
1 Security Research 2/7/2003 chow
Security Related Research Projects at UCCS Network Research Lab
C. Edward Chow, Department of Computer Science, University of Colorado at Colorado Springs

2 Outline of the Talk
Brief Introduction to the Network/Protocol Research Lab at UCCS
Network security related research projects at UCCS Network/Protocol Research Lab
–Autonomous Anti-DDoS Project
–Secure Collective Defense Project
–BGP/MPLS based VPN Project
Discussion on Innerwall-UCCS Joint Research Project
–STTR N03-T010 TITLE: Intrusion Monitoring, Detection and Reporting

3 UCCS Network Research Lab
Director: Dr. C. Edward Chow
Graduate students:
–John Bicknell/Steve McCaughey/Anders Hansmat: Distributed Network Restoration/Network Survivability
–Heikki Julkunen: Dynamic Packet Filter
–Chandra Prakash: Highly Available Linux kernel-based Content Switch
–Ganesh Godavari: Linux based Secure Web Switch
–Angela Cearns: Autonomous Anti-DDoS (A2D2) Testbed
–Longhua Li: IXP-based Content Switch
–Yu Cai (Ph.D. research assistant): Multipath Routing
–Jianhua Xie (Ph.D.): Secure Storage Networks
–Frank Watson: Content Switch for Email Security
–Paul Fong: Wireless AODV Routing for sensor networks
–Nirmala Belusu: Wireless Network Security: PEAP vs. TTLS
–David Wilkinson/Sonali Patankar: Secure Collective Defense
–Murthy Andukuri/Jing Wu: Enhanced BGP/MPLS-based VPN
–Patricia Ferrao/Merlin Vincent: Web-based Collaborative System Support

4 UCCS Network Lab Setup
Gigabit fiber connection to UCCS backbone
Switch/Firewall/Wireless AP: HP 4000 switch; 4 Linksys/Dlink switches; Sonicwall Pro 300 Firewall
8 Intel 7112 SSL accelerators; 4 7820 XML directors donated by Intel.
Cisco 1200 Aironet Dual Band Access Point and 350 client PC/PCI cards (both 802.11a and 802.11b cards).
Intel IXP12EB network processor evaluation board
Servers: Two Dell PowerEdge Servers.
Workstations/PCs: 8 Dell PCs (3GHz-500MHz); 12 HP PCs (500-233MHz); 2 laptop PCs with Aironet 350 for mobile wireless
OS: Linux Redhat 8.0; Windows XP/2000

5 (lab photo; labels: HP4000 switch, Gigabit fiber to UCCS backbone, workstation, Dell server, Intel IXP network processor)

6 (photo; labels: Intel 7110 SSL Accelerators, 7280 XML Director)

7 DDoS: Distributed Denial of Service Attack
DDoS Victims: Yahoo/Amazon 2000; CERT 5/2001; DNS Root Servers 10/2002
DDoS Tools: Stacheldraht; Trinoo; Tribal Flood Network (TFN)

8 How widespread is DDoS?
Research by Moore et al. of University of California at San Diego, 2001.
12,805 DoS attacks in a 3-week period
Most victims are home, small to medium sized organizations

9 Intrusion Related Research Areas
Intrusion Prevention
–General Security Policy
–Ingress/Egress Filtering
Intrusion Detection
–Anomaly Detection
–Misuse Detection
Intrusion Response
–Identification/Traceback/Pushback
Intrusion Tolerance

10 Security Related Research Projects
Secure Content Switch
Autonomous Anti-DDoS Project
–Deals with Intrusion Detection and Handling. Techniques:
–IDS-Firewall Integration
–Adaptive Firewall Rules
–Easy to use/manage.
Secure Collective Defense Project
–Deals with Intrusion Tolerance: how to tolerate the attack.
–Techniques (main idea: explore secure alternate paths for clients to come in):
–Multiple Path Routing
–Secure DNS extension: how to inform client DNS servers to add alternate new entries
–Utilize a consortium of Proxy servers with IDS that hides the IP address of alternate gateways.
BGP/MPLS based VPN Project
Content Switch for Email Security.

11 Design of an Autonomous Anti-DDoS Network (A2D2)
Graduate Student: Angela Cearns
Goals:
–Study Linux Snort IDS/Firewall system
–Develop Snort plug-in for Generic Flood Detection
–Investigate Rate Limiting and Class Based Queueing for Effective Firewall Protection
–Intrusion Detection automatically triggers adaptive firewall rule update.
–Study QoS impact with/without A2D2 system.
http://cs.uccs.edu/~chow/pub/master/acearns/doc/

12 (figure only, no transcript text)

13 A2D2 Multi-Level Adaptive Rate Limiting (figure)
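As an added example, not code from the A2D2 thesis, the following sketch shows the mechanism slides 11 and 13 describe: a generic per-source flood detector whose threshold crossings escalate a firewall rule through several rate-limit levels and relax it once the flood subsides. The thresholds, limits, addresses and traffic are constructed for illustration.

```python
"""Added example (not the A2D2 project's code): a generic flood detector with
multi-level adaptive rate limiting. Thresholds, limits and traffic are
constructed; the iptables strings are the rule updates handed to the firewall."""
from collections import defaultdict, deque

WINDOW = 1.0                    # seconds over which per-source packets are counted
THRESHOLDS = (50, 100, 200)     # packets per window that raise level 1, 2, 3 (assumed)
LIMITS = {1: "20/s", 2: "5/s"}  # per-level token-bucket limits (assumed); level 3 drops
RELAX_BELOW = 10                # lift the rule once the rate falls under this

class FloodDetector:
    def __init__(self):
        self.hist = defaultdict(deque)  # src -> packet timestamps inside WINDOW
        self.level = defaultdict(int)   # src -> current rate-limit level
        self.active = {}                # src -> rule spec currently installed
        self.rules = []                 # firewall commands emitted, in order

    def _window(self, ts, src):
        q = self.hist[src]
        while q and ts - q[0] > WINDOW:
            q.popleft()
        return q

    def observe(self, ts, src, proto):
        # Feed one packet; escalate the source's rule when a threshold is crossed.
        q = self._window(ts, src)
        q.append(ts)
        new = sum(1 for t in THRESHOLDS if len(q) >= t)
        if new > self.level[src]:
            if src in self.active:              # replace the looser rule
                self.rules.append("iptables -D INPUT " + self.active[src])
            spec = (f"-s {src} -p {proto} -j DROP" if new >= 3 else
                    f"-s {src} -p {proto} -m limit --limit {LIMITS[new]} -j ACCEPT")
            self.active[src] = spec
            self.level[src] = new
            self.rules.append("iptables -A INPUT " + spec)
        return self.level[src]

    def relax(self, ts, src):
        # Called periodically: remove the rule once the flood has subsided.
        if self.level[src] and len(self._window(ts, src)) < RELAX_BELOW:
            self.level[src] = 0
            self.rules.append("iptables -D INPUT " + self.active.pop(src))
        return self.level[src]

def run_sample():
    # Constructed traffic: a UDP flood from one host beside a quiet TCP client.
    det = FloodDetector()
    for i in range(120):                        # 120 packets in under 0.5 s
        det.observe(i * 0.004, "10.0.0.5", "udp")
    for i in range(5):
        det.observe(i * 0.1, "10.0.0.9", "tcp")
    levels = dict(det.level)
    det.relax(3.0, "10.0.0.5")                  # the flood has stopped by t=3s
    return levels, det.rules
```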

14 A2D2 QoS Results - Baseline
10-min Video Stream between Real Player & Real Server
Packets Received: Around 23,000 (23,445)
No DDoS Attack
(screenshot: QoS experienced at A2D2 by Real Player client with no DDoS; playout buffering to avoid jitter)

15 A2D2 Results – Non-stop Attack
Packets Received: 8,039
Retransmission Request: 2,592
Retransmission Received: 35
Lost: 2,557
Connection Timed-out
(screenshot: QoS experienced at A2D2 client; loss of packets)

16 A2D2 Results – UDP Attack Mitigation: Firewall Policy
Packets Received: 23,407
Retransmission Request: 0
Retransmission Received: 0
Lost: 0
Looks like we just need plain old firewall rules, no fancy Rate Limiting/CBQ?
(screenshot: QoS experienced at A2D2 client)

17 A2D2 Results – ICMP Attack Mitigation: Firewall Policy
Packets Received: 7,127
Retransmission Request: 2,105
Retransmission Received: 4
Lost: 2,101
Connection Timed-out
Just a plain old firewall rule is not good enough!
(screenshot: QoS experienced at A2D2 client; packet/connection loss)

18 A2D2 Results – TCP Attack Mitigation: Policy+CBQ
Turn on CBQ
Packets Received: 22,179
Retransmission Request: 4,090
Retransmission Received: 2,641
Lost: 1,449
Screen Quality Impact!
(screenshot: QoS experienced at A2D2 client; looks OK but quality degrades)

19 A2D2 Results – TCP Attack Mitigation: Policy+CBQ+Rate Limiting
Turn on Both CBQ & Rate Limiting
Packets Received: 23,444
Retransmission Request: 49 – 1,376
Retransmission Received: 40 – 776
Lost: 9 – 600
No image quality degradation
(screenshot: QoS experienced at A2D2 client)

20 A2D2 Future Works
Extend to include IDIP/Pushback
Precise Anomaly Detection
Improve Firewall/IDS Processing Speed
Scalability Issues
Tests with More Service Types
Tests with Heavy Client Traffic Volume
Fault Tolerance (Multiple Firewall Devices)
Alternate Routing

21 Wouldn’t it be Nice to Have Alternate Routes?
(diagram: victim behind router R with DNS1, DNS2, DNS3; attackers A in net-a.com, net-b.com, net-c.com; alternate gateways R1, R2, R3; legend: DNS, DDoS attack traffic, client traffic)
How to reroute client traffic through R1-R3?

22 Implement Alternate Routes
(diagram as slide 21)
Need to inform clients or client DNS servers!
But how to tell which clients are not compromised?
How to hide IP addresses of alternate gateways?

23 SCOD
(diagram: as slide 21, with Proxy1, Proxy2, Proxy3 in front of R1, R2, R3 and a Reroute Coordinator; attack traffic at R is blocked)
1. IDS detects intrusion, blocks attack traffic, sends distress call to Reroute Coordinator

24 SCOD
(diagram as slide 23)
1. IDS detects intrusion, blocks attack traffic, sends distress call to Reroute Coordinator
2. Reroute Coordinator sends Reroute Command with (DNS Name, IP Addr. of victim, Proxy Server(s)) to DNS

25 SCOD
(diagram as slide 23)
2. Reroute Coordinator sends Reroute Command with (DNS Name, IP Addr. of victim, Proxy Server(s)) to DNS
3. New route via Proxy1 to R1; new route via Proxy2 to R2; new route via Proxy3 to R3

26 SCOD
(diagram as slide 23)
3. New route via Proxy1 to R1; new route via Proxy2 to R2; new route via Proxy3 to R3
4. Attack traffic detected by IDS, blocked by Firewall
4a. Attack traffic detected by IDS, blocked by Firewall

27 SCOD
(diagram as slide 23, with all steps annotated)
1. Distress call
2. Sends Reroute Command with (DNS Name, IP Addr. of victim, Proxy Server(s))
3. New route via Proxy1 to R1; new route via Proxy2 to R2; new route via Proxy3 to R3
4. Attack traffic detected by IDS, blocked by Firewall
4a. Attack traffic detected by IDS, blocked by Firewall
4b. Client traffic comes in via alternate route

28 Secure Collective Defense
Main Idea: Explore secure alternate paths for clients to come in; utilize geographically separated proxy servers.
Goal: Provide secure alternate routes; hide IP addresses of alternate gateways
Techniques:
–Multiple Path Routing
–Secure DNS extension: how to inform client DNS servers to add alternate new entries (not your normal DNS name/IP address mapping entry).
–Utilize a consortium of Proxy servers with IDS that hides the IP address of alternate gateways.
How to partition clients to come in at different proxy servers? This may help identify the attacker!
How do clients use the new DNS entries and route traffic through the proxy server? Use the SOCKS protocol, or modify the resolver library?
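As an added example, not the SCOD project's own code, here is a message-level walk-through of the reroute sequence on slides 23 to 27 together with the client-partitioning idea on slide 28: the distress call, the Reroute Command carrying (DNS name, victim IP, proxy servers), the alternate entries at a client DNS server that map clients onto proxies, and the narrowing of the suspect set when attack traffic arrives through one proxy. Names, addresses, the partition rule and the message fields are all constructed assumptions.

```python
"""Added example (not the SCOD project's code): a message-level walk-through of
the reroute sequence on slides 23-28. Names, addresses, the partition rule and
the message fields are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

@dataclass
class RerouteCommand:
    # Step 2 payload: (DNS name, IP address of victim, proxy server(s)).
    dns_name: str
    victim_ip: str
    proxies: list

class RerouteCoordinator:
    def __init__(self, proxy_to_gateway):
        # proxy name -> the alternate gateway (R1..R3) it fronts; never sent out
        self.proxy_to_gateway = proxy_to_gateway
        self.log = []

    def distress(self, dns_name, victim_ip):
        # Step 1: the victim's IDS has blocked the flood and calls for help.
        self.log.append(("distress", dns_name, victim_ip))
        # Only proxy names leave the coordinator; gateway addresses stay hidden.
        return RerouteCommand(dns_name, victim_ip, sorted(self.proxy_to_gateway))

class ClientDNS:
    # A client-side DNS server extended to hold alternate-route entries.
    def __init__(self):
        self.alt_routes = {}

    def apply(self, cmd):
        # Step 2: install the alternate entry (not a normal name->IP record).
        self.alt_routes[cmd.dns_name] = cmd.proxies

    def proxy_for(self, dns_name, client_ip):
        # Step 3: partition clients across the proxies by client address.
        proxies = self.alt_routes.get(dns_name)
        if not proxies:
            return None                 # no reroute active: use the normal path
        return proxies[int(ipaddress.ip_address(client_ip)) % len(proxies)]

def suspects(dns, dns_name, clients, bad_proxy):
    # Step 4a: attack traffic seen via one proxy narrows the suspect set to the
    # clients that were partitioned onto that proxy (slide 28's observation).
    return [c for c in clients if dns.proxy_for(dns_name, c) == bad_proxy]

def run_scenario():
    coord = RerouteCoordinator({"proxy1": "R1", "proxy2": "R2", "proxy3": "R3"})
    cmd = coord.distress("www.victim.example", "203.0.113.7")
    dns = ClientDNS()
    dns.apply(cmd)
    clients = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]
    routes = {c: dns.proxy_for("www.victim.example", c) for c in clients}
    return cmd, routes, suspects(dns, "www.victim.example", clients, "proxy1")
```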

29 New UCCS IA Degree/Certificate
Master of Engineering Degree in Information Assurance
Certificate in Information Assurance (offered to Peterson AFB through NISSC)
Computer Networks; Fundamentals of Security; Cryptography; Advanced System Security Design

30 New CS691 Course on Advanced System Security Design
Use Matt Bishop's new Computer Security text
Spring 2003: with one class at UCCS, one at Peterson AFB.
Enhanced by demo/hands-on exercises at the Distributed Security Lab of Northrop Grumman.
Integrate security research results into course material, such as the A2D2, Secure Collective Defense, and MPLS-VPN projects.
Invite speakers from industry such as Innerwall and AFA?
Looking for potential joint exercises with other institutions such as AFA, Northrop Grumman, Innerwall.

31 Joint Research/Development Effort
STTR N03-T010 TITLE: Intrusion Monitoring, Detection and Reporting
Penetration Analysis/Testing projects?
Intrusion Detection/Handling projects?
Other Cyberwarfare related projects?
Security Forum organized by Dean Haefner/Dr. Ayen
Security Seminar Series with CITTI funding support
Look for Speakers (suggestions?)

