A Large Scale Network Security Architecture

The College of New Jersey

Javan Hemmel

Mark Armento

May 10th, 2002

Submitted in partial completion of the requirements of CMSC497


ABSTRACT

The following information was presented in the spring 2002 semester of CMSC497 Research Presentation.  After examining a variety of current network security solutions, we felt that although many useful security systems were available, none of them seemed able to handle a very large network without some degree of redundancy.  To solve this problem, we designed our own network security architecture, intended to perform well in the largest modern networks.  The architecture is composed of the latest network components on the market today, and care was taken to make sure that these components would be compatible and function together.

Our objective was to create a system that performs the tasks necessary to filter, monitor, and store network data for the purpose of security and analysis on a large, corporate scale.


Our project began with a thorough examination of many of the industry's most current network security systems.  We concluded that although the technology was present, a system that could handle very large corporate networks without redundancy was not.  The group then decided to develop our own architecture to handle this unmet need.  We established that the architecture should be able to perform filtering, monitoring, and storage of data entering the network in real time.  Once this was decided, we narrowed the list of components needed down to a large router, an optical splitter, a dedicated server for filtering, some type of security administration tool, a large storage network, and a database system to access the storage network.  We then drew a flowchart that mapped the layout of the components.

From this flowchart, a packet life cycle was derived.  First, the packet is generated from a source outside the trusted network and enters a router, which directs it toward the trusted network being protected.  While en route, the packet passes through an optical splitter that creates an exact replica for security purposes, while the original packet continues to its destination.  The copy of the packet enters the dedicated server running filtering software, which determines whether or not the packet is of interest.  If it is, it is sent on; if not, it is discarded.  Packets of interest then enter the security monitoring system, where they undergo several types of analysis.  Depending on the results of the analysis, they are given a specific index and passed along to the storage network.  There they are kept for a limited number of days, after which they are deemed no longer useful and discarded.

After reviewing all the available technologies that currently exist, we decided to design a theoretical working solution.  The design begins with an untrusted outside network, which connects to a Cisco 12000 Series Gateway Router.  This router can scale up to OC-192 and channelize down to DS-1 speeds to meet the needs of any corporate user.  It provides a 10 Gbps system with the capacity, performance, service enablers, and operational efficiencies needed to build a highly competitive IP network, and it offers guaranteed priority packet delivery.

From here, the information passes through a Numerex ITR-192 Optical Splitter.  This is a passive optical splitter that mirrors traffic both into the trusted corporate IP network and to a Cisco NetFlow Server.  The splitter has two-way capability, handling data flowing both into and out of the network.  Because it is passive, it introduces no network interference and does not slow down or alter network performance at all.

The Cisco NetFlow Server filters raw data flows through access list acceleration.  With NetFlow turned on, only the header information for each flow is processed, whereas access lists alone check the entire packet and each subsequent packet.  This simplification lets NetFlow maintain high performance when access lists are used for packet filtering.  This step performs the filtering necessary to provide administrators with “interesting” data.  It is more efficient because it keeps data flows together and reduces the total amount of data, which becomes very important during storage.

Aggregation and Filtering Schemes:

· Source and destination IP address

· Source and destination TCP/User Datagram Protocol (UDP) ports

· Type of service (ToS)

· Packet and byte counts

· Start and end timestamps

· Input and output interface numbers

· TCP flags and encapsulated protocol (TCP/UDP)

· Routing information (next-hop address, source autonomous system (AS) number, destination AS number, source prefix mask, destination prefix mask)

When the data leaves the NetFlow Server, it enters a Niksun NetDetector box.  NetDetector gives security administrators a tool that non-intrusively records all network traffic on WAN and LAN interfaces, analyzes packets and flows to detect certain network anomalies, and collects all the information needed for complete post-event analysis of any network incident.  NetDetector will also send alerts if thresholds are surpassed or network anomalies are discovered.  This provides a platform for all security-monitoring operations.  It also provides a means of indexing so that the data can be recovered efficiently.

The NetDetector allows for:

· Anomaly Detection – Detects denial-of-service (DoS) attacks and network-transmitted worms by identifying traffic anomalies.  The administrator can customize the alert thresholds.

· Virus/Worm Detection & Damage Recovery – Tracks down virus/worm sources and identifies affected systems.  Also provides post-event analysis.

· Impact Analysis – Provides comprehensive impact analysis of any security breach.  Determines how protection mechanisms were bypassed, what was compromised, and what preventative measures could be taken.
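
The two stages just described, NetFlow-style aggregation of packets into flow records keyed by the fields listed under "Aggregation and Filtering Schemes", and a NetDetector-style threshold alert on the resulting flows, can be illustrated in a few dozen lines.  The following Python is an added example written for this paper; it is not code from the authors, from Cisco, or from Niksun.  The flow key (addresses, ports, protocol, ToS, input interface) follows classic NetFlow; the 1800-second active timeout, the half-open-connection rule used for the alert, and the packet trace are constructed assumptions for the example.

```python
# Added example, not code from the paper or from Cisco/Niksun: a NetFlow-style
# flow aggregator followed by a threshold check, run over a constructed trace.
from collections import Counter
from dataclasses import dataclass

# TCP flag bits used by the example (subset of the real header flags)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP, UDP = 6, 17


@dataclass
class Packet:
    ts: float       # capture timestamp, seconds
    src: str        # source IP address
    dst: str        # destination IP address
    proto: int      # IP protocol number: 6 = TCP, 17 = UDP
    sport: int      # source port
    dport: int      # destination port
    tos: int        # IP type-of-service byte
    length: int     # bytes on the wire
    tcp_flags: int  # TCP flag bits, 0 for UDP
    in_if: int      # input interface index
    out_if: int     # output interface index


@dataclass
class Flow:
    packets: int = 0
    octets: int = 0
    first: float = 0.0   # start timestamp
    last: float = 0.0    # end timestamp
    tcp_flags: int = 0   # OR of all TCP flags seen in the flow
    out_if: int = 0


def flow_key(p: Packet):
    """The seven header fields classic NetFlow uses to decide which flow a
    packet belongs to: addresses, ports, protocol, ToS and input interface."""
    return (p.src, p.dst, p.proto, p.sport, p.dport, p.tos, p.in_if)


def aggregate(packets, active_timeout=1800.0):
    """Collapse a packet stream into (key, Flow) records. Only header fields
    are examined, which is the saving the paper attributes to NetFlow. A flow
    older than active_timeout (assumed value) is exported and restarted,
    mirroring NetFlow's active-flow timeout."""
    active, exported = {}, []
    for p in sorted(packets, key=lambda x: x.ts):
        k = flow_key(p)
        f = active.get(k)
        if f is not None and p.ts - f.first > active_timeout:
            exported.append((k, f))
            f = None
        if f is None:
            f = Flow(first=p.ts, out_if=p.out_if)
            active[k] = f
        f.packets += 1
        f.octets += p.length
        f.last = p.ts
        f.tcp_flags |= p.tcp_flags
    exported.extend(active.items())
    return exported


def half_open_per_destination(flows):
    """Count, per destination, TCP flows that carried a SYN but never an ACK,
    i.e. handshakes that were started and never completed."""
    counts = Counter()
    for (src, dst, proto, sport, dport, tos, in_if), f in flows:
        if proto == TCP and f.tcp_flags & SYN and not f.tcp_flags & ACK:
            counts[dst] += 1
    return counts


def syn_flood_alerts(flows, threshold):
    """Administrator-tunable threshold check of the kind the anomaly-detection
    bullet describes: alert on destinations with too many half-open flows."""
    return {dst: n for dst, n in half_open_per_destination(flows).items()
            if n >= threshold}


def build_sample_trace():
    """Constructed packets (not captured data): one HTTP session with ten
    packets each way, one DNS lookup, and thirty single-SYN sources."""
    pkts = []
    for i in range(10):
        flags = SYN if i == 0 else ACK if i == 1 else ACK | PSH
        pkts.append(Packet(100.0 + i, "192.0.2.10", "10.0.0.5", TCP, 40000, 80, 0, 60 + 40 * i, flags, 1, 2))
        pkts.append(Packet(100.5 + i, "10.0.0.5", "192.0.2.10", TCP, 80, 40000, 0, 60 + 400 * i, flags | ACK, 2, 1))
    pkts.append(Packet(110.0, "192.0.2.10", "10.0.0.53", UDP, 53001, 53, 0, 70, 0, 1, 2))
    pkts.append(Packet(110.1, "10.0.0.53", "192.0.2.10", UDP, 53, 53001, 0, 120, 0, 2, 1))
    for n in range(30):
        pkts.append(Packet(120.0 + n * 0.01, f"203.0.113.{n + 1}", "10.0.0.5", TCP, 1024 + n, 80, 0, 60, SYN, 1, 2))
    return pkts


if __name__ == "__main__":
    trace = build_sample_trace()
    flows = aggregate(trace)
    print(f"{len(trace)} packets collapsed into {len(flows)} flow records")
    for dst, n in syn_flood_alerts(flows, threshold=20).items():
        print(f"ALERT: {n} half-open connections toward {dst}")
```

On the constructed trace, 52 packets collapse into 34 flow records, and the thirty half-open connections toward 10.0.0.5 cross a threshold of 20, which is the sort of customizable alert the paper assigns to NetDetector.  The flow records, not the packets, are what would be indexed and written to the storage array, which is where the data reduction the paper mentions pays off.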

The data is then passed into a Sun StorEdge T3 Array, which is where all the data will be stored.  The T3 Array provides reliable, high-performance storage with scalable capacity and availability.  It is fully redundant to enhance reliability.  It performs well, being able to add, remove, and replace data at a very high rate, and it scales easily to meet increasing needs up to petabyte storage.

· Front-End Server connects with RAID storage using fibre channel

· Hot-swap/redundant RAID controllers

· Front-to-back fibre architecture allows configuration for high transaction, high bandwidth, or high performance computing

· Technology for storage network interoperability and manageability

· Linear scalability to a massive 169 TB on a single server, which can allow systems to reach petabyte storage capabilities

· Ability to provide the necessary data throughput so that “bottlenecking” does not occur

· Path fail-over with power supplies, cooling fans, backup batteries, interconnect cards, and drives

Finally, the data is entered into an Oracle 9i database.  The local Oracle database would run on a Unix platform.  This was chosen because it is compatible with Niksun's proprietary software, and Oracle is also a large-scale, highly reliable database.

Upon completion of the design, it was felt that the selected data would be kept for two to three weeks for analysis.  This analysis would be used to reduce or eliminate downtime from future attacks.  Attacks in progress would be detected by the Niksun NetDetector and handled appropriately by the network administrator, using access lists and other security means.  We felt that this is an effective real-world solution to the problem we faced.  The cost of such an architecture would, however, be very high.


Sources

1. www.arbornetworks.com

2. www.bnisolutions.com

3. www.caida.org

4. www.cereva.com

5. www.cisco.com

6. www.emc.com

7. www.junipernetworks.com

8. www.narus.com

9. www.netsecurity.about.com

10. www.netviz.com

11. www.niksun.com

12. www.oracle.com

13. www.secinf.net

14. www.sun.com