Security Assurance Policy Helper (SAPH)
A Framework for Network Security Assurance Design

Speaker: 鄭伯炤 (bcheng@ccu.edu.tw)
Information Networking Security and Assurance Lab
Department of Communication Engineering
National Chung Cheng University

Outline

• What is the Problem?
• Security Management Life Cycle
• SAPH (Security Assurance Policy Helper)
  – SLC (Security Language Composer)
  – VAST (Vulnerability Assessment & Security Testing)
• SAPH and Security Assurance
• Conclusion
• Reference

The Reality

How many incidents? (percentage of respondents)

Year   1-5   6-10   11-30   31-60   Over 60   Don't know
2003    38     20     more than 10: 16           26
2002    42     20       8       2        5        23
2001    33     24       5       1        5        31
2000    33     23       5       2        6        31
1999    34     22       7       2        5        29

(In the 2003 survey the 11-30, 31-60 and over-60 bands were collapsed into a single "more than 10" band.)

[Chart: Security Technologies Used, 1999-2003: Intrusion Detection, Firewall, Anti-virus, Access Control, Physical Security]

Gartner Group estimates that 75% of today's hacker attacks take place at the application layer (OSI layer 7), and that a single successful intrusion causes staggering damage.

Information and Networking Security Assurance & Survivability
Data and Application Security

Source: CSI/FBI Computer Crime and Security Survey

Attack Motivations, Phases and Goals

Motivations
• Revenge
• Political activism
• Financial gain

Goals
• Data manipulation
• System access
• Elevated privileges
• Denial of Service

Phases
1. Collect Information
   • Public data sources
   • Scanning and probing
2. Analyze Information & Prepare Attacks
   • Services in use
   • Known OS/application vulnerabilities
   • Known network protocol security weaknesses
   • Network topology
3. Actual Attack
   • Network compromise
   • DoS/DDoS attack: bandwidth consumption, host resource starvation

What is the Problem?

[Diagram] Vulnerability 1, Vulnerability 2, …, Vulnerability n arrive from a vulnerability database (e.g. Bugtraq); each is answered "Quick & Dirty!!!" with its own Solution 1, Solution 2, …, Solution n, handled case by case by the Security Operation Center (SOC).

Security Management Cycle Problems

[Diagram: Security Operation Center (SOC) cycle] Business Requirement → Security Policy → Design → Implementation → Assessment & Testing → Monitoring & Audit → Service Provision

• How to map business and service requirements into a security policy
• How to automate the security management cycle (i.e. eliminate the gaps and smooth the processes between the different security management phases)
• How to evaluate the risk of exposure and the cost of security breaches

Security Management Cycle Problems (phases)

• Design: defining a good security policy and the network topology in accordance with the requirements of the enterprise and the goals of the business
• Implementation: including installation, system-level testing, education and technology transfer, etc.
• Assessment & Testing: checking whether the security policy is implemented correctly and investigating any intrusions
• Monitoring & Audit: performing testing and scanning to appraise risk values on the target network

SAPH Architecture

[Diagram] SAPH = SLC (Security Language Composer) + VAST (Vulnerability Assessment & Security Testing), both acting on the DTN (Defense Target Network)

SLC: GUI, Policy & Topology Model, Security Guardian, Object Storage, Enforcement, Conf. Profile
VAST: Import/Interpreter, Black Hat (database), White Hat (database), Verifier, Script Generator, Lighter, Audit/System Log

SLC: Get The Highest Level of Security

• Make good security policies to protect your networks and services: accomplishable, enforceable, definable
• Identify the real security needs of the service and match them to business requirements
• Assessment and risk evaluation

SAPH Components – Security Language Composer

• GUI: a graphical user interface providing user interaction
• Policy & Topology Model: allows the user to define security policies and network topology based on business and service requirements
• Security Guardian: an engine that evaluates the risk of exposure and the cost of security breaches based on built-in and user-defined functions
• Object Storage: stores network objects and security policy definitions
• Enforcement: an intelligent agent that produces configuration profiles based on acceptable risks, security policy settings and network topology
• Configuration Profile: a set of configuration parameters and running scripts for network elements and security devices

Policy & Topology Model

Purpose: display an idea and communicate it to the system and to other engineers.

OAB (Object Association Binding)
• Object: an entity, concept or group, with its data and attributes
• Association: a relation between two objects: direction, condition, action and transition
• Binding: a relation between two models: an object in the Policy Model and an object in the Topology Model

OAB (Object Association Binding): Example

Policy Model
• Object George; attributes: Info. Dep., Engineer
• Object Marketing Dep.; attributes: 15 employees, 12 computers
• Association (security policy):
  rule 1: George can access the Marketing Dep. network
  rule 2: Deny FTP connections (condition on the association: if protocol != FTP then accept)

Topology Model
• Subnet 140.123.113.0/24
• Firewall 140.123.113.25
• Host 140.123.114.14

Binding: the policy objects (George, Marketing Dep.) are bound to topology objects (the host and the subnet), which is what lets the abstract rules be enforced at the firewall.
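To make the OAB idea concrete, here is an added example (not SAPH's own code) of a minimal Policy Model, Topology Model and Binding in Python, evaluated for the George / Marketing Dep. scenario above. The class names, the first-match evaluation order, the default-deny, and the choice of binding George to the host 140.123.114.14 and the Marketing Dep. to the subnet 140.123.113.0/24 are this example's assumptions; the slide only draws binding lines.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Callable, Dict, List, Union


@dataclass
class PolicyObject:
    """OAB Object: an entity, concept or group together with its attributes."""
    name: str
    attributes: Dict[str, object] = field(default_factory=dict)


@dataclass
class Association:
    """OAB Association: directed relation src -> dst with a condition and an action."""
    src: str
    dst: str
    action: str                                    # "accept" or "deny"
    condition: Callable[[dict], bool] = lambda req: True
    label: str = ""


TopoObject = Union[IPv4Address, IPv4Network]       # Topology Model objects used here


@dataclass
class OABModel:
    objects: Dict[str, PolicyObject] = field(default_factory=dict)
    associations: List[Association] = field(default_factory=list)
    bindings: Dict[str, TopoObject] = field(default_factory=dict)   # OAB Binding

    def add_object(self, name: str, **attrs: object) -> None:
        self.objects[name] = PolicyObject(name, dict(attrs))

    def bind(self, obj: str, topo: str) -> None:
        """Bind a Policy Model object to a Topology Model object (host or subnet)."""
        if obj not in self.objects:
            raise KeyError(f"unknown policy object {obj!r}")
        self.bindings[obj] = ip_network(topo) if "/" in topo else ip_address(topo)

    def unbound_objects(self) -> List[str]:
        """Consistency check: a policy object with no topology binding cannot be enforced."""
        return [name for name in self.objects if name not in self.bindings]

    def _covers(self, obj: str, addr: IPv4Address) -> bool:
        topo = self.bindings[obj]
        return addr in topo if isinstance(topo, IPv4Network) else addr == topo

    def decide(self, src_ip: str, dst_ip: str, protocol: str) -> str:
        """First-match evaluation of the associations; anything unmatched is denied."""
        missing = self.unbound_objects()
        if missing:
            raise ValueError(f"unbound policy objects: {missing}")
        req = {"src": ip_address(src_ip), "dst": ip_address(dst_ip),
               "protocol": protocol.lower()}
        for assoc in self.associations:
            if (self._covers(assoc.src, req["src"])
                    and self._covers(assoc.dst, req["dst"])
                    and assoc.condition(req)):
                return assoc.action
        return "deny"


def build_example_model() -> OABModel:
    """The slide's scenario: George, the Marketing Dep., two rules, three topology objects."""
    model = OABModel()
    model.add_object("George", department="Info. Dep.", role="Engineer")
    model.add_object("Marketing Dep.", employees=15, computers=12)
    # rule 2 (deny FTP) is placed before rule 1 so that first-match evaluation
    # yields the slide's association "if protocol != FTP then accept"
    model.associations.append(Association(
        "George", "Marketing Dep.", "deny",
        condition=lambda req: req["protocol"] == "ftp",
        label="rule 2: deny FTP connection"))
    model.associations.append(Association(
        "George", "Marketing Dep.", "accept",
        label="rule 1: George can access the Marketing Dep. network"))
    # assumed bindings: George's workstation is the host, the department is the subnet
    model.bind("George", "140.123.114.14")
    model.bind("Marketing Dep.", "140.123.113.0/24")
    return model


if __name__ == "__main__":
    model = build_example_model()
    for proto in ("http", "ftp"):
        print(f"George -> Marketing ({proto}):",
              model.decide("140.123.114.14", "140.123.113.50", proto))
    print("other host -> Marketing (http):",
          model.decide("140.123.114.99", "140.123.113.50", "http"))
```

The `unbound_objects` check is the kind of "Check Policy & Topology" test the Security Guardian is meant to run before any enforcement: a rule that names an object with no topology binding is unenforceable, so the model refuses to evaluate traffic until every object is bound.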

Security Guardian: Check Policy & Topology and Evaluate the Risk

[Diagram] Network Topology + Security Policy → Security Guardian → Risk Exposure

Inputs to the evaluation:
■ User-defined factors
■ Information asset
■ Vulnerability
■ Probability of loss
■ Event severity

Risk Relationship

Assets
• Physical: hardware
• Software: OS, application

Security Threat Classification
• Theft, fire, explosive, …, radiation
• Services in use, known OS/application vulnerabilities, known network protocol security weaknesses, network topology

Each security threat carries a Probability (level → value) and a Severity (level → value).

Evaluation Function (Built-In and User-Defined)

Threat factor of threat $i$: $T_i = P_i \times S_i$, where $P_i$ is the probability of loss and $S_i$ the event severity.

Class risk of threat class $j$: $C_j = \sum_{i=1}^{n} T_i$, summed over the $n$ threats in the class.

Asset risk exposure: $A = \sum_{j=1}^{m} C_j$, summed over the $m$ threat classes of the asset.

Acceptance test: if $A <$ (acceptable risk value) then $X$, otherwise $Y$, where $X$ and $Y$ are the accept values (e.g. Boolean).
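The evaluation function above, carried through in Python as an added example (this is not the Security Guardian's code). The slide gives "level / value" pairs for probability and severity but no numbers, so the `PROBABILITY` and `SEVERITY` tables, the example threats against an FTP server, and the acceptable risk values are all this example's assumptions. The `class_fn` hook stands in for the slide's "user-defined" function.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Assumed level -> value tables: the slide shows "Level / Value" pairs for
# probability and severity but gives no numbers, so these are this example's.
PROBABILITY = {"low": 0.1, "medium": 0.5, "high": 0.9}
SEVERITY = {"minor": 1.0, "moderate": 3.0, "major": 7.0, "critical": 10.0}


@dataclass(frozen=True)
class Threat:
    name: str
    cls: str            # threat class j, e.g. "physical" or "network"
    probability: str    # level name looked up in PROBABILITY (P_i)
    severity: str       # level name looked up in SEVERITY (S_i)


def threat_factor(t: Threat) -> float:
    """T_i = P_i * S_i"""
    return PROBABILITY[t.probability] * SEVERITY[t.severity]


ClassFn = Callable[[List[Threat]], Dict[str, float]]


def class_risk(threats: List[Threat]) -> Dict[str, float]:
    """Built-in class function: C_j = sum of T_i over the threats in class j."""
    out: Dict[str, float] = {}
    for t in threats:
        out[t.cls] = out.get(t.cls, 0.0) + threat_factor(t)
    return out


def weighted_class_risk(weights: Dict[str, float]) -> ClassFn:
    """User-defined class function: scale each class by a weight before summing."""
    def fn(threats: List[Threat]) -> Dict[str, float]:
        return {c: v * weights.get(c, 1.0) for c, v in class_risk(threats).items()}
    return fn


def asset_risk_exposure(threats: List[Threat], class_fn: ClassFn = class_risk) -> float:
    """A = sum of C_j over the m classes of the asset."""
    return sum(class_fn(threats).values())


def acceptable(threats: List[Threat], acceptable_risk: float,
               x=True, y=False, class_fn: ClassFn = class_risk):
    """If A < acceptable risk value then X otherwise Y."""
    return x if asset_risk_exposure(threats, class_fn) < acceptable_risk else y


def dominant_class(threats: List[Threat], class_fn: ClassFn = class_risk) -> str:
    """Which class contributes most to A: the first place to spend mitigation budget."""
    risks = class_fn(threats)
    return max(risks, key=risks.get)


# Constructed example: threats against an FTP server in the Marketing subnet.
FTP_SERVER_THREATS = [
    Threat("theft", "physical", "low", "major"),
    Threat("fire", "physical", "low", "critical"),
    Threat("cleartext FTP credentials on the wire", "network", "high", "moderate"),
    Threat("known OS vulnerability", "network", "medium", "critical"),
]

if __name__ == "__main__":
    print("class risk:", class_risk(FTP_SERVER_THREATS))
    print("asset risk exposure A:", round(asset_risk_exposure(FTP_SERVER_THREATS), 2))
    print("dominant class:", dominant_class(FTP_SERVER_THREATS))
    for threshold in (10.0, 5.0):
        print(f"acceptable at {threshold}:", acceptable(FTP_SERVER_THREATS, threshold))
```

With these tables the physical class contributes 1.7 and the network class 7.7, so A = 9.4: acceptable against a threshold of 10 but not against 5, and the network class is where mitigation pays off first. Because the accept decision is a strict comparison against a threshold, tiny changes to the level tables can flip it; in practice the tables and the threshold should be version-controlled alongside the policy they justify.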

Enforcement

[Diagram] Network Topology + Security Policy → Enforcement → Equipment Adaptors → Script files → Network Configuration
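The Enforcement flow above, shown as an added example (not SAPH's Enforcement agent): a policy already resolved against the topology is pushed through per-equipment adaptors that emit device-specific script files, one per device. The `Rule` format, the two adaptors (iptables-restore and a Cisco IOS extended ACL), the deny-before-accept ordering, the device names and the ACL name are this example's assumptions; the two rules are those of the OAB example.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    """A policy rule already resolved against the topology (addresses, not object names)."""
    src: str                 # host address or CIDR
    dst: str
    protocol: str            # "tcp", "udp" or "any"
    port: Optional[int]      # destination port, None for all
    action: str              # "accept" or "deny"


def ordered(rules: List[Rule]) -> List[Rule]:
    """Explicit denies first, then accepts; the adaptors add a final deny-all.
    This keeps a broad accept (rule 1) from shadowing a narrower deny (rule 2)."""
    return [r for r in rules if r.action == "deny"] + [r for r in rules if r.action == "accept"]


def iptables_adaptor(rules: List[Rule]) -> List[str]:
    """Equipment adaptor for a Linux netfilter firewall (iptables-restore format)."""
    lines = ["*filter", ":FORWARD DROP [0:0]"]          # default deny
    for r in ordered(rules):
        parts = ["-A FORWARD", f"-s {r.src}", f"-d {r.dst}"]
        if r.protocol != "any":
            parts.append(f"-p {r.protocol}")
        if r.port is not None:
            parts.append(f"--dport {r.port}")
        parts.append("-j ACCEPT" if r.action == "accept" else "-j DROP")
        lines.append(" ".join(parts))
    lines.append("COMMIT")
    return lines


def _cisco_addr(cidr: str) -> str:
    """host or CIDR -> 'host a.b.c.d' or 'network wildcard' as IOS ACLs expect."""
    net = ip_network(cidr, strict=False)
    if net.num_addresses == 1:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def cisco_acl_adaptor(rules: List[Rule], acl_name: str = "SAPH_POLICY") -> List[str]:
    """Equipment adaptor for a Cisco IOS router (extended named ACL)."""
    lines = [f"ip access-list extended {acl_name}"]
    for r in ordered(rules):
        verb = "permit" if r.action == "accept" else "deny"
        proto = "ip" if r.protocol == "any" else r.protocol
        port = f" eq {r.port}" if r.port is not None else ""
        lines.append(f" {verb} {proto} {_cisco_addr(r.src)} {_cisco_addr(r.dst)}{port}")
    lines.append(" deny ip any any")                    # explicit default deny
    return lines


ADAPTORS: Dict[str, Callable[[List[Rule]], List[str]]] = {
    "iptables": iptables_adaptor,
    "cisco-ios": cisco_acl_adaptor,
}


def generate_scripts(rules: List[Rule], devices: Dict[str, str]) -> Dict[str, str]:
    """Configuration Profile: one script per device; `devices` maps name -> adaptor key."""
    return {name: "\n".join(ADAPTORS[kind](rules)) for name, kind in devices.items()}


# The two rules of the OAB example, resolved through their bindings.
EXAMPLE_RULES = [
    Rule("140.123.114.14", "140.123.113.0/24", "any", None, "accept"),   # rule 1
    Rule("140.123.114.14", "140.123.113.0/24", "tcp", 21, "deny"),       # rule 2
]

if __name__ == "__main__":
    scripts = generate_scripts(EXAMPLE_RULES, {"fw1": "iptables", "rtr1": "cisco-ios"})
    for device, script in scripts.items():
        print(f"--- {device} ---\n{script}")
```

The ordering step is the security-relevant part: both iptables and IOS ACLs are first-match, so emitting rule 1 before rule 2 in the order the policy author wrote them would silently let FTP through. Generated scripts should be diffed against the running configuration before they are pushed, which is what the Assessment & Testing phase of the cycle is for.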


VAST: Assure Information and Networking Security

• Assessment: information reconnaissance and network scan; vulnerability assessment and threat analysis
• Penetration: system penetration test; security policy certification
• Auditing: log analysis

SAPH Components – Vulnerabilities Assessment & Security Testing (VAST)

• Import/Interpreter: a converter that imports audit logs/syslog from security audit tools and network elements into the Black Hat Database, or transforms attack severity/structure for the Evaluator for further analysis
• Black Hat Database: real hacker signatures and methods
• White Hat Database: network architecture, network element (e.g. router and firewall) configuration, security profiles and well-known security holes
• Verifier: an engine that uses both the Black Hat and the White Hat Database to forecast/analyze possible vulnerabilities
• Script Generator: generates script files to exploit vulnerabilities
• Lighter: an engine that launches attacks based on hacker scripts
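An added example (not VAST's own code) of the Import/Interpreter and Verifier roles above: the importer normalises two syslog formats (a netfilter firewall log and sshd authentication failures) into Black Hat records, and the verifier joins them with a White Hat view of the network to report reconnaissance, password guessing, traffic the firewall accepted although the policy denies it, and services still listening on policy-denied ports. The log lines, host names and addresses, the service inventory, the denied-port set and the thresholds are all constructed for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed syslog sample: a netfilter firewall (fw1) and an sshd host (mkt10).
SAMPLE_SYSLOG = """\
Mar  3 10:01:02 fw1 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=140.123.113.10 PROTO=TCP SPT=40001 DPT=21
Mar  3 10:01:02 fw1 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=140.123.113.10 PROTO=TCP SPT=40002 DPT=22
Mar  3 10:01:03 fw1 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=140.123.113.10 PROTO=TCP SPT=40003 DPT=23
Mar  3 10:01:03 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=140.123.113.10 PROTO=TCP SPT=40004 DPT=80
Mar  3 10:01:04 fw1 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=140.123.113.10 PROTO=TCP SPT=40005 DPT=443
Mar  3 10:02:10 mkt10 sshd[2210]: Failed password for root from 198.51.100.9 port 51234 ssh2
Mar  3 10:02:12 mkt10 sshd[2210]: Failed password for root from 198.51.100.9 port 51235 ssh2
Mar  3 10:02:14 mkt10 sshd[2210]: Failed password for admin from 198.51.100.9 port 51236 ssh2
Mar  3 10:05:00 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=140.123.114.14 DST=140.123.113.10 PROTO=TCP SPT=50000 DPT=21
"""

NETFILTER = re.compile(r"kernel: (?P<verdict>ACCEPT|DROP) .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                       r"PROTO=(?P<proto>\S+) .*DPT=(?P<dport>\d+)")
SSHD_FAIL = re.compile(r"(?P<host>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)")


@dataclass(frozen=True)
class BlackHatRecord:
    """One observed attacker action, normalised from whatever log format produced it."""
    src: str
    dst: str
    dport: int
    kind: str            # "probe" (dropped), "accepted" (passed the firewall), "auth-failure"


def import_syslog(text: str, hostnames: Dict[str, str]) -> List[BlackHatRecord]:
    """Import/Interpreter: turn heterogeneous syslog lines into Black Hat records."""
    records: List[BlackHatRecord] = []
    for line in text.splitlines():
        m = NETFILTER.search(line)
        if m:
            kind = "accepted" if m["verdict"] == "ACCEPT" else "probe"
            records.append(BlackHatRecord(m["src"], m["dst"], int(m["dport"]), kind))
            continue
        m = SSHD_FAIL.search(line)
        if m:   # sshd logs the host name; the White Hat side knows the host by address
            records.append(BlackHatRecord(m["src"], hostnames.get(m["host"], m["host"]), 22, "auth-failure"))
    return records


@dataclass
class WhiteHat:
    """What we know about our own side: running services and the ports policy denies."""
    services: Dict[str, Dict[int, str]]     # host address -> {port: service name}
    denied_ports: Set[int]


def verify(black: List[BlackHatRecord], white: WhiteHat,
           scan_threshold: int = 4, fail_threshold: int = 3) -> List[str]:
    """Verifier: join Black Hat observations with the White Hat view and report findings."""
    findings: List[str] = []
    probed_ports: Dict[str, Set[int]] = defaultdict(set)
    failures: Dict[str, int] = defaultdict(int)
    for r in black:
        if r.kind == "probe":
            probed_ports[r.src].add(r.dport)
        elif r.kind == "auth-failure":
            failures[r.src] += 1
    for src, ports in probed_ports.items():              # reconnaissance phase: scanning
        if len(ports) >= scan_threshold:
            findings.append(f"port scan from {src}: {sorted(ports)}")
    for src, n in failures.items():                      # attack phase: password guessing
        if n >= fail_threshold:
            findings.append(f"password guessing from {src}: {n} failed ssh logins")
    for r in black:                                      # policy certification from the logs
        if r.kind == "accepted" and r.dport in white.denied_ports:
            findings.append(f"policy violation: {r.src} -> {r.dst}:{r.dport} accepted "
                            f"although the policy denies port {r.dport}")
    for host, services in white.services.items():       # exposure the policy should have removed
        for port, svc in services.items():
            if port in white.denied_ports:
                findings.append(f"{host} still runs {svc} on policy-denied port {port}")
    return findings


EXAMPLE_WHITE_HAT = WhiteHat(
    services={"140.123.113.10": {21: "ftp", 22: "ssh", 80: "http"}},
    denied_ports={21},                                   # rule 2 of the OAB example
)
HOSTNAMES = {"mkt10": "140.123.113.10"}


def run_example() -> List[str]:
    return verify(import_syslog(SAMPLE_SYSLOG, HOSTNAMES), EXAMPLE_WHITE_HAT)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

The last finding is the one a pure log-based tool would miss: the firewall log shows an FTP connection that was accepted, but only the White Hat inventory reveals that the host still runs an FTP server at all. Real deployments would replace the inline regexes with a proper parser per log source and feed the findings back into the Security Guardian as vulnerability inputs.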

Lighter

• Reconnaissance: nslookup, whois, ARIN, dig, target web site, others
• Network scanning: telnet, Nmap, hping2, netcat, ICMP (ping and traceroute)
• Vulnerability assessment: Nessus, SARA


SAPH and Security Assurance

• Design assurance: Policy & Topology Model (OAB, Object Association Binding); Security Guardian
• Development assurance: VAST
• Operation assurance: Enforcement; GUI

Conclusion

[Diagram] Security Operation Center (SOC) before and after SAPH

With SAPH the SOC can:
• Increase productivity
• Save cost
• Enhance security
• Extend network management

Reference

• BCS Review 2001, "Setting standards for information security policy", http://www.bcs.org.uk/review/2001/html/p181.htm
• B. Fraser, "RFC 2196: Site Security Handbook", IETF, September 1997.
• BUGTRAQ, http://www.securityfocus.com/archive/1
• E. Carter, Cisco Secure Intrusion Detection System, Cisco Press, 2001.
• G. Stoneburner, A. Goguen, and A. Feringa, "Risk Management Guide for Information Technology Systems", Special Publication 800-30, NIST.
• J. Wack and M. Tracy, "Guideline on Network Security Testing", Draft Special Publication 800-42, NIST, February 4, 2002.
• Microsoft Security Bulletin MS03-028, http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-028.asp
• R. M. Barnhart, "High Assurance Security Medical Information Systems", Science Applications International Corporation, 2000.
• SANS Institute, Security Policy Project, http://www.sans.org/resources/policies/
• S. Northcutt, L. Zeltser, S. Winters, K. Kent Frederick, R. W. Ritchey, Inside Network Perimeter Security, New Riders, 2003.
• T. Layton, "Penetration Studies – A Technical Overview", SANS, May 30, 2002.

Questions? Thank you!