secure network access system
play

Secure Network Access System (SNAS) Indigenous Next Generation - PowerPoint PPT Presentation

Sep 07, 2022 •309 likes •701 views

Secure Network Access System (SNAS) Indigenous Next Generation Network Security Solutions Gigi Joseph, Computer Division,BARC. Gigi@barc.gov.in Intranet Security Components 1a. Network Authentication Network Admission Control 1b. End

  1. Secure Network Access System (SNAS) Indigenous Next Generation Network Security Solutions Gigi Joseph, Computer Division,BARC. Gigi@barc.gov.in

  2. Intranet Security Components 1a. Network Authentication Network Admission Control 1b. End Point Compliance (NAC) Check NAC Ethernet Switch Router server

  3. Intranet Security Components 1a. Network Authentication Network Admission Control 1b. End Point Compliance Intranet DMZ (NAC) Check (Servers) Firewall 2. Access Control (Firewall) NAC Ethernet Switch Router server

  4. Intranet Security Components 1a. Network Authentication Network Admission Control 1b. End Point Compliance Intranet DMZ (NAC) Check (Servers) Firewall 2. Access Control (Firewall) 3. Network Behavioral Anomaly Detection (IDS) NAC Ethernet Switch Router server

  5. Intranet Security Components 1a. Network Authentication Network Admission Control 1b. End Point Compliance (NAC) Check Intranet DMZ (Servers) Firewall 2. Access Control (Firewall) 3. Network Behavioral Anomaly Detection (IDS) NAC Ethernet Switch server Router 4. NMS

  7. Typical Network Setup Intranet DMZ (Servers) Firewall + IDS Switch Router Application level firewall +IDS/IPS Organization’s Intranet Internet DMZ Perimeter Security systems Internet Servers

  8. Network Backdoor Entry Laptop with WiFi access ( Adhoc Mode) Wireless Access Point User Connected to Public Wireless Network Switch Router Application level firewall Organization’s (UTM) Intranet Internet DMZ Perimeter Security Internet Servers systems

  9. Physically Separated Network for Intranet and Internet Internet User Segment Intranet User Segment Intranet servers

  10. Intranet and Internet Network Bridging Internet User Segment Network Bridging Intranet User Segment Intranet servers

  11. Intranet and Internet Network Bridging Internet User Segment Intranet User Segment Intranet servers

  12. SNAS: End System Identification End System Identification : IP Address of the End system : MAC Address Sr.No Identification Parameters 1 End system’s Network levels MAC Address IP Address NIC make & Models Network Applications running on the end system 2 End system’s OS OS version & Patch update 3 Software Present in End Product /Application name system Manufacture Date of installation 4 End system hardware Storage (HDD disk / Other media size ), memory details etc. A unique profile based on above parameters - identify a end system a network Parameters selection and threshold level of matching depends on Security Policy.

  13. Enterprise DDOS Handling Intranet DMZ (Servers) FIREWALL Organization Internet servers Perimeter Security F I DDOS systems R Attack Internet E DMZ W Router A L L Switch

  14. Enterprise DDOS Handling Intranet DMZ (Servers) FIREWALL Organization Internet servers F I R Internet E DMZ W Router A L L DDos Attack Switch

  15. DOS Attacks : ICMP Flooding (E.g Smurf Attack) IP: 100.0.0.1/A IP:100.0.0.2/A www.nkn.in (164.100.56.206) Network Broadcast address 100.255.255.255 Router Router of organization 1 PING <100.255.255.255>, Source IP = www.nkn.in (164.100.56.206 IP - 100.0.0.10/A Destination IP ( 100.255.255.255)

