A robust SNMP based Infrastructure for Intrusion Detection and Response in tactical MANETs
Sascha Lettgen, University of Bonn, Germany, Inst. of Computer Science IV
Marko Jahnke, Jens Tölle, Uwe Weddige, Michael Bussmann, FGAN/FKIE, Wachtberg, Germany, Computer Networks Dept.
July 2006
RESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS, Computer Networks, KIE, July 2006
Outline
• Introduction
• Deployment Scenario: Tactical MANETs
• Network Management Domain: SNMP
• Modelling IDS Infrastructures w/ SNMP
• Performance Simulation
• Implementation Status
• Conclusions & Further Work
Terminology: Distributed IDS Components
• Agent
  – Sensors
  – Detectors
  – Responders
  – Message processing modules
• Console
  – Message consolidation
  – Databases
  – Correlation engines
  – Other analysis modules
Types of IDS Infrastructures
• Event Message IS
• Sensor Data IS
• Response Trigger IS
• Configuration IS
[Figure: IDS Agents on observed nodes connected to an IDS Console on the console node(s), with an uplink to a Meta IDS.]
Existing Data Models & Communication Protocols
• IETF IDWG Recommendations
  – IDMEF (data model)
  – IDXP over BEEP / TLS / TCP / IP (transport stack)
• Drawbacks: Overhead
  – TCP/SSL/BEEP Handshakes
  – Channel Management
  – XML Encoding

Example IDMEF message (the comments mark the slide's annotations):

    <IDMEF-Message version="1.0">
      <Alert ident="abc123456789">
        <Analyzer analyzerid="hq-dmz-analyzer01">          <!-- who reports -->
          <Node category="dns">
            <location>Headquarters DMZ Network</location>
            <name>analyzer01.example.com</name>
          </Node>
        </Analyzer>
        <CreateTime ntpstamp="0xbc723b45.0xef449129">      <!-- when -->
          2000-03-09T10:01:25.93464-05:00
        </CreateTime>
        <Source ident="a1b2c3d4">                          <!-- who -->
          <Node ident="a1b2c3d4-001" category="dns">
            <name>badguy.example.net</name>
            <Address ident="a1b2c3d4-002" category="ipv4-net-mask">
              <address>192.0.2.50</address>
              <netmask>255.255.255.255</netmask>
            </Address>
          </Node>
        </Source>
        <Target ident="d1c2b3a4">                          <!-- where -->
          <Node ident="d1c2b3a4-001" category="dns">
            <Address category="ipv4-addr-hex">
              <address>0xde796f70</address>
            </Address>
          </Node>
        </Target>
        <Classification origin="bugtraqid">                <!-- what happened -->
          <name>124</name>
          <url>http://www.securityfocus.com</url>
        </Classification>
      </Alert>
    </IDMEF-Message>
Deployment Scenario: Tactical MANETs
Environment:
  – Infantry Mission
  – 5-15 high performance PDAs
  – Network characteristics similar to IEEE 802.11
  – IPsec and application encryption
  – Fully equipped node w/ HQ Backlink
Differences to civilian scenarios:
  – Precisely defined, homogeneous environment
  – Significant resources for security measures
Challenges:
  – Limited Resources
  – Attacks e.g. against MANET routing
  – Insider attacks
Management Domain: SNMPv3
• Monitoring & Configuration
• Agent/Manager based concept
• UDP based
• Security in SNMPv3
• Management Information Base (MIB)
• Object and Instance Identifier (OID/IID)
• get/setValue Requests (single value, list or bulk)
• Traps and Notifications
Modeling IDS Infrastructure w/ SNMP
• Sensor IS
  – getValue
  – getNext / Bulk
• Response Trigger IS
  – setValue
• Configuration IS
  – get/setValue
• Message IS (aligned to IDMEF structure)
  – Insert new alerts into MIB as single subtree structure
  – Send an acknowledged notification to console, containing most important fields
  – Console may request additional message fields
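The Message IS above, as an added example (not code from the paper or its prototype): an agent stores each alert as its own MIB subtree `<base>.<alertId>.<column>`, builds the acknowledged notification with only the most important fields, and the console fetches the remaining fields with a getNext walk. The enterprise OID prefix, the column numbering and the choice of "important" fields are assumptions.

```python
# Added example, not the paper's code: an in-memory model of the slides'
# "Message IS". Alert fields live in a subtree <base>.<alertId>.<column>,
# the Inform carries only key fields, the console getNext-walks the rest.
from bisect import bisect_right

ALERT_BASE = (1, 3, 6, 1, 4, 1, 99999, 1)   # placeholder enterprise OID
COLUMNS = {"analyzerId": 1, "createTime": 2, "sourceAddr": 3,
           "targetAddr": 4, "classification": 5, "refUrl": 6}
NOTIFY_FIELDS = ("analyzerId", "createTime", "classification")  # sent in Inform


class AgentMib:
    """Lexicographically ordered OID -> value store, like an SNMP agent's MIB."""
    def __init__(self):
        self.oids, self.values, self.next_id = [], {}, 1

    def set_value(self, oid, value):           # setValue on one instance
        if oid not in self.values:
            self.oids.insert(bisect_right(self.oids, oid), oid)
        self.values[oid] = value

    def get_next(self, oid):                   # getNext: first OID after oid
        i = bisect_right(self.oids, oid)
        return None if i == len(self.oids) else (self.oids[i], self.values[self.oids[i]])

    def insert_alert(self, fields):
        """Store one alert as its own subtree; return (id, Inform varbinds)."""
        alert_id, self.next_id = self.next_id, self.next_id + 1
        for name, col in COLUMNS.items():
            if name in fields:
                self.set_value(ALERT_BASE + (alert_id, col), fields[name])
        varbinds = [(ALERT_BASE + (alert_id,), alert_id)]   # index of the new alert
        varbinds += [(ALERT_BASE + (alert_id, COLUMNS[n]), fields[n])
                     for n in NOTIFY_FIELDS if n in fields]
        return alert_id, varbinds


def console_walk(mib, alert_id):
    """Console side: fetch every field of one alert via a getNext walk."""
    prefix = ALERT_BASE + (alert_id,)
    by_col = {c: n for n, c in COLUMNS.items()}
    out, cur = {}, prefix
    while (nxt := mib.get_next(cur)) and nxt[0][:len(prefix)] == prefix:
        cur = nxt[0]
        out[by_col[cur[-1]]] = nxt[1]
    return out
```

`insert_alert` returns the varbinds an SNMPv3 Inform would carry; `console_walk` stops as soon as getNext leaves the alert's subtree, so one walk never reads a neighbouring alert.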
Performance Simulations (1): Overall Traffic
• Network
  – IEEE 802.11b
• Applications
  – VoIP (2.4 kbit/s)
  – C2IS (JMS)
  – UChat
  – SMTP/HTTP
• IDS Messages
  – Events/Heartbeats (E/H): n → 1
  – Neighborhood Watching (NW): n → m
  – Traffic Statistics (TS): n → 1
Performance Simulations (2): Packet Delivery
• PDF decreases due to significant amount of IDS traffic
• Maximum rates for IDS Messages for PDF > 99%
  – E/H: 2 Hz
  – NW: 0.1 Hz
  – TS: 0.1 Hz
• Higher packet loss can be expected in reality:
  – Buffer overflows
  – Radio interference
Advantages of SNMP approach
• Characteristics of MANETs are considered
  – Dynamic behaviour and short link lifetimes → Connectionless and robust communication
  – Low CPU performance and limited battery capacity → Lightweight protocol and architecture
• Compatibility w/ existing protocols & data models
  → (Meta-)IDS-interconnection
  → Integration into SNMP Management Frameworks
• Free configurability for different IDS setups due to different deployment scenarios and network sizes
• Usage of existing products for message transport and security
External Implementation: IDS Agents
[Architecture figure. IMF = InterMediate Format. Components shown: Message Engine (IDMEF/SNMP Notification Generator, Local Response Selector, IMF Server); Trust Management (Trust Assessment, Neighbourhood Watcher); MIB Manager with Wrappers and IMF Request Handler on the SNMP API; external Detectors (Logfile, NIDS) and internal Detectors (CPU Checker, Routing Checker, Signal Checker, GPS, Integrity Checksums, System Profiler); Sensors (CPU, Procs., Routing, GPS); Responders (Kill Procs., Reconf. Routing, Shutdown); Sensor Data Request/Response Infrastructure (SNMPd) with SNMPv3 Traps/Notifications, Encryption, Integrity and Authentication over the MANET.]
Conclusions & Further Work
• Current IDS infrastructure protocols do not meet the requirements of tactical MANETs.
• SNMPv3 provides mechanisms for implementing all necessary types of IDS infrastructures.
• Development of architecture components
• Prototypical implementation
  – Sensor / detector / responder infrastructure
  – Dynamic storage of IDS event messages in the Management Information Base (MIB)
• Further Work:
  – Integration of more sensors / detectors / responders
  – Anomaly detection approach for traffic statistics
Implementation (2): Event Message Handling
[Architecture figure. IMF = InterMediate Format, NG = Notification Generator, ACM = Agent Connection Manager. Lightweight Node: Detector, Detector Connector, Message Engine with IMF Buffer and NG, MIB Manager, IMF Request Handler, Notification Engine, SNMPd. Fully Equipped Node: SNMPTrapd with Trap Receiver, IMF Server, ACM, XML Adapter/Pipe, IDMEF GUI, SNMPd, and sockets to an IDMEF based wired IDS. Both nodes communicate via SNMPv3 with Encryption, Integrity and Authentication over the MANET.]