TU3_2-3O - ICALEPCS 2005

Construction and Management of a Secure Network in SPring-8
M. Ishii, T. Fukui, M. Kodera, T. Ohata, R. Tanaka
SPring-8, JAPAN
ICALEPCS 2005, Geneva, Switzerland
11-Oct-2005
Contents
• Introduction
• Network system in SPring-8
• Worm attacks
• Toward a secure network
– Installation of Security Gateway
• Operation
• Summary
Introduction
• In August 2003 the W32/Blaster computer worm spread explosively around the world.
• Because of the worm infection we couldn’t provide a fast, stable and secure network environment to the experimental users.
• We had introduced
– a firewall system against attacks from outside,
– Virtual-LAN (VLAN) and IP filtering to establish the independence of the experiment environment.
• A firewall, VLAN and IP filtering weren’t secure enough against worm attacks from inside.
• We required a new technical solution…
SPring-8
• SPring-8 was opened to public use in 1997.
• The total number of experimental users exceeded 9,000 in the year 2003.
[Figure: the experimental hall in the storage ring building, with Beamline-No.1 and Beamline-No.2 marked]
SPring-8 has 48 beamlines for synchrotron radiation experiments. Each beamline has an experimental station.
Network system
• Experimental users require a fast, stable and secure network environment.
• We had provided
– Gigabit Ethernet backbone (for fast)
– redundant system (for stable)
– firewall, VLAN, IP filtering (for secure)
[Figure: network diagram. Control-LAN is used to control accelerators, ID, BL. Office-LAN is a network for the facility public. BL-USER-LAN is a network for the experimental stations, Beamline-No.1 … Beamline-No.48, on a 1GbE backbone. A firewall on the 100Mbps internet link passes packets through only for predefined IP addresses and opens limited service ports (reject http, ftp, ping, ssh,…). Like a firewall, NAT stops IP packets from passing through directly from the Office-LAN. The network switch performs access control by IP filtering and uses VLAN for a logically independent LAN.]
[Figure: the same diagram annotated with what each device blocks. A firewall blocks worm attacks from the BL-USER-LAN. A firewall blocks worm attacks from the internet. A network switch blocks worm attacks from the Office-LAN by NAT. A network switch blocks worm attacks from a beamline to other beamlines by using VLAN and IP filtering.]
Worm attacks
[Figure: Beamline-No.1 connected through the network switch to the OA-LAN and the internet, with a graph of the CPU utilization of the network switch (axis up to 100%)]
1. A user connects the worm-infected laptop PC to the BL-USER-LAN.
2. The worm checked active machines as targets for attack by sending ping.
3. The network switch was overloaded by significantly increased ping traffic. It was caused by performing NAT on the CPU.
The worm traffic was about 200 kbps. (A ping packet size was about 100 byte.)
Toward a secure network
Necessity of technical solution
• We have to protect the BL-USER-LAN from computer worms.
– We installed a security gateway in the summer of 2004.
Selection criteria
Security type: Host or Network
[Figure: host type, where software on each PC guards it, versus network type, where the security equipment sits in the backbone]
Host type: the software guards each PC from worm attack. Host type needs many software licenses. We don’t install licensed software on the PCs of the many users coming from various institutions.
Network type: the security equipment is installed into the backbone.
We selected Network type.
Selection criteria
Security system: IDS or IPS
IDS is Intrusion Detection System.
[Figure: a hub copies traffic to the IDS; the worm packet passes through]
IDS monitors a packet and checks whether the packet is worm or not. If IDS detects a worm packet, it sends e-mail to a network administrator. The worm packet passes through.
IPS is Intrusion Prevention System.
[Figure: the IPS sits in-line in the traffic path]
When IPS receives a packet, it checks whether the packet is worm or not. IPS blocks the worm packet.
Our requirement: we want to block the spread of worms A.S.A.P.
“The greatest happiness of the greatest number”
We selected IPS.
Selection criteria
Other items
• Traffic throughput of IPS
– We required more than 200 Mbps. Before installation of the security gateway, total throughput was about 100 Mbps at a maximum.
• Easy management and easy operation
• Modifications for the system installation have to be minimal.
Installation of Security Gateway
[Figure: Control-LAN, Office-LAN and the BL-USER-LAN (Beamline-No.1 … Beamline-No.48), with the InterSpect placed inside the BL-USER-LAN]
In the summer of 2004, we installed a Security Gateway, InterSpect, inside the BL-USER-LAN.
InterSpect
• InterSpect is a product of
• It is invisible to the IP network (transparent mode).
• Traffic throughput is 500 Mbps.
– We measured the actual throughput.
– InterSpect certainly guarantees a throughput up to 500 Mbps.
• We will be able to integrate the management of the firewall and the InterSpect in the future.
• The hardware is a 1U Dell Inc computer.
• We purchased an InterSpect at $25,000.
– Additionally, the maintenance contract is $8,000 per year.
• It took about 4 hours to install an InterSpect.
– unpacking
– Mounting InterSpect to a 19” rack
– Coffee break
– Setting the configuration of InterSpect
– Running START!!
Quarantine (isolate)
[Figure: Beamline-No.1 … Beamline-No.48 behind the InterSpect; packets from the quarantined PC go to a “TRASH BOX”]
When a PC performs many port scans, InterSpect automatically quarantines the PC for 30 min. For 30 min, InterSpect drops all packets from the worm-infected PC. If the PC activity still exists at the end of the quarantine period, it is once more automatically quarantined.
[Figure: Beamline-No.1 … Beamline-No.48 with a clean PC and a worm-infected PC in the same beamline]
InterSpect passes through all packets from a clean PC in the same beamline. The worm-infected PC can still communicate with other PCs in the same beamline. Users have to guard their PC by themselves.
Operation of InterSpect
Operation experience
• Block (i.e. quarantine) the sweep port scanning (SPS) at the InterSpect!
– The worm infection uses many SPS (ping) to seek target machines.
– Merit: The blocking of SPS can prevent the preemptive attacks. A PC that performs SPS is automatically quarantined.
– Demerit: Once the SPS is blocked, we have no way to identify the variety of worms. A quarantined host is classified just as “suspicious”.
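The quarantine slide and the SPS operation notes above describe one mechanism: a PC that sweeps many targets has all its packets dropped for 30 minutes, and is quarantined once more if it is still active when the period ends. The following is an added example, not SPring-8's or InterSpect's code, that models that behaviour on a constructed packet trace. The 30-minute period is from the slides; the 60-second sweep window, the threshold of 20 distinct targets and the "still active in the last 60 s" rule are assumptions.

```python
"""Sweep-port-scan (SPS) detection with automatic 30-minute quarantine.

Added example, not SPring-8's or InterSpect's code. Models the slides' rule:
a PC that sweeps many targets is quarantined (all packets dropped) for 30 min
and is quarantined again if still active at the end of the period. Sweep
window, target threshold and grace period are assumptions; the trace is
constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from math import inf

QUARANTINE_SECONDS = 30 * 60   # from the slides: 30 min
SWEEP_WINDOW_SECONDS = 60      # assumption: distinct targets are counted per 60 s
SWEEP_THRESHOLD = 20           # assumption: 20 distinct targets in the window = a sweep
STILL_ACTIVE_GRACE = 60        # assumption: a packet in the last 60 s of quarantine = still active


@dataclass(frozen=True)
class Packet:
    t: float    # seconds since start of trace
    src: str
    dst: str
    proto: str  # "icmp" (ping) or "tcp"


class SecurityGateway:
    """Transparent in-line device: handle() returns "pass" or "drop" per packet."""

    def __init__(self):
        self._targets = defaultdict(deque)  # src -> deque of (t, dst) inside the window
        self.quarantined_until = {}         # src -> time the quarantine ends
        self._last_seen = {}                # src -> time of last packet while quarantined
        self.events = []                    # (t, src, "quarantine" | "requarantine" | "release")

    def _is_sweeping(self, pkt):
        window = self._targets[pkt.src]
        window.append((pkt.t, pkt.dst))
        while window and pkt.t - window[0][0] > SWEEP_WINDOW_SECONDS:
            window.popleft()
        return len({dst for _, dst in window}) >= SWEEP_THRESHOLD

    def _quarantine(self, pkt, kind):
        self.quarantined_until[pkt.src] = pkt.t + QUARANTINE_SECONDS
        self._last_seen[pkt.src] = pkt.t
        self._targets[pkt.src].clear()
        self.events.append((pkt.t, pkt.src, kind))

    def handle(self, pkt):
        end = self.quarantined_until.get(pkt.src)
        if end is not None:
            if pkt.t < end:                 # inside the 30 min: drop everything from this PC
                self._last_seen[pkt.src] = pkt.t
                return "drop"
            if end - self._last_seen.get(pkt.src, -inf) <= STILL_ACTIVE_GRACE:
                self._quarantine(pkt, "requarantine")   # still active at the end: once more
                return "drop"
            del self.quarantined_until[pkt.src]         # quiet at the end: release
            del self._last_seen[pkt.src]
            self.events.append((pkt.t, pkt.src, "release"))
        if self._is_sweeping(pkt):
            self._quarantine(pkt, "quarantine")
            return "drop"
        return "pass"


def run_demo():
    """Replay a constructed trace; returns verdicts and events for inspection."""
    gw = SecurityGateway()
    infected, clean = "192.0.2.10", "192.0.2.20"
    # the infected PC pings one new host per second across the beamline segment
    infected_verdicts = [gw.handle(Packet(t, infected, f"192.0.2.{100 + t}", "icmp"))
                         for t in range(25)]
    # a clean PC in the same beamline talks to a handful of hosts at the same time
    clean_verdicts = [gw.handle(Packet(t, clean, f"192.0.2.{50 + t}", "tcp"))
                      for t in range(5)]
    late = {
        "during_quarantine": gw.handle(Packet(1800, infected, "192.0.2.1", "icmp")),
        "at_end_still_active": gw.handle(Packet(1819, infected, "192.0.2.1", "icmp")),
        "after_quiet_period": gw.handle(Packet(3700, infected, "192.0.2.1", "icmp")),
    }
    return {"infected": infected_verdicts, "clean": clean_verdicts,
            "late": late, "events": [kind for _, _, kind in gw.events]}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

In the replay the infected PC is quarantined on its 20th distinct target, the clean PC is never touched, the packet at the end of the period re-quarantines the still-active PC, and a PC that went quiet is released; note that, as the demerit slide says, the gateway only ever learns that the host is "suspicious", not which worm it carries.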
Statistics
[Figure: number of quarantined hosts per month, Aug04 to Jul-05, vertical axis 0 to 90, stacked as “suspicious host”, “miss setting” and “identified worm”; annotations: “We didn’t block SPS. Fewer suspicious hosts than usual” and “zero”]
“miss setting” was caused by wrong detection on a pattern string. A pattern string for worm detection is simple. The detection string for the Sasser worm is “\\sarpc$”. Normal connections, such as Microsoft Active Directory, use this string. Don’t make the pattern-string rules for worm detection too strict!!
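To show the "miss setting" mechanism above, here is an added example that is not SPring-8's or InterSpect's code: a rule that fires on the slide's Sasser string “\\sarpc$” alone also matches constructed Active Directory style SMB connections, while a rule that additionally requires the source to be on the sweep-scan "suspicious" list (an assumed mitigation) quarantines only the already-suspicious host. The connection records, host addresses and suspicious list are constructed.

```python
"""A one-string worm signature versus the same string in legitimate traffic.

Added example, not SPring-8's or InterSpect's code. The detection string is
the one quoted on the slide; the connection records, addresses and the
"suspicious" list are constructed, and the correlated rule is an assumed
mitigation, not the product's.
"""
from dataclasses import dataclass

SASSER_STRING = r"\\sarpc$"   # detection string as printed on the slide


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    dst_port: int
    payload: str   # constructed excerpt of what the pattern matcher sees


def string_only_rule(conn):
    """The naive rule: any payload containing the string is treated as the worm."""
    return SASSER_STRING in conn.payload


def correlated_rule(conn, suspicious_hosts):
    """Verdict needs the string AND a source already flagged for sweep scanning."""
    return SASSER_STRING in conn.payload and conn.src in suspicious_hosts


SAMPLE_CONNECTIONS = [   # constructed
    # office PCs authenticating against the domain controller over SMB (port 445)
    Connection("192.0.2.31", "192.0.2.5", 445, r"\\DC01\IPC$ ... \\sarpc$ ..."),
    Connection("192.0.2.32", "192.0.2.5", 445, r"\\DC01\IPC$ ... \\sarpc$ ..."),
    # plain file share access with no such string
    Connection("192.0.2.33", "192.0.2.6", 445, r"\\FS01\data\report.xls"),
    # a host already quarantined for sweep scanning, now also showing the string
    Connection("192.0.2.99", "192.0.2.40", 445, r"... \\sarpc$ ..."),
]
SUSPICIOUS_HOSTS = {"192.0.2.99"}   # constructed: the sweep-scan quarantine list


def evaluate(connections=SAMPLE_CONNECTIONS, suspicious_hosts=SUSPICIOUS_HOSTS):
    """Return which sources each rule would quarantine."""
    naive = sorted({c.src for c in connections if string_only_rule(c)})
    correlated = sorted({c.src for c in connections
                         if correlated_rule(c, suspicious_hosts)})
    return {"string_only": naive,
            "correlated": correlated,
            "false_positives_avoided": sorted(set(naive) - set(correlated))}


if __name__ == "__main__":
    for rule, hosts in evaluate().items():
        print(f"{rule}: {hosts}")
```

The string-only rule would have quarantined both domain clients, which is exactly the "miss setting" bar in the chart; tying the signature to a second, behavioural indicator keeps the rule from being stricter than the traffic it inspects.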
• “Identified worm”
– When I checked the “quarantine list” of InterSpect, I found a host scanning many ports. I rushed to the suspicious host and searched for the worm by using the virus scan software.
 “Bingo!!” --> Trojan Horse. The host turned from “suspicious” to “real”.
• Anti-virus software was installed on the Trojan-infected PC, but the definition file was old.
– The license had already expired.
• For a year
– The total number of quarantined suspicious hosts: 282
– The total number of claims from quarantined users: 0
Quarantined PCs weren’t used for their experiment??
Summary
• We had introduced
– a firewall system: against attacks from outside
– VLAN and IP filtering: to establish the independence of beamlines. These technologies prevent the spread of worms between different beamlines.
• We introduced a Security Gateway to protect the backbone of the BL-USER-LAN.
• The total number of quarantined suspicious hosts was 282 for a year.
• A management policy is required to operate the Security Gateway well.
The BL-USER-LAN has been working well for a year, being protected by a Security Gateway.
Take care of your PC by yourself.
Worm attacks damage the network switch.
• It is related to the NAT architecture of the network switch.
[Figure: packet path through the CPU and the ASIC of the network switch]
1. When the network switch receives a packet, it translates the IP address on the CPU.
2. When the network switch receives the same session again (same source and destination), it handles the session by using the ASIC (Application Specific IC). --> The CPU is released from the packet processing load.
The worm infection sent ping packets to many different destination IP addresses while sweeping one network segment. The CPU had to translate all of the received IP addresses. --> Finally it reached its performance limit.
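The CPU/ASIC explanation above, and the worm-attack slide earlier that gives 200 kbps of roughly 100-byte pings, can be checked with a small model. The following is an added example, not SPring-8's or the switch vendor's code: it replays constructed traffic through a switch model in which only the first packet of each (source, destination) session costs a CPU translation and repeats are offloaded to the ASIC, and it converts the slide's traffic figures into a packet rate. The traffic samples and addresses are constructed.

```python
"""Why a ping sweep overloads a NAT switch that translates on the CPU and
offloads repeat sessions to an ASIC.

Added example, not SPring-8's or the switch vendor's code. The switch model
(first packet of a (src, dst) pair costs one CPU translation, later packets of
the same session go to the ASIC) follows the slides; traffic is constructed.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "src dst")


def nat_switch_load(packets):
    """Replay packets through the modelled switch.

    Returns (cpu_translations, asic_forwards): a (src, dst) pair seen for the
    first time is translated on the CPU; later packets of the same session are
    handled by the ASIC without touching the CPU.
    """
    session_table = set()
    cpu, asic = 0, 0
    for pkt in packets:
        key = (pkt.src, pkt.dst)
        if key in session_table:
            asic += 1
        else:
            session_table.add(key)
            cpu += 1
    return cpu, asic


def worm_packet_rate(traffic_bps, packet_bytes):
    """Packets per second implied by a traffic volume and an average packet size.

    With the slide's figures (200 kbps of worm traffic, ~100-byte pings) this is
    250 packets/s, each one to a new destination and so a new CPU translation.
    """
    return traffic_bps / (packet_bytes * 8)


def normal_traffic(n_packets_per_session=100):
    """Constructed sample: a few long-lived sessions (file transfer, web, ssh)."""
    sessions = [("10.0.1.10", "10.0.2.5"), ("10.0.1.11", "10.0.2.5"),
                ("10.0.1.12", "10.0.2.7")]
    return [Packet(s, d) for s, d in sessions for _ in range(n_packets_per_session)]


def sweep_traffic(src="10.0.1.99", prefix="10.0.2."):
    """Constructed sample: one ping to every host of a /24, as a sweeping worm does."""
    return [Packet(src, f"{prefix}{host}") for host in range(1, 255)]


def cpu_share(packets):
    """Fraction of packets that had to be processed on the CPU."""
    cpu, asic = nat_switch_load(packets)
    return cpu / (cpu + asic)


if __name__ == "__main__":
    print("normal traffic CPU share:", cpu_share(normal_traffic()))   # 0.01
    print("sweep traffic CPU share :", cpu_share(sweep_traffic()))    # 1.0
    print("worm packets/s at 200 kbps, 100-byte pings:",
          worm_packet_rate(200_000, 100))                             # 250.0
```

The model makes the slide's point visible: 300 packets of ordinary traffic cost 3 CPU translations, while 254 sweep packets cost 254, and at the slide's 200 kbps that is about 250 new translations per second landing on the CPU rather than on the ASIC.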