Publication


Featured research published by Adrian Farrel.


Network Security: Know It All | 2008

Chapter 10 – Intrusion Response Systems: A Survey

James B. D. Joshi; Saurabh Bagchi; Bruce S. Davie; Adrian Farrel; Bingrui Foo; Vijay K. Garg; Matthew W. Glause; Gaspar Modelo-Howard; Prashant Krishnamurthy; Pete Loshin; James D. McCabe; Lionel M. Ni; Larry L. Peterson; Rajiv Ramaswami; Kumar N. Sivarajan; Eugene H. Spafford; George Varghese; Yu-Sung Wu; Pei Zheng

Publisher Summary: This chapter considers distributed systems as composed of multiple services that interact with one another through standardized network protocols. It describes the primary Intrusion Response Systems (IRSs) and labels each in one of the following four categories. The first class, called static decision making, provides a static mapping of the alert from the detector to the response that is to be deployed. The second class, called dynamic decision making, reasons about an ongoing attack based on the observed alerts and determines an appropriate response to take. The third class, called intrusion tolerance through diverse replicas, provides masking of security failures through the use of diverse replicas concurrently for performing security critical functions. The fourth class includes IRSs meant to target specific kinds of attacks, with our focus being on distributed denial-of-service attacks. Then, we present a discussion on the nascent field of benchmarking of IRSs. Finally, the chapter presents five key areas in which IRSs need to evolve for widespread adoption. In addition, it considers the metrics that are relevant for evaluating an IRS.


Network Security: Know It All | 2008

Optical Network Survivability

James B. D. Joshi; Saurabh Bagchi; Bruce S. Davie; Adrian Farrel; Bingrui Foo; Vijay K. Garg; Matthew W. Glause; Gaspar Modelo-Howard; Prashant Krishnamurthy; Pete Loshin; James D. McCabe; Lionel M. Ni; Larry L. Peterson; Rajiv Ramaswami; Kumar N. Sivarajan; Eugene H. Spafford; George Varghese; Yu-Sung Wu; Pei Zheng

Publisher Summary: This chapter gives a brief overview of optical network survivability. Engineering the network for survivability plays an increasingly important role in transport networks. Protection techniques are well established in Synchronous Optical Networking (SONET) and Synchronous Digital Hierarchy (SDH) and include point-to-point, dedicated protection rings, and shared protection rings. Point-to-point protection schemes work for simple systems with diverse fiber routes between node locations. In addition, optical channel layer protection is needed if some channels are to be protected while others are not. Optical multiplex section (OMS) layer protection is more cost effective for those cases where all the traffic needs to be protected. The optical layer consists of the optical channel layer (or path layer), the OMS layer (or line layer), and the optical transmission section layer. The choice of protection schemes is dictated primarily by the service classes to be supported and by the type of equipment deployed. In the SONET/SDH world, protection is performed primarily by the SONET/SDH line terminals and add/drop multiplexers and not by digital cross connects.


MPLS: Next Steps | 2008

Providing Quality of Service

Bruce S. Davie; Adrian Farrel

MPLS TE and Diffserv can be deployed concurrently in an IP backbone, with TE determining the path that traffic takes on aggregate based upon aggregate bandwidth constraints, and Diffserv mechanisms being used on each link for differential scheduling of packets on a per-class of service basis. Diffserv-aware MPLS TE (DS-TE) provides the capability to enforce different bandwidth constraints for different classes of traffic through the addition of more pools of available bandwidth on each link. MPLS TE can be deployed either in an ad hoc fashion, with selective tunnels configured tactically to move a subset of traffic away from congested links, or systematically, with all backbone traffic transported in TE tunnels. The per-virtual networks (VNET) bandwidth allocation approach to Quality of Service (QoS) resource management is where bandwidth is allocated to the individual VNETs (high-priority key services VNETs, normal-priority services VNETs, and best-effort low-priority services VNETs). This allocated bandwidth is protected by bandwidth reservation methods, as needed, but otherwise shared. Each originating node (ON) monitors VNET bandwidth use on each VNET constraint-based routing label switched paths (CRLSP) and determines when the VNET CRLSP bandwidth needs to be increased or decreased.