  16. DOS Attacks : ARP-Flooding Source MAC Packet type Checksum Data part (00:a0:b0:c0:d0:01) (0x0806) (ARP request) (CRC) Ethernet Switch ARP Request Op code Is gratuitous ? (ARP request) (Broadcast) Sender MAC Sender IP (A: 00:a0:b0:c0:d0:01) (10.0.0.1) Target MAC Target IP IP - 10.0.0.1 IP - 10.0.0.2 (00:00:00:00:00:00) (10.0.0.2) MAC-1: 00:a0:b0:c0:d0:01 MAC-2: 00:a0:b0:c0:d0:02 Sr.no Actions Effects 1 Large ARP requests / Sec Switch Performance degrades 2 Every ARP request will have Identification will be difficult & Ethernet different Source MAC switch table over flow address

  17. Denial of Service attack (TCP SYN Flooding) Server (164.100.56.206 :80) Client (100.100.100.100:2000) (www.nkn.in) LISTEN State SEQ=100, SYN SYN-SENT SYN-RCVD SEQ=200, ACK =101,SYN, ACK Half Open ESTABLISHED SEQ=101, ACK =201, ACK, DATA ESTABLISHED Source IP ( 100.100.100.100) Destination IP ( 164.100.56.206) Source port (2000) Destination port (80) Sequence number ( 101) ACK number ( 201) HL (4) Reserved (6) URG ACK PSH RST SYN FIN Window (16) Check sum (16) Urgent pointer (16)

  18. Denial of Service attack (TCP SYN Flooding) www. nkn.in (164.100.56.206) Router Router Router 100.100.100.100 200.200.200.200 Source IP Source Port Destination IP Destination port 200.200.200.200 2000 164.100.56.206 80 (web) 200.200.200.200 2002 164.100.56.206 80 (web) ------------- -------- A.B.C.D 2001 164.100.56.206 80 (web) Random IPs 2002 164.100.56.206 80 (web)

  19. SNAS – DOS attack handling : Block @ Network entry ) NAC Server WAN Router Intranet Instruct network device DMZ0,1, 2, Services To Block @ Zones network entry Ethernet Switch E.g No. TCP-SYN packet > 200 E.g Non – unicast packets / sec > 50

  20. HTTP Client-Side Exploitation Trusted Server (NKN) UTM Local N/w (Firewall IPS/IDS) Internet https: Https: www.gigi.com (Command Control Server) Step 3 : Establish a reverse shell back door using HTTPS • Any data on the user will go out, •It can monitor traffic or it can collect adjacent PC’s data etc. • End system is ready to take part in DDOS attack

  21. SNAS : Trust Model • SNAS identifies trust level of hosts, IPs, ports, service, applications and software products as TRUSTED, UNTRUSTED and UNKNOWN_TRUST. • Only TRUSTED entities are allowed to exist in the network, rest all are detected and can be isolated. • Any running application, installed product which causes abnormal behaviour should be detected specially after an update • SNAS can detect any new application, process, port, remote IP access in the network LAN WAN SNAS DDOS Client APPLIANCE Controlling Hacker Server

  22. SNAS : Network Behavior Monitoring No. of Network open Traffic ports generated Time New service New software Targeted started installed application starts running

  23. SNAS : End System Detection Scanning Router NAC Server Trap Ethernet Switch

  24. SNAS : Network Authentication/Admission Control NAC (Network Access Control) Using SNAS Access Threat Management Management Detection Identification Authentication Access Right MAC Notification Unique end Unique end a) Network (Trap) & system Profile system Profile device levels Periodic (SNAS) based a (SNAS) b) ACL / Firewall Network Scanning

  25. SNAS -End System Admission Control Param et ers Installed products Running applications Antivirus Application Running services Transport Port Status IP Address Network Unicast Traffic Broadcast Traffic Data-link MAC Address System Location Physical NIC Parameters

  26. SNAS -End System Admission Control Param et ers Network Get Data from network devices NAC Server Get Data from End systems End system Authentication Sr.No Authentication Parameters Success Actions : 1 Network levels Back door entry (Network Interface added or not ) Access to Zones as authentication Network parameters change (MAC Address, IP Address, per policy parameters (L1, gateway) Authentication Security Policy L2, L3) Network broadcast storm Failures Actions 2 Network Transport No. of TCP connection request Network Entry level parameter No. of TCP connection request to un-trusted IP Level Block, (L4) No. of TCP connection Established to un-trusted IP No. of un-trusted network application listening DMZ access Block, (services) Alarms Critical, 3 End system’s OS Trust level of OS version & Patch Info, 4 Software Present Trust level of Product /Application name Emergency) in End system Manufacture 5 Process in the end Trust level of each process, arguments & process path system

