Escolar Documentos
Profissional Documentos
Cultura Documentos
2
Introduction of Ideal network
security
Fantastic 4s
Integrity
Authenticity
Confidentiality AUTHENTICATION
DIRECT REGULAR
LOG MAINTENANCE
UPDATES FOR EACH
NEED BASE SERVICE `
IDS (Host/Server)
Fig 1. Ideal security perimeter
3
Potential threats to security
Bad 4s
Interception
Intrusion
Modification
Fabrication
4
Defense-in-depth (existing)
Border routers
Firewalls
IDS
IPS
VPN devices
Software services of DMZs
Server-side/ client-side web filters
Server-side/ client-side antivirus services
DIRECT REGULAR
UPDATES FOR EACH
`
FIREWALL (Client-Server)
ANTIVIRUS (Client-Server)
IPS (Host/Server)
IDS (Host/Server)
6
Defense-in-depth (exemplified by ‘antivirus
application’)
1 Gbps
Server farm
independent solutions
• Higher traffic load due to bp
s
AV-update
10
recursive dictation from
M 0
0 M
10 Router bp
s
the core-servers for AV-update
10/
administrating the
100
Switch AV-update
Switch
Mbp
network.
s
AV-update
• Non-modularized `
AV-update
`
`
component services due to Client Client
`
monopolization of
backdoors by the Fig 3. Updates in a traditional
manufacturer/ developer network
8
Switch with resident
virus updates
applications should be
logically, one entity. AV-HELLO
handshake
separately. Check if
Request to
retransmit YES
retransmit
HELLOs?
• Routing, ACL, NO
resource consuming
MAC entry
& Report
Distribution device 1
Distribution device 3
• Regular updates,
Mbps
100 Mbps
Distribution device 4.
Distribution device 2
100
100 Mbps
alerts, REQ/ACK, and log
100 Mbps
Flash update Flash update
s
Flash update
0 Mbp
Mbps
ps
Switch 1 Switch x2
Mb
Mbp
at near-by locations.
10/ 10
Switch 30
10 0
10/ 10
Switch x1
100
10 /
1 0/
` ` `
`
Client 1-30 Clients 1-30
Clients 1-30 Clients 1-30
Mbps
100 Mbps
Distribution device 4.
Distribution device 2
wide network.
100
100 Mbps
100 Mbps
Flash update Flash update
Flash update
s
Flash update
0 Mbp
Mbps
ps
Switch 1 Switch x2
Mb
• Higher number of threats
Mbp
10/ 10
Switch 30
10 0
10/ 10
Switch x1
100
10 /
detected as compared to
1 0/
` ` `
`
traditional network Client 1-30
Clients 1-30 Clients 1-30
Clients 1-30
2500 results
NUMBER OF THREATS DETECTED
DOS malware 50
T.N.P.M
8
P.N.P.M
16
TRADITIONAL
2000 UNIX viruses 44 8 8
PROPOSED
e
s
ar
se
w
s
ru
al
e
an
vi
ar
m
or
r
e
s
wa
ar
IX
oj
w
or
W
S
Tr
al
w
N
al
O
do
m
al
U
tm
er
ck
m
S
th
Ba
rip
O
er
O
D
Sc
th
O
12
Future extensions
UNDERGRAD PROJECTS
13
Conclusion
We discuss the true definition of “network
security perimeter” or “defense-in-depth”.
15
Acknowledgement
16
References
Hae-Jin Jeong; Il-Seop Song; et-al; “A Multi-dimension Rule Update in a TCAM-based High-
Performance Network Security System”Advanced Information Networking and Applications,
2006. AINA 2006, 20th International Conference on Volume 2, 18-20 April 2006 Page(s):62 – 66
Al-Shaer, E; “Network Security Policies: Verification, Optimization and Testing”
Network Operations and Management Symposium, 2006. NOMS 2006, 10th IEEE/IFIP, 2006
Page(s):584 – 584
Magic quadrant, “Symantec network access control; the key to endpoint security” advertising
section report 2006, www.symantec.com/endpoint
Hamed, H.; Al-Shaer, E; “Taxonomy of conflicts in network security policies”
Communications Magazine, IEEE, Volume 44, Issue 3, March 2006 Page(s):134-141
Salim, R.; Rao, G.S.V.R.K;” Design and Development of Network Intrusion Detection System
Detection Scheme on Network Processing Unit” Advanced Communication Technology, 2006.
ICACT 2006, the 8th International Conference, Volume 2, 20-22 Feb. 2006 Page(s):1023 – 1025
Adnan A. Arain, Marvie, Manzoor Hashmani, “An analytical revelation for a safer network
security perimeter”, 2006 proceedings of Intentional Conference on Information and Networks-
ICOIN2006 Sendai, Japan, 14-17 January 2006
Schaelicke, L.; Freeland, J.C.; “Characterizing sources and remedies for packet loss in network
intrusion detection systems” Workload Characterization Symposium, 2005. Proceedings of the
IEEE International 6-8 Oct. 2005 Page(s):188 – 196
Jiang-Neng Yi; Wei-Dong Meng; Wei-Min Ma; Jin-Jun Du; “Assess model of network security
based on analytic network process” Machine Learning and Cybernetics, 2005. Proceedings of
2005 International Conference on Volume 1, 18-21 Aug. 2005 Page(s):27-32 Vol. 1
Harrison, J.V.; “Enhancing network security by preventing user-initiated malware execution”
Information Technology: Coding and Computing, 2005. ITCC 2005, International Conference on
Volume 2, 4-6 April 2005 Page(s):597 - 602 Vol. 2
17
References
Yanhui Guo; Cong Wang; “Autonomous decentralized network security system”
Networking, Sensing and Control, 2005. Proceedings, 2005 IEEE, 19-22 March
2005 Page(s):279-282
Stephen Northcutt, Lenzy, et-al, “Inside network perimeter security: The
definitive guide to firewalls, virtual private networks (VPNs), routers, and
intrusion detection systems”, ISBN 0672327376, SAMS; 2nd Edition, March 4,
2005
Brian Monroe, Security Engineer-STILLSECURE, “Demystifying network access
control”, white paper 2005, www.stillsecure.com
Djordjevic, I.; Phillips, C.; Dimitrakos, T; “An architecture for dynamic security
perimeters of virtual collaborative networks” Network Operations and
Management Symposium, 2004. NOMS 2004, IEEE/IFIP, Volume 1, 19-23 April
2004 Page(s):249 - 262 Vol.1
Sean Convery, “Network security architectures”, ISBN: 158705115X, Cisco Press;
2nd Edition Edition, April 19, 2004
Stephen Northcutt, Judy Novak, “Network intrusion detection”, ISBN
0735712654, SAMS; 3rd Edition, August 27, 2002
Todd Lammle, Sean Odom, Kevin, “CCNP- Routing (study guide)”; SYBEX press
Exam 640-503Fdsf
Wendell Odom, “CCNA Intro (self study guide)”, CISCO press; Exam 640-821
18 Glen Kunene, “Perimeter security ain't what it used to be, experts Say” Senior
Editor, DevX, www.devx.com/security/ Article/20472
Thanks
Q&A
19