版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领
文档简介
DesignandImplementationofHighlySurvivableNetworkSystem
高存活網路之設計與實現
Wai-TakWong,Ph.D.(王偉德)Email:wtwong@.twTel:03-518-60501/13/20231SurvivabilityTheabilityofasystemtofulfillitsmission,inatimelymanner,inthepresenceofattacks,failures,oraccidents.
SecuritySecurityisNotEnoughTheNetworkEnvironment
Cyberspace-InternetBorderless,Dynamic,Anonymous,Accessible
CriticalInfrastructuresDistributedandComplex,Interdependent,International,DataRichEnvironment,VulnerableAttacksCyberAttackPhysicalAttackCyberAttackCybercrime
Thedeliberatemisuseofdigitaldataorinformationflows.CyberterrorThedeliberateofdestruction,disruptionordistortionofdigitaldataorinformationflowswithwidespreadeffectforpolitical,religiousorideologicalreasons.TheResultsFromCyberAttackIndividualsmaylosetheirsocialidentityArmiesmayceasetomarchStockmaylosehundredspointsBusinessesmaybebankruptedThreatsnotfromnoviceteenagers,butpurposefulmilitary,political,andcriminalorganizationsTheImpact–RealandPotential
LossofCriticalServices
LossofPublicConfidenceDirectimpactonabilitytogovern
CostsofReactiontoThreatDeterminingvulnerabilitiesAssessingmostlikelythreatAdapting/ChangingpoliciesModifyingnetworkarchitecturesandconfigurationsFinding/acquiringthenecessaryexpertiseImpactsPoliticalTechnicalEconomicSocialImpactsareSocial,Economic,PoliticalaswellasTechnicalWhoShouldConcern?TelecommunicationsFinancialServiceEnergyEmergencyServicesGovernmentServicesTransportationInformationSophisticationofCybercrimeSimpleUnstructuredIndividualsorgroupsworkingwithlittlestructure,forethoughtorpreparationAdvancedStructuredGroupsworkingwithsomestructure,butlittleforethoughtorpreparationComplexCoordinatedGroupsworkingwithadvancepreparationwithspecifictargetsandobjectivesAttackSophisticationvs.
IntruderTechnicalKnowledgeHighLow19801985199019952000passwordguessingself-replicatingcodepasswordcrackingexploitingknownvulnerabilitiesdisablingauditsbackdoorshijackingsessionssweeperssnifferspacketspoofingGUIautomatedprobes/scansdenialofservicewwwattacksToolsAttackersIntruderKnowledgeAttackSophistication“stealth”/advancedscanningtechniquesburglariesnetworkmgmt.diagnosticsdistributedattacktoolsCrosssitescriptingDefenseinDepthSophisticatedCyberAttackOut-of-the-boxLinuxPChookedtoInternet
[30seconds]Firstserviceprobes/scansdetected[1hour]Firstcompromiseattemptsdetected[12hours]PCfullycompromised:
AdministrativeaccessobtainedEventloggingselectivelydisabledSystemsoftwaremodifiedtosuitintruderAttacksoftwareinstalledPCactivelyprobingfornewhoststointrudeTheTacticsusedforAttacksProbingFindtheunlockeddoororopenwindowPing–scanIPaddressWardialer–dialamodemWardriving–scanwirelessnetworkTheTacticsusedforAttacksViruses&WormsViruses–capturecontrolofanexistingprogramtoexecutetheircommandsWorms–executetheircommandsindependentlyCanbringdownanetwork,corruptfiles,copyandstorecriticalinformationforlaterretrieval,…TheTacticsusedforAttacksTrojanHorsesTheyarebroughtintoasystemviaanotherprogram.Theynestlethemselvesin,unnoticed,typicallyawaitingapreprogrammedtimeorasignaltobeactivated.Theyareofteninsertedaspartoftheprobingprocess.Createbackdoors,plantbombs,collectinginformation,deletingcriticalfiles,dial900number,weakenencryptionpackagesTheTacticsusedforAttacksDenialofServices/DistributedDosAfloodattackgenerallyfallintooneofthreecategories:TCPfloods(SYN,ACK,RSTmessage)UDPfloodsPingfloods(ICMPECHO_REQUESTandECHOREPLYmessage)Aseriesofhundreds/thousandsofpacketstoconsumethetarget’sprocessingpowerTrojanshavebecomeatoolusedinDos/DDosTypicalIntruderAttackDistributedCoordinatedAttackDistributedCoordinatedAttackTopGeneralVulnerabilitiesItmakesnodifferencewhatOSyourun;youarevulnerabletothesesevengeneralvulnerabilitiesDefaultinstallationsIncludeextraneousservicestomanyusersAccountswithweak/nopasswordThecommonaccountpasswordinNorthAmericais“password”Don’tusethedefaultpasswordonanadmin/rootlevelaccountTopGeneralVulnerabilitiesNonexistentorincompletebackupsMakebackupsandknowhowtorestorefromthemThebackupsshouldbeoff-siteLargenumberofopenportsRealizethenumberofopenportsinyoursystemandcloseasmanyaspossible.Notfilteringforcorrectingress/egressaddressesIngresstrafficshouldn’thaveanyIPofyournetworkEgresstrafficshouldn’thaveanyIPotherthanyournetworkCommonAbusedPortsTopGeneralVulnerabilitiesNonexistentorincompleteloggingLogswillhelpyoudetecttheattackinthefirstplacebyprovidinginformationaboutthenormalactivityonthenetwork.LogsareafrequenthackertargetVulnerableCGIprogramsCGIprogramsmustbeabletoactontheserver,theyoftencarryextensiveprivileges,makingthemanattractivetargetTopWindowVulnerabilitiesUnicodevulnernabilityDirectorytraversalattacktoanIISserverInternetServicesApplicationProgrammingInterface(ISAPI)extensionbufferoverflowsWhentheinputbufferisoverflowedforthescriptswritteninISAPIrunningintheIISserver,theresultisoftenacompletecompromiseIISRemoteDataService(RDS)RDSisameansofmanaginganIISserverremotely;itcanbeattackedandcompromisedTopWindowVulnerabilitiesNetbios–unprotectedwindownetworkingsharesDirectorytraversalattacktoanIISserverInformationleakagevianullsessionconnectionsWhenWindowNTandWindows2000computersneedinformationfromeachother,theyopenanullsessionbetweenthem.Attackershijackthisfunctiontopenetrateahostandgainprivilegedaccesstoit.TopWindowVulnerabilitiesLMHashNTandWin2000havemaintainedacertainlevelofbackwardcompatibilitywithit.OneofthemisthatitstorestheLANManager(anoutdatedLANsoftware)hashedpasswordsontheNTorWin2000server.ThesepasswordscanbebrokenfairlyeasilybecausetheLMhashingisveryweak.TopUNIXVulnerabilitiesBufferoverflowsinRPCservicesMultipleDDosattackshaveusedRPCtocreatetheirzombies.Youshouldapplythemostcurrentpatchesforthem.SendmailvulnerabilitiesSendmailhasmanyandvariousflaws.Sendmailmusthavethemostcurrentversionpossibleandbefullypatched.Thedaemonmodeversionshouldbeturnedoffunlessactuallyneeded(relayserverorsendmailserver)TopUNIXVulnerabilitiesBINDWeaknessBerkeleyInternetNameDomainisaDNSpackagethatisverywidelydeployed.ItisknowntohavemultipleweaknessDefaultinstallationsofUNIXpackagesoftenincludetheBINDdaemon;disableitunlessthisisactuallyanameserverrCommandrlogin,rsh,…allowasingleadministratortomanagemultiplehostsatdifferentphysicallocations.Ifanattackergainsaccess,oneoftheearlystepstheywilltakeistoenablercommandsTopUNIXVulnerabilitiesLPDTheLinePrinterDaemonissubjecttobufferoverflow.Ifitishandedtoomanyprintjobsintoolittletime,itwilleithercrashorrunarbitrarycodewithelevatedprivileges.Disableitifitdoesnotneedtobeaprintserver.TopUNIXVulnerabilitiessadmindandmountdsadmindisasystemadmindaemonthatprovideremoteadministrationofSolarishostsviaaGUI.mountdisthefile-mountingdaemon.Bufferoverflowscanresultinattackersgainingaccesswithrootprivileges.TheyshouldnotberunningonhostsaccessiblefromtheInternet.TopUNIXVulnerabilitiesDefaultSNMPstringSimpleNetworkManagementProtocol(SNMP)revealsagreatdealofinformationofwhatgoesoninthenetwork.Itcanmanagedevicesonthenetworktoo.Theonlymeansofauthenticationisanunencryptedcommunitystringanditisinsecure.FilterSNMPatyouringressrouters.MakeyourManagementInformationBasePackets(MIBs)readonly.PhysicalAttackNaturaldisasterUnnaturaldisaster(intentional)Unnaturaldisaster(un-intentional)NaturalDisasterDisasterwithadequatewarningMajorweathereventssuchashurricanes,typhoons,andcyclones,alongwithmajorwinterstormsIfyourpropertiesareinthisarea,youshouldhaveaplanthatencompasshowtoensureyournetworkkeepsfunctioningintheseevents.BasementfloodingLargequantitiesofwind-blownraintoenterwhenwindowsbrokenNaturalDisasterDisasterwithmodestwarningMan-madefloodingintobuildingDebrisflowsLandslidesFiresNaturalDisasterDisasterWithNoRealWarningEarthquakesVolcaniceruptionsUnnaturaldisaster(Intentional)Terroristshaveaveryhighsuccessrateinmeetingtheirimmediategoals,butaterribleoneinachievinganyformoflong-termsuccessPhysicalattackandCyberattackUnnaturaldisaster(Intentional)PhysicalattackBombPhysicaldestructiontobuildingsandtheircontentsElectromagneticPulsebomb(EMB)Asurgeofelectromagneticforcethattransfersomeofitsenergytoanyelectricitycarryingmediumitpassesthrough.Ifthepulseislarge,thecircuitrycanbemelted.Ifnot,itflowsdownthecircuitunititmeetsaninterfaceincapableofcarryingtheload,atwhichpointdamageoccurs.Unnaturaldisaster(Intentional)Chemical,biological,and/orradiologicalattack(CBR)Toxic,Contamination,sowconfusionanddoubtUnnaturaldisaster(Intentional)CyberattackobjectivesCyber-kidnappingTheremovaloffilesandbackup,suchascriticalinformationonaresearchprojectornewproductStealingthesourcecodesExtortionThreateningtodamageyoursystem,toremovethosecriticalfiles,toselltheinformationtoyourcompetitorsorexposethedataunlessyoupayUnnaturaldisaster(Intentional)CombinedAttacksImagineaphysicalattackinamajorpopulationcenterandaddacyber-attackthatclogstheInternetduetoawormorDDosattackUnnaturalDisaster(Unintentional)Serviceoutages(temporaryterminated)Accidents:Fiberspur(branch)linecutbyboring(drilling)equipment,…PoordesignPoorinfrastructureMisconfiguringroutingequipmentSoftwarecausedproblemsTheUnsinkableShipSankSurvivabilityModernsocietyisirreversiblydependentonlarge-scalecriticalinfrastructuresystemstosustainqualityoflife,economicgrowth,andnationalsecurity.Asaresult,societyfacesuncountable,butgenerallyacknowledgedassubstantial,risksofsystemfailureorcompromisewithpotentiallyseriousconsequences.SurvivabilitySurvivabilityfocusisonthesystemmissionAssumeimperfectdefensesandcomponentfailureAnalyzemissionrisksandtradeoffsIdentifydecisionpointswithsurvivabilityimpactProviderecommendationswithbusinessjustificationSurvivabilityDefinedSurvivabilityAsanemergingdiscipline,survivabilitybuildsonrelatedfieldsofstudy(e.g.,security,faulttolerance,safety,reliability,reuse,performance,verification,andtesting)andintroducesnewconceptsandprinciples.Survivabilityfocusesonpreservingessentialservices,evenwhensystemsarepenetratedandcompromisedSurvivabilitySurvivabilitydesignappliesresistance,recognition,andrecoverystrategiestomaintainessential-serviceworkflowswherepossibledespitecompromisedcomponents.The“ThreeRs”ofSurvivabilitySurvivabilityAsurvivablesystemisonethatsatisfiesitssurvivabilityspecificationofessentialservicesandadverseenvironments.Onthesystemside,survivabilityspecificationscanbedefinedbyessential-servicetracesthatmapessential-serviceworkflows,derivedfromuserrequirements,intosystemcomponentdependenciesandrequiredsurvivabilityattributes.SurvivabilityOntheenvironmentside,survivabilityspecificationscanbedefinedbyintrusiontracesthatmapintruderworkflows,derivedfromattackpatterns,intocompromisablesystemcomponents.Bothessential-serviceandintruderworkflowscaninducethedefinitionofevaluationmodelsforsurvivabilitytesting.SurvivableNetworkAnalysisSNAMethodSentinelSurvivabilityMapSentinelSurvivabilityMapSurvivabilityRequirementsImpactSurvivabilityImpact-1SurvivabilityImpact-2NewApproachToSurvivabilityFigure1depictsthedual-thread,three-stageapproachtosurvivabilityresearchanddevelopment.Thesurvivabilityisaddressedfromboththesystemside,intermsofspecificationanddesignforessential-servicepreservation,andfromtheenvironmentside,intermsofintrusionspecificationandanalysis.NewApproachToSurvivabilityNewApproachToSurvivabilityFigure2depictstherelationshipofsurvivabilityactivitiesandworkproductstotheoveralldevelopmentlifecycle.Servicetraces,intrusiontraces,andevaluationmodelsareembeddedwithinandsupportthelargeractivitiesofsystemspecification,design,andtesting.Survivabilityrequirementsandattackpatternsdrivethedefinitionofessential-serviceandintruderworkflows,respectively.NewApproachToSurvivabilityTheseworkflowsare,inturn,expandedintoarchitecturetraces,whichdrivetheselectionandintegrationofsurvivabilitystrategiesindesignandcontributetothedefinitionofthetestingenvironment.NewApproachToSurvivabilityTheOperationalContinuityPlanRedundancyisexpensiveNotbeingredundantisevenmoreexpensiveDesignYourWayOutofTroubleSinglepointfailureHighercostformoreconnectionAvoidsinglepointfailureCanreacheachrouterfromthecenterrouterDesignYourWayOutofTroubleTreestructureDesignYourWayOutofTroubleTreestructurewithmultipleconnectionsDefenseInDepthThefirstlineofdefenseareyourknowledgeableISstaffandemployeeTheexternalrouters(withfilter:accesslists)areyoursecondlineofdefenseFirewallsaremorelikelythethirdDesignYourWayOutofTroubleMorepracticaltopologyPublicAreaSecondlinedefenseThirdlinedefenseThePriceofDefensePerformance(suffering)orThecostofPerformance(Networkequipments)TheOperationalContinuityPlanToprepareforoperationalcontinuity,youmustanswersomequestionsWhatNetwork’scapabilitiesarecritical?Whatfacilitiesprovidethosecapability?Willtheentirecapabilitiesneedtobereplaced?Canotherexistingfacilitiesprovidethosefunctionsnow?Doeseveryoneknowwhowillgetwhat?Doestheredundantlocationhavetheinformationneededtofunction?TheOperationalContinuityPlanDoeseveryoneknowhowtoactivatetheredundancy?Hastheprocedureeverbeentested?Wasitretestedtocheckthefixes?Isthereacriticalpersonhere?Whatistheprobablecostifyounotprovideredundancy(nomoreservices)?Howlongcanyouoperateinthismode?WhomustbenotifiedinternallyandexternallyOnSeptember11SuccessStoryAfterSeptember11LehmanBrothersAmajorfinancialservicesfirm.Itsheadquarterswerein1,2,and3WorldFinancialCenterandinTowerOne.Duringthechaos,theCTOtriggeredLehman’sdisasterrecoveryplanandalertedtheCIO,whowasworkingfromLondononSeptember11.Lehmanlostatotalof5,000desktops,itsentireNewYorkdatacenter,andalltheassociatednetworkingequipment.SuccessStoryAfterSeptember11However,thecompanylostnoinformationLehman’sdisasterplanallowedforthecompletelossofeitherofthetwodatacenters.ThedisasterrecoveryplanensuredcompleteredundancyassuredLehman’scontinuity..SuccessStoryAfterSeptember11ThebackupfacilityisinNewJersey.AfiberlinkconnectedToweronewiththeofficesintheWFCandcontinuedtothebackupsite.Thewide-arealinkswereredundant,andthebackupsitehadadatacenteridenticaltotheoneinTowerOne.Allbranchofficesconnectedtobothdatacenters,andthecentersreplicatedtoeachotherautomatically.PreparingforDisasterThedefinitionofsurvivaldependsonthebusiness’sneeds.Oncethebusiness’sneedsareunderstood,youcantaketheprocesstothenextstepanddefinewhatyournetworkmustbeabletodotosupportthebusiness’ssurvivalIfthebusinessdoesnotcontinue,keepingthenetworkgoingisnotimportant.However,alackofcontinuityensurestheabsenceinbusiness.PreparingforDisasterSurvivalRequirementofNetworkContinuityWhatthebusinessrequirestocontinueinoperationWhatitmustdeliverTowhomWhatdegreeofreponsivenessWhenthosecapabilitiesmustbepresentHowtoprovideitPreparingforDisasterExampleSTLNetworkServicesInc.AnetworkserviceproviderProvideacompleteexternalconnectivitytoitsbusinesscustomersServesasanISP,providingWANconnectivitybetweencustomersites,managedextranetsamongitscustomers,VPNs.STLwantstooffernetworkcontinuity,evenintheeventofadisaster,asapremiumservice.SurvivableNetworkAnalysisDefinethemissionoftheSTLnetworkintermsofhigh-levelessentialservicesProvidenetworkcontinuitywithintheSTLmanagementnetworkProvidethefollowingservicestoSTLcustomers:ISPservicesVPNservicesWANservicesSurvivableNetworkAnalysisProvidetheseinternalandcustomerservicesonanuninterruptedbasiswithintheSTLnetworkProvideuninterruptedaccesstoexternalnetworkswhenthetraffic’sdestinationliesbeyondSTL’sdirectconnectivitySurvivableNetworkAnalysisSurvivableNetworkAnalysisDecomposethehigh-levelservicesintotheirconstituentservicesuntiltheleveloffundamentalprocessesonthenetworkelements.Eachfundamentalprocesseswillhavemission-criticalattributes(quantitativeandqualitative)relatedtosecurity,safety,reliability,performance,and/orusability.SurvivableNetworkAnalysisSurvivableNetworkAnalysisSTLisprovidingfourhigh-levelservices:ContinuityofitsnetworkmanagementabilityISPservicesVPNservicesWANservicesSurvivableNetworkAnalysisContinuityofitsnetworkmanagementabilityAseparatenetworksubsystemsmustbeused;atleastaprioritizationsystemmaybeusedISPservicesThesubordinateservicesincludeInternetconnectivity,DHCPaddressassignmentforbusinessesthatdonotwanttoadministeritthemselves,DNS,andWebhostingservicesSTLprovideseachoftheISPservicesitsownattributesSurvivableNetworkAnalysisVPNservicesTheessentialservicesaretunnelingandencryptionsupportAttributesinbothcasesemphasizethesecurityofthecustomer’straffic,thereliabilityofthenetworkservice,andtheperformance–securitymustnotseriouslydelaythroughputSurvivableNetworkAnalysisWANservicesProvideaseriesofpoint-to-pointlinksbetweenofficesofcustomers,betweenthemandparentorganizations,andbetweencustomer’sofficesandtheirextranetpartners.Nosubordinatesservices;essentialattributesfocusonreliabilityandperformanceReturningfromtheWildernessCyber-RecoveryTwoeffortsmustproceedsimultaneouslyOperationalProceduresForensicProceduresReturningfromtheWildernessOperationalProceduresPrimarytasksaretodetermineWherethesystemsarecompromisedThenatureofthecompromiseUndothedamageReturningfromtheWildernessSecondtasksDeterminetheextenttowhichwormhasalreadyreachedsothatthelogicalareacanbecontainedincyber-quarantine.EnsurethathostsinthepathofinfectionarevaccinatedAnti-virussoftwarehasthelatestupdatesOSandapplicationsoftwarehavethelatestpatchesUnnecessaryserviceshavebeenremovedReturningfromtheWildernessForensicProceduresMaytakealegalactionCollectthecyberattackinformationandprovehowyoucollecteditislegallyimportant.Nottodisclosetomanypeoplealloftheinformationyoucollect.YouwillneedtheanswerstothefollowingquestionsHowyouwerepenetratedWhenyouwerepenetratedReturningfromtheW
温馨提示
- 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
- 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
- 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
- 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
- 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
- 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
- 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。
最新文档
- (新版)中职创新创效创业竞赛考试题库500题(含答案)
- 助力员工成长的计划与目标
- 水务行业的科技创新研究计划
- 学期目标与职责分工明确计划
- 数字化时代品牌营销的未来趋势计划
- 房地产行业安全风险管控计划
- 培养幼儿团队合作精神的方法计划
- 房地产行业品牌宣传策略计划
- 制定年度目标的实施方案计划
- 【人教版】pep六年级英语下全册教案(表格版)
- 第3课+秦朝统一多民族封建国家的建立【中职专用】《中国历史》(高教版2023基础模块)
- 2023年湖南省郴州市中考语文试卷
- 光栅衍射现象衍射光栅
- 08-第八章-公共部门绩效管理
- 【川教版】《生命 生态 安全》一年级上册第5课 上学路上 课件
- 快速康复外科理念ERAS与围手术期护理
- ESG指标对企业估值的影响
- 屋顶光伏发电商业计划书
- 生产设备更新方案
- 护士资格证考前培训
- 生物多样性与生态系统服务功能
评论
0/150
提交评论