On Implementing Real-time Detection

Techniques in Future Network Access

Control

Engr. Arain, Adnan Ashraf

Mehran University of Engineering & Technology,
Pakistan
adnanlooking@ieee.

Ph.D. (Security Models of Wireless Sensor Networks-

06/09)
M.E. (Communication Systems & Networks-2004)
B.E. (Computer Systems Engineering-2003)

ICTTA’08, Damascus, 7th -11th

April, 2008
 Agenda
Introduction of ideal network security/
access control
Potential threats to network access control
General pitfalls of existing “traditional
security techniques”
 The proposed network security technique
Real-time test results (pros & cons)
Future integration
Summary

2
 Introduction of Ideal network
security
Fantastic 4s
Integrity
Authenticity
Confidentiality AUTHENTICATION

Availability FIREWALL (Client-Server) SPECIAL FILTERS (server)

BORDER ROUTER ANTIVIRUS (Client-Server)

DIRECT REGULAR
LOG MAINTENANCE
UPDATES FOR EACH
NEED BASE SERVICE `

ID and IP SENSORS ALERTS/ NOTIFICATIONS Host or Client

VPN DEVICES IPS (Host/Server)

IDS (Host/Server)
Fig 1. Ideal security perimeter

3
 Potential threats to security
Bad 4s
Interception
Intrusion
Modification
Fabrication

4
 Defense-in-depth (existing)
Border routers
Firewalls
IDS
IPS
VPN devices
Software services of DMZs
Server-side/ client-side web filters
Server-side/ client-side antivirus services

“Castel without gate is not the security

solution”
5
 Defense-in-depth
(..continued)
AUTHENTICATION ALERTS/ NOTIFICATIONS

AVAILABIITY VPN DEVICES LOG MAINTENANCE INTEGRITY

DIRECT REGULAR
UPDATES FOR EACH

`
FIREWALL (Client-Server)
ANTIVIRUS (Client-Server)

IPS (Host/Server)

SECURITY ID and IP SENSORS

CONFIDENTIALITY

SPECIAL FILTERS (server) BORDER ROUTER

IDS (Host/Server)

Fig 2. Optimal requirements from a traditional

network

6
 Defense-in-depth (exemplified by ‘antivirus
application’)

• General Pitfall of traditional

security
• Minimum synchronization

1 Gbps
Server farm

of network components/ AV-update

services due to individual/ Gigabit Switch

AV-update

independent solutions
• Higher traffic load due to bp
s
AV-update
10
recursive dictation from
M 0
0 M
10 Router bp
s
the core-servers for AV-update

10/ 100 Mbps

10/
administrating the

100
Switch AV-update
Switch

Mbp
network.

s
AV-update

• Non-modularized `
AV-update
`
`
component services due to Client Client
`

monopolization of
backdoors by the Fig 3. Updates in a traditional
manufacturer/ developer network

7 of the security devices/

application.
 Proposed objectives
Maximizing synchronization among security
component services.

Modularizing the solution for potential

threats.

Minimizing the unnecessary traffic load

8
 Switch with resident
virus updates

Proposed security solution Requires

NO
HELLOs?

• Firewall, secure routing

schemes, authentication
YES

mechanisms, antivirus HELLO

handshake

applications should be
logically, one entity. AV-HELLO
handshake

• Each of the component Frame for

services should be clearly

ACK error? NO
Authenticity

identified and run YES

separately. Check if
Request to
retransmit YES
retransmit
HELLOs?

• Routing, ACL, NO

cryptography, and likely Discard

resource consuming
MAC entry
& Report

services must be Fig 4. Switch-based

9 performed before the updates

arrival of the next packet

 Implementation of the proposed
solution
Internet

• Switches does not

generate/ direct the DHCP

redundant traffic every

Authentication &
Corporate Access server
firewall server

time towards the core- AV datafiles AV-Client server 1 Gbps

server. Core Device Web server

Mail server

Distribution device 1
Distribution device 3

• Regular updates,

Mbps

100 Mbps
Distribution device 4.
Distribution device 2

100

100 Mbps
alerts, REQ/ACK, and log

100 Mbps
Flash update Flash update

are accessible to clients

Flash update

s
Flash update

0 Mbp

Mbps

ps
Switch 1 Switch x2

Mb
Mbp
at near-by locations.
10/ 10
Switch 30

10 0
10/ 10
Switch x1

100

10 /
1 0/
` ` `
`
Client 1-30 Clients 1-30
Clients 1-30 Clients 1-30

• Minimal sinkholes/ Fig 5. Proposed solution: Campus-

wide security perimeter
10 continuous pings/ hello
 Implementation of the proposed..
(continue)
Internet

• Gives protection against

backdoors and trapdoors.
DHCP
Authentication &
Corporate Access server
firewall server

• Feasible in existing AV datafiles AV-Client server 1 Gbps

network infrastructures.
Core Device Web server
Mail server

• Technique was tested for Distribution device 1

Distribution device 3

500+ nodes in campus-

Mbps

100 Mbps
Distribution device 4.
Distribution device 2

wide network.

