Proactive Network Surveillance Framework
Abstract
The network security paradigm should be one that permeates the enterprise, including people, processes and technology. Security failures occur when weak spots exist in any of these. An organization that cannot detect and remove such weak spots is going to perish. As can be seen all around, most organizations today apply a few or many of the existing tools and techniques, such as firewalls, intrusion detection systems, anti-virus and anti-spyware products, to safeguard their systems against the hacking community. But as the number of network breaches, from outside as well as from inside, is still on the rise, much work remains to be done.
This work analyzes trends in network security through an investigation of reactive and proactive network security strategies. Many common practices have been studied, analyzed, compared and reported in this work. Prior to proactive security research, there existed only meager know-how about questions such as "who is our enemy?", "what tools and techniques do they use to attack networks?" and "what are their motives for doing so?". This knowledge was quite limited and primarily anecdotal, which made it difficult to create, test and deploy integrated security solutions for better and more efficient network security.
Various exploits and their detrimental effects have been explored; their respective signatures are captured, analyzed and reported in this thesis work. Many open source honeypots have also been analyzed by configuring them at the workplace. The comparison focuses on their features, their respective levels of interaction and the risk factors associated with their deployment.
Finally, a Proactive Network Surveillance Framework is proposed. The framework consists of five layers, addressing security at various levels and following the onion model of defense, in which the defense consists of many layers. The first layer of the framework, Core Security, addresses physical security issues. This layer also recommends changes at the filesystem level to enhance the security of the installed framework. The second layer, Routing and Traffic Control, offers continuous monitoring of network devices, manages bandwidth and implements access control lists to restrict the traffic entering and leaving the framework. The third layer, Security Information System, focuses on reducing complexity, thereby giving intelligence to the network. This layer generates trend reports and detailed analysis of network logs. It identifies the malfunctioning nodes on the network that send malicious traffic, and it also stops flooding and denial of service attacks. The fourth layer, Perimeter Security, recommends the placement of reactive security components within the network hierarchy and implements network traffic regulation rules based on various network profiles and policies. This layer also implements an intrusion detection mechanism based on the open source tool Snort. The fifth layer, Learn and Monitor the Unknown, recommends operating system hardening steps and gives learning vision into network attacks, thereby monitoring the unknown entity.
Starting from the core layer up to the final layer, there are many significant contributions of this research effort which would help network security implementations at large. The significance of the Core layer is attributed to its file system design and configuration, which presents a more robust, effective and secure operating system base for the framework. At this layer, authorization using a key-pair mechanism has enhanced the security of the login process considerably. Test results for this layer's robustness are reported in the work. The second layer has contributed much to the traffic control module. This layer offers classification, sharing, prioritizing and limiting of bandwidth for both inbound and outbound traffic. This results in a useful implementation of bandwidth throttling to and from certain computers and helps to protect against Denial of Service attacks. Since Linux by itself supports only egress shaping, the Intermediate Queuing Device is used in the framework to perform ingress shaping. The Security Information System layer does the work of a central repository, where all the logs are gathered into a database and then fed to a graph generator to create trend reports and other plots. The graph generation steps, their analysis and the results are reported in the work. Perimeter security is the focus of the fourth layer of the system, where the open source tools IPTables and Snort are used for data control and payload inspection. The fifth layer contributes to the whole framework by luring the hacker into a labyrinth of virtual honeypots. This layer provides the learning vision of the framework, and the keystrokes captured there can give a good lead towards the hostile activity that is about to happen.
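As an added illustration of the Security Information System layer's role as a central log repository that feeds a graph generator and flags misbehaving nodes, the following Python script is included here; it is not code from the thesis, whose implementation is not reproduced on this page. It parses constructed syslog lines in the iptables LOG key=value format into an in-memory SQLite table, produces the per-minute, per-source drop counts that a trend plot would be drawn from, and flags sources that in any single minute touch too many distinct destination ports or exceed a drop rate. The DROP/ACCEPT log-prefix labels, the thresholds and the RFC 5737 sample addresses are assumptions for the example.

```python
"""Log repository example: iptables LOG lines -> SQLite -> trend rows and flagged sources.

All log lines below are constructed sample data. The parser assumes the
iptables LOG format with an assumed --log-prefix of "DROP " or "ACCEPT ".
"""
import re
import sqlite3

# Constructed sample syslog lines (RFC 5737 documentation addresses).
SAMPLE_LOG = "\n".join(
    # 192.0.2.10: 30 SYNs per minute to 30 distinct ports, i.e. a port sweep
    [f"Mar 12 10:0{m}:{s:02d} gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 "
     f"DST=198.51.100.5 PROTO=TCP SPT={40000 + s} DPT={20 + s} WINDOW=1024 SYN"
     for m in range(2) for s in range(30)]
    # 192.0.2.55: 45 UDP packets to one port inside one minute, i.e. a flood
    + [f"Mar 12 10:01:{s:02d} gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.55 "
       f"DST=198.51.100.5 PROTO=UDP SPT=3000 DPT=53" for s in range(45)]
    # background traffic plus one non-firewall syslog line that must be skipped
    + ["Mar 12 10:00:15 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 "
       "PROTO=UDP SPT=5353 DPT=5353",
       "Mar 12 10:01:40 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 "
       "PROTO=TCP SPT=51000 DPT=443",
       "Mar 12 10:01:41 gw kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 "
       "PROTO=TCP SPT=51001 DPT=80",
       "Mar 12 10:01:42 gw sshd[812]: Accepted publickey for admin from 203.0.113.9"]
)

# syslog timestamp, host, "kernel:", assumed prefix, then the iptables key=value fields
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>\S+) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)


def parse_iptables_log(text):
    """Return one dict per line that matches the LOG format; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # sshd and other syslog noise is not an error, just not ours
        rec = m.groupdict()
        rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
        records.append(rec)
    return records


def load_into_db(records):
    """Central repository: one row per logged packet, with a per-minute bucket column."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE fw_log (ts TEXT, minute TEXT, action TEXT, "
               "src TEXT, dst TEXT, proto TEXT, dpt INTEGER)")
    db.executemany(
        "INSERT INTO fw_log VALUES (?,?,?,?,?,?,?)",
        [(r["ts"], r["ts"][:-3], r["action"], r["src"], r["dst"], r["proto"], r["dpt"])
         for r in records])
    return db


def trend_report(db):
    """Dropped packets per minute per source: the rows a graph generator would plot."""
    return db.execute(
        "SELECT minute, src, COUNT(*) FROM fw_log WHERE action = 'DROP' "
        "GROUP BY minute, src ORDER BY minute, src").fetchall()


def flag_noisy_sources(db, max_ports_per_minute=10, max_drops_per_minute=40):
    """Sources that in any minute hit too many distinct ports (sweep) or too many
    drops (flood). Thresholds are assumed defaults and should be tuned per site."""
    rows = db.execute(
        "SELECT src, COUNT(*), COUNT(DISTINCT dpt) FROM fw_log WHERE action = 'DROP' "
        "GROUP BY src, minute HAVING COUNT(*) > ? OR COUNT(DISTINCT dpt) > ?",
        (max_drops_per_minute, max_ports_per_minute)).fetchall()
    flagged = {(src, "port-sweep" if ports > max_ports_per_minute else "flood")
               for src, drops, ports in rows}
    return sorted(flagged)


if __name__ == "__main__":
    db = load_into_db(parse_iptables_log(SAMPLE_LOG))
    for minute, src, drops in trend_report(db):
        print(f"{minute}  {src:<12} {drops:>4} drops")
    for src, reason in flag_noisy_sources(db):
        print(f"flagged {src}: {reason}")
```

The per-minute bucketing is what turns raw firewall logs into a trend; the HAVING clause is the simplest form of the "identify malfunctioning nodes" step, and the same table can be queried for accepted traffic to spot a node that is noisy without ever being dropped.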
The proposed framework is implemented by laying out a Linux distribution from scratch and building the layers on top of it one by one. The whole framework is packaged into a bootable image. The work of laying out Linux, its hardening and the layer-by-layer implementation details are reported in the thesis. The framework is deployed and tested using various hacking tools and techniques, and the results thus obtained are reported in the thesis; they illustrate the usefulness of the framework within the network security arsenal hierarchy. Through its layering approach, the framework stands out as a unique model of the integration and defense in depth concepts.
Description
Ph.D Thesis
