1 / 27

Security Assurance Policy Helper (SAPH)

Security Assurance Policy Helper (SAPH). A Framework for Network Security Assurance Design. 鄭伯炤 bcheng@ccu.edu.tw. Speaker : Information Networking Security and Assurance LAB Department of Communication Engineering National Chung Cheng University. Outline. What is the Problem ?

misu
Télécharger la présentation

Security Assurance Policy Helper (SAPH)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security Assurance Policy Helper (SAPH) A Framework for Network Security Assurance Design 鄭伯炤 bcheng@ccu.edu.tw Speaker: Information Networking Security and Assurance LAB Department of Communication Engineering National Chung Cheng University

  2. Outline • What is the Problem ? • Security Management Life Cycle • SAPH (Security Assurance Policy Helper) • SLC (Security Language Composer) • VAST (Vulnerability Assessment & Security Testing) • SAPH and Security Assurance • Conclusion • Reference

  3. Data and Application Security Information and Networking Security Assurance & Survivability Security Technologies Used How many Incidents By Percentage (%) The Reality Source : SSI/FBI Gartner Group 估計出現在的駭客攻擊有75% 是發生在應用層(OSI第七層)上,而且一次成功的入侵將會產生令人震驚的破壞。

  4. Data manipulation • System access • Elevated privileges • Deny of Service • Revenge • Political activism • Financial gain Attack Motivations, Phases and Goals • Analyze Information & Prepare Attacks • Service in use • Known OS/Application vulnerability • Known network protocol security weakness • Network topology • Actual Attack • Network Compromise • DoS/DDoS Attack • Bandwidth consumption • Host resource starvation • Collect Information • Public data source • Scanning and probing

  5. Vulnerability 1 Vulnerability 2 Vulnerability n Security Operation Center (SOC) What is the Problem ? Vulnerability Database e.x. Bugtraq Solution 1 Solution 2 ………. ………. Solution n Quick & Dirty !!!

  6. Business Requirement How to automate security management cycle (i.e. eliminating the gaps and smoothing processes between different security management phases) ? Service Provision ? How to evaluate the risk of exposure and the cost of security breaches ? Security Operation Center (SOC) How to map business and service requirements into security policy Security Management Cycle Problems Monitoring & Audit Implementation Design Security Policy Assessment & Testing

  7. Security Management Cycle Problems • Design • Defining a good security policy and the topology of network in accordance with the requirements of an enterprise and the goal of the business • Monitoring & Audit • Performing testing and scanning to appraise risk values on the target network • Implementation • Including installing, system level testing, education and technical transference, etc • Assessment & Testing • Check whether the security policy is implemented correctly and investigate any intrusions

  8. Import/Interpreter Enforcement Black Hat White Hat Object Storage Verifier Script Generator Lighter DTN SAPH Architecture VAST: Vulnerabilities Assessment & Security Testing DTN: Defense Target Network Audit/System Log SLC: Security Language Composer SAPH x Security Guardian Policy & Topology Model Conf. Profile SLC VAST GUI

  9. SLC: Get The Highest Level of Security • Make good security policies to protect your networks and services • Accomplishable • Enforceable • Definable • Identify real security needs for service and match business requirements • Assessment and risk evaluation

  10. SAPH Components – Security Language Composer • GUI : a Graphic User Interface providing user interactions • Policy & Topology model: allowing user to define security policies and network topology based on business and service requirements . • Security Guardian : an engine evaluates the risk of exposure and the cost of security breaches based on built-in and user-define functions • Object Storage : store network objects and security policy definitions • Enforcement : an intelligent agent is able to produce configuration profiles based on acceptable risks, security policy settings and network topology. • Configuration Profile : a set of configuration parameters and running scripts for network element and security device

  11. Enforcement Object Storage x Security Guardian Policy & Topology Model Conf. Profile SLC GUI Policy & Topology Model • Display an idea • Communicate to System and other engineer • OAB (Object Association Binding) • Object • Entity、Concept or Group • Data & Attribution • Association • Relation Between Two Object • Direction、Condition、Action & Transition • Binding • Relation Between Two Model • Object in Policy Model & Object in Topology Model

  12. OAB (Object Association Binding) Policy Mode Security Policy Association If protocol =! FTP accept rule 1:George can access the Marketing Dep. Network George George Marketing Dep. Attribution Info. Dep Engineer Attribution Emp. 15 Computer 12 rule 2:Deny FTP connection Binding Topology Mode Binding Subnet 140.123.113.0/24 Host 140.123.114.14 Firewall 140.123.113.25

