
Conclusions and Future Work

In this work, the objective was to test and evaluate the effects of network diversity on network security. To this end, we gathered network topology information about our test bed using the Nessus Vulnerability Scanner. Using the collected data, we isolated the desired features and modeled diversified network configurations based on these features. Initial configurations were diversified by adding hosts and operating systems. We also added firewalls and DMZs as a control. Using these virtual models, we generated attack graphs with the toolkit designed by Oleg Sheyner and updated by David Swasey.

To compare the security of each resulting configuration, we proposed a quantitative security metric, VEA-bility. Our VEA-bility metric assigns a numeric value in the range [0,10] to each network configuration, where 0 indicates a poorly configured network and 10 indicates the most secure network configuration possible.

Applying our VEA-bility metric to our diversified configurations, we find that diversification does indeed support the security of a network. Specifically, in our experiments, diversity increases the average score in each dimension, and thus the overall average VEA-bility of the network configurations in each category. We therefore observe that diversifying a computer network can result in a more secure configuration. We show that distributing services onto hosts such that the resulting configuration is less vulnerable yields a more secure network. However, just as investors research and monitor their investments to maximize their profits, a network administrator should research the vulnerability history of software intended for use on a system or network. Once configured, the system should be monitored by referring frequently to online vulnerability databases, and vulnerable software should be patched or replaced as required.

There are a number of directions for extending this research in the future, including improving the metric and using the VEA-bility metric to investigate specific aspects of network security.

Moreover, improving the network model is another future direction. In this research we did not have access to information provided by an intrusion detection system or intrusion prevention system on the test bed. Obtaining this information and including it in the network model would allow a network administrator to make more confident decisions concerning secure network topologies.

Also, continuing from the work of Sheyner et al. [14], we did not model trust relations within the network, but rather modeled the resulting authentications as connectivity relations. Since the Sheyner/Swasey toolkit is designed to recognize host trust relations, representing these relations explicitly could provide a more accurate representation of a network.

One way to improve the VEA-bility metric is to incorporate more of the information provided by the CVSS [18]. One example is the environmental score, which assigns a numeric value based on the software implementation and the network environment. The environmental score is calculated from user-defined input such as the potential for damage and the target distribution.

Our VEA-bility metric could also be used to investigate the security of a network to determine which of our three defined dimensions has the greatest impact on overall security. The results of such a study would allow network administrators to focus their efforts on the events that would have the most impact on the security of their networks.


References

[1] Common Vulnerabilities and Exposures (CVE). http://cve.mitre.org.

[2] Nessus Vulnerability Scanner. http://www.nessus.org.

[3] National Vulnerability Database Home. http://nvd.nist.gov.

[4] Geer, D. E. (2007, April). The Evolution of Security [Electronic Version]. ACM Queue, 5(3). http://acmqueue.com/modules.php?name=Content&pa=showpage&pid=478&page=4

[5] Campbell, N., Reece, J., Taylor, M., & Simon, E. (2006). Biology: Concepts and Connections, 5th Edition. San Francisco: Benjamin Cummings.

[6] Geer, D., Bace, R., Gutmann, P., Metzger, P., Pfleeger, C. P., Quarterman, J. S., & Schneier, B. (2003, Sept 27). CyberInsecurity: The Cost of Monopoly. How the Dominance of Microsoft's Products Poses a Risk to Security. http://cryptome.org/cyberinsecurity.htm

[7] Lemos, R. (2004, January). Agriculture epidemics may hold clues to Net viruses. CNET News.com. http://news.com.com/Seeds+of+destruction/2009-7349_3-5140971.html

[8] Jajodia, S., Pamula, J., Ammann, P., & Swarup, V. (2006). A Weakest Adversary Security Metric for Network Configuration Security Analysis. In QoP-2006: Quality of Protection Workshop, October 2006.

[9] Manadhata, P., Wing, J., Flynn, M., & McQueen, M. (2006). Measuring the Attack Surfaces of Two FTP Daemons. In QoP-2006: Quality of Protection Workshop, October 2006.

[10] Abedin, M., Nessa, S., Al-Shaer, E., & Khan, L. (2006). Vulnerability Analysis for Evaluating Quality of Protection Security Policies. In QoP-2006: Quality of Protection Workshop, October 2006.

[11] Ammann, P., Wijesekera, D., & Kaushik, S. (2002). Scalable, Graph-Based Network Vulnerability Analysis. In Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS '02), November 2002.

[12] Jajodia, S., Noel, S., & O'Berry, B. (2005). Topological Analysis of Network Attack Vulnerability. In V. Kumar, J. Srivastava, & A. Lazarevic (Eds.), Managing Cyber Threats: Issues, Approaches and Challenges, pages 248-266. Springer-Verlag.

[13] Artz, M. (2002). NetSPA, A Network Security Planning Architecture. M.S. Thesis, Massachusetts Institute of Technology, Cambridge, May 2002.

[14] Sheyner, O., & Wing, J. M. (2004). Tools for Generating and Analyzing Attack Graphs. In Proceedings of the Workshop on Formal Methods for Components and Objects, pp. 344-371.

[15] Scenario and Attack Graphs. http://www.cs.cmu.edu/~scenariograph.

[16] Nessus Client Guide. http://www.nessus.org/documentation/nessus_3.0_client_guide.pdf.

[17] National Vulnerability Database Search Page. http://nvd.nist.gov/nvd.cfm.

[18] A Complete Guide to the Common Vulnerability Scoring System (CVSS). http://www.first.org/cvss/v1/guide.html.

[19] Security Metrics Guide for Information Technology Systems. http://csrc.nist.gov/publications/nistpubs/800-55/sp800-55.pdf.


Appendix A: Sample Attack Graphs

Figure A.1 Single Path Attack Graph

Figure A.2 Multiple Path Attack Graph


Appendix B: Sample XML File

<network>
  <host id="Solaris" ip="192.168.1.1" network="inside">
    <services> <web port="80" /> <ftp port="21" /> <rpc port="135" /> <database /> </services>
    <vulnerabilities> <CVE_2004_0492 /> </vulnerabilities>
    <connectivity>
      <remote id="Solaris"> <web /> <ftp /> <rpc /> </remote>
      <remote id="Intruder"> <web /> <ftp /> <rpc /> </remote>
    </connectivity>
  </host>
  <host id="Intruder" ip="10.0.0.1" network="outside">
    <connectivity>
      <remote id="Solaris"> <web /> </remote>
      <remote id="Intruder"> <web /> <ftp /> <rpc /> </remote>
    </connectivity>
  </host>
  <adversary>
    <privileges> <privilege host="Intruder" level="root" /> <privilege host="Solaris" level="none" /> </privileges>
    <knowledge> <scan value="no" /> </knowledge>
  </adversary>
  <attack name="apache_buffer_overflow" description="Gives a root shell on the target machine.">
    <local_preconditions>
      <privilege host="source" rel="gte" value="user" />
      <privilege host="target" rel="lte" value="user" />
    </local_preconditions>
    <global_preconditions>
      <service name="web" host="target" />
      <vulnerability name="CVE_2004_0492" host="target" />
      <connectivity from="source" service="web" />
    </global_preconditions>
    <local_effects> <privilege host="target" value="root" /> </local_effects>
    <global_effects> <service host="target" name="web" value="FALSE" /> </global_effects>
  </attack>
</network>
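As an added illustration that is not part of this thesis or of the Sheyner/Swasey toolkit, the following Python script parses a network file in the Appendix B layout, evaluates the attack's local and global preconditions for every ordered pair of hosts, and then applies its local and global effects to the model. It assumes that "source" and "target" bind to two distinct hosts, that privileges are ordered none < user < root for rel="gte"/"lte", and that a service effect with value="FALSE" removes the service from the target.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the Appendix B layout; source/target binding and privilege order are assumptions.
SAMPLE_XML = """<network>
  <host id="Solaris" ip="192.168.1.1" network="inside">
    <services><web port="80"/><ftp port="21"/><rpc port="135"/><database/></services>
    <vulnerabilities><CVE_2004_0492/></vulnerabilities>
    <connectivity><remote id="Solaris"><web/><ftp/><rpc/></remote>
      <remote id="Intruder"><web/><ftp/><rpc/></remote></connectivity>
  </host>
  <host id="Intruder" ip="10.0.0.1" network="outside">
    <connectivity><remote id="Solaris"><web/></remote>
      <remote id="Intruder"><web/><ftp/><rpc/></remote></connectivity>
  </host>
  <adversary>
    <privileges><privilege host="Intruder" level="root"/><privilege host="Solaris" level="none"/></privileges>
    <knowledge><scan value="no"/></knowledge>
  </adversary>
  <attack name="apache_buffer_overflow" description="Gives a root shell on the target machine.">
    <local_preconditions><privilege host="source" rel="gte" value="user"/>
      <privilege host="target" rel="lte" value="user"/></local_preconditions>
    <global_preconditions><service name="web" host="target"/>
      <vulnerability name="CVE_2004_0492" host="target"/>
      <connectivity from="source" service="web"/></global_preconditions>
    <local_effects><privilege host="target" value="root"/></local_effects>
    <global_effects><service host="target" name="web" value="FALSE"/></global_effects>
  </attack>
</network>"""

LEVELS = {"none": 0, "user": 1, "root": 2}  # privilege order assumed for rel="gte"/"lte"


def load_state(xml_text):
    """Parse the file into (attack elements, per-host facts, adversary privileges)."""
    root = ET.fromstring(xml_text)
    hosts = {h.get("id"): {"services": {s.tag for s in h.findall("services/*")},
                           "vulns": {v.tag for v in h.findall("vulnerabilities/*")},
                           "conn": {r.get("id"): {s.tag for s in r} for r in h.findall("connectivity/remote")}}
             for h in root.findall("host")}
    priv = {p.get("host"): p.get("level") for p in root.findall("adversary/privileges/privilege")}
    return root.findall("attack"), hosts, priv


def preconditions_hold(attack, hosts, priv, source, target):
    """True if every local and global precondition holds for this (source, target) binding."""
    bind = {"source": source, "target": target}
    for p in attack.findall("local_preconditions/privilege"):
        have, need = LEVELS[priv.get(bind[p.get("host")], "none")], LEVELS[p.get("value")]
        if (p.get("rel") == "gte" and have < need) or (p.get("rel") == "lte" and have > need):
            return False
    for g in attack.findall("global_preconditions/*"):
        h = hosts[bind[g.get("host") or g.get("from")]]  # host the fact is checked on
        facts = {"service": h["services"], "vulnerability": h["vulns"], "connectivity": h["conn"].get(target, ())}
        if (g.get("name") or g.get("service")) not in facts[g.tag]:
            return False
    return True


def apply_effects(attack, hosts, priv, source, target):
    """Update adversary privileges and host services with the attack's local/global effects."""
    bind = {"source": source, "target": target}
    for e in attack.findall("local_effects/privilege"):
        priv[bind[e.get("host")]] = e.get("value")
    for e in attack.findall("global_effects/service"):
        if e.get("value") == "FALSE":  # the exploited service is no longer available
            hosts[bind[e.get("host")]]["services"].discard(e.get("name"))


def applicable_attacks(attacks, hosts, priv):
    """All (attack, source, target) triples whose preconditions hold in the current state."""
    return [(a.get("name"), s, t) for a in attacks for s in hosts for t in hosts
            if s != t and preconditions_hold(a, hosts, priv, s, t)]
```

On the sample, only Intruder to Solaris satisfies the preconditions; after its effects are applied the adversary holds root on Solaris, the web service is gone, and no further attack applies, which is the single-path case of Appendix A.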


Appendix C: Network Configurations

Base Configurations – Intruder can connect to ports 80, 135, and 21.

Configuration 1 – 1 intruder and 1 internal Solaris host running web, ftp, rpc, and database.

Configuration 2 – 1 intruder, 1 internal Solaris host running rpc, and 1 internal Solaris host running web, ftp, and database.

Configuration 3 – 1 intruder, 1 internal Solaris host running ftp, and 1 internal Solaris host running web, rpc, and database.

Configuration 4 – 1 intruder, 1 internal Solaris host running web, and 1 internal Solaris host running rpc, ftp, and database.

Configuration 5 – 1 intruder, 1 internal Solaris host running database, and 1 internal Solaris host running web, rpc, and ftp.

Configuration 6 – 1 intruder, 1 internal Solaris host running database and web, and 1 internal Solaris host running ftp and rpc.

Configuration 7 – 1 intruder, 1 internal Solaris host running database and rpc, and 1 internal Solaris host running ftp and web.

Configuration 8 – 1 intruder, 1 internal Solaris host running database and ftp, and 1 internal Solaris host running rpc and web.

Configuration 9 – 1 intruder, 1 internal Solaris host running database, 1 internal Solaris host running rpc, 1 internal Solaris host running ftp, and 1 internal Solaris host running web.

Configuration 10 – 1 intruder and 1 internal Linux host running web, ftp, rpc, and database.

Configuration 11 – 1 intruder, 1 internal Linux host running rpc, and 1 internal Linux host running web, database, and ftp.

Configuration 12 – 1 intruder, 1 internal Linux host running ftp, and 1 internal Linux host running rpc, web, and database.

Configuration 13 – 1 intruder, 1 internal Linux host running web, and 1 internal Linux host running rpc, ftp, and database.

Configuration 14 – 1 intruder, 1 internal Linux host running database, and 1 internal Linux host running web, rpc, and ftp.

Configuration 15 – 1 intruder, 1 internal Linux host running web and database, and 1 internal Linux host running ftp and rpc.

Configuration 16 – 1 intruder, 1 internal Linux host running rpc and database, and 1 internal Linux host running ftp and web.

Configuration 17 – 1 intruder, 1 internal Linux host running ftp and database, and 1 internal Linux host running web and rpc.

Configuration 18 – 1 intruder, 1 internal Linux host running database, 1 internal Linux host running rpc, 1 internal Linux host running ftp, and 1 internal Linux host running web.

Configuration 19 – 1 intruder and 1 internal Windows host running web, rpc, ftp, and database.

Configuration 20 – 1 intruder, 1 internal Windows host running rpc, and 1 internal Windows host running ftp, web, and database.

Configuration 21 – 1 intruder, 1 internal Windows host running ftp, and 1 internal Windows host running rpc, web, and database.

Configuration 22 – 1 intruder, 1 internal Windows host running web, and 1 internal Windows host running ftp, rpc, and database.

Configuration 23 – 1 intruder, 1 internal Windows host running database, and 1 internal Windows host running rpc, ftp, and web.

Configuration 24 – 1 intruder, 1 internal Windows host running web and database, and 1 internal Windows host running ftp and rpc.

Configuration 25 – 1 intruder, 1 internal Windows host running rpc and database, and 1 internal Windows host running ftp and web.

Configuration 26 – 1 intruder, 1 internal Windows host running ftp and database, and 1 internal Windows host running rpc and web.

Configuration 27 – 1 intruder, 1 internal Windows host running database, 1 internal Windows host running rpc, 1 internal Windows host running ftp, and 1 internal Windows host running web.


Configuration 29 – 1 intruder, 1 internal Solaris host running database, ftp, and web, and 1 internal Windows host running rpc.

Configuration 30 – 1 intruder, 1 internal Solaris host running database, ftp, and rpc, and 1 internal Windows host running web.

Configuration 31 – 1 intruder, 1 internal Solaris host running web, ftp, and rpc, and 1 internal Windows host running database.

Configuration 32 – 1 intruder, 1 internal Windows host running database, web, and rpc, and 1 internal Solaris host running ftp.

Configuration 33 – 1 intruder, 1 internal Windows host running database, ftp, and web, and 1 internal Solaris host running rpc.

Configuration 34 – 1 intruder, 1 internal Windows host running database, ftp, and rpc, and 1 internal Solaris host running web.

Configuration 35 – 1 intruder, 1 internal Windows host running web, ftp, and rpc, and 1 internal Solaris host running database.

Configuration 36 – 1 intruder, 1 internal Windows host running database and ftp, and 1 internal Solaris host running web and rpc.

Configuration 37 – 1 intruder, 1 internal Windows host running database and web, and 1 internal Solaris host running ftp and rpc.

Configuration 38 – 1 intruder, 1 internal Windows host running database and rpc, and 1 internal Solaris host running ftp and web.

Configuration 39 – 1 intruder, 1 internal Solaris host running database and rpc, and 1 internal Windows host running ftp and web.

Configuration 40 – 1 intruder, 1 internal Solaris host running database and web, and 1 internal Windows host running ftp and rpc.

Configuration 41 – 1 intruder, 1 internal Solaris host running database and ftp, and 1 internal Windows host running web and rpc.

Configuration 42 – 1 intruder, 1 internal Solaris host running database, rpc, and ftp, and 1 internal Linux host running web.

Configuration 43 – 1 intruder, 1 internal Solaris host running database, ftp, and web, and 1 internal Linux host running rpc.

Configuration 44 – 1 intruder, 1 internal Solaris host running database, rpc, and web, and 1 internal Linux host running ftp.

Configuration 45 – 1 intruder, 1 internal Solaris host running ftp, web, and rpc, and 1 internal Linux host running database.

Configuration 46 – 1 intruder, 1 internal Solaris host running ftp, and 1 internal Linux host running database, rpc, and web.

Configuration 47 – 1 intruder, 1 internal Solaris host running rpc, and 1 internal Linux host running ftp, web, and database.

Configuration 48 – 1 intruder, 1 internal Solaris host running web, and 1 internal Linux host running ftp, rpc, and database.

Configuration 49 – 1 intruder, 1 internal Solaris host running database, and 1 internal Linux host running ftp, web, and rpc.

Configuration 50 – 1 intruder, 1 internal Solaris host running database and rpc, and 1 internal Linux host running ftp and web.

Configuration 51 – 1 intruder, 1 internal Solaris host running database and web, and 1 internal Linux host running ftp and rpc.

Configuration 52 – 1 intruder, 1 internal Solaris host running database and ftp, and 1 internal Linux host running web and rpc.

Configuration 53 – 1 intruder, 1 internal Solaris host running rpc and ftp, and 1 internal Linux host running database and web.

Configuration 54 – 1 intruder, 1 internal Solaris host running web and rpc, and 1 internal Linux host running database and ftp.

Configuration 55 – 1 intruder, 1 internal Solaris host running web and ftp, and 1 internal Linux host running rpc and database.

Configuration 56 – 1 intruder, 1 internal Windows host running database, rpc, and web, and 1 internal Linux host running ftp.

Configuration 57 – 1 intruder, 1 internal Windows host running web, ftp, and database, and 1 internal Linux host running rpc.

Configuration 58 – 1 intruder, 1 internal Windows host running database, ftp, and rpc, and 1 internal Linux host running web.

Configuration 59 – 1 intruder, 1 internal Windows host running ftp, rpc, and web, and 1 internal Linux host running database.

Configuration 60 – 1 intruder, 1 internal Windows host running web, and 1 internal Linux host running database, ftp, and rpc.

Configuration 61 – 1 intruder, 1 internal Windows host running rpc, and 1 internal Linux host running database, web, and ftp.


Configuration 62 – 1 intruder, 1 internal Windows host running ftp, and 1 internal Linux host running rpc, web, and database.

Configuration 63 – 1 intruder, 1 internal Windows host running database, and 1 internal Linux host running web, ftp, and rpc.

Configuration 64 – 1 intruder, 1 internal Windows host running database and web, and 1 internal Linux host running ftp and rpc.

Configuration 65 – 1 intruder, 1 internal Windows host running database and rpc, and 1 internal Linux host running ftp and web.

Configuration 66 – 1 intruder, 1 internal Windows host running database and ftp, and 1 internal Linux host running web and rpc.

Configuration 67 – 1 intruder, 1 internal Windows host running ftp and rpc, and 1 internal Linux host running database and web.

Configuration 68 – 1 intruder, 1 internal Windows host running ftp and web, and 1 internal Linux host running database and rpc.

Configuration 69 – 1 intruder, 1 internal Windows host running web and rpc, and 1 internal Linux host running database and ftp.

Configuration 70 – 1 intruder, 1 internal Solaris host running web, 1 internal Linux host running ftp, and 1 internal Windows host running database and rpc.

Configuration 71 – 1 intruder, 1 internal Solaris host running web, 1 internal Linux host running database, and 1 internal Windows host running rpc and ftp.

Configuration 72 – 1 intruder, 1 internal Solaris host running web, 1 internal Linux host running rpc, and 1 internal Windows host running database and ftp.

Configuration 73 – 1 intruder, 1 internal Solaris host running ftp, 1 internal Linux host running database, and 1 internal Windows host running web and rpc.

Configuration 74 – 1 intruder, 1 internal Solaris host running ftp, 1 internal Linux host running rpc, and 1 internal Windows host running web and database.

Configuration 75 – 1 intruder, 1 internal Solaris host running ftp, 1 internal Linux host running web, and 1 internal Windows host running database and rpc.

Configuration 76 – 1 intruder, 1 internal Solaris host running rpc, 1 internal Linux host running web, and 1 internal Windows host running database and ftp.

Configuration 77 – 1 intruder, 1 internal Solaris host running rpc, 1 internal Linux host running ftp, and 1 internal Windows host running web and database.

Configuration 78 – 1 intruder, 1 internal Solaris host running rpc, 1 internal Linux host running database, and 1 internal Windows host running ftp and web.

Configuration 79 – 1 intruder, 1 internal Solaris host running database, 1 internal Linux host running ftp, and 1 internal Windows host running rpc and web.

Configuration 80 – 1 intruder, 1 internal Solaris host running database, 1 internal Linux host running web, and 1 internal Windows host running ftp and rpc.

Configuration 81 – 1 intruder, 1 internal Solaris host running database, 1 internal Linux host running rpc, and 1 internal Windows host running web and ftp.

Configuration 82 – 1 intruder, 1 internal Solaris host running web, 1 internal Windows host running ftp, and 1 internal Linux host running database and rpc.

Configuration 83 – 1 intruder, 1 internal Solaris host running web, 1 internal Windows host running rpc, and 1 internal Linux host running database and ftp.

Configuration 84 – 1 intruder, 1 internal Solaris host running web, 1 internal Windows host running database, and 1 internal Linux host running rpc and ftp.

Configuration 85 – 1 intruder, 1 internal Solaris host running ftp, 1 internal Windows host running rpc, and 1 internal Linux host running web and database.

Configuration 86 – 1 intruder, 1 internal Solaris host running ftp, 1 internal Windows host running web, and 1 internal Linux host running database and rpc.


Configuration 87 – 1 intruder, 1 internal Solaris host running ftp, 1 internal Windows host running database, and 1 internal Linux host running web and rpc.

Configuration 88 – 1 intruder, 1 internal Linux host running ftp, 1 internal Windows host running web, and 1 internal Solaris host running rpc and database.

Configuration 89 – 1 intruder, 1 internal Linux host running database, 1 internal Windows host running ftp, and 1 internal Solaris host running web and rpc.

Configuration 90 – 1 intruder, 1 internal Linux host running database, 1 internal Windows host running web, and 1 internal Solaris host running rpc and ftp.

Configuration 91 – 1 intruder, 1 internal Linux host running database, 1 internal Windows host running rpc, and 1 internal Solaris host running web and ftp.

Configuration 92 – 1 intruder, 1 internal Linux host running rpc, 1 internal Windows host running web, and 1 internal Solaris host running database and ftp.

Configuration 93 – 1 intruder, 1 internal Linux host running rpc, 1 internal Windows host running ftp, and 1 internal Solaris host running database and web.

Configuration 94 – 1 intruder, 1 internal Linux host running rpc, 1 internal Windows host running database, and 1 internal Solaris host running web and ftp.

Configuration 95 – 1 intruder, 1 internal Linux host running web, 1 internal Windows host running ftp, and 1 internal Solaris host running rpc and database.

Configuration 96 – 1 intruder, 1 internal Linux host running web, 1 internal Windows host running database, and 1 internal Solaris host running rpc and ftp.

Configuration 97 – 1 intruder, 1 internal Linux host running web, 1 internal Windows host running rpc, and 1 internal Solaris host running ftp and database.

Configuration 98 – 1 intruder, 1 internal Solaris host running database, 1 internal Windows host running ftp, and 1 internal Linux host running rpc and web.

Configuration 99 – 1 intruder, 1 internal Solaris host running database, 1 internal Windows host running rpc, and 1 internal Linux host running ftp and web.

Configuration 100 – 1 intruder, 1 internal Solaris host running database, 1 internal Windows host running web, and 1 internal Linux host running rpc and ftp.

Configuration 101 – 1 intruder, 1 internal Solaris host running rpc, 1 internal Windows host running web, and 1 internal Linux host running ftp and database.

Configuration 102 – 1 intruder, 1 internal Solaris host running rpc, 1 internal Windows host running ftp, and 1 internal Linux host running web and database.

Configuration 103 – 1 intruder, 1 internal Solaris host running rpc, 1 internal Windows host running database, and 1 internal Linux host running ftp and web.

Configuration 104 – 1 intruder, 1 internal Linux host running ftp, 1 internal Windows host running database, and 1 internal Solaris host running web and rpc.

Configuration 105 – 1 intruder, 1 internal Linux host running ftp, 1 internal Windows host running rpc, and 1 internal Solaris host running database and web.

Firewalled Configurations – Intruder can connect to ports 80 and 21.

Configuration 106 – 1 intruder and 1 internal Solaris host running web, ftp, rpc, and database. Firewall between intruder and internal network.

Configuration 107 – 1 intruder, 1 internal Solaris host running rpc, and 1 internal Solaris host running web, ftp, and database. Firewall between intruder and internal network.


Configuration 108 – 1 intruder, 1 internal Solaris host running ftp, and 1 internal Solaris host running web, rpc, and database.