MPLS: Next Steps | 2008

Monitoring and Maintenance

Bruce S. Davie; Adrian Farrel

RFC 4379 defines a diagnostic protocol for testing the continuity and connectivity of MPLS LSPs. This technique is commonly referred to as LSP Ping and provides a mechanism to trace the LSP in the forwarding plane under the control and coordination of the control plane. The core of LSP Ping is an Echo Request message that is sent as a UDP datagram encapsulated as an IP packet, and then as an MPLS packet, and is forwarded along the path of the LSP. If the message is correctly received at the destination or is incorrectly received at some other LSR, it is responded to with an Echo Response that travels back as an IP datagram. Bidirectional Forwarding Detection (BFD) is a protocol intended to provide a lightweight method to detect faults in the bidirectional paths between forwarding engines. It can be applied in IP or MPLS networks, and it can be used to detect faults between neighbors at the ends of interfaces, data links, or LSPs. Its function is independent of data plane technologies or protocols. Virtual Circuit Connectivity Verification (VCCV) is a connection verification protocol developed specifically for application to virtual circuits such as pseudowires. A pseudowire is achieved by installing an MPLS LSP between two provider-edge LSRs, and encapsulating the signal from a native service for transmission down that LSP.


MPLS: Next Steps | 2008

Virtual Private Networks

Bruce S. Davie; Adrian Farrel

Publisher Summary: Virtual private networks (VPNs) enable two companies to connect their private networks across the Internet. One of the options provided by a VPN is that the addresses within the private networks may be kept private. This allows the companies to use identical address spaces, and lets each have hosts that have the same addresses. IPsec is essentially a tunneling protocol devised to securely transport IP across a public network. IPsec has considerable potential in VPN implementation because it offers a full suite of security features from encryption and authentication to protection against replay. MPLS can be used to set up tunnels through an MPLS-capable network. These tunnels can be used to establish layer 2 VPNs in ATM, Frame Relay, or other MPLS-capable networks. Each tunnel provides a virtual wire between source and destination to connect different parts of the VPN. Alternatively, MPLS packets can be encapsulated in some other tunneling mechanism to allow them to be transported across the IP core network. A hybrid VPN solution that utilizes both BGP and MPLS is described in RFC 2547 and is being further developed within the IETF. This solution is scalable and flexible. BGP is used to advertise which edge nodes provide access to which VPNs, the reachability information for addresses in each VPN at each edge node, and an MPLS label used to identify which VPN is targeted.


MPLS: Next Steps | 2008

MPLS Traffic Engineering Recovery Mechanisms

Bruce S. Davie; Adrian Farrel

Multi-Protocol Label Switching (MPLS) traffic engineering (TE) global default restoration is the default recovery technique. Once a failure is detected by some downstream node, the head-end label switched router (LSR) is notified by means of Resource Reservation Protocol (RSVP) and the routing protocol (FIS). Upon receiving the notification, the head-end LSR recomputes the path and signals the Label Switched Path (LSP) along an alternate path. When using MPLS TE local protection, there are three properties a TE LSP can have: fast reroute desired, bandwidth protection desired, and node protection desired. The various TE LSP recovery requirements allow an operator to define multiple CoRs and assign a different CoR to each TE LSP according to its recovery requirements; for example, very sensitive traffic such as voice-over-IP/MPLS or ATM-over-MPLS could be routed over protected TE LSPs with bandwidth and node protection. In the case of a multiarea (OSPF), multilevel (IS-IS), or multiautonomous systems network, if the failure does not occur in the head-end LSR area/level, no Internet Gateway Protocol (IGP) notification would be received by the head-end LSR. This means that the head-end LSR exclusively relies on the receipt of the RSVP Path Error message to be informed that a local repair is performed on a downstream node.


The Internet and Its Protocols: A Comparative Approach | 2004

The Internet Protocol

Adrian Farrel

This chapter reviews the Internet Protocol (IP) that is the fundamental building block for all control and data exchanges across and within the Internet. IP and the Internet are so closely woven that the ordering of the definition is not of much importance, but it is indubitable that the Internet is deeply dependent on the definition and function of IP. IP is a protocol for universal data delivery across all network types. Data are packaged into datagrams that comprise some control information and the payload data to be delivered. Datagrams are connectionless because each is sent on its own and may find its own way across the network, independent of the other datagrams. Each datagram may take a different route through the network. The control information in an IP datagram is necessary to identify the sender and recipient of the data and to manage the datagram while it is in transit.