  13. Enforcement Object Storage x Security Guardian Security Policy Policy & Topology Model Conf. Profile Network Topology SLC GUI Security Guardian : Check Policy & Topology and Evaluate the Risk ■ User-Define Factors ■Information Asset ■Vulnerability ■Probability Loss ■Event Severity Security Guardian Risk Exposure

  14. Probability Severity Level Value Theft Fire Explosive ….. Radiation Level Value Service in use Known OS/Application vulnerability Known network protocol security weakness Network topology Risk Relationship Security Threat Classification Physical Assets Hardware Software OS Application Security Threat

  15. Pi: Probability Loss Si: Event Severity Ti: Threat Factor Evaluation Function (Built-In and User-Defined) Ci: Class Risk Ti: Threat Factor A: Asset Risk Exposure Ci: Class Risk  : Acceptable Risk Value X,Y : Accept Value (e.g., Boolean) If A <  then X otherwise Y

  16. Enforcement Script files Object Storage x Security Guardian Security Policy Policy & Topology Model Conf. Profile Network Topology SLC GUI Enforcement Equipment Adaptors Enforcement Configuration Network

  17. SLC: Get The Highest Level of Security • Make good security policies to protect your networks and services • Accomplishable • Enforceable • Definable • Identify real security needs for service and match business requirements • Assessment and risk evaluation

  18. Import/Interpreter Enforcement Black Hat White Hat Object Storage Verifier Script Generator Lighter DTN SAPH Architecture VAST: Vulnerabilities Assessment & Security Testing DTN: Defense Target Network Audit/System Log SLC: Security Language Composer SAPH x Security Guardian Policy & Topology Model Conf. Profile SLC VAST GUI

  19. VAST: Assure Information and Networking Security • Assessment • Information reconnaissance and network scan • Vulnerability assessment and threat Analysis • Penetration • System penetration test • Security policy certification • Auditing • Log analysis

  20. SAPH Components - Vulnerabilities Assessment & Security Testing (VAST) • Import/Interpreter: a converter to import audit log/syslog from security audit tools and network elements into Black Hat Database or transform attack severity/structure to Evaluator for further analysis. • Black Hat Database: real hacker signatures and methods • White Hat Database: network architecture and network element (e.g., router and firewall) configuration, security profiles and well know security holes • Verifier: an engine use both Black Hat and White Hat Database to forecast/analyze possible vulnerabilities • Script Generator: generating script files to exploit vulnerabilities • Lighter: an engine launch attacks based on hacker scripts

  21. VAST Import/Interpreter Black Hat White Hat Verifier Script Generator Lighter Lighter • Reconnaissance • Nslookup • Whois • ARIN • Dig • Target Web Site • Others • Network Scanning • Telnet • Nmap • Hping2 • Netcat • ICMP: Ping and Traceroute Script Generator • Vulnerability Assessment • Nessus • SARA

  22. VAST: Assure Information and Networking Security • Assessment • Information reconnaissance and network scan • Vulnerability assessment and threat Analysis • Penetration • System penetration test • Security policy certification • Auditing • Log analysis

  23. SAPH and Security Assurance • Design assurance • Policy & Topology Model : OAB (Object Association Binding) • Security Guardian • Development assurance • VAST • Operation assurance • Enforcement • GUI

  24. Increase Productivity Enhance Security Save Cost Extend Network Management Security Operation Center (SOC) Security Operation Center (SOC) Conclusion After Before SAPH

  25. Reference (1/2) • BCS Review 2001 Setting standards for information security policy http://www.bcs.org.uk/review/2001/html/p181.htm • B. Fraser, “RFC2196: Site Security Handbook”, IETF, September 1997. • BUGTRAQ http://www.securityfocus.com/archive/1 • E. Carter, Cisco Secure Intrusion Detection System, Cisco Press, 2001 • G. Stoneburner, A. Goguen, and A. Feringa "Risk Management Guide for Information Technology Systems", Special Publication 800-30, NIST. • J. Wack and M. Tracey, “Guideline on Network Security Testing”, Draft Special Publication 800-42, NIST, February 4, 2002

  26. Reference (2/2) • Microsoft Security Bulletin MS03-028 http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-028.asp • R. M. Barnhart, “High Assurance Security Mideical Information Systems”, Science Application International Corporation, 2000 • SANS Institute - Security Policy Project. http://www.sans.org/resources/policies/ • S. Northcutt, L. Zeltser, S. Winters, K. Kent Frederick, R. W.Ritchey, Inside Network Perimeter Security, New Riders , 2003 • T. Layton, “Penetration Studies – A Technical Overview” SANS, May 30, 2002

  27. Question ? Thank You !

More Related