Presentation is loading. Please wait.

Presentation is loading. Please wait.

Unifying the Conceptual levels of Network Security through use of Patterns. PhD Proposal Ajoy Kumar Secure Systems Research Group – Florida Atlantic University.

Similar presentations


Presentation on theme: "Unifying the Conceptual levels of Network Security through use of Patterns. PhD Proposal Ajoy Kumar Secure Systems Research Group – Florida Atlantic University."— Presentation transcript:

1 Unifying the Conceptual levels of Network Security through use of Patterns. PhD Proposal Ajoy Kumar Secure Systems Research Group – Florida Atlantic University

2 Overview Firewall IDSVPN Application TLS IPSec Secure Systems Research Group – Florida Atlantic University

3 Problem Statement In each of the layers such as the application layer, transport layer, and the IP layer, security is of utmost concern. At each of these layers we discuss the different security components such as Firewall, IDS and VPNs and analyze security criteria and identify the non existing patterns and develop them. Secure Systems Research Group – Florida Atlantic University

4 Network Architecture FireWallIDSVPNProtocol ApplicationXML FWXML IDSXML VPNSAML TCPProxy FWTCP IDSTLS/SSL VPN TLS IPPacket FWPacket IDSIPSec VPNIPSec AUTHENTICATIONAUTHENTICATION SECRECYSECRECY AUTHORIZATIONAUTHORIZATION IDENTIFICATIONIDENTIFICATION Security Mechanisms Secure Systems Research Group – Florida Atlantic University

5 VPN XML VPN TLS VPN IP VPN SAML TLS IPSec Supports Secure Systems Research Group – Florida Atlantic University

6 Pattern Diagram for VPN VPN TLS VPNIP VPNXML VPN Authentication Secure Channel TLSIPSec SAML Realize Secure Systems Research Group – Florida Atlantic University

7 We can create similar diagrams for Firewalls and IDS. Previous Work - Survey Secure Systems Research Group – Florida Atlantic University

8 Class Diagram for a Packet FW[Fe06] Secure Systems Research Group – Florida Atlantic University

9 Class Diagram for Proxy FireWall[Fe03] Secure Systems Research Group – Florida Atlantic University

10 Work Already Completed IDS Pattern(Signature Based) VPN Pattern (Abstract) Secure Systems Research Group – Florida Atlantic University

11 Class Diagram for Signature basedIDS.[Fer05] Viking PLOP Secure Systems Research Group – Florida Atlantic University

12 Network End Point VPN Authenticator Secure Channel Identity Base Identity * * * 1 1 1 Class Diagram For VPN * Secure Systems Research Group – Florida Atlantic University

13 Proposed Work Missing Patterns for the Functions and Protocols Study of Combinations –IDS + Firewalls –Firewalls + VPN Secure Systems Research Group – Florida Atlantic University

14 Expected Contributions Unification of Security Functions in the Network Layer. Consider a Case study like a SCADA system and see how these patterns apply to a SCADA system. Development of Specific Patterns Secure Systems Research Group – Florida Atlantic University

15 Case Study SCADA Architecture SCADA can be used as an example of a distributed system where we apply these patterns. Secure Systems Research Group – Florida Atlantic University

16 SCADA Supervisory Control and Data Acquisition (SCADA) systems consists of geographically scattered units (field devices) controlled using centralized data acquisition and control (control center) [Sto06]. They are usually highly distributed systems. Field devices could be controlling local operations such as valve operations, collecting sensor data, and monitoring for disaster conditions. The next figure shows the general architecture of a SCADA system. Examples for SCADA systems are electric power systems, oil and gas pipelines, water utilities, and any system that requires remote monitoring and control. Secure Systems Research Group – Florida Atlantic University

17 General SCADA architecture (from [Sto06]). Secure Systems Research Group – Florida Atlantic University

18 The common attacks threatening a SCADA system are physical attacks to the field (remote) units and network attacks to the communication networks usually through the internet. The primary security concerns are availability and integrity. Confidentiality and non-repudiation are secondary concerns. Secure Systems Research Group – Florida Atlantic University

19 Example –An important example of SCADA application is electric power generation. Context –A SCADA system such as electric power generation system with a Distributed Architecture and connected to the Internet. Secure Systems Research Group – Florida Atlantic University

