IPSecRMS: Automatic Generation of IPSec Security Policies considering Mission Objectives and Risk Walter Goulet wgoulet@gmail.com DePaul University October 16, 2007 Agenda • • • • • Research Motivation Problem Statement Current Research / Background Risk Assessment Methodology A Model for Applying Risk Assessment to IPSec Policy Generation • Demo of IPSecRMS • Future Work Research Motivation • IPSec is a powerful security control that provides the capability to ‘add’ security to networks without requiring modifications to applications/protocols. • IPSec has seem somewhat limited deployment beyond uses such as Virtual Private Networks. The reasons include: – Difficulty in choosing appropriate IPSec policies. – Distributing IPSec policies to end hosts / security gateways. – Efficiently describing IPSec policies in a manner that permits them to be evaluated. • The research presented herein is focused primarily on addressing the first problem. Problem Statement • The network administrator that is charged with ‘securing’ the network will need to consider a variety of possible network deployment scenarios. • How can the administrator determine if IPSec is a cost efficient security control to deploy in the network? – IPSec policy deployment is generally not an easy task as the number of policies that need to be managed increase rapidly as the number of hops that need IPSec grows. • If the administrator has chosen to deploy IPSec inside the network, how do they choose which IPSec policies to use? – Stronger IPSec policies that use stronger authentication/encryption algorithms will negatively impact performance. Problem Statement • The network administrator / CIS officer is faced with multiple questions that must be answered to determine what the IPSec security policies used in the network should be. How is my network organized? What type of information is exchanged in my network? What type of security incidents have been observed in my network? What is my budget for securing the network? Do I have a mixed use network (data, voice etc.) or is it data only? How much risk does our risk management strategy allow me to accept in my network? How secure are systems in my network today? Problem Statement • There are many different network deployment scenarios that can benefit from IPSec. Voice Application Service Provider Service Provider Network 10.1.1.0/24 10.1.3.0/24 ` PBX ` ` 192.168.1.251/ 30 ` 192.168.1.252/ 30 ` ` 192.168.2.251/ 30 Data Application Service Provider Finance Engineering Access Network 192.168.2.252/ 30 Streaming Media ` Web ` 10.1.2.0/24 Secure backbone links between networks in a cellular/wireless broadband carrier network. ` Legal Protect communications between IP subnets in a LAN ` Development Workstation 1 Provide point to point connection security between hosts in a LAN (or WAN). L3 Router/Switch CVS Code Repository ` Development Workstation 1 DNS Server ` Development Workstation 1 Web Server Current Research • Several aspects of IPSec policy generation/management have been addressed by other works: – Interface for applications to update IPSec policies based on application security policy (see [8]). – High-level policy specification language (see [7]). – Guidance on choosing when to apply IPSec based on protocol requirements (see [10]). – Guidelines for IPSec policy creation and distribution (see [12]). Proposed Solution • A standard risk assessment methodology defined by NIST will be used to determine the level of ‘risk’ present in the network. • The risk level will be used to derive a set of IPSec security policies. • The level of risk accepted by the network administrator/CIS officer will be used to determine whether IPSec policies will be deployed in the network. Background: NIST Standards • NIST SP800-33 (see [5]) defines a technical model or vocabulary for defining security concepts in a network. • NIST SP800-26v2 (see [3]) describes 26 common types of information found in networks and provides default security classifications for the information. • NIST SP800-30 (see [6]) defines a 9 step risk assessment process that can be used to generate quantitative risk levels (HIGH, MEDIUM, LOW) Background: Terminology • Security Domain – A set of subjects, their information objects, and a common security policy. • Information Type - A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management) defined by an organization or in some instances, by a specific law, executive order, directive, policy, or regulation. • Security Domain Relationship – A relationship between 2 security domains over which one or more information types are exchanged. Risk Assessment Methodology 1. Characterize the network. 