270 likes | 287 Views
Security Related Research Projects at UCCS Network Research Lab. C. Edward Chow Department of Computer Science University of Colorado at Colorado Springs. Outline of the Talk. Brief Introduction to the Network/Protocol Research Lab at UCCS
E N D
Security Related Research Projects at UCCS Network Research Lab C. Edward Chow Department of Computer Science University of Colorado at Colorado Springs
Outline of the Talk • Brief Introduction to the Network/Protocol Research Lab at UCCS • Network security related research projects at UCCS Network/Protocol Research Lab • Autonomous Anti-DDoS Project • Secure Collective Defense Project • BGP/MPLS based VPN Project • Discussion on AFA-UCCS Joint Research/Teaching Projects on Information Assurance • Penetration Analysis/Testing exercises? • Intrusion Detection/Handling exercises? • Other Cyberwarfare related projects? • Security Form/Seminar Series
UCCS Network Research Lab • Personnel: • Director: Dr. C. Edward Chow • Graduate students: • Chandra Prakash: High Available Linux kernel-based Content Switch • Ganesh Godavari: Linux based Secure Web Switch • Angela Cearns: Autonomous Anti-DDoS (A2D2) Testbed • Longhua Li: IXP-based Content Switch • Yu Cai (Ph.D. research assistant): Multipath Routing • Jianhua Xie (Ph.D.): Secure Storage Networks • Frank Watson: Content Switch for Email Security • Paul Fong: Wireless AODV Routing for sensor networks • Nirmala Belusu: Wireless Network Security PEAP vs. TTLS • David Wikinson/Sonali Patankar: Secure Collective Defense • Murthy Andukuri/Jing Wu: Enhanced BGP/MPLS-based VPN • Patricia Ferrao: Web-based Collaborative System Support
UCCS Network Lab Setup • Gigabit fiber connection to UCCS backbone • Switch/Firewall/Wireless AP: • HP 4000 switch; 4 Linksys/Dlink Switches. • Sonicwall Pro 300 Firewall • 8 Intel 7112 SSL accelerators; 4 7820 XML directors donated by Intel. • Cisco 1200 Aironet Dual Band Access Point and 350 client PC/PCI cards (both 802.11a and 802.11b cards). • Intel IXP12EB network processor evaluation board • Servers: Two Dell PowerEdge Servers. • Workstations/PCs: • 8 Dell PCs (3Ghz-500Mhz); 12 HP PCs (500-233Mhz) • 2 laptop PCs with Aironet 350 for mobile wireless • OS: Linux Redhat 8.0; Window XP/2000
HP4000SWGigibit Fiber to UCCS Backbone&WorkstationDell ServerIntel IXP Network Processor
Intel 7110 SSL Accelerators • 7280 XML Director
DDoS: Distributed Denial of Service Attack DDoS Victims:Yahoo/Amazon 2000CERT 5/2001DNS Root Servers 10/2002 DDoS Tools:StacheldrahtTrinooTribal Flood Network (TFN)
How wide spread is DDoS? • Research by Moore et al of University of California at San Diego, 2001. • 12,805 DoS in 3-week period • Most of them are Home, small to medium sized organizations
Intrusion Related Research Areas • Intrusion Prevention • General Security Policy • Ingress/Egress Filtering • Intrusion Detection • Anomaly Detection • Misuse Detection • Intrusion Response • Identification/Traceback/Pushback • Intrusion Tolerance
Security Related Research Projects • Secure Content Switch • Autonomous Anti-DDoS Project • Deal with Intrusion Detection and Handling; • Techniques: • IDS-Firewall Integration • Adaptive Firewall Rules • Easy to use/manage. • Secure Collective Defense Project • Deal with Intrusion Tolerance; How to tolerate the attack • Techniques (main ideaExplore secure alternate paths for clients to come in) • Multiple Path Routing • Secure DNS extension: how to inform client DNS servers to add alternate new entries • Utilize a consortium of Proxy servers with IDS that hides the IP address of alternate gateways. • BGP/MPLS based VPN Project • Content Switch for Email Security.
