05-03-2013, 02:38 PM
DISTRIBUTED NETWORK SECURITY
DISTRIBUTED NETWORK.doc (Size: 561 KB / Downloads: 23)
ABSTRACT
IP-based networks form the base of today's communication infrastructure. The interconnection of formerly isolated networks brings up severe security issues. The standard approach to protecting one's own network from abuse is the use of filter mechanisms at the border to the foreign network. The rising complexity of protocols and the use of encryption techniques render most of these border-oriented systems useless, as they are not able to track or analyze the transferred data. The approach discussed in this article splits into three parts: first we introduce distributed sensors, which enlarge the amount of data available for analysis by accessing information directly at its source. To integrate these into the classic border-oriented system we create an abstract interface and management system based on the Common Information Model. Finally we divide the management system itself into independent components, distribute them over the network and gain a significant increase in performance.
INTRODUCTION
The interconnection of formerly private and isolated communication networks enables new forms of services and applications, but also brings new threats and the need for appropriate defense mechanisms. Until today, most networks are secured by firewalls which apply IP packet filtering at the interface between the internal and the external network.
This raises two major problems:
First, as traffic is allowed or denied based only on IP packet information, it is impossible to associate traffic with particular applications or processes on the client machines in the internal network. If a client is infected by malicious software that collects information and sends it to an outside attacker, e.g. through the standard HTTP port, the firewall may identify this as allowed traffic to a web server and hence lets the packets leave the network.
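The mismatch described above, as an added example that is not from the paper: a border filter that judges flows by port alone versus a host sensor that also knows the originating process. The Flow record, both policy tables and the sample flows are constructed for illustration.

```python
# Added example: border-filter view (addresses/ports) versus host-sensor view
# (process that opened the socket) for the HTTP-exfiltration case in the text.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    process: Optional[str] = None   # known only to a sensor on the host itself

# Border policy: allow outbound web ports, deny everything else.
BORDER_ALLOWED_PORTS = {80, 443}

# Assumed per-host policy: which local programs may use which outbound ports.
HOST_POLICY = {
    "firefox": {80, 443},
    "apt": {80, 443},
    "sshd": set(),          # server daemon; no outbound connections expected
}

def border_verdict(flow: Flow) -> str:
    """What a packet filter at the border can decide: ports only, no process."""
    return "allow" if flow.dst_port in BORDER_ALLOWED_PORTS else "deny"

def sensor_verdict(flow: Flow) -> str:
    """What a sensor on the client can decide: socket-to-process mapping."""
    if flow.process is None:
        return "unknown"    # no sensor data; management falls back to border
    allowed = HOST_POLICY.get(flow.process)
    if allowed is None:
        return "alert"      # program not listed in the host policy at all
    return "allow" if flow.dst_port in allowed else "alert"

def combined_verdict(flow: Flow) -> str:
    """Management view: a border 'allow' is overridden by a sensor alert."""
    if border_verdict(flow) == "deny":
        return "deny"
    return "allow" if sensor_verdict(flow) in ("allow", "unknown") else "alert"

# Constructed sample flows: a browser, then malware using the HTTP port.
FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, "firefox"),
    Flow("10.0.0.5", "203.0.113.20", 80, "updater.exe"),   # not in HOST_POLICY
    Flow("10.0.0.5", "203.0.113.30", 6667, "updater.exe"),
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f.dst_port, f.process, border_verdict(f), sensor_verdict(f), combined_verdict(f))
```

The second flow is the case from the text: the border filter allows it as web traffic, only the host sensor raises an alert.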
Network Security Management
Security management is the task of maintaining the integrity, confidentiality and availability of systems and services. The reality of the present time is that an increasing number of people, organizations and enterprises are connecting to the Internet, consequently raising security concerns. Thus, security management is an issue of paramount importance. First of all, it is necessary to identify the risks by identifying the attacks and intrusions that the networks are exposed to. Applying security management is a two-fold activity.
Distributed Network Architecture:
Global enterprises and large, multi-site hospitals, universities, or government agencies are increasingly facing a common challenge: how to bring all of their disparate buildings into an easy-to-manage enterprise security system. Most multi-site organizations have a variety of sites, ranging in size from small branch offices to large multi-building campuses.
Distributed services
Up to now we had a very simple setup with one security gateway and some clients that act only as sensors. The concentration of all decisions at one point in the network makes the whole system slow and sluggish, so we tried to distribute the individual tasks over the network to decrease the number of requests to the central server and increase the level of security.
Network Security Incidents
A network security incident is any network-related activity with negative security implications. This usually means that the activity violates an explicit or implicit security policy (see the section on security policy). Incidents come in all shapes and sizes. They can come from anywhere on the Internet, although some attacks must be launched from specific systems or networks and some require access to special accounts. An intrusion may be a comparatively minor event involving a single site or a major event in which tens of thousands of sites are compromised. (When reading accounts of incidents, note that different groups may use different criteria for determining the bounds of an incident.)
Sources of Incidents
It is difficult to characterize the people who cause incidents. An intruder may be an adolescent who is curious about what he or she can do on the Internet, a college student who has created a new software tool, an individual seeking personal gain, or a paid "spy" seeking information for the economic advantage of a corporation or foreign country. An incident may also be caused by a disgruntled former employee or a consultant who gained network information while working with a company. An intruder may seek entertainment, intellectual challenge, a sense of power, political attention, or financial gain.
One characteristic of the intruder community as a whole is its communication. There are electronic newsgroups and print publications on the latest intrusion techniques, as well as conferences on the topic. Intruders identify and publicize misconfigured systems; they use those systems to exchange pirated software, credit card numbers, exploitation programs, and the identity of sites that have been compromised, including account names and passwords. By sharing knowledge and easy-to-use software tools, successful intruders increase their number and their impact.
Root Compromise
A root compromise is similar to an account compromise, except that the account that has been compromised has special privileges on the system. The term root is derived from an account on UNIX systems that typically has unlimited, or "super user", privileges. Intruders who succeed in a root compromise can do just about anything on the victim's system, including run their own programs, change how the system works, and hide traces of their intrusion.
Packet Sniffer
A packet sniffer is a program that captures data from information packets as they travel over the network. That data may include user names, passwords, and proprietary information that travel over the network in clear text. With perhaps hundreds or thousands of passwords captured by the sniffer, intruders can launch widespread attacks on systems. Installing a packet sniffer does not necessarily require privileged access. For most multi-user systems, however, the presence of a packet sniffer implies there has been a root compromise.