100

100 Mbps
100 Mbps
Flash update Flash update
Flash update

s
Flash update

0 Mbp

Mbps

ps
Switch 1 Switch x2

Mb
• Higher number of threats

Mbp
10/ 10
Switch 30

10 0
10/ 10
Switch x1

100

10 /
detected as compared to

1 0/
` ` `
`
traditional network Client 1-30
Clients 1-30 Clients 1-30
Clients 1-30

security threat. Fig 5. Proposed solution: Campus-

wide security perimeter (Repeat)
11
 Test results of the proposed
network security technique

Almost 63% better Name of attacker

Total
Number
of attacks
Statistic of attacks (blocked)

2500 results
NUMBER OF THREATS DETECTED
DOS malware 50
T.N.P.M

8
P.N.P.M

16
TRADITIONAL
2000 UNIX viruses 44 8 8
PROPOSED

1500 Script malware 232 35 24

Worms 517 111 324

1000
Backdoors 3851 1477 2130
500

Trojans 3653 725 1461

0

e
s

ar
se

w
s
ru

Other malware 371 279 269

m

al
e

an
vi
ar

m
or
r

e
s
wa

ar
IX

oj
w

or
W

S
Tr
al

w
N

al

O
do
m

al
U

tm

er
ck

m
S

th
Ba
rip
O

er

Other OS malware 137 19 8

O
D

Sc

th
O

Total 8855 30.1% 47.9%

Fig 6 & 7. Traditional versus Proposed network security

techniques: Analysis and quantification of malicious codes in
the network (Tabular & Graph format)

12
 Future extensions
UNDERGRAD PROJECTS

To develop APIs for CISCO/ Alcatel switches

to update an antivirus application/ firewall
policy by some GUI.

To re-write flash memory of network switches

in order to reserve memory dedicated for the
storage of updates/source in passive mode.

13
 Conclusion
We discuss the true definition of “network
security perimeter” or “defense-in-depth”.

We present a hierarchical model with

logical separation between different
services to analyze the integration
possibility of components services.

We show that how synchronization among

network component services/ applications
may be achieved among clients in their
neighborhood core-servers, thus
14
minimizing the traffic load @ core-servers.
 Conclusion (..continued)
By emulating the proposal we quantify the
results in a real-time network environment.

We compare the results of existing and

proposed security technique and found the
later one ‘better’.

We identify the possible extension to this

research work.

15
 Acknowledgement

Department of network operations @

Mehran UET, Pakistan

Miss: Marvi Mussadiq (IT specialist,

UoSindh, Pakistan)

16
 References
  Hae-Jin Jeong; Il-Seop Song; et-al; “A Multi-dimension Rule Update in a TCAM-based High-
Performance Network Security System”Advanced Information Networking and Applications,
2006. AINA 2006, 20th International Conference on Volume 2, 18-20 April 2006 Page(s):62 – 66
 Al-Shaer, E; “Network Security Policies: Verification, Optimization and Testing”
Network Operations and Management Symposium, 2006. NOMS 2006, 10th IEEE/IFIP, 2006
Page(s):584 – 584
 Magic quadrant, “Symantec network access control; the key to endpoint security” advertising
section report 2006, www.symantec.com/endpoint
 Hamed, H.; Al-Shaer, E; “Taxonomy of conflicts in network security policies”
Communications Magazine, IEEE, Volume 44,  Issue 3,  March 2006 Page(s):134-141
 Salim, R.; Rao, G.S.V.R.K;” Design and Development of Network Intrusion Detection System
Detection Scheme on Network Processing Unit” Advanced Communication Technology, 2006.
ICACT 2006, the 8th International Conference, Volume 2, 20-22 Feb. 2006 Page(s):1023 – 1025
 Adnan A. Arain, Marvie, Manzoor Hashmani, “An analytical revelation for a safer network
security perimeter”, 2006 proceedings of Intentional Conference on Information and Networks-
ICOIN2006 Sendai, Japan, 14-17 January 2006
 Schaelicke, L.; Freeland, J.C.; “Characterizing sources and remedies for packet loss in network
intrusion detection systems” Workload Characterization Symposium, 2005. Proceedings of the
IEEE International 6-8 Oct. 2005 Page(s):188 – 196
 Jiang-Neng Yi; Wei-Dong Meng; Wei-Min Ma; Jin-Jun Du; “Assess model of network security
based on analytic network process” Machine Learning and Cybernetics, 2005. Proceedings of
2005 International Conference on Volume 1, 18-21 Aug. 2005 Page(s):27-32 Vol. 1
 Harrison, J.V.; “Enhancing network security by preventing user-initiated malware execution”
Information Technology: Coding and Computing, 2005. ITCC 2005, International Conference on
Volume 2, 4-6 April 2005 Page(s):597 - 602 Vol. 2

17
 References
 Yanhui Guo; Cong Wang; “Autonomous decentralized network security system”
Networking, Sensing and Control, 2005. Proceedings, 2005 IEEE, 19-22 March
2005 Page(s):279-282
 Stephen Northcutt, Lenzy, et-al, “Inside network perimeter security: The
definitive guide to firewalls, virtual private networks (VPNs), routers, and
intrusion detection systems”, ISBN 0672327376, SAMS; 2nd Edition, March 4,
2005
 Brian Monroe, Security Engineer-STILLSECURE, “Demystifying network access
control”, white paper 2005, www.stillsecure.com
 Djordjevic, I.; Phillips, C.; Dimitrakos, T; “An architecture for dynamic security
perimeters of virtual collaborative networks” Network Operations and
Management Symposium, 2004. NOMS 2004, IEEE/IFIP, Volume 1, 19-23 April
2004 Page(s):249 - 262 Vol.1
 Sean Convery, “Network security architectures”, ISBN: 158705115X, Cisco Press;
2nd Edition Edition, April 19, 2004
 Stephen Northcutt, Judy Novak, “Network intrusion detection”, ISBN
0735712654, SAMS; 3rd Edition, August 27, 2002
 Todd Lammle, Sean Odom, Kevin, “CCNP- Routing (study guide)”; SYBEX press
Exam 640-503Fdsf
 Wendell Odom, “CCNA Intro (self study guide)”, CISCO press; Exam 640-821

18  Glen Kunene, “Perimeter security ain't what it used to be, experts Say” Senior
Editor, DevX, www.devx.com/security/ Article/20472
 Thanks
Q&A

19