Design of an Autonomous Anti-DDOS Network (A2D2) • Graduate Student: Angela Cearns • Goals: • Study Linux Snort IDS/Firewall system • Develop Snort-Plug-in for Generic Flood Detection • Investigate Rate Limiting and Class Based Queueing for Effective Firewall Protection • Intrusion Detection automatically trigger adaptive firewall rule update. • Study QoS impact with/without A2D2 system. • http://cs.uccs.edu/~chow/pub/master/acearns/doc/
A2D2 QoS Results - Baseline Playout Buffering to Avoid Jitter • 10-min Video Stream betweenReal Player &Real Server • Packets Received: • Around 23,000 (23,445) • No DDoS Attack QoS Experienced at A2D2 by Real Player Client with No DDoS
A2D2 Results – Non-stop Attack • Packets Received: 8,039 • Retransmission Request: 2,592 • Retransmission Received: 35 • Lost: 2,557 • Connection Timed-out Lost of Packets QoS Experienced at A2D2 Client
A2D2 Results – UDP AttackMitigation: Firewall Policy • Packets Received: 23,407 • Retransmission Request: 0 • Retransmission Received: 0 • Lost: 0 • Look like we just need plainold Firewall rules, no fancy Rate Limiting/CBQ? QoS Experienced at A2D2 Client
A2D2 Results – ICMP AttackMitigation: Firewall Policy • Packets Received: 7,127 • Retransmission Request: 2,105 • Retransmission Received: 4 • Lost: 2,101 • Connection Timed-out • Just plain old firewall ruleis not good enough! Packet/Connection Loss QoS Experienced at A2D2 Client
A2D2 Results – TCP AttackMitigation: Policy+CBQ • Turn on CBQ • Packets Received: 22,179 • Retransmission Request: 4,090 • Retransmission Received: 2,641 • Lost: 1,449 • Screen Quality Impact! Look OK But Quality Degrade QoS Experienced at A2D2 Client
A2D2 Results – TCP AttackMitigation: Policy+CBQ+RateLimiting • Turn on Both CBQ & Rate Limiting • Packets Received: 23,444 • Retransmission Request: 49 – 1,376 • Retransmission Received: 40 – 776 • Lost: 9 – 600 • No image quality degradation QoS Experienced at A2D2 Client
A2D2 Future Works • Extend to include IDIP/Pushback • Anomaly Detection • Improve Firewall/IDS Processing Speed • Scalability Issues • Tests with More Services Types • Tests with Heavy Client Traffic Volume • Fault Tolerant (Multiple Firewall Devices) • Alternate Routing
R2 R1 R3 Alternate Gateways Wouldn’t it be Nice to Have Alternate Routes? net-a.com net-b.com net-c.com ... ... ... ... A A A A A A A A DNS3 DNS1 DNS2 R R R How to reroute clients traffic through R1-R3? R DNS DDoS Attack Traffic Client Traffic Victim
R2 R1 R3 Alternate Gateways Implement Alternate Routes net-a.com net-b.com net-c.com ... ... ... ... A A A A A A A A DNS3 DNS1 DNS2 R R R Need to Inform Clients or Client DNS servers!But how to tell which Clients are not compromised?How to hide IP addresses of Alternate Gateways? R DNS DDoS Attack Traffic Client Traffic Victim
net-a.com net-b.com net-c.com ... ... ... ... A A A A A A A A DNS3 DNS1 DNS2 R R R New route via Proxy3 to R3 Proxy3 Proxy1 Proxy2 Attack msgs blocked by IDS Blocked by IDS block R R2 R3 R1 Sends Reroute Command with DNS/IP Addr. Of Proxy and Victim distress call Victim Possible Solution for Alternate Routes
Secure Collective Defense • Main IdeaExplore secure alternate paths for clients to come in; Utilize geographically separated proxy servers. • Goal: • Provide secure alternate routes • Hide IP addresses of alternate gateways • Techniques: • Multiple Path Routing • Secure DNS extension: how to inform client DNS servers to add alternate new entries (Not your normal DNS name/IP address mapping entry). • Utilize a consortium of Proxy servers with IDS that hides the IP address of alternate gateways. • How to partition clients to come at different proxy servers? may help identify the attacker! • How clients use the new DNS entries and route traffic through proxy server? Use Sock protocol, modify resolver library?
New UCCS IA Degree/Certificate • Master of Engineering Degree in Information Assurance • Certificate in Information Assurance (offered to Peterson AFB through NISSC) • Computer Networks; Fundamental of Security; Cryptography; Advanced System Security Design
New CS691 Course on Advanced System Security Design • Use Matt Bishop new Computer Security Text • Spring 2003: With one class at UCCS; one at Peterson AFB. • Potential use/cooperation with Distribute Security Lab of Ratheon? • Integrate security research results into course material such as A2D2, Secure Collective Defense, MPLS-VPN projects. • Invite speakers from Industry such as Innerwall and AFA? • Looking for potential joint exercises with other institutions such as AFA.
Joint Research/Teaching Effort on Information Assurance • Penetration Analysis/Testing exercises? • Intrusion Detection/Handling exercises? • Other Cyberwarfare related projects? • Security Forum organized by Dean Haefner/Dr. Ayen • Security Seminar Series with CITTI funding support • Look for Speakers (suggestion?)