1
INTEGRATED SECURITY MANAGEMENT
KNOM-2000, 2000. 12. 12
  • Tai M. Chung
  • Real-Time Systems Lab. Sungkyunkwan University
  • tmchung@ece.skku.ac.kr

2
Talk Outline
  • Introduction to ISM and Research Objectives
  • Current Integrated Security Management
    Technologies
  • OPSEC
  • Active Security
  • Common Data Security Architecture
  • Integrated Security Management System
  • Architecture of ISMS
  • Features of ISMS
  • Architecture and Detailed Modules of ISMS
  • Current Status and Future Development of ISMS

3
Why ISM?
Security Management
  • Increasing complexity and difficulty of security
    products
  • Diverse security policies for heterogeneous
    security systems scattered over wide network
  • Increasing risks resulting from human mistakes
  • Need for immediate and automated response to
    various security threats
  • Need for unified human interface for simple
    management

(Figure: security functions to be managed: File Security, VPN, Vulnerability Test, Virus Check, IDS, Intrusion Tracking, Firewall, Authentication, Encryption)
4
Research Objectives
  • Develop a common representation scheme for
    diverse security policies, with
    • An integrated policy and data management scheme
    • An easy and unified interface for total
      management
  • Prototype a master-agent based integrated
    security management system that includes
    • A coordinated management model based on the
      common representation scheme
    • Immediate and autonomous response to security
      threats
    • Fault tolerance for continuous service
    • A flexible and scalable management architecture

5
Security System Integration
(Figure: trends of ISM: OPSEC and Active Security)
6
Hybrid Integration Model
  • Integrate IDS functionality into the firewall
  • Example: Cisco IOS Firewall IDS
  • Firewall includes IDS functionality for
    mid-range, high-performance platforms
  • Limited to detecting only the most significant
    attacks
  • Acts as an in-line intrusion detection sensor
    watching packets and sessions to detect intrusions
    as well as to apply the firewall policy

7
Interoperational Model
  • Real-time intrusion blocking: IDS interoperates
    with the firewall
  • Example: RealSecure (ISS) with Firewall-1
    (Check Point)
  • When the IDS detects misuse or an attack:
  • Reconfigure the firewall to block all traffic from
    the suspicious source
  • Alert the appropriate personnel through the user
    interface
  • Send an SNMP trap to the NMS to record the session
    information
  • Terminate the connection if possible

8
OPSEC by Checkpoint
  • Open Platform for Security / Open Platform for
    Secure Enterprise Connection
  • Based on the SVN (Secure Virtual Network)
    environment
  • Goes beyond VPNs to secure all Internet gateways
  • Fine-grained access control for all users
  • Provides integration and interoperability across
    security products such as
  • VPN-1, Firewall-1, FloodGate-1 and Meta IP
  • OpenView, Tivoli, etc.

9
OPSEC framework
10
OPSEC API overview
  • Message-based, layered environment
  • The OPSEC transport layer converts messages into
    events
  • The client locates and initiates the connection to
    the server
  • A server implements one or more OPSEC security
    tasks

11
Life Cycle of OPSEC Application
  • Endless loop (opsec_mainloop)
  • Waits for events to occur and processes them
  • Events are handled by the OPSEC application
  • The OPSEC layer may call user-defined functions to
    process events

12
OPSEC Environments
  • A framework for OPSEC applications to communicate
  • One OPSEC environment for each OPSEC process
  • OPSEC entity is an instantiation of a specific
    behavior

13
OPSEC subcomponents
CVP (Content Vectoring Protocol)
UFP (URL Filtering Protocol)
SAMP (Suspicious Activity Monitoring Protocol)
LEA (Log Export API)
ELA (Event Logging API)
OMI (OPSEC Management Interface)
UAM (User to Address Mapping API)
SAA (Secure Authentication API)
14
Content Security CVP
  • Outsources some functionality to other content
    security systems
  • Forwards a buffer to the CVP server for inspection
    of
  • Viruses and malicious code
  • Leakage of confidential data
  • Access to specific URLs
  • The CVP client and server know nothing about each
    other, except that the client knows where to find
    the server

15
Content Security CVP
  • CVP applied to detect and clean mail infected by
    viruses
  • The firewall rule base specifies virus checking and
    disinfection on mail attachments
  • The firewall's CVP client contacts the anti-virus
    server and transfers the file attachment for
    processing
  • The anti-virus content validation server scans the
    file for viruses and disinfects it
  • The anti-virus server returns the virus-free file
    and log information to the firewall

16
Web Resource Management UFP
  • Track and monitor web usage
  • Categorize and control HTTP communication based
    on the specific URL requested
  • Operations
  • The UFP client on the firewall passes the URL to
    the UFP server
  • The UFP server returns the category the URL is
    classified under
  • The firewall determines the appropriate action in
    accordance with the security policy for that
    category
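The three UFP operations above (client hands over the URL, server returns a category, firewall applies the category policy) are small enough to show end to end. The Python below is an added illustration written for this transcript, not Check Point's UFP code or wire format; the category table, the policy table and the function names are assumptions. It also shows the check a practitioner wants: the host must be canonicalised before lookup, otherwise userinfo tricks, mixed case, a trailing dot or an explicit port slip past the category list.

```python
from urllib.parse import urlsplit

# Constructed category database standing in for a UFP server's vendor list.
CATEGORIES = {
    "example.com": "business",
    "games.example.net": "games",
    "malware.example.org": "malicious",
}

# Firewall-side policy: what to do with each category (assumption).
POLICY = {"business": "accept", "games": "drop", "malicious": "drop"}
DEFAULT_ACTION = "accept"   # unknown category; "drop" is the stricter choice


def canonical_host(url):
    """Host name the filter must look up, after the normalisation browsers apply."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname    # drops userinfo and port, lowercases
    return host.rstrip(".") if host else None


def classify(url):
    """UFP-server side: category for the URL's host, walking up the domain tree."""
    host = canonical_host(url)
    if host is None:
        return "unknown"
    labels = host.split(".")
    for i in range(len(labels)):
        category = CATEGORIES.get(".".join(labels[i:]))
        if category:
            return category
    return "unknown"


def firewall_decision(url):
    """Firewall side: ask the UFP server for the category, then apply POLICY."""
    return POLICY.get(classify(url), DEFAULT_ACTION)


def naive_decision(url):
    """What a filter does when it takes the text between the slashes as the host.
    Kept only to show the bypass; not something to deploy."""
    host = url.split("/")[2]
    return POLICY.get(CATEGORIES.get(host, "unknown"), DEFAULT_ACTION)
```

With these tables, `firewall_decision("http://www.example.com@malware.example.org/")` is `drop` while `naive_decision` on the same URL is `accept`, because the naive host extraction keeps the `www.example.com@` prefix and never matches the list. The same holds for `HTTP://Malware.Example.ORG.:8080/x`. A host name list still says nothing about a raw IP literal for the same server, which is why category filtering is paired with the firewall's own address rules.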

17
Intrusion Detection SAMP
  • Intrusion detection by monitoring events
  • Active feedback loop integrating the IDS with the
    Firewall/VPN gateways
  • The SAMP API enables Firewall-1/VPN-1 to block a
    connection when an IDS detects suspicious
    activity on the network or on a specific host
  • The SAMP API defines the interface through which an
    IDS communicates with the VPN-1/Firewall-1
    management server
  • The management server directs the VPN-1/Firewall-1
    modules to terminate sessions or deny access to
    the reported hosts
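The interoperational model on slide 7 and the SAMP flow on this slide describe the same loop: the IDS sends a block request, the management server applies policy, and every enforcement module denies the source. The Python below is an added illustration written for this transcript, not Check Point's SDK (the SAMP wire protocol is proprietary and not reproduced here); the request fields, the 1..5 severity scale, the protected-network exception and the inputs in `demo()` are assumptions. The two policy checks are the ones a practitioner needs before wiring an IDS to a firewall: a never-block list so forged-source attacks cannot make the IDS cut off management hosts, and timed blocks that are lifted again so the blacklist does not grow without bound.

```python
import ipaddress


class BlockRequest:
    """One SAMP-style request from an IDS. Field names are assumptions."""

    def __init__(self, source, reason, severity, duration):
        self.source = source        # attacking host or CIDR
        self.reason = reason
        self.severity = severity    # 1 (info) .. 5 (critical)
        self.duration = duration    # seconds; 0 = until an operator removes it


class Gateway:
    """Enforcement module (firewall/VPN gateway) holding the deployed blacklist."""

    def __init__(self, name):
        self.name = name
        self.blocked = {}           # ip_network -> expiry time (None = permanent)

    def block(self, net, expiry):
        self.blocked[net] = expiry

    def unblock(self, net):
        self.blocked.pop(net, None)

    def is_blocked(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.blocked)


class ManagementServer:
    """Receives block requests, applies policy, pushes the result to every gateway."""

    def __init__(self, gateways, never_block=(), min_severity=3):
        self.gateways = gateways
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.min_severity = min_severity
        self.blocklist = {}         # ip_network -> expiry time
        self.alerts = []            # lines the operator console would show

    def handle_request(self, req, now):
        net = ipaddress.ip_network(req.source, strict=False)
        # Policy check 1: protected networks are never blocked. An attacker who
        # can trigger the IDS with forged source addresses must not be able to
        # make the firewall cut off management hosts or internal servers.
        if any(net.overlaps(p) for p in self.never_block):
            self.alerts.append(f"IGNORED {net}: protected source ({req.reason})")
            return "ignored"
        # Policy check 2: low-severity events are recorded but not acted on.
        if req.severity < self.min_severity:
            self.alerts.append(f"LOGGED {net}: {req.reason}")
            return "logged"
        expiry = None if req.duration == 0 else now + req.duration
        if net in self.blocklist:
            old = self.blocklist[net]
            # A repeat request never shortens an existing block.
            expiry = None if (old is None or expiry is None) else max(old, expiry)
        self.blocklist[net] = expiry
        for gw in self.gateways:
            gw.block(net, expiry)   # sessions from net are terminated / denied
        self.alerts.append(f"BLOCKED {net} until {expiry}: {req.reason}")
        return "blocked"

    def expire(self, now):
        """Housekeeping: lift timed blocks so entries do not outlive the incident."""
        done = [n for n, t in self.blocklist.items() if t is not None and t <= now]
        for net in done:
            del self.blocklist[net]
            for gw in self.gateways:
                gw.unblock(net)
        return [str(n) for n in done]


def demo():
    """Constructed sequence of IDS requests against two gateways."""
    gateways = [Gateway("fw-dmz"), Gateway("fw-internal")]
    srv = ManagementServer(gateways, never_block=["10.0.0.0/8"], min_severity=3)
    results = [
        srv.handle_request(BlockRequest("203.0.113.7", "port scan", 4, 600), now=1000),
        srv.handle_request(BlockRequest("10.0.5.9", "port scan", 5, 600), now=1000),
        srv.handle_request(BlockRequest("198.51.100.2", "ICMP echo", 1, 600), now=1001),
        srv.handle_request(BlockRequest("203.0.113.7", "buffer overflow", 5, 0), now=1002),
        srv.handle_request(BlockRequest("192.0.2.10", "SYN flood", 4, 60), now=2000),
    ]
    return srv, results


if __name__ == "__main__":
    server, outcome = demo()
    print(outcome)
    for line in server.alerts:
        print(line)
```

In `demo()` the first request for 203.0.113.7 is a 600-second block, the later critical request for the same host upgrades it to a permanent one, the request against 10.0.5.9 is ignored because it falls inside the protected network, and the 60-second block on 192.0.2.10 is removed by `expire()` once its time is up while the permanent entry survives.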

18
Event Integration LEA, ELA
  • LEA (Log Export API)
  • Enables applications to read the VPN-1/Firewall-1
    log database
  • An LEA client can retrieve both real-time and
    historical log data from the Management Console,
    which acts as the LEA server
  • A reporting application can use the LEA client to
    process the events logged by the VPN-1/Firewall-1
    security policy
  • ELA (Event Logging API)
  • Used to write to the VPN-1/Firewall-1 log
    database
  • Enables third-party applications to trigger the
    VPN-1/Firewall-1 alert mechanism for specific
    events
  • Enables the Management Console to become the
    central event repository for all traffic events,
    accounting and analysis
  • Combined with SAMP, applications can track
    suspicious activity and request that
    VPN-1/Firewall-1 terminate the malicious activity

19
Management and Analysis OMI
  • Interface to the central policy database to share
    objects such as
  • Host, Network, User, Service, Resource, Server,
    Key, ...
  • Ties together different products that may control
    security policies in different domains
  • Enables third-party applications to securely
    access the policy stored in the management server
    by providing read access to
  • Policies stored in the management server
  • Network objects, services, resources, users,
    templates, groups and servers defined in the
    management server
  • The list of all administrators that are allowed to
    log into the management server

20
Authentication SAA
  • SAA (Secure Authentication API)
  • Supports a wide variety of authentication
    mechanisms such as biometric devices,
    challenge-response tokens and passwords
  • Passes authentication information to the
    authentication server
  • After authentication, the VPN gateway acquires the
    user's certificate from the CA server, and then an
    IPsec/IKE session is established

21
OPSEC Framework Partners
Content Security and Event Analysis / Reporting
  • Safe gate, Computer Associates
  • Norton AntiVirus for Firewalls, Symantec
  • Firewall HealthCHECK, VeriSign
  • WebTrends for Firewalls and VPNs, WebTrends

Authentication and Authorization / Enterprise Directory Servers
  • Defend Security Server, Axent Technologies, Inc.
  • ACE/Server, RSA Security
  • IBM SecureWay Directory, IBM
  • Novell Directory Services, Novell

Intrusion Detection
  • RealSecure, Internet Security Systems (ISS)
  • SessionWall-3, Platinum
  • Go! Secure, VeriSign

22
Overview of Active security
  • Detection (sensing) device
  • E.g. a vulnerability scanner proactively scanning
    the internal network
  • Event Orchestra
  • Accepts all alerts, compares them with the security
    policy and initiates responses
  • Is fed the security policy to decide what is
    important and how to respond
  • Actions for security through
  • Helpdesk, firewall, administrator alerts, etc.

23
More about Active Security
  • The heart of Active Security is Event Orchestra
  • Conducts central event management
  • Standards-based, open event management system
  • Centrally collects alerts and other inter-process
    communications from security products
  • Includes its own data store, but also works with
    other databases through ODBC
  • Current Active Security products
  • Sensor: CyberCop Scanner (Windows NT)
  • Arbiter: Event Orchestra (Windows NT)
  • Actor: Gauntlet firewall (Windows NT / UNIX)

24
Example of Active security CyberCop
  • WMI (Windows Management Instrumentation)
  • Describes a standard way of accessing and
    representing management information in Windows
    2000 networks
  • Enables real-time monitoring
  • Enhances interoperability of security applications

25
Active Security Illustration
26
What is CDSA?
  • An open, cross-platform, interoperable,
    extensible and exportable security infrastructure
  • Specification and reference implementation
  • Adopted by The Open Group in November 1997
  • Mature code base from Intel, widely reviewed by
    industry
  • A robust security building block for e-business
    software solutions
  • Enables interoperability for security applications
    and services
  • Allows developers to focus on application
    expertise

27
CDSA Design Goals
  • Create an open, interoperable, cross platform
    security infrastructure
  • Support use and management of the fundamental
    elements of security
  • Certificates, trust, cryptography, integrity
  • Authentication, authorization
  • Make extensible above and below
  • Embrace emerging technologies
  • Plug-and-play service provider model
  • Extend to new services
  • Layered service provider model

28
CDSA Architecture
CDSA defines a four-layer architecture for
cross-platform, high-level security services:
  • Applications
  • Layered Security Services
  • Common Security Services Manager (CSSM), reached
    through the CSSM Security API: CSSM defines a
    common API / SPI for security services and an
    integrity foundation
  • Security Service Add-in Modules, attached through
    the Service Provider Interfaces: service providers
    implement selectable security services
29
Structure of ISMS
30
Features of ISMS
  • Integrated policy management
  • Maintains a logical security domain for consistent
    security management
  • Applies access control policy automatically by
    deploying a blacklist to the agents
  • Automated response to threats
  • Automatic policy integrity check at the management
    server
  • Removes potential risks resulting from human
    mistakes through autonomous operation and
    integrity checking
  • Notification through a unified user interface
  • Integrated view for security management through a
    web interface
  • Statistical information based on the collected
    data
  • Fault-tolerant security management
  • Records all security-related events through
    central logging
  • Simple policy recovery and backup through central
    policy management
  • Scalability and flexibility using the master-agent
    paradigm
  • No modification to the management engine

31
Detailed ISMS architecture
32
Detailed ISMS Engine
  • ISMS
  • Client(Java applet)
  • Engine(Solaris)
  • Agent(Solaris, LINUX, FreeBSD)
  • Uses a standard management protocol (SNMP)
  • Extensibility, scalability
  • ISMS engine
  • Manages policies
  • Processes user requests
  • Notifies events
  • Collects information from agents
  • Manages log data

33
Integrated policy management
34
Automated Response to threats
35
Notification for human operation
36
Logical secure domain maintenance
37
Blacklist management
38
ISMS Deployment Structure
39
Summary
  • Increasing need for integrated security
    management
  • Easy and unified user interface
  • Integrated policy management
  • Integrated Security Management is currently a hot
    issue
  • Check Point (OPSEC), Network Associates (Active
    Security) and Intel (CDSA) are developing standards
    and prototypes
  • They are still under development
  • CDSA is publicly available
  • We have been working on
  • Designing an integrated model to manage various
    security products
  • Developing a prototype system with a single view
    and a total security concept