  27. SNAS Access Right Management ( Authentication Success ) Instruct Host aware SNAS NAC Server firewall to pass through WAN Router Intranet DMZ0,1, 2, Host Aware Firewall Services Zones Ethernet Switch

  28. SNAS Access Right Management ( Authentication Fail ) NAC Server Instruct Host aware SNAS firewall WAN To block System A Router Intranet DMZ0,1, 2, Services Host Aware Firewall Zones Ethernet Switch

  29. SNAS Access Right Management ( Authentication Fail ) NAC Server WAN Router Instruct Ethernet Intranet DMZ0,1, 2, Switch Services Host Aware Firewall To block System A Zones Ethernet Switch

  30. SNAS: Host Aware Firewall Intranet Intranet Services Services Zone – 0 Zone – N DMZ0 port Management port DMZ N Port SNAS Host Aware Firewall Host Aware Firewa WAN port LAN port End-Point Internet Zone Organizational LAN Firewall Rules are dynamic and based on security state of end systems End-Point

  32. Blended Threats (When Applications Exploit Each Other ) Different Software package on a single Machine IE (7) load “schannel.dll” & “ sqmapi.dll” from various location including user’s desktop Apple Safari browser encounter unknown content type – It downloaded into default location ( i.e. Desktop) Hacker create unknown content type for Safari browser with name “schannel.dll” & “ sqmapi.dll”

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Secure and Efficient Access to Outsourced Data Secure and Efficient Access to Outsourced Data

Secure and Efficient Access to Outsourced Data Secure and Efficient Access to Outsourced Data

Secure and Efficient Access to Outsourced Data Secure and Efficient Access to Outsourced Data Weichao Wang, Zhiwei Li, Rodney Owens, Bharat Bhargava CCSW 2009: The ACM Cloud Computing Security Workshop 1 The Problem Providing secure and

414 views • 19 slides
Access Network Access Network Access network: local loop infrastructure It is the last

Access Network Access Network Access network: local loop infrastructure It is the last

Access network and access service Access Network Access Network Access network: local loop infrastructure It is the last mile of the network Connects the user with the first network POP Can use different technologies

369 views • 11 slides
CS416 Filesystem (NFS) NFS NFS allows a system to access files over a network One of

CS416 Filesystem (NFS) NFS NFS allows a system to access files over a network One of

CS416 Filesystem (NFS) NFS NFS allows a system to access files over a network One of many distributed file systems Extremely successful and widely used NFS Challenges Development of LANs made it really attractive to provide

354 views • 20 slides
Secure Coprocessor What is Secure coprocessor: Robust. (A system that is not easily or is

Secure Coprocessor What is Secure coprocessor: Robust. (A system that is not easily or is

Secure Coprocessor What is Secure coprocessor: Robust. (A system that is not easily or is not wholly affected by a bug in one aspect of it. ) General-purpose computational environments. Secure temper responsive physical package.

366 views • 14 slides
Secure, Fast, Easy and Comprehensive File Management System What is FileOrbis? FileOrbis is an

Secure, Fast, Easy and Comprehensive File Management System What is FileOrbis? FileOrbis is an

Secure, Fast, Easy and Comprehensive File Management System What is FileOrbis? FileOrbis is an on-premise file management system allowing you to: Access your files from everywhere , Manage authorizations and access to your files,

602 views • 27 slides
Access Control Origin Usage Control (UCON) Since the advent of timesharing system The

Access Control Origin Usage Control (UCON) Since the advent of timesharing system The

Access Control Origin Usage Control (UCON) Since the advent of timesharing system The main goal is to selectively determine who can access services, resources, and ISA 767, Secure Electronic Commerce digital contents and Xinwen

