integrated security management knom-2000 2000. 12. 12


Upload: kent

Post on 11-Feb-2016


Page 1: INTEGRATED SECURITY MANAGEMENT KNOM-2000 2000. 12. 12

LSTR Real-Time Systems Laboratory

Tai M. Chung
Real-Time Systems Lab., Sungkyunkwan University

[email protected]@ece.skku.ac.kr

Page 2: Talk Outline

- Introduction to ISM and Research Objectives
- Current Integrated Security Management Technologies
  - OPSEC
  - Active Security
  - Common Data Security Architecture
- Integrated Security Management System
  - Architecture of ISMS
  - Features of ISMS
  - Architecture & Detailed Modules of ISMS
- Current Status and Future Development of ISMS

Page 3: Why ISM?

- Increasing complexity & difficulty of security products
- Diverse security policies for heterogeneous security systems scattered over wide network
- Increasing risks resulting from human mistakes
- Need for immediate and automated response to various security threats
- Need for unified human interface for simple management

[Diagram labels: Security Management; VPN; Virus Check; Vulnerability Test; IDS; Firewall; Intrusion Tracking; File Security; Authentication; Encryption]

Page 4: Research Objectives

- Develop a common representation scheme for diverse security policies with
  - Integrated policy and data management scheme
  - Easy and unified interface for total management
- Prototype a master-agent based integrated security management system that includes
  - Coordinated management model based on common representation scheme
  - Immediate and autonomous response to security threats
  - Fault tolerant capability for continuous service
  - Flexible and scalable management architecture

Page 5: Security System Integration

- Trends of ISM
- OPSEC
- Active Security

Page 6: Hybrid Integration Model

- Integrate IDS functionality with firewall
- CISCO IOS + Firewall IDS
  - Firewall includes IDS functionality for mid-range, high-performance platforms
  - Limited to detecting the most significant attacks only
  - Acts as in-line intrusion detection sensor: watching packets and sessions to detect intrusion as well as to apply firewall policy

[Diagram labels: Firewall module; IDS module; Attack signatures; Access policies; Auditing rules; intrusion detected; block the connection; match found; Mail to admin; Paging; Internet; Internal network]

Page 7: Interoperational Model

- Real-time intrusion blocking: IDS interoperable with firewall
- RealSecure (ISS) + Firewall-1 (Checkpoint)
- When IDS detects misuse or attacks:
  ① Reconfiguring firewall to block all traffic from a suspicious source
  ② Alerting appropriate personnel through user interface
  ③ Sending an SNMP trap to NMS to record the session information
  ④ Terminating connections if possible

[Diagram labels: Internet; External firewall; DMZ network; Server pool (for public/customer service); Internal firewall; Internal network; IDS; NMS; Mail server; Policy configuration message; SNMP trap; Mail to admin; Paging]

Page 8: OPSEC by Checkpoint

- Open Platform for Security / Open Platform for Secure Enterprise Connection
- Based on SVN (Secure Virtual Network) environment
  - Goes beyond VPNs for securing all internet gateways
  - Fine-grain access control for all users
- Provisioning of integration and interoperability to the various security products such as VPN-1, Firewall-1, FloodGate-1, and Meta IP; OpenView, Tivoli, etc.

Page 9: OPSEC framework

[Diagram labels: Intranet; Policy Verification; Reporting and Analysis; Check Point Management Console with Account Management CA; Enterprise Management Platform (OpenView, Tivoli, etc.); Meta IP Address Management with User-to-Address Mapping; Directory Server; VPN-1/Firewall-1 Gateway; Content Security Server; URL Categorization Server; VPN-1 SecuRemote / VPN-1 SecuClient; Intrusion Detection; Internet; VPN-1/Firewall-1 Gateway; Remote office]

Page 10: OPSEC API overview

- Message based, layered environment
- OPSEC Transport Layer converts messages into events
- Client locates and initiates the connection to the Server
- Servers implement one or more OPSEC security tasks

[Diagram labels: OPSEC Client Process (OPSEC client, OPSEC service API, OPSEC transport API); OPSEC Server Process (OPSEC server, OPSEC service API, OPSEC transport API); OPSEC Transport (TCP, Memory, Other mechanism)]

- The OPSEC Client and Server Process can also be the same process
- The OPSEC Transport Layer links the OPSEC Client and Server using one of these mechanisms

Page 11: Life Cycle of OPSEC Application

- Endless loop (opsec_mainloop)
- Waits for events to occur and processes them
- Events are handled by the OPSEC application
- OPSEC layer may call user-defined functions to process events

[Diagram labels: Program startup; Initialization; mainloop; Asynchronous Events (Event #1, Event #2); Handle for Event #1; Handle for Event #2]

Page 12: OPSEC Environments

[Diagram labels: Machine; Process; OPSEC environment; OPSEC entity (LEA server, LEA client, SAM server, SAM client); OPSEC session]

- A framework for OPSEC applications to communicate
- One OPSEC environment for each OPSEC process
- OPSEC entity is an instantiation of a specific behavior

Page 13: OPSEC subcomponents

- CVP (Content Vectoring Protocol): Content security
- UFP (URL Filtering Protocol): Web resource management
- SAMP (Suspicious Activity Monitoring Protocol): IDS interoperability
- LEA (Log Export API): Reporting and event analysis
- ELA (Export Logging API): Security and event consolidation
- OMI (OPSEC Management Interface): Management and analysis
- UAM (User to Address Mapping API): Association between user and IP address
- SAA (Secure Authentication API): Integrated authentication

Page 14: Content Security: CVP

- Outsourcing some functionalities to other content security systems
- Forward buffer to CVP server for inspection
  - Viruses, malicious codes
  - Flow out of confidential data
  - Specific URL access
- CVP client and server know nothing about each other, except that the client knows where to find the server

[Diagram labels: Firewall-1/VPN-1; CVP client; Buffer; CVP server; Source; Destination; Destination flow; Server flow; Event handler (callback) functions; Events; API functions]

Page 15: Content Security: CVP

- Applied CVP to detect and cure mail compromised by viruses
  - Firewall rule base specifies virus checking and disinfection on mail attachment
  - Firewall CVP client contacts the Anti-Virus server and transfers the file attachment for processing
  - The Anti-Virus content validation server scans for viruses, disinfects the file
  - The Anti-Virus server returns the virus-free file and log information to the firewall

[Diagram labels: Internet; Internet Mail; Mail Server; 3rd Party Anti-Virus Application Server; Scan and cure]

Page 16: Web Resource Management: UFP

- Track and monitor web usage
- Categorize and control HTTP communication based on specific URL address
- Operations
  - URL client on the firewall passes the URL to the UFP server
  - URL server returns a classification of the category for the URL
  - Firewall determines the appropriate action in accordance with the security policy related to the category

Page 17: Intrusion Detection: SAMP

- Intrusion detection by monitoring events
- Active feedback loop integration between IDS and Firewall/VPN gateways
- SAMP API enables Firewall-1/VPN-1 to block the connection when an IDS detects suspicious activity on the network or specific host
- SAMP API defines an interface through which an IDS can communicate with a VPN-1/Firewall-1 management server
- Management server directs the VPN-1/Firewall-1 modules to terminate sessions or deny access to those specific hosts.

Page 18: Event Integration: LEA, ELA

- LEA (Log Export API)
  - Enables applications to read the VPN-1/Firewall-1 log database
  - LEA client can retrieve both real-time and historical log data from Management Console of LEA server
  - A reporting application can use the LEA client to process the logged events generated by the VPN-1/Firewall-1 security policy
- ELA (Event Logging API)
  - Used to write to the VPN-1/Firewall-1 log database
  - Enables third party applications to trigger the VPN-1/Firewall-1 alert mechanism for specific events
  - Enables Management Console to become the central event repository for all traffic events accounting and analysis
  - With SAMP, applications can track suspicious activity and request the VPN-1/Firewall-1 to terminate a malicious activity

Page 19: Management and Analysis: OMI

- Interface to central policy database to share objects such as Host, Network, User, Service, Resource, Server, Key, ...
- Tie together different products that may control security policies in different domains
- Enables third party applications to securely access the policy stored in the management server by providing access to read
  - Policies stored in the management server
  - Network objects, services, resources, users, templates, groups and servers defined in the management server
  - List of all administrators that are allowed to log into the management server

Page 20: Authentication: SAA

- SAA (Secure Authentication API)
  - Supports wide variety of authentication mechanisms such as biometric devices, challenge response tokens and passwords
  - Passing authentication information to the authentication server
  - After authentication, VPN gateway acquires user's certificate from CA server, and then IPSEC/IKE session is established

[Diagram labels: Internet; VPN-1 Gateway; VPN-1 SecuRemote; Customers; Partners; Remote site]

Page 21: OPSEC Framework Partners

- Content Security: Safe gate, Computer Associates; Norton AntiVirus for Firewalls, Symantec
- Authentication and Authorization: Defend Security Server, Axent Technologies, Inc.; ACE/Server, RSA Security
- Intrusion Detection: RealSecure, Check Point Technologies, Ltd.; SessionWall-3, Platinum
- Event Analysis and Reporting: Firewall HealthCHECK, VeriSign; Web Trends for Firewalls and VPNs, Web Trends
- Enterprise Directory Servers: IBM SecureWay Directory, IBM; Novell Directory Services, Novell
- Enterprise Directory Servers: Go! Secure, VeriSign

Page 22: Overview of Active Security

- Detection (Sensing) device
  - E.g.: Vulnerability Scanner to proactively scan internal network
- Event Orchestra
  - Accepts all alerts, compares with security policy and initiates responses
  - Fed in Security Policy to decide what is important and how to respond
- Actions for security through Helpdesk, Firewall, Administrator Alerts, etc.

[Diagram labels: Security Policy; Vulnerability Scanner; Event Orchestra; Helpdesk; Firewall; Administrator Alerts]

Page 23: More about Active Security

- The heart of Active Security: Event orchestra
  - Conducts central event management
  - Standard based open event management system
  - Centrally collects alerts and other inter-process communications from security products
  - Includes own data store, but also works with other database using ODBC
- Current Active Security products
  - sensor: CyberCop scanner (Windows NT)
  - arbiter: Event orchestra (Windows NT)
  - actor: Gauntlet firewall (Windows NT / UNIX)

[Diagram labels: sensors watch the network for trouble; arbiters decide what to do when trouble happens; actors take responsive action]

Page 24: Example of Active Security: CyberCop

- WMI (Windows Management Instrumentation)
  - Describes a standard way of accessing and representing management information in Windows 2000 networks
  - Enables real-time monitoring
  - Enhances interoperability of security applications

[Diagram labels: Provider; Existing; Forthcoming; Logs; Event log; Performance monitor; File/print; SQL server; Others; Anti-virus events; IDS events; Firewall events; Others; Windows 2000 WMI; Object manager; Consumer; Event Orchestra; CyberCop Monitor; Action module]

Page 25: Active Security Illustration

1. Incoming mail message
2. Redirect mail to anti-virus server
3. Virus found in message From : [email protected] : [email protected]
4. action : do not accept mail from [email protected]
5. action : Scan all files owned by 'joe'
6. Scan hosts for compliance to network security policy
7. Unallowed 'finger' service found on Host1
8. action : Shutdown 'finger' service on Host1

[Diagram labels: Firewall; Event Orchestra; Network Virus Protection Gateway; Network File Server; Host1; Vulnerability Scanner; legend: A = Actor agent, S = Sensor agent]
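
The numbered flow above, written out as an added example (not code from the presentation or from any product it names): a sensor, arbiter and actor loop in which the arbiter stores every event, looks up the policy, and checks sensor-supplied values before they reach an actor. All class names, event kinds, command strings and addresses are hypothetical or constructed.

```python
import re
from dataclasses import dataclass, field

# Sensor-supplied values (a mail sender address, for instance) are untrusted,
# so each is checked before it is placed in a command sent to an actor.
SAFE_VALUE = re.compile(r"[A-Za-z0-9._@-]{1,64}")

# Constructed policy mirroring the slide: event kind -> (actor, command template).
POLICY = {
    "virus_found": [
        ("firewall", "deny mail from {sender}"),
        ("file_server", "scan files owned by {recipient_user}"),
    ],
    "unallowed_service": [("host_agent", "stop service {service} on {host}")],
}


@dataclass
class Event:
    sensor: str                      # reporting sensor agent
    kind: str                        # event type, e.g. "virus_found"
    attrs: dict = field(default_factory=dict)


class Actor:
    """Stand-in for an actor agent: records the commands it is given."""

    def __init__(self, name):
        self.name = name
        self.received = []

    def apply(self, command):
        self.received.append(command)


class Arbiter:
    """Central event manager: stores events, consults policy, directs actors."""

    def __init__(self, policy, actors):
        self.policy = policy
        self.actors = {a.name: a for a in actors}
        self.event_store = []        # every alert is kept, acted on or not
        self.rejected = []           # (event, reason) pairs left for an operator

    def handle(self, event):
        self.event_store.append(event)
        rules = self.policy.get(event.kind)
        if rules is None:
            return []                # policy does not cover it: record only
        bad = sorted(k for k, v in event.attrs.items()
                     if not isinstance(v, str) or not SAFE_VALUE.fullmatch(v))
        if bad:
            self.rejected.append((event, "unsafe attribute: " + ", ".join(bad)))
            return []
        issued = []
        for actor_name, template in rules:
            try:
                command = template.format(**event.attrs)
            except KeyError as missing:
                self.rejected.append((event, f"missing attribute {missing}"))
                continue
            if actor_name not in self.actors:
                self.rejected.append((event, f"no actor named {actor_name}"))
                continue
            self.actors[actor_name].apply(command)
            issued.append((actor_name, command))
        return issued


def run_demo():
    """Replay the slide's two scenarios, then one report with a malformed sender."""
    arbiter = Arbiter(POLICY, [Actor("firewall"), Actor("file_server"), Actor("host_agent")])
    events = [
        Event("virus_gateway", "virus_found",
              {"sender": "mallory@sender.example", "recipient_user": "joe"}),
        Event("vuln_scanner", "unallowed_service", {"service": "finger", "host": "Host1"}),
        Event("virus_gateway", "virus_found",
              {"sender": "a@b.example; permit any", "recipient_user": "joe"}),
    ]
    return arbiter, [arbiter.handle(e) for e in events]
```

The third event is stored but produces no command, because its sender value fails the character check and is left in `rejected` for an operator.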

Page 26: What is CDSA?

- The open, cross-platform, interoperable, extensible and exportable security infrastructure
- Specification and Reference Implementation
  - Adopted by The Open Group in November 1997
  - "Mature" code base from Intel, widely reviewed by industry
- A robust security building block for eBusiness software solutions
  - Enables interoperability for security apps and services
  - Allows developers to focus on application expertise

Page 27: CDSA Design Goals

- Create an open, interoperable, cross platform security infrastructure
- Support use and management of the fundamental elements of security:
  - Certificates, trust, cryptography, integrity
  - Authentication, authorization
- Make extensible above and below
  - Embrace emerging technologies
  - Plug-and-play service provider model
  - Extend to new services
- Layered service provider model

Page 28: CDSA Architecture

- CDSA defines a four-layer architecture for cross-platform, high-level security services
- CSSM defines a common API / SPI for security services & an integrity foundation
- Service providers implement selectable security services

[Diagram labels: Applications; Layered Security Services; CSSM Security API; Common Security Services Manager; Service Provider Interfaces; Security Service Add-in Modules]

Page 29: Structure of ISMS

[Diagram labels: Web client; ISMS Engine; Central policy database (DBMS); security management policy; Network A, Network B, Network C; Agent (one per network); policy (to each agent); SNMP (to each agent); Firewall; IDS; VPN]

Page 30: Features of ISMS

- Integrated policy management
  - Maintain logical security domain for consistent security management
  - Applies access control policy automatically by deploying blacklist to agents
- Automated response to threats
  - Automatic policy integrity check at management server
  - Removes potential risks resulting from human mistakes by autonomous operation and by integrity checking
- Notification through unified user interface
  - Integrated view for security management through web interface
  - Statistic information based on collected information
- Fault tolerant security management
  - Records all security related events through central logging
  - Simple policy recovery and backup through central policy management
- Scalability and flexibility using master-agent paradigm
  - No modification to management engine

Page 31: Detailed ISMS architecture

[Diagram labels, components: Security management client; Security management DBMS; Central security management server; Security management agent; Security product]

[Diagram labels, modules: Message communication module; DBMS interface; Log management module; Message analyzing module; User authentication module; Policy processing module; Management message communication module; Session management module; Configuration management module; Notification message processing module; Notification processing module; Display module; Security system control module; State monitoring module; Policy UIM; Configuration UIM; Monitoring UIM; Status UIM; Log UIM; Notification UIM]

[Diagram labels, data and links: Log file; Configuration file; DBMS proxy; DBMS; SMDB; Secure TCP; Secure UDP]

Page 32: Detailed ISMS Engine

- ISMS
  - Client (Java applet)
  - Engine (Solaris)
  - Agent (Solaris, LINUX, FreeBSD)
  - Using standard management protocol (SNMP)
  - Extensibility, Scalability
- ISMS engine
  - Manages policies
  - Processes user requests
  - Notifies events
  - Collects information from agents
  - Manages log data

[Diagram labels: ISMS server; WISMS engine; ISMS MIB; Communication module; SNMP communication module; User table; Policy table; Agent table; DBMS; Request mapping table; Data processing modules; User request processing modules; Log manager; Engine logfile; Agent logfile; Firewall agent; Firewall agent; IDS agent; Agent for other security products; Web server; HTTPD; Java Applet; HTML Pages; Manager (ISMS client); Downloaded Java Applet; SNMP; TCP/IP; HTTP]

Page 33: Integrated policy management

[Diagram labels: Security management client; Central security management server; SMDB (primary); SMDB (secondary); DBMS proxy; Synchronizing DB; Backup/Restore; Security management policy; Policy update/action command; Policy distribution/recover; Security management agent for IDS; Security management agent for Firewall; Security management agent for VPN; Policy; Security policy for IDS; Security policy for firewall; Security policy for VPN; IDS; Firewall; VPN]

Page 34: Automated Response to threats

[Diagram labels: Central security management server; SMDB; DBMS proxy; Security management policy; Log; Record events; Response policy for specific event (Automatic response); Security management agent for IDS; Security management agent for firewall / VPN; Policy; Notification; Policy update/action command; Result reply; Detect suspicious action; IDS; Firewall / VPN]

Page 35: Notification for human operation

[Diagram labels: Security Manager; Security management client; Central security management server; SMDB; DBMS proxy; Security management policy; Log; Record events; Response policy for specific event (Notify manager/wait for command); Security management agent for IDS; Security management agent for firewall / VPN; Policy; Notification; Policy update/action command; Result reply; Detect suspicious action; IDS; Firewall / VPN]

Page 36: Logical secure domain maintenance

[Diagram labels: Secure domain; Central security management server; User registration; Application with authentication capability; Security management client; Security management agent for firewall; Security management agent for VPN; User information; Log; SMDB; Domain user information; DBMS proxy; Secure communication (VPN); Access control (Firewall)]

Page 37: Blacklist management

[Diagram labels: Central security management server; SMDB; DBMS proxy; Log; Blacklist; Manual blacklist update; Automatic blacklist update; Blacklist information or Policy update; Suspicious subject information; Security management client; Security management agent for firewall; Security management agent for VPN; Security management agent for IDS; Log (at each agent); Firewall; VPN; IDS]
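
The automated-response, notification and blacklist slides above describe a central server that either acts on its own or waits for the manager, then pushes the blacklist to enforcement agents. An added sketch of that control flow with a digest-based integrity check, not taken from the ISMS prototype; class names, event kinds, the protected-address list and the 192.0.2.x addresses are assumptions made for the example.

```python
import hashlib
import ipaddress
import json

ENFORCERS = ("firewall", "vpn")          # products that receive the blacklist


def digest(policy):
    """Stable SHA-256 over a policy dict, used for the integrity check."""
    return hashlib.sha256(json.dumps(policy, sort_keys=True).encode()).hexdigest()


class Agent:
    """Security management agent in front of one security product."""

    def __init__(self, name, product):
        self.name, self.product = name, product
        self.policy = {"blacklist": []}

    def install(self, policy):
        self.policy = json.loads(json.dumps(policy))   # private copy of the pushed policy
        return digest(self.policy)                     # result reply to the server


class CentralServer:
    def __init__(self, agents, response_policy, protected):
        self.agents = agents
        self.response_policy = response_policy   # event kind -> "automatic" or "notify"
        self.protected = set(protected)          # addresses that must never be blocked
        self.smdb = {"blacklist": []}            # central policy store
        self.log = []                            # central record of events and decisions
        self.pending = []                        # subjects waiting for the manager

    def report(self, agent_name, kind, subject):
        """Handle a suspicious-subject report from an IDS agent."""
        subject = str(ipaddress.ip_address(subject))   # ValueError on malformed input
        self.log.append(("event", agent_name, kind, subject))
        if subject in self.protected:
            self.log.append(("refused", kind, subject))
            return "refused"
        if self.response_policy.get(kind, "notify") == "automatic":
            return self.blacklist(subject, by="auto")
        self.pending.append(subject)             # unknown kinds also wait for a human
        return "pending"

    def approve(self, subject):
        """Apply the manager's command for a pending notification."""
        self.pending.remove(subject)             # ValueError if nothing is pending
        return self.blacklist(subject, by="manager")

    def blacklist(self, subject, by):
        if subject not in self.smdb["blacklist"]:
            self.smdb["blacklist"].append(subject)
        self.log.append(("blacklist", by, subject))
        want = digest(self.smdb)
        return {a.name: a.install(self.smdb) == want
                for a in self.agents if a.product in ENFORCERS}

    def integrity_check(self):
        """Restore agents whose deployed policy differs from the central copy."""
        want = digest(self.smdb)
        drifted = [a for a in self.agents
                   if a.product in ENFORCERS and digest(a.policy) != want]
        for agent in drifted:
            agent.install(self.smdb)
        return [a.name for a in drifted]


def run_demo():
    """Constructed scenario; addresses are from the documentation range."""
    fw, vpn, ids = Agent("fw", "firewall"), Agent("vpn", "vpn"), Agent("ids", "ids")
    server = CentralServer([fw, vpn, ids],
                           {"port_scan": "automatic", "login_failure": "notify"},
                           protected=["192.0.2.1"])
    auto = server.report("ids", "port_scan", "192.0.2.10")
    held = server.report("ids", "login_failure", "192.0.2.20")
    protected_hit = server.report("ids", "port_scan", "192.0.2.1")
    fw.policy["blacklist"].clear()               # simulate a mistaken local edit
    drifted = server.integrity_check()
    approved = server.approve("192.0.2.20")
    return server, fw, auto, held, protected_hit, drifted, approved
```

The protected list keeps an automatic response from cutting off an address the management plane depends on; such reports are logged and left for the manager.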

Page 38: ISMS Deployment Structure

[Diagram labels: Internet; External Firewall; Internal Firewall 1; Internal Firewall 2; Internal Network 1; Internal Network 2; Internal Network 3; ISMS Engine; web client; Web based security management; Virus Scanner; Access Control; IDS; User's request; Control message; request/result; Policy update]

Page 39: Summary

- Increasing need for integrated security management
  - Easy and unified user interface
  - Integrated policy management
- Currently Integrated Security Management is a hot issue
  - Checkpoint (OPSEC), Network Associate (Active Security), and Intel (CDSA) develop standards and prototypes
  - They are still under development
  - CDSA is publicly available
- We have been working on
  - Designing an integrated model to manage various security products
  - Developing a prototype system with one view and total security concept
