Presentation is loading. Please wait.

Presentation is loading. Please wait.

Monitoring for network security and management Cyber Solutions Inc.

Published byGeorgiana Iris Hawkins Modified over 9 years ago

Similar presentations

Presentation on theme: "Monitoring for network security and management Cyber Solutions Inc."— Presentation transcript:

1 Monitoring for network security and management Cyber Solutions Inc.

2 Why monitoring?  Health check of networked node  Usage and load evaluation for optimizing the configuration  Illegal access detection for both inbound and outbound traffic All networked information is on the LINE

3 Threats have to be monitored  Node alive or dead Network or node fault? Attacked?  Performance degradation Network fault? DoS possibility? Large-scale incident?  Policy enforcement Detecting policy violation (prohibited communication) Detecting configuration change  Potential attack originator Exploited / Compromised by attacker? Attacking by insider? Virus polluted? Malicious terminal connected?

4 Monitoring is the first step for security and network management  Monitoring basics Information collection from every networked node Packet monitoring  Advanced topics High-resolution monitoring Hash-based traceback Simple and light weight analysis for practical monitoring Information collection from mobile node/network Monitoring network inside

5 High-resolution monitoring  Traffic is so dynamic Peak rate is important for actual performance Malicious access is in peaky traffic (pulsing DoS)  Requirement Shift minutes, hours, daily measurement to msec, usec, and further precise measurement

6 34 Hours 5 Seconds Monitoring with high-resolution

7 time Manager Agent Query and response Current Method Delay time Manager Query and response 1000 *n MOs/packet Agent Scalability by Aggregation

8 The drafts http://wwwietf.org/internet-drafts/ draft-glenn-mo-aggr-mib-02.txt

9 Problems in current counter DoS attack solutions

10 Take the battle to the foe Traceback Traceback potential

11 Internet Source Do you know ? Target Yes ! Around Here! PP Packet Trace Agent Yes ! No ! ← Packet Trace Yes ! The traceback concept

12 The Architecture PRA PR PRB Packet Tracker(PT) Packet Query/Response

13 The Architecture PRA PR PRB Packet Tracker ( PT) Packet Query/Response Conf: Query/Response Setting

14 Requirements: Packet Record Protocol  Mapping: PacketRecord (encoded) Packet s Additional Data for corroboration s Scope of Packet Record which IP header fields are masked) how much of the payload

15 Requirements: Packet Record Protocol Packet Data Key Generation Packet Record Agent Key Storage IP Datagram Key Generation Kg (IP Datagram) Packet Recorder Additional data Key Storage Additional Data

16 Requirements: Communication Protocol  Authenticated s Non Repudiation s Lightweight s Check for existence of a datagram s Query for Packet Recording parameters  Privacy, Integrity

17 The Process: Packet Data Transform PRA Packet Record Base IP Datagram Transform Tr (IP Datagram) PR Additional data Packet Record Base Additional Data IP Datagram Transform PT Yes/No

18 Demonstration: Tracking Attacks using SNMP based packet tracing The Internet PRA Packet Record Agent PRA2 IETF wired network Attacker2 IETF wireless network Attacker1 Victim on remote network 1.Attacker1 sends packet to Victim. 2.IDS detects it and sends SNMP trap to manager along with packet’s “record”. 3.Manager queries packet record agents PRA1, PRA2 and PRA3 for packet record 4.Manager receives responses from PRA1, PRA2, PRA3 and traces packet path. attack IDS Manager SNMP Trap Query and Response PRA1 PRA3 Intrusion Detect Sensor IDS

19 Demonstration: Screen shot

20 For practical network monitoring  Simple and right weight monitoring Focusing on stability of traffic Simple event generation and deep inspection Monitoring and Stability analysis Deep inspection Packet Sample DB Event notification

21 Stability example Observed source address is stable in large scale network

22 Mobility issues Some times disconnected changing network changing place/environment Access to more information

23 Mobility issues (1) not continuously connected Usual polling paradigm will not work Agent initiated polling Agent intitiated informs Store locally (Offline) Store and forward (Semi-online)

24 time Manager Current Method

25 time Manager Current Method

26 time Manager Agent initiated Polling

27 time Manager Agent initiated informs

28 Conventional defense strategy Intranet WEB seriver Mail server Firewalling DMZ Monitoring by IDS  Monitoring access from outside to inside

29 Risks network inside Exploited and/or compromised Prohibited user access From DHCP/Wireless network Virus influenced node Potential insider attacks

30 Monitoring inside Detection non-authorized terminal Prevent illegal outbound access  Monitoring Log collection and audit DHCP and/or connection activity monitoring Application traffic from inside to outside Connectivity and log monitoring

31 Summary  Monitoring is the real base of network security and the management  Further advanced monitoring is required High-resolution  New security applications are required Packet traceback  Further practical analysis is required Stability based analysis  Future network environment support is required Mobile node and network support  New monitoring target is required Network inside

Download ppt "Monitoring for network security and management Cyber Solutions Inc."

Similar presentations

Top-Down Network Design Chapter Nine Developing Network Management Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.

Top-Down Network Design Chapter Nine Developing Network Management Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
1 SANS Technology Institute - Candidate for Master of Science Degree 1 SIEM Based Intrusion Detection Jim Beechey March 2010 GSEC Gold, GCIA Gold, GCIH,

1 SANS Technology Institute - Candidate for Master of Science Degree 1 SIEM Based Intrusion Detection Jim Beechey March 2010 GSEC Gold, GCIA Gold, GCIH,
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
NetFlow Analyzer Drilldown to the root-QoS Product Overview.

NetFlow Analyzer Drilldown to the root-QoS Product Overview.
Advanced Internet Bandwidth and Security Strategies Fred Miller Illinois Wesleyan University.

Advanced Internet Bandwidth and Security Strategies Fred Miller Illinois Wesleyan University.
Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.

Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.
Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study

Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
Network security policy: best practices

Network security policy: best practices
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.
1 Integrating a Network IDS into an Open Source Cloud Computing Environment 1st International Workshop on Security and Performance in Emerging Distributed.

1 Integrating a Network IDS into an Open Source Cloud Computing Environment 1st International Workshop on Security and Performance in Emerging Distributed.
BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization.

BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization.
LINUX Security, Firewalls & Proxies. Course Title Introduction to LINUX Security Models Objectives To understand the concept of system security To understand.

LINUX Security, Firewalls & Proxies. Course Title Introduction to LINUX Security Models Objectives To understand the concept of system security To understand.

Similar presentations

Ads by Google