Secure Network Access System (SNAS) Indigenous Next Generation - PowerPoint PPT Presentation



SLIDE 1

Secure Network Access System (SNAS) Indigenous Next Generation Network Security Solutions

Gigi Joseph, Computer Division, BARC. Gigi@barc.gov.in

SLIDE 5

Intranet Security Components

  • 1a. Network Authentication
  • 1b. End Point Compliance Check
  • 2. Access Control (Firewall)
  • 3. Network Behavioral Anomaly Detection (IDS)
  • 4. NMS

Diagram labels: NAC server; Network Admission Control (NAC); Ethernet Switch; Router; Firewall; Intranet DMZ (Servers)

SLIDE 7

Typical Network Setup

Diagram labels: Router; Switch; Application level firewall + IDS/IPS; Internet DMZ; Internet Servers; Firewall + IDS; Intranet DMZ (Servers); Organization's Intranet Perimeter Security systems

SLIDE 8

Network Backdoor Entry

Diagram labels: User connected to public wireless network; Laptop with WiFi access (Ad hoc mode); Wireless Access Point; Router; Switch; Application level firewall (UTM); Internet DMZ; Internet Servers; Organization's Intranet Perimeter Security systems

SLIDE 9

Physically Separated Network for Intranet and Internet

Diagram labels: Internet User Segment; Intranet User Segment; Intranet servers

SLIDE 10

Intranet and Internet Network Bridging

Diagram labels: Internet User Segment; Intranet User Segment; Intranet servers; Network Bridging


SLIDE 12

SNAS: End System Identification

Identification Parameters
  1. End system's network levels: MAC Address, IP Address, NIC make & model, network applications running on the end system
  2. End system's OS: OS version & patch update
  3. Software present in end system: product/application name, manufacturer, date of installation
  4. End system hardware: storage (HDD / other media size), memory details etc.

A unique profile based on the above parameters identifies an end system in the network. Parameter selection and the threshold level of matching depend on the security policy.

Diagram labels: End System Identification; IP Address of the End system; MAC Address

SLIDE 13

Enterprise DDOS Handling

Diagram labels: DDOS Attack; Organization Internet servers; Router; Switch; Firewall; Internet DMZ; Intranet DMZ (Servers); Perimeter Security systems


SLIDE 15

DOS Attacks : ICMP Flooding (E.g. Smurf Attack)

Diagram labels: www.nkn.in (164.100.56.206); Router; Router; IP 100.0.0.10/A; IP: 100.0.0.1/A; IP: 100.0.0.2/A; Network broadcast address of organization 1: 100.255.255.255

Packet shown: PING <100.255.255.255>, Source IP = www.nkn.in (164.100.56.206), Destination IP = 100.255.255.255

SLIDE 16

DOS Attacks : ARP-Flooding

Diagram labels: Ethernet Switch; IP 10.0.0.1, MAC-1: 00:a0:b0:c0:d0:01; IP 10.0.0.2, MAC-2: 00:a0:b0:c0:d0:02; ARP Request (Broadcast)

Ethernet frame fields shown: Source MAC (00:a0:b0:c0:d0:01); Packet type (0x0806); Data part (ARP request); Checksum (CRC)
ARP request fields shown: Op code (ARP request); Is gratuitous?; Sender MAC (A: 00:a0:b0:c0:d0:01); Sender IP (10.0.0.1); Target MAC (00:00:00:00:00:00); Target IP (10.0.0.2)

Actions and effects
  1. Large number of ARP requests per second: switch performance degrades
  2. Every ARP request has a different source MAC address: identification becomes difficult and the Ethernet switch table overflows

SLIDE 17

Denial of Service attack (TCP SYN Flooding)

Handshake shown between Client (100.100.100.100:2000) and Server (164.100.56.206:80, www.nkn.in):
  1. Client to Server: SEQ=100, SYN (client state SYN-SENT; server state LISTEN)
  2. Server to Client: SEQ=200, ACK=101, SYN, ACK (server state SYN-RCVD, connection "Half Open")
  3. Client to Server: SEQ=101, ACK=201, ACK, DATA (both sides ESTABLISHED)

TCP header fields shown: Source IP (100.100.100.100); Destination IP (164.100.56.206); Source port (2000); Destination port (80); Sequence number (101); ACK number (201); HL (4); Reserved (6); URG ACK PSH RST SYN FIN; Window (16); Checksum (16); Urgent pointer (16)

SLIDE 18

Denial of Service attack (TCP SYN Flooding)

Diagram labels: Router; Router; Router; 200.200.200.200; 100.100.100.100; A.B.C.D (Random IPs); www.nkn.in (164.100.56.206)

Connection requests shown
  Source IP              Source Port   Destination IP    Destination port
  200.200.200.200        2000          164.100.56.206    80 (web)
  200.200.200.200        2002          164.100.56.206    80 (web)
  A.B.C.D (Random IPs)   2001          164.100.56.206    80 (web)
  A.B.C.D (Random IPs)   2002          164.100.56.206    80 (web)

SLIDE 19

SNAS – DOS attack handling : Block @ Network entry

Diagram labels: NAC Server; Ethernet Switch; Router; WAN; DMZ0, 1, 2, ...; Intranet Services Zones

Instruct network device to block @ network entry, e.g. when No. of TCP-SYN packets > 200 or non-unicast packets / sec > 50
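The entry-level blocking decision of this slide, as an added example that is not part of the presentation or of SNAS itself: it counts TCP-SYN and non-unicast packets per source end system and reports the systems to block. It assumes both thresholds are applied per source MAC per one-second bucket (the slide does not state a window), and the packet records are constructed.

```python
from collections import Counter, defaultdict

# Thresholds from the slide. Assumption: both are evaluated per source
# end system (MAC) per one-second bucket; the slide gives no window size.
TCP_SYN_PER_SEC = 200
NON_UNICAST_PER_SEC = 50

def is_non_unicast(dst_mac):
    """Broadcast/multicast: I/G bit (lowest bit of the first octet) is set."""
    return bool(int(dst_mac.split(":")[0], 16) & 0x01)

def classify(pkt):
    """Which counter a packet feeds, or None for ordinary unicast traffic."""
    if pkt.get("proto") == "tcp" and pkt.get("flags") == "S":
        return "tcp_syn"
    if is_non_unicast(pkt["dst_mac"]):
        return "non_unicast"
    return None

def detect_floods(packets):
    """Count per (source MAC, second); return (mac, second, kind, count)
    for every bucket over threshold, i.e. the systems to block at entry."""
    buckets = defaultdict(Counter)
    for p in packets:
        kind = classify(p)
        if kind:
            buckets[(p["src_mac"], int(p["ts"]))][kind] += 1
    alerts = []
    for (mac, sec), c in sorted(buckets.items()):
        if c["tcp_syn"] > TCP_SYN_PER_SEC:
            alerts.append((mac, sec, "tcp_syn", c["tcp_syn"]))
        if c["non_unicast"] > NON_UNICAST_PER_SEC:
            alerts.append((mac, sec, "non_unicast", c["non_unicast"]))
    return alerts

def sample_packets():
    """Constructed capture: MAC-1 sends 250 SYNs in second 10, MAC-2 sends
    60 ARP broadcasts in second 11, MAC-3 sends 40 (under threshold)."""
    pkts = []
    for i in range(250):
        pkts.append({"ts": 10 + i / 250, "src_mac": "00:a0:b0:c0:d0:01",
                     "dst_mac": "00:a0:b0:c0:d0:02", "proto": "tcp", "flags": "S"})
    for i in range(60):
        pkts.append({"ts": 11 + i / 60, "src_mac": "00:a0:b0:c0:d0:02",
                     "dst_mac": "ff:ff:ff:ff:ff:ff", "proto": "arp"})
    for i in range(40):
        pkts.append({"ts": 11 + i / 40, "src_mac": "00:a0:b0:c0:d0:03",
                     "dst_mac": "ff:ff:ff:ff:ff:ff", "proto": "arp"})
    return pkts

if __name__ == "__main__":
    for mac, sec, kind, n in detect_floods(sample_packets()):
        print(f"block {mac} at network entry: {n} {kind} packets in second {sec}")
```

A fixed one-second bucket is the simplest form; a sliding window would catch a burst that straddles a second boundary.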

SLIDE 20

HTTP Client-Side Exploitation

Diagram labels: Internet; Local N/w; UTM (Firewall IPS/IDS); Trusted Server (NKN); https: www.gigi.com (Command Control Server)

Step 3 : Establish a reverse shell back door using HTTPS
  • Any data on the user will go out
  • It can monitor traffic or collect adjacent PCs' data etc.
  • End system is ready to take part in a DDOS attack

SLIDE 21

SNAS : Trust Model

  • SNAS identifies the trust level of hosts, IPs, ports, services, applications and software products as TRUSTED, UNTRUSTED and UNKNOWN_TRUST.
  • Only TRUSTED entities are allowed to exist in the network; all others are detected and can be isolated.
  • Any running application or installed product which causes abnormal behaviour should be detected, especially after an update.
  • SNAS can detect any new application, process, port or remote IP access in the network.

Diagram labels: LAN; WAN; SNAS APPLIANCE; DDOS Client; Controlling Hacker Server

SLIDE 22

SNAS : Network Behavior Monitoring

Chart over time (series shown): No. of open ports; Network traffic generated; New service started; New software installed; Targeted application starts running

SLIDE 23

SNAS : End System Detection

Diagram labels: NAC Server; Router; Ethernet Switch; Trap; Scanning

SLIDE 24

SNAS : Network Authentication/Admission Control

Access Management NAC (Network Access Control) Using SNAS
  • Identification: unique end system profile (SNAS)
  • Detection: MAC notification (Trap) & periodic network scanning
  • Authentication: unique end system profile based (SNAS)
  • Access Right: a) network device level, b) ACL / Firewall
  • Threat Management

SLIDE 25

SNAS - End System Admission Control Parameters

Layers: Application; Transport; Network; Data-link; Physical

Parameters: NIC parameters; MAC Address; System location; IP Address; Unicast traffic; Broadcast traffic; Port status; Running services; Installed products; Running applications; Antivirus

SLIDE 26

SNAS - End System Admission Control Parameters

Diagram labels: NAC Server; Network devices; End system; Get data from end systems; Get data from network; Security Policy

Authentication Parameters
  1. Network level authentication parameters (L1, L2, L3): back door entry (network interface added or not); network parameter change (MAC address, IP address, gateway); network broadcast storm
  2. Network transport level parameters (L4):
     • No. of TCP connection requests
     • No. of TCP connection requests to un-trusted IPs
     • No. of TCP connections established to un-trusted IPs
     • No. of un-trusted network applications listening (services)
  3. End system's OS: trust level of OS version & patch
  4. Software present in end system: trust level of product/application name, manufacturer
  5. Processes in the end system: trust level of each process, arguments & process path

Authentication success actions: access to zones as per policy
Authentication failure actions: network entry level block, DMZ access block, alarms (Critical, Info, Emergency)
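An added example, not the SNAS implementation, that ties the profile-based identification of slide 12 to the admission parameters and success/failure actions of this slide: a weighted profile match against the registered end system, then the trust checks, producing the action and alarm level. Parameter weights, the matching threshold, the connection limit and every name are assumptions (the slides say these depend on policy); the data is constructed.

```python
TRUSTED, UNTRUSTED, UNKNOWN = "TRUSTED", "UNTRUSTED", "UNKNOWN_TRUST"

# Assumed policy values: the slides say parameter selection and the
# matching threshold depend on the security policy but give no numbers.
PROFILE_WEIGHTS = {"mac": 3, "ip": 1, "nic": 2, "os": 2, "software": 2, "hardware": 2}
MATCH_THRESHOLD = 0.8
MAX_CONN_TO_UNTRUSTED_IP = 0

def profile_score(registered, observed):
    """Weighted share of identification parameters matching the registered profile."""
    total = sum(PROFILE_WEIGHTS.values())
    hit = sum(w for k, w in PROFILE_WEIGHTS.items() if registered[k] == observed.get(k))
    return hit / total

def admission_decision(registered, observed, trust_db):
    """Return (result, action, alarm level). Items missing from trust_db are
    UNKNOWN_TRUST, and only TRUSTED items pass, as in the trust model."""
    score = profile_score(registered, observed)
    failures = []
    if trust_db.get(observed["os"], UNKNOWN) != TRUSTED:
        failures.append("OS not trusted: " + observed["os"])
    for item in observed["software"] + observed["processes"]:
        if trust_db.get(item, UNKNOWN) != TRUSTED:
            failures.append("not trusted: " + item)
    if observed["conn_untrusted_ip"] > MAX_CONN_TO_UNTRUSTED_IP:
        failures.append("%d connections to un-trusted IPs" % observed["conn_untrusted_ip"])
    if score < MATCH_THRESHOLD:
        # Identity itself is in doubt (e.g. a known IP on another machine): block at entry.
        return "FAIL", "network entry level block", "Emergency"
    if failures:
        return "FAIL", "DMZ access block: " + "; ".join(failures), "Critical"
    return "SUCCESS", "access to zones " + ", ".join(registered["zones"]), "Info"

# Constructed data: registered profile for the demo laptop address of slide 38
# (10.10.10.60) and a small trust database. OS and product names are placeholders.
TRUST_DB = {"OS-A v1 patch 3": TRUSTED, "Product-B": TRUSTED,
            "svc-agent": TRUSTED, "miner-x": UNTRUSTED}
REGISTERED = {"mac": "00:a0:b0:c0:d0:01", "ip": "10.10.10.60", "nic": "NIC-V 100M",
              "os": "OS-A v1 patch 3", "software": ("Product-B",),
              "hardware": "HDD 500G, RAM 4G", "zones": ["DMZ0", "DMZ2"]}
BASE = {k: REGISTERED[k] for k in PROFILE_WEIGHTS}
OBSERVED_OK = dict(BASE, processes=("svc-agent",), conn_untrusted_ip=0)
# Registered IP seen on a different machine: MAC, NIC and hardware differ.
OBSERVED_SPOOFED = dict(OBSERVED_OK, mac="00:a0:b0:c0:d0:99", nic="NIC-W 1G",
                        hardware="SSD 256G, RAM 8G")
# Right machine, but an un-trusted process and connections to un-trusted IPs.
OBSERVED_INFECTED = dict(OBSERVED_OK, processes=("svc-agent", "miner-x"), conn_untrusted_ip=3)
```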

SLIDE 27

SNAS Access Right Management ( Authentication Success )

Diagram labels: NAC Server; Host Aware Firewall; Ethernet Switch; Router; WAN; DMZ0, 1, 2, ...; Intranet Services Zones

Action: Instruct host aware SNAS firewall to pass through

SLIDE 28

SNAS Access Right Management ( Authentication Fail )

Diagram labels: NAC Server; Host Aware Firewall; Ethernet Switch; Router; WAN; DMZ0, 1, 2, ...; Intranet Services Zones

Action: Instruct host aware SNAS firewall to block System A

SLIDE 29

SNAS Access Right Management ( Authentication Fail )

Diagram labels: NAC Server; Host Aware Firewall; Ethernet Switch; Router; WAN; DMZ0, 1, 2, ...; Intranet Services Zones

Action: Instruct Ethernet Switch to block System A

SLIDE 30

SNAS: Host Aware Firewall

Diagram labels: Management port; Organizational LAN; End-Point; End-Point; LAN port; WAN port; DMZ0 port; DMZ N port; Intranet Services Zone – 0; Intranet Services Zone – N; Internet Zone

Firewall rules are dynamic and based on the security state of end systems.

SLIDE 32

Blended Threats (When Applications Exploit Each Other )

Different software packages on a single machine: IE (7) loads "schannel.dll" & "sqmapi.dll" from various locations, including the user's desktop. The Apple Safari browser, on encountering an unknown content type, downloads it into the default location (i.e. Desktop). A hacker creates an unknown content type for the Safari browser with the names "schannel.dll" & "sqmapi.dll".

SLIDE 33

Pirated Software Issues

  • When software tries to update itself, the organization's IPs appear in the software update server's logs
  • Legal implications if the software is banned for purchase

Diagram labels: Router; Switch; Application level firewall + IDS/IPS; Internet DMZ; Organization's Intranet Perimeter Security systems

SLIDE 34

USB Detection on user PC by SNAS

Parameters and support by SNAS
  1. Detection of presence of USB in user PC: Supported
  2. USB usage details: Supported (when the USB was connected to the PC, when it was removed from the PC, size of USB, space used, free etc.)
  3. Any application running from PC: SNAS can detect applications running from USB
  4. Any application using resources in USB: SNAS can detect applications which use USB data
  5. Same USB put in multiple PCs: SNAS can track, based on the USB serial number, on which systems the same USB was used
  6. Amount of data copied into USB: SNAS can find out the amount of data copied into USB
  7. Content of data copied: Not supported by the present SNAS version (for this, the SNAS client is required on each PC)

SLIDE 35

SNAS NMS: Network & End System's Security Visualization

SLIDE 36

SNAS Placement in Enterprise Network Security Setup

Diagram labels: SNAS APPLIANCE; Appliance; Internet DMZ; Organization Internet servers; Router; Switch; Perimeter Security systems (ITMA); Intranet DMZ (Servers)

SLIDE 37

SNAS based Solution for Critical Sector network

Diagram labels: Internet User Segment; Intranet User Segment; Nationwide Intranet; SNAS APPLIANCE; SNAS APPLIANCE; Perimeter Security systems; Existing Firewall + IDS; Internet DMZ; Internet Servers; Perimeter Security systems; Existing Firewall + IDS; Intranet DMZ; Intranet Servers; Router; Router; Switch; Switch; Appliance; Appliance

SLIDE 38

SNAS Demo Setup

Diagram labels: SNAS APPLIANCE; Ethernet Switch; Router; Wireless Access point (10.10.10.2/C); LAPTOP (10.10.10.60/c); 10.10.10.10/c; DMZ 2 (192.168.2.1/c); DMZ 0…n; Web Server (192.168.2.10/c)