Slide 1: UCCS Network/System Security Research (Pfleeger Visit 4/13/2004, UCCS Network/System Security)
C. Edward Chow, Xiaobo Joe Zhou, Yu Cai, Ganesh Godavari
Department of Computer Science, University of Colorado at Colorado Springs
Some of the research projects are sponsored by the Air Force Research Laboratory, under agreement number F49620-03-1-0207. It was sponsored by NISSC Summer/Fall 2003 grants. Part of these results are supported by a generous gift from Fujitsu for Internet research.
Slide 2: Outline of the Talk
Overview of Network/System Security Research Projects at the Network/System Lab:
- Secure Collective Internet Defense (SCOLD): an Intrusion Tolerance System.
- Autonomous Anti-DDoS (A2D2): Integrated enhanced Snort IDS with multi-level adaptive rate limiting firewall.
- Secure Groupware for First Responders (SGFR): Integrated Group Rekeying (Keystone) with Instant Messaging (Jabber) on MANET.
- Secure Access Mobile Ad Hoc Network (SMANET): Implemented PEAP module on freeRadius server, compared PEAP with TTLS.
- First Responder Sensor Network (FRSN): Track Fire Fighters with Crossbow Mote-based Sensor Network.
- Improving System Performance by QoS Regulations with Adaptive Resource Management under Cyber Threats.
- Intelligence/Information Fusion.
- Secure Information Sharing.
Slide 3: UCCS Network/System Research Lab
Director: Dr. C. Edward Chow (Network/Protocol)
Assistant Professor: Dr. Xiaobo Zhou (Distributed Systems; QoS)
Graduate students (graduated):
- John Bicknell/Steve McCaughey/Anders Hansmat: Distributed Network Restoration/Network Survivability
- Hekki Julkunen: Dynamic Packet Filter
- Chandra Prakash: High Available Linux kernel-based Content Switch
- Ganesh Godavari: Linux based Secure Web Switch
- Angela Cearns: Autonomous Anti-DDoS (A2D2) Testbed
- Longhua Li: IXP-based Content Switch
- David Wikinson: Secure DNS (update/query) with multiple indirect routing entries
- Nirmala Bulusu: Secure Wireless Access; PEAP vs. TTLS; enhance freeRadius server with PEAP module
Graduate students (current):
- Yu Cai (Ph.D. research assistant): Proxy Server Based Multipath Routing; Secure Collective Internet Defense; Information Fusion
- Ganesh Godavari (Ph.D. research assistant): Content Switching Rule Conflict Detection; Secure Groupware; First Responder Sensor Network; Secure Information Sharing
- Frank Watson: enhanced TCP with multiple routes (User Mode Linux)
- Paul Fong: Wireless AODV Routing for sensor networks
- Murthy Andukuri/Jing Wu: iSCSI/VPN/MPLS Secure QoS Storage Network
- Patricia Ferrao/Merlin Vincent: Web-based Collaborative System
- Sarah Jelinek: Enterprise Intrusion Detection and Response System (A2D2V2)
Slide 4: UCCS Network Lab Equipment
- Gigabit fiber connection to UCCS backbone.
- Switch/Firewall/Wireless AP: HP 4000 switch; 4 Linksys/Dlink switches; 5 Intel 24-port Fast Ethernet switches. Sonicwall Pro 300 Firewall; 6 Intel VPN Firewalls; 8 Intel 7112 SSL accelerators; 4 7820 XML directors donated by Intel. Cisco 1200 Aironet Dual Band Access Point and 350 client PC/PCI cards (both 802.11a and 802.11b cards). Intel IXP12EB network processor evaluation board.
- Servers: Two Dell PowerEdge Servers.
- Workstations/PCs: 8 Dell PCs (3 GHz-500 MHz); 12 HP PCs (500-233 MHz); 2 laptop PCs with Aironet 350 for mobile wireless; 1 iPAQ 3875 PDA.
- OS: Linux Redhat 9, Fedora; Windows XP/2000/2003.
Slide 5: Intrusion Related Research Areas
- Intrusion Prevention: General Security Policy; Ingress/Egress Filtering
- Intrusion Detection: Honey pot; Host-based IDS (Tripwire); Anomaly Detection; Misuse Detection
- Intrusion Response: Identification/Traceback/Pushback; Intrusion Tolerance
Slide 6: Wouldn't it be Nice to Have Alternate Routes?
[Figure: the victim's network is reached from client networks net-a.mil, net-b.mil and net-c.mil (each with its own DNS server, DNS1-DNS3) through the victim's default gateway R; alternate gateways R1-R3 (multi-homing) also connect the victim to the Internet. DDoS attack traffic and legitimate client traffic both arrive through R.]
How to reroute clients' traffic through R1-R3?
Slide 7: Implement Alternate Routes
[Figure: same topology as slide 6; client traffic is to be redirected through the alternate gateways R1-R3.]
Need to inform clients or client DNS servers!
But how to tell which clients are not compromised?
How to hide IP addresses of alternate gateways?
Slide 8: Possible Solution for Alternate Routes
[Figure: proxy servers Proxy1-Proxy3 are placed in front of the alternate gateways R1-R3. Attack messages are blocked by the IDS at the victim and at the proxies. The victim sends a distress call; a reroute command carrying the DNS name/IP address of the proxy and of the victim is sent out; a new route is established via Proxy3 to R3.]
Slide 9: SCOLD Phase 1
[Figure: same topology as slide 8, with a Reroute Coordinator added; attack traffic and client traffic both arrive at the victim's gateway R.]
1. IDS detects intrusion, blocks attack traffic, and sends a distress call to the Reroute Coordinator.
Slide 10: SCOLD Phase 2
[Figure: as slide 9.]
1. IDS detects intrusion, blocks attack traffic, and sends a distress call to the Reroute Coordinator.
2. The Reroute Coordinator sends a reroute command with (DNS name, IP address of victim, proxy server(s)) to the DNS.
Slide 11: SCOLD Phase 3
[Figure: as slide 10; new routes are drawn from the client networks through the proxies to the alternate gateways.]
2. The Reroute Coordinator sends a reroute command with (DNS name, IP address of victim, proxy server(s)) to the DNS.
3. New routes via Proxy1 to R1, via Proxy2 to R2, and via Proxy3 to R3.
Slide 12: SCOLD Phase 4
[Figure: as slide 11.]
3. New routes via Proxy1 to R1, via Proxy2 to R2, and via Proxy3 to R3.
4. Attack traffic detected by the IDS is blocked by the firewall.
4a. Attack traffic detected by the IDS is blocked by the firewall (second point marked in the figure).
Slide 13: SCOLD Secure DNS Update with New Indirect DNS Entries
New DNS entries: (target.targetnet.com, 133.41.96.7, ALT 203.55.57.102 203.55.57.103 185.11.16.49)
The ALT field holds a set of alternate proxy servers for indirect routes.
[Figure: client domain (modified client resolve library, modified Bind9) connected across the WAN to the trusted domain (modified Bind9, DMZ); IP tunnels run from the client domain via proxy2 into the trusted domain.]
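As an added worked example (not SCOLD's own code), the following Python simulates the reroute flow of phases 1 to 4 around the indirect DNS entry format shown on slide 13: the IDS distress call, the coordinator's reroute command (DNS name, victim IP, proxy servers), the secure update accepted by the target DNS, and a modified client resolver that hands each client a proxy instead of the direct address. The class names, the HMAC tag standing in for the real secure-update mechanism, the constructed key, and the per-/24 client partitioning are all assumptions of this example.

```python
"""Simulation of the SCOLD reroute flow (phases 1-4) using the indirect DNS entry
format shown on slide 13.  Added illustration, not the SCOLD project's own code:
class names, the HMAC-based update authentication and the per-/24 client
partitioning are assumptions made for the example."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed shared secret between the reroute coordinator and the target DNS.
# The slides only say the DNS update is "secure"; an HMAC tag stands in for the
# real mechanism here.
UPDATE_KEY = b"constructed-demo-update-key"


@dataclass(frozen=True)
class IndirectEntry:
    """(name, direct IP, ALT proxy list) as on slide 13; an empty ALT tuple is a plain direct entry."""
    name: str
    direct_ip: str
    alt_proxies: Tuple[str, ...]

    def to_text(self) -> str:
        return f"({self.name}, {self.direct_ip}, ALT {' '.join(self.alt_proxies)})"


def parse_indirect_entry(text: str) -> IndirectEntry:
    """Parse '(target.targetnet.com, 133.41.96.7, ALT 203.55.57.102 ...)'."""
    body = text.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("entry must be parenthesised")
    parts = [p.strip() for p in body[1:-1].split(",")]
    if len(parts) != 3 or not parts[2].startswith("ALT "):
        raise ValueError("expected: name, ip, ALT proxy-list")
    name, direct_ip = parts[0], parts[1]
    proxies = tuple(parts[2][4:].split())
    if not proxies:
        raise ValueError("ALT list is empty")
    for addr in (direct_ip, *proxies):
        ipaddress.ip_address(addr)  # rejects anything that is not an IP literal
    return IndirectEntry(name, direct_ip, proxies)


def sign_update(entry: IndirectEntry) -> str:
    return hmac.new(UPDATE_KEY, entry.to_text().encode(), hashlib.sha256).hexdigest()


class TargetDNS:
    """Stand-in for the modified Bind9 server: serves indirect entries, accepts only authenticated updates."""

    def __init__(self) -> None:
        self.zone = {}

    def secure_update(self, entry: IndirectEntry, tag: str) -> bool:
        if not hmac.compare_digest(tag, sign_update(entry)):
            return False  # forged or tampered reroute command is dropped
        self.zone[entry.name] = entry
        return True

    def query(self, name: str) -> Optional[IndirectEntry]:
        return self.zone.get(name)


class RerouteCoordinator:
    """Receives the IDS distress call (phase 1) and issues the reroute command (phase 2)."""

    def __init__(self, dns: TargetDNS, proxy_pool) -> None:
        self.dns = dns
        self.proxy_pool = tuple(proxy_pool)

    def distress_call(self, victim_name: str, victim_ip: str) -> bool:
        # Reroute command = (DNS name, IP address of victim, proxy server(s)), pushed as a secure update.
        entry = IndirectEntry(victim_name, victim_ip, self.proxy_pool)
        return self.dns.secure_update(entry, sign_update(entry))


def resolve_for_client(dns: TargetDNS, name: str, client_ip: str) -> Optional[str]:
    """Phase 3, modified client resolver: with an ALT entry present, clients are partitioned
    across the proxies by their /24 (assumed partitioning key), so each proxy sees a
    distinct client population and attack traffic can be attributed to a proxy."""
    entry = dns.query(name)
    if entry is None:
        return None
    if not entry.alt_proxies:
        return entry.direct_ip  # no attack in progress: direct route
    net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
    idx = int(hashlib.sha256(str(net).encode()).hexdigest(), 16) % len(entry.alt_proxies)
    return entry.alt_proxies[idx]


if __name__ == "__main__":
    dns = TargetDNS()
    dns.zone["target.targetnet.com"] = IndirectEntry("target.targetnet.com", "133.41.96.7", ())
    print("before attack:", resolve_for_client(dns, "target.targetnet.com", "198.51.100.7"))
    alt = parse_indirect_entry("(target.targetnet.com, 133.41.96.7, ALT 203.55.57.102 203.55.57.103 185.11.16.49)")
    RerouteCoordinator(dns, alt.alt_proxies).distress_call("target.targetnet.com", "133.41.96.7")
    print("during attack:", resolve_for_client(dns, "target.targetnet.com", "198.51.100.7"))
```

The partitioning step is what makes the consortium of proxies useful beyond load spreading: because every client /24 is pinned to one proxy, attack traffic that shows up at a proxy can only have come from the client population assigned to it, which is the observation behind the slide's remark that partitioning helps identify the origin of spoofed attacks.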
Slide 14: SCOLD Indirect Routing
[Figure: indirect route from client to target over an IP tunnel.]
Slide 15: SCOLD Indirect Routing with Client running SCOLD client daemon
[Figure: indirect route over an IP tunnel, with the SCOLD client daemon running on the client.]
Slide 16: Performance of SCOLD v0.1

Table 1: Ping Response Time (on 3 hop route)
No DDoS attack, direct route | DDoS attack, direct route | No DDoS attack, indirect route | DDoS attack, indirect route
0.49 ms | 225 ms | 0.65 ms | 0.65 ms

Table 2: SCOLD FTP/HTTP download Test (from client to target)
Doc Size | No DDoS attack, direct route (FTP / HTTP) | DDoS attack, direct route (FTP / HTTP) | No DDoS attack, indirect route (FTP / HTTP) | DDoS attack, indirect route (FTP / HTTP)
100k | 0.11 s / 3.8 s | 8.6 s / 9.1 s | 0.14 s / 4.6 s | 0.14 s / 4.6 s
250k | 0.28 s / 11.3 s | 19.5 s / 13.3 s | 0.31 s / 11.6 s | 0.31 s / 11.6 s
500k | 0.65 s / 30.8 s | 39 s / 59 s | 0.66 s / 31.1 s | 0.67 s / 31.1 s
1000k | 1.16 s / 62.5 s | 86 s / 106 s | 1.15 s / 59 s | 1.15 s / 59 s
2000k | 2.34 s / 121 s | 167 s / 232 s | 2.34 s / 122 s | 2.34 s / 123 s
Slide 17: Secure Collective Defense
Main Idea: Explore secure alternate paths for clients to come in; utilize geographically separated proxy servers.
Goal:
- Provide secure alternate routes.
- Hide IP addresses of alternate gateways.
Techniques:
- Multiple Path (Indirect) Routing.
- Enhanced Secure DNS extension: how to inform client DNS servers to add new DNS entries with alternate routes (not your normal DNS name/IP address mapping entry).
- Utilize a consortium of proxy servers with IDS that hides the IP address of alternate gateways. Partition clients to come in at different proxy servers; this can help identify the origin of spoofed attacks!
- How do clients use the new multiple path indirect DNS entries and route traffic through proxy servers? Use the SOCKS protocol, modify the resolver library.
Slide 18: Current SCOLD Project Results
- Proposed new DNS entries for intrusion tolerance, containing multiple proxy servers' info for establishing indirect routes.
- Modified Bind9 DNS server to accept secure DNS updates and to serve queries with new indirect DNS entries.
- Developed new secure DNS update utility to securely update the target zone file in the new enhanced Bind9 DNS server.
- Implemented new secure indirect routing protocol to allow client DNS to query target DNS during a DDoS attack, and to allow the client to communicate with the target server through a proxy server and alternate gateway.
Slide 19: Benefits of Secure Collective Defense
Security:
- When attacked, users switch to different routes dynamically.
- Urgent/critical packets sent over multiple routes simultaneously.
- Encrypted content sent over multiple routes.
- Information on DDoS attacks used to isolate the source of attacks.
Reliability:
- Users can choose the most reliable route dynamically.
- Packet content spread over multiple routes.
- Use redundant transmission or error correction to reduce PLR.
Performance:
- Multiple indirect routes provide additional bandwidth.
- Can be used for dynamic bandwidth provisioning.
Slide 20: Organic Networking
One possible approach: Dynamic provisioning of multiple paths (direct and indirect routes)
- Use secure DNS update to inform the clients.
- Use secure indirect routing for establishing alternate routes.
- Coordinate the selection of proxy servers for clients.
Critical for supporting a wide area IDC system.
[Figure: consumer, enterprise headquarters and branch sites connected over VPN / VPN-CUG across the Internet to IDC1 (inB portal), IDC2 (BtoB/C portal) and IDC3 (data backup); operation resources and backup resources are shared (BtoB, BtoC, inB).]
Slide 21: A2D2: Autonomous Anti-DDoS
Main Idea: Integrate enhanced IDS with adaptive firewall for autonomous intrusion defense.
Goal:
- Automate adaptive intrusion handling triggered by enhanced intrusion detection.
- Investigate the impact of various intrusion types on QoS.
Techniques:
- Enhanced Snort plug-in with subnet spoofing detection.
- Adaptive rate limiting firewall with user defined threshold and intrusion history.
Slide 22: A2D2 Testbed
[Figure: Autonomous Anti-DDoS Network (A2D2) testbed. Attack network 128.198.61 on the public network 128.198 (simulated Internet behind a 100 Mbps switch): DDoS agents Alpha 128.198.61.15, Beta 128.198.61.16, Gamma 128.198.61.17, Delta 128.198.61.18, and DDoS master client & handler Saturn 128.198.61.11 (NM 255.255.255.128, GW 128.198.61.1). Firewall gateway as Linux router: eth0 IP 128.198.61.12, NM 255.255.255.128, GW 128.198.61.1; eth1 IP 192.168.0.1, NM 255.255.0.0, GW 128.198.61.12; runs the iptables firewall with security policy, class-based queuing (CBQ) and multi-level rate limiting; IDS alerts trigger multi-level rate limiting. Private subnet 192.168.0 behind a 10 Mbps hub with the RealServer (eth0 IP 192.168.0.2, NM 255.255.0.0, GW 192.168.0.1); hosts Pluto and Titan; DMZ. RealServer traffic mix: 70% HTTP/RealPlayer, 15% SMTP/POP3, 10% SSH/SFTP, 5% SYN/ICMP/DNS. Real Player clients Client1 128.198.a.195, Client2 128.198.b.82 and Client3 128.198.c.31 reach the testbed from the public network through a 100 Mbps switch.]
Slide 23: A2D2 Multi-Level Adaptive Rate Limiting for Anti-DDoS Defense
[Figure: firewall gateway running multi-level rate limiting as a Linux router; eth0 IP 128.198.61.12 (NM 255.255.255.128, GW 128.198.61.1) faces the attack network, eth1 IP 192.168.0.1 (NM 255.255.0.0, GW 128.198.61.12) faces the private subnet. The IDS (./snort -A UNSOCK) is configured in snort.conf with flood preprocessor thresholds and flood rate limiter preprocessor thresholds; alerts pass through report.c/alert to rateif.pl, which reads rateif.conf (levels, rate, expiration, port #, etc.).]
Rate limiting levels:
- Level 4: Open (5 days)
- Level 3: 100 p/s
- Level 2: 50 p/s
- Level 1: Block (2 hrs)
- Level 0: Block (2 days)
Level 1 expires (arrow back up the level ladder in the figure).
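The level ladder on this slide is easiest to understand as a small state machine per source address, so here is one as an added example (it is not the A2D2 project's rateif.pl). The five levels with their rates and block durations are the slide's; the transition rules (each IDS alert drops a source one level, an expired level steps it back up one level), the expirations for levels 3 and 2, the reading of "Open (5 days)" as the lifetime of a source's alert history, and the rendered iptables rules are assumptions of this example.

```python
"""Multi-level adaptive rate limiting state machine in the spirit of the A2D2
diagram on slide 23.  Added illustration, not the A2D2 project's rateif.pl.
The five levels and their rates/block durations are taken from the slide; the
transition rules (each IDS alert drops a source one level, an expired level steps
it back up one level), the expirations for levels 3 and 2, and the rendered
iptables rules are assumptions made for this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HOUR = 3600
DAY = 24 * HOUR


@dataclass(frozen=True)
class Level:
    number: int
    action: str            # "open", "limit" or "block"
    rate_pps: Optional[int]
    expires_after: int     # seconds a source stays at this level before relaxing one step


# Level table from the slide; expirations marked "assumed" are not on the slide.
LEVELS: Dict[int, Level] = {
    4: Level(4, "open", None, 5 * DAY),    # Open (5 days): alert history kept this long (assumed meaning)
    3: Level(3, "limit", 100, HOUR),       # 100 p/s (expiration assumed)
    2: Level(2, "limit", 50, HOUR),        # 50 p/s (expiration assumed)
    1: Level(1, "block", None, 2 * HOUR),  # Block (2 hrs)
    0: Level(0, "block", None, 2 * DAY),   # Block (2 days)
}


@dataclass
class SourceState:
    level: int
    since: float   # time the source entered this level
    alerts: int = 0


class RateLimiter:
    """Tracks a level per source IP; IDS alerts escalate, expirations relax."""

    def __init__(self, levels: Dict[int, Level] = LEVELS) -> None:
        self.levels = levels
        self.sources: Dict[str, SourceState] = {}

    def _expire(self, src: str, now: float) -> Optional[SourceState]:
        """Apply every expiration that has elapsed since the last event for src."""
        st = self.sources.get(src)
        while st is not None and now - st.since >= self.levels[st.level].expires_after:
            if st.level >= 4:
                del self.sources[src]   # history aged out: forget the source entirely
                return None
            st.since += self.levels[st.level].expires_after
            st.level += 1
        return st

    def on_alert(self, src: str, now: float) -> int:
        """Snort alert for src: step one level more restrictive (never below level 0)."""
        st = self._expire(src, now)
        if st is None:
            st = SourceState(level=4, since=now)
            self.sources[src] = st
        st.alerts += 1
        if st.level > 0:
            st.level -= 1
        st.since = now
        return st.level

    def decision(self, src: str, now: float) -> Tuple[str, Optional[int]]:
        """Current treatment of src: ('open', None), ('limit', pps) or ('block', None)."""
        st = self._expire(src, now)
        lvl = self.levels[4 if st is None else st.level]
        return lvl.action, lvl.rate_pps

    def iptables_rules(self, src: str, now: float) -> List[str]:
        """Render the decision as iptables rules (illustrative; A2D2's actual rule set is not on the slide)."""
        action, pps = self.decision(src, now)
        if action == "open":
            return []
        if action == "block":
            return [f"iptables -A INPUT -s {src} -j DROP"]
        return [
            f"iptables -A INPUT -s {src} -m limit --limit {pps}/second -j ACCEPT",
            f"iptables -A INPUT -s {src} -j DROP",
        ]


if __name__ == "__main__":
    rl = RateLimiter()
    src = "128.198.61.15"   # one of the DDoS agents on the testbed slide
    for t in (0, 1, 2):
        print("alert at", t, "-> level", rl.on_alert(src, t))
    for t in (3, 2 + 2 * HOUR, 2 + 3 * HOUR, 2 + 4 * HOUR):
        print("t =", t, rl.decision(src, t), rl.iptables_rules(src, t))
```

The intrusion history lives in the `since` timestamps: a source that keeps triggering alerts is pushed down to the two-day block, while a source that goes quiet climbs back one level per expiration until its record is dropped, which is the adaptive behaviour the slide's "user defined threshold and intrusion history" refers to.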
Slide 24: A2D2 Results – Non-stop Attack
QoS experienced at A2D2 client:
Packets Received: 8,039
Retransmission Request: 2,592
Retransmission Received: 35
Lost: 2,557
Connection Timed-out
Slide 25: A2D2 Results – UDP Attack, Mitigation: Firewall Policy
QoS experienced at A2D2 client:
Packets Received: 23,407
Retransmission Request: 0
Retransmission Received: 0
Lost: 0
Slide 26: A2D2 Results – ICMP Attack, Mitigation: Firewall Policy
QoS experienced at A2D2 client:
Packets Received: 7,127
Retransmission Request: 2,105
Retransmission Received: 4
Lost: 2,101
Connection Timed-out
Slide 27: A2D2 Results – ICMP Attack, Mitigation: Firewall Policy & CBQ
QoS experienced at A2D2 client:
Packets Received: 23,438
Retransmission Request: 0
Retransmission Received: 0
Lost: 0
Slide 28: A2D2 Results – TCP Attack, Mitigation: Policy+CBQ
QoS experienced at A2D2 client:
Packets Received: 22,179
Retransmission Request: 4,090
Retransmission Received: 2,641
Lost: 1,449
Screen Quality Impact
Slide 29: A2D2 Results – TCP Attack, Mitigation: Policy+CBQ+Rate
QoS experienced at A2D2 client:
Packets Received: 23,444
Retransmission Request: 49 – 1,376
Retransmission Received: 40 – 776
Lost: 9 – 600
Slide 30: Autonomous Anti-DDoS Organic Security System?
[Figure: the A2D2 gateway (eth0/eth1) with local IDS response: Snort alerts from the enhanced IDS drive multi-level adaptive rate limiting, with rates dependent on traffic type, in front of class-based queuing (CBQ) and the iptables firewall with its security policy. An IDIP application layer on top adds cooperative detection, cooperative traceback, net restructuring and intrusion pushback: traceback messages are sent to IDIP neighbors (the firewall is an IDIP neighbor) and notifications go to the IDIP discovery coordinator.]
Slide 31: SGFR: Secure Groupware for First Responders
Main Idea: design a framework for enhancing the security of groupware packages such as instant messengers and video monitoring/conferencing tools.
Goal:
- Investigate the proper interface between a group rekeying system and groupware.
- Develop a secure instant messaging system with remote group file download and remote display.
- Experiment with the prototype software on PDAs with a mobile ad hoc network.
- Integrate with stress level and tool usage effectiveness evaluation. This is a joint project with Dr. Chip Benight of the psychology department at UCCS.
Techniques:
- Scalable group key management (Keystone from UT Austin)
- Efficient groupware (Jabber Instant Messaging System)
- Mobile Ad Hoc Network (NIST)
Slide 32: SGFR Features
- Security Enhanced Groupware: Instant messenger (JabberX)
- Group Communication Server: Instant Messaging Server (Jabber)
- Group Key Management: Secure Group Rekeying system (Keystone)
- Psychology Evaluation: Stress Level Tracking; Effectiveness of Tool Usage (Keyboard/Mouse Event Tracking, History of Commands, Mistakes, Popup Quiz?)
Slide 33: SGFR System Architecture
[Figure: three SGFR clients, an SGFR Group Key Server and an SGFR Instant Messenger Server. Clients register/authenticate with the group key server, which handles group key distribution; clients sign in and create/join chat groups on the instant messenger server; messages are encrypted/decrypted using the group key.]
Slide 34: SGFR System Operation
[Figure: JabberX clients send registration requests to the Registrar; the Key Server, Control Manager and Data Broadcast components deliver rekey messages to the clients by multicast/unicast; application data flows between the JabberX clients through the Jabber Server.]
Slide 35: Associate JabberX client with Keyserver and Jabber server
1. Users log in to the Jabber server.
2. If login is successful, the client registers with the Keyserver by presenting a digital certificate.
3. When a user creates/joins a group, the Keyserver issues a group key to the client.
4. When a user leaves the group, the Keyserver generates a new group key for the remaining members of the group.
5. The group key can be refreshed periodically.
6. Group keys are used to encrypt data and authenticate the group.
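The six steps above, together with the two key assignments shown in the Keystone output on slide 36, can be exercised end to end with the following Python group key server, added here as an example and not taken from SGFR or Keystone. Keystone manages a logical key tree; this stand-in simply issues a fresh random group key on every join, leave and periodic refresh, which is enough to demonstrate the property the slide states: a member who has left cannot read traffic sealed under the new key. The certificate check is reduced to a constructed allow-list of certificate fingerprints, and the message cipher (HMAC-SHA256 keystream plus a separate MAC) stands in for whatever cipher SGFR used; all of these are assumptions of the example.

```python
"""Group key server simulation of the SGFR join/leave rekeying flow on slide 35
(and the two key assignments shown in the Keystone output on slide 36).  Added
illustration, not SGFR or Keystone code: Keystone manages a key tree, whereas this
server simply issues a fresh random group key on every join, leave and periodic
refresh.  Certificate checking is reduced to a constructed allow-list of certificate
fingerprints, and the message cipher is an HMAC-SHA256 keystream with a separate
MAC, standing in for whatever cipher SGFR used."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

RekeyMsg = Tuple[int, bytes]   # (key version, group key)


class KeyServer:
    def __init__(self, trusted_fingerprints) -> None:
        self.trusted: Set[str] = set(trusted_fingerprints)
        self.registered: Set[str] = set()
        self.groups: Dict[str, dict] = {}

    def register(self, user: str, cert_fingerprint: str) -> bool:
        """Registration after Jabber login: the client presents its certificate."""
        if cert_fingerprint not in self.trusted:
            return False
        self.registered.add(user)
        return True

    def join(self, user: str, group: str) -> Dict[str, RekeyMsg]:
        if user not in self.registered:
            raise PermissionError(f"{user} is not registered with the key server")
        g = self.groups.setdefault(group, {"version": 0, "key": b"", "members": set()})
        g["members"].add(user)
        return self._rekey(group)   # new key so the joiner cannot read earlier traffic

    def leave(self, user: str, group: str) -> Dict[str, RekeyMsg]:
        self.groups[group]["members"].discard(user)
        return self._rekey(group)   # new key for the remaining members only

    def refresh(self, group: str) -> Dict[str, RekeyMsg]:
        return self._rekey(group)   # periodic refresh

    def _rekey(self, group: str) -> Dict[str, RekeyMsg]:
        g = self.groups[group]
        g["version"] += 1
        g["key"] = secrets.token_bytes(32)
        # One rekey message per current member (unicast/multicast in the real system).
        return {m: (g["version"], g["key"]) for m in g["members"]}


def _subkey(key: bytes, label: bytes) -> bytes:
    return hashlib.sha256(key + label).digest()


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(group_key: bytes, version: int, plaintext: bytes) -> Tuple[int, bytes, bytes, bytes]:
    """Encrypt-then-MAC under the group key; the key version travels with the message."""
    nonce = secrets.token_bytes(12)
    ks = _keystream(_subkey(group_key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(group_key, b"mac"), version.to_bytes(4, "big") + nonce + ct, hashlib.sha256).digest()
    return version, nonce, ct, tag


def decrypt(group_key: bytes, version: int, nonce: bytes, ct: bytes, tag: bytes) -> Optional[bytes]:
    """Returns None when the MAC fails, i.e. the message was tampered with or was
    sealed under a different (old) group key."""
    expected = hmac.new(_subkey(group_key, b"mac"), version.to_bytes(4, "big") + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(_subkey(group_key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


if __name__ == "__main__":
    ks = KeyServer({"fp-ganesh", "fp-ayen"})        # constructed fingerprints
    ks.register("ganesh", "fp-ganesh")
    ks.register("ayen", "fp-ayen")
    ks.join("ganesh", "g1")                          # first group key assigned to group
    keys = ks.join("ayen", "g1")                     # second group key assigned when a member joined
    msg = encrypt(keys["ganesh"][1], keys["ganesh"][0], b"Hello")
    print(decrypt(keys["ayen"][1], *msg))            # b'Hello'
    keys2 = ks.leave("ayen", "g1")
    msg2 = encrypt(keys2["ganesh"][1], keys2["ganesh"][0], b"after leave")
    print(decrypt(keys["ayen"][1], *msg2))           # None: ayen's old key no longer works
```

Carrying the key version inside the authenticated data is the detail worth keeping from this example: a receiver can tell a message sealed under a stale key apart from a corrupted one, and a client that missed a rekey message knows to re-fetch the key rather than silently dropping traffic.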
Slide 36: Output of the Keystone Server
[Screenshot: User ganesh joining group g1; User ayen joining group g1; first group key assigned to group; second group key assigned to group when a member joined.]
Slide 37: Packet captured by Ethereal Packet Sniffer
[Screenshot: output of the Jabber server running on a machine; the encrypted “Hello” is surrounded by a <body> tag.]
Slide 38: Testing Results

Table 1: time taken for client registration, group join, group leave
Runs | Client Registration Time (ms) | Group Join Time (ms) | Group Leave Time (ms)
1 | 279.62 | 233.46 | 135.54
2 | 249.28 | 652.74 | 126.78
3 | 253.93 | 706.04 | 769.08
4 | 259.46 | 118.15 | 434.12
Avg/Run | 260.57 | 427.59 | 366.38

Table 2: time taken for file transfer
File size | Time Taken (ms)
8.5K | 35302.47
25K | 105986.05
60K | 305934.53
195K | 1007949.38

Test platform: IBM Thinkpad Intel Pentium III 800MHz Server; iPAQ PDA StrongARM 200MHz; Linux 2.4 Kernel; 802.11b Ad hoc Mode with NIST driver.
Slide 39: Conclusion
- A secure group communication software package, SGFR v.0, was developed.
- Uses digital certificates to authenticate client access.
- Group keys are distributed when members join/leave or based on some time period.
- The group key is used to encrypt the messages.
- Enhanced Jabber-based text chat with remote file download and remote display.
- Ported SGFR v.0 to run on handheld devices including the iPAQ PDA running Linux and the Sony PalmTop with 802.11b mobile ad hoc network.
- Lesson 1: Fire fighters do not like stylus input and they carry heavy load!!
- Lesson 2: Fire fighters don't care about security; Police do!!
Slide 40: Secure Wireless Access Control
Goal:
- Compare performance of two proposed wireless authentication protocols, PEAP vs. TTLS.
- Develop a PEAP module for the freeRadius server on Linux.
Techniques/Tools used:
- Xsupplicant, Windows XP
- freeRadius, Win 2003 server
- OpenSSL
Slide 41: UCCS Secure Wireless Access Testbed
[Figure: wireless Client authenticating against the RADIUS server.]
Slide 42: Client/Server Machine Configurations
Machine | Spec | IP Address | OS | Software
wiper.uccs.edu (RADIUS server and DHCP server) | 1.8 GHz, 1 GB RAM | 128.192.61.132 | RedHat 9.0 running Linux 2.2.20-19.9 kernel | FreeRadius, modified CVS snapshot radiusd-09.03.03.tar.gz
willow.uccs.edu (Access Point) | Cisco Aironet 1200 | 128.192.61.130 | RedHat 9.0 running Linux 2.2.20-19.9 kernel | Cisco 1200 series software
Toshiba (Wireless Client using Cisco Aironet 350 PC Card) | 366 MHz, 512 MB | Dynamic IP address 128.192.61.144 to 128.98.61.152 | RedHat 6.2 running Linux 2.2.20-19.9 kernel | Open1x Xsupplicant Version 9.0
Hobbit (Wireless Client using Cisco Aironet 350 PCI Card) | 1 GHz Dell Optiplex, 512 MB | Dynamic IP address 128.192.61.144 to 128.98.61.152 | Windows XP SP1 and RedHat 9.0 running Linux 2.2.20.9 kernel | Open1x Xsupplicant for Linux and built-in Service Pack for XP
Slide 43: PEAP vs. TTLS on Toshiba machine
[Chart: PEAP vs TTLS [Toshiba - 366.604 MHz]; time in msec (500-1500) over 15 runs for the TTLS and PEAP series.]
 | PEAP | TTLS
Average | 1046 | 949
Variance | 8142 | 12060
Slide 44: PEAP vs. TTLS Average Performance
[Chart: PEAP-TTLS average performance over varying distances; average time in msec (800-1500) over distance ranges DIST1-DIST5 for the PEAP and TTLS series.]
Slide 45: Conclusion
- Developed a Radius Server on Linux that supports both PEAP and TTLS.
- PEAP is relatively more influenced by the client's processor speed, distance range and network transient nature as compared to TTLS.
- Although the higher performance shown by TTLS over PEAP is negligible, it is worth noting that TTLS was outperforming PEAP on average by 10% in all the tests.
- The enhanced Radius Server can serve both Windows and Linux clients.
Slide 46: First Responder Sensor Network
Goal: How wireless sensor networks can assist first responders.
Status: Created a wireless sensor testbed with Crossbow Professional Mote Kits and Intel Stargate gateway devices.
Current Tasks:
- Investigate how to deploy sensor networks (pre-planned/dynamically deployed).
- Develop algorithms for tracking first responders using wireless sensors.
- Security in SMANET+FRSN.
Slide 47: Scenario 1: Preplanned Wireless Sensors
- The building is surveyed and deployed with wireless sensors, and floor plan info is included in the gateway device.
- When there is a fire, first responders can tap into the secure wireless sensor network to find the condition of the building, overlaid on the floor plan picture.
Slide 48: Scenario 2: Dynamically Deployed Sensors
- Fire fighters drop the wireless sensors along the route in.
- If sensors detect a temperature increase or location movement!!, they relay the data through the multi-hop wireless sensor network to both the team inside and the team outside.
Slide 49: Secure Access to Sensor Network
- Terrorists may access the sensors and the information on the gateway.
- Need authentication for secure access.
- Need encryption to avoid sniffing by terrorists.
- Need redundancy for fault tolerance and for verifying the sensor results.
Slide 50: Improving System Performance by QoS Regulations with Adaptive Resource Management under Cyber Threats
Xiaobo Joe Zhou
Slide 51: Information Fusion
Project Goal: Intelligence/information fusion among multiple agencies. Starting with federal/state/city agencies, extend it to include those from Canada, the United States, and Mexico.
- How to exchange, verify and correlate intelligence information for decision support.
- How to allocate resources and coordinate sensors in different agencies for a set of tasks with different priorities.
Slide 52: Related Works
Multilayered Video:
- Deliver Multimedia Streams with Flexible QoS via a Multicast DAG, Jiong Yang, UIUC, ICDCS 03
- Source-adaptive multilayered multicast algorithms for real-time video distribution, Brett Vickers, IEEE/ACM Transactions on Networking 2000
- An End-to-End Adaptation Protocol for Layered Video Multicast Using Optimal Rate Allocation, Ya-Qin Zhang, IEEE Transactions on Multimedia 2004
QoS and multipath:
- Admission Control and Dynamic Adaptation for a Proportional-Delay DiffServ-Enabled Web Server, Sam C. M. Lee, John C. S. Lui, David K. Y. Yau, SIGMETRICS 2002
- Parallel Access For Mirror Sites in the Internet, Pablo Rodriguez, et al., Infocom 1999
53 Pfleeger Visit 4/13/2004 UCCS Network/System Security
Research Direction
Data Fusion Operations
- Artificial Neural Network for merging results from multiple classifiers
- Negotiation/Coordination Protocol [Idian, CIDF, IDMEF, IDIP]
- Specific test cases: distributed intrusion detection, compromised node detection, tracking with sensors
Data transmission in data fusion
- Techniques for guaranteeing the quality of service for the prioritized sensor information fusion/delivery
- Multilayered video encoding and distribution; multilayered information data classification and transportation
- Feedback control mechanism
Comment? Other important research topics/directions?
54 Pfleeger Visit 4/13/2004 UCCS Network/System Security
Secure Information Sharing
Project Goal: Secure intelligence/information sharing among multiple agencies/organizations
- How to exchange and verify information and provide security and non-repudiation
- How to share information between different agencies and protect against misuse of authority during information sharing
55 Pfleeger Visit 4/13/2004 UCCS Network/System Security
Related Works
- NIST standard on Role Based Access Control
- An Internet Attribute Certificate Profile for Authorization, RFC 3281
- IETF Working Group on Public Key Infrastructure (X.509)
- Privilege and Role Management Infrastructure Standards Validation: http://www.permis.org/
- Akenti Distributed Access Control: http://www-itg.lbl.gov/
56 Pfleeger Visit 4/13/2004 UCCS Network/System Security
Research Direction
Data Sharing Operations
- Access control mechanism for sharing information: Mandatory, Discretionary, and Role Based Access Control mechanisms
- Specific test cases: file distribution, directory access control, secure instant messaging for group communications
Attribute Certificate profile for Authorization
- Provides non-repudiation and Role Based Access Control
- Easier to manage than certificates, with a shorter life span than certificates
- Provides resource access for a short duration; tighter control, misuse avoidance, and increased responsibility
Comment? Other important research topics/directions?
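The short-lived attribute certificate idea above, as an added example that is not from the UCCS slides: a simplified authorization check in the spirit of RFC 3281, where the AC's holder field must match the authenticated public-key certificate, the validity window is enforced, and only then are the certified roles mapped to permissions. The HMAC issuer key, the certificate serials, the role table and the clock values are constructed stand-ins (a real AC carries the issuer's X.509 signature, not an HMAC).

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta

# Constructed stand-in for the AC issuer's signing key. A real RFC 3281 AC is
# signed with the issuer's private key and verified against its certificate.
ISSUER_KEY = b"constructed-ac-issuer-key"

# Hypothetical RBAC policy: role -> permitted actions.
ROLE_PERMS = {
    "analyst": {"read:report"},
    "supervisor": {"read:report", "share:report"},
}


def _mac(ac):
    """Authenticate every field except the signature itself (canonical JSON)."""
    body = {k: v for k, v in ac.items() if k != "signature"}
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


def issue_ac(holder_serial, issuer, roles, now_iso, hours=8):
    """Issue a short-lived AC bound to the holder's public-key certificate serial."""
    now = datetime.fromisoformat(now_iso)
    ac = {
        "holder_serial": holder_serial,  # binds the AC to a certificate, not a name
        "issuer": issuer,
        "not_before": now.isoformat(),
        "not_after": (now + timedelta(hours=hours)).isoformat(),
        "roles": sorted(roles),
    }
    ac["signature"] = _mac(ac)
    return ac


def authorize(ac, presented_serial, action, now_iso):
    """Return (allowed, reason). Every check must pass before roles are consulted."""
    if not hmac.compare_digest(ac.get("signature", ""), _mac(ac)):
        return False, "issuer signature does not verify"
    if ac["holder_serial"] != presented_serial:
        return False, "AC holder does not match the authenticated certificate"
    now = datetime.fromisoformat(now_iso)
    if not (datetime.fromisoformat(ac["not_before"]) <= now
            <= datetime.fromisoformat(ac["not_after"])):
        return False, "AC outside its validity period"
    perms = set().union(*(ROLE_PERMS.get(r, set()) for r in ac["roles"]))
    if action not in perms:
        return False, "no certified role grants " + action
    return True, "ok"
```

Because the roles live in a separately signed, short-lived AC, a stale or tampered role grant fails closed without touching the holder's long-lived identity certificate.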
57 Pfleeger Visit 4/13/2004 UCCS Network/System Security
Summary
- We have developed innovative ideas on intrusion tolerance
- We have developed expertise in
  - Secure DNS system (Organic Networking?)
  - Secure multiple path indirect routing (Organic Networking?)
  - Autonomous security system with Enhanced IDS+Firewall (Organic Security?)
  - Secure wireless access and MANET
  - Group key management
  - Secure groupware
  - Wireless sensor network for first responders
  - Content switching
  - Network restoration
  - QoS (proportional differentiated services)
- Developing expertise in information fusion/sharing.