
Benson Wu, 2005 1

Research Roadmap on network security:

from practical firewall to anti-spam/spyware

PhD Candidate: Ming-Wei (Benson) Wu, 吳明蔚, Dept. of Electrical Engineering

National Taiwan University

[email protected]

http://www.ee.ntu.edu.tw/~benson


Questions to Answer

- What have I done? Brief background; research
- What does Internet security look like today? Changes in Internet users and applications; changes in threat; legacy security measures
- Changes in security: perimeter, depth, granularity
- Case studies: anti-spyware
- Conclusions


Brief Background

Affiliations:
- ITRI/NCTU Network Benchmarking Lab
- NCTU CS High Speed Network Lab
- L7 Networks
- Institute for Information Industry (III)
- NTU EE Dependable and Distributed Network Lab
- TWNIC, TaiWan Internet Next Generation

Timeline: 1992~1996 International School Manila (ISM); 2000~2003; 2003~2005. (Skill labels on the timeline figure: English, Leadership, Implementation, Domain knowledge, Discipline.)


Research

- Connectivity: P2P Gateway, Web Services, Digital Home
- Security: Security Gateway, Benchmarking, XML Firewall, Anti-spyware, Anti-spam
- Public interests: open source development, textbook writing, magazine article writing


Internet Evolution

- Changes in networking technologies
- Changes in Internet users and Internet applications
- Changes in security accessories


Changes in Internet Applications: the Primitive Web becoming Web Services

Is the primitive Web enough?
- While they are still newbies, users want to "join": all Client-to-Server
- Once they become big enough, they want to "share": some Peer-to-Peer (P2P), some Server-to-Server (Web Services)


Changes in Internet Users: from Browsing towards Clicking

- Necessary services at one click: Web Services (e.g. one-stop shopping)
- Necessary authentications at one time: Single Sign-On (e.g. one-click cart/basket)
- Necessary confidentiality at higher granularity: XML Encryption (e.g. interleaved workflow)


Such changes are already a reality

Some numbers about P2P:
- 2 million Kuro users, and 50.2% of teenagers (15~22) have visited either Kuro or EZPeer (InsightXplorer market research, 2003/09)
- Some NT$9.6 billion lost due to P2P sharing (III, Network & Communications magazine, 2003/06)

Some numbers about Web Services:
- 79% are evaluating (Accenture)
- 52% are using or testing (TechMetrix)
- 45.5% consider security to be the biggest obstacle (BusinessWeek)


The Evolution of P2P: Darwinism


2004 P2P Popularity and User Rating

[Chart: Top 20 Popular P2P File-Sharing Applications. Left axis: total downloads (0 to 400,000,000); right axis: user rating (0 to 100).]


Extending Client-Server to P2P: Its Problems and Solutions

- Connectivity (Internet transparency?): how to connect resources successfully? Solution: a middleman (e.g. the gatekeeper in H.323, the broker in middleware, the rendezvous node in JXTA)
- Scalability in size: how to locate MANY resources? Solution: smart routing, making use of a distributed hash table (DHT)
- Scalability in time: how to locate resources INSTANTLY? Solution: a DHT again (resilience?)
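The DHT routing the slide points to, as an added example (not code from the slides or from any real P2P client): a Chord-style ring where every node keeps only a finger table of M entries, and a lookup reaches the node responsible for a key in at most M hops because each hop at least halves the remaining distance. Node names, resource names and the ring size are constructed; SHA-1 truncated to M bits stands in for Chord's full 160-bit identifiers. The last part of the demo drops a node and rebuilds fingers to answer the slide's "resilience?" question for the simplest case.

```python
"""Chord-style DHT lookup with finger tables (added example, not from the slides).

Constructed toy: a 2**M identifier ring, eight node ids derived from made-up
names, no networking. Shows finger-table routing reaching the owner of a key in
at most M hops using only each node's local state, and lookups still resolving
after one node leaves and the survivors refresh their fingers.
"""
import hashlib

M = 16                 # identifier bits (constructed; Chord uses 160)
RING = 1 << M          # ring size


def key_id(name: str) -> int:
    """Hash a node or resource name onto the ring (SHA-1 truncated to M bits)."""
    return int.from_bytes(hashlib.sha1(name.encode()).digest(), "big") % RING


def in_open(x: int, a: int, b: int) -> bool:
    """True if x lies in the circular open interval (a, b)."""
    if a < b:
        return a < x < b
    return x > a or x < b          # interval wraps through 0; a == b means "all but a"


def in_half_open(x: int, a: int, b: int) -> bool:
    """True if x lies in the circular interval (a, b]."""
    if a == b:
        return True                # a single node owns the whole ring
    if a < b:
        return a < x <= b
    return x > a or x <= b


class Ring:
    """All nodes of the overlay; lookup() only ever reads one node's finger table per hop."""

    def __init__(self, node_ids):
        self.nodes = sorted(set(node_ids))
        # finger[i] of node n = successor((n + 2**i) mod RING)
        self.finger = {n: [self.successor((n + (1 << i)) % RING) for i in range(M)]
                       for n in self.nodes}

    def successor(self, k: int) -> int:
        """Ground truth with global knowledge: first node id >= k, wrapping around."""
        for n in self.nodes:
            if n >= k:
                return n
        return self.nodes[0]

    def lookup(self, start: int, k: int):
        """Route from node `start` to the owner of key k using finger tables only.
        Returns (owner, hops)."""
        n, hops = start, 0
        while True:
            succ = self.finger[n][0]             # finger[0] is the immediate successor
            if in_half_open(k, n, succ):
                return succ, hops
            nxt = succ                            # fallback always makes progress
            for f in reversed(self.finger[n]):   # closest preceding finger
                if in_open(f, n, k):
                    nxt = f
                    break
            n, hops = nxt, hops + 1


def demo():
    """Build a ring, resolve a few keys from one node, then drop one node."""
    ring = Ring(key_id(f"node-{i}") for i in range(8))
    names = ["song.mp3", "paper.pdf", "movie.avi", "readme.txt"]
    results = {name: ring.lookup(ring.nodes[0], key_id(name)) for name in names}
    survivors = Ring(ring.nodes[1:])             # one node leaves; fingers are rebuilt
    after = {name: survivors.lookup(survivors.nodes[0], key_id(name))[0] for name in names}
    return ring, results, survivors, after


if __name__ == "__main__":
    ring, results, survivors, after = demo()
    for name, (owner, hops) in results.items():
        print(f"{name:12s} -> node {owner:5d} in {hops} hops")
```

The resilience caveat the slide flags is visible here only in its easy form: a departed node's keys move to its successor once fingers are refreshed. A real DHT also needs successor lists and periodic stabilisation so that lookups keep working while fingers are stale, which this toy omits.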


Extending Client-Server to Web Services: Its Problems and Solutions

What do most XML firewalls do?
- How to manipulate only parts of a document? Per-element XML encryption/signing
- How to authenticate/authorize between more than two parties? Single Sign-On
- How to assure the validity of a Web Service's action? SOAP schema validation and SOAP digital signature verification
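Per-element signing and its verification at the gateway, as an added example (not code from the slides or from any XML firewall product). Only the <Order> element is signed, so an intermediary may rewrite the <Header> without breaking the signature, while any change inside <Order> fails verification; canonicalisation makes the check survive whitespace and attribute-order changes. The message, the shared key and the element names are constructed, an HMAC-SHA256 stands in for the RSA signature a WS-Security/XML-DSig deployment would use, and namespaces are omitted to keep the C14N step short.

```python
"""Per-element XML signing and verification (added example, not from the slides).

Constructed toy for the XML-firewall point above. Only <Order> is signed, so a
header rewrite by an intermediary still verifies while a tampered total inside
<Order> does not. HMAC-SHA256 over the element's canonical (C14N) form stands in
for an XML-DSig RSA signature; namespaces are left out for brevity.
"""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SHARED_KEY = b"constructed-demo-key"   # constructed; a real gateway holds the signer's public key

# Constructed SOAP-like purchase order.
MESSAGE = """<Envelope>
  <Header>
    <Route>gateway-1</Route>
    <Signature target="Order" alg="hmac-sha256"/>
  </Header>
  <Body>
    <Order id="42">
      <Item sku="A-100" qty="2"/>
      <Total currency="TWD">1960</Total>
    </Order>
  </Body>
</Envelope>
"""


def canonical_bytes(elem: ET.Element) -> bytes:
    """C14N form of one element: stable across whitespace and attribute-order changes."""
    clone = copy.deepcopy(elem)
    clone.tail = None                      # whitespace after the element is not part of it
    return ET.canonicalize(ET.tostring(clone, encoding="unicode"), strip_text=True).encode()


def sign_element(root: ET.Element, target_tag: str, key: bytes) -> str:
    """MAC the first <target_tag> element and record it in the <Signature> header."""
    target = root.find(f".//{target_tag}")
    sig = root.find(".//Signature")
    if target is None or sig is None:
        raise ValueError("message lacks the element to sign or the Signature header")
    mac = hmac.new(key, canonical_bytes(target), hashlib.sha256).hexdigest()
    sig.set("target", target_tag)
    sig.text = mac
    return mac


def verify_element(root: ET.Element, key: bytes) -> bool:
    """Recompute the MAC over the element named in <Signature>; constant-time compare.
    A missing signature or target is a failure, never a pass."""
    sig = root.find(".//Signature")
    if sig is None or not sig.text or not sig.get("target"):
        return False
    target = root.find(f".//{sig.get('target')}")
    if target is None:
        return False
    expected = hmac.new(key, canonical_bytes(target), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig.text.strip())


def signed_message(key: bytes = SHARED_KEY) -> str:
    """The sender's side: sign <Order> and serialise the envelope."""
    root = ET.fromstring(MESSAGE)
    sign_element(root, "Order", key)
    return ET.tostring(root, encoding="unicode")


def verify_message(xml_text: str, key: bytes = SHARED_KEY) -> bool:
    """The gateway's side: parse the received bytes, then verify the signed element."""
    return verify_element(ET.fromstring(xml_text), key)


def scenario():
    """Sign once, then (1) an intermediary rewrites the header and (2) an attacker
    lowers the signed total. Returns the three verification results."""
    root = ET.fromstring(signed_message())
    fresh = verify_element(root, SHARED_KEY)
    root.find(".//Route").text = "gateway-2"      # outside the signed element
    after_header_change = verify_element(root, SHARED_KEY)
    root.find(".//Total").text = "1"              # inside the signed element
    after_body_tamper = verify_element(root, SHARED_KEY)
    return fresh, after_header_change, after_body_tamper


if __name__ == "__main__":
    print(scenario())   # (True, True, False)
```

Two points a gateway implementer should keep from this: verify over the canonical form, never over the raw bytes, or any re-serialising hop will break valid messages; and treat an absent or unresolvable signature as a rejection, since a firewall that passes unsigned messages lets an attacker simply strip the signature.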


Changes in Threat: Volume and Impact. Security is tougher than ever.

- In volume: >600%. 137,529 incidents were reported to CERT/CC during 2003, more than six times the 2000 figure.
- In impact: <10 minutes. SQL Slammer (aka Sapphire) infected more than 90% of its vulnerable hosts across the Internet in under 10 minutes in January 2003.


A Reminder of Legacy Security Measures

- Access security: firewall, content filter
- Data security: Virtual Private Network (VPN)
- System security: Intrusion Detection System (IDS), antivirus


Technical Analysis: Issues

- FW: must leave well-known ports alone, e.g. 80
- IDS: false alarms, new attacks, correlation
- AV: new viruses, signatures, where to run it (desktop or network), polymorphism
- CF: false positives, false negatives
- VPN: management overhead, interoperability


Changes in Security: Perimeter, Depth and Granularity

Existing security measures that protect you:
- TCP/IP firewall: packet-level
- Virtual Private Network (VPN): IP-level tunneling
- Content filter: application-level
- Intrusion Detection System (IDS): application-level
- Antivirus: application-level

The situation has changed:
- Network perimeters have become less defined due to pervasive mobile devices (e.g. WLAN, PDAs)
- 80% of all attacks come from external parties, yet 80% of all security-related losses are due to the remaining 20% of attacks, the internal ones

Increasing depth:
- Stand-alone security measures → integrated all-in-one approach
- Demand for internal security is emerging (plus more applications and more users requiring higher bandwidth)

Finer granularity:
- Packet-level → application-level
- Per-flow basis → per-element basis
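The three granularities above side by side, as an added example (not code from the slides or from any firewall product). A 5-tuple packet filter has to leave tcp/80 open, so an application-aware stage parses the HTTP request that opens each port-80 flow, and a per-flow table remembers that verdict for the connection's remaining segments. The addresses, the blocked host suffix, the "ConstructedSpyAgent" user agent and the request bytes are all constructed placeholders, not real spyware indicators.

```python
"""Packet-level, application-level and per-flow filtering (added example, not from the slides).

Constructed toy for the granularity point above: the packet filter must allow
tcp/80, an application-aware stage inspects the HTTP request inside port-80
flows, and a per-flow table caches the verdict. All indicators are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """The classic firewall 5-tuple."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# Packet-level policy: (proto, dport, action); first match wins, "*" is a wildcard.
PACKET_RULES = [
    ("tcp", 135, "deny"),    # MSRPC: closed at the perimeter
    ("tcp", 80, "allow"),    # the web must stay reachable
    ("tcp", 443, "allow"),
    ("*", "*", "deny"),
]
INSPECTED_PORTS = {80}

# Constructed application-level indicators (placeholders, not real spyware signatures).
BLOCKED_HOST_SUFFIXES = ("adware-tracker.example",)
BLOCKED_USER_AGENTS = ("ConstructedSpyAgent/",)


def packet_filter(flow: Flow) -> str:
    """Stateless 5-tuple decision."""
    for proto, dport, action in PACKET_RULES:
        if proto in ("*", flow.proto) and dport in ("*", flow.dport):
            return action
    return "deny"


def parse_http_request(payload: bytes) -> Optional[Dict[str, object]]:
    """Minimal HTTP/1.x parser: request line plus headers (names lower-cased).
    Returns None when the bytes are not a well-formed request."""
    try:
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            return None
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "target": parts[1], "version": parts[2], "headers": headers}


def application_filter(payload: bytes) -> str:
    """Verdict for the first segment of an allowed port-80 flow."""
    req = parse_http_request(payload)
    if req is None:
        return "deny"                                   # non-HTTP on port 80: tunnelling or junk
    headers = req["headers"]
    host = headers.get("host", "").lower()
    if any(host == s or host.endswith("." + s) for s in BLOCKED_HOST_SUFFIXES):
        return "deny"
    if any(headers.get("user-agent", "").startswith(ua) for ua in BLOCKED_USER_AGENTS):
        return "deny"
    return "allow"


class Gateway:
    """Per-flow state: a flow is inspected once; later segments reuse its verdict."""

    def __init__(self) -> None:
        self.verdicts: Dict[Flow, Tuple[str, str]] = {}    # flow -> (deciding stage, verdict)

    def process(self, flow: Flow, payload: bytes) -> Tuple[str, str]:
        if flow in self.verdicts:
            return ("flow", self.verdicts[flow][1])
        stage, verdict = "packet", packet_filter(flow)
        if verdict == "allow" and flow.dport in INSPECTED_PORTS:
            stage, verdict = "application", application_filter(payload)
        self.verdicts[flow] = (stage, verdict)
        return (stage, verdict)


def run_demo() -> List[Tuple[str, str]]:
    """Constructed segments: blocked RPC, benign web, a spyware beacon over port 80
    that the packet filter alone would pass, and a second segment of that flow."""
    gw = Gateway()
    rpc = Flow("192.0.2.10", 40001, "198.51.100.9", 135)
    web = Flow("192.0.2.10", 40002, "198.51.100.20", 80)
    spy = Flow("192.0.2.10", 40003, "198.51.100.7", 80)
    traffic = [
        (rpc, b""),
        (web, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
        (spy, b"GET /beacon HTTP/1.1\r\nHost: c1.adware-tracker.example\r\n"
              b"User-Agent: ConstructedSpyAgent/1.0\r\n\r\n"),
        (spy, b"POST /keys HTTP/1.1\r\nHost: c1.adware-tracker.example\r\n\r\n"),
    ]
    return [gw.process(flow, payload) for flow, payload in traffic]
```

The spyware beacon is the slide's point in miniature: its flow is indistinguishable from web browsing at the packet level, and only the application-level stage can refuse it. The per-flow cache is what keeps that deeper inspection affordable, since only the first segment of each connection is parsed.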


Anti-spyware: What Are We Dealing With?

Spyware definition: a generic term for a class of software programs that could violate, and potentially jeopardize, people's privacy and security.

Examples: Gator, Cydoor, Aureate, Comet Cursor and Web3000, found bundled with many free applications (Kazaa, BearShare, iMesh and LimeWire). Read the EULA (end-user license agreement).

How serious? Nearly 70% spyware penetration in a campus environment (Saroiu et al., 2004).

Impact: credit card numbers could be stolen, keystrokes could be captured, browser settings could be modified, users could be profiled; and spyware often comes along with Trojans, viruses and worms.


Anti-spyware: Rootkits as an Example

Definition: software comprising tools that erase traces of the intrusion from audit logs, provide "backdoors" that allow easy access, and hide the rootkit itself from administrators.

Types:
- User-mode rootkit: replaces system binaries with trojaned ones
- Kernel-mode rootkit (with Linux Kernel Module support): inserts a module that overrides kernel syscalls
- Runtime kernel patching: writes to /dev/kmem (with or without LKM support)

Tools for rootkit detection: Tripwire, AIDE (Advanced Intrusion Detection Environment), chkrootkit (~56 rootkits)
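What Tripwire and AIDE do against the user-mode rootkit described above, as an added example (not the code of either tool, nor from the slides): fingerprint every file in a directory, store the baseline, and later report what was modified, added or removed. The fake /bin directory, its file contents and the backdoor file name are constructed; the trojaned ps is written with the same length as the original so that the example shows why a content hash, not a size check, is what catches the swap.

```python
"""Tripwire/AIDE-style file integrity baseline and check (added example, not from the slides).

Constructed toy: a temporary directory stands in for /bin. The baseline records
SHA-256, size and permission bits per file and is stored as JSON; a later run
reports files that were modified (a trojaned binary), added (a dropped backdoor)
or removed. It cannot see a kernel-mode rootkit that hooks the syscalls used to
read the files, and the baseline must live on read-only or offline media.
"""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, List

Fingerprint = Dict[str, object]


def fingerprint(path: str) -> Fingerprint:
    """Content hash plus the metadata a rootkit most often tries to preserve."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root: str) -> Dict[str, Fingerprint]:
    """Fingerprint every regular file under root, keyed by path relative to root."""
    base: Dict[str, Fingerprint] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                base[os.path.relpath(path, root).replace(os.sep, "/")] = fingerprint(path)
    return base


def check(root: str, baseline: Dict[str, Fingerprint]) -> Dict[str, List[str]]:
    """Compare the current tree against a stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(root: str, rel: str, data: bytes, mode: int = 0o755) -> None:
    path = os.path.join(root, rel)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)


def simulate_user_mode_rootkit() -> Dict[str, List[str]]:
    """Baseline a constructed /bin, 'install' a user-mode rootkit, then re-check."""
    with tempfile.TemporaryDirectory() as fake_bin:
        _write(fake_bin, "ls", b"#!/bin/sh\necho real-ls\n")
        _write(fake_bin, "ps", b"#!/bin/sh\necho real-ps\n")
        _write(fake_bin, "netstat", b"#!/bin/sh\necho real-netstat\n")
        stored = json.dumps(build_baseline(fake_bin))      # this copy belongs offline

        # Rootkit install: trojaned ps of identical length (a size check would miss it),
        # a hidden backdoor dropped in, and netstat deleted.
        _write(fake_bin, "ps", b"#!/bin/sh\necho evil-ps\n")
        _write(fake_bin, ".bd", b"#!/bin/sh\nnc -l -p 31337 -e /bin/sh\n", mode=0o700)
        os.remove(os.path.join(fake_bin, "netstat"))

        return check(fake_bin, json.loads(stored))


if __name__ == "__main__":
    print(simulate_user_mode_rootkit())
    # {'modified': ['ps'], 'added': ['.bd'], 'removed': ['netstat']}
```

The limits are the ones the slide's type list implies: this catches the user-mode case, but a kernel-mode rootkit that hooks open() and read() can hand the checker the original bytes while executing the trojaned ones, which is why chkrootkit-style checks and kernel-level integrity measures complement file hashing rather than replace it.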


Conclusions

- Firewall → application-aware filtering
- Anti-spam
- Single sign-on
- IDS → IPS
- VPN → SSL VPN
- Anti-virus → anti-spyware


Many thanks for your time :)