Presentation is loading. Please wait.

Presentation is loading. Please wait.

PhD Proposal - Draft Ajoy Kumar Advisor: Dr. EF

Published byAmy Moody Modified over 8 years ago

Similar presentations

Presentation on theme: "PhD Proposal - Draft Ajoy Kumar Advisor: Dr. EF"— Presentation transcript:

1 PhD Proposal - Draft Ajoy Kumar Advisor: Dr. EF
Unifying the conceptual levels of network security through use of patterns. PhD Proposal - Draft Ajoy Kumar Advisor: Dr. EF Secure Systems Research Group – Florida Atlantic University

2 Introduction We analyze security mechanisms at the conceptual network layers and propose a unification of these levels using security patterns. We also develop several new patterns and study the existing patterns for this purpose. Secure Systems Research Group – Florida Atlantic University

3 Problem Statement Three basic conceptual layers in the network are the network layer, the transport layer and the user application layer. Each of these layers is subjected to security threats and we need to consider security defenses at each of these layers. Security threats help form security policies which in turn lead to the development of protocol mechanisms and these mechanisms lead to security patterns at each of these layers. Secure Systems Research Group – Florida Atlantic University

4 Contd… Some of the specific mechanisms used for security are Firewalls, IDS and VPN (Virtual Private Network). In this thesis we attempt to look at the involved security components such as Firewalls, IDS and VPN at these three primary layers and study the synergistic combination of these components. Then we look at the different security protocols controlling these layers such as IPSec (network or IP layer), TLS (the transport layer) and SOAP ( user application layer) which contribute to the defense at these layers. When Security is designed for these layers including these components and protocols, a systematic approach is required by the developers to enhance security. Secure Systems Research Group – Florida Atlantic University

5 Contd… In this work we try to identify already existing security patterns for these components and protocols and then fill in the gaps for the missing security patterns. We will also try to compare and contrast the patterns developed at each of these layers and try to unify these levels using patterns. Once the patterns are developed, they will serve as a catalog to help designers build and maintain secure networks. Secure Systems Research Group – Florida Atlantic University

6 Software Patterns and Security
The primary objectives of security are to provide confidentiality, integrity, availability, and accountability to the information. Information or messages passed are usually vulnerable to attacks and are targeted by many people for political or personal reasons. Security countermeasures are usually classified into five groups: identification and authentication, access control and authorization, logging, cryptography, and intrusion detection. Secure Systems Research Group – Florida Atlantic University

7 Contd… A way to counter the threats to security faced by these network layers is use of patterns. Patterns are solutions to recurrent problems in given contexts. Security patterns have been looked at extensively in the current world of threats and have been studied in detail. A good number of security patterns have been described in the literature [Fer06a, Sch06, Ste05]. In the ideal case the developer would be able to find one or more security patterns to provide guidance for specific security problems. Patterns in general capture knowledge and wisdom of developers in a highly accessible form for ordinary practitioners to apply.

8 Security Mechanisms Three of the most common security mechanisms used are firewalls, VPN and IDS. Firewalls have been shown to be very effective in providing security by basically creating a choke point of entry (and exit) into a local network [Bar99]. A firewall therefore restricts unauthorized clients from access to the local network and local networks from accessing external sites that are considered untrustworthy. A firewall can be used as a mechanism to enforce security policies and also allows a limited exposure of the protected network to outsiders.

9 Sec Mech. (Contd…) VPN uses a technique called tunneling, in which data is transmitted across a public network in a private tunnel that simulates a end to end connection. A system intrusion is any attempt to attack a system and compromise its integrity, confidentiality, or availability of a resource. Intrusion Detection Systems (IDS) are implemented to detect an intrusion when it occurs and on detection should trigger appropriate recovery measures [Fer05].

10 Overview of layers and security mechanisms at network layers
Firewall IDS VPN User Application Transport IP

11 Network Architecture Security Mechanisms Firewall IDS VPN Protocol User application XML Fw XML IDS XML VPN SAML TCP Proxy Fw TCP IDS TLS/SSL VPN TLS IP Packet filter Packet IDS IPSec VPN IPSec AU T H E N I CA ON SECRECY AUTHOR ZAT ION IDENT F C A O FireWall IDS VPN Protocol Application XML FW XML IDS XML VPN SAML TCP Proxy FW TCP IDS TLS/SSL VPN TLS IP Packet FW Packet IDS IPSec VPN IPSec Secure Systems Research Group – Florida Atlantic University

12 Abstact Pattern for Sec. Mech.
VPN/FW/IDS SAML Realize Realize Realize TLS V/F/I IPSec V/F/I XML V/F/I TLS IPSec Secure Channel Authentication Secure Systems Research Group – Florida Atlantic University

