A Research Project of InterSOC Cooperation b/w Keio and Hitachi
Graduate School of Science and Technology, Keio Univ. / Headquarters of Information Technology Center, Keio Univ.
11/20/2017 @ Mita Campus, Keio Univ.
Takao KONDO (latte@itc.keio.ac.jp)
Security Operation in Keio Univ.
[Figure: KEIO-NET (AS38635) topology with campuses Mita, Hiyoshi, Shiba, Fujisawa, Shinanomachi and Yagami, firewalls and routers at the upstream and campus boundaries, upstream to WIDE-BB (AS2500) and SINET (AS2904); KEIO-NET prefixes: 2001:200:167::/48, 2001:df0:eb::/48, 2001:200:1c0::/48, 133.27.0.0/16, 131.113.0.0/16]
• KEIO-NET has 3 PoPs for upstream networks
  – For WIDE-BB: 1 PoP
  – For SINET: 2 PoPs
• Installed next generation firewalls at upstream network boundary and campus boundary
  – Conducts application protocol analysis
  – Separates security zones by each campus (zero trust approach)
Features of University Networks (due to regard for research and education activities)
• Research and Education (RandE) networks
  – Assigned to each faculty and department
  – Basically, operated by the assigned faculty and department
  – Information Technology Center (ITC) monitors RandE network traffic by FWs
  – Necessary to suppress too much security scan in RandE networks
• Administration (Adst) networks
  – Assigned to administration offices
  – Basically, operated by ITC
  – ITC installed full-stack security software (TLS proxy, Mail security, vulnerability scanner etc.) into the Adst networks
Keio SOC / WIDE SOC
[Figure: WIDE-BB (AS2500) with Darknet and WIDE neighbors; KEIO-NET (AS38635) with campus firewalls and routers feeding a Flow collector and an L7 Analyzer]
• WIDE-BB: nationwide RandE backbone network
  – Operational and experimental network
  – Commodity traffic and Darknet traffic can be captured
• KEIO-NET: Service network in Keio Univ.
  – Flow info (5 tuples) analysis, L7 analysis by FWs
Use-cases of InterSOC Cooperation in Keio Univ.
[Figure: exchange between WIDE-BB and stub networks (Keio): vulnerable hosts list, access pattern, CVSS scoring, vulnerable hosts in the other stubs, darknet analysis results in WIDE-BB]
• Vulnerable hosts list (stub => upstream)
  – E.g., Hosts which have bad CVSS score
• Darknet analysis result (upstream => stub)
  – Early threat warning: e.g., the num of dst port 445 accesses sharply raised about two weeks before the world's first affected report of WannaCry
• Necessary to conduct access control for cooperation
InterSOC Modules Overview
[Figure: query log, FW log, xflow log, Vul. Scan log, DNS and other sources (syslog, sflow, netflow) -> fluentd, logstash etc. -> uniformed format (e.g., JSON) -> RDMS; Inter-SOC Agent exchanges with the Inter-SOC Agent of another AS; AAA (the topic of this talk) and REST API sit between the DB and the User Apps (e.g., Visualization)]
• AAA agent conducts access control of gathered info.
  – In User Apps, InterSOC cooperation
• Uniformed format in DB input/output
  – For flexible changing of gathering info.
  – E.g., Fluentd, logstash etc.
• SOCs are communicated via InterSOC Agents
  – For hiding the actual DB from external entities
• User Apps retrieve gathered info via REST API
Assumed Environment
[Figure: User in Stub-net-1 Domain, Upstream ISP Domain, Owner in Stub-net-2 Domain; each domain has an AAA Server and an Inter-SOC Agent]
• Public Key Infrastructure (PKI) is available
• AAA Server in each domain stores:
  – its domain's public key signed by CA
  – its members' public keys signed by domain AAA server
• Inter-domain routing of AAA signaling
  – Requirements: policies b/w domains, scalability
• Ticket-based Access Control System
  – Access Control List (ACL) is distributed as Ticket to each User
  – Ticket contains: Subject, Action, Resource, Valid time
  – Ticket is signed by Owner and pre-distributed to User
User Authentication Procedures
[Sequence diagram across Stub-net-1 Domain, Upstream ISP Domain and Stub-net-2 Domain, each with an Inter-SOC Agent and an AAA server; the Inter-SOC AAA App drives the exchange]
Authentication phase:
• Info request by User: [info_request]K_priv_user + [ticket]K_priv_owner
• User ID retrieval: user_id_request / user_id_reply
• Challenge/Response AuthN: nonce + user_id is sent to the User; the User answers with {nonce}K_priv_user + user_id
• User's Pubkey retrieval & User's AuthN: user_authn_request / user_authn_reply, carrying [K_pub_user]K_priv_stub-net-1 + [K_pub_stub-net-1]K_priv_CA
User Authorization Procedures
[Sequence diagram across Stub-net-1 Domain, Upstream ISP Domain and Stub-net-2 Domain, continuing the previous figure]
Authorization phase:
• Owner's Pubkey retrieval & User's AuthR: user_authr_request / user_authr_reply, carrying [K_pub_owner]K_priv_stub-net-2 + [K_pub_stub-net-2]K_priv_CA
• Session Key: info_reply + [{Sk_isp-stub-1 + nonce}K_pub_user]K_priv_isp
Related Work
• Access control per content
  – Authenticated / authorized users can (i) know existence of content, (ii) retrieve content
• Access control based on multi-domain routing
  – AAA signaling mechanism on multi-domain overlay
• Scalability
  – The num of content files and domains

                       Kerberos [1]   Shibboleth [2]   RADIUS [3]   Diameter Inter-SOC App
Per-content            yes            yes              yes          yes
Multi-domain routing   yes            yes              no           yes
Scalability            no [4]         no               no           yes

[1] C. Neuman et al., "Kerberos: An Authentication Service for Computer Networks", IEEE Communications Magazine, 1994, pp. 33-38
[2] W. Jie et al., "A Guanxi Shibboleth based Security Infrastructure", In Proc. of IEEE EDOC WKSHPS'08, 2008, pp. 151-158
[3] C. Rigney et al., "Remote Authentication Dial In User Service (RADIUS)", RFC2138, IETF, 2000
[4] S. Sakane et al., "Problem Statement on the Cross-Realm Operation of Kerberos", RFC5868, IETF, 2010
AAA Protocol "Diameter"
[Figure: Diameter Network / Diameter Overlay spanning Domain A, Domain B and Domain C, each with a Diameter Server and a User DB; protocol stack of Diameter Inter-SOC App, Diameter EAP App and Diameter SIP App on top of the Diameter Base Protocol]
• Diameter base protocol
  – Exchange AAA related information safely
  – For signaling in Multi-domain Environment
• Diameter application
  – Extension of Diameter base protocol
  – Defines diameter message format for carrying app. specific data (AuthN and AuthZ for network access)
  – e.g., Diameter EAP App.
Diameter Inter-SOC Application
• Diameter message: Command + AVPs
  – Command code: specifies action when Diameter message is received
  – AVP (Attribute Value Pair): stores data delivered by command
• New command of Diameter InterSOC App.
  – Public key Request/Answer Command for AuthN & AuthZ
• New AVP of Diameter InterSOC App
  – Carry AuthN & AuthZ information
  – Public key Request Command
    • Origin-Host AVP, Origin-Realm AVP, Destination-Realm AVP, User-name AVP, Session ID AVP
  – Public key Answer Command
    • Origin-Host AVP, Origin-Realm AVP, Session ID AVP, Public-key AVP
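An added example (not the project's implementation) that encodes the Public-key Request and Answer commands with the AVPs listed above in the RFC 6733 wire format and decodes them back on the receiving side; the base-protocol AVP codes are the standard ones, whereas the command code, application id, Public-key AVP code and host names are labelled placeholders because the slides do not give them.

```javascript
// Diameter AVP codes from the base protocol (RFC 6733) for the AVPs the slide lists
const AVP_CODE = { 'User-Name': 1, 'Session-Id': 263, 'Origin-Host': 264, 'Destination-Realm': 283,
  'Origin-Realm': 296, 'Public-key': 9999001 };  // Public-key code is a PLACEHOLDER, not given on the slides
const CMD_PUBLIC_KEY = 0xfffffe;   // PLACEHOLDER: RFC 6733 experimental command code, not the app's real one
const APP_ID_INTERSOC = 0xfffffe;  // PLACEHOLDER: application id of the Inter-SOC App (not on the slides)

// AVP = code (32) | flags (8) + length (24) | data padded to 32 bits; M flag = 0x40
function encodeAvp(name, value, mandatory = true) {
  const data = Buffer.from(value, 'utf8');
  const len = 8 + data.length, pad = (4 - (len % 4)) % 4;
  const buf = Buffer.alloc(len + pad);
  buf.writeUInt32BE(AVP_CODE[name], 0);
  buf.writeUInt32BE((((mandatory ? 0x40 : 0) << 24) | len) >>> 0, 4);
  data.copy(buf, 8);
  return buf;
}

// Message = version (8) + length (24) | flags (8) + command code (24) | app id | hop-by-hop | end-to-end | AVPs
function encodeMessage(cmdCode, isRequest, appId, hopByHop, endToEnd, avps) {
  const body = Buffer.concat(avps.map(([name, value]) => encodeAvp(name, value)));
  const hdr = Buffer.alloc(20);
  hdr.writeUInt32BE(((1 << 24) | (20 + body.length)) >>> 0, 0);
  hdr.writeUInt32BE((((isRequest ? 0x80 : 0) << 24) | cmdCode) >>> 0, 4);  // R flag marks a Request
  hdr.writeUInt32BE(appId, 8); hdr.writeUInt32BE(hopByHop, 12); hdr.writeUInt32BE(endToEnd, 16);
  return Buffer.concat([hdr, body]);
}

// Public-key Request: Origin-Host, Origin-Realm, Destination-Realm, User-name, Session ID (as on the slide)
function publicKeyRequest(sessionId, userName, dstRealm, hbh = 1, e2e = 1) {
  return encodeMessage(CMD_PUBLIC_KEY, true, APP_ID_INTERSOC, hbh, e2e, [
    ['Session-Id', sessionId], ['Origin-Host', 'intersoc.isp.example'], ['Origin-Realm', 'isp.example'],
    ['Destination-Realm', dstRealm], ['User-Name', userName]]);
}
// Public-key Answer: Origin-Host, Origin-Realm, Session ID, Public-key (as on the slide)
function publicKeyAnswer(sessionId, publicKeyPem, hbh = 1, e2e = 1) {
  return encodeMessage(CMD_PUBLIC_KEY, false, APP_ID_INTERSOC, hbh, e2e, [
    ['Session-Id', sessionId], ['Origin-Host', 'aaa.stub-net-1.example'], ['Origin-Realm', 'stub-net-1.example'],
    ['Public-key', publicKeyPem]]);
}

// Receiver side: check the header length, then walk the AVPs (V flag / Vendor-Id not handled here)
function decodeAvps(msg) {
  if (msg.length < 20 || msg.readUInt32BE(0) !== ((1 << 24) | msg.length)) throw new Error('bad length');
  const out = [];
  for (let off = 20; off < msg.length; ) {
    const code = msg.readUInt32BE(off), len = msg.readUInt32BE(off + 4) & 0xffffff;
    if (len < 8 || off + len > msg.length) throw new Error('bad AVP length');
    out.push({ code, value: msg.subarray(off + 8, off + len).toString('utf8') });
    off += len + ((4 - (len % 4)) % 4);
  }
  return out;
}
```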
Conclusion
• Security operation in Keio Univ.
  – Installed next generation firewalls at upstream network boundary and campus boundary
  – Necessary to suppress too much payload scan in RandE networks
• InterSOC cooperation system
  – AAA agent conducts access control of gathered info.
  – Uniformed format in DB input/output
  – SOCs are communicated via InterSOC Agents
  – User Apps retrieve gathered info via REST API