
Secure Network Access System (SNAS) Indigenous Next Generation - PowerPoint PPT Presentation



  1. Secure Network Access System (SNAS): Indigenous Next Generation Network Security Solutions. Gigi Joseph, Computer Division, BARC. Gigi@barc.gov.in

  2-5. Intranet Security Components (one diagram, built up over four slides):
    1a. Network Authentication / Network Admission Control (NAC)
    1b. End Point Compliance Check
    2. Access Control (Firewall)
    3. Network Behavioral Anomaly Detection (IDS)
    4. NMS
  Diagram elements: NAC server, Ethernet switch, router, firewall, Intranet DMZ (servers).

  6. Typical Network Setup (diagram): the organization's Intranet and its Intranet DMZ (servers) sit behind a firewall + IDS and a switch; a router leads to the perimeter security systems, an application level firewall + IDS/IPS and an Internet DMZ (Internet servers), and from there to the Internet.

  7. Network Backdoor Entry (diagram): the setup of slide 6 with an application level firewall (UTM) at the perimeter; a laptop with WiFi access (ad hoc mode) reaches a wireless access point and a user connected to a public wireless network, creating a backdoor entry into the Intranet that bypasses the perimeter security systems.

  8. Physically Separated Network for Intranet and Internet (diagram): Internet user segment, Intranet user segment, Intranet servers.

  9-10. Intranet and Internet Network Bridging (diagram, two slides): Internet user segment, Intranet user segment, Intranet servers; network bridging between the Internet user segment and the Intranet user segment.

  11. SNAS: End System Identification. Diagram: the end system is identified on the network by its IP address and its MAC address.
  Identification parameters:
    1. End system's network levels: MAC address, IP address, NIC make & model, network applications running on the end system.
    2. End system's OS: OS version & patch update.
    3. Software present in the end system: product/application name, manufacturer, date of installation.
    4. End system hardware: storage (HDD / other media size), memory details, etc.
  A unique profile based on the above parameters identifies an end system on the network. Parameter selection and the threshold level of matching depend on the security policy.
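As an added example (not code from the presentation or from SNAS), an end-system profile built from the four parameter groups above and matched against a registry with policy-chosen weights and a threshold. The weights, the 0.8 threshold, the hostname and all observed values are constructed; the second observation shows why the full profile matters, since a host that clones only a registered system's MAC and IP address scores far below the threshold.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Profile:  # one field per identification parameter listed on the slide
    mac: str; ip: str; nic: str; net_apps: frozenset  # 1. network level
    os_version: str; patch: str                       # 2. OS version & patch
    software: frozenset   # 3. (product, manufacturer, install date) tuples
    disk_gb: int; memory_gb: int                      # 4. hardware

# Parameter selection, weights and the match threshold come from the security
# policy (slide 11); these values are an assumed example policy, not SNAS's.
POLICY_WEIGHTS = {"mac": 1.0, "ip": 0.5, "nic": 1.0, "net_apps": 1.0,
                  "os": 1.0, "patch": 0.5, "software": 1.5, "hardware": 1.5}
POLICY_THRESHOLD = 0.8

def overlap(a, b):  # Jaccard similarity; two empty sets count as a full match
    return len(a & b) / len(a | b) if a | b else 1.0

def match_score(known, seen):
    """Weighted fraction of parameters on which the observed host matches."""
    parts = {"mac": known.mac == seen.mac, "ip": known.ip == seen.ip,
             "nic": known.nic == seen.nic,
             "net_apps": overlap(known.net_apps, seen.net_apps),
             "os": known.os_version == seen.os_version,
             "patch": known.patch == seen.patch,
             "software": overlap(known.software, seen.software),
             "hardware": (known.disk_gb, known.memory_gb)
                         == (seen.disk_gb, seen.memory_gb)}
    total = sum(POLICY_WEIGHTS.values())
    return sum(POLICY_WEIGHTS[k] * float(v) for k, v in parts.items()) / total

def identify(registry, seen, threshold=POLICY_THRESHOLD):
    """Best registered match as (hostname, score); hostname is None below threshold."""
    host = max(registry, key=lambda h: match_score(registry[h], seen))
    score = match_score(registry[host], seen)
    return (host if score >= threshold else None), score

# Constructed registry entry and two observations (not real hosts)
REGISTRY = {"ws-01": Profile("00:a0:b0:c0:d0:01", "10.0.0.1", "Intel I219-V",
                             frozenset({"ssh", "smb"}), "Linux 5.4", "2020-05",
                             frozenset({("Editor", "Vendor A", "2020-01-10")}),
                             512, 16)}
# Same workstation after a patch update: only the patch field changed.
SEEN_PATCHED = replace(REGISTRY["ws-01"], patch="2020-06")
# Unknown laptop that cloned only ws-01's MAC and IP address.
SEEN_CLONE = Profile("00:a0:b0:c0:d0:01", "10.0.0.1", "Realtek 8168",
                     frozenset({"http"}), "Windows 10", "2021-01",
                     frozenset({("Game", "Vendor B", "2021-02-01")}), 256, 8)
```

`identify(REGISTRY, SEEN_PATCHED)` still resolves to ws-01 (score 0.9375), while `identify(REGISTRY, SEEN_CLONE)` returns no host (score 0.1875).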

  12-13. Enterprise DDOS Handling (diagram, two slides): the organization's Intranet DMZ (servers) and Internet servers sit behind a firewall, router and switch that form the perimeter security systems; a DDoS attack arrives from the Internet against them.

  14. DOS Attacks: ICMP Flooding (e.g. Smurf attack). Diagram: organization 1 has hosts 100.0.0.1/A, 100.0.0.2/A and 100.0.0.10/A behind its router, with network broadcast address 100.255.255.255; the attacker sends PING to destination IP 100.255.255.255 with the source IP spoofed as www.nkn.in (164.100.56.206), so every host on the broadcast network answers to the spoofed address.

  15. DOS Attacks: ARP Flooding. Ethernet frame: source MAC (00:a0:b0:c0:d0:01), packet type (0x0806), data part (ARP request), checksum (CRC). ARP request (broadcast): op code (ARP request), is gratuitous?, sender MAC (A: 00:a0:b0:c0:d0:01), sender IP (10.0.0.1), target MAC (00:00:00:00:00:00), target IP (10.0.0.2). Hosts on the Ethernet switch: IP 10.0.0.1 with MAC-1 00:a0:b0:c0:d0:01 and IP 10.0.0.2 with MAC-2 00:a0:b0:c0:d0:02.
  Actions and effects:
    1. Large number of ARP requests per second: switch performance degrades.
    2. Every ARP request carries a different source MAC address: identification becomes difficult and the Ethernet switch table overflows.

  16. Denial of Service attack (TCP SYN Flooding): three-way handshake between the client (100.100.100.100:2000) and the server www.nkn.in (164.100.56.206:80).
    Server: LISTEN.
    Client -> Server: SYN, SEQ=100. Client state: SYN-SENT.
    Server -> Client: SYN, ACK, SEQ=200, ACK=101. Server state: SYN-RCVD (half open).
    Client -> Server: ACK, DATA, SEQ=101, ACK=201. Both: ESTABLISHED.
  Header fields shown: source IP (100.100.100.100), destination IP (164.100.56.206), source port (2000), destination port (80), sequence number (101), ACK number (201), HL (4), reserved (6), flags URG ACK PSH RST SYN FIN, window (16), checksum (16), urgent pointer (16).

  17. Denial of Service attack (TCP SYN Flooding): sources 100.100.100.100 and 200.200.200.200 reach www.nkn.in (164.100.56.206) through routers. Connection requests seen at the server (source IP, source port, destination IP, destination port):
    200.200.200.200, 2000, 164.100.56.206, 80 (web)
    200.200.200.200, 2002, 164.100.56.206, 80 (web)
    ...
    A.B.C.D, 2001, 164.100.56.206, 80 (web)
    Random IPs, 2002, 164.100.56.206, 80 (web)

  18. SNAS: DOS attack handling: block at network entry. Diagram: the NAC server instructs the network device (Ethernet switch) to block the source at the network entry; WAN router, Intranet DMZ0, 1, 2 services zones. Example thresholds: number of TCP-SYN packets > 200; non-unicast packets per second > 50.
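As an added example (not code from the presentation or from SNAS), the two entry-point thresholds from this slide and the changing-source-MAC effect of the ARP flooding table on slide 15, implemented as per-port, per-second counters over constructed frames. Assumptions: the 200 SYN limit is read per second like the non-unicast limit, the distinct-MAC limit of 20 and the port labels are invented, and the result is the set of (port, rule) pairs the NAC server would hand to the switch.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Limits quoted on the slide as examples; counting them per second is assumed.
SYN_PER_SEC_LIMIT = 200
NON_UNICAST_PER_SEC_LIMIT = 50
# Assumed, not on the slide: distinct ARP source MACs on one port in one second.
ARP_DISTINCT_MAC_LIMIT = 20
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806

@dataclass(frozen=True)
class Frame:
    ts: int                # arrival time in whole seconds
    port: str              # ingress switch port (constructed label)
    src_mac: str
    dst_mac: str
    ethertype: int
    tcp_syn: bool = False  # TCP segment with SYN set and ACK clear

def is_non_unicast(mac):
    return int(mac.split(":")[0], 16) & 1 == 1  # I/G bit set: broadcast/multicast

def evaluate(frames):
    """Return {(port, rule)} for every port whose traffic crossed a limit."""
    syn, non_uni, arp_macs = Counter(), Counter(), defaultdict(set)
    for f in frames:
        key = (f.port, f.ts)
        syn[key] += f.tcp_syn
        non_uni[key] += is_non_unicast(f.dst_mac)
        if f.ethertype == ETHERTYPE_ARP:
            arp_macs[key].add(f.src_mac)
    blocks = set()  # what the NAC server would tell the switch to block
    blocks |= {(p, "tcp-syn-flood") for (p, _), n in syn.items()
               if n > SYN_PER_SEC_LIMIT}
    blocks |= {(p, "non-unicast-flood") for (p, _), n in non_uni.items()
               if n > NON_UNICAST_PER_SEC_LIMIT}
    blocks |= {(p, "arp-flood") for (p, _), macs in arp_macs.items()
               if len(macs) > ARP_DISTINCT_MAC_LIMIT}
    return blocks

def sample_frames():
    """Constructed traffic: a SYN flooder, an ARP flooder and a quiet host."""
    bcast = "ff:ff:ff:ff:ff:ff"
    frames = [Frame(0, "port-5", "00:a0:b0:c0:d0:05", "00:a0:b0:c0:d0:ff",
                    ETHERTYPE_IPV4, tcp_syn=True) for _ in range(250)]
    # 30 broadcast ARP requests from 30 source MACs: under the non-unicast limit
    frames += [Frame(0, "port-7", "00:a0:b0:c0:d0:%02x" % i, bcast, ETHERTYPE_ARP)
               for i in range(30)]
    frames += [Frame(0, "port-9", "00:a0:b0:c0:d0:09", bcast, ETHERTYPE_ARP)] * 3
    return frames
```

The ARP flooder on port-7 stays below the non-unicast rate but is caught by the distinct-MAC rule, which is the switch-table overflow effect slide 15 describes.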

  19. HTTP Client-Side Exploitation. Diagram: the local network sits behind a UTM (firewall, IPS/IDS); on the Internet are a trusted server (NKN) and www.gigi.com (command control server), reached over HTTPS. Step 3: establish a reverse shell back door using HTTPS.
    • Any data on the user will go out.
    • It can monitor traffic or collect adjacent PCs' data, etc.
    • The end system is ready to take part in a DDoS attack.

  20. SNAS: Trust Model
    • SNAS identifies the trust level of hosts, IPs, ports, services, applications and software products as TRUSTED, UNTRUSTED or UNKNOWN_TRUST.
    • Only TRUSTED entities are allowed to exist in the network; all others are detected and can be isolated.
    • Any running application or installed product that causes abnormal behaviour should be detected, especially after an update.
    • SNAS can detect any new application, process, port or remote IP access in the network.
  Diagram: SNAS appliance between LAN and WAN; a DDoS client on the LAN and the controlling hacker server on the WAN.

  21. SNAS: Network Behavior Monitoring (graph): number of open ports and network traffic generated, plotted against time, with marked events: new service started, new software installed, targeted application starts running.

  22. SNAS: End System Detection (diagram): the NAC server detects end systems by scanning through the router and by traps sent from the Ethernet switch.

  23. SNAS: Network Authentication/Admission Control. NAC (Network Access Control) using SNAS:
    Access management:
      Identification: unique end system profile (SNAS).
      Authentication: based on the unique end system profile (SNAS).
      Access right management: a) network device levels; b) ACL / firewall.
    Threat detection: MAC notification (trap) and periodic network scanning.

  24. SNAS: End System Admission Control Parameters, by layer:
    Application: installed products, running applications, antivirus, running services.
    Transport: port status.
    Network: IP address, unicast traffic, broadcast traffic.
    Data-link: MAC address.
    Physical: system location, NIC parameters.

  25. SNAS: End System Admission Control Parameters. The NAC server gets data from the network devices and from the end systems, and performs end system authentication.
  Authentication parameters:
    1. Network levels (L1, L2, L3): back door entry (network interface added or not); network parameter change (MAC address, IP address, gateway); network broadcast storm.
    2. Network transport level (L4): number of TCP connection requests; number of TCP connection requests to un-trusted IPs; number of TCP connections established to un-trusted IPs; number of un-trusted network applications listening (services).
    3. End system's OS: trust level of OS version & patch.
    4. Software present in the end system: trust level of product/application name and manufacturer.
    5. Processes in the end system: trust level of each process, its arguments & process path.
  Success actions: access to zones as per the security policy.
  Failure actions: network entry level block; DMZ access block; alarms (Info, Critical, Emergency).

  26. SNAS Access Right Management (authentication success): the NAC server instructs the host-aware SNAS firewall to pass the system through to the WAN router and the Intranet DMZ0, 1, 2 services zones.

  27. SNAS Access Right Management (authentication fail): the NAC server instructs the host-aware SNAS firewall to block System A from the WAN router and the Intranet DMZ0, 1, 2 services zones.

  28. SNAS Access Right Management (authentication fail): the NAC server instructs the Ethernet switch to block System A, ahead of the host-aware firewall, WAN router and Intranet DMZ0, 1, 2 services zones.

  29. SNAS: Host Aware Firewall. Ports: WAN port (Internet zone); LAN port (organizational LAN, end-points); DMZ0 port to DMZ N port (Intranet services zone 0 to zone N); management port. Firewall rules are dynamic and based on the security state of the end systems.

  30. Blended Threats (when applications exploit each other): different software packages on a single machine.
    • IE 7 loads "schannel.dll" and "sqmapi.dll" from various locations, including the user's desktop.
    • When the Apple Safari browser encounters an unknown content type, it downloads the file into its default location (i.e. the Desktop).
    • A hacker creates content of an unknown type for the Safari browser with the names "schannel.dll" and "sqmapi.dll".
