Slide 1: UCCS Network/System Security Research
Pfleeger Visit, 4/13/2004
C. Edward Chow, Xiaobo Joe Zhou, Yu Cai, Ganesh Godavari
Department of Computer Science, University of Colorado at Colorado Springs
Some of the research projects are sponsored by the Air Force Research Laboratory, under agreement number F49620-03-1-0207. It was sponsored by NISSC Summer/Fall 2003 grants. Part of these results are supported by a generous gift from Fujitsu for Internet research.

Slide 2: Outline of the Talk
Overview of Network/System Security Research Projects at the Network/System Lab:
- Secure Collective Internet Defense (SCOLD): an Intrusion Tolerance System.
- Autonomous Anti-DDoS (A2D2): Integrated enhanced Snort IDS with multi-level adaptive rate limiting firewall.
- Secure Groupware for First Responders (SGFR): Integrated Group Rekeying (Keystone) with Instant Messaging (Jabber) on MANET.
- Secure Access Mobile Ad Hoc Network (SMANET): Implemented PEAP module on freeRadius server, compared PEAP with TTLS.
- First Responder Sensor Network (FRSN): Track fire fighters with Crossbow Mote-based sensor network.
- Improving System Performance by QoS Regulations with Adaptive Resource Management under Cyber Threats.
- Intelligence/Information Fusion.
- Secure Information Sharing.

Slide 3: UCCS Network/System Research Lab
Director: Dr. C. Edward Chow (Network/Protocol)
Assistant Professor: Dr. Xiaobo Zhou (Distributed Systems; QoS)
Graduate students:
- John Bicknell/Steve McCaughey/Anders Hansmat: Distributed Network Restoration/Network Survivability
- Hekki Julkunen: Dynamic Packet Filter
- Chandra Prakash: High Available Linux kernel-based Content Switch
- Ganesh Godavari: Linux based Secure Web Switch
- Angela Cearns: Autonomous Anti-DDoS (A2D2) Testbed
- Longhua Li: IXP-based Content Switch
- David Wikinson: Secure DNS (update/query) with multiple indirect routing entries
- Nirmala Bulusu: Secure Wireless Access; PEAP vs. TTLS; enhance freeRadius server with PEAP module
(the above graduated)
- Yu Cai (Ph.D. research assistant): Proxy Server Based Multipath Routing; Secure Collective Internet Defense; Information Fusion
- Ganesh Godavari (Ph.D. research assistant): Content Switching Rule Conflict Detection; Secure Groupware; First Responder Sensor Network; Secure Information Sharing
- Frank Watson: enhanced TCP with multiple routes (User Mode Linux)
- Paul Fong: Wireless AODV Routing for sensor networks
- Murthy Andukuri/Jing Wu: iSCSI/VPN/MPLS Secure QoS Storage Network
- Patricia Ferrao/Merlin Vincent: Web-based Collaborative System
- Sarah Jelinek: Enterprise Intrusion Detection and Response System (A2D2V2)

Slide 4: UCCS Network Lab Equipment
- Gigabit fiber connection to UCCS backbone.
- Switch/Firewall/Wireless AP: HP 4000 switch; 4 Linksys/Dlink switches; 5 Intel 24-port Fast Ethernet switches. Sonicwall Pro 300 Firewall; 6 Intel VPN Firewalls. 8 Intel 7112 SSL accelerators; 4 7820 XML directors donated by Intel. Cisco 1200 Aironet Dual Band Access Point and 350 client PC/PCI cards (both 802.11a and 802.11b cards).
- Intel IXP12EB network processor evaluation board.
- Servers: Two Dell PowerEdge servers.
- Workstations/PCs: 8 Dell PCs (3 GHz-500 MHz); 12 HP PCs (500-233 MHz); 2 laptop PCs with Aironet 350 for mobile wireless; 1 iPAQ 3875 PDA.
- OS: Linux Red Hat 9, Fedora; Windows XP/2000/2003.

Slide 5: Intrusion Related Research Areas
- Intrusion Prevention: General Security Policy; Ingress/Egress Filtering
- Intrusion Detection: Honey pot; Host-based IDS (Tripwire); Anomaly Detection; Misuse Detection
- Intrusion Response: Identification/Traceback/Pushback
- Intrusion Tolerance

Slide 6: Wouldn't it be Nice to Have Alternate Routes?
[Diagram: victim behind router R with DNS1; attack hosts (A) on net-a.mil, net-b.mil and net-c.mil with DNS2/DNS3; routers R1, R2 and R3 as alternate gateways; DDoS attack traffic and client traffic both arrive over the direct route]
How to reroute client traffic through R1-R3? Multi-homing.

Slide 7: Implement Alternate Routes
[Diagram: same topology as slide 6, with R1-R3 as alternate gateways]
Need to inform clients or client DNS servers! But how to tell which clients are not compromised? How to hide the IP addresses of the alternate gateways?

Slide 8: Possible Solution for Alternate Routes
[Diagram: Proxy1, Proxy2 and Proxy3 placed in front of the alternate gateways; attack messages blocked by the IDS at Proxy1; new route via Proxy3 to R3; the victim sends a distress call, and a reroute command carrying the DNS name/IP address of the proxy and the victim is sent out]

Slide 9: SCOLD Phase 1
[Diagram: victim, DNS1-DNS3, Proxy1-Proxy3, R1-R3 and the Reroute Coordinator; attack traffic and client traffic]
1. IDS detects intrusion, blocks attack traffic and sends a distress call to the Reroute Coordinator.

Slide 10: SCOLD Phase 2
[Diagram: as slide 9]
1. IDS detects intrusion, blocks attack traffic and sends a distress call to the Reroute Coordinator.
2. Reroute Coordinator sends Reroute Command with (DNS Name, IP Addr. of victim, Proxy Server(s)) to DNS.

Slide 11: SCOLD Phase 3
[Diagram: as slide 9]
2. Reroute Coordinator sends Reroute Command with (DNS Name, IP Addr. of victim, Proxy Server(s)) to DNS.
3. New routes: via Proxy1 to R1, via Proxy2 to R2, via Proxy3 to R3.

Slide 12: SCOLD Phase 4
[Diagram: as slide 9]
3. New routes: via Proxy1 to R1, via Proxy2 to R2, via Proxy3 to R3.
4./4a. Attack traffic detected by IDS, blocked by firewall.

Slide 13: SCOLD Secure DNS Update with New Indirect DNS Entries
[Diagram: trusted domain, WAN, DMZ and client domain; modified Bind9 server, modified client resolve library, IP tunnel to proxy2]
New DNS entry: (target.targetnet.com, 133.41.96.7, ALT 203.55.57.102), with 203.55.57.103 and 185.11.16.49 as further alternates: a set of alternate proxy servers for indirect routes.
Components: modified Bind9; IP tunnel; modified client resolve library.

Slide 14: SCOLD Indirect Routing
[Diagram: IP tunnel between client and proxy]

Slide 15: SCOLD Indirect Routing with Client Running SCOLD Client Daemon
[Diagram: IP tunnel between client and proxy]

Slide 16: Performance of SCOLD v0.1
Table 1: Ping Response Time (on 3 hop route)
- No DDoS attack, direct route: 0.49 ms
- DDoS attack, direct route: 225 ms
- No DDoS attack, indirect route: 0.65 ms
- DDoS attack, indirect route: (value not present in the transcript)
Table 2: SCOLD FTP/HTTP download test (from client to target): (values not present in the transcript)

Slide 17: Secure Collective Defense
Main Idea: Explore secure alternate paths for clients to come in; utilize geographically separated proxy servers.
Goal:
- Provide secure alternate routes.
- Hide IP addresses of alternate gateways.
Techniques:
- Multiple Path (Indirect) Routing.
- Enhanced Secure DNS extension: how to inform client DNS servers to add new DNS entries with alternate routes (not your normal DNS name/IP address mapping entry).
- Utilize a consortium of proxy servers with IDS that hides the IP address of alternate gateways.
- Partition clients to come in at different proxy servers: this can help identify the origin of spoofed attacks!
- How do clients use the new multiple path indirect DNS entries and route traffic through proxy servers? Use the Sock protocol, modify the resolver library.

Slide 18: Current SCOLD Project Results
- Proposed new DNS entries for intrusion tolerance, containing multiple proxy server info for establishing indirect routes.
- Modified Bind9 DNS server to accept secure DNS updates and to serve queries with new indirect DNS entries.
- Developed new secure DNS update utility to securely update the target zone file in the enhanced Bind9 DNS server.
- Implemented new secure indirect routing protocol: to allow client DNS to query target DNS during a DDoS attack; to allow the client to communicate with the target server through a proxy server and alternate gateway.
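The reroute flow of slides 6 to 18, as an added toy model written for this page (it is not SCOLD's code): it parses an indirect DNS entry in a constructed syntax modelled on slide 13, lets a reroute coordinator push that entry to client DNS servers when the IDS distress call arrives, switches the client resolver to the indirect route only while the target is flagged, and partitions clients by /24 across the proxies so that a proxy still seeing attack traffic narrows the origin to a few source subnets (slide 17). The class and function names, the entry syntax and every client address below are assumptions of this example.

```python
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass
class IndirectEntry:
    name: str              # DNS name of the protected target
    direct_ip: str         # the normal A record
    alt_proxies: list      # proxy servers fronting the alternate gateways


def parse_indirect_entry(line: str) -> IndirectEntry:
    """Parse '(target.targetnet.com, 133.41.96.7, ALT p1 p2 p3)'; this syntax is a
    constructed stand-in for the entry format shown on slide 13."""
    fields = [f.strip() for f in line.strip().strip("()").split(",")]
    if len(fields) != 3 or not fields[2].startswith("ALT "):
        raise ValueError(f"not an indirect entry: {line!r}")
    name, direct_ip, proxies = fields[0], fields[1], fields[2][4:].split()
    for ip in [direct_ip, *proxies]:
        ipaddress.ip_address(ip)            # reject malformed addresses early
    return IndirectEntry(name, direct_ip, proxies)


def assign_proxy(client_ip: str, proxies: list) -> str:
    """Partition clients by /24: every host in a subnet enters through the same
    proxy, so alerts raised at one proxy narrow the attack origin to its subnets."""
    subnet = ipaddress.ip_network(f"{client_ip}/24", strict=False)
    digest = hashlib.sha256(str(subnet).encode()).digest()
    return proxies[int.from_bytes(digest[:4], "big") % len(proxies)]


def suspect_subnets(alerting_proxy: str, client_ips: list, proxies: list) -> list:
    """Subnets whose traffic is routed through the proxy that raised an alert."""
    return sorted({str(ipaddress.ip_network(f"{ip}/24", strict=False))
                   for ip in client_ips if assign_proxy(ip, proxies) == alerting_proxy})


class ClientDNS:
    """Client-side DNS server that can hold SCOLD-style indirect entries."""
    def __init__(self):
        self.entries = {}        # name -> IndirectEntry
        self.attacked = set()    # names currently flagged by the coordinator

    def secure_update(self, entry: IndirectEntry, attacked: bool) -> None:
        # On the slides this arrives through the secure DNS update utility; the
        # update is assumed to have been authenticated before it gets here.
        self.entries[entry.name] = entry
        (self.attacked.add if attacked else self.attacked.discard)(entry.name)

    def resolve(self, name: str, client_ip: str) -> tuple:
        """(next hop, route kind): the direct IP normally, the client's assigned
        proxy while the target is under attack."""
        entry = self.entries[name]
        if name not in self.attacked:
            return entry.direct_ip, "direct"
        return assign_proxy(client_ip, entry.alt_proxies), "indirect"


class RerouteCoordinator:
    """Takes the IDS distress call (phase 1) and sends the reroute command
    (phase 2) to every client DNS server it knows about."""
    def __init__(self, entries: list, client_dns_servers: list):
        self.entries = {e.name: e for e in entries}
        self.client_dns_servers = client_dns_servers

    def distress_call(self, victim_name: str, attacked: bool = True) -> int:
        entry = self.entries[victim_name]
        for dns in self.client_dns_servers:
            dns.secure_update(entry, attacked)
        return len(self.client_dns_servers)   # number of DNS servers notified


if __name__ == "__main__":
    entry = parse_indirect_entry(
        "(target.targetnet.com, 133.41.96.7, ALT 203.55.57.102 203.55.57.103 185.11.16.49)")
    dns = ClientDNS()
    dns.secure_update(entry, attacked=False)
    print("normal:", dns.resolve(entry.name, "10.1.2.3"))
    RerouteCoordinator([entry], [dns]).distress_call(entry.name)
    print("under attack:", dns.resolve(entry.name, "10.1.2.3"))
```

The hash-based partition is deterministic, so the proxy a client is sent to does not change between queries; calling distress_call with attacked=False is the all-clear that puts the direct route back.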

Slide 19: Benefits of Secure Collective Defense
Security:
- When attacked, users switch to different routes dynamically.
- Urgent/critical packets sent over multiple routes simultaneously.
- Encrypted content sent over multiple routes.
- Information on DDoS attacks used to isolate the source of attacks.
Reliability:
- Users can choose the most reliable route dynamically.
- Packet content spread over multiple routes.
- Use redundant transmission or error correction to reduce PLR.
Performance:
- Multiple indirect routes provide additional bandwidth.
- Can be used for dynamic bandwidth provisioning.

Slide 20: Organic Networking
One possible approach:
- Dynamic provisioning of multiple paths (direct and indirect routes).
- Use secure DNS update to inform the clients.
- Use secure indirect routing for establishing alternate routes.
- Coordinate the selection of proxy servers for clients.
- Critical for supporting a wide area IDC system.
[Diagram: consumer, enterprise headquarters and branch connected over VPN and the Internet to IDC1 (inB portal), IDC2 (BtoB/BtoC portal) and IDC3 (data backup); labels for VPN-CUG, operation resource, backup resource and resource sharing]

Slide 21: A2D2: Autonomous Anti-DDoS
Main Idea: Integrate enhanced IDS with adaptive firewall for autonomous intrusion defense.
Goal:
- Automate adaptive intrusion handling triggered by enhanced intrusion detection.
- Investigate the impact of various intrusion types on QoS.
Techniques:
- Enhanced Snort plug-in with subnet spoofing detection.
- Adaptive rate limiting firewall with user defined threshold and intrusion history.

Slide 22: [figure only]

Slide 23: A2D2 Multi-Level Adaptive Rate Limiting for Anti-DDoS Defense
[figure only]
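The two A2D2 techniques named on slides 21 and 23, as an added illustration in Python rather than A2D2's own Snort plug-in or firewall code: a subnet spoofing check (a packet on the outside interface whose source claims an inside address) and a multi-level adaptive rate limiter whose level rises when alerts for a source cross a user-defined threshold and falls back as the intrusion history ages, run over constructed firewall log lines. The log format, the protected subnet, the level table and the timing constants are assumptions of this example; it generalises the slide's escalation idea to any number of levels.

```python
import ipaddress
from collections import deque

# Constructed protected subnet; a deployment would take this from the IDS config.
INSIDE_NETS = [ipaddress.ip_network("192.168.10.0/24")]


def is_subnet_spoofed(src_ip: str, iface: str) -> bool:
    """A packet on the outside interface that claims an inside source is spoofed."""
    addr = ipaddress.ip_address(src_ip)
    return iface == "outside" and any(addr in net for net in INSIDE_NETS)


class AdaptiveRateLimiter:
    """Per-source token bucket whose allowance steps down through `levels`.

    levels:    packets/second allowed at each level (0 = block outright)
    threshold: alerts within `window` seconds that raise a source's level by one
    cooldown:  seconds without a new alert after which the level drops by one
    """
    def __init__(self, levels=(1000, 100, 10, 0), threshold=3, window=10.0, cooldown=30.0):
        self.levels, self.threshold = levels, threshold
        self.window, self.cooldown = window, cooldown
        self.level = {}       # src -> index into levels
        self.history = {}     # src -> recent alert timestamps (the intrusion history)
        self.last_alert = {}  # src -> time of the most recent alert
        self.bucket = {}      # src -> (tokens, time of last refill)

    def record_alert(self, src: str, now: float) -> int:
        """Feed one IDS alert for `src` into its history; returns the resulting level."""
        hist = self.history.setdefault(src, deque())
        hist.append(now)
        while now - hist[0] > self.window:       # forget alerts older than the window
            hist.popleft()
        self.last_alert[src] = now
        if len(hist) >= self.threshold and self.level.get(src, 0) < len(self.levels) - 1:
            self.level[src] = self.level.get(src, 0) + 1
            hist.clear()                          # further alerts count toward the next level
        return self.level.get(src, 0)

    def _decay(self, src: str, now: float) -> int:
        """Lower the level by one for every quiet `cooldown` period since the last alert."""
        lvl = self.level.get(src, 0)
        steps = int((now - self.last_alert[src]) // self.cooldown) if lvl else 0
        if steps:
            lvl = max(0, lvl - steps)
            self.level[src] = lvl
            self.last_alert[src] += steps * self.cooldown
        return lvl

    def allow(self, src: str, now: float) -> bool:
        """Token-bucket decision at the source's current level."""
        rate = self.levels[self._decay(src, now)]
        if rate == 0:
            return False
        tokens, last = self.bucket.get(src, (rate, now))
        tokens = min(rate, tokens + (now - last) * rate)
        if tokens < 1:
            self.bucket[src] = (tokens, now)
            return False
        self.bucket[src] = (tokens - 1, now)
        return True


def process(log_lines, limiter=None):
    """Run constructed firewall log lines ('t=.. iface=.. src=.. dst=.. proto=..')
    through the spoof check and the limiter. Spoofed packets are dropped and
    raise an alert; packets the limiter refuses are dropped and also raise an
    alert, so a persistent flood is pushed to stricter levels."""
    limiter = limiter or AdaptiveRateLimiter()
    stats = {"spoofed": 0, "allowed": 0, "dropped": 0}
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        now, src = float(fields["t"]), fields["src"]
        if is_subnet_spoofed(src, fields["iface"]):
            stats["spoofed"] += 1
            stats["dropped"] += 1
            limiter.record_alert(src, now)
        elif limiter.allow(src, now):
            stats["allowed"] += 1
        else:
            stats["dropped"] += 1
            limiter.record_alert(src, now)
    return stats, limiter


# Constructed sample: three spoofed packets, a 1200-packet burst from one outside
# host within a single second, then one packet from a quiet host.
SAMPLE_LOG = (
    [f"t={i} iface=outside src=192.168.10.7 dst=192.168.10.2 proto=ICMP" for i in range(3)]
    + ["t=5 iface=outside src=10.0.0.5 dst=192.168.10.2 proto=ICMP"] * 1200
    + ["t=6 iface=outside src=10.0.0.9 dst=192.168.10.2 proto=TCP"]
)

if __name__ == "__main__":
    stats, lim = process(SAMPLE_LOG)
    print(stats, {src: lim.levels[i] for src, i in lim.level.items()})
```

On the sample log the burst host gets its first 1000 packets through at level 0, is escalated three times by the drops that follow, and ends at the blocking level; 95 quiet seconds later the decay has walked it back to level 0 and its packets pass again. Keying the limiter on the claimed source means spoofed packets only ever escalate the spoofed address's entry; they are dropped by the spoof check regardless of level.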

Slide 24: A2D2 Results – Non-stop Attack (QoS experienced at A2D2 client)
Packets Received: 8,039; Retransmission Request: 2,592; Retransmission Received: 35; Lost: 2,557; Connection Timed-out.

Slide 25: A2D2 Results – UDP Attack Mitigation: Firewall Policy (QoS experienced at A2D2 client)
Packets Received: 23,407; Retransmission Request: 0; Retransmission Received: 0; Lost: 0.

Slide 26: A2D2 Results – ICMP Attack Mitigation: Firewall Policy (QoS experienced at A2D2 client)
Packets Received: 7,127; Retransmission Request: 2,105; Retransmission Received: 4; Lost: 2,101; Connection Timed-out.

Slide 27: A2D2 Results – ICMP Attack Mitigation: Firewall Policy & CBQ (QoS experienced at A2D2 client)
Packets Received: 23,438; Retransmission Request: 0; Retransmission Received: 0; Lost: 0.

Slide 28: A2D2 Results – TCP Attack Mitigation: Policy+CBQ (QoS experienced at A2D2 client)
Packets Received: 22,179; Retransmission Request: 4,090; Retransmission Received: 2,641; Lost: 1,449; Screen Quality Impact.

Slide 29: A2D2 Results – TCP Attack Mitigation: Policy+CBQ+Rate (QoS experienced at A2D2 client)
Packets Received: 23,444; Retransmission Request: 49 – 1,376; Retransmission Received: 40 – 776; Lost: 9 – 600.

Slide 30: Autonomous Anti-DDoS → Organic Security System?

Slide 31: SGFR: Secure Groupware for First Responders
Main Idea: Design a framework for enhancing the security of groupware packages such as instant messengers and video monitoring/conferencing tools.
Goal:
- Investigate the proper interface between the group rekeying system and the groupware.
- Develop a secure instant messaging system with remote group file download and remote display.
- Experiment with the prototype software on PDAs over a mobile ad hoc network.
- Integrate with stress level and tool usage effectiveness evaluation. This is a joint project with Dr. Chip Benight of the psychology department at UCCS.
Techniques:
- Scalable group key management (Keystone from UT Austin).
- Efficient groupware (Jabber Instant Messaging System).
- Mobile Ad Hoc Network (NIST).

Slide 32: SGFR Features
- Security Enhanced Groupware: Instant messenger (JabberX).
- Group Communication Server: Instant Messaging Server (Jabber).
- Psychology Evaluation: Stress Level Tracking; Effectiveness of Tool Usage (Keyboard/Mouse Event Tracking, History of Commands, Mistakes, Popup Quiz?).
- Group Key Management: Secure Group Rekeying system (Keystone).

Slide 33: SGFR System Architecture
[Diagram: SGFR Client, SGFR Group Key Server and SGFR Instant Messenger Server; client to key server: registration/authentication and group key distribution; client to IM server: sign-in and create/join chat groups; clients encrypt/decrypt messages using the group key]

Slide 34: SGFR System Operation
[figure only]

Slide 35: Associate JabberX Client with Keyserver and Jabber Server
1. Users log in to the Jabber server.
2. If login is successful, the client registers with the Keyserver by presenting a digital certificate.
3. When a user creates/joins a group, the Keyserver issues a group key to the client.
4. When a user leaves the group, the Keyserver generates a new group key for the remaining members of the group.
5. The group key can be refreshed periodically.
6. Group keys are used to encrypt data and authenticate the group.
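The join/leave/refresh sequence above, as an added toy in Python written for this page (it is not Keystone's or SGFR's code): a key server that admits clients by certificate fingerprint, rekeys the group on every join and leave, and hands the current key only to members; messages are sealed with subkeys derived from the group key, so a departed member's stale key opens neither later messages nor a tampered one. The fingerprint allow-list standing in for certificate validation, the HMAC-SHA256 keystream cipher (illustrative only, not a production AEAD) and all user and group names are assumptions of this example.

```python
import hashlib
import hmac
import os


class KeyServer:
    """Registers clients by certificate fingerprint and manages per-group keys."""
    def __init__(self, trusted_fingerprints):
        self.trusted = set(trusted_fingerprints)   # constructed stand-in for CA validation
        self.registered, self.members, self.keys, self.log = set(), {}, {}, []

    def register(self, user, fingerprint):
        if fingerprint not in self.trusted:
            raise PermissionError(f"{user}: certificate not trusted")
        self.registered.add(user)

    def _rekey(self, group, reason):
        version = self.keys.get(group, (0, None))[0] + 1
        self.keys[group] = (version, os.urandom(32))
        self.log.append(f"group {group}: key v{version} assigned ({reason})")  # cf. slide 36

    def join(self, user, group):
        if user not in self.registered:
            raise PermissionError(f"{user}: not registered")
        self.members.setdefault(group, set()).add(user)
        self._rekey(group, f"{user} joined")

    def leave(self, user, group):
        self.members[group].discard(user)
        self._rekey(group, f"{user} left")        # remaining members get a fresh key

    def refresh(self, group):
        self._rekey(group, "periodic refresh")

    def current_key(self, group, user):
        """Key distribution: only current members may fetch the group key."""
        if user not in self.members.get(group, set()):
            raise PermissionError(f"{user}: not a member of {group}")
        return self.keys[group]


def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(version, key, plaintext):
    """Encrypt-then-MAC under subkeys derived from the group key; header carries the key version."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    header = version.to_bytes(4, "big") + os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, header[4:], len(plaintext))))
    return header + ct + hmac.new(mac_key, header + ct, hashlib.sha256).digest()


def opens(version, key, blob):
    """Plaintext, or None when the key version is stale or the tag does not verify."""
    if len(blob) < 52 or int.from_bytes(blob[:4], "big") != version:
        return None
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    if not hmac.compare_digest(blob[-32:], hmac.new(mac_key, blob[:-32], hashlib.sha256).digest()):
        return None
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    ct = blob[20:-32]
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, blob[4:20], len(ct))))


class Member:
    # A JabberX-style client that fetches the current group key before each send/receive.
    def __init__(self, name, server):
        self.name, self.server, self.keys = name, server, {}

    def send(self, group, text):
        self.keys[group] = self.server.current_key(group, self.name)
        return seal(*self.keys[group], text.encode())

    def recv(self, group, blob):
        self.keys[group] = self.server.current_key(group, self.name)  # PermissionError once removed
        return opens(*self.keys[group], blob)


def demo():
    """Walk through slide 35's steps and report what each party can read."""
    ks = KeyServer({"fp-ganesh", "fp-ayen"})                 # constructed fingerprints
    ganesh, ayen = Member("ganesh", ks), Member("ayen", ks)
    ks.register("ganesh", "fp-ganesh"); ks.register("ayen", "fp-ayen")
    ks.join("ganesh", "g1"); ks.join("ayen", "g1")            # key v1, then v2 on the second join
    hello = ganesh.send("g1", "Hello")
    got = ayen.recv("g1", hello)
    stale = ayen.keys["g1"]                                   # the key ayen still holds after leaving
    ks.leave("ayen", "g1")                                    # key v3 for the remaining members
    after = ganesh.send("g1", "after leave")
    tampered = hello[:20] + bytes([hello[20] ^ 1]) + hello[21:]
    try:
        ayen.recv("g1", after)
        denied = False
    except PermissionError:
        denied = True
    return {"hello": got, "version_after_leave": ks.keys["g1"][0],
            "stale_reads_new": opens(*stale, after) is not None,
            "stale_reads_old": opens(*stale, hello) == b"Hello",
            "tampered_accepted": opens(*stale, tampered) is not None,
            "departed_denied": denied, "log": ks.log}
```

Running demo() shows the key version advancing on each join and on the leave (matching the "first/second group key assigned" lines on slide 36), the departed member being refused a key by the server and unable to open the post-leave message with the key it kept, and the tag check rejecting a flipped ciphertext byte, which is the "authenticate the group" half of step 6.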

Slide 36: Output of the Keystone Server
[Screenshot: user ganesh joining group g1; user ayen joining group g1; first group key assigned to the group; second group key assigned to the group when a member joined]

Slide 37: Packet Captured by Ethereal Packet Sniffer
[Screenshot: output of the Jabber server running on a machine; the encrypted "Hello" appears surrounded by a tag]

Slide 38: Testing Results
Table 1: Time taken for client registration, group join and group leave
Run      Client Registration Time (ms)   Group Join Time (ms)   Group Leave Time (ms)
1        279.62                          233.46                 135.54
2        249.28                          652.74                 126.78
3        253.93                          706.04                 769.08
4        259.46                          118.15                 434.12
Avg/Run  260.57                          427.59                 366.38

Table 2: Time taken for file transfer
File size   Time Taken (ms)
8.5K        35302.47
25K         105986.05
60K         305934.53
195K        1007949.38

Setup: IBM ThinkPad Intel Pentium III 800 MHz server; iPAQ PDA StrongARM 200 MHz; Linux 2.4 kernel; 802.11b ad hoc mode with NIST driver.

Slide 39: Conclusion
- A secure group communication software package, SGFR v.0, was developed.
- Uses digital certificates to authenticate client access.
- Group keys are distributed when members join/leave or based on some time period.
- The group key is used to encrypt the messages.
- Enhanced Jabber-based text chat with remote file download and remote display.
- Lesson 1: Fire fighters do not like stylus input, and they carry a heavy load!!
- Lesson 2: Fire fighters don't care about security; police do!!
- Ported SGFR v.0 to run on handheld devices including an iPAQ PDA running Linux and a Sony PalmTop with 802.11b mobile ad hoc network.

Slide 40: Secure Wireless Access Control
Goal:
- Compare the performance of two proposed wireless authentication protocols, PEAP vs. TTLS.
- Develop a PEAP module for the freeRadius server on Linux.
Techniques/Tools used: Xsupplicant, Windows XP; freeRadius, Win 2003 server; OpenSSL.

Slide 41: UCCS Secure Wireless Access Testbed
[Diagram: wireless client, access point and RADIUS server]

Slide 42: Client/Server Machine Configurations
wiper.uccs.edu (1.8 GHz, 1 GB RAM): RADIUS server and DHCP server
  IP address: 128.192.61.132
  OS: RedHat 9.0 running Linux 2.2.20-19.9 kernel
  Software: FreeRadius, modified CVS snapshot radiusd-09.03.03.tar.gz
willow.uccs.edu: Access Point, Cisco Aironet 1200
  IP address: 128.192.61.130
  OS: RedHat 9.0 running Linux 2.2.20-19.9 kernel
  Software: Cisco 1200 series software
Toshiba (366 MHz, 512 MB): wireless client using Cisco Aironet 350 PC Card
  IP address: dynamic, 128.192.61.144 to 128.98.61.152
  OS: RedHat 6.2 running Linux 2.2.20-19.9 kernel
  Software: Open1x Xsupplicant Version 9.0
Hobbit (1 GHz Dell Optiplex, 512 MB): wireless client using Cisco Aironet 350 PCI Card
  IP address: dynamic, 128.192.61.144 to 128.98.61.152
  OS: Windows XP-SP1 and RedHat 9.0 running Linux 2.2.20.9 kernel
  Software: Open1x Xsupplicant for Linux and built-in Service Pack for XP

Slide 43: PEAP vs. TTLS on Toshiba Machine
           PEAP    TTLS
Average    1046    949
Variance   814212060 (the two variance figures ran together in the transcript and cannot be separated)

Slide 44: PEAP vs. TTLS Average Performance
[chart only]

Slide 45: Conclusion
- Developed a RADIUS server on Linux that supports both PEAP and TTLS.
- PEAP is relatively more influenced by the client's processor speed, distance range and the transient nature of the network than TTLS.
- Although the higher performance shown by TTLS over PEAP is negligible, it is worth noting that TTLS outperformed PEAP on average by 10% in all the tests.
- The enhanced RADIUS server can serve both Windows and Linux clients.

Slide 46: First Responder Sensor Network
Goal: How wireless sensor networks can assist first responders.
Status: Created a wireless sensor testbed with Crossbow Professional Mote Kits and Intel Stargate gateway devices.
Current Tasks:
- Investigate how to deploy sensor networks (pre-planned/dynamically deployed).
- Develop algorithms for tracking first responders using wireless sensors.
- Security in SMANET+FRSN.

Slide 47: Scenario 1: Preplanned Wireless Sensors
The building is surveyed and deployed with wireless sensors, and the floor plan info is included in the gateway device. When there is a fire, first responders can tap into the secure wireless sensor network to find the condition of the building, overlaid on the floor plan picture.

Slide 48: Scenario 2: Dynamically Deployed Sensors
The fire fighter drops the wireless sensors along the route in. If the sensors detect a temperature increase or location movement!!, they relay the data through the multi-hop wireless sensor network to both the team inside and the team outside.

Slide 49: Secure Access to Sensor Network
- Terrorists may access the sensors and the information on the gateway.
- Need authentication for secure access.
- Need encryption to avoid sniffing by terrorists.
- Need redundancy for fault tolerance and for verifying the sensor results.

Slide 50: Improving System Performance by QoS Regulations with Adaptive Resource Management under Cyber Threats
Xiaobo Joe Zhou

Slide 51: Information Fusion
Project Goal: Intelligence/information fusion among multiple agencies. Starting with federal/state/city agencies, extend it to include those from Canada, the United States, and Mexico.
- How to exchange, verify and correlate intelligence information for decision support.
- How to allocate resources and coordinate sensors in different agencies for a set of tasks with different priorities.

Slide 52: Related Works
Multilayered video:
- Deliver Multimedia Streams with Flexible QoS via a Multicast DAG, Jiong Yang, UIUC, ICDCS 03
- Source-adaptive multilayered multicast algorithms for real-time video distribution, Brett Vickers, IEEE/ACM Transactions on Networking 2000
- An End-to-End Adaptation Protocol for Layered Video Multicast Using Optimal Rate Allocation, Ya-Qin Zhang, IEEE Transactions on Multimedia 2004
QoS and multipath:
- Admission Control and Dynamic Adaptation for a Proportional-Delay DiffServ-Enabled Web Server, Sam C. M. Lee, John C. S. Lui, David K. Y. Yau, SIGMETRICS 2002
- Parallel Access for Mirror Sites in the Internet, Pablo Rodriguez, et al., Infocom 1999

Slide 53: Research Direction
Data fusion operations:
- Artificial neural network for merging results from multiple classifiers
- Negotiation/coordination protocol [IDIAN, CIDF, IDMEF, IDIP]
- Specific test cases: distributed intrusion detection, compromised node detection, tracking with sensors
Data transmission in data fusion:
- Techniques for guaranteeing quality of service for prioritized sensor information fusion/delivery
- Multilayered video encoding and distribution -> multilayered information data classification and transportation
- Feedback control mechanism
Comments? Other important research topics/directions?
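As an added illustration of the "merging results from multiple classifiers" and "distributed intrusion detection" bullets above (example code written for this transcript, not the UCCS lab's own fusion engine): three constructed sensors from different agencies emit IDMEF-style alerts, and the fusion step groups them by source address and category within a time window, then combines their confidences with per-sensor trust weights. The weights, sensor names, addresses, and timestamps are all assumptions; a trained neural network, as the slide proposes, would replace the fixed weighted sum used here. Two defensive properties are visible in the output: a low-trust sensor reporting alone cannot push a verdict over the threshold, and a sensor that is not registered in the weight table carries no trust at all.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    sensor: str        # which agency's sensor produced the verdict
    ts: float          # seconds since epoch (constructed values)
    src: str           # source address the verdict refers to
    category: str      # e.g. "scan", "dos"
    confidence: float  # sensor's own confidence, in [0, 1]


@dataclass(frozen=True)
class Verdict:
    src: str
    category: str
    start_ts: float
    score: float
    sensors: tuple     # sensors that contributed to this verdict


# Hypothetical per-sensor trust weights (assumption: calibrated offline, sum to 1.0).
# A sensor missing from this table is unregistered and contributes weight 0.
SENSOR_WEIGHTS = {"ids-fed": 0.5, "ids-state": 0.3, "ids-city": 0.2}

# Constructed sample alerts; "ids-rogue" is deliberately not in SENSOR_WEIGHTS.
SAMPLE_ALERTS = [
    Alert("ids-fed", 1000.0, "10.0.0.5", "scan", 0.9),
    Alert("ids-state", 1010.0, "10.0.0.5", "scan", 0.8),
    Alert("ids-city", 1005.0, "10.0.0.7", "dos", 1.0),
    Alert("ids-rogue", 1020.0, "10.0.0.9", "dos", 1.0),
    Alert("ids-fed", 2000.0, "10.0.0.5", "scan", 0.4),   # same key, outside the window
]


def fuse(alerts, weights=SENSOR_WEIGHTS, window=60.0):
    """Correlate alerts by (src, category), cluster them within `window` seconds of
    the cluster's first alert, and score each cluster as sum(weight * confidence)
    over the sensors that reported. A silent sensor contributes 0, so its trust is
    effectively withheld rather than assumed."""
    by_key = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        by_key[(a.src, a.category)].append(a)

    verdicts = []
    for (src, category), group in by_key.items():
        clusters = []
        for a in group:  # group is already time-ordered
            if clusters and a.ts - clusters[-1][0].ts <= window:
                clusters[-1].append(a)
            else:
                clusters.append([a])
        for cluster in clusters:
            best = {}  # keep one confidence per sensor: a chatty sensor gets no extra vote
            for a in cluster:
                best[a.sensor] = max(best.get(a.sensor, 0.0), a.confidence)
            score = sum(weights.get(s, 0.0) * c for s, c in best.items())
            verdicts.append(Verdict(src, category, cluster[0].ts,
                                    round(score, 3), tuple(sorted(best))))
    return verdicts


def flagged(verdicts, threshold=0.5):
    """Verdicts that cross the decision threshold and would be handed to an analyst."""
    return [v for v in verdicts if v.score >= threshold]


if __name__ == "__main__":
    for v in fuse(SAMPLE_ALERTS):
        print(v)
    print("flagged:", [(v.src, v.category) for v in flagged(fuse(SAMPLE_ALERTS))])
```

On the constructed input, only the scan on 10.0.0.5 that two registered sensors reported within the window is flagged; the city sensor's lone DoS verdict, the unregistered sensor's verdict, and the later low-confidence federal alert all stay below threshold.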

Slide 54: Secure Information Sharing
Project goal: secure intelligence/information sharing among multiple agencies/organizations.
- How to exchange and verify information while providing security and non-repudiation
- How to share information between different agencies and protect against misuse of authority during information sharing

Slide 55: Related Works
- NIST standard on Role Based Access Control
- An Internet Attribute Certificate Profile for Authorization, RFC 3281
- IETF Working Group on Public Key Infrastructure (X.509)
- Privilege and Role Management Infrastructure Standards Validation, http://www.permis.org/
- Akenti Distributed Access Control, http://www-itg.lbl.gov/

Slide 56: Research Direction
Data sharing operations:
- Access control mechanism for sharing information: mandatory, discretionary, and role based access control mechanisms
- Specific test cases: file distribution, directory access control, secure instant messaging for group communications
Attribute certificate profile for authorization:
- Provides non-repudiation and role based access control
- Easier to manage than public key certificates, with a shorter life span
- Provides resource access for a short duration: tighter control, misuse avoidance, and increased accountability
Comments? Other important research topics/directions?
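An added example of the attribute-certificate idea on this slide (written for this transcript; it is not the lab's implementation and not an RFC 3281 parser): an issuer binds a short-lived set of roles to a holder, and the relying party checks the binding, the validity window, and an RBAC table before granting an action. The role/permission table, holder names, lifetime and key are constructed assumptions. One deliberate simplification to keep the block dependency-free: the issuer "signature" is an HMAC, which proves the certificate was not altered but, being symmetric, does not give the non-repudiation the slide attributes to real attribute certificates; a production system would use the issuer's X.509 signature and bind the holder to a public-key certificate rather than to a name string.

```python
import hashlib
import hmac
import json

# Hypothetical RBAC policy: role -> set of permitted actions (constructed).
ROLE_PERMS = {
    "analyst": {"report:read"},
    "lead": {"report:read", "report:share"},
}

DEFAULT_LIFETIME = 900  # seconds; short life span is the point of an AC


def _canonical(body):
    """Deterministic encoding so issuer and verifier sign identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_ac(issuer_key, holder, roles, now, lifetime=DEFAULT_LIFETIME):
    """Issue a short-lived attribute certificate binding `roles` to `holder`.
    HMAC stands in for the issuer's digital signature (assumption, see lead-in)."""
    body = {
        "holder": holder,
        "roles": sorted(roles),
        "not_before": now,
        "not_after": now + lifetime,
    }
    sig = hmac.new(issuer_key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_ac(issuer_key, ac, now):
    """Return the certificate body if the signature and validity window check out,
    else None. Both failures are treated identically so a caller cannot tell
    'tampered' from 'expired' by return value alone (log it separately if needed)."""
    expected = hmac.new(issuer_key, _canonical(ac["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ac["sig"]):
        return None  # altered roles, holder or window
    body = ac["body"]
    if not (body["not_before"] <= now <= body["not_after"]):
        return None  # outside the short validity window
    return body


def authorize(issuer_key, ac, holder, action, now, policy=ROLE_PERMS):
    """RBAC decision: the AC must verify, name this holder, and carry a role that
    permits `action`. Unknown roles grant nothing."""
    body = verify_ac(issuer_key, ac, now)
    if body is None or body["holder"] != holder:
        return False
    return any(action in policy.get(role, set()) for role in body["roles"])


if __name__ == "__main__":
    key = b"issuer-secret-constructed"
    ac = issue_ac(key, "alice", ["analyst"], now=1000)
    print(authorize(key, ac, "alice", "report:read", now=1100))    # True
    print(authorize(key, ac, "alice", "report:share", now=1100))   # False: role lacks it
    print(authorize(key, ac, "alice", "report:read", now=2000))    # False: expired
```

Because the certificate expires on its own after `lifetime` seconds, revoking a delegated privilege mostly means not re-issuing it, which is the "tighter control, misuse avoidance" property the slide is after; the cost is that the issuer must stay available to re-issue for long-running work.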

Slide 57: Summary
We have developed innovative ideas on intrusion tolerance.
We have developed expertise in:
- Secure DNS system -> Organic Networking?
- Secure multiple path indirect routing -> Organic Networking?
- Autonomous security system with enhanced IDS + firewall -> Organic Security?
- Secure wireless access and MANET
- Group key management
- Secure groupware
- Wireless sensor network for first responders
- Content switching
- Network restoration
- QoS (proportional differentiated services)
We are developing expertise in information fusion/sharing.
