Saturday, November 15, 2008

Data security in e-business using intrusion signature analysis.

ABSTRACT - Data security is becoming one of the most serious problems threatening e-business activity. Most people still worry that their personal information, especially their financial data, can be exposed to computer criminals. A signature analysis system helps detect known attack signatures by inspecting the IP packets that travel into the system. If any packet matches the database of known attack signatures, the system alerts the administrator by e-mail or by short message service (SMS) sent directly to the administrator's mobile phone, so that the security problem can be tackled as soon as it happens. The details of the suspect IP packet are also written to a relational database system for later analysis. This study was conducted entirely with free open-source software on a Linux machine.
KEY WORDS - Signature analysis, Security, Hack, Crack, Intrusion Detection.
ABSTRACT (Thai abstract, translated) - Data security is of great importance and is a key factor with a direct impact on electronic business activity. Most people remain concerned about their personal information, especially financial information, leaking to electronic criminals. An intrusion signature analysis system can help detect network intrusions by inspecting the IP packets that travel into the system; on detection it notifies the system administrator by electronic mail or by short message service (SMS) to the administrator's mobile phone, so that the problem can be dealt with in time. The details of the suspect IP packets are recorded in a relational database so that further analysis can be carried out later. This research was conducted using free open-source software on the Linux operating system.
KEY WORDS (translated) - network intrusion, intrusion detection, IP packets
1. Introduction
Computer network security is becoming a more and more important issue, as computers become connected through local or wide area networks or the Internet. Business organizations use the network as part of their strategy to gain an advantage over their competitors, but the network itself can become a threat to their computer systems, exposing valuable IT resources to various types of attack. This study was conducted using a Linux machine acting as an Intranet server, with the necessary software installed and configured to work in the manner designed by the researcher. The Signature Analysis System can be used efficiently together with other security tools, especially the well-known firewall.
2. Scope of this study
The scope of this study is the TCP/IP protocol suite, as TCP/IP has become the world's standard protocol in both small and large networks and is the base for many important Internet services such as WWW, FTP and e-mail. The system developed in this study captures all IP datagrams and compares them with known attack patterns. If a pattern matches, the alert subsystem sends an e-mail and a short message service (SMS) message to the administrator. The details of the suspect IP datagram are also kept in a relational database system, namely PostgreSQL, so that the details of the attack can be queried later.
3. Objectives of the study.
The objectives of this study are to
• Study the problem of computer network security.
• Study the security systems currently available from research and commercial sources.
• Analyse and design a security system that can alert the network administrator through e-mail and SMS.
• Present an appropriate practice for maintaining the security of the system that can be easily followed and actually used.
4. Computer Network Security.
Computer network security can be classified into 4 categories [1]:
• Secrecy is the practice of keeping data secret so that it is accessible only to authorized persons.
• Authentication is the process of proving that the person or process one is communicating with really is who it claims to be.
• Nonrepudiation is protection against denial of responsibility: a signature proves that a message came from the claimed person or client, so that the sender cannot later deny having sent it, and equally that a received message did not come from someone with malicious intent impersonating the sender.
• Integrity control ensures that a message arrives exactly as it was sent, analogous to registered mail in the postal system; in practice this requires a cryptographic check on the data, since encrypting the data under a password hides it but does not by itself detect modification.
5. Persons who can be dangerous.
People who threaten computer network security can be classified as follows [2].
5.1 Hackers
The generic term applies to computer enthusiasts who take pleasure in gaining access to other people's computers or networks. Many hackers are content with simply breaking in and leaving their "footprints", which are joke applications or messages on computer desktops. Other hackers, often referred to as "crackers", are more malicious: crashing entire computer systems, stealing or damaging confidential data, defacing Web pages, and ultimately disrupting business. Some amateur hackers merely locate hacking tools online and deploy them without much understanding of how they work or what their effects are.
5.2 Unaware Staff
As employees focus on their specific job duties, they often overlook standard network security rules. For example, they might choose passwords that are very simple to remember so that they can log on to their network easily. However, such passwords might be easy to guess or crack by hackers using simple common sense or widely available password cracking utilities. Employees can unconsciously cause other security breaches, including the accidental contraction and spreading of computer viruses. One of the most common ways to pick up a virus is from a floppy disk or by downloading files from the Internet. Employees who transport data via floppy disks can unwittingly infect their corporate networks with viruses they picked up from computers in copy centres or libraries. They might not even know that viruses are resident on their PCs. Corporations also face the risk of infection when employees download files, such as PowerPoint presentations, from the Internet. Companies must also be wary of human error. Employees, whether computer novices or computer savvy, can make mistakes such as installing virus protection software incorrectly or overlooking warnings about security threats.
5.3 Disgruntled Staff
Far more unsettling than the prospect of employee error causing harm to a network is the potential for an angry or vengeful staff member to inflict damage. Angry employees, often those who have been reprimanded, fired, or laid off, might vindictively infect their corporate networks with viruses or intentionally delete crucial files. This group is especially dangerous because it is usually far more aware of the network, the value of the information within it, where high-priority information is located, and the safeguards protecting it.
5.4 Snoops
Whether content or disgruntled, some employees might also be curious or mischievous. Employees known as "snoops" partake in corporate espionage, gaining unauthorized access to confidential data in order to provide competitors with otherwise inaccessible information. Others are simply satisfying their personal curiosity by accessing private information, such as financial data, a romantic e-mail correspondence between coworkers, or the salary of a colleague. Some of these activities might be relatively harmless, but others, such as viewing private financial, patient, or human resources data, are far more serious, can damage reputations, and can create financial liability for a company.
6. Proposed Signature Analysis System Design.
The Signature Analysis System required by this study is a system that can monitor for suspected intrusion attempts by capturing all IP packets travelling within the monitored system. If any IP packet is found to contain a known signature, an intrusion attempt is assumed to have occurred. The system alerts the system administrator by e-mail and/or short message service (SMS). The details of the intrusion activity, such as activity type, IP address, and date and time of occurrence, are also kept in a relational database system for later detailed investigation. The design falls into 8 subsystems (figure 1).
Figure 1 - Major subsystems of the Network Intrusion Detection System: Intrusion Detection Subsystem (Snort); Linux system logger (syslogd); Relational Database System (PostgreSQL); Incident Analysis Tools (ACID); WWW services (Apache + PHP); Log file checking subsystem (Logcheck); SMS sending subsystem (smsd); E-mail sending subsystem (sendmail). Snort writes to the database and to syslogd; any change in the alert file written by syslogd triggers the log file checking subsystem, which in turn drives the SMS and e-mail sending subsystems.
6.1 Intrusion Detection Subsystem.
This is the main part of the system. Its function is to capture every IP datagram travelling within the monitored system (packets originating both inside and outside the enterprise network are captured) and analyse the content of the datagram against the database of intrusion signatures. If a signature matches, the full details of the datagram are written to the database subsystem (PostgreSQL), and a brief description of the intrusion activity is also sent to the system logger daemon (syslogd).
This subsystem is implemented with the lightweight network intrusion detection system Snort, created by Martin Roesch. Snort is based on the libpcap packet capture library, which is commonly used in TCP/IP traffic sniffers and analysers. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
Snort uses a database of known attack patterns, also called signatures, gathered from various sources and expressed as rules. Information about intrusion signatures comes from web sites that specialise in security, and users can write their own rules for any known attack signature. Because detection works purely by matching known patterns, an attack with no signature in the rule set passes unnoticed, which is why the signature database must be kept current.
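To make the rule matching concrete, the following is an added example written for this page; it is not Snort's code and does not reproduce Snort's full rule language. It parses a small subset of Snort's rule syntax (the header with $VAR expansion, address and port negation and ranges, and the msg, content with |hex| segments, nocase and sid options) and applies the rules to packet records. The two rules, the $HOME_NET value, the sids in the local-rule range, and all packets are constructed for the illustration.

```python
# Added illustration of the signature matching described in section 6.1. It is
# not Snort's code: it accepts a small subset of Snort's rule syntax (header,
# msg, content with |hex| segments, nocase, sid) and applies the rules to
# constructed packet records. Every rule and packet below is made up.
import ipaddress
import re
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport payload")
Rule = namedtuple("Rule", "proto src sport dst dport msg sid contents nocase")

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def _parse_content(value):
    """Decode a content string; |..| segments hold hex bytes, as in Snort."""
    out = bytearray()
    for i, piece in enumerate(value.split("|")):
        out += piece.encode("latin-1") if i % 2 == 0 else bytes.fromhex(piece)
    return bytes(out)

def parse_rule(line, variables):
    """Parse one rule line; $VAR tokens in the header come from `variables`."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    opts, contents, nocase = {}, [], False
    for opt in m["opts"].split(";"):  # simplification: no ';' inside content
        key, _, val = opt.strip().partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "content":
            contents.append(_parse_content(val))
        elif key == "nocase":
            nocase = True
        elif key:
            opts[key] = val
    def expand(tok):
        neg, name = ("!", tok[1:]) if tok.startswith("!") else ("", tok)
        return neg + variables.get(name, name)
    return Rule(m["proto"].lower(), expand(m["src"]), m["sport"], expand(m["dst"]),
                m["dport"], opts.get("msg", ""), int(opts.get("sid", 0)),
                tuple(contents), nocase)

def _addr_match(spec, ip):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    nets = spec.lstrip("!").strip("[]").split(",")
    hit = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False)
              for n in nets)
    return hit != negate

def _port_match(spec, port):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:  # Snort range syntax: lo:hi, :hi or lo:
        lo, _, hi = spec.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate

def rule_matches(rule, pkt):
    """Cheap header checks first, then every content string in the payload."""
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not (_addr_match(rule.src, pkt.src) and _port_match(rule.sport, pkt.sport)
            and _addr_match(rule.dst, pkt.dst) and _port_match(rule.dport, pkt.dport)):
        return False
    payload = pkt.payload.lower() if rule.nocase else pkt.payload
    return all((c.lower() if rule.nocase else c) in payload for c in rule.contents)

def scan(rules, packets):
    """Return (sid, msg, src, dst) for each rule that fires on each packet."""
    return [(r.sid, r.msg, p.src, p.dst)
            for p in packets for r in rules if rule_matches(r, p)]

# Constructed rule set; sids >= 1000000 are the conventional local-rule range.
VARIABLES = {"$HOME_NET": "192.168.1.0/24"}
RULES = [parse_rule(line, VARIABLES) for line in (
    'alert tcp any any -> $HOME_NET 80 (msg:"WEB-CGI phf access"; '
    'content:"/cgi-bin/phf"; nocase; sid:1000001;)',
    'alert tcp any any -> $HOME_NET any (msg:"SHELLCODE x86 NOP sled"; '
    'content:"|90 90 90 90 90 90 90 90|"; sid:1000002;)',
)]

# Constructed traffic: a phf probe in mixed case, a NOP sled, benign traffic,
# and the same probe aimed at a host outside $HOME_NET (must not fire).
PACKETS = [
    Packet("tcp", "10.0.0.5", 4321, "192.168.1.10", 80,
           b"GET /cgi-bin/PHF?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n"),
    Packet("tcp", "10.0.0.7", 5555, "192.168.1.20", 6000, b"A" * 16 + b"\x90" * 32),
    Packet("tcp", "10.0.0.5", 4322, "192.168.1.10", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("tcp", "10.0.0.5", 4323, "203.0.113.9", 80, b"GET /cgi-bin/phf HTTP/1.0\r\n"),
]

def demo():
    return scan(RULES, PACKETS)
```

Calling `demo()` returns two alerts, one per rule; the mixed-case probe is caught only because of `nocase`, and the identical probe against 203.0.113.9 is ignored because it is outside $HOME_NET. That last point is the operational one: a rule set is only as good as its variables, and a wrongly scoped $HOME_NET silently blinds the sensor.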
6.2 Relational Database Subsystem.
The database subsystem is the main storage area of the system, to which the Intrusion Detection Subsystem sends all captured details. The system administrator can use the database as the primary record for tracing the activities that have happened to the system, and as a source for tracing back to the origin of the intruder.
6.3 Incident Analysis Tools
The data collected in the database may be large and hard to analyse. To keep analysis from being a tedious job, a dedicated subsystem is needed; the Analysis Console for Intrusion Databases (ACID) was chosen. ACID is a PHP-based analysis tool that makes analysis of the data much more efficient.
6.4 WWW services subsystem.
This subsystem is the main interface for the system administrator, who uses a web browser to query for further detail. It works together with the preceding subsystem.
6.5 System Logger.
A system logger is a common process that exists in every major operating system. In this study the Linux system logger (syslogd) is the starting point of the alerting chain: it creates a log file and writes every alert received from the Intrusion Detection Subsystem to that file.
6.6 Log file Checking Subsystem.
This subsystem checks for any change in the alert log file; any change activates the two subsystems that alert the system administrator.
6.7 Mail Sending Subsystem.
Sending alerts through e-mail is one of the two alerting mechanisms in this study. An e-mail alert can carry a moderate amount of detail about the event. Sendmail is activated whenever the log file checking mechanism finds a change in the alert log file.
6.8 SMS Sending Subsystem.
This subsystem communicates with the GSM digital mobile phone network by sending AT commands to a GSM modem or handset. It is also activated by the log file checking mechanism. Its major advantage is that it can deliver the alert as soon as the intrusion occurs; its major drawback is the limited amount of data that can be sent in one message.
7. System Implementation and Testing Results.
The Signature Analysis System developed in this study was tested on a Linux-based Internet/Intranet server serving 50 clients. The server connects to the Internet through two interfaces: an Ethernet link to the Bangkok head office over satellite communication, and a dial-up modem connected to an Internet Service Provider as a backup channel. The server normally acts as proxy-cache server, DNS server, FTP server and Intranet web server. After installing all required subsystems and making the necessary configuration, the system detected many intrusion attempts, both by technical staff who wanted to test it and real attempts by staff from other departments. Testing was done with well-known intrusion tools and techniques in an effort to break into the Linux server. The system sent alerts to the system administrator by both e-mail and SMS. The system has some limitations:
7.1 The system is built from separate free open-source packages set up to work together, so configuring the whole system is quite tedious and requires an understanding of every component's configuration.
7.2 If the alerting mechanism is not configured properly, it can flood the administrator with messages and become an e-mail bomb or SMS bomb itself.
7.3 The system administrator must keep the signature database up to date so that the most recent intrusion techniques can be detected.
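The chain from syslogd through the log file check to e-mail and SMS (sections 6.5 to 6.8), and the flooding problem of 7.2, can be shown in one place. The following is an added example written for this page, not the paper's Logcheck, sendmail or smsd configuration. It parses alert lines written in the style of Snort's syslog output (the lines themselves are constructed), limits each (sid, source address) pair to a few notifications per time window so that a retried attack cannot become an SMS bomb, cuts the SMS to one 160-character message, and returns the text-mode AT command sequence a GSM modem expects instead of writing to a serial port. The phone number, priorities and timestamps are made up.

```python
# Added illustration of the syslogd -> log file check -> e-mail/SMS chain of
# sections 6.5 to 6.8, written to avoid the alert flood noted in section 7.2.
# It is not the paper's logcheck/sendmail/smsd configuration: alerts are parsed
# from constructed lines in the style of Snort's syslog output, each
# (sid, source) pair is limited to a few notifications per window, and the SMS
# is cut to one 160-character message. Phone number and log lines are made up.
import re
from collections import defaultdict, deque

ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<pri>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?")

def parse_alert(line):
    """Return the alert fields as a dict, or None for a non-alert log line."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None

class Throttle:
    """Allow at most `limit` notifications per key within any `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)   # key -> timestamps of sent notifications

    def allow(self, key, now):
        q = self.seen[key]
        while q and q[0] <= now - self.window:   # forget sends outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

SMS_MAX = 160   # one GSM text message; longer alerts are truncated, not split

def sms_text(a):
    """Shortest useful form: sid, source, destination and rule message."""
    return f"IDS {a['sid']} {a['src']}>{a['dst']}:{a['dport'] or '-'} {a['msg']}"[:SMS_MAX]

def sms_at_commands(number, text):
    """Text-mode send sequence for a GSM modem: text mode, recipient, body + Ctrl-Z."""
    return ["AT+CMGF=1", f'AT+CMGS="{number}"', text + "\x1a"]

def email_body(a):
    return (f"Snort alert [{a['gid']}:{a['sid']}:{a['rev']}] {a['msg']}\n"
            f"Priority {a['pri']} Classification {a['cls'] or 'n/a'}\n"
            f"{a['proto']} {a['src']}:{a['sport'] or '-'} -> {a['dst']}:{a['dport'] or '-'}\n")

def dispatch(entries, throttle, number="+66800000000"):
    """entries: (epoch_seconds, log_line). Returns what would be sent and what was held."""
    out = {"sms": [], "email": [], "suppressed": 0}
    for ts, line in entries:
        a = parse_alert(line)
        if a is None:
            continue                                  # not an IDS alert
        if not throttle.allow((a["sid"], a["src"]), ts):
            out["suppressed"] += 1                    # still in the database; just not paged
            continue
        out["email"].append(email_body(a))
        out["sms"].append(sms_at_commands(number, sms_text(a)))
    return out

# Constructed log: one attacker retries the same CGI probe 30 times in ten
# seconds, a second host trips another rule, an unrelated kernel line goes by,
# and the first attacker returns after the window has expired.
PHF = ("snort[1234]: [1:1000001:1] WEB-CGI phf access [Classification: Web "
       "Application Attack] [Priority: 2]: {TCP} 10.0.0.5:4321 -> 192.168.1.10:80")
SLED = ("snort[1234]: [1:1000002:1] SHELLCODE x86 NOP sled [Priority: 1]: "
        "{TCP} 10.0.0.7:5555 -> 192.168.1.20:6000")
ENTRIES = ([(1000 + i // 3, PHF) for i in range(30)]
           + [(1012, SLED), (1013, "kernel: eth0: link up"), (1100, PHF)])

def demo():
    return dispatch(ENTRIES, Throttle(limit=2, window=60))
```

With a limit of two notifications per (sid, source) per minute, `demo()` pages the administrator four times (two for the probe burst, one for the NOP sled, one when the probe resumes after the window) and holds the other 28 repeats, which remain in the database for ACID to show. The throttle key deliberately includes the source address, so a second attacker triggering the same rule is still reported.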
8. Conclusion
A Signature Analysis System is one of the major tools that should be implemented by every organisation interested in e-business activity, since security is the most important issue that can make customers or trading partners uncertain about their electronic transactions. The most commonly used security tool is the firewall, which acts like a security guard checking any data coming into or out of the system: if the data passes the rules specified by the firewall administrator, it is allowed through regardless of what effect it may have on the system. The Signature Analysis System, on the other hand, is like a surveillance system that keeps an eye on all activity within the system regardless of where the activity originates; if it finds suspicious activity it logs it and alerts the system administrator, and can even be configured to stop the related process. Using both tools together improves the security of the system.
References
[1] Prasong Praneetpolgrang. Management Information System. Thanathach Press, Bangkok, 2000, pp. 447-448.
[2] Graham, Robert. FAQ: Network Intrusion Detection Systems. [Online] Available: http://www.robertgraham.com/pubs/network-intrusion-detection.html [September 2, 2001].
[3] Frederick, Karen. (2001, March 28, last update) Network Monitoring for Intrusion Detection. [Online] Available: http://www.securityfocus.com/focus/ids/articles/networmon.html [September 2, 2001].
[4] Frederick, Karen. (2000, October 13, last update) Abnormal IP Packets. [Online] Available: http://www.securityfocus.com/focus/ids/articles/abnormal1.html [September 2, 2001].
[5] Elson, David. (2000, March 27, last update) Intrusion Detection, Theory and Practice. [Online] Available: http://www.securityfocus.com/focus/ids/articles/davidelson.html [September 2, 2001].
[6] Elson, David. (2000, May 22, last update) Intrusion Detection on Linux. [Online] Available: http://www.securityfocus.com/focus/ids/articles/linux-ids.html [September 2, 2001].
[7] MacBride, Robert. (2000, April 6, last update) Intrusion Detection: Filling in the Gaps. [Online] Available: http://www.securityfocus.com/focus/ids/articles/robmacbride.html [September 2, 2001].
[8] Cisco Systems. (2001) A Beginner's Guide to Network Security. [Online] Available: http://www.cisco.com/warp/public/cc/so/neso/sqso/beggu_pl.pdf [September 9, 2001].
[9] Enterprise Management Associates. (2000, May) An Introduction to Network Security. [Online] Available: http://www.solsoft.com/library/ema_whitepapers.pdf [September 9, 2001].
[10] Jai Sundar Balasubramaniyan, et al. (1998, June 11) An Architecture for Intrusion Detection using Autonomous Agents. Center for Education and Research in Information Assurance and Security, Purdue University. [Online] Available: http://www.cerias.purdue.edu/homes/aafid/docs/tr9805.pdf [September 9, 2001].
[11] Lee, Wenke, et al. A Data Mining Framework for Building Intrusion Detection Models. Computer Science Department, Columbia University. [Online] Available: http://www.snort.org/docs/ieee_sp99_lee.ps [September 9, 2001].
[12] Brandenburg University of Technology at Cottbus. The Intrusion Detection System AID. [Online] Available: http://www-rnks.informatik.tu-cottbus.de/~sobirey/aid.e.html [September 9, 2001].

Saturday, August 9, 2008

Symantec NAC upgraded

Integrates on-demand client into Symantec Network Access Control

Enterprises can expect more consumer devices to enter their networks, says analyst Zeus Kerravala. The key is controlling how much access they get

BANGALORE, INDIA: Symantec has upgraded Symantec Network Access Control, providing enforcement for managed endpoints, guest users and unmanaged devices. Symantec is helping customers reduce overall cost and simplify network access control deployment by integrating the on-demand client into Symantec Network Access Control.

Symantec is releasing an upgrade to Symantec Network Access Control (NAC), which will allow IT administrators to exert control over unmanaged devices and set customized levels of access for guest users entering their corporate networks.

The upgrade is available at no additional cost to customers under warranty or maintenance. The software image will be available for download from Symantec’s Web site on Aug. 15.

In addition, consolidated network access control policy configuration and management for managed and guest users can all be done through the Symantec Endpoint Protection Manager. The Symantec Network Access Control upgrade is scheduled to be available in August 2008.

An integrated, dissolvable on-demand client for guest user access can now be delivered directly from the Symantec Network Access Control Enforcer appliance in Gateway or DHCP modes to simplify deployment.

This helps ensure that unmanaged endpoints attempting to connect to corporate networks have the appropriate protection and security software installed. The on-demand client performs predefined checks to ensure that antivirus, antispyware, firewall and service pack software is installed and up-to-date.

"This critical expansion of our network access control capabilities allows customers to centrally enforce endpoint compliance policies for both managed and unmanaged endpoints, through integration with Symantec Endpoint Protection, and guest users," said Brad Kingsbury, senior vice president, Endpoint Security and Management Group, Symantec Corp. "With Symantec Network Access Control, we have taken a flexible approach that goes beyond host-based enforcement and offers customers an array of options for enforcing network access control on the network."

Symantec Network Access Control also supports authentication and identity-based access control for guest users by offering a new Web login that can be enabled as part of the on-demand client download process. Users can be authenticated against logins stored centrally in Active Directory, LDAP or RADIUS, or against logins stored locally on the Enforcer. When used with LAN Enforcement, RADIUS attributes can control which resources guest users can access on the network once they have authenticated.

Furthermore, enhanced MAC address authentication enforces network access for unmanaged devices in 802.1X-enabled environments. In LAN Enforcement mode, the Enforcer can check the MAC address of a device connecting to an 802.1X-enabled switch port, validate it against a store of known/authorized MAC addresses, and allow or block the device depending on whether it finds a match. Since a MAC address is presented by the client and can be changed, this check identifies a device only as reliably as the address store is maintained; it is a way to admit devices that cannot run the agent, not a proof of the device's identity.

“We’ve actually brought all of the power of Symantec’s NAC agent for managed systems and put up that for the unmanaged world,” said senior manager of product management Rich Langston, who runs the NAC product line.

The on-demand product is a brand new, ground-up rewrite for unmanaged devices that gives administrators the exact same capabilities they currently have with the managed agent for guests and contractors, he explained.

It works by having users access the network through a Web browser, which takes them to a portal that requires a login. After presenting valid credentials, users download the on-demand agent, which runs in resident memory and dissolves when the user exits the system.

The agent ensures unmanaged devices meet predefined criteria for endpoint compliance before connecting to the network. This includes appropriate levels of security and protection, including up-to-date antivirus, antispyware, firewall and service pack software.

If a device fails to meet the criteria, automated remediation capabilities can work to resolve the issue. “Some of the competing solutions will take the user to a Web page and say, ‘You’re not on the network because your antivirus isn’t up-to-date so click on this URL,’” said Langston. “We automate everything.”

Non-compliant devices can be blocked or quarantined from the network. “The idea is to keep the network safe by keeping impurely configured systems off the network,” he said.



Symantec Network Access Control securely controls access to corporate networks, enforces endpoint security policy and easily integrates with existing network infrastructures. Regardless of how endpoints connect to the network, Symantec Network Access Control discovers and evaluates endpoint compliance status, provisions the appropriate network access, provides automated remediation capabilities, and continually monitors endpoints for changes in compliance status. The result is a network environment where corporations realize significant reductions in security incidents, increased levels of compliance to corporate IT security policy and confidence that endpoint security mechanisms are properly enabled.




Symantec NAC upgrade aims at manageability
By: Jennifer Kavur - Network World Canada (01 Aug 2008)

Another key feature of the upgrade is a new Web login for guest users. “We now have the capability of giving them different levels of access,” said Langston. “This is important because most enterprises are interested in giving as little access to the network as necessary. For example, they might want to offer Internet access as a courtesy to casual guests, vendors, or the board of directors…If anything changes, they will get kicked off the network,” said Langston.

“We really have one of the most powerful agents for client-side NAC that is available, which means that we are fully on board with the client,” said Langston. This includes performing very deep inspections of endpoints to make sure they are compliant with “all the policies the administrator wants…whatever his policies may be.”