Secure Network Access System (SNAS)
Source: barc.gov.in/publications/nl/2014/spl2014/pdf/paper04.pdf
BARC Newsletter, Founder's Day Special Issue, October 2014
Gigi Joseph, Computer Division
Abstract
Cyber-security has emerged as an important issue because sophisticated cyber attacks on information assets and industrial assets pose serious threats to power plant control and to the critical information of our organization. It is well known that cyber security products sourced from other countries may have built-in trap doors, so the development of indigenous security solutions is very important. In April 2012, SNAS was launched as a commercial product at the national level by Dr. Srikumar Banerjee in the presence of Dr. Rajagopala Chidambaram in Delhi. ECIL provides marketing and support for SNAS. This article details some of the major highlights of SNAS.
Shri Gigi Joseph is the recipient of the DAE Homi Bhabha Science & Technology Award for the year 2012
Introduction
Secure Network Access System (SNAS) is an indigenously developed, integrated, host-aware network security appliance. It secures an enterprise network by intelligently sensing security threats and responding to them automatically. With next-generation portable devices, network access has become trouble-free, and users can be connected to multiple networks simultaneously. This renders the concept of perimeter-firewall-based network security useless: in such a scenario, firewalls need to be aware of endpoint status and health to counter the threats to organizational networks.
SNAS combines the features of a perimeter firewall with those of an endpoint security solution to provide a bird's eye view of the entire network as well as detailed information about each entity connected to it. SNAS is a highly scalable system which can be easily configured to suit the requirements of any small, medium or large enterprise with varying security concerns. It identifies the "who, what and where" of the devices connected to the network. SNAS can identify everything on your network: the devices, their operating systems, the applications running on them and their network activities.
Fig.1: SNAS Appliance BOX
SNAS Subsystems
SNAS has many subsystems, each of which can also be implemented as an independent system.
Fig.2: SNAS Subsystems
NeTwork Admission ConTrol (iNTACT)
SNAS offers a comprehensive solution for proactive network security by determining the policy compliance of the connected end-systems. End-systems are allowed to access network services only if they comply with the security policy defined for them. The identification and subsequent authentication of the end-systems can be based on a multitude of factors. Among others, these include IP, MAC, location, generated network traffic, running operating system, open application ports, disk-partition serial number, and installed and running software and services. If the security state of an end-system is such that it has a negative impact on other devices, SNAS can also isolate it from the internal network. In this way the NeTwork Admission ConTrol (iNTACT) module of SNAS ensures that end-systems remain unharmed by compromised systems.
Fig.3: SNAS End Point Policy Enforcement Architecture
Host AwaRE security Policy Enforcement FIREwall (HEAR-FiRE)
If an end-system complies with the security policy, the firewall rules are dynamically manipulated so that it can only access the network services that it is authorized to use. Once an end-system has securely gained access to the network, continuous monitoring, threat analysis and policy enforcement are provided through intelligent integration with other SNAS components. This capability makes SNAS a Host AwaRE security Policy Enforcement FIREwall (HEAR-FiRE). The acronym HEAR-FiRE stands for the capability of SNAS to listen to the state of hosts, check their security compliance and configure the firewall rules accordingly.
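The admission-control and host-aware firewall behaviour described above, as an added example that is not SNAS code: an endpoint report (OS, open ports, installed software, running services) is checked against a policy, and the host's forwarding rules are regenerated from the result, so that a compliant host reaches only its authorized services and a non-compliant host reaches only a remediation network. The report and policy fields, the quarantine range 10.250.0.0/24 and the iptables-style rule text are assumptions chosen for the illustration.

```python
"""Endpoint policy compliance with host-aware firewall rules.

Added example, not SNAS code: the report and policy fields, the
quarantine range and the iptables-style rule text are all assumptions
chosen for this illustration.
"""
from dataclasses import dataclass
from typing import List, Set


@dataclass
class EndpointReport:
    """What an endpoint agent is assumed to report about a host."""
    ip: str
    mac: str
    os_name: str
    open_ports: Set[int]
    installed_software: Set[str]
    running_services: Set[str]


@dataclass
class Policy:
    """Security policy a group of end-systems must satisfy."""
    allowed_os: Set[str]
    required_software: Set[str]
    forbidden_ports: Set[int]
    forbidden_services: Set[str]
    authorized_services: List[str]   # "proto:port" entries the host may reach


QUARANTINE_NET = "10.250.0.0/24"   # constructed remediation network


def check_compliance(report: EndpointReport, policy: Policy) -> List[str]:
    """Return a list of policy violations; an empty list means compliant."""
    violations: List[str] = []
    if report.os_name not in policy.allowed_os:
        violations.append(f"operating system {report.os_name} not permitted")
    for name in sorted(policy.required_software - report.installed_software):
        violations.append(f"required software missing: {name}")
    for port in sorted(report.open_ports & policy.forbidden_ports):
        violations.append(f"forbidden application port open: {port}")
    for svc in sorted(report.running_services & policy.forbidden_services):
        violations.append(f"forbidden service running: {svc}")
    return violations


def firewall_rules(report: EndpointReport, policy: Policy) -> List[str]:
    """Derive the per-host FORWARD rules from the host's current state.

    A compliant host gets exactly the services it is authorized for and a
    final drop; a non-compliant host can reach only the quarantine network.
    Re-running this on every fresh report keeps the rules in step with the
    host, which is the continuous enforcement the text describes.
    """
    rules: List[str] = []
    if check_compliance(report, policy):
        rules.append(f"-A FORWARD -s {report.ip} -d {QUARANTINE_NET} -j ACCEPT")
    else:
        for entry in policy.authorized_services:
            proto, port = entry.split(":")
            rules.append(f"-A FORWARD -s {report.ip} -p {proto} --dport {port} -j ACCEPT")
    rules.append(f"-A FORWARD -s {report.ip} -j DROP")
    return rules


# Constructed sample: one policy, one compliant and one non-compliant host.
USER_POLICY = Policy(
    allowed_os={"Windows 7", "Ubuntu 12.04"},
    required_software={"corp-antivirus"},
    forbidden_ports={23, 445},
    forbidden_services={"telnetd"},
    authorized_services=["tcp:80", "tcp:443", "udp:53"],
)
GOOD_HOST = EndpointReport("10.1.1.10", "aa:bb:cc:00:00:01", "Windows 7",
                           {135}, {"corp-antivirus", "office"}, {"svchost"})
BAD_HOST = EndpointReport("10.1.1.11", "aa:bb:cc:00:00:02", "Windows 7",
                          {23, 445}, {"office"}, {"telnetd"})

if __name__ == "__main__":
    for host in (GOOD_HOST, BAD_HOST):
        print(host.ip, check_compliance(host, USER_POLICY) or "compliant")
        for rule in firewall_rules(host, USER_POLICY):
            print("   ", rule)
```

The rule set is rebuilt from scratch on each report rather than patched incrementally, so a host that drifts out of compliance after admission loses its service rules on the next evaluation without any state having to be reconciled.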
CompLete SEcUrity viSualisation (CELSiUS)
SNAS provides a CompLete SEcUrity viSualisation (CELSiUS) of all the entities present in the network. It measures the security state of the end-systems in the network using various parameters. The SNAS dashboard enables administrators to monitor the status of the network. It provides them with an interface to know what processes and services are running, whether they are trusted or not, what software has been installed and when, what network application ports are open on the devices, which devices have connected to those application ports, and the traffic that is being generated by the systems.
This functionality is a major advancement over that provided by traditional Intrusion Detection and Prevention Systems (IDS/IPS). Because the appliance is host-aware rather than dependent on packet inspection alone, the approach used by SNAS is capable of detecting and mitigating even those attacks whose packets do not reach the SNAS appliance. SNAS can identify any malicious behaviour of end points in terms of network traffic, applications and threat propagation. Endpoints causing a Denial of Service (DoS) attack are detected and isolated from the network in near real-time. The SNAS approach of integrated network admission control and anomaly detection provides a dynamic intrusion response and proactive prevention against zero-day attacks.
Fig.4: SNAS dashboard
Network and hoST Anomaly DEtection (iNSTEAD)
Network and hoST Anomaly DEtection (iNSTEAD)
ensures that whatever happens in the network is
trusted and any non-trusted behaviour is isolated.
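Detecting an endpoint that is causing a DoS attack from its own traffic, which both the CELSiUS paragraph and the iNSTEAD description call for, as an added example that is not SNAS code: per-flow records are grouped by source host, the peak number of new flows in any sliding window is computed, and a host is flagged when that peak exceeds either an absolute ceiling or a multiple of its learned baseline. The flow tuple layout, the window size, the thresholds and the baseline values are assumptions, and the sample flows are constructed.

```python
"""Flagging end-points whose burst of new connections indicates a DoS
attempt, from per-flow records. Added example, not SNAS code: the flow
tuple layout, window size, thresholds and baselines are assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Flow = Tuple[float, str, str, int]   # (timestamp_s, src_ip, dst_ip, dst_port)


def max_flows_in_window(times: List[float], window_s: float) -> int:
    """Largest number of flows started within any window_s-second span."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        # advance the window start until it fits inside window_s seconds
        while t - times[start] > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_flooders(flows: List[Flow], window_s: float = 10.0,
                    baseline: Optional[Dict[str, int]] = None,
                    abs_threshold: int = 100, ratio: float = 5.0) -> Dict[str, int]:
    """Return {src_ip: peak_rate} for hosts whose peak new-flow rate is
    above the absolute ceiling, or at least `ratio` times their baseline.

    A host with no baseline is judged on the absolute ceiling only, so a
    newly admitted host cannot be flagged on a baseline it never had.
    """
    baseline = baseline or {}
    starts: Dict[str, List[float]] = defaultdict(list)
    for ts, src, _dst, _port in flows:
        starts[src].append(ts)
    flagged: Dict[str, int] = {}
    for src, times in starts.items():
        peak = max_flows_in_window(times, window_s)
        normal = baseline.get(src, 0)
        if peak >= abs_threshold or (normal and peak >= ratio * normal):
            flagged[src] = peak
    return flagged


# Constructed sample: 10.1.1.20 opens 60 flows in six seconds to one
# server; 10.1.1.21 opens five flows spread over a minute.
SAMPLE_FLOWS: List[Flow] = (
    [(100.0 + i * 0.1, "10.1.1.20", "10.1.1.200", 1000 + i) for i in range(60)]
    + [(100.0 + i * 12.0, "10.1.1.21", "10.1.1.200", 443) for i in range(5)]
)
# Constructed per-host baselines: peak new flows per window seen in quiet hours.
BASELINE = {"10.1.1.20": 4, "10.1.1.21": 4}

if __name__ == "__main__":
    print(detect_flooders(SAMPLE_FLOWS, baseline=BASELINE))
```

The baseline ratio is what separates a legitimately busy host from one whose behaviour has changed; the absolute ceiling catches a host that has no history yet. A flagged host would then be handed to the same isolation path the admission-control module uses.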
SNAS Network Management Suite (NMS)
SNAS Network Management Suite (NMS) provides a mechanism to monitor and manage the various network devices and end-systems present in the network. It provides details about the devices, their configuration, their current status, their links with other devices and the status of those links. It also helps administrators in managing IP address allocation and device movement, and in generating periodic reports for the purpose of network auditing.
Rogue Detection with Isolation (RiD)
The Rogue Detection with Isolation (RiD) module of SNAS ensures that as soon as any unknown device enters the network, it is identified and isolated in near real-time. This module is able to scan a sufficiently large network and detect and isolate unknown systems in less than a minute. True to its name, this module rids administrators of the menace caused by unknown entities.
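Rogue detection of the kind described above, as an added example that is not SNAS code: a neighbour-table snapshot from a segment is parsed, every observed MAC is checked against the device inventory, and two kinds of finding are produced, an unknown device and a known device seen at an address other than its registered one. Unknown devices are turned into isolation rules; the address mismatch is reported for investigation rather than acted on automatically, since blocking that MAC would also cut off the legitimate registered host. The inventory layout, the sample neighbour lines (written in `ip neigh show` style) and the iptables-style rule text are assumptions.

```python
"""Rogue device detection from a segment's neighbour table.

Added example, not SNAS code: the inventory layout, the constructed
neighbour lines and the isolation rule text are assumptions.
"""
import re
from typing import Dict, List

# Constructed inventory: MAC -> registered address and owner.
INVENTORY: Dict[str, Dict[str, str]] = {
    "aa:bb:cc:00:00:01": {"ip": "10.1.1.10", "owner": "desk-01"},
    "aa:bb:cc:00:00:02": {"ip": "10.1.1.11", "owner": "desk-02"},
}

# Constructed neighbour-table snapshot in `ip neigh show` style.
SAMPLE_NEIGH = """\
10.1.1.10 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
10.1.1.11 dev eth0 lladdr aa:bb:cc:00:00:02 STALE
10.1.1.77 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
10.1.1.12 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
10.1.1.99 dev eth0 FAILED
"""

NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr (\S+) (\S+)$")


def parse_neigh(text: str) -> List[Dict[str, str]]:
    """Parse neighbour lines; entries without a link-layer address
    (for example FAILED ones) carry no MAC and are skipped."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            ip, dev, mac, state = m.groups()
            entries.append({"ip": ip, "dev": dev, "mac": mac.lower(), "state": state})
    return entries


def find_rogues(entries: List[Dict[str, str]],
                inventory: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Compare observed (ip, mac) pairs with the inventory."""
    findings = []
    for e in entries:
        known = inventory.get(e["mac"])
        if known is None:
            findings.append({"kind": "unknown-device", "ip": e["ip"], "mac": e["mac"]})
        elif known["ip"] != e["ip"]:
            findings.append({"kind": "address-mismatch", "ip": e["ip"],
                             "mac": e["mac"], "expected_ip": known["ip"]})
    return findings


def isolation_rules(findings: List[Dict[str, str]]) -> List[str]:
    """iptables-style rules dropping forwarded traffic from each unknown MAC.
    Address mismatches are left for an administrator to resolve."""
    macs = sorted(f["mac"] for f in findings if f["kind"] == "unknown-device")
    return [f"-I FORWARD -m mac --mac-source {m} -j DROP" for m in macs]


if __name__ == "__main__":
    found = find_rogues(parse_neigh(SAMPLE_NEIGH), INVENTORY)
    for f in found:
        print(f)
    for rule in isolation_rules(found):
        print(rule)
```

Keying the inventory on the MAC address is a deliberate choice: an unknown device cannot gain anything by picking a free IP address, and a known MAC turning up at an unexpected address is itself worth a finding.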
Backdoor Detection
Users connected to internal networks can simultaneously connect to external networks using wireless devices such as USB dongles and smart-phones. This can not only compromise the confidentiality of information present on that system, but the system can also be used as a point from which to attack the enterprise's internal network. SNAS can detect endpoints which are connected directly to outside networks. They pose a threat to organizational security as they bypass all network security systems and act as a bridge between the outside world and internal secure networks. Such end-points are easily detected by SNAS and blocked from using the internal network while they are connected to external networks.
Fig.5: SNAS Security Visualization and NMS dashboard
USB Storage Management
USB-based storage devices are widely used for data transfer between different machines. But they also act as a hub for the spread of viruses and worms, and pose a threat to network security. SNAS can track the movement and usage of USB storage devices within the network. It can ensure that only authorized USB storage devices are used on an end-system. This helps in ensuring that there is no unintended data loss from PCs through removable media. Also, once a pen-drive is registered, the user can get full details about when and where his/her pen-drive has been used.
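The two USB controls just described, authorizing only registered storage devices and keeping a per-device record of when and where it was used, as an added example that is not SNAS code: each plug-in event is looked up in a registry keyed by vendor, product and serial number, an allow/deny decision is returned, and every event is appended to that serial number's usage trail. The registry layout, the event fields, the optional host restriction and the sample events are assumptions.

```python
"""USB storage authorization against a registry, with a usage trail.

Added example, not SNAS code: the registry layout, event format, host
restriction and sample events are assumptions.
"""
from collections import defaultdict, namedtuple
from typing import Dict, List, Optional, Set, Tuple

Event = namedtuple("Event", "time host vendor product serial")

# Constructed registry of registered pen-drives. `hosts` None means any
# host; otherwise the device is only permitted on the listed hosts.
REGISTRY: Dict[Tuple[str, str, str], Dict[str, Optional[Set[str]]]] = {
    ("0781", "5567", "4C530001"): {"owner": "user-a", "hosts": None},
    ("0951", "1666", "E0D55E6C"): {"owner": "user-b", "hosts": {"pc-201"}},
}

# Constructed plug-in events reported by endpoint agents.
EVENTS = [
    Event("2014-10-01T09:00", "pc-201", "0781", "5567", "4C530001"),
    Event("2014-10-01T09:30", "pc-205", "0951", "1666", "E0D55E6C"),
    Event("2014-10-01T10:00", "pc-201", "0951", "1666", "E0D55E6C"),
    Event("2014-10-01T10:15", "pc-207", "1234", "abcd", "XYZ"),
    Event("2014-10-02T08:00", "pc-230", "0781", "5567", "4C530001"),
]


def authorize(event: Event) -> Tuple[str, str]:
    """Return ("allow", owner) or ("deny", reason) for one plug-in event."""
    entry = REGISTRY.get((event.vendor, event.product, event.serial))
    if entry is None:
        return ("deny", "unregistered device")
    hosts = entry["hosts"]
    if hosts is not None and event.host not in hosts:
        return ("deny", f"not permitted on host {event.host}")
    return ("allow", entry["owner"])


def process(events: List[Event]):
    """Decide every event and build the per-serial usage trail the owner
    can later consult (when and where the device was used)."""
    decisions = []
    trail: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    for ev in events:
        verdict, detail = authorize(ev)
        decisions.append({"time": ev.time, "host": ev.host, "serial": ev.serial,
                          "verdict": verdict, "detail": detail})
        trail[ev.serial].append((ev.time, ev.host, verdict))
    return decisions, dict(trail)


if __name__ == "__main__":
    decisions, trail = process(EVENTS)
    for d in decisions:
        print(d)
    print(trail["4C530001"])
```

Denied events are kept in the trail as well: a registered device appearing on a host it is not permitted on is exactly the movement an administrator wants to see.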
Network Bridging Sensor
When multiple isolated networks are extended to the user's end, there is a definite chance of network bridging. SNAS detects any bridging immediately and disconnects the devices to keep your networks isolated.
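One check that covers both the backdoor case (an endpoint on the internal network that is also on an outside network through a dongle or phone) and the bridging case (an endpoint with interfaces in two isolated networks), as an added example that is not SNAS code: each active interface address reported by an endpoint agent is mapped to a named zone or to "external", and a host is flagged when it touches an internal zone together with the outside, or more than one internal zone at once. The zone definitions, the report layout and the sample hosts are assumptions; down interfaces, loopback and link-local addresses are ignored.

```python
"""Backdoor and network-bridging detection from endpoint interface reports.

Added example, not SNAS code: the zone definitions, the report layout and
the sample hosts are assumptions.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed isolated networks the organisation operates.
ZONES = {
    "office-lan": ipaddress.ip_network("10.1.0.0/16"),
    "plant-lan": ipaddress.ip_network("192.168.50.0/24"),
}


def zone_of(addr: str) -> Optional[str]:
    """Name of the internal zone an address belongs to, "external" if it
    belongs to none, or None for addresses that say nothing (loopback,
    link-local)."""
    a = ipaddress.ip_address(addr)
    if a.is_loopback or a.is_link_local:
        return None
    for name, net in ZONES.items():
        if a in net:
            return name
    return "external"


def assess_host(report: Dict) -> List[Tuple[str, List[str]]]:
    """Return findings as (kind, interfaces) pairs for one host report."""
    by_zone: Dict[str, Set[str]] = {}
    for iface in report["interfaces"]:
        if iface["state"] != "up":
            continue
        for addr in iface["addrs"]:
            z = zone_of(addr)
            if z:
                by_zone.setdefault(z, set()).add(iface["name"])
    internal = sorted(z for z in by_zone if z != "external")
    findings: List[Tuple[str, List[str]]] = []
    # backdoor: internal presence plus a direct path to the outside
    if "external" in by_zone and internal:
        findings.append(("external-uplink", sorted(by_zone["external"])))
    # bridging: one host standing in two networks that are meant to be isolated
    if len(internal) > 1:
        findings.append(("network-bridging",
                         sorted(i for z in internal for i in by_zone[z])))
    return findings


def assess_all(reports: List[Dict]) -> Dict[str, List[Tuple[str, List[str]]]]:
    return {r["host"]: assess_host(r) for r in reports}


# Constructed reports: a dongle user, a dual-homed host, and a clean host.
HOSTS = [
    {"host": "pc-101", "interfaces": [
        {"name": "eth0", "state": "up", "addrs": ["10.1.1.5"]},
        {"name": "wwan0", "state": "up", "addrs": ["100.64.3.7"]}]},
    {"host": "pc-102", "interfaces": [
        {"name": "eth0", "state": "up", "addrs": ["10.1.1.6"]},
        {"name": "eth1", "state": "up", "addrs": ["192.168.50.9"]}]},
    {"host": "pc-103", "interfaces": [
        {"name": "eth0", "state": "up", "addrs": ["10.1.1.7", "fe80::1"]},
        {"name": "wlan0", "state": "down", "addrs": ["172.16.4.2"]}]},
]

if __name__ == "__main__":
    for host, findings in assess_all(HOSTS).items():
        print(host, findings or "clean")
```

The check deliberately does not look at whether forwarding is enabled on the host: a second interface in another zone is reason enough to disconnect, since an attacker on the host can enable forwarding later, and the text's policy is to disconnect on detection.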
Trust Monitor
SNAS monitors and mitigates the impact of untrusted programs and services on the network. SNAS builds a profile of trusted applications and services running on the endpoints. Patterns of newly found processes can be monitored and easily analyzed to handle threats.
Fig.6: SNAS USB Module
Conclusions
SNAS can be deployed in enterprise networks to replace the existing firewalls between intranet segments (LAN), the various demilitarized zones and the WAN. SNAS will ensure that the devices in the user segment comply with the security policy and that all internal network attacks are identified and mitigated. The SNAS security suite provides a comprehensive solution for the mitigation of internal and external attacks. As of today, SNAS is the only Indian integrated network security solution present in the country. SNAS is being accepted as an intranet security solution at the national level, and installation of SNAS in various organizations, including strategic ones, is in progress.