INTEGRATED SECURITY MANAGEMENT
KNOM-2000, 2000. 12. 12
Tai M. Chung, Real-Time Systems Lab., Sungkyunkwan University, tmchung@ece.skku.ac.kr
RTSL Real-Time Systems Laboratory

Talk Outline
- Introduction to ISM and Research Objectives
- Current Integrated Security Management Technologies
  - OPSEC
  - Active Security
  - Common Data Security Architecture
- Integrated Security Management System
  - Architecture of ISMS
  - Features of ISMS
  - Architecture & Detailed Modules of ISMS
  - Current Status and Future Development of ISMS

Why ISM?
- Increasing complexity & difficulty of security products
- Diverse security policies for heterogeneous security systems scattered over a wide network
- Increasing risks resulting from human mistakes
- Need for immediate and automated response to various security threats
- Need for a unified human interface for simple management
[Diagram: security functions to be managed: File Security, VPN, Vulnerability Test, Virus Check, IDS, Intrusion Tracking, Firewall, Authentication, Encryption]

Research Objectives
- Develop a common representation scheme for diverse security policies with
  - Integrated policy and data management scheme
  - Easy and unified interface for total management
- Prototype a master-agent based integrated security management system that includes
  - Coordinated management model based on the common representation scheme
  - Immediate and autonomous response to security threats
  - Fault tolerant capability for continuous service
  - Flexible and scalable management architecture

Security System Integration
- Trends of ISM
  - OPSEC
  - Active Security

Hybrid Integration Model
- Integrate IDS functionality with the firewall (e.g. Cisco IOS + Firewall IDS)
- The firewall includes IDS functionality for mid-range, high-performance platforms; limited to detecting the most significant attacks only
- Acts as an in-line intrusion detection sensor: watches packets and sessions to detect intrusions as well as to apply firewall policy
[Diagram: Internet -> firewall module (access policies) + IDS module (auditing rules, attack signatures); signature match found -> intrusion detected -> block the connection; paging and mail to admin; internal network]

Interoperational Model
- Real-time intrusion blocking: IDS interoperable with firewall (e.g. RealSecure (ISS) + Firewall-1 (Check Point))
- When the IDS detects misuse or attacks:
  1. Reconfigure the firewall to block all traffic from the suspicious source
  2. Alert appropriate personnel through the user interface
  3. Send an SNMP trap to the NMS to record the session information
  4. Terminate connections if possible
[Diagram: Internet -> external firewall -> DMZ network (mail server, server pool for public/customer service) -> internal firewall -> internal network; the IDS sends policy configuration messages to the firewalls, an SNMP trap to the NMS, mail to the admin through the mail server, and paging]

OPSEC by Check Point
- Open Platform for Security / Open Platform for Secure Enterprise Connection
- Based on the SVN (Secure Virtual Network) environment
- Goes beyond VPNs to secure all Internet gateways
- Fine-grain access control for all users
- Provides integration and interoperability with various security products such as VPN-1, Firewall-1, FloodGate-1 and Meta IP, and with enterprise management platforms such as OpenView, Tivoli, etc.

OPSEC framework
[Diagram (part 1): Check Point Management Console with Account Management, connected to the CA, Directory Server, Content Security Server, URL Categorization Server, Policy Verification, Reporting and Analysis, and an Enterprise Management Platform (OpenView, Tivoli, etc.), between the Intranet and the Internet]
[Diagram (part 2): VPN-1/Firewall-1 Gateway, Intrusion Detection, Meta IP Address Management with User-to-Address Mapping; a second VPN-1/Firewall-1 Gateway at a remote office; VPN-1 SecuRemote / VPN-1 SecuClient remote clients]

OPSEC API overview
- Message based, layered environment
- The OPSEC Transport Layer converts messages into events
- The client locates and initiates the connection to the server
- Servers implement one or more OPSEC security tasks
- The OPSEC client and server process can also be the same process
- The OPSEC Transport Layer links the OPSEC client and server using one of these mechanisms: TCP, memory, or another mechanism
[Diagram: OPSEC client process (OPSEC client -> OPSEC service API -> OPSEC transport API) <-> OPSEC Transport <-> OPSEC server process (OPSEC transport API -> OPSEC service API -> OPSEC server)]

Life Cycle of an OPSEC Application
- Endless loop (opsec_mainloop): waits for events to occur and processes them
- Events are handled by the OPSEC application
- The OPSEC layer may call user-defined functions to process events
[Diagram: program startup -> initialization -> main loop; asynchronous Event #1 and Event #2 are dispatched to the handler for Event #1 and the handler for Event #2]

OPSEC Environments
- A framework for OPSEC applications to communicate
- One OPSEC environment for each OPSEC process
- An OPSEC entity is an instantiation of a specific behavior
[Diagram: several machines, each running processes; each process has one OPSEC environment holding OPSEC entities (LEA client, SAM client, LEA server, SAM server); entities are connected by OPSEC sessions]

OPSEC subcomponents
- CVP (Content Vectoring Protocol): content security
- UFP (URL Filtering Protocol): web resource management
- SAMP (Suspicious Activity Monitoring Protocol): IDS interoperability
- LEA (Log Export API): reporting and event analysis
- ELA (Event Logging API): security and event consolidation
- OMI (OPSEC Management Interface): management and analysis
- UAM (User to Address Mapping API): association between user and IP address
- SAA (Secure Authentication API): integrated authentication

Content Security: CVP
- Outsources some functionality to other content security systems
- Forwards a buffer to the CVP server for inspection
  - Viruses, malicious code
  - Outflow of confidential data
  - Specific URL access
- CVP client and server know nothing about each other, except that the client knows where to find the server
[Diagram: source -> Firewall-1/VPN-1 CVP client (buffer, events, API functions, event handler (callback) functions) -> server flow -> CVP server -> destination flow -> destination]

Content Security: CVP applied to detect and cure mail compromised by viruses
- The firewall rule base specifies virus checking and disinfection of mail attachments
- The firewall CVP client contacts the anti-virus server and transfers the file attachment for processing
- The anti-virus content validation server scans for viruses and disinfects the file
- The anti-virus server returns the virus-free file and log information to the firewall
[Diagram: Internet mail -> firewall -> 3rd-party anti-virus application server (scan and cure) -> mail server]

Web Resource Management: UFP
- Track and monitor web usage
- Categorize and control HTTP communication based on the specific URL address
- Operations
  - The URL client on the firewall passes the URL to the UFP server
  - The UFP server returns a classification of the category for the URL
  - The firewall determines the appropriate action in accordance with the security policy related to the category

Intrusion Detection: SAMP
- Intrusion detection by monitoring events
- Active feedback loop integration between the IDS and Firewall/VPN gateways
- The SAMP API enables Firewall-1/VPN-1 to block the connection when an IDS detects suspicious activity on the network or on a specific host
- The SAMP API defines an interface through which an IDS can communicate with a VPN-1/Firewall-1 management server
- The management server directs the VPN-1/Firewall-1 modules to terminate sessions or deny access to those specific hosts

Event Integration: LEA, ELA
- LEA (Log Export API)
  - Enables applications to read the VPN-1/Firewall-1 log database
  - An LEA client can retrieve both real-time and historical log data from the Management Console acting as LEA server
  - A reporting application can use the LEA client to process the logged events generated by the VPN-1/Firewall-1 security policy
- ELA (Event Logging API)
  - Used to write to the VPN-1/Firewall-1 log database
  - Enables third-party applications to trigger the VPN-1/Firewall-1 alert mechanism for specific events
  - Enables the Management Console to become the central event repository for all traffic event accounting and analysis
  - With SAMP, applications can track suspicious activity and request VPN-1/Firewall-1 to terminate a malicious activity

Management and Analysis: OMI
- Interface to the central policy database to share objects such as Host, Network, User, Service, Resource, Server, Key, ...
- Ties together different products that may control security policies in different domains
- Enables third-party applications to securely access the policy stored in the management server by providing read access to
  - Policies stored in the management server
  - Network objects, services, resources, users, templates, groups and servers defined in the management server
  - The list of all administrators that are allowed to log into the management server

Authentication: SAA
- SAA (Secure Authentication API) supports a wide variety of authentication mechanisms such as biometric devices, challenge-response tokens and passwords
- Passes authentication information to the authentication server
- After authentication, the VPN gateway acquires the user's certificate from the CA server, and then the IPSEC/IKE session is established
[Diagram: customers, partners and a remote site (VPN-1 SecuRemote) connect across the Internet to the VPN-1 Gateway]

OPSEC Framework Partners
- Content Security: Safe gate (Computer Associates); Norton AntiVirus for Firewalls (Symantec)
- Authentication and Authorization: Defend Security Server (Axent Technologies, Inc.); ACE/Server (RSA Security)
- Intrusion Detection: RealSecure (Check Point Technologies, Ltd.); SessionWall-3 (Platinum)
- Event Analysis and Reporting: Firewall HealthCHECK (VeriSign); WebTrends for Firewalls and VPNs (WebTrends)
- Enterprise Directory Servers: IBM SecureWay Directory (IBM); Novell Directory Services (Novell); Go! Secure (VeriSign)

Overview of Active Security
- Detection (sensing) device, e.g. a vulnerability scanner proactively scanning the internal network
- Event Orchestra accepts all alerts, compares them with the security policy and initiates responses
- The security policy fed into Event Orchestra decides what is important and how to respond
- Actions for security are taken through the Helpdesk, the firewall, administrator alerts, etc.
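The interoperational model (IDS reconfigures the firewall, alerts personnel, sends an SNMP trap, terminates connections), the SAMP feedback loop and the Active Security sensor/arbiter/actor split all describe one control loop: a sensor alert is matched against a response policy, and the arbiter drives the actors. The following Python program is an added illustration of that loop; it is not code from the talk, from Check Point or from Network Associates. The key=value alert format, the severity-to-response policy table, the seeded session table and all class names are assumptions made for the example, and the "trap" and "page" lists merely stand in for an SNMP trap to an NMS and an operator alert.

```python
"""Sensor -> arbiter -> actor feedback loop: an IDS alert is matched against a
response policy and turned into firewall, NMS and operator actions."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed IDS alert lines in a hypothetical key=value format (not a real
# RealSecure or SAMP message format).
SAMPLE_ALERTS = [
    "sig=portsweep src=10.0.0.5 dst=192.168.1.10 dport=79 severity=high",
    "sig=portsweep src=10.0.0.5 dst=192.168.1.11 dport=23 severity=high",
    "sig=finger-probe src=10.0.0.7 dst=192.168.1.10 dport=79 severity=medium",
    "sig=icmp-echo src=10.0.0.9 dst=192.168.1.10 dport=0 severity=low",
]

# Security policy fed to the arbiter: which responses each severity triggers
# (assumed table, not a vendor default).
RESPONSE_POLICY: Dict[str, Tuple[str, ...]] = {
    "high": ("block_source", "terminate", "alert", "trap"),
    "medium": ("terminate", "alert", "trap"),
    "low": ("trap",),
}


@dataclass
class Alert:
    signature: str
    src: str
    dst: str
    dport: int
    severity: str


def parse_alert(line: str) -> Alert:
    """Parse one sensor line; extra keys are ignored, missing keys raise KeyError."""
    fields = dict(token.split("=", 1) for token in line.split())
    return Alert(fields["sig"], fields["src"], fields["dst"],
                 int(fields["dport"]), fields["severity"])


class Firewall:
    """Actor: a deny-rule list plus the table of sessions it is currently passing."""

    def __init__(self, sessions: Set[Tuple[str, str, int]]) -> None:
        self.deny_rules: List[str] = []
        self.sessions = set(sessions)

    def block_source(self, src: str) -> bool:
        rule = f"deny ip from {src} to any"
        if rule in self.deny_rules:  # repeated alerts must not pile up duplicate rules
            return False
        self.deny_rules.append(rule)
        return True

    def terminate(self, src: str, dst: str, dport: int) -> bool:
        key = (src, dst, dport)
        if key not in self.sessions:  # nothing to tear down
            return False
        self.sessions.discard(key)
        return True


class EventOrchestra:
    """Arbiter: compares each alert with the policy and drives the actors."""

    def __init__(self, firewall: Firewall, policy: Dict[str, Tuple[str, ...]]) -> None:
        self.firewall = firewall
        self.policy = policy
        self.traps: List[str] = []  # records sent to the NMS (stands in for SNMP traps)
        self.pages: List[str] = []  # alerts delivered to personnel

    def handle(self, alert: Alert) -> List[str]:
        """Return the responses that actually took effect for this alert."""
        taken: List[str] = []
        for response in self.policy.get(alert.severity, ("trap",)):
            if response == "block_source":
                if self.firewall.block_source(alert.src):
                    taken.append(response)
            elif response == "terminate":
                if self.firewall.terminate(alert.src, alert.dst, alert.dport):
                    taken.append(response)
            elif response == "alert":
                self.pages.append(f"{alert.signature} from {alert.src}")
                taken.append(response)
            elif response == "trap":
                self.traps.append(
                    f"{alert.signature} {alert.src}->{alert.dst}:{alert.dport} {alert.severity}")
                taken.append(response)
        return taken


def run_feedback_loop(lines: List[str] = SAMPLE_ALERTS) -> dict:
    """Feed the sample alerts through the loop and report what the actors did."""
    # Constructed session table: two sessions are open when the alerts arrive.
    firewall = Firewall({("10.0.0.5", "192.168.1.10", 79), ("10.0.0.7", "192.168.1.10", 79)})
    orchestra = EventOrchestra(firewall, RESPONSE_POLICY)
    actions = [orchestra.handle(parse_alert(line)) for line in lines]
    return {
        "actions": actions,
        "deny_rules": list(firewall.deny_rules),
        "open_sessions": len(firewall.sessions),
        "traps": list(orchestra.traps),
        "pages": list(orchestra.pages),
    }


if __name__ == "__main__":
    for line, taken in zip(SAMPLE_ALERTS, run_feedback_loop()["actions"]):
        print(line, "->", ", ".join(taken) or "nothing")
```

The second high-severity alert from the same source produces only the alert and the trap: the deny rule already exists and the session it names was never in the table, so the actors report nothing new. Every alert still reaches the NMS record, which is what lets an analyst reconstruct the session afterwards.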
[Diagram: Vulnerability Scanner -> Event Orchestra (with Security Policy) -> Helpdesk, Firewall, Administrator Alerts]

More about Active Security
- The heart of Active Security: Event Orchestra
  - Conducts central event management
  - Standards-based open event management system
  - Centrally collects alerts and other inter-process communications from security products
  - Includes its own data store, but also works with other databases using ODBC
- Current Active Security products
  - sensor: CyberCop Scanner (Windows NT)
  - arbiter: Event Orchestra (Windows NT)
  - actor: Gauntlet Firewall (Windows NT / UNIX)
- Roles: sensors watch the network for trouble; arbiters decide what to do when trouble happens; actors take responsive action

Example of Active Security: CyberCop
- WMI (Windows Management Instrumentation)
  - Describes a standard way of accessing and representing management information in Windows 2000 networks
  - Enables real-time monitoring
  - Enhances interoperability of security applications
[Diagram: Windows 2000 WMI object manager; providers: existing logs, event log, performance monitor, and forthcoming file/print, anti-virus events, IDS events, SQL Server, firewall events, others; consumers: CyberCop Monitor, Event Orchestra, action module, others]

Active Security Illustration
1. Incoming mail message arrives at the firewall (actor agent)
2. The mail is redirected to the anti-virus server (Network Virus Protection Gateway, sensor agent)
3. Virus found in message (From: bar@domain.com, To: joe@ourdomain.com)
4. Action: do not accept mail from bar@domain.com
5. Action: scan all files owned by 'joe' (network file server, actor agent)
6. The vulnerability scanner (sensor agent) scans hosts for compliance with the network security policy
7. Unallowed 'finger' service found on Host1
8. Action: shut down the 'finger' service on Host1 (actor agent on Host1)
[Diagram: Event Orchestra sits between the sensor agents (S) that report steps 3 and 7 and the actor agents (A) that carry out steps 4, 5 and 8]

What is CDSA?
- The open, cross-platform, interoperable, extensible and exportable security infrastructure
- Specification and reference implementation
- Adopted by The Open Group in November 1997
- "Mature" code base from Intel, widely reviewed by industry
- A robust security building block for eBusiness software solutions
- Enables interoperability for security apps and services
- Allows developers to focus on application expertise

CDSA Design Goals
- Create an open, interoperable, cross-platform security infrastructure
- Support use and management of the fundamental elements of security
  - Certificates, trust, cryptography, integrity
  - Authentication, authorization
- Make it extensible above and below
  - Embrace emerging technologies
  - Plug-and-play service provider model
  - Extend to new services
  - Layered service provider model

CDSA Architecture
- CDSA defines a four-layer architecture for cross-platform, high-level security services
- CSSM defines a common API / SPI for security services & an integrity foundation
- Service providers implement selectable security services
[Diagram, top to bottom: Applications; Layered Security Services; CSSM Security API; Common Security Services Manager; Service Provider Interfaces; Security Service Add-in Modules (several)]

Structure of ISMS
[Diagram: security management web client -> ISMS Engine with central policy database (DBMS); the engine pushes policy to SNMP agents on a firewall (Network A), an IDS (Network B) and a VPN (Network C)]

Features of ISMS
- Integrated policy management
  - Maintains a logical security domain for consistent security management
  - Applies access control policy automatically by deploying the blacklist to agents
- Automated response to threats
  - Automatic policy integrity check at the management server
  - Removes potential risks resulting from human mistakes by autonomous operation and by integrity checking
- Notification through a unified user interface
  - Integrated view for security management through the web interface
  - Statistical information based on the collected information
- Fault tolerant security management
  - Records all security-related events through central logging
  - Simple policy recovery and backup through central policy management
- Scalability and flexibility using the master-agent paradigm
  - No modification to the management engine

Detailed ISMS architecture
[Diagram: security management client (notification, policy, configuration, log, status and monitoring UIMs; display module; notification processing module; message communication module; configuration management module; configuration file; log file) connected over secure TCP/UDP to the central security management server (message communication module, session management module, message analyzing module, user authentication module, policy processing module, notification message processing module, log management module, state monitoring module, DBMS interface, DBMS proxy, DBMS/SMDB, management message communication module, notification processing module), which connects over secure UDP to each security management agent (management message communication module, message analyzing module, configuration management module, configuration file, security system control module, log management module, log file, security product)]

Detailed ISMS Engine
- ISMS engine
  - Manages policies
  - Processes user requests
  - Notifies events
  - Collects information from agents
  - Manages log data
- Client (Java applet), Engine (Solaris), Agent (Solaris, Linux, FreeBSD)
- Uses a standard management protocol (SNMP): extensibility, scalability
[Diagram (part 1): manager (ISMS client, downloaded Java applet) <- HTTP over TCP/IP -> ISMS server; the ISMS engine holds the communication module, user request processing modules, data processing modules, user table, request mapping table, policy table, agent table, ISMS MIB, DBMS, log manager (engine log file) and SNMP communication module, which talks SNMP to the agents (agent log file)]
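The Research Objectives and Features of ISMS slides describe a common representation scheme for policies shared by heterogeneous agents, an automatic policy integrity check at the management server, blacklist deployment to agents, and policy backup and recovery through central policy management with a primary and a secondary SMDB. The following Python program is an added illustration of that master-agent model; it is not the ISMS prototype's code. The JSON policy document, the SHA-256 digest as the integrity check, the per-product rule templates, the constructed sample policy and all class and function names are assumptions made for the example.

```python
"""Master-agent policy management: one common policy representation, a digest
check before deployment, product-specific translation at each agent, and
recovery of the primary policy copy from the synchronized secondary."""
import copy
import hashlib
import json
from typing import Dict, List, Optional


def canonical_bytes(policy: dict) -> bytes:
    """Serialize the common policy deterministically so digests are stable."""
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode("utf-8")


def policy_digest(policy: dict) -> str:
    return hashlib.sha256(canonical_bytes(policy)).hexdigest()


class PolicyStore:
    """SMDB: a primary copy plus a synchronized secondary used for recovery."""

    def __init__(self) -> None:
        self.primary: Dict[str, dict] = {}
        self.secondary: Dict[str, dict] = {}

    def save(self, name: str, policy: dict) -> None:
        record = {"policy": copy.deepcopy(policy), "digest": policy_digest(policy)}
        self.primary[name] = record
        self.secondary[name] = copy.deepcopy(record)  # synchronize the backup copy

    def load(self, name: str) -> dict:
        return self.primary[name]

    def restore(self, name: str) -> None:
        self.primary[name] = copy.deepcopy(self.secondary[name])


def integrity_ok(record: dict) -> bool:
    """The management server's check: stored digest must match the stored policy."""
    return policy_digest(record["policy"]) == record["digest"]


class Agent:
    """Security management agent: turns the common policy into product rules."""

    TEMPLATES = {  # assumed rule syntax per product, not any vendor's real syntax
        "firewall": "deny ip from {subject} to any",
        "ids": "alert on any traffic from {subject}",
        "vpn": "reject tunnel negotiation from peer {subject}",
    }

    def __init__(self, product: str) -> None:
        self.product = product
        self.active_rules: List[str] = []

    def apply(self, policy: dict) -> List[str]:
        template = self.TEMPLATES[self.product]
        self.active_rules = [template.format(subject=s) for s in policy["blacklist"]]
        return list(self.active_rules)


class CentralServer:
    def __init__(self, store: PolicyStore) -> None:
        self.store = store
        self.agents: List[Agent] = []
        self.log: List[str] = []  # central logging of every management event

    def register(self, agent: Agent) -> None:
        self.agents.append(agent)

    def deploy(self, name: str) -> Optional[Dict[str, List[str]]]:
        """Push a policy to every agent, or refuse if the stored copy fails the check."""
        record = self.store.load(name)
        if not integrity_ok(record):
            self.log.append(f"integrity check failed for policy '{name}'; deployment refused")
            return None
        results = {a.product: a.apply(record["policy"]) for a in self.agents}
        self.log.append(f"deployed policy '{name}' digest={record['digest'][:12]} to {len(results)} agents")
        return results

    def add_to_blacklist(self, name: str, subject: str, origin: str) -> Optional[Dict[str, List[str]]]:
        """Manual (manager) or automatic (IDS-reported) blacklist update, then redeploy."""
        policy = copy.deepcopy(self.store.load(name)["policy"])
        if subject not in policy["blacklist"]:
            policy["blacklist"].append(subject)
        self.store.save(name, policy)
        self.log.append(f"{origin} blacklist update: {subject}")
        return self.deploy(name)


def run_demo() -> dict:
    store = PolicyStore()
    server = CentralServer(store)
    for product in ("firewall", "ids", "vpn"):
        server.register(Agent(product))
    store.save("campus", {"domain": "campus", "blacklist": ["10.0.0.5"]})  # constructed sample
    first = server.deploy("campus")
    second = server.add_to_blacklist("campus", "10.0.0.7", "automatic")
    # Simulate corruption of the primary copy: the stored digest no longer matches.
    store.primary["campus"]["policy"]["blacklist"].append("192.168.1.1")
    refused = server.deploy("campus")
    store.restore("campus")
    recovered = server.deploy("campus")
    return {"first": first, "second": second, "refused": refused,
            "recovered": recovered, "log": list(server.log)}


if __name__ == "__main__":
    for line in run_demo()["log"]:
        print(line)
```

The digest is computed over a canonical serialization, so the check is insensitive to key order but catches any edit to the stored policy that bypassed the server's own `save` path; after the refused deployment the agents keep their last good rules until the primary is restored from the secondary and redeployed.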
[Diagram (part 2): firewall agent, IDS agent and agents for other security products; the ISMS server's web server (HTTPD, HTML pages, Java applet) serves the client]

Integrated policy management
[Diagram: security management client -> central security management server (security management policy in SMDB (primary), synchronized to SMDB (secondary) through the DBMS proxy; backup/restore; policy distribution/recovery) -> policy update/action commands to the security management agents for IDS, firewall and VPN, each holding the security policy for its product]

Automated Response to Threats
- Response policy for a specific event (automatic response)
[Diagram: IDS detects a suspicious action -> security management agent for IDS -> central security management server (records the event in the log, consults the security management policy in SMDB through the DBMS proxy) -> policy update/action command to the security management agent for firewall/VPN -> firewall/VPN -> result reply; notification to the security management client]
- Response policy for a specific event (notify manager / wait for command)
[Diagram: IDS detects a suspicious action -> security management agent for IDS -> central security management server (records the event, consults the policy) -> notification for human operation to the security manager through the security management client -> the manager's policy update/action command -> security management agent for firewall/VPN -> firewall/VPN -> result reply]

Logical secure domain maintenance
[Diagram: user registration at the security management client -> central security management server (user information and domain user information in SMDB through the DBMS proxy; log) -> security management agents for firewall (access control) and VPN (secure communication) and applications with authentication capability, which together form the secure domain]

Blacklist management
[Diagram: manual blacklist update from the security management client, or automatic blacklist update at the central security management server from suspicious subject information reported by the security management agent for IDS; the server records the update in SMDB and the log through the DBMS proxy and sends blacklist information or a policy update to the security management agents for firewall, VPN and IDS, each of which logs the change]

ISMS Deployment Structure
[Diagram: web-based security management web client -> ISMS Engine (user's request, request/result); the engine sends control messages and policy updates to the external firewall (access control) at the Internet border and to internal firewalls 1 and 2 in front of internal networks 1, 2 and 3, as well as to the virus scanner and the IDS]

Summary
- Increasing need for integrated security management
  - Easy and unified user interface
  - Integrated policy management
- Currently integrated security management is a hot issue
  - Check Point (OPSEC), Network Associates (Active Security) and Intel (CDSA) develop standards and prototypes
  - They are still under development
  - CDSA is publicly available
- We have been working on
  - Designing an integrated model to manage various security products
  - Developing a prototype system with a one-view, total security concept