20 Forces Only Authorized personnel should be able to access the system at the Remote units and the Main control unit.. Messages sent from the supervisory control unit to the Remote field units and back should be confidential and data integrity should be preserved. Messages should be sent only by authorized personnel at the remote location and the main location. Authorized personnel should be able to do their respective duties based on Company defined Policies. Secure Systems Research Group – Florida Atlantic University

21 Forces (Contd…) Any message from unknown or spurious remote locations should be discarded. We should be able to detect any intrusions into the system and create alert logs. Field Units and Communication Lines should be free from Physical Attacks. Service should be available 24 hrs 7 days a week. Secure Systems Research Group – Florida Atlantic University

22 Solution Authentication is done at the Remote and the Central Controller unit to make sure that only Authorized personnel have entry access to the system. We can create secure VPN channels at the Central Controller and the Remote units so that we can send confidential messages. This also makes sure that the integrity of data is maintained. Intrusion Detection Systems are able to detect any intrusions to the systems based on misuse based detection or anomaly based detection. Firewalls prevent messages from unknown and dangerous sites from reaching the system. Secure Systems Research Group – Florida Atlantic University

23 Solution (Contd…) By providing Reference monitor or RBAC, we can make sure that the authorized personnel can perform their respective roles. By adding Physical Access control zones we can prevent physical attacks caused by external elements. All these security measures added make sure that there is no Denial of Service (DOS). The use of these security models in SCADA communication can significantly reduce the vulnerability of these critical systems. Secure Systems Research Group – Florida Atlantic University

24 Class Diagram (w/o Security Components) Central Controller User Interface Field Unit Controller Comm. Network Internet Zone * 1 * 1 1 Secure Systems Research Group – Florida Atlantic University

25 Class Diagram for Secure SCADA Secure Systems Research Group – Florida Atlantic University

26 Consequences Advantages –Users are authenticated by the system. This helps to maintain a good logging system also. –The RBAC model helps authorization policies to be implemented within the system based on roles of the personnel. –Secure channels use strong encryption which helps confidentiality and data integrity. –Firewall and IDS helps to make the system more secure. Secure Systems Research Group – Florida Atlantic University

27 Consequences(Contd…) Liabilities –High overhead with VPN connection, firewall and IDS. –If the protocol used is not a secure protocol, the risk increases.. Secure Systems Research Group – Florida Atlantic University

28 Known Uses –Any Power Utility company such as FPL. Related Patterns –VPN Patterns. –Firewall Patterns –IDS Patterns Secure Systems Research Group – Florida Atlantic University

29 References [Bar04] K. Barnes, B. Johnson and R Nickelson. “Review of Supervisory Control and Data Acquisition (SCADA) Systems. “ Idaho National Engineering and Environmental Laboratory, Bechtel BWXT, Idaho. http://www.inl.gov/technicalpublications/Documents/3310858.pdf [Cla04] Practical Modern SCADA Protocols: DNP3, 60870.5 and Related Systems GR Clarke, D Reynders - 2004 - books.google.comPractical Modern SCADA Protocols: DNP3, 60870.5 and Related Systems [Fer07] Eduardo B. Fernandez. Class Notes COT5930 – Fall 2007, Florida Atlantic University. [Fer05] Eduardo B. Fernandez, Jose Ballesteros, Ana C. Desouza-Doucet, and Maria M. Larrondo-Petrie. “Security Patterns for Physical Access Control Systems.” Class Notes COT5930 – Fall 2007, Florida Atlantic University. [Jeo07] Jeon Il Moon, Jung Sub Kim, Jong Bae Kim, Kye Young Lim and Byoung Wook Choi, “A hardware implementation of distributed network protocol.” Computer Standards & Interfaces, Volume 27, Issue 3, Pages 221-232 [Pat07] S C Patel and Y Yu, “Analysis of SCADA security Models.” International Management Review. Vol.3 No.2., 2007 Pages 68 – 76. [Sto06] K. Stouffer, J. Falco, and K. Kent, “Guide to supervisory control and data acquisition (SCADA) and industrial control systems security”, Spec. Pub. 800-82, National Institute of Standards and Technology (NIST), http://csrc.nist.gov/publications/drafts/800-82/Draft-SP800-82.pdf Secure Systems Research Group – Florida Atlantic University

30 Suggestions Additions Concerns Modifications Improvement Secure Systems Research Group – Florida Atlantic University


Download ppt "Unifying the Conceptual levels of Network Security through use of Patterns. PhD Proposal Ajoy Kumar Secure Systems Research Group – Florida Atlantic University."

Similar presentations


Ads by Google