13 Proposed Research General Goal
We try to unify the security functions used in different network layers through security patterns. We identify the common security components of each layer and their protocols and try to discover the existing security patterns for each of these layers and identify the patterns yet to be developed and try to develop them. Secure Systems Research Group – Florida Atlantic University

14 Specific Goals and Outline
Survey security Components such as Firewall, IDS and VPN Survey the existing protocols for each of these layers such as IPSec, TLS and SAML. Identify the existing patterns for each of these security components for each of the network layers. Identify the patterns yet to be developed for the security components for each of these network layers. Develop these new security patterns yet to be developed for each of these layers. Apply the new patterns developed on a Case Study and study the consequences in detail. Secure Systems Research Group – Florida Atlantic University

15 Contributions A description of the three basic architectural layers using pattern diagrams showing the relationship between these patterns A description of the protocols to provide security for these layers using security pattern diagrams. An enumeration of the use cases and the security threats involved for the typical network functions. Analysis of the existing countermeasures, eg. Firewalls, IDS, VPNs and their combinations. We will consider existing commercial products as possible sources of security patterns. Specific patterns for the network architectural layers, their security standards, and mechanisms to defend against the identified threats. We have already published one of these [Fer05] and in the process of completing another. Validation of the approach to applying it to a SCADA system. Secure Systems Research Group – Florida Atlantic University

16 Validation A way to validate the proposed model is to apply it to a real system. We can analyze its main use cases and enumerate possible threats. Then we can see how our architectural model provides a structure to develop and evaluate a range of those systems. We intend to apply our model to a SCADA system and compare our results to other analysis of SCADA security such as [Nae07, NIST]. The new patterns can be validated by publishing in conferences such as PLOP or similar conferences. (We did this with an early pattern [Fer05]). Secure Systems Research Group – Florida Atlantic University

17 Remaining Work: New Patterns
All the other patterns that need to be developed will be identified. The above existing patterns will be further expanded in detail. For example IDS pattern would be extended to include Misuse based IDS also. The VPN pattern will be expanded into different patterns for XML, Packet VPN and SSL VPNs. Patterns for the different Protocols. Proposed TimeLine: Fall Spring 2009 Secure Systems Research Group – Florida Atlantic University

18 2. Synergy Impact of synergistic combination of these security mechanisms VPN + FW + IDS Summer 2009.

19 4. Case Study (Validation)
Finally after all the missing pieces are developed it will be applied to the SCADA model which has been developed above and will be studied in detail. Proposed Time Line: Fall 2009 Secure Systems Research Group – Florida Atlantic University

20 Completed Work Survey of existing patterns
First we will identify all the patterns that have been developed by other researchers in these network layers such as the Packet filter pattern, proxy firewall pattern and XML firewall pattern and Survey of security mechanisms limiting to SCADA.

21 2. VPN Patterns SAML XML VPN VPN TLS TLS VPN IPSec IP VPN
Supports SAML XML VPN VPN Supports TLS TLS VPN IPSec Supports IP VPN Secure Systems Research Group – Florida Atlantic University

22 3. IDS - Class Diagram for Signature basedIDS.[Fer05] Viking PLOP
Secure Systems Research Group – Florida Atlantic University

23 Class Diagram For VPN Network VPN Network End Point
* * Network End Point 1 1 * Authenticator Secure Channel 1 Identity Base * Identity Secure Systems Research Group – Florida Atlantic University

24 4. Case Study Identification
SCADA Architecture SCADA can be used as an example of a distributed system where we apply these patterns. Security Threats. Secure Systems Research Group – Florida Atlantic University

25 Example An important example of SCADA application is electric power generation. Context A SCADA system such as electric power generation system with a Distributed Architecture and connected to the Internet. Secure Systems Research Group – Florida Atlantic University

26 Class Diagram (w/o Security Components)
Central Controller User Interface Field Unit Controller Comm. Network Internet Zone * 1 Secure Systems Research Group – Florida Atlantic University

27 Class Diagram for Secure SCADA
Secure Systems Research Group – Florida Atlantic University

28 Suggestions Additions Concerns Modifications Improvements
Secure Systems Research Group – Florida Atlantic University

Download ppt "PhD Proposal - Draft Ajoy Kumar Advisor: Dr. EF"

Similar presentations

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.

Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.
Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.

Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
Network and Security Patterns

Network and Security Patterns
Unifying the Conceptual levels of Network Security through use of Patterns. PhD Proposal Ajoy Kumar Secure Systems Research Group – Florida Atlantic University.

Unifying the Conceptual levels of Network Security through use of Patterns. PhD Proposal Ajoy Kumar Secure Systems Research Group – Florida Atlantic University.
Chapter 12 Network Security.

Chapter 12 Network Security.
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
NETWORK SECURITY.

NETWORK SECURITY.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
Introduction to Network Defense

Introduction to Network Defense
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 9 Network Policy and Access Services in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 9 Network Policy and Access Services in Windows Server 2008.

Similar presentations

Ads by Google