
eChallenges2005 Seinit


Presentation made of the paper J. McGibney, M. PoncedeLeon, J. Ronan, Security for Heterogeneous Mobile Network Services, eChallenges, Ljubljana, Slovenia, October 2005.



  1. SEINIT: Security for Heterogeneous Mobile Network Services
     John Ronan, Miguel Ponce de Leon, Jimmy McGibney
     TSSG, Waterford Institute of Technology, Ireland
  2. Threats in Mobile/Wireless Networks
     - Eavesdropping by a third party
       - The medium is shared and public
       - Hard to precisely control transmission range
       - Often weak encryption
       - Sometimes no encryption
     - Bogus user
       - Masquerading as a genuine customer to gain illegitimate access or perpetrate fraud (e.g. free calls on telecoms networks)
       - WiFi often has no authentication
       - Cloning of the Subscriber Identity Module (SIM)
       - Stolen phones
     - Bogus network
       - Base station presenting itself as the network to the user, for example to collect user data (not a major problem for GSM/UMTS at the moment)
     - Denial of service
       - e.g. by signal jamming
  3. The Need for a Smart Access Point
     - WLAN: an open medium, far more vulnerable than its “wired cousin”
     - It needs powerful security functions:
     - Authentication, Firewall, IDS, Honeypot, …
  4. What is an Intrusion?
     - “Any attempt to compromise the confidentiality, integrity, or availability of a computer or network”
     - “Any attempt to bypass the security mechanisms of a computer or network”
  5. Intrusion Detection Systems
     - “Burglar alarm” within the network (or host)
     [Figure: Protected Network, Firewall, Internet, IDS]
     - Network-based Intrusion Detection System
  6. Honeypots
     - Definition:
       - “A resource whose value lies in being probed, attacked or compromised”
       - System or component with no real-world value, set up to lure attackers
       - By definition, all activity on a honeypot is highly suspect
     - Advantages
       - Collect small data sets of high value
       - Reduce false positives
       - Catch new attacks (false negatives)
       - Work in encrypted or IPv6 environments
       - Simple concept requiring minimal resources
     - Disadvantages
       - Limited field of view
       - Fingerprinting allows attackers to spot honeypots
       - May introduce risk
  7. Outline
     - Major ideas
       - The need for a smart access point
       - Combining IDS and Honeypot
       - Collaboration and “Reputation”
     - Architecture
       - Generic architecture
       - 5 main components
         - Sensor, Alert analysis, Action engine, Data control, Collaboration
       - IDMEF
     - Implementation
       - Prototype architecture
       - Hardware
       - CqureAP
       - Prelude-IDS
       - Snort
       - Honeyd
  8. Combining IDS and Honeypots
     - Common components
       - Data collection
       - Analysis and decision algorithm
       - Action module
     - Main differences
       - A honeypot is only effective when it is actually used (probed or attacked)
       - An IDS operates continuously on the data flow
     - Both are necessary:
       - The IDS can provide information even if the honeypot is not the target of attacks.
       - When it is used, the honeypot provides more accurate and valuable information.
  9. Major Outcomes / Results
     - A network of collaborative access points
     - Exchange security information through a common vehicle
     - Compute a “level of trust” for each host
     - 5 main components
       - Sensors
       - Alert analysis
       - Action engine
       - Collaboration
       - Data control
  10. Implementation - Use Available Components
     - CqureAP
       - Linux-based 802.11 wireless AP
     - Prelude-IDS
       - Our core framework: a hybrid IDS
     - Snort
       - Used as a NIDS and as a wireless sensor
     - Honeyd
       - Used to provide various honeypot services
  11. Implementation - Prelude IDS
     - A hybrid, modular intrusion detection system, under the GPL
     - Reasons for the choice:
       - Hybrid IDS means multilayered intrusion detection
       - Modularity: convenient plugin framework to add and remove modules
       - Extensibility: easy integration of existing or new applications into the framework thanks to the libprelude library
       - IDMEF compliant
     - Main components:
       - libprelude, prelude-manager, sensors
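As an added example (not code from the SEINIT slides or from Prelude-IDS), the collaboration step of slides 9 and 11: a peer access point parses IDMEF alerts produced by Snort and Honeyd sensors and derives a per-host “level of trust”. The IDMEF namespace and element layout follow RFC 4765; the analyzer and severity weights, the 0-100 trust scale and the sample alerts are assumptions made for the illustration.

```python
# Added example, not from the SEINIT slides or Prelude-IDS: one collaboration
# step in which an access point parses IDMEF alerts received from peers and
# derives a per-host "level of trust". Weights and the sample alerts are
# constructed; the IDMEF subset follows RFC 4765.
import xml.etree.ElementTree as ET

NS = {"idmef": "http://iana.org/idmef"}
# Hypothetical weights: nobody contacts a honeypot legitimately, so a
# Honeyd-sourced alert costs far more trust than a Snort signature match.
ANALYZER_WEIGHT = {"honeyd": 40, "snort": 10}
SEVERITY_WEIGHT = {"low": 0.5, "medium": 1.0, "high": 2.0}

# Constructed IDMEF message: three alerts from two collaborating APs.
SAMPLE_IDMEF = """<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">
  <idmef:Alert messageid="1">
    <idmef:Analyzer analyzerid="ap-1" name="snort"/>
    <idmef:Source><idmef:Node><idmef:Address><idmef:address>192.0.2.10</idmef:address></idmef:Address></idmef:Node></idmef:Source>
    <idmef:Classification text="Port scan"/>
    <idmef:Assessment><idmef:Impact severity="low"/></idmef:Assessment>
  </idmef:Alert>
  <idmef:Alert messageid="2">
    <idmef:Analyzer analyzerid="ap-2" name="honeyd"/>
    <idmef:Source><idmef:Node><idmef:Address><idmef:address>192.0.2.10</idmef:address></idmef:Address></idmef:Node></idmef:Source>
    <idmef:Classification text="Honeypot telnet login attempt"/>
    <idmef:Assessment><idmef:Impact severity="high"/></idmef:Assessment>
  </idmef:Alert>
  <idmef:Alert messageid="3">
    <idmef:Analyzer analyzerid="ap-1" name="snort"/>
    <idmef:Source><idmef:Node><idmef:Address><idmef:address>198.51.100.7</idmef:address></idmef:Address></idmef:Node></idmef:Source>
    <idmef:Classification text="SNMP default community string"/>
    <idmef:Assessment><idmef:Impact severity="medium"/></idmef:Assessment>
  </idmef:Alert>
</idmef:IDMEF-Message>"""


def trust_levels(idmef_xml: str, start: int = 100) -> dict:
    """Trust per source address: starts at `start`, reduced per alert, floored at 0."""
    trust = {}
    for alert in ET.fromstring(idmef_xml).findall("idmef:Alert", NS):
        analyzer = alert.find("idmef:Analyzer", NS)
        name = (analyzer.get("name", "") if analyzer is not None else "").lower()
        impact = alert.find("idmef:Assessment/idmef:Impact", NS)
        severity = impact.get("severity", "medium") if impact is not None else "medium"
        penalty = ANALYZER_WEIGHT.get(name, 10) * SEVERITY_WEIGHT.get(severity, 1.0)
        for addr in alert.findall("idmef:Source/idmef:Node/idmef:Address/idmef:address", NS):
            host = (addr.text or "").strip()
            if host:  # skip empty address elements rather than keying on ""
                trust[host] = max(0.0, trust.get(host, float(start)) - penalty)
    return {host: int(level) for host, level in trust.items()}
```

With the sample message, the host seen by both the Snort sensor and the honeypot drops to 15 while the host with a single medium Snort alert keeps 90; the action engine of slide 9 would consume these values.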
  12. Conclusion and Outlook
     - The ideal is a system that:
     - Does not entirely rely on predetermined definitions such as signatures (so it can catch new attacks)
     - Can keep running in the event of an attack
     - Can learn to adapt to changing attack scenarios
     - Generates few false alerts