A Research Project of InterSOC Cooperation b/w Keio and Hitachi - - PowerPoint PPT Presentation



SLIDE 1

A Research Project of InterSOC Cooperation b/w Keio and Hitachi

Graduate School of Science and Technology, Keio Univ. Headquarters of Information Technology Center, Keio Univ.

11/20/2017@Mita Campus, Keio Univ.

Takao KONDO latte@itc.keio.ac.jp

SLIDE 2

Security Operation in Keio Univ.

  • KEIO-NET has 3 PoPs for upstream networks
    – For WIDE-BB: 1 PoP
    – For SINET: 2 PoPs
  • Installed next generation firewalls at the upstream network boundary and the campus boundaries
    – Conducts application protocol analysis
    – Separates security zones by each campus (zero trust approach)

11/20/2017 2

[Diagram: KEIO-NET (AS38635) reaches the Internet via SINET (AS2904) and WIDE-BB (AS2500); campuses Hiyoshi, Yagami, Mita, Shinanomachi, Fujisawa and Shiba are shown, with routers and firewalls marked. KEIO-NET prefixes: 131.113.0.0/16, 133.27.0.0/16, 2001:df0:eb::/48, 2001:200:167::/48, 2001:200:1c0::/48]

SLIDE 3

Features of University Networks

  • Research and Education (RandE) networks
    – Assigned to each faculty and department
    – Basically operated by the assigned faculty and department (out of regard for research and education activities)
    – Information Technology Center (ITC) monitors RandE network traffic by FWs
  • Administration (Adst) networks
    – Assigned to administration offices
    – Basically operated by ITC
    – ITC installed full-stack security software (TLS proxy, mail security, vulnerability scanner etc.) into the Adst networks


Necessary to suppress excessive security scanning in RandE networks

SLIDE 4

Keio SOC / WIDE SOC

  • WIDE-BB: nationwide RandE backbone network
    – Operational and experimental network
    – Commodity traffic and Darknet traffic can be captured
  • KEIO-NET: Service network in Keio Univ.
    – Flow info (5 tuples) analysis, L7 analysis by FWs

[Diagram: WIDE-BB (AS2500) with its Darknet and WIDE Neighbors, and KEIO-NET (AS38635) with the campuses Hiyoshi, Mita, Shiba, Fujisawa and Shinanomachi; routers, firewalls, a Flow collector and an L7 Analyzer are marked.]

SLIDE 5

Use-cases of InterSOC Cooperation

  • Vulnerable hosts list (stub => upstream)
    – E.g., hosts which have a bad CVSS score
  • Darknet analysis result (upstream => stub)
    – Early threat warning: e.g., the number of accesses to dst port 445 rose sharply about two weeks before the world's first report of WannaCry infections

Necessary to conduct access control for cooperation

[Diagram: CVSS scoring in Keio Univ.; access pattern analysis in WIDE-BB; finding vulnerable hosts in the other stubs; Vulnerable hosts list (WIDE <= Keio); Analysis results (WIDE => Stub Nets)]
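The early-warning signal above, as added detection logic in Go (not code from the slides or from the Keio/WIDE project), run over constructed 5-tuple flow records: it counts flows to dst port 445 per day and flags a day whose count is at least a chosen factor above the mean of the preceding days. The record format, the factor and the baseline length are assumptions.

```go
package main

import (
	"sort"
	"strings"
)

// Constructed darknet flow records (not real captures): date, src, dst, proto, dst port.
const sampleFlows = `2017-04-26 203.0.113.5 198.51.100.9 tcp 445
2017-04-27 203.0.113.8 198.51.100.3 tcp 445
2017-04-27 203.0.113.9 198.51.100.3 udp 53
2017-04-28 203.0.113.5 198.51.100.9 tcp 445
2017-04-28 203.0.113.6 198.51.100.9 tcp 445
2017-04-29 203.0.113.1 198.51.100.4 tcp 445
2017-04-29 203.0.113.2 198.51.100.4 tcp 445
2017-04-29 203.0.113.3 198.51.100.4 tcp 445
2017-04-29 203.0.113.4 198.51.100.4 tcp 445
2017-04-29 203.0.113.8 198.51.100.4 tcp 445`

// CountPerDay counts flows whose dst port equals port, keyed by day; malformed lines are skipped.
func CountPerDay(flows, port string) map[string]int {
	counts := map[string]int{}
	for _, line := range strings.Split(strings.TrimSpace(flows), "\n") {
		f := strings.Fields(line)
		if len(f) == 5 && f[4] == port {
			counts[f[0]]++
		}
	}
	return counts
}

// SharpRise returns the days whose count is at least factor times the mean of all earlier days,
// once minDays of baseline exist. Days with no matching flows are absent from perDay (fill them
// with zeros for a stricter baseline).
func SharpRise(perDay map[string]int, factor float64, minDays int) []string {
	days := make([]string, 0, len(perDay))
	for d := range perDay {
		days = append(days, d)
	}
	sort.Strings(days) // ISO dates sort chronologically as strings
	var alerts []string
	sum := 0
	for i, d := range days {
		if i >= minDays && float64(perDay[d])*float64(i) >= factor*float64(sum) {
			alerts = append(alerts, d)
		}
		sum += perDay[d]
	}
	return alerts
}
```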

SLIDE 6

InterSOC Modules Overview

  • AAA agent conducts access control of gathered info.
    – In User Apps and InterSOC cooperation
  • Uniform format in DB input/output
    – For flexible changes of the gathered info.
    – E.g., Fluentd, logstash etc.
  • SOCs communicate via InterSOC Agents
    – To hide the actual DB from external entities
  • User Apps retrieve gathered info via REST API

[Diagram: sources such as syslog, sflow, netflow and DNS deliver DNS query logs, FW logs, xflow logs and vulnerability scan logs; fluentd, logstash etc. convert them into a uniform format (e.g., JSON) stored in an RDBMS; User Apps (e.g., visualization) read it via a REST API behind AAA; the Inter-SOC Agent exchanges information with the Inter-SOC Agent of another AS. The Inter-SOC Agent is the topic of this talk!]

SLIDE 7

Assumed Environment

  • Public Key Infrastructure (PKI) is available
  • AAA Server in each domain stores:
    – its domain's public key signed by the CA
    – its members' public keys signed by the domain AAA server
  • Inter-domain routing of AAA signaling
    – Requirements: policies b/w domains, scalability
  • Ticket-based Access Control System
    – Access Control List (ACL) is distributed as a Ticket to each User
    – Ticket contains: Subject, Action, Resource, Valid time
    – Ticket is signed by the Owner and pre-distributed to the User

[Diagram: Upstream ISP Domain, Stub-net-1 Domain (with the User) and Stub-net-2 Domain (with the Owner), each running an AAA Server and an Inter-SOC Agent.]

SLIDE 8

User Authentication Procedures

[Sequence diagram spanning the Stub-net-1 Domain (User, Inter-SOC Agent, AAA), the Upstream ISP Domain (Inter-SOC Agent, AAA) and the Stub-net-2 Domain (Inter-SOC Agent, AAA), with the Inter-SOC AAA App at the AAA servers.
Info request by User: [info_request]Kpriv_user + [ticket]Kpriv_owner
Authentication phase:
  – User ID retrieval: user_id_request / user_id_reply
  – Challenge/Response AuthN: nonce + user_id; {nonce}Kpriv_user + user_id
  – User's Pubkey retrieval & User's AuthN: [Kpub_user]Kpriv_stub-net-1 + [Kpub_stub-net-1]Kpriv_CA; user_authn_request / user_authn_reply]

SLIDE 9

User Authorization Procedures

[Sequence diagram with the same participants (Stub-net-1 Domain, Upstream ISP Domain, Stub-net-2 Domain; Inter-SOC Agent, AAA and Inter-SOC AAA App in each).
Authorization phase:
  – Owner's Pubkey retrieval & User's AuthR: [Kpub_owner]Kpriv_stub-net-2 + [Kpub_stub-net-2]Kpriv_CA; user_authr_request / user_authr_reply
  – Session Key delivery: info_reply + [{SK_isp-stub-1 + nonce}Kpub_user]Kpriv_isp]
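The ticket check that the upstream AAA server performs in the authorization phase above, as an added Go model (not code from the slides or from the Keio/WIDE project): it walks the Owner's key chain ([Kpub_owner]Kpriv_stub-net-2, [Kpub_stub-net-2]Kpriv_CA), verifies the Owner's signature over the ticket, and then checks the ticket's Subject, Action, Resource and Valid time against the request. Ed25519 signatures and a JSON ticket encoding are assumptions; the slides do not name the algorithms or the encoding.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"time"
)

// Ticket is the ACL entry pre-distributed to a User: Subject, Action, Resource, Valid time.
type Ticket struct {
	Subject, Action, Resource string
	NotAfter                  time.Time
}

// SignedKey is a public key plus its issuer's signature over it, e.g. [Kpub_owner]Kpriv_stub-net-2.
type SignedKey struct{ Key ed25519.PublicKey; Sig []byte }

// VerifyChain checks that each key was signed by the one before it, starting at the CA. It serves
// the User's chain (slide 8) and the Owner's chain (slide 9) alike and returns the final key.
func VerifyChain(ca ed25519.PublicKey, chain ...SignedKey) (ed25519.PublicKey, bool) {
	signer := ca
	for _, k := range chain {
		if !ed25519.Verify(signer, k.Key, k.Sig) {
			return nil, false
		}
		signer = k.Key
	}
	return signer, true
}

// VerifyTicket is the upstream AAA server's authorization-phase check: the Owner's key chain,
// the Owner's signature over the JSON-encoded ticket, then the scope and validity of the request.
func VerifyTicket(ca ed25519.PublicKey, ownerChain []SignedKey, t Ticket, sig []byte,
	subject, action, resource string, now time.Time) error {
	owner, ok := VerifyChain(ca, ownerChain...)
	encoded, _ := json.Marshal(t) // the bytes the Owner signed when issuing the ticket
	switch {
	case !ok || len(ownerChain) == 0: // an empty chain must not make the CA key the "owner"
		return errors.New("owner key chain does not lead to the CA")
	case !ed25519.Verify(owner, encoded, sig):
		return errors.New("ticket signature invalid")
	case t.Subject != subject || t.Action != action || t.Resource != resource:
		return errors.New("ticket does not cover this request")
	case now.After(t.NotAfter):
		return errors.New("ticket expired")
	}
	return nil
}
```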

SLIDE 10

Related Work

  • Access control per content
    – Authenticated / authorized users can (i) know the existence of content, (ii) retrieve content
  • Access control based on multi-domain routing
    – AAA signaling mechanism on a multi-domain overlay
  • Scalability
    – The number of content files and domains

                        Kerberos [1]   Shibboleth [2]   RADIUS [3]   Diameter Inter-SOC App
Per-content             yes            yes              yes          yes
Multi-domain routing    yes            yes              no           yes
Scalability             No [4]         no               no           yes

[1] C. Neuman et al., "Kerberos: An Authentication Service for Computer Networks", In Proc. of IEEE Communications Magazine, 1994, pp. 33-38
[2] W. Jie et al., "A Guanxi Shibboleth based Security Infrastructure", In Proc. of IEEE EDOC WKSHPS'08, 2008, pp. 151-158
[3] C. Rigney et al., "Remote Authentication Dial In User Service (RADIUS)", RFC2138, IETF, 2000
[4] S. Sakane et al., "Problem Statement on the Cross-Realm Operation of Kerberos", RFC5868, IETF, 2010

SLIDE 11

AAA Protocol "Diameter"

  • Diameter base protocol
    – Exchanges AAA-related information safely
    – Used for signaling in a multi-domain environment
  • Diameter application
    – Extension of the Diameter base protocol
    – Defines the Diameter message format for carrying application-specific data
    – e.g., Diameter EAP App. (AuthN and AuthZ for network access)

[Diagram: Domains A, B and C each run a Diameter Server with a User DB, joined by a Diameter Overlay Network. Protocol stack: Diameter EAP App, Diameter SIP App and Diameter Inter-SOC App on top of the Diameter Base Protocol.]

SLIDE 12

Diameter Inter-SOC Application

  • Diameter message: Command + AVPs
    – Command code: specifies the action taken when the Diameter message is received
    – AVP (Attribute Value Pair): stores the data delivered by the command
  • New command of the Diameter InterSOC App.
    – Public key Request/Answer Command for AuthN & AuthZ
  • New AVP of the Diameter InterSOC App
    – Carries AuthN & AuthZ information
    – Public key Request Command
      • Origin-Host AVP, Origin-Realm AVP, Destination-Realm AVP, User-name AVP, Session ID AVP
    – Public key Answer Command
      • Origin-Host AVP, Origin-Realm AVP, Session ID AVP, Public-key AVP
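The Public key Request Command above encoded as a Diameter message, as an added Go example (not the project's own code): the RFC 6733 header followed by the five listed AVPs, using the standard AVP codes for Origin-Host, Origin-Realm, Destination-Realm, User-Name and Session-Id. The command code and application id are placeholders, since the slides do not assign them, and the Public-key AVP of the Answer is not encoded here.

```go
package main

import "encoding/binary"

// RFC 6733 AVP codes used by the Public key Request Command, plus placeholder numbers for the
// command and application that the slides define but do not assign.
const (
	UserName         uint32 = 1
	SessionID        uint32 = 263
	OriginHost       uint32 = 264
	DestinationRealm uint32 = 283
	OriginRealm      uint32 = 296
	PubKeyRequestCmd uint32 = 0xF00000 // PLACEHOLDER
	InterSOCAppID    uint32 = 0xF00000 // PLACEHOLDER
)

type AVP struct{ Code uint32; Data []byte }

// EncodeAVP: Code(4) | Flags(1, M set) | Length(3) | Data, padded to 4 bytes (Length excludes padding).
func EncodeAVP(a AVP) []byte {
	n := 8 + len(a.Data)
	b := make([]byte, n+(-n&3))
	binary.BigEndian.PutUint32(b[0:], a.Code)
	binary.BigEndian.PutUint32(b[4:], 0x40<<24|uint32(n))
	copy(b[8:], a.Data)
	return b
}

// EncodeMessage: Version(1)=1 | Length(3) | Flags(1, R|P so overlay agents may relay it) | Command(3) | App-ID(4) | Hop-by-Hop(4) | End-to-End(4) | AVPs.
func EncodeMessage(cmd, appID, hbh, e2e uint32, avps []AVP) []byte {
	msg := make([]byte, 20)
	for _, a := range avps {
		msg = append(msg, EncodeAVP(a)...)
	}
	binary.BigEndian.PutUint32(msg[0:], 1<<24|uint32(len(msg)))
	binary.BigEndian.PutUint32(msg[4:], 0xC0<<24|cmd)
	binary.BigEndian.PutUint32(msg[8:], appID)
	binary.BigEndian.PutUint32(msg[12:], hbh)
	binary.BigEndian.PutUint32(msg[16:], e2e)
	return msg
}

// PublicKeyRequest: the slide-12 request for a member's public key, carrying the five AVPs the slide lists.
func PublicKeyRequest(originHost, originRealm, destRealm, user, session string, hbh, e2e uint32) []byte {
	return EncodeMessage(PubKeyRequestCmd, InterSOCAppID, hbh, e2e, []AVP{
		{OriginHost, []byte(originHost)}, {OriginRealm, []byte(originRealm)},
		{DestinationRealm, []byte(destRealm)}, {UserName, []byte(user)}, {SessionID, []byte(session)},
	})
}
```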

SLIDE 13

Conclusion

  • Security operation in Keio Univ.
    – Installed next generation firewalls at the upstream network boundary and the campus boundaries
    – Necessary to suppress excessive payload scanning in RandE networks
  • InterSOC cooperation system
    – AAA agent conducts access control of gathered info.
    – Uniform format in DB input/output
    – SOCs communicate via InterSOC Agents
    – User Apps retrieve gathered info via REST API