313 views • 10 slides
Web Security Secure Socket Layer (SSL) December 7, 2000 SSL 2 Web Security authentication:

Web Security Secure Socket Layer (SSL) December 7, 2000 SSL 2 Web Security authentication:

SSL 1 Web Security Secure Socket Layer (SSL) December 7, 2000 SSL 2 Web Security authentication: basic, digest often supplemented by cookies access control via network addresses multi-layered: SHTTP (secure HTTP) = just

713 views • 32 slides
Ext xtranet 24/7 Client Access Benefits ..secure 24/7 web access to live matters or data

Ext xtranet 24/7 Client Access Benefits ..secure 24/7 web access to live matters or data

Ext xtranet 24/7 Client Access Benefits ..secure 24/7 web access to live matters or data rooms giving current progress and financial updates Information Management ..facilities for buyers/investors/managers to view relevant

2.34k views • 12 slides
Secure Communications 1. The network employs the IMBE (Improved Multi-Band Excitation),voice

Secure Communications 1. The network employs the IMBE (Improved Multi-Band Excitation),voice

A Uni Unique que an and Po Powerful werful Com ommunications munications Sys ystem tem NETWORK INNOVATIONS SATELLITE RADIO/TELEPHONE ( FORMERLY SKYTERRA, MSV, LIGHT SQUARED ) Secure Communications 1. The network employs the IMBE

910 views • 54 slides
ImAc production tools Accessibility Secure access and according to profile permissions Web

ImAc production tools Accessibility Secure access and according to profile permissions Web

ImAc production tools Accessibility Secure access and according to profile permissions Web based and responsive interfaces for universal user access Content Manger Multi-language interface (ACM) Automatic background processes such

202 views • 5 slides
Flow-Secure Access Controls Integration of Simple flow controls into the access control

Flow-Secure Access Controls Integration of Simple flow controls into the access control

Flow-Secure Access Controls Integration of Simple flow controls into the access control mechanisms of say operating systems. General: p can read from x1,. . . , xm and write into Y1, . . . . Yn only if This automatically

1.06k views • 36 slides
CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva OS security. Access control.

CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva OS security. Access control.

Access control Access control determines access to files and processes in OS Old area of security, but not well understood CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva OS security. Access control. 1 2 System

889 views • 5 slides
Introduction to Computer Security Session 2.3 Designing Secure Network Systems Prof. Nadim

Introduction to Computer Security Session 2.3 Designing Secure Network Systems Prof. Nadim

CSCI-UA.9480 Introduction to Computer Security Session 2.3 Designing Secure Network Systems Prof. Nadim Kobeissi Goals of todays class. A look into some secure network systems: WireGuard: a modern VPN. A critical look at ProtonMail,

1.15k views • 71 slides
Challenges in Access Right Assignment for Secure Home Networks

Challenges in Access Right Assignment for Secure Home Networks

Challenges in Access Right Assignment for Secure Home Networks Tiffany Hyun-Jin Kim, Lujo Bauer, James Newsome, Adrian Perrig (CMU) Jesse Walker

484 views • 17 slides
Welcome GMLPN Network Meeting Wifi Network: BGC-Secure Password: bgc180609 www.gmlpn.co.uk

Welcome GMLPN Network Meeting Wifi Network: BGC-Secure Password: bgc180609 www.gmlpn.co.uk

Welcome GMLPN Network Meeting Wifi Network: BGC-Secure Password: bgc180609 www.gmlpn.co.uk Welcome Mark Currie Chair - GMLPN Welcome &amp; Introduction www.gmlpn.co.uk Ad Adult ult Ed Educ ucatio tion n Bu Budg dget et Devolved

1.21k views • 98 slides
CASD-TeraLab Secure Remote Access to Confidential Big Data Alexandre Marty [

CASD-TeraLab Secure Remote Access to Confidential Big Data Alexandre Marty [

1 CASD-TeraLab Secure Remote Access to Confidential Big Data Alexandre Marty [ alexandre.marty@casd.eu ] Outline 2 CASD-TeraLab Use Cases Live Demo The Secure Data Access Centre 3 Data Insertions/extractions are A group of

