
Publication

Featured research published by Fengmin Gong.


policies for distributed systems and networks | 2001

IPSec/VPN Security Policy: Correctness, Conflict Detection, and Resolution

Zhi Fu; Shyhtsun Felix Wu; He Huang; Kung Loh; Fengmin Gong; Ilia Baldine; Chong Xu

IPSec (Internet Security Protocol Suite) functions will be executed correctly only if its policies are correctly specified and configured. Manual IPSec policy configuration is inefficient and error-prone. An erroneous policy could lead to a communication blockade or a serious security breach. In addition, even if policies are specified correctly in each domain, the diversified regional security policy enforcement can create significant problems for end-to-end communication because of interaction among policies in different domains. A policy management system is, therefore, demanded to systematically manage and verify various IPSec policies in order to ensure an end-to-end security service. This paper contributes to the development of an IPSec policy management system in two aspects. First, we defined a high-level security requirement, which not only is an essential component to automate the policy specification process of transforming from security requirements to specific IPSec policies but also can be used as criteria to detect conflicts among IPSec policies, i.e. policies are correct only if they satisfy all requirements. Second, we developed mechanisms to detect and resolve conflicts among IPSec policies in both intra-domain and inter-domain environments.


darpa information survivability conference and exposition | 2000

Design and implementation of a scalable intrusion detection system for the protection of network infrastructure

Y.F. Jou; Fengmin Gong; C. Sargor; X. Wu; Shyhtsun Felix Wu; H.C. Chang; F. Wang

This paper presents the design, implementation, and experimentation of the JiNao intrusion detection system (IDS), which focuses on the protection of the network routing infrastructure. We used the open shortest path first (OSPF) routing protocol as an implementation example to illustrate our IDS design. However, the system architecture is generic enough that the JiNao IDS can be used for protecting other protocols. The system features attack prevention and intrusion detection with tightly integrated network management components. The prevention module functions like a firewall which consists of a small set of rules. Both misuse (protocol analysis) and anomaly (statistics-based) approaches are implemented as detection mechanisms in order to handle both known and unknown attacks. Four OSPF attacks (i.e., MaxSeq, MaxAge, Seq++, and LSID attacks) have been developed for evaluating JiNao's detection capability. Furthermore, an SNMP-based network management interface has been designed and implemented such that the JiNao IDS can be easily integrated with existing network management systems.


integrated network management | 1999

DECIDUOUS: decentralized source identification for network-based intrusions

Ho-Yen Chang; Ravindar Narayan; Shyhtsun Felix Wu; Brian Vetter; Xinyuan Wang; M. Brown; Jim Yuill; Chandramouli Sargor; Y. Frank Jou; Fengmin Gong

DECIDUOUS is a security management framework for identifying the sources of network-based intrusions. The first key concept in DECIDUOUS is dynamic security associations, which efficiently and collectively provide location information for attack sources. DECIDUOUS is built on top of the IETF's IPSEC/ISAKMP infrastructure, and it does not introduce any new network protocol for source identification in a single administrative domain. It defines a collaborative protocol for inter-domain attack source identification. The second key concept in DECIDUOUS is the management information integration of the intrusion detection system (IDS) and attack source identification system (ASIS) across different protocol layers. For example, in DECIDUOUS, it is possible for a network-layer security control protocol (e.g., IPSEC) to collaborate with an application-layer intrusion detection system module (e.g., an IDS for the SNMP engine). In this paper, we present the motivations, design, and prototype implementation of the DECIDUOUS framework.


