
FORMAL ANALYSIS METHODS OF NETWORK SECURITY DESIGN

Mariusz Stawowski, Cybernetics Faculty, Military University of Technology, Warsaw, Poland

Keywords: Principles, Security Design Analysis, Graph Models and Methods, Formal Security Analysis.

Abstract: An assessment of network security design correctness requires an analysis of many aspects, e.g. the correctness of security zones, the access control protection layers and the tightness of protections against intrusions. Using formal methods in medium up to large-scale networks can greatly speed up security analysis and improve its accuracy. The analysis models and methods described in this document allow for quick identification of network security design errors resulting from breaking the "Compartmentalization of Information" and "Defense-in-Depth" security principles, for checking whether the protections used allow for security incident handling, and for verification of many other security aspects. The analysis methods developed here can be used during network security design and also for the security assessment of existing information systems.

Stawowski M. (2007). FORMAL ANALYSIS METHODS OF NETWORK SECURITY DESIGN. In Proceedings of the Second International Conference on Security and Cryptography (SECRYPT 2007), pages 313-318. DOI: 10.5220/0002118903130318. Copyright SciTePress.

1 INTRODUCTION

Network security design verification is performed mainly on the basis of IT system security principles and risk analysis results. Security analysis in medium and large-scale networks is a complicated and time-consuming task. Mistakes can be made easily and security holes can be overlooked. The difficulties result mainly from the fact that a network security system is composed of many different, integrated elements. Network security operations also depend on the IT system environment.

The analysis can be performed using formal and informal methods (e.g. engineering practices). Attempts to develop standards and formal analysis methods are being made in many scientific centres. Proven world-wide frameworks and guidelines exist in the fields of IT security management and ensuring the CIA triad (e.g. COBIT, IATFF, ITIL, ISO 27001). There is apparent progress in the development of network security analysis methods based on graph theory (e.g. attack graphs, the Archipelago project). Research is still required in the field of formal assessment of network security design correctness (e.g. correctness of network security zones, proper design of network protection layers like firewalls, intrusion prevention, content control and anti-virus systems).

2 NETWORK SECURITY DESIGN PRINCIPLES

The rules and guidelines for network security design were elaborated by organizations specializing in IT security (e.g. CERT, DISA, NIST, NSA, SANS). During an analysis of the network security design, the following basic IT system security principles should be taken into account:

- "Compartmentalization of Information" – IT system resources of different sensitivity levels (i.e. different value and threat susceptibility) should be located in different security zones. An extension of this rule is the "Information Hiding" principle, which says that the IT system makes available only what is necessary for conducting the IT system tasks.
- "Defense-in-Depth" – protection of IT system resources is based on many security layers. The extensions of this principle are the following rules: "Layered Protections" – security layers complement and insure one another; "Defense in Multiple Places" – security layers are located in different places of the IT system.
- "The Principle of Least Privilege" – IT system subjects (e.g. users, administrators) should have the minimal privileges necessary for the proper functioning of the organization. This rule applies also to data and services made available to external users. An extension of this rule is the "Need-To-Know" principle, which says that users and administrators of the IT system have access to information relevant to their position and the duties they perform.
- "Weakest link in the chain" – the security level of the IT system depends on the most weakly secured element of the system.

The "Defense Through Diversification" principle, which extends the "Defense-in-Depth" rule, is also known. It says that the security of IT system resources should be based on protection layers consisting of different types of safeguards. When two layers of the same type are used, they should come from different vendors. The rule should be used with caution because it increases the complexity of the security system and thereby obstructs its proper management and maintenance.

3 NETWORK MODELS

3.1 Network Security Model

In order to perform security design analysis using formal methods, a mathematical model of the IT system focused on mapping network protections has been developed. The basic element of the model is a graph describing the IT system's network structure, together with functions defined on its vertices and edges that represent the features of the IT system network and its protections.

The IT system network security model can be presented as a vector

$S = \langle G, \{\lambda\}, \{\beta\}, D^b \rangle$  (1)

where:
$G = \langle Z, L \rangle$ – an undirected graph describing the IT system network structure (the so-called network security graph),
$Z$ – the set of vertices of $G$, representing IT system resources (i.e. information and service resources, network and security devices),
$L$ – the set of edges of $G$, representing direct connections between IT system resources (i.e. cabling and L2 OSI devices),
$\{\lambda\}$ – the set of functions on the vertices of $G$,
$\{\beta\}$ – the set of functions on the edges of $G$,
$D^b$ – a binary matrix describing the security analysis scope,

$D^b = [d^b_{ij}]_{|V| \times |K|}$  (2)

where:
$V$ – the set of IT system threats,
$K$ – the set of network safeguard types,
$d^b_{ij}$ is 1 if the $j$-th safeguard protects against the $i$-th threat, and 0 otherwise.

Vertices of the $G$ graph represent the different IT system resources (i.e. information and service resources, network L3 devices, security devices). In order to perform the analysis more efficiently, the resources should be grouped. The following rules for grouping resources are applied: the resources are in the same location and in the same L2 network, the resources have the same security requirements, and the resources perform the same IT system tasks (e.g. services servers, remote access servers, e-commerce servers, internal application servers, monitoring and management systems, etc.).

3.2 Network Threats Model

In order to efficiently analyse the network communication control that can be exploited for conducting potential attacks, we construct the network threats model. The model is constructed under the assumption that vulnerabilities of applications and operating systems will always arise and that it is only a matter of time before they are detected and exploited for security violations. Based on this assumption we can further assume that when a specific network service is available to an intruder, then he can potentially exploit it for performing a security violation. Because of this, every network communication with IT system resources that is allowed by the firewalls can potentially be exploited for performing an attack.

The IT system network threats model can be presented as a vector

$TZ = \langle G_T, A^b \rangle$  (3)

where:
$G_T = \langle Z_T, Ł \rangle$ – a digraph describing the communication in a computer network where attacks can potentially appear (the so-called network threats graph),
$Z_T$ – the set of vertices of $G_T$, representing IT system resources,


$Ł$ – the set of edges of $G_T$, representing the communication in a computer network,
$A^b$ – a binary matrix describing the network services available in the communication,

$A^b = [a^b_{ij}]_{|U_S| \times |Ł|}$  (4)

where:
$U_S$ – the set of network services,
$a^b_{ij}$ is 1 if the $i$-th service is available in the network communication of the $j$-th edge, and 0 otherwise.

The $G_T$ graph is constructed from the $G$ graph in the following manner:
1. The vertices which do not represent information or service resources are removed from the graph. In order to make the further analysis easier, the numbering of vertices in the new graph is the same as in the network security graph.
2. The vertices of the new graph are linked by edges if the following conditions are met:
   - there is a path between the vertices in the network security graph (i.e. communication between the resources represented by these vertices is potentially possible),
   - the access control mechanisms (firewalls) allow for a specific communication in the network between the IT system resources represented by these vertices (i.e. an attack can potentially be performed using this path in the network).

Figure 1: An example of formal models construction. The figure shows the $G$ graph of the network security model with the vertices Internet (1), Perimeter firewall/IPS (2), DMZ servers (3), Internal firewall (4), DB servers (5), LAN servers (6) and LAN users (7), the two firewall rule tables below, and the $G'$ graph of the network threats model, whose edges between the resource vertices are labelled with the services the firewalls accept (e.g. SQL from DMZ servers to DB servers).

Perimeter firewall access control rules:
No  Source                  Destination         Service           Action
1   Any                     Perimeter firewall  Any               Drop
2   LAN users               Any                 HTTP, HTTPS       Accept
3   LAN users               DMZ servers         IMAP              Accept
4   Any                     DMZ servers         HTTP, SMTP, DNS   Accept
5   DMZ servers             DB servers          SQL               Accept
6   DMZ servers             Any                 SMTP, DNS         Accept
7   Any                     Any                 Any               Drop

Internal firewall access control rules:
No  Source                  Destination         Service           Action
1   Any                     Internal firewall   Any               Drop
2   DMZ servers, LAN users  DB servers          SQL               Accept
3   Any                     DB servers          Any               Drop
4   LAN users               Any                 HTTP, HTTPS       Accept
5   LAN users               DMZ servers         IMAP, DNS         Accept
6   LAN users               LAN servers         FTP, NetBIOS      Accept
7   Any                     Any                 Any               Drop
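As an added example (not code from the paper), the following Python performs the $G_T$ construction above for the Figure 1 network: for every ordered pair of resource vertices it takes the path in $G$, evaluates each firewall table on that path first-match for every service in $U_S$, and keeps the services all of them accept. The $G$ topology (Internet and DMZ servers hang off the perimeter firewall, which links to the internal firewall serving DB servers, LAN servers and LAN users) and stateless per-service rule matching are assumptions.

```python
from collections import deque

# Figure 1 network and rule tables (vertex numbers as in the paper); the code
# is an added illustration, not the paper's own. Topology is an assumption.
RESOURCES = {1: "Internet", 3: "DMZ servers", 5: "DB servers",
             6: "LAN servers", 7: "LAN users"}
FIREWALLS = {2: "Perimeter firewall", 4: "Internal firewall"}
G_EDGES = [(1, 2), (2, 3), (2, 4), (4, 5), (4, 6), (4, 7)]   # edge set L of G
SERVICES = {"HTTP", "HTTPS", "SMTP", "DNS", "IMAP", "SQL", "FTP", "NetBIOS"}  # U_S

# Rule tables as (sources, destinations, services, action); the first matching
# rule decides and "Any" matches everything (stateless, per-service matching).
RULES = {
    2: [({"Any"}, {"Perimeter firewall"}, {"Any"}, "Drop"),
        ({"LAN users"}, {"Any"}, {"HTTP", "HTTPS"}, "Accept"),
        ({"LAN users"}, {"DMZ servers"}, {"IMAP"}, "Accept"),
        ({"Any"}, {"DMZ servers"}, {"HTTP", "SMTP", "DNS"}, "Accept"),
        ({"DMZ servers"}, {"DB servers"}, {"SQL"}, "Accept"),
        ({"DMZ servers"}, {"Any"}, {"SMTP", "DNS"}, "Accept"),
        ({"Any"}, {"Any"}, {"Any"}, "Drop")],
    4: [({"Any"}, {"Internal firewall"}, {"Any"}, "Drop"),
        ({"DMZ servers", "LAN users"}, {"DB servers"}, {"SQL"}, "Accept"),
        ({"Any"}, {"DB servers"}, {"Any"}, "Drop"),
        ({"LAN users"}, {"Any"}, {"HTTP", "HTTPS"}, "Accept"),
        ({"LAN users"}, {"DMZ servers"}, {"IMAP", "DNS"}, "Accept"),
        ({"LAN users"}, {"LAN servers"}, {"FTP", "NetBIOS"}, "Accept"),
        ({"Any"}, {"Any"}, {"Any"}, "Drop")],
}

def firewall_accepts(rules, src, dst, service):
    """First-match evaluation of one firewall's table; no match means Drop."""
    for sources, dests, services, action in rules:
        if all("Any" in f or v in f for f, v in
               ((sources, src), (dests, dst), (services, service))):
            return action == "Accept"
    return False

def path_in_g(adj, start, goal):
    """BFS path in the undirected network security graph G ([] if none)."""
    prev, queue = {start: None}, deque([start])
    while queue and goal not in prev:
        u = queue.popleft()
        for w in adj[u]:
            if w not in prev:
                prev[w] = u
                queue.append(w)
    if goal not in prev:
        return []
    path = [goal]
    while prev[path[-1]] is not None:
        path.append(prev[path[-1]])
    return path[::-1]

def build_threat_graph():
    """Steps 1-2 of the G_T construction: only resource vertices remain, and
    i -> j is an edge labelled with the services that every firewall on the
    G path from i to j accepts (the edge's column of the A^b matrix (4))."""
    adj = {v: set() for v in list(RESOURCES) + list(FIREWALLS)}
    for a, b in G_EDGES:
        adj[a].add(b)
        adj[b].add(a)
    edges = {}
    for i, src in RESOURCES.items():
        for j, dst in RESOURCES.items():
            path = path_in_g(adj, i, j) if i != j else []
            tables = [RULES[v] for v in path if v in FIREWALLS]
            allowed = {s for s in SERVICES if path and
                       all(firewall_accepts(t, src, dst, s) for t in tables)}
            if allowed:
                edges[(i, j)] = allowed
    return edges
```

Note that a pair such as LAN users to DMZ servers needs both tables: HTTP passes the perimeter table by its rule 2 while DNS passes by rule 4, and the internal table admits both, so the edge carries the intersection of what each firewall accepts.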

4 ANALYSIS OF NETWORK SECURITY DESIGN

The basic security means of computer networks are firewalls (i.e. dedicated firewall devices, firewall functions in intrusion prevention system (IPS) devices and access control lists (ACL) in network routers). Using firewalls, a proper network security architecture is created. Firewall protections divide the IT system network infrastructure into security zones and control the communication between them. An example of a network and its formal models is shown in Figure 1.

The IT system's network security design analysis is performed based on risk analysis results and design rules. The fundamental principles of network security design are "Compartmentalization of Information" and "Defense-in-Depth".

From the "Compartmentalization of Information" principle result the following detailed network security design rules:
1. IT system resources of different sensitivity levels should be located in different security zones, i.e.:
   - devices and computer systems providing services for external networks (e.g. the Internet) should be located in different security zones (the so-called DMZ) than internal network devices and computer systems,
   - strategic IT system resources should be located in dedicated security zones,
   - devices and computer systems of low trust level, such as remote access (RAS) devices and wireless network (WLAN) access devices, should be located in dedicated security zones,

2. IT system resources of different types should be located in separate security zones, i.e.:
   - user workstations should be located in different security zones than servers,
   - network and security management systems should be located in dedicated security zones,
   - systems in the development stage should be located in different zones than production systems.

Using the network security model (1) it can be verified that the network security design complies with the "Compartmentalization of Information" and "Defense-in-Depth" principles.

4.1 Assessment of Security Zones Design Correctness

In a properly designed security system, which complies with the "Compartmentalization of Information" principle, information and service resources of different sensitivity levels should be located in separate security zones. Verification of the security design correctness in this respect can be quickly performed based on the analysis of the adjacency matrix of the $G$ graph from the network security model (1):

$\forall i, j \in Z : \lambda_R(i) = 1 \wedge \lambda_R(j) = 1 \quad \big[\, M^b[i,j] = 1 \Rightarrow \lambda_W(i) = \lambda_W(j) \,\big] = \mathrm{TRUE}$  (5)

where:
$M^b$ – the adjacency matrix of the $G$ graph,
$\lambda_R$ – function describing whether the IT system resource is an information or service resource,
$\lambda_W$ – function describing the IT system resource sensitivity.

The IT system resource sensitivity depends on its value for the company and its susceptibility to threats. A resource has a high sensitivity when its value and threat susceptibility are high. The $\lambda_W$ function is calculated from the $\lambda_A$ function and the $X^b$ matrix using the following formula:

$\lambda_W(i) = \lambda_A(i) + \sum_{v=1}^{|V|} X^b(i, v); \quad i \in Z$  (6)

where:
$\lambda_A$ – function describing the IT system resource value,
$V$ – the set of IT system resource threats.

The binary matrix $X^b$ describes the susceptibility of IT system resources to network threats. The matrix values are calculated based on the risk analysis results.

$X^b = [x^b_{ij}]_{|Z| \times |V|}$  (7)

where:
$x^b_{ij}$ is 1 if the susceptibility of the $i$-th resource to the $j$-th threat is relevant, and 0 otherwise.

The "Compartmentalization of Information" rule applies also to resources of different types (i.e. public servers, internal servers, RAS servers, test systems, management systems and workstations), which should be located in separate security zones:

$\forall i, j \in Z : \lambda_R(i) = 1 \wedge \lambda_R(j) = 1 \quad \big[\, M^b[i,j] = 1 \Rightarrow \lambda_T(i) = \lambda_T(j) \,\big] = \mathrm{TRUE}$  (8)

where:
$\lambda_T$ – function describing the IT system resource type.

So the assessment of the network security design correctness in respect of the security zones is performed by verifying that conditions (5) and (8) are fulfilled, using the adjacency matrix $M^b$ and the functions $\lambda_R$, $\lambda_T$ and $\lambda_W$.

4.2 Assessment of Firewall Protection Layers Tightness

Compliance with the "Defense-in-Depth" principle requires that in the network path between a threat source and a sensitive IT system resource there are at least two access control devices (i.e. two firewall devices). The security tightness analysis problem described here can be solved by finding and analyzing the shortest paths in the graph of model (1). For this, one of the well-known graph theory algorithms can be used, e.g. the Bellman-Ford or the Dijkstra algorithm. In order to do this, the $G$ graph of the network security model should be converted into the $G'$ digraph, so that all edges of $G'$ are directed. The direction of the edges is specified based on the IP settings in the computer networks of the IT system.

The network security design analysis in respect of compliance with the "Defense-in-Depth" rule for access control protections is performed in the following sequence:
1. Finding in the $G'$ graph the shortest paths between the vertices representing potential threat sources and the vertices representing sensitive IT system resources of information and service type.
2. If a path of cost lower than 3 is found in the $G'$ graph, then the "Defense-in-Depth" principle is violated in the network security design.
3. If a path of cost 0 is found in the $G'$ graph, then the sensitive resource is not protected at all by the access control protections. This means a serious design error.

The necessary condition for the compliance of network access control protections with the "Defense-in-Depth" principle can be formulated as follows:

$\forall i, j \in Z : \mu_{\min}(i,j) \in D_{av} \quad \Big[ \sum_{a=1}^{|K_{ij}|} \beta_W(a) \geq 3 \Big] = \mathrm{TRUE}$  (9)

where:
$\beta_W$ – function describing whether the network connection is protected by the access control protections (firewall),
$\mu_{\min}(i,j)$ – the shortest path between the $i$-th and the $j$-th vertices,
$K_{ij}$ – the set containing all edges of $G'$ belonging to the $\mu_{\min}(i,j)$ path,
$D_{av}$ – the set of all shortest paths in $G'$ between potential threat sources and sensitive IT system information and service resources,

$D_{av} = \{ \mu_{\min}(i,j) : \lambda_G(i) = 1 \wedge \lambda_R(j) = 1 \wedge \lambda_W(j) > 5;\ i, j \in Z \}$  (10)

$\lambda_G$ – function describing whether the resource can be a threat source.

4.3 Assessment of Intrusion Prevention Systems Tightness

The IPS protections are responsible for detecting and blocking penetrations and attacks conducted by intruders and malicious applications (e.g. Internet worms). When designing IPS protections, the threat of attacks conducted through encrypted sessions (e.g. SSL) should also be taken into account. An IPS is not able to inspect these sessions. An effective protection method is to decrypt the sessions before the IPS devices and inspect the unencrypted packets. Ensuring proper IT system safety against intrusions requires designing relevant IPS protections, i.e. in the network path between potential threat sources and sensitive IT system resources there should be security devices performing the IPS functions; furthermore, the IPS protections should operate on the network connections where the traffic is not encrypted.

The IPS protections tightness analysis problem described here can be solved by finding and analyzing the shortest paths in the graph of model (1). For this task one of the well-known graph theory algorithms can be used. Similarly to the access control protections analysis, the $G$ graph should be converted into the $G'$ digraph. The network security design analysis in respect of compliance with the "Defense-in-Depth" principle for IPS protections is performed in the following sequence:
1. Finding in the $G'$ graph the shortest paths between the vertices representing potential threat sources and the vertices representing sensitive IT system resources of information and service type for which IPS protection is required.
2. Finding a path of cost 0 in the $G'$ graph means that the security design is incorrect.

The necessary condition for ensuring IPS protections tightness can be formulated as follows:

$\forall i, j \in Z : \mu_{\min}(i,j) \in D_{ap} \quad \Big[ \sum_{a=1}^{|K_{ij}|} \beta_S(a) > 0 \Big] = \mathrm{TRUE}$  (11)

where:
$\beta_S$ – function describing whether the communication in the network connection is effectively controlled by the IPS (i.e. it is not encrypted and is controlled by the IPS),
$D_{ap}$ – the set of all shortest paths in $G'$ between potential threat sources and the sensitive resources requiring IPS protection,

$D_{ap} = \{ \mu_{\min}(i,j) : \lambda_G(i) = 1 \wedge \lambda_R(j) = 1 \wedge \lambda_I(j) = 1;\ i, j \in Z \}$  (12)

$\lambda_I$ – function describing whether the resource requires IPS protection (calculated from $X^b$ and $D^b$).

The network security design analysis can be enhanced by using the network threats model (3). For example, using the path matrix of the $G_T$ graph, the IT system resources reachable from an identified threat source can be quickly found, and the security layers tightness analysis can be performed only for them (e.g. the IPS analysis is not performed for the paths blocked by the firewalls).
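An added example (not the paper's code) that instantiates the checks of sections 4.1 and 4.2 on the Figure 1 network: $\lambda_W$ is computed by formula (6), conditions (5) and (8) are tested over the adjacency matrix, and the shortest paths over $G'$ with $\beta_W$ as edge cost are checked against condition (9) for the pairs in $D_{av}$ from (10). The $\lambda_A$, $\lambda_T$, $\lambda_G$ and $X^b$ values, the reading of $\beta_W$ as 1 on every edge incident to a firewall, and the use of every link in both directions are assumptions.

```python
import heapq
# Constructed instance of the network security model for the Figure 1 network
# (vertex numbers as in the figure); all lambda/X^b values are assumptions.
VERTICES = {1: "Internet", 2: "Perimeter firewall", 3: "DMZ servers",
            4: "Internal firewall", 5: "DB servers", 6: "LAN servers", 7: "LAN users"}
FIREWALLS = {2, 4}
LINKS = [(1, 2), (2, 3), (2, 4), (4, 5), (4, 6), (4, 7)]  # edge set L of G
LAMBDA_R = {3, 5, 6, 7}             # information/service resources (lambda_R = 1)
LAMBDA_G = {1, 7}                   # potential threat sources (lambda_G = 1)
LAMBDA_A = {3: 3, 5: 5, 6: 3, 7: 1}  # resource value lambda_A from risk analysis
LAMBDA_T = {3: "public server", 5: "internal server",
            6: "internal server", 7: "workstation"}
X_B = {3: [1, 1, 0], 5: [1, 0, 0], 6: [0, 1, 1], 7: [0, 0, 1]}  # X^b, |V| = 3

def lambda_w(i):
    """Sensitivity by formula (6): value plus the number of relevant threats."""
    return LAMBDA_A[i] + sum(X_B[i])

def adjacency(links):
    """Adjacency matrix M^b of G, stored as neighbour sets."""
    adj = {v: set() for v in VERTICES}
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    return adj

def zone_violations(links, attribute):
    """Conditions (5)/(8): directly linked resources must have equal
    attribute (lambda_W or lambda_T). Returns the offending pairs i < j."""
    adj = adjacency(links)
    return sorted((i, j) for i in LAMBDA_R for j in adj[i]
                  if j in LAMBDA_R and i < j and attribute(i) != attribute(j))

def beta_w(u, v):
    """beta_W: 1 when the connection is protected by a firewall (assumed to be
    every edge incident to a firewall vertex), otherwise 0."""
    return 1 if u in FIREWALLS or v in FIREWALLS else 0

def shortest_path(links, src, dst):
    """Dijkstra over G' with beta_W as edge cost (every link assumed usable in
    both directions). Returns (cost, vertex path) or (None, [])."""
    adj = adjacency(links)
    best, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        cost, u = heapq.heappop(heap)
        if u == dst:
            break
        for w in adj[u]:
            c = cost + beta_w(u, w)
            if c < best.get(w, float("inf")):
                best[w], prev[w] = c, u
                heapq.heappush(heap, (c, w))
    if dst not in best:
        return None, []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return best[dst], path[::-1]

def defense_in_depth_violations(links, threshold=3):
    """Condition (9) over D_av (10): threat source -> sensitive resource
    (lambda_W > 5) paths cheaper than the threshold, with firewalls crossed."""
    found = []
    for i in sorted(LAMBDA_G):
        for j in sorted(LAMBDA_R):
            if i != j and lambda_w(j) > 5:
                cost, path = shortest_path(links, i, j)
                if cost is not None and cost < threshold:
                    found.append((i, j, cost, [v for v in path if v in FIREWALLS]))
    return found
```

With these values only DB servers count as sensitive, and the check reports the LAN users to DB servers path, which crosses a single firewall (cost 2), while the Internet path crosses both (cost 3); adding a direct LAN servers to LAN users link makes condition (5) fail because their $\lambda_W$ values differ.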


4.4 Assessment of Incident Handling Readiness

The IT system's protections should be prepared for security breaches. During incident handling it is necessary to block the attack source and limit the spreading of the incident to other systems. The administrator has two basic incident handling methods at her/his disposal: disconnecting the system from the network and restoring its proper operation (e.g. from a backup copy), or restoring the system operation without disconnecting it from the network. Systems with high availability requirements (i.e. mission-critical systems) cannot be disconnected from the network until the incident is handled and its effects eliminated. In such systems the available access control and intrusion prevention means should be used in order to limit the possibilities of spreading the incident to other systems.

Formal methods can be used for quick verification of whether the network security design is correct in respect of its incident handling readiness. For example, using the graph's path matrix from model (2), all the resources reachable from a specific attack source can be found. Then, using model (1), the network protections (e.g. firewalls) located in the path between the attack source and the endangered IT system resources can quickly be identified.

5 CONCLUSIONS

The models and methods described in this paper allow for quick identification of network security design errors resulting from violation of the "Compartmentalization of Information" (i.e. correctness of network security zones) and "Defense-in-Depth" (i.e. tightness of firewall and IPS protection layers) security principles, as well as for checking whether the network protections allow for proper incident handling. The analysis of other principles (e.g. "The Principle of Least Privilege", "Defense Through Diversification") and network protections (e.g. VPN, anti-virus) can also be supported with formal methods.

The inspiration for the development of the methods was real problems experienced by the author in security audits. Formal methods can speed up and improve the accuracy of network security design analysis of complex IT systems. The mathematical description allows for simple implementation of the methods in the form of computer programs, as well as the use of available mathematical tools for the analysis.

The effectiveness of the formal analysis methods was in part practically evaluated by the author during security audits. The network security model (1) can be easily constructed and the graph's shortest paths found using available graph tools (e.g. David Symonds' GraphThing). The computer-aided analysis process is faster and more accurate than the analysis done in the conventional way (i.e. network scheme review and safeguards verification). For example, an experienced security specialist needed about 8 hours to perform the analysis of an e-banking system's protections compliance with the "Defense-in-Depth" principle. Using the formal method (9) and the GraphThing application, the same task was performed in about 20 minutes. Practical usage of all the presented methods would require the implementation of dedicated tools for this purpose.

ACKNOWLEDGEMENTS

This work is part of the author's doctoral dissertation. The author thanks Professor Ryszard Antkiewicz of the Military University of Technology in Warsaw for useful discussions and support.
