December 19, 2002 Kai Hwang, USC 1
Wireless PKI and Distributed IDS Research Projects at USC
Kai Hwang
Internet and Pervasive Computing Laboratory
University of Southern California
Email: [email protected]
http://ceng.usc.edu/~kaihwang
Current Research Projects
• Cost-effective cluster platform for supporting wireless PKI (WPKI) with high security, scalability, availability, and interoperability
• Distributed Intrusion Detection Systems (IDS) for protecting clusters and Intranets in pervasive computing and mobile E-Commerce applications
• Wireless Gateway architecture with extensive software and middleware development for supporting PKI, AAA, and IDS in achieving proactive intrusion responses
Securing Clusters, LANs, Intranets, WANs, Grids, and Internet Resources with intrusion detection and automatic recovery from malicious attacks

Design Goals: Distributed dynamic security and privacy to support fine-grain resource access with automatic intrusion prevention, detection, and responses

[Figure: security versus scalability. The horizontal axis runs from Cluster/LANs through Intranet/WANs to Grid/Internet (increasing scalability); the vertical axis runs from "no protection" to "fully secured" (increasing security). Three stages are marked: server clusters or Web sites with no security protection; Intranets or WANs protected by firewalls under a static policy, fixed cryptography and limited scalability; and the design goal above.]
Core Technology in Wireless Internet

[Figure: a multi-mode mobile station attaches through several radio access networks (RAN 1: WLAN; RAN 2: CDMA; RAN 3: WCDMA or UMTS; RAN n: other access technology) to a unified all-IP core network, which reaches Intranets and the Internet over an IP backhaul through the Mobile Internet Edge.]

Mobile Internet Edge:
• Mobile Internet Edge product
• WTCP and WTLS software suites
• Cluster platform for wireless gateway
• Storage-area networking and RAID

Multi-mode Mobile Station:
• WTCP
• WTLS
• 1x EV-DO + WLAN
• Chipset
Market Analysis of PKI and WPKI in Internet Security Arena
Basic Wireless Security Requirements:
• Confidentiality of exchanges - make sure that nobody can listen in.
• Authentication - certify the identities of the parties involved.
• Data integrity - assurance that data is not tampered with in transit.
• Non-repudiation of transactions - assure that agreements are legally binding.
Wireless Internet Access and WAP Gateway Functionality Based on WTLS Technology

WTLS (Wireless Transport Layer Security) is the protocol that implements transport-layer security for wireless clients within the WPKI (Wireless Public Key Infrastructure).
Wireless PKI (WPKI) Platform: Software and System Development for Securing Mobile E-Commerce
WTLS Stack over Wireless Gateway

  Phone        Wireless Gateway            Web Server
  Browser                                  Server
  WTLS         WTLS    |  TLS              TLS
  WDP          WDP     |  TCP              TCP
  Bearer       Bearer  |  IP               IP
     -- wireless network link --  -- wired network link --

WTLS = Wireless Transport Layer Security. The gateway terminates the phone's WTLS session and opens a separate TLS session to the Web server, so between the two stacks inside the gateway the data is in the clear.
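The "data in the clear" label in the figure is the security-relevant point of this slide: WTLS ends at the WAP gateway and a separate TLS session begins there, so the gateway, and anyone who compromises it, sees every message in plaintext. The Python below is added here as an illustration and is not code from the USC project. The phone shares one session key with the gateway and the gateway a different one with the server; record protection is a stand-in built from HMAC-SHA256 (keystream XOR with an encrypt-then-MAC tag), not the WTLS or TLS record layer, and the keys, sequence numbers and message are constructed for the example.

```python
"""Added example (not USC code): toy model of the WTLS-over-gateway stack.
The gateway must decrypt every record before re-encrypting it for the
server; that decrypted copy is the "data in the clear" on the slide."""
import hmac
import hashlib
import os


def derive(session_key: bytes, label: bytes) -> bytes:
    """Key separation: distinct encryption and MAC keys from one session key."""
    return hmac.new(session_key, label, hashlib.sha256).digest()


def keystream(enc_key: bytes, seq: int, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in, illustration only)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, seq.to_bytes(8, "big") + block.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(session_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC record: seq || ciphertext || 16-byte tag."""
    ks = keystream(derive(session_key, b"enc"), seq, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(derive(session_key, b"mac"), seq.to_bytes(8, "big") + ct,
                   hashlib.sha256).digest()[:16]
    return seq.to_bytes(8, "big") + ct + tag


def open_record(session_key: bytes, record: bytes) -> bytes:
    """Verify the MAC first, then decrypt; raise on tampering or wrong key."""
    seq = int.from_bytes(record[:8], "big")
    ct, tag = record[8:-16], record[-16:]
    expected = hmac.new(derive(session_key, b"mac"), record[:8] + ct,
                        hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record MAC check failed")
    ks = keystream(derive(session_key, b"enc"), seq, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class WapGateway:
    """Terminates the phone's WTLS session and originates a TLS session to
    the server.  Everything it forwards passes through `seen_in_clear`."""

    def __init__(self, wtls_key: bytes, tls_key: bytes):
        self.wtls_key = wtls_key
        self.tls_key = tls_key
        self.seen_in_clear = []   # what an attacker on the gateway could read

    def relay(self, wtls_record: bytes, seq: int) -> bytes:
        plaintext = open_record(self.wtls_key, wtls_record)  # WTLS ends here
        self.seen_in_clear.append(plaintext)
        return seal(self.tls_key, seq, plaintext)             # TLS starts here


def phone_to_server_via_gateway(message: bytes):
    """One message phone -> gateway -> server; returns what the server got
    and the list of plaintexts the gateway handled on the way."""
    wtls_key = os.urandom(32)   # phone <-> gateway session key (constructed)
    tls_key = os.urandom(32)    # gateway <-> server session key (constructed)
    gw = WapGateway(wtls_key, tls_key)
    wtls_record = seal(wtls_key, 1, message)   # phone sends over WDP/bearer
    tls_record = gw.relay(wtls_record, 1)      # gateway decrypts and re-encrypts
    at_server = open_record(tls_key, tls_record)
    return at_server, gw.seen_in_clear


def tampered_record_is_rejected(message: bytes) -> bool:
    """Integrity check: flipping one ciphertext bit must fail the MAC."""
    key = os.urandom(32)
    rec = bytearray(seal(key, 7, message))
    rec[8] ^= 0x01
    try:
        open_record(key, bytes(rec))
    except ValueError:
        return True
    return False
```

`phone_to_server_via_gateway(b"PIN=1234")` returns the PIN as received by the server together with `seen_in_clear`, which holds the same PIN: confidentiality between phone and server is only as good as the gateway host. End-to-end protection needs a key the gateway never holds.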
Interoperability of WPKI with Traditional PKI

[Figure: two PKI domains joined by the WPKI expansion. On the wireless side, mobile clients (mobile devices with smart cards) speak WTLS to a WAP gateway, which speaks SSL/TLS to the mobile services server; an RA for mobile (PKI portal) forwards WTLS certificate requests (PKCS #10) to the WPKI CA server, which issues WTLS certificates. On the traditional side, a traditional RA, a directory server (X.500/LDAP), conventional CA servers and other CA servers issue and publish X.509 certificates. PKCS #7, PKCS #15 and OCSP appear as the formats and status protocol exchanged between the components.]
Layered Development of the WPKI Portal
Distributed Micro-Firewalls for Protecting Intranets

M. Gangadharan and K. Hwang, "Intranet Security with Micro Firewalls and Mobile Agents for Proactive Intrusion Response", IEEE International Conference on Computer Networks and Mobile Computing, Beijing, China, October 16-19, 2001.
Distributed Firewall Architecture Built in the Trojans Cluster at USC

[Figure: the Internet reaches the cluster through a router into a demilitarized zone holding the gateway firewall and policy manager; a second router and a switched network connect the internal nodes, each of which runs its own micro-firewall.]
Implementing Micro-Firewall in the Linux Kernel

[Figure: user space holds the user programs; the system call interface leads into kernel space, where the micro-firewall (packet filter, anomaly detection, access logging) sits beside the TCP/IP stack and the memory, file and process managers; the hardware layer comprises network cards, disk drives and main memory.]

K. Hwang and M. Gangadharan, "Micro-Firewalls for Dynamic Security with Distributed Intrusion Detection", IEEE International Symposium on Network Computing and Applications, Cambridge, MA, Oct. 8-12, 2001.
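As an added illustration, not the USC kernel code, the following Python models the three functions the figure places in the micro-firewall (packet filter, anomaly detection, access logging) over constructed packet records. The real module runs in kernel space between the TCP/IP stack and the system-call interface; this user-space model keeps one decision order per packet: dynamic per-host blocks first, then the anomaly detector, then the static rule table, with every decision logged. The scan threshold, the rule table and the packets are assumptions of the example.

```python
"""Added example (not USC code): user-space model of a host micro-firewall
with a static packet filter, a port-scan anomaly detector and an access log."""
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "t proto src dst dport flags")  # t in seconds


class MicroFirewall:
    def __init__(self, rules, scan_ports=5, window=2.0):
        # Static rules: (proto, dport, action) checked in order; default DENY.
        self.rules = list(rules)
        self.blocked = set()              # dynamic per-host blocks (response)
        self.scan_ports = scan_ports      # distinct ports per src in window
        self.window = window
        self.seen = defaultdict(list)     # src -> [(t, dport), ...]
        self.log = []                     # access log entries

    def _static_verdict(self, p):
        for proto, dport, action in self.rules:
            if proto == p.proto and (dport is None or dport == p.dport):
                return action
        return "DENY"

    def _anomaly(self, p):
        """Port-scan heuristic: one source touching >= scan_ports distinct
        ports within `window` seconds.  Only SYNs (new connections) count,
        and probes to denied ports count too, so a scan that only hits
        closed ports is still caught."""
        if "S" not in p.flags:
            return False
        hist = self.seen[p.src]
        hist.append((p.t, p.dport))
        recent = {d for t, d in hist if p.t - t <= self.window}
        return len(recent) >= self.scan_ports

    def process(self, p):
        if p.src in self.blocked:
            verdict = "DROP(blocked)"
        elif self._anomaly(p):
            self.blocked.add(p.src)       # proactive response at the host
            verdict = "DROP(scan)"
        else:
            verdict = self._static_verdict(p)
        self.log.append(f"t={p.t:.1f} {p.proto} {p.src}->{p.dst}:{p.dport} {verdict}")
        return verdict


def run_demo():
    """Constructed traffic: one legitimate SSH client and one host probing
    six ports in under a second.  Returns (verdicts, log, blocked hosts)."""
    rules = [("tcp", 22, "ACCEPT"), ("tcp", 80, "ACCEPT"), ("tcp", 23, "DENY")]
    fw = MicroFirewall(rules)
    traffic = [Packet(0.0, "tcp", "10.0.0.5", "10.0.0.12", 22, "S")]
    traffic += [Packet(0.1 * i, "tcp", "10.0.0.99", "10.0.0.12", port, "S")
                for i, port in enumerate([21, 22, 23, 25, 80, 110], start=1)]
    traffic.append(Packet(1.0, "tcp", "10.0.0.99", "10.0.0.12", 22, "S"))  # after block
    traffic.append(Packet(1.2, "tcp", "10.0.0.5", "10.0.0.12", 23, "S"))   # telnet
    return [fw.process(p) for p in traffic], fw.log, fw.blocked
```

Note the caveat a threshold detector carries: the scanner's second probe (to port 22) is accepted by the static table before the threshold is reached, so the detector limits, rather than prevents, what a scan learns; lowering `scan_ports` trades that against false positives on busy clients.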
Distributed Intrusion Detection and Response in a Linux Cluster
Wireless Gateway Platform for Fast Prototyping of Various Gateway Products in All-IP Networks

[Figure: the wireless gateway platform is the common base for WLAN gateway, GGSN, SGSN, PDSN and media gateway products.]
The Cluster Architecture of a GGSN Gateway in a UMTS Network

Legend: PDN: Packet Data Network; Gi: interface to PDN; Gn: interface to SGSN; Ga: interface to billing and NMS; Gp: interface to PLMN; PN: processing node; DN: database node; RAID: redundant array of independent disks.

[Figure: the GGSN cluster connects over Gn to the SGSN on the backbone IP core network, over Gi/Gp to the Internet, Intranet, PDN and other PLMNs, and over Ga to the billing system and the network management system. Inside the cluster, two dispatchers front a router, an Ethernet switch, processing nodes (PN), database nodes (DN) holding the IP database, and RAID for OS and backup storage.]
Cluster Middleware, Linux Extensions, and Hardware Support of High Availability

[Figure, top to bottom:]
IP packet applications
Cluster management middleware: fault management, availability management, failover support, failback support, packet switching
Linux OS extensions: HA interface, HA/HW drivers, I/O drivers, platform management drivers
Linux on each CPU of the cluster
Hardware support: hot-swap devices, router interfaces, redundant cluster interconnects, redundant power, redundant cooling
Upgrading AAA to Secure Mobile Internet Access through Wireless Gateways
• Access equipment includes the SGSN, GGSN, FA, HA, or PDSN, which can be prototyped on the IST wireless platform.
• Improve the RADIUS server so that it provides AAA services with higher reliability, performance, and scalability for billing, auditing, and network planning.
• Must consider integration capability, multi-vendor support, multi-access support, and support for multiple accounting records.
Concluding Remarks:
• HA clusters and distributed RAID need dynamic SAN reconfiguration and fault-tolerant data storage management
• Explore wireless access technologies to build gateways, WPKI, and WTCP platforms for wireless Internet applications
• Provide superior security, high availability, and cost-effective scalability in cluster, grid and pervasive computing for a digital society
USC Linux Cluster with Middleware for Security and Checkpoint Recovery

[Figure, top to bottom: Web/Windows user interface; programming environments (Java, EDI, HTML, XML); other subsystems (database, OLTP, etc.); security and checkpointing middleware; single-system image and availability infrastructure; Linux on each Pentium PC; Gigabit network interconnect.]
Policy Update Mechanisms
• Report format: XML
• Message exchange protocol: SOAP
• Firewall: iptables
• IDS software: Snort, LogSentry
High-Availability Clusters and SAN Projects
• Distributed software RAID built with a single I/O space in Linux/Unix clusters in a SAN environment
• Developing software and middleware suites for DSM (Data Storage Management) and RAS (Reliability, Availability, and Serviceability) in SAN/RAID applications
Certificate Validation with WTLS and SCVP Protocols in Wireless Networks
• WTLS operates over a datagram protocol and demands end-to-end security through certificate validation.
• The IST team implements a short-lived SCVP (Simple Certificate Validation Protocol) to protect.
• Delegated validation will enable faster PKI integration and provide centralized certificate policy management, and thus better control over trust.
Dynamic Firewall Rule Update in Host-based Micro Firewall

[Figure: components FLOGCHEK, FCMP, GPG, CERT_MAN and CS, with a sender's repository and a receiver's repository, each holding a key ring, on top of iptables, Snort and Logcheck on the host. Flow: the sender notifies the receiver, transmits encrypted and signed attribute certificates (ACs), and the receiver applies the updated rules; both repositories answer database queries from users.]
All-IP Backbone Network in 3G/UMTS

[Figure: on the radio side, Node B and the RNC (Iu-PS) and the BS/BSC/PCU (Gb) attach through the RAN to the SGSN; the SGSN connects over Gn to the GGSN, over Gr to the HLR/AC (the GGSN over Gc), and over Gp to other PLMNs; the GGSN reaches the Internet, Intranet and PDN over Gi, and the PSTN through a gateway (GW) and multimedia call server; RADIUS, WAP/PTM servers and the NMS (Ga) sit on the IP backbone core network. Interface labels shown: Gm, Ga, Gb, Gi, Gp, Gn, Gc, Gr, Iu-PS, Lu-bis.]
Value-Added Middleware Development (Hwang et al., IEEE Concurrency, March 1999)

[Figure, three levels:]
Programming level: user applications
Management level: job management system (GLUnix, LSF, Codine); single file hierarchy (NFS, AFS, xFS, Proxy); distributed shared memory (TreadMarks, Wind Tunnel); checkpointing and process migration; single process space; single I/O space (SIOS)
Implementation level: cluster hardware and OS platform
Increasing Demand for Secure Wireless and Pervasive Applications:
• LANs, clusters, Intranets, WANs, Grids, and the Internet all demand security protection, fault tolerance, and hacker-proof operation, which are crucial to a digital society and economy.
• Distributed storage-area networks demand HW/SW support for a single I/O space and global file and database management in all network-based computing applications.
• Many innovative applications exist in mobile wireless services, E-commerce, telemedicine, distance education, collaborative design, pervasive computing, digital entertainment, etc.
Dynamic Policy Update Cycle
1. Local attacks are detected at a node
2. The node reports to the policy manager
3. The policy manager decides the proper action
4. The policy manager broadcasts the updated policy
5. Each local node takes action upon receiving the message
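The five steps of the cycle can be run end to end as one program. The Python below is an added example, not the USC implementation; it uses the mechanisms named on the "Policy Update Mechanisms" slide (a Snort alert as the local detection, an XML report, an iptables rule as the node's action) and signs the broadcast policy with an HMAC-SHA256 over a key shared between the policy manager and the nodes, standing in for the GPG-signed attribute certificates of the real system. The alert line, node name, IP addresses, policy version numbers and the shared key are constructed for the demonstration, and the iptables command is returned as a string rather than executed.

```python
"""Added example (not USC code): one pass through the dynamic policy update
cycle: IDS alert -> XML report -> manager decision -> signed broadcast ->
node verification and iptables rule."""
import hashlib
import hmac
import json
import re
import xml.etree.ElementTree as ET

# Constructed Snort "fast" alert line, as the local IDS on node n2 would log it.
ALERT_LINE = ("12/19-10:42:01.123456 [**] [1:469:1] ICMP PING NMAP [**] "
              "[Classification: Attempted Information Leak] [Priority: 2] "
              "{ICMP} 10.0.0.99 -> 10.0.0.12")

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?")


def step1_detect(line):
    """Step 1: local IDS output -> structured alert (None if not an alert)."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def step2_report(node, alert):
    """Step 2: node -> policy manager, as the XML report format on the slide."""
    root = ET.Element("report", node=node)
    ET.SubElement(root, "alert", sid=alert["sid"], priority=alert["prio"],
                  proto=alert["proto"], src=alert["src"], dst=alert["dst"],
                  msg=alert["msg"])
    return ET.tostring(root, encoding="unicode")


def step3_decide(report_xml, version):
    """Step 3: policy manager decision.  Priority 1 or 2 alerts block the
    source on every node; lower priorities are only logged (assumed policy)."""
    a = ET.fromstring(report_xml).find("alert")
    action = "DROP" if int(a.get("priority")) <= 2 else "LOG"
    return {"version": version, "rules": [{"src": a.get("src"), "action": action}]}


def step4_broadcast(policy, key):
    """Step 4: serialise canonically and sign (HMAC stands in for GPG)."""
    body = json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def step5_apply(message, key, local_version):
    """Step 5: node verifies the signature, refuses stale or replayed
    versions, then renders the iptables commands its micro-firewall would
    run.  Returns (new version, commands); nothing is executed."""
    expected = hmac.new(key, message["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["tag"]):
        raise ValueError("policy signature invalid")
    policy = json.loads(message["body"])
    if policy["version"] <= local_version:
        raise ValueError("stale or replayed policy version")
    cmds = [f"iptables -I INPUT -s {r['src']} -j {r['action']}"
            for r in policy["rules"]]
    return policy["version"], cmds


def run_cycle(line=ALERT_LINE, key=b"constructed-shared-key", local_version=3):
    alert = step1_detect(line)
    report = step2_report("n2", alert)
    policy = step3_decide(report, version=local_version + 1)
    message = step4_broadcast(policy, key)
    return step5_apply(message, key, local_version)
```

Two checks in step 5 are the ones a practitioner wants in any broadcast of firewall rules: the signature is compared with `hmac.compare_digest`, and a monotonically increasing version stops an attacker from replaying an old, permissive policy to a node that has since been hardened.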
WPKI Product Line and IP Chart: The Platform and Software Suite

WPKI Platform
• Wireless gateway with enhanced security
• CA system
• PKI portal (RA)
• Directory server

WPKI Software Suite
• The CA software
• PKI portal software
• Client toolkits
• Crypto library
Web Model and WAP (Wireless Application Protocol) Architecture
Comparison of Agents, CORBA, and RMI for Security-Policy Update on Intranets or Clusters

Capability | Mobile Agents | CORBA Middleware | RMI Middleware
Central policy coordination | Autonomous; require no coordination once dispatched | The policy manager coordinates all communications | The policy manager acts as the RMI registry to coordinate among all nodes
Reaction time to policy change | Increases with the number of agents dispatched | Faster than agents or RMI in reacting to a policy change | Slower than CORBA and faster than the agent-based system for policy update
Hosts fortified with micro-firewalls | Agents carry most of the mechanisms required to update the security policy | Requires ORB middleware support on all hosts in the Intranet | Requires a JVM to be present on all hosts
Security mechanisms | Use authentication and encryption; still prone to attacks from hosts/agents | Security implemented with CORBASec | Best of the three, implemented with the Java sandbox model
Update process termination | Multiple agents used autonomously; the policy update always completes | Implemented at application level using RPC-like semantics | Implemented at application level using RPC-like semantics
Distributed Intrusion Responses

Security threat | Effectiveness in using micro-firewalls
Insider attacks | Protect hosts against attacks from insiders
Denial-of-service attacks | Protect against denial-of-service attacks from any source
Trojan programs | Protect hosts from trapdoors from any source
IP address spoofing | Can be reconfigured to prevent IP spoofing at the client host level
Probes and scans | Used with IDS to block probes and scans close to their sources
Unauthorized external access | Can prevent unauthorized access to external networks at the source
Attacks on Intranet infrastructure | Resist both internal and external attacks and provide fine-grained access control
Adaptive Security Control: agents detect threats, learn from intrusion patterns, and update security safeguards

[Figure: Adaptive Security = Security Safeguards (firewall, authentication, access control, encryption) + Detect Threats + Detect Vulnerabilities + Response]
A Sensor Agent for Distributed Intrusion Detection

[Figure: the sensor agent holds memory for saving state information, a communication subsystem for interactions with local nodes and with remote nodes, the host/agent interaction sequence, and a decision-making system.]
Distributed Intrusion Detection System (DIDS)

[Figure: a sensor controller stores intrusion data in the intrusion database, governed by the security policy; the decision-making system takes requests and dispatches responses to the mobile firewalls on the cluster nodes through an RMI-based IDS subsystem.]
The DIDS Testbed Architecture
• 6 Pentium II 500 MHz machines with 64 MB RAM
  - Red Hat Linux 7.3 (kernel 2.4.18)
  - 1 policy manager
  - 4 nodes
  - 1 attack machine
• Fast Ethernet connection
• 3Com SuperStack II 3300 Ethernet switch
Attack Generators
• Scanners
  - IP range scanner
  - Port scanner
  - Ping scanner
• Penetrators
  - FTP/TCP/UDP flooder
  - Mail spoofing
  - Buffer overloader
Security Software Support
Intrusion Detection System (IDS)
• Snort - NIDS
• LogSentry - log auditor
• Tripwire - file integrity check
• PortSentry - port scan monitoring and auto-blocking
Firewall
• Iptables
Access Control
• TCP Wrapper - allow/deny hosts on the basis of services
Wireless Security Projects:
• Development of wireless security features in the IEEE 802.11b and HiperLAN/2 standards
• Securing gateways, SAN, clusters, and intranets with distributed micro-firewalls
• Certificate validation with WTLS and SCVP protocols in wireless networks
• Upgrading AAA solutions for securing wireless gateway infrastructure
• Completing the security chain among smart cards, PKI, and digital signatures
Wireless Threats from Viruses and Malicious Mobile Code
• Masquerading - identity misuse
• Denial of service - resource occupation
• Unauthorized access - intrusions
• Repudiation - disputing services provided
• Eavesdropping - secrecy interception
• Alteration - data/code integrity
• Copy and replay - cloning of agents
Security Component Technologies
• Firewall architecture and cryptography
• Cluster middleware for dynamic security
• Anti-virus and digital immune systems
• Intrusion Detection Systems (IDS)
• Public Key Infrastructure (PKI)
• Authentication, Authorization, and Accounting (AAA)
Wireless LAN Security in IEEE 802.11b and HiperLAN/2
• IEEE 802.11b operates in the 2.4 GHz band with a highest data rate of 11 Mbps
• HiperLAN/2 by ETSI operates at 5 GHz and supports data rates over 50 Mbps
• The two WLAN standards are not interoperable
• Security issues: war driving, MAC addresses, Service Set ID (SSID), and Wired Equivalent Privacy (WEP) need to be addressed with authentication (RADIUS), third-party products, and firewall gateway control
• Growing use and popularity of WLANs ($2.2 billion market by 2004) require increased focus on security
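WEP is the concrete weakness behind the slide's list of issues to be solved. The Python below is an added example, not material from the USC project, showing one reason: WEP keys RC4 with a 24-bit IV prepended to the shared key and sends the IV in the clear, so two frames encrypted under the same IV share a keystream, and an attacker who knows one frame's content recovers the other without the key. RC4 is written out in pure Python (the real cipher, not a toy); the shared key, IV and frame bodies are constructed for the demonstration.

```python
"""Added example (not USC code): WEP keystream reuse under a repeated IV."""
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 (KSA + PRGA) as used by WEP; encryption and decryption coincide."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP frame body: IV (3 bytes, cleartext) || RC4_{IV||key}(payload || ICV).
    The ICV is a CRC-32 of the payload: a checksum, not a keyed MAC."""
    assert len(iv) == 3
    icv = zlib.crc32(payload).to_bytes(4, "little")
    return iv + rc4(iv + shared_key, payload + icv)


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: strip the IV, decrypt, check the ICV."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + shared_key, body)
    payload, icv = plain[:-4], plain[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return payload


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_from_iv_reuse(frame_a: bytes, known_payload_a: bytes,
                          frame_b: bytes) -> bytes:
    """Passive attacker: the two frames carry the same IV, so they were
    encrypted with the same keystream.  Knowing frame A's payload (e.g. a
    predictable header) yields that keystream, which decrypts frame B's
    prefix of the same length with no knowledge of the shared key."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("different IVs: keystreams differ, attack does not apply")
    keystream = xor_bytes(frame_a[3:], known_payload_a)
    return xor_bytes(frame_b[3:], keystream)


def demo() -> bytes:
    """Constructed 40-bit key, a reused IV, one known and one secret frame."""
    key = bytes.fromhex("0123456789")
    iv = b"\x00\x00\x01"
    known = b"GET /index.html HTTP/1.0\r\n"
    secret = b"PIN=1234&user=alice\r\n"
    frame_known = wep_encrypt(key, iv, known)
    frame_secret = wep_encrypt(key, iv, secret)
    return recover_from_iv_reuse(frame_known, known, frame_secret)[:len(secret)]
```

With only 2^24 IVs and many cards restarting the IV counter at zero, repeats are routine on a busy network, which is why the slide lists WEP among the issues that RADIUS authentication and gateway controls must compensate for rather than something those controls repair.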
Securing Gateways, SAN, Clusters, and Intranets with Distributed Firewalls
• Distributed micro-firewalls and IDS built into the IST wireless gateway platform
• Dynamic security policy update with attribute certificates (ACs) and mobile agents (Aglets)
• RMI, CORBA, FTP, HTTP, SMTP, and Aglets can be used for transporting security updates
• Provide the full spectrum of VPN security using IPSec, L2TP, PPTP, and PKI infrastructures
Charles Darwin (1809 - 1882)
"It is not the strongest of species that survive, nor the most intelligent, but the one most adaptable to change."