594 views • 8 slides
Virtual Parent Meetings: Return-to-School Leslie Nichols, Superintendent August 5, 6, &amp; 7,

Virtual Parent Meetings: Return-to-School Leslie Nichols, Superintendent August 5, 6, &amp; 7,

Virtual Parent Meetings: Return-to-School Leslie Nichols, Superintendent August 5, 6, &amp; 7, 2020 Schedule of Zoom Meetings Wednesday, August 5, 9:00am Wednesday, August 5, 5:30pm Thursday, August 6, 12:30pm Friday, August

298 views • 13 slides
Armageddon Redux The changing face of the Infocalypse DISCLAIMER The views expressed in

Armageddon Redux The changing face of the Infocalypse DISCLAIMER The views expressed in

Armageddon Redux The changing face of the Infocalypse DISCLAIMER The views expressed in this talk are my own and not approved by or representative of my employer or this conference. WHOIS @headhntr http://twitter.com/headhntr

914 views • 57 slides
Infrastructure Cybersecurity Introduction to Concepts, Language, Policy About me Jack

Infrastructure Cybersecurity Introduction to Concepts, Language, Policy About me Jack

Understanding Critical Infrastructure Cybersecurity Introduction to Concepts, Language, Policy About me Jack Whitsitt | http://twitter.com/sintixerr | jack@energysec.org Broad Background Lived in a little hacker compound as a

850 views • 47 slides
Enter a new world of web development where everything is serverless Whats possible and how

Enter a new world of web development where everything is serverless Whats possible and how

Enter a new world of web development where everything is serverless Whats possible and how will infrastructure be shaped in the future WAQ 18 Bastian Widmer - @dasrecht | @amazeeio Bonjour WAQ18! Bonjour WAQ18! Pardon my Franais - or

731 views • 55 slides
Select Topics in Implementing an Integrated Medicaid Managed Long-Term Care Program TennCare

Select Topics in Implementing an Integrated Medicaid Managed Long-Term Care Program TennCare

Select Topics in Implementing an Integrated Medicaid Managed Long-Term Care Program TennCare Overview Tennessees Medicaid Agency Tennessees Medicaid Program Managed care demonstration implemented in 1994 Operates under the

423 views • 15 slides
PREPARED STATEMENT OF LEONARD C. SLOSKY CHAIR-ELECT OF THE LOW-LEVEL RADIOACITVE WASTE FORUM,

PREPARED STATEMENT OF LEONARD C. SLOSKY CHAIR-ELECT OF THE LOW-LEVEL RADIOACITVE WASTE FORUM,

PREPARED STATEMENT OF LEONARD C. SLOSKY CHAIR-ELECT OF THE LOW-LEVEL RADIOACITVE WASTE FORUM, INC. AND THE ROCKY MOUNTIAN LOW-LEVEL RADIOACTIVE WASTE BOARD REPRESENTING THE LOW-LEVEL RADIOACTIVE WASTE FORUM, INC. AND THE STATES OF SOUTH

476 views • 6 slides
Investment Update Bulls winning? 1. Big picture 2. Markets 2017 - thus far 3. Portfolio

Investment Update Bulls winning? 1. Big picture 2. Markets 2017 - thus far 3. Portfolio

Investment Update Bulls winning? 1. Big picture 2. Markets 2017 - thus far 3. Portfolio returns 4. Business news Lothar Mentel CEO &amp; Chief Investment Officer October 2017 For professional use only Source: Hedgeye 1 1. Big picture

694 views • 46 slides
How colleges are trans nsform forming ng their r EdTech ch strate ategy gy Best st

How colleges are trans nsform forming ng their r EdTech ch strate ategy gy Best st

How colleges are trans nsform forming ng their r EdTech ch strate ategy gy Best st practi actice ce and d soluti ution ons s to help p you develo lop p your r onlin ine deliv ivery ry A webin inar ar seri ries funde

666 views • 24 slides

More recommend