Network Security: Know It All | 2008

Concepts in IP Security

James B. D. Joshi; Saurabh Bagchi; Bruce S. Davie; Adrian Farrel; Bingrui Foo; Vijay K. Garg; Matthew W. Glause; Gaspar Modelo-Howard; Prashant Krishnamurthy; Pete Loshin; James D. McCabe; Lionel M. Ni; Larry L. Peterson; Rajiv Ramaswami; Kumar N. Sivarajan; Eugene H. Spafford; George Varghese; Yu-Sung Wu; Pei Zheng

This chapter provides an overview of some of the issues related to Internet security and shows the workings of the key security protocols. Security within an IP network can be applied at any or all of a set of different levels: (1) physical security governs the connectivity and access to private networks; (2) protocol-level security controls and safeguards the essential protocols that make the Internet work; (3) application security can be used to protect sensitive data and to limit access to applications; and (4) transport and network layer security is used to protect data flows across public or exposed networks and connections. Network security has become an issue because of the large number of computers connected together, and the increase in quantity and sensitivity of the information held on computers and distributed across the Internet. Various techniques are used to compromise Internet security. The most obvious technique involves simply impersonating another user to access that user's computer. Remote access protocols such as Telnet and File Transfer Protocol (FTP) make this particularly easy.


Network Security: Know It All | 2008

Security in Wireless Systems

James B. D. Joshi; Saurabh Bagchi; Bruce S. Davie; Adrian Farrel; Bingrui Foo; Vijay K. Garg; Matthew W. Glause; Gaspar Modelo-Howard; Prashant Krishnamurthy; Pete Loshin; James D. McCabe; Lionel M. Ni; Larry L. Peterson; Rajiv Ramaswami; Kumar N. Sivarajan; Eugene H. Spafford; George Varghese; Yu-Sung Wu; Pei Zheng

This chapter examines the requirements needed for privacy and authentication of wireless systems and discusses how each of the cellular and personal communications services systems supports these requirements. The chapter also discusses four levels of voice privacy and then identifies requirements in the areas of privacy, theft resistance, radio system requirements, system lifetime, physical requirements as implemented in mobile stations, and law enforcement needs. In addition, it examines different methods that are in use to meet these needs. The objective of security for most wireless systems is to make the system as secure as the public switched telephone network. The technical features for security are only a small part of the security requirements; the greatest threat is from simpler attacks such as disclosure of the encryption keys, an insecure billing system, or corruption. A balance is required to ensure that these security processes meet these requirements.


Network Security: Know It All | 2008

Chapter 2 – Network Attacks

James B. D. Joshi; Saurabh Bagchi; Bruce S. Davie; Adrian Farrel; Bingrui Foo; Vijay K. Garg; Matthew W. Glause; Gaspar Modelo-Howard; Prashant Krishnamurthy; Pete Loshin; James D. McCabe; Lionel M. Ni; Larry L. Peterson; Rajiv Ramaswami; Kumar N. Sivarajan; Eugene H. Spafford; George Varghese; Yu-Sung Wu; Pei Zheng

Publisher Summary: This chapter provides an overview of issues, terminology, and techniques related to the security of the network. Network security comprises ongoing activities that assess the network for its current state of security, have in place protection and prevention mechanisms against security threats, implement detection mechanisms to rapidly identify security attacks that may have been successful, and have policies, procedures, and techniques in place to respond to attacks. These aspects are discussed in a succinct manner. Protection against attacks using firewalls and prevention mechanisms that make use of cryptography are considered with examples of Kerberos, IP Security Protocol, and Secure Sockets Layer. To block malicious packets from entering a network, it is common to employ firewalls. Firewalls in olden days were referred to as thick walls of brick constructed especially for preventing the spread of fires from one building to another. Firewalls today are being referred to as hardware, software, and policies to prevent the spread of security attacks into an organization's (or individual's) network or host.

Collaboration



Top Co-Authors


Pei Zheng

Michigan State University


Kumar N. Sivarajan

Indian Institute of Science


Yu-Sung Wu

National Chiao Tung University
