• Intrusion detection by monitoring events
• Active feedback loop integration between the IDS and Firewall/VPN gateways
• The SAMP API enables Firewall-1/VPN-1 to block the connection when an IDS detects suspicious activity on the network or on a specific host
• The SAMP API defines an interface through which an IDS can communicate with a VPN-1/Firewall-1 management server
  • The management server directs the VPN-1/Firewall-1 modules to terminate sessions or deny access to those specific hosts
Event Integration: LEA, ELA
• LEA (Log Export API)
  • Enables applications to read the VPN-1/Firewall-1 log database
  • A LEA client can retrieve both real-time and historical log data from the Management Console acting as LEA server
  • A reporting application can use the LEA client to process the logged events generated by the VPN-1/Firewall-1 security policy
• ELA (Event Logging API)
  • Used to write to the VPN-1/Firewall-1 log database
  • Enables third party applications to trigger the VPN-1/Firewall-1 alert mechanism for specific events
  • Enables the Management Console to become the central event repository for all traffic event accounting and analysis
  • With SAMP, applications can track suspicious activity and request VPN-1/Firewall-1 to terminate a malicious activity
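The read-then-react chain described on the SAMP and LEA/ELA slides, as an added example that is not Check Point's code: a reporting application reads exported firewall records the way a LEA client would, flags a source whose dropped connections touch many distinct services, and builds a SAMP-style inhibit request with an expiry for it. The record format, the field names and the request layout are constructed assumptions, not the real OPSEC formats.

```python
"""Reporting and response over exported firewall log records.

Added example, not Check Point code: a LEA-style reader parses exported
records, a detector flags a source dropped on many distinct services, and
a SAMP-style inhibit request with an expiry is built for it.  The record
format below is a constructed, simplified one, not the real log layout.
"""
from collections import defaultdict

# Constructed sample export: "<time> action=<a> src=<ip> dst=<ip> service=<port> proto=<p>"
SAMPLE_LOG = """\
12:00:01 action=accept src=10.1.1.5 dst=192.0.2.10 service=80 proto=tcp
12:00:02 action=drop src=198.51.100.7 dst=192.0.2.10 service=21 proto=tcp
12:00:02 action=drop src=198.51.100.7 dst=192.0.2.10 service=22 proto=tcp
12:00:03 action=drop src=198.51.100.7 dst=192.0.2.10 service=23 proto=tcp
12:00:03 action=drop src=198.51.100.7 dst=192.0.2.11 service=25 proto=tcp
12:00:04 action=drop src=198.51.100.7 dst=192.0.2.11 service=110 proto=tcp
12:00:05 action=drop src=10.1.1.9 dst=192.0.2.10 service=137 proto=udp
this line is malformed
12:00:06 action=accept src=10.1.1.5 dst=192.0.2.10 service=443 proto=tcp
"""

def parse_record(line):
    """Parse one record into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    rec = {"time": parts[0]}
    for token in parts[1:]:
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        rec[key] = value
    return rec if {"action", "src", "dst", "service"} <= rec.keys() else None

def read_log(text):
    """LEA-client stand-in: parsed records in order, bad lines skipped."""
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]

def suspicious_sources(records, min_ports=5):
    """Sources whose dropped connections hit at least min_ports distinct services."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "drop":
            ports[r["src"]].add(r["service"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)

def build_inhibit_request(src, expire_seconds=3600):
    """SAMP-style request: ask the management server to have the gateways deny
    traffic from src for a limited time (field names are assumptions)."""
    return {"cmd": "inhibit", "src": src, "expire": expire_seconds, "log": True}

def respond(text, min_ports=5):
    """Whole loop: read the export, detect, and produce inhibit requests."""
    return [build_inhibit_request(s) for s in suspicious_sources(read_log(text), min_ports)]

if __name__ == "__main__":
    for req in respond(SAMPLE_LOG):
        print(req)
```

The expiry matters: a block requested by an automated loop should age out, otherwise a spoofed source address turns the feedback loop into a way to deny service to legitimate hosts.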
Management and Analysis: OMI
• Interface to the central policy database to share objects such as
  • Host, Network, User, Service, Resource, Server, Key, ...
• Ties together different products that may control security policies in different domains
• Enables third party applications to securely access the policy stored in the management server, with read access to
  • Policies stored in the management server
  • Network objects, services, resources, users, templates, groups and servers defined in the management server
  • The list of all administrators that are allowed to log into the management server
Authentication: SAA
(Figure: customers, partners and a remote site running VPN-1 SecuRemote reach the VPN-1 Gateway over the Internet)
• SAA (Secure Authentication API)
  • Supports a wide variety of authentication mechanisms such as biometric devices, challenge-response tokens and passwords
  • Passes authentication information to the authentication server
  • After authentication, the VPN gateway acquires the user's certificate from the CA server, and then the IPSEC/IKE session is established
OPSEC Framework Partners
• Content Security
  • Safe gate, Computer Associates
  • Norton AntiVirus for Firewalls, Symantec
• Event Analysis and Reporting
  • Firewall HealthCHECK, VeriSign
  • Web Trends for Firewalls and VPNs, Web Trends
• Authentication and Authorization
  • Defend Security Server, Axent Technologies, Inc.
  • ACE/Server, RSA Security
• Enterprise Directory Servers
  • IBM SecureWay Directory, IBM
  • Novell Directory Services, Novell
• Intrusion Detection
  • RealSecure, Check Point Technologies, Ltd.
  • SessionWall-3, Platinum
  • Go! Secure, VeriSign
Overview of Active Security
(Figure: a Vulnerability Scanner feeds the Event Orchestra, which consults the Security Policy and drives the Helpdesk, the Firewall and Administrator Alerts)
• Detection (sensing) device
  • E.g. a Vulnerability Scanner that proactively scans the internal network
• Event Orchestra
  • Accepts all alerts, compares them with the security policy and initiates responses
  • Is fed the Security Policy to decide what is important and how to respond
• Actions for security through
  • Helpdesk, Firewall, Administrator Alerts, etc.
More about Active Security
• Three roles
  • sensors: watch the network for trouble
  • arbiters: decide what to do when trouble happens
  • actors: take responsive action
• The heart of Active Security: Event Orchestra
  • Conducts central event management
  • Standards based open event management system
  • Centrally collects alerts and other inter-process communications from security products
  • Includes its own data store, but also works with other databases using ODBC
• Current Active Security products
  • sensor: CyberCop Scanner (Windows NT)
  • arbiter: Event Orchestra (Windows NT)
  • actor: Gauntlet firewall (Windows NT / UNIX)
Example of Active Security: CyberCop
(Figure: the WMI provider / object manager / consumer model; existing Windows 2000 providers (event log, performance monitor, CyberCop Monitor logs) and forthcoming ones (file/print, SQL server, others) deliver anti-virus, IDS, firewall and other events to the Event Orchestra action module)
• WMI (Windows Management Instrumentation)
  • Describes a standard way of accessing and representing management information in Windows 2000 networks
  • Enables real-time monitoring
  • Enhances interoperability of security applications
Active Security Illustration
(Figure: a Firewall, a Network Virus Protection Gateway, a Network File Server, Host1 and a Vulnerability Scanner, each paired with a Sensor agent (S) and/or an Actor agent (A), around the Event Orchestra)
1. An incoming mail message arrives at the Firewall
2. The Firewall redirects the mail to the anti-virus server
3. Sensor: virus found in message From: bar@domain.com To: joe@ourdomain.com
4. Action: do not accept mail from bar@domain.com
5. Action: scan all files owned by 'joe' on the Network File Server
6. The Vulnerability Scanner scans hosts for compliance with the network security policy
7. Sensor: unallowed 'finger' service found on Host1
8. Action: shut down the 'finger' service on Host1
What is CDSA?
• The open, cross-platform, interoperable, extensible and exportable security infrastructure
  • Specification and Reference Implementation
  • Adopted by The Open Group in November 1997
  • "Mature" code base from Intel, widely reviewed by industry
• A robust security building block for eBusiness software solutions
  • Enables interoperability for security apps and services
  • Allows developers to focus on application expertise
CDSA Design Goals
• Create an open, interoperable, cross-platform security infrastructure
• Support use and management of the fundamental elements of security:
  • Certificates, trust, cryptography, integrity
  • Authentication, authorization
• Make extensible above and below
  • Embrace emerging technologies
  • Plug-and-play service provider model
  • Extend to new services
  • Layered service provider model
CDSA Architecture
CDSA defines a four-layer architecture for cross-platform, high-level security services:
• Applications
• Layered Security Services
• Common Security Services Manager (CSSM), reached through the CSSM Security API; CSSM defines a common API / SPI for security services and an integrity foundation
• Security Service Add-in Modules, attached through the Service Provider Interfaces; service providers implement selectable security services
Structure of ISMS
(Figure: a security management web client talks to the ISMS Engine, which keeps the central policy database in a DBMS and manages agents over SNMP; one agent with its policy sits in each of Network A (Firewall), Network B (IDS) and Network C (VPN))
Features of ISMS
• Integrated policy management
  • Maintains a logical security domain for consistent security management
  • Applies access control policy automatically by deploying a blacklist to agents
• Automated response to threats
  • Automatic policy integrity check at the management server
  • Removes potential risks resulting from human mistakes by autonomous operation and by integrity checking
• Notification through a unified user interface
  • Integrated view for security management through the web interface
  • Statistical information based on collected information
• Fault tolerant security management
  • Records all security related events through central logging
  • Simple policy recovery and backup through central policy management
• Scalability and flexibility using the master-agent paradigm
  • No modification to the management engine
Detailed ISMS architecture
(Figure, three tiers:
• Security management client: notification, policy, configuration, monitoring, status and log UIMs; notification processing module; display module; message communication module over secure UDP / secure TCP
• Central security management server: message communication module, session management module, message analyzing module, notification message processing module, user authentication module, policy processing module, configuration management module (configuration file), log management module (log file), DBMS interface and DBMS proxy in front of the security management DBMS (SMDB); management message communication module over secure UDP to the agents
• Security management agent: management message communication module, message analyzing module, notification processing module, configuration management module (configuration file), state monitoring module, log management module (log file), and a security system control module driving the security product)
Detailed ISMS Engine
(Figure: the manager's ISMS client is a Java applet downloaded over HTTP from the web server (HTTPD, HTML pages, Java applet); the WISMS engine holds user request processing modules with a request mapping table, data processing modules, a log manager (engine and agent log files), a communication module and a DBMS with user, policy and agent tables; an SNMP communication module with the ISMS MIB talks to the firewall, IDS and other security product agents)
• ISMS
  • Client (Java applet)
  • Engine (Solaris)
  • Agent (Solaris, LINUX, FreeBSD)
  • Uses the standard management protocol (SNMP)
  • Extensibility, scalability
• ISMS engine
  • Manages policies
  • Processes user requests
  • Notifies events
  • Collects information from agents
  • Manages log data
Integrated policy management
(Figure: the security management client edits security policies for the IDS, firewall and VPN; the central security management server stores the security management policy in the primary SMDB through the DBMS proxy, synchronizes it to a secondary SMDB for backup/restore, and distributes (or recovers) policies to the security management agents for IDS, firewall and VPN, which apply policy updates and action commands to their products)
Automated Response to threats
(Figure: the IDS detects a suspicious action; its security management agent reports it to the central security management server, whose response policy for that event (automatic response, stored in the SMDB via the DBMS proxy) issues a policy update/action command to the firewall/VPN agent; the agent replies with the result, the events are recorded in the log, and a notification is sent)
Notification for human operation
(Figure: as in the automatic case, but the response policy for this event is "notify manager / wait for command": the central security management server notifies the security manager through the security management client and sends the policy update/action command to the firewall/VPN agent only after the manager's command; the result reply and the events are logged)
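The two response modes on the slides above (automatic response, and notify the manager and wait for a command), together with the one-event-several-actions pattern of the Active Security illustration (one virus report yielding a firewall rule and a file-server scan), as an added example that is not the ISMS prototype's code. Event kinds, agent names, action names and the policy table are constructed.

```python
"""Central response policy: automatic response vs. notify-and-wait.

Added example, not the ISMS prototype's code.  An agent reports an event;
the central server logs it and looks up the response policy: 'auto' entries
are dispatched to their target agents at once, 'notify' entries wait for
the security manager's command.  All names here are constructed.
"""
from dataclasses import dataclass, field

@dataclass
class Event:
    source: str    # reporting agent, e.g. "ids-agent"
    kind: str      # event type, e.g. "port_scan"
    subject: str   # host, address or sender the event is about

# Response policy as stored in the SMDB (constructed): kind -> (mode, [(agent, action)])
RESPONSE_POLICY = {
    "virus_in_mail": ("auto", [("firewall", "deny_sender"), ("fileserver", "scan_user_files")]),
    "port_scan": ("auto", [("firewall", "deny_source")]),
    "root_login_attempt": ("notify", [("vpn", "terminate_sessions")]),
}

def agent_apply(agent, action, subject):
    """Stand-in for a security management agent executing a command."""
    return f"{agent}: {action} applied to {subject}"

@dataclass
class CentralServer:
    policy: dict
    log: list = field(default_factory=list)      # central logging of events and results
    pending: dict = field(default_factory=dict)  # ticket -> (event, actions) awaiting the manager
    next_ticket: int = 1

    def handle(self, event):
        """Record the event, then act or notify according to the policy."""
        self.log.append(("event", event.source, event.kind, event.subject))
        mode, actions = self.policy.get(event.kind, ("notify", []))  # unknown kinds go to a human
        if mode == "auto":
            return {"status": "done", "results": self._dispatch(event, actions)}
        ticket, self.next_ticket = self.next_ticket, self.next_ticket + 1
        self.pending[ticket] = (event, actions)
        self.log.append(("notify", ticket, event.kind, event.subject))
        return {"status": "waiting", "ticket": ticket, "proposed": actions}

    def manager_command(self, ticket, approve):
        """Security manager's reply to a notification (KeyError if the ticket is unknown)."""
        event, actions = self.pending.pop(ticket)
        if not approve:
            self.log.append(("rejected", ticket, event.kind))
            return {"status": "rejected", "ticket": ticket}
        return {"status": "done", "results": self._dispatch(event, actions)}

    def _dispatch(self, event, actions):
        """Send each action command to its agent and log the reply."""
        results = []
        for agent, action in actions:
            results.append(agent_apply(agent, action, event.subject))
            self.log.append(("result", agent, action, event.subject))
        return results
```

Every branch writes to the central log before and after acting, which is what makes the "records all security related events through central logging" feature usable for review of automatic responses.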
Logical secure domain maintenance
(Figure: the security management client registers users; the central security management server keeps user information and domain user information in the SMDB via the DBMS proxy and records a log; the security management agents for the firewall and the VPN, together with applications with authentication capability, enforce the secure domain through access control (firewall) and secure communication (VPN))
Blacklist management
(Figure: the blacklist is stored in the SMDB and updated either manually from the security management client or automatically from suspicious subject information reported by the security management agent for the IDS; the central security management server pushes blacklist information or policy updates to the firewall and VPN agents, and the server and every agent record a log)
ISMS Deployment Structure
(Figure: a web client sends the user's requests to the ISMS Engine behind the external firewall and receives results; the engine sends control messages and policy updates to the external firewall, internal firewalls 1 and 2, the IDS and the virus scanner that protect internal networks 1 to 3)
Summary
• Increasing need for integrated security management
  • Easy and unified user interface
  • Integrated policy management
• Currently integrated security management is a hot issue
  • Checkpoint (OPSEC), Network Associates (Active Security), and Intel (CDSA) develop standards and prototypes
  • They are still under development
  • CDSA is publicly available
• We have been working on
  • Designing an integrated model to manage various security products
  • Developing a prototype system with a one-view, total-security concept