The impact of active network devices mis-configuration in network security

Academic year: 2021

Research Design

1. Background:

Adversaries take advantage of the fact that network devices tend to become less securely configured over time: users demand exceptions for specific and temporary business needs, and network administrators honor those exceptions in order to support business operations. Apart from these intentional configuration changes, network administrators also make mistakes when configuring their network devices, as the studies cited below show. Good examples of network devices which can be mis-configured are firewalls and routers. Firewalls are intended to be security appliances, but they perform this task only if they are configured properly, while routers, though their main purpose is not security, can be configured to achieve security goals.

Configuring network devices is a complex and error-prone task which requires skills, experience, and a convenient working environment. Several studies [1,2,3,4] have shown that network device mis-configurations are common and can have an adverse impact on the operation of a network. Mis-configurations can compromise the security of an entire network or even cause global disruptions to Internet connectivity and the availability of resources. In his study of firewall configuration errors, Wool [1] pointed out that “complex rule sets are apparently too difficult for administrators to manage effectively.” Feamster and Balakrishnan [3] found more than 1000 errors in the router configurations of 17 networks. Configuration problems in networks have long been a source of adverse impacts and unforeseen costs for most organizations.

The above studies and many others in the area of network security have suggested or implemented engineering solutions to the underlying problem of network device mis-configuration. The study we are planning is intended to follow a scientific approach to solving the problem by first researching and understanding the underlying problem area, then ………... The study will increase the security of organizations' networks by unveiling the different configuration mistakes made by network administrators on current active network devices, and the level of severity of the security challenges these mistakes can cause to an organization. Knowing these mistakes will make it easier for administrators to take extra care while configuring the devices, so as to avoid repeating them. We believe that administrators are currently repeating the same configuration mistakes because not enough studies have been done in this area and therefore there is not enough literature.

2. Problem statement

Active network device mis-configurations have long been happening, as shown in the studies cited above. A number of organizational security challenges are the result of poor network device configurations, and these have cost organizations for years.

Network equipment such as routers (wired and wireless) and firewalls provides organizations with the desired secure computing environment if it is well configured and updated. Unfortunately, what is considered proper configuration of these devices requires a lot of skill, experience, and a convenient working environment, among other factors.


Available literature