Benson Wu, 2005 1
Research Roadmap on network security:
from practical firewall to anti-spam/spyware
PhD Candidate: Ming-Wei (Benson) Wu (吳明蔚)
Dept. of Electrical Engineering, National Taiwan University
http://www.ee.ntu.edu.tw/~benson
Questions to Answer
What have I done?
  Brief background
  Research
What does Internet Security look like today?
  Changes in Internet users and applications
  Changes in Threat
  Legacy security measures
Changes in Security
  Perimeter
  Depth
  Granularity
Case studies
  Anti-spyware
Conclusions
Brief Background (timeline chart)
International School Manila (ISM)
ITRI/NCTU Network Benchmarking Lab
NCTU CS High Speed Network Lab
L7 Networks
Institute for Information Industry
NTU EE Dependable and Distributed Network Lab
TWNIC TaiWan Internet Next Generation
Periods shown: 1992~1996, 2000~2003, 2003~2005
Chart labels: Leadership, Implementation, Domain knowledge, Discipline, English
Research
Connectivity: P2P Gateway, Web Services, Digital Home
Security: Security Gateway, Benchmarking, XML Firewall, Anti-spyware, Anti-spam
Public interests…: Open Source Dev., Textbook writing, Mag. article writing
Internet Evolution
Changes in Networking Technologies
Changes in Internet Users and Internet Applications
Changes in Security Accessories
Changes in Internet Applications: Primitive Web becoming Web Services
Is the Primitive Web enough?
  When they are still newbies… they want to “join”: ALL Client-to-Server
  When they become big enough… they want to “share”: Some Peer-to-Peer (P2P), Some Server-to-Server (Web Services)
Changes in Internet Users: from Browsing towards Clicking
Necessary services at one click: Web Services (e.g. One-stop shopping)
Necessary authentications at one time: Single Sign-On (e.g. One-click cart/basket)
Necessary confidentiality with higher granularity: XML Enc. (e.g. Interleaved workflow)
Such changes are more like a reality…
Some numbers about P2P
  2 million Kuro users, and 50.2% of teenagers (15~22) have visited either Kuro or EZPeer (InsightXplorer Market Research Consultants, 2003/09)
  Some NT$9.6 billion lost due to P2P sharing (Institute for Information Industry, Network Communications magazine, 2003/06)
Some numbers about Web Services…
  79% are evaluating (Accenture)
  52% are using or testing (TechMetrix)
  45.5% consider security to be the biggest obstacle (BusinessWeek)
2004 P2P Popularity and User Rating
[Chart: Top 20 Popular P2P File-Sharing Applications; left axis # of Downloads (0 to 400,000,000), right axis User Rating (0 to 100); series: Total Downloads, User Rating]
Extending Client-Server to P2P: Its Problems and Solutions
Connectivity: Internet transparency? How to connect resources successfully?
  Sol: a middleman (e.g. gatekeeper in H.323, broker in middleware, rendezvous node in JXTA)
Scalability: size? How to locate MANY resources?
  Sol: smart routing (make use of DHT)
Scalability: time? How to locate resources INSTANTLY?
  Sol: Distributed hash table or DHT (resilience?)
Extending Client-Server to Web Services: Its Problems and Solutions
What do most XML firewalls do?
  How to manipulate only parts of a document? Per-element XML encryption/signing
  How to authenticate/authorize between more than two parties? Single Sign-On
  How to assure the validity of Web Services’ actions? SOAP schema validation, SOAP digital signature verification
Changes in Threat: Volume and Impact
Security is tougher than ever
In volume: >600%. 137,529 incidents were reported during 2003, more than six times the 2000 figure (CERT)
In impact: <10 minutes. SQL Slammer (aka Sapphire) managed to own the Internet in less than 10 minutes in 2003
A Reminder of Legacy Security Measures
Access security: Firewall, Content Filter
Data security: Virtual Private Network (VPN)
System security: Intrusion Detection System (IDS), Antivirus
Technical Analysis: Issues
FW: must leave well-known ports alone, e.g. 80
IDS: false alarms, new attacks, correlation
AV: new viruses, signatures, where to deploy (desktop or network), polymorphism
CF: false positives, false negatives
VPN: management overhead, interoperability
Changes in Security: Perimeter, Depth and Granularity
Existing security measures that protect you
  TCP/IP firewall: packet-level
  Virtual Private Network (VPN): IP-level tunneling
  Content filter: application-level
  Intrusion Detection System (IDS): application-level
  Antivirus: application-level
The situation has changed
  Network perimeters have become less defined due to pervasive mobile devices (e.g. WLAN, PDA, etc.)
  80% of all attacks come from external parties, yet 80% of all security-related losses are due to the remaining 20% of attacks
Increasing Depth
  Stand-alone security measure → Integrated all-in-one approach
  Demand for internal security is emerging (plus more applications and more users requiring higher bandwidth)
Finer Granularity
  Packet-level → Application-level
  Per-flow basis → Per-element basis
Anti-spyware: What are we dealing with?
Spyware
  Definition: a generic term referring to a class of software programs that could violate and potentially jeopardize people’s privacy and security
  Examples: Gator, Cydoor, Aureate, Comet Cursor and Web3000 can be found in many free applications (Kazaa, Bearshare, iMesh and Limewire). Read the EULA (End-User License Agreement)
  How serious? Nearly 70% spyware penetration in a campus environment (Saroiu et al., 2004)
  Impact: credit card numbers could be stolen; keystrokes could be captured; browser settings could be modified; users could be profiled; … and spyware often comes with Trojans, viruses and worms
Anti-spyware: Rootkits as an example
Definition: software comprising tools that erase traces of the intrusion from audit logs, provide "backdoors" that allow easy access, and hide the rootkit itself from administrators
Types:
  User-mode rootkit: replacing system binaries with trojaned ones
  Kernel-mode rootkit (with Linux Kernel Module support): inserting a module that overrides kernel syscalls
  Runtime kernel patching: writing to /dev/kmem (with or without LKM support)
Tools for Rootkit Detection: Tripwire, AIDE (Advanced Intrusion Detection Environment), Chkrootkit (~56 rootkits)
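The file-integrity approach behind Tripwire and AIDE, as an added example that is not from the slides or from those tools: a constructed, simplified checker that hashes every regular file under a root, stores the baseline outside the monitored tree, and later reports which files were replaced (the user-mode rootkit case above), added or removed. The demo() scenario, file names and contents are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile

# Constructed, simplified integrity checker in the spirit of Tripwire/AIDE (not
# those tools' own code): hash every regular file under a root, keep the baseline
# outside the monitored tree, then diff a later snapshot against it.
def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def snapshot(root):
    """Map root-relative path -> [sha256, size, mode] for each regular file."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = [sha256_file(full), st.st_size, st.st_mode]
    return result

def compare(baseline, current):
    """Return (changed, added, removed) lists of relative paths, sorted."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return changed, added, removed

def demo():
    # Constructed scenario: a fake bin/ with ls and ps; ps is then replaced.
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        for name in ("ls", "ps"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"original " + name.encode())
        db = os.path.join(store, "baseline.json")  # baseline lives outside root
        with open(db, "w") as f:
            json.dump(snapshot(root), f)
        # Simulate a user-mode rootkit: replace ps with a trojaned copy, drop a file.
        with open(os.path.join(bindir, "ps"), "wb") as f:
            f.write(b"trojaned ps")
        with open(os.path.join(bindir, "backdoor"), "wb") as f:
            f.write(b"extra file")
        with open(db) as f:
            baseline = json.load(f)
        return compare(baseline, snapshot(root))
```

A kernel-mode rootkit that hooks the syscalls this check relies on can present a clean view of the files, which is why the baseline is kept read-only off the host and the comparison is run from trusted media.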
Conclusions
Firewall → Application-aware filtering, Anti-spam, Single sign-on
IDS → IPS
VPN → SSL VPN
Anti-virus → Anti-spyware