2. Identify and assess threats to the network. 3. Identify and assess the vulnerabilities present in the network. 4. Determine likelihood of threats being realized by an attacker. 5. Determine the risk to the network if a threat is realized by an attacker. Characterize the Network • Identify the types of information that will be exchanged over the network (information types). • Qualitatively identify the impact to the network if confidentiality and integrity of the information types is breached (H,M,L). • Describe the network in terms of individual security domains (individual hosts, IP subnets, independent networks). • Define relationships between security domains (information types exchanged, path between domains). • Describe information about the business environment (acceptable levels of risk, budget for deploying IPSec security policies etc.) Identify and Assess Threats • As the focus of this research is on IPSec policy management, only threats that IPSec can reasonably mitigate are considered: – Loss of confidentiality – An attacker with IP connectivity to the network can view packets. – Loss of integrity – An attacker can intercept and modify unauthenticated packets to forge packet contents. – Unauthorized access – An attacker can obtain IP connectivity to resources. • These threats assume an attacker can obtain easy access to the network (insider attacks). Identify and Assess Vulnerabilities • Classify the overall security posture of each Security Domain by using a quantitative metric. – The Quality of Protection Policy Security Score (see [14]) generates a security score in the range of 0-10 rating the overall security posture of a network, given the set of existing vulnerabilities and historical vulnerabilities. • The quantitative metric is then used to adjust the resulting IPSec security policies. Determine Likelihood of Threats Being Realized • To assess the likelihood of the threats identified earlier being realized, 2 sources of input are considered: – Historical data published via surveys such as the ECrime surveys published annually by CERT (see [16]). – Local incident report data gathered by the network/business operator. • The historical data and local incident report data is combined statistically to arrive at a qualitative (H,M,L) likelihood value. – IATL – Inside Attacker Data Theft Likelihood Value – IAUL – Inside Attacker Unauthorized Access Likelihood Value • The IATL is mapped to the likelihood of data confidentiality being lost. • The IAUL is mapped to the likelihood of data integrity being lost. Determine the Risk to the Network • The impact to the organization if confidentiality and integrity of the information types is compromised is combined with the IATL and IAUL to yield a risk factor as shown in the following table (from NIST SP800-30): Threat Likelihood High (1.0) Medium (0.5) Low (0.1) Impact Low (10) Low 10 X 1.0 = 10 Low 10 X 0.5 = 5 Low 10 X 0.1 = 1 Medium (50) Medium 50 X 1.0 = 50 Medium 50 X 0.5 = 25 Low 50 X 0.1 = 5 High (100) High 100 X 1.0 = 100 Medium 100 X 0.5 = 50 Low 100 X 0.1 = 10 Determine the Risk to the Network • Example: – Contingency Planning Information Type: • Impact of Confidentiality Loss = MEDIUM(50) • Impact of Integrity Loss = MEDIUM(50) • Likelihood of Confidentiality Loss (IATL) = HIGH (1.0) • Likelihood of Integrity Loss (IAUL) = MEDIUM(0.5) • Risk of Confidentiality Loss: 50 * 1.0 = 50 (MEDIUM) • Risk of Integrity Loss: 50 * 0.5 = 25 (MEDIUM) Deriving IPSec Policies based on Risk Scores • IPSec security policies are mapped to a Confidentiality and Integrity risk score as shown in the following table: Integrity Confidentiality HIGH MEDIUM LOW HIGH AHs + ESPs AHs + ESPw AHs MEDIUM AHw + ESPs ESPw-Authw AHw LOW ESPs-Authw ESPw-Authw ESPw-Authw Putting it All Together Security Domain Relationship Information Types Indirect Neighbor Link SecDomain 1 SecDomain 3 Direct Neighbor Link Direct Neighbor Link SecDomain 2 IPSec security policies are applied on a per-link basis. This Security Domain is in the path between SecDomain1 and SecDomain3 Security Domain can be a single host, an IP subnet in a network, or a completely independent network. Putting it All Together Security Policy Generation Security policies for a relationship are based on the risk scores calculated for Information Types. Policies can be generated for each Information Type independently, or they can be generated for the link as a whole. SecDomain 1 PSS = 7 SecDomain 3 PSS = 8 SecDomain 2 PSS = 3 The PSS score of domains in the path is used to adjust the resulting policies. Demo of IPSecRMS • Demo 1 – Show IPSec policy generation for network with low risk scores. • Demo 2 – Show IPSec policy generation for network with high risk scores. • Demo 3 – Show IPSec policy generation for network with low risk scores, but high vulnerability scores. • Demo 4 – Show segregate IPSec security policies. Future Work • Additional support is required in IPSecRMS to deploy policies to security gateways/hosts that are implementing the policies. • Better support for generating aggregate vs. segregate security policies is needed. • Threat model used in the IPSecRMS model is primarily aimed at insider threats, model needs to be expanded to cover other IPSec deployment models. 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. References A Cryptographic Analysis of IPsec, Neils Ferguson and Bruce Schneier, http://www.schneier.com/paper-ipsec.pdf Security Architecture for the Internet Protocol, RFC4301 http://ietf.org/rfc/rfc4301.txt SP800-60 Volume 2 “Guide for Mapping Types of Information and Information Systems to Security Categories, Volume 2” June 2004 http://csrc.nist.gov/publications/nistpubs/80060/SP800-60V2-final.pdf SP800-60 Volume 1 “Guide for Mapping Types of Information and Information Systems to Security Categories, Volume 1” June 2004 http://csrc.nist.gov/publications/nistpubs/80060/SP800-60V1-final.pdf SP800-33 “Underlying Technical Models for Information Technology Security, December 2001” http://csrc.nist.gov/publications/nistpubs/800-33/sp800-33.pdf SP800-30 “Risk Management Guide for Information Technology Systems, July 2002”, http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf Blaze, Ioannidis, Keromytis “Trust Management for IPsec” http://www.crypto.com/papers/knipsec.pdf Yin, Wang “Building an Application-aware IPsec Policy System”, http://www.cs.wm.edu/~hnw/paper/usenix05.pdf Arkko, Nikender “Limitations of IPsec Policy Mechanisms”, http://www.arkko.com/publications/SWP03.pdf RFC3457 “Requirements for IPsec Remote Access Scenarios” http://www.ietf.org/rfc/rfc3457.txt References 10. 11. 12. 13. 14. 15. 16. 17. 18. 19. Bellovin “Guidelines for Mandating the Use of IPsec” http://www.ietf.org/internet-drafts/draftbellovin-useipsec-06.txt FIPS PUB 199 “Standards for Security Categorization of Federal Information and Information Systems”, February 2004 http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf IP Security Policy (IPSP) Requirements, RFC 3586 http://www.ietf.org/rfc/rfc3586.txt Ecrime survey, 2004 (http://www.csoonline.com/releases/ecrimewatch04.pdf), 2005 (http://www.csoonline.com/info/ecrimesurvey05.pdf), and 2006 Muhammad Abedin, Syeda Nessa, Ehab Al-Shaer and Latifur Khan, " Vulnerability Analysis For Evaluating Quality of Protection of Security Policies ", http://www.mnlab.cs.depaul.edu/mnlab/pubs/qop06.pdf Workshop in Quality of Protection Workshop (co-located with ACM CCS 2006) , Oct. 30, 2006 Common Vulnerabilities and Exposures http://cve.mitre.org/ Ecrime survey, 2004 (http://www.csoonline.com/releases/ecrimewatch04.pdf), 2005 (http://www.csoonline.com/info/ecrimesurvey05.pdf), and 2006 (http://www2.csoonline.com/info/release.html?CID=24531) Incident Object Description Exchange Format (IODEF) http://www.cert.org/ietf/inch/docs/draftietf-inch-iodef-13.txt JGraph Open Source Graphing Library, http://jgraph.com/ The Risk Management Standard http://www.theirm.org/publications/PUstandard.html , The Institute of Risk Management (IRM), The Association of Insurance and Risk Managers (AIRMIC) and ALARM (The National Forum for Risk Management in the Public Sector)