University of Notre Dame NetScale Laboratory

Lockdown: Simplifying Enterprise Network Management

Despite an ever increasing breadth of commercial and academic offerings in the field of security, adoption of robust, fine-grained solutions by the enterprise has yet to reach a significant threshold. While common lower-end techniques such as virus scanners and firewalls have seen near-ubiquitous adoption, higher-end solutions such as integrated endpoint security clients have seen only limited adoption, and their adoption rates have in fact shrunk in recent years. Given the choice between simple mechanisms that are easy to manage and expressive, effective mechanisms that bring complexity with them, network administrators are choosing ease of management, with insufficient resources as the primary driving factor.

We posit that new research is needed that places the manageability of the system at the forefront rather than treating it as an issue to be solved after the system is secure. We define the manageability of a security approach as the degree to which it streamlines the entire security process: policy distribution, policy validation, policy auditing and, most importantly, debugging when systems or security components fail. Put simply, given the inherently distributed nature of the network, security approaches that create unfriendly obstacles to debugging will always experience adoption difficulties. The goal of this research is to make significant strides in the management of the security process, focusing on the three issues of management, visualization and debugging. We focus on delivering an economy of expressiveness for enforcement mechanisms, to contain complexity, coupled with streamlined, pervasive monitoring to dramatically assist debugging.

The key outgrowths of the research will address the following areas:

  • Management as a first-order property of system design: The work will develop a suite of software tools to visualize the security network and to explore the benefits and tradeoffs of prioritizing management over coverage with regard to resource impact and risk management. Secondary aspects include experimental studies of tool efficacy and productivity improvements, drawing on expertise from our collaborators in business (D'Arcy), psychology (Crowell) and the Office of Information Technology information security effort (Chapple).
  • Novel data mining / visualization: While visualization and exploration are the first steps, we intend to explore how to automate or guide the extraction of meaningful relationships, drawing specifically upon the rich body of work in social network analysis to assess the health of the network. Preliminary aspects include building modules into our visualization tool, coupled with distributed execution of various machine learning algorithms on the grid (Chawla).
  • Creation of a streamlined framework for security management: Finally, the work will offer commentary on balancing expressiveness against complexity in order to demonstrate minimal but effective security mechanisms. More importantly, the work will examine the information gain from monitoring various properties, not only with respect to security but also with respect to management and debugging (i.e. how much does monitoring characteristic X improve decision making versus characteristic Y).

The software toolkit is currently in development but is available for download below. We are currently reworking the back-end storage and envision a mid-September release for the first official version of the software suite.

Visualization of Network Security Properties pdf

Large Scale User View

Complex systems are hard to understand and visualize, either because the specific data is not available or because the data cannot be correlated and presented in a meaningful and understandable way. Current logging schemes such as NetFlow report activity in terms of addresses and ports but cannot tell which users and applications on the managed network are responsible for it. The identity behind a traffic flow matters: since users and applications are the essential components of the network, identity should be associated with the users and applications in addition to the hosts.

At the same time, the administrator faces an overwhelming amount of data. Managing a large-scale enterprise network is a tedious and cumbersome task. Each host generates several hundred to several thousand network connections a day, and tracking down precisely who and what is responsible for each of them is non-trivial. Requiring administrators to sift through endless gigabytes of connection logs, or to use a tool that offers no clear advantage beyond data organization, is not a valid solution. Administrators need a tool that lets them sift through massive amounts of traffic logs in a visually appealing and interactive manner that encourages data exploration rather than hindering it. Additionally, the why of a connection, i.e. the user and application behind the network activity, needs to be known, rather than simply where it came from and where it went.

Common solutions to this problem have tied network flow data to authentication systems such as Active Directory and Kerberos. Critically, the existing logging systems are not geared toward real-world system administration. Network flow data only details the where of a connection; an Active Directory or Kerberos tie-in can add the who, but still not the what, i.e. the application that opened the connection. The few visualization and data exploration tools that exist rely primarily on chaining together network connections based on flow data. However, multi-hop connections are typically obscured by the nature of network flows, and the level of detail supplied is traditionally limited to the IP addresses and port numbers involved.

What is needed instead is a method to interactively explore the inter-relationships in the data so as to gain insight into what is actually occurring, rather than inferring it because log details are lacking or because there is no time to trace back and locate the necessary information. For example, if an account on the network is compromised, it needs to be known which hosts that account attempted to log into, which applications and programs it attempted to run, and which files it may have modified or touched. Knowing who (users) or what (applications) sits at both ends of a connection, rather than inferring it from IP addresses and ports, is of particular interest in policy compliance auditing. Presenting all of this information in a single visual that is appealing and manageable for an administrator would be a tremendous asset for network administration.
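As an added worked example (not code from the Lockdown project), the following Python sketch shows the correlation the paragraphs above call for. NetFlow-style records carry only addresses and ports; host-side socket records, as a host agent would collect them, carry the owning user and application; a time-bounded join on (host, port) then labels both ends of each flow. With the labels in place, the compromised-account question is answered by following connections made under that account from host to host, which IP-only chaining cannot do reliably. The record layouts, field names and all sample data are constructed for this illustration and are not the project's schema.

```python
"""Added example: enrich NetFlow-style records with host-side local context.

Not Lockdown's own code. Record layouts, field names and sample data are
constructed for illustration and are not the project's schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """NetFlow-like record: only the *where* of a connection."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    start: int  # seconds since epoch (constructed)


@dataclass(frozen=True)
class Socket:
    """Host-agent record: which user and application owned a local port, and
    during which interval. Ports are reused over time, so the interval matters."""
    host_ip: str
    port: int
    user: str
    app: str
    opened: int
    closed: int


@dataclass(frozen=True)
class EnrichedFlow:
    """A flow with the *who* and *what* on both ends (None = no agent data)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    src_user: Optional[str]
    src_app: Optional[str]
    dst_user: Optional[str]
    dst_app: Optional[str]


def _owner_index(sockets: Sequence[Socket]) -> Dict[Tuple[str, int], List[Socket]]:
    idx: Dict[Tuple[str, int], List[Socket]] = defaultdict(list)
    for s in sockets:
        idx[(s.host_ip, s.port)].append(s)
    return idx


def _owner(idx, ip: str, port: int, at: int) -> Tuple[Optional[str], Optional[str]]:
    """Time-bounded lookup: the socket that was open on (ip, port) at time `at`."""
    for s in idx.get((ip, port), ()):
        if s.opened <= at <= s.closed:
            return s.user, s.app
    return None, None  # no agent on that host, or no record covering that time


def enrich(flows: Sequence[Flow], sockets: Sequence[Socket]) -> List[EnrichedFlow]:
    """Label each flow's source and destination with user and application."""
    idx = _owner_index(sockets)
    out = []
    for f in flows:
        su, sa = _owner(idx, f.src_ip, f.src_port, f.start)
        du, da = _owner(idx, f.dst_ip, f.dst_port, f.start)
        out.append(EnrichedFlow(f.src_ip, f.dst_ip, f.dst_port, su, sa, du, da))
    return out


def account_trail(enriched: Sequence[EnrichedFlow], user: str, start_host: str,
                  max_hops: int = 5) -> Dict[str, int]:
    """Hosts reached by `user` starting at `start_host`, following only connections
    the same account originated from hosts already reached. Returns {host: hops}."""
    dist = {start_host: 0}
    frontier = {start_host}
    for hop in range(1, max_hops + 1):
        nxt = {e.dst_ip for e in enriched
               if e.src_user == user and e.src_ip in frontier and e.dst_ip not in dist}
        if not nxt:
            break
        for h in nxt:
            dist[h] = hop
        frontier = nxt
    return dist


def apps_used_by(enriched: Sequence[EnrichedFlow], user: str) -> Set[Tuple[str, str]]:
    """(host, application) pairs in which the account appears on either end."""
    pairs = set()
    for e in enriched:
        if e.src_user == user and e.src_app:
            pairs.add((e.src_ip, e.src_app))
        if e.dst_user == user and e.dst_app:
            pairs.add((e.dst_ip, e.dst_app))
    return pairs


def unattributed(enriched: Sequence[EnrichedFlow]) -> List[EnrichedFlow]:
    """Flows with an end that has no local context: the gap a NetFlow-only view
    leaves everywhere, and the coverage an agent deployment has to close."""
    return [e for e in enriched if e.src_user is None or e.dst_user is None]


# Constructed sample data: 10.0.0.0/24 hosts run the agent, 198.51.100.10 does not.
SOCKETS = [
    Socket("10.0.0.5", 54321, "alice", "ssh", 90, 150),
    Socket("10.0.0.7", 22, "alice", "sshd", 95, 400),       # accepted session, recorded as alice
    Socket("10.0.0.7", 40000, "alice", "scp", 190, 260),
    Socket("10.0.0.9", 22, "alice", "sshd", 195, 400),
    Socket("10.0.0.5", 54321, "bob", "firefox", 290, 320),  # same port, reused later by bob
    Socket("10.0.0.20", 443, "www-data", "nginx", 0, 10_000),
    Socket("10.0.0.5", 54322, "bob", "curl", 340, 360),
]
FLOWS = [
    Flow("10.0.0.5", 54321, "10.0.0.7", 22, 100),
    Flow("10.0.0.7", 40000, "10.0.0.9", 22, 200),
    Flow("10.0.0.5", 54321, "10.0.0.20", 443, 300),
    Flow("10.0.0.5", 54322, "198.51.100.10", 80, 350),
]

if __name__ == "__main__":
    labelled = enrich(FLOWS, SOCKETS)
    for e in labelled:
        print(e)
    print("alice's trail from 10.0.0.5:", account_trail(labelled, "alice", "10.0.0.5"))
    print("alice's applications:", sorted(apps_used_by(labelled, "alice")))
    print("flows missing context:", len(unattributed(labelled)))
```

The time bound in `_owner` is the part that is easy to get wrong: the third flow reuses source port 54321 on the same host, and without the interval check it would be attributed to alice's earlier ssh session instead of bob's browser. The last flow shows the other failure mode, an endpoint with no agent coverage, which the join reports as unknown rather than guessing.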

Screenshots

  • Large Scale User View
  • App Usage
  • Application Policy
  • Single User Exploration
  • Meta Graph Visualization Control

Enforcement with Local Context

The administrator of an enterprise network is responsible for enforcing the policies of the network. Yet most security mechanisms do not map well to the intended policies. This is due to the prevalence of simplistic tools that offer poor enforcement but are easy to manage. Advanced commercial solutions with stronger enforcement do exist, but they are significantly harder to manage. To that end, we propose Lockdown, a policy-oriented security approach that builds on the concept of local context to deliver a lighter-weight approach to enterprise network security, striking a balance between the level of enforcement and the level of management available to the network administrator.

We posit that the perspective from which enforcement and monitoring occur needs to be shifted so that the local context, i.e. the why of a connection rather than the where, forms the foundation of the security approach. By infusing enforcement with local context, high-level policy can be followed more stringently, as is seen in the Flash animation.
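As an added example (not the project's code), the following Python sketch contrasts the two kinds of rule the paragraph above distinguishes. The same four connections are judged once by an address/port policy and once by a policy that also names the user and application that opened the connection. The rule shape, the `Conn` record and the sample connections are constructed for this illustration; the audit returns the name of the matching rule so that a denied connection can be explained, not just blocked.

```python
"""Added example: the same traffic judged by an address/port policy and by a
local-context policy. Not Lockdown's own code; rule shape, record layout and
sample connections are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Conn:
    """A connection already labelled with host-side context on its source."""
    src_ip: str
    dst_ip: str
    dst_port: int
    user: str  # account that opened the connection (the *who*)
    app: str   # program that opened it (the *what*)


@dataclass(frozen=True)
class Rule:
    """Allow rule; a None field means 'any'. An address/port rule is just a Rule
    whose user and app are None, which is why it cannot express intent such as
    'only the backup job may talk to the database'."""
    name: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    user: Optional[str] = None
    app: Optional[str] = None

    def matches(self, c: Conn) -> bool:
        checks = ((self.src_ip, c.src_ip), (self.dst_ip, c.dst_ip),
                  (self.dst_port, c.dst_port), (self.user, c.user), (self.app, c.app))
        return all(want is None or want == got for want, got in checks)


def decide(c: Conn, rules: Sequence[Rule]) -> Optional[Rule]:
    """First matching allow rule, or None for default deny. Returning the rule
    rather than a bare bool is what makes a verdict debuggable."""
    for r in rules:
        if r.matches(c):
            return r
    return None


def violations(conns: Sequence[Conn], rules: Sequence[Rule]) -> List[Conn]:
    """Connections no rule allows under the given policy."""
    return [c for c in conns if decide(c, rules) is None]


def audit(conns: Sequence[Conn], rules: Sequence[Rule]) -> List[Tuple[Conn, str]]:
    """(connection, verdict) pairs for a report; the verdict names the rule."""
    report = []
    for c in conns:
        r = decide(c, rules)
        report.append((c, r.name if r else "DENY: no matching rule"))
    return report


# Constructed scenario. The intended high-level policy is: only the backup
# service account, running pg_dump on the app server, may reach the database
# port; users reach the app server only with an ssh client.
DB, APP, WS = "10.0.0.30", "10.0.0.7", "10.0.0.5"

ADDRESS_POLICY = [                       # what a firewall-style rule set can say
    Rule("app->db", src_ip=APP, dst_ip=DB, dst_port=5432),
    Rule("ssh-to-app", dst_ip=APP, dst_port=22),
]
LOCAL_CONTEXT_POLICY = [                 # the same intent, with the who and the what
    Rule("backup->db", src_ip=APP, dst_ip=DB, dst_port=5432, user="backup", app="pg_dump"),
    Rule("ssh-to-app", dst_ip=APP, dst_port=22, app="ssh"),
]

CONNS = [
    Conn(APP, DB, 5432, "backup", "pg_dump"),  # the intended traffic
    Conn(APP, DB, 5432, "alice", "python3"),   # ad-hoc script on the same host: identical on the wire
    Conn(WS, APP, 22, "alice", "ssh"),
    Conn(WS, APP, 22, "alice", "nc"),          # netcat poking at port 22, also identical on the wire
]

if __name__ == "__main__":
    for label, policy in (("address/port", ADDRESS_POLICY), ("local context", LOCAL_CONTEXT_POLICY)):
        print(f"--- {label} policy ---")
        for c, verdict in audit(CONNS, policy):
            print(f"{c.src_ip}:{c.user}/{c.app} -> {c.dst_ip}:{c.dst_port}  {verdict}")
```

Both policies encode the same written intent, but the address/port version accepts all four connections because the two pairs are indistinguishable by address and port alone; only the local-context version denies the ad-hoc database script and the netcat probe, and its audit output says which rule did (or did not) fire.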

News

Jul 2008 Position Paper: A presentation on Lockdown will be given by Andrew Blaich at the Workshop on Usable IT Security Management, a workshop at SOUPS (Symposium on Usable Privacy and Security).
Dec 2007 Equipment Grant: Professors Striegel and Thain have received a Sun Academic Excellence Grant (AEG) entitled "Unified SGD Support for Enterprise Network Management" for approximately $41k worth of equipment and software licenses. The equipment will be used to create a high-end database node / SunRay server for managing the Lockdown project, which is focused on practical enterprise network security management, as well as a new SunRay thin client pool. The new server offers exciting opportunities for the development of Lockdown, both in application development from a Sun Global Desktop (SunRay thin client) perspective and in trust dependency analysis of the SunRay itself from a management perspective. The equipment will enable the development of SGD-friendly tools for visualization of the Lockdown data (Java-based), optimizations focused on the CoolThreads architecture (database), and direct support for SunRay security analyses within Lockdown itself.

Visible Output:

  • Paper: Q. Liao, A. Blaich, A. Striegel, "ENAVis: Enterprise Network Activities Visualization," to appear at LISA (Large Installation System Administration) Conference, San Diego, CA, Nov. 2008.
  • Lockdown: Tech Report TR-2007-05*
  • Thesis: Q. Liao, "Improving Network Insight Through Local Context Gathering and Analysis," Master's Thesis, University of Notre Dame. Adviser: Dr. Aaron Striegel; Committee: Dr. Douglas Thain, Dr. Nitesh Chawla.
  • Poster: Andrew Blaich, Qi Liao, Brian Sullivan, Greg Allan, Aaron Striegel, Douglas Thain, "Lockdown: Distributed Policy Analysis and Enforcement within the Enterprise Network," poster at USENIX Security, August 2007. Writeup pdf
  • Slides for CSE-SRS-2007 Poster Symposium.
  • LockdownSourceCode

People Involved

Faculty:

Students:

Previous Students:

  • Tim Wright: graduate student - initial data gathering concept for risk management
  • Brian Sullivan: undergraduate student - PHP / web browsing of database
  • Greg Allan: undergraduate student - REU exploration of the usage of SONia for visualization
  • Ben Roesch: undergraduate student - Windows agent development

Related Work / Efforts

  Attachment | Size | Date | Who | Comment
  all_usr33_hop1.png | 288.0 K | 11 Jun 2008 19:16 | AaronStriegel | User 33 connectivity view
  case-app-policy.png | 177.2 K | 11 Jun 2008 19:19 | AaronStriegel | Example - app vs. policy
  case_clapton_app.png | 599.6 K | 11 Jun 2008 19:19 | AaronStriegel | Example - clapton app usage
  meta_graph.png | 52.4 K | 11 Jun 2008 19:16 | AaronStriegel | HUA metagraph control
  usr-largeview.png | 1821.4 K | 11 Jun 2008 19:17 | AaronStriegel | All user view graph
r34 - 23 Jul 2008 - 19:09:44 - AaronStriegel