international workshop on quality of service | 1999

Securing QoS threats to RSVP messages and their countermeasures

Tsung-Li Wu; Shyhtsun Felix Wu; Zhi Fu; He Huang; Fengmin Gong

In this paper, we study one type of DoQoNS (denial of quality of network service) attack: attacks directly on the resource reservation and setup protocol. In particular, we have studied and analyzed the RSVP protocol. Our two contributions are: first, we performed a security analysis of RSVP which demonstrates the key vulnerabilities of its distributed resource reservation and setup process. Second, we proposed a new secure RSVP protocol, SDS/CD (selective digital signature with conflict detection), which combines the strengths of attack prevention and intrusion detection. SDS/CD resolves a fundamental issue in network security: how to protect the integrity, in an end-to-end fashion, of a target object that is mutable along the route path. As a result, we will show that SDS/CD can deal with many insider attacks that cannot be handled by the current IETF/RSVP security solution: hop-by-hop authentication.


recent advances in intrusion detection | 2000

Intrusion-detection for incident-response, using a military battlefield-intelligence process

Jim Yuill; F. Wu; J. Settle; Fengmin Gong; R. Forno; M. Huang; J. Asbery

A network device is considered compromised when one of its security mechanisms is defeated by an attacker. For many networks, an attacker can compromise many devices before being discovered. However, investigating devices for compromise is costly and time-consuming, making it difficult to investigate all, or even most, of a network's devices. Further, investigation can yield false-negative results. This paper describes an intrusion-detection (ID) technique for incident-response. During an attack, the attacker reveals information about himself and about network vulnerabilities. This information can be used to identify the network's likely compromised devices (LCDs). Knowledge of LCDs is useful when limited resources allow only some of the network's devices to be investigated. During an on-going attack, knowledge of LCDs is also useful for tactical planning. The ID technique is based on the US military's battlefield-intelligence process. Models are constructed of the network, as the battlespace. Also, models are constructed of the attacker's capabilities, intentions, and courses-of-action. The Economics of Crime, a theory which explains criminal behavior, is used to model the attacker's courses-of-action. The models of the network and the attacker are used to identify the devices most likely to be compromised.


darpa information survivability conference and exposition | 2000

Celestial security management system

Chong Xu; Fengmin Gong; Ilia Baldine; C. Sargor; F. Jou; Shyhtsun Felix Wu; Zhi Fu; He Huang

There has been a vast amount of research and development effort aimed at providing solutions and products that address the security needs of the information age. Each solution tends to address only a particular facet of the security problem and is accessible only to a limited set of protocols or applications. Moreover, ad hoc deployment of some solutions (e.g., firewalls and IPsec) can hinder our ability to collaborate across networks. A very important question is how any application can discover the policy restrictions brought about by these solutions/mechanisms, and make efficient use of them to satisfy the application's security goals. The Celestial project addresses this question by developing a security management architecture that can (1) automatically discover effective security policies and mechanisms along any network path, (2) dynamically configure security mechanisms across protocol layers and across the network, and (3) adaptively re-configure these mechanisms to maintain certain levels of security services when the network is under stress. This paper describes the Celestial system design and implementation, and reports the current status of the project.


Archive | 1997

Architecture Design of a Scalable Intrusion Detection System for the Emerging Network Infrastructure

Y. Frank Jou; Shyhtsun Felix Wu; Fengmin Gong; W. Rance Cleaveland; Chandru Sargor


recent advances in intrusion detection | 1999

Intrusion Detection for an On-Going Attack.

Jim Yuill; Shyhtsun Felix Wu; Fengmin Gong; Ming-Yuh Huang


Scientific Programming | 1997

Intrusion Detection for Link-State Routing Protocols

Shyhtsun Felix Wu; Feiyi Wang; Brian Vetter; W. Rance Cleaveland; Y. Frank Jou; Fengmin Gong; C. Sargor


Archive | 2002

Method and apparatus for adaptively classifying network traffic

Shyhtsun Felix Wu; Aiguo Fei; Fengmin Gong

Collaboration

Top co-authors of Fengmin Gong and their affiliations:

Chong Xu (North Carolina State University)
Zhi Fu (North Carolina State University)
Ilia Baldine (Renaissance Computing Institute)
Jim Yuill (North Carolina State University)
Feiyi Wang (North Carolina State University)
Tsung-Li Wu (North Carolina State University)
Brian Vetter (North Carolina State University)
F. Wu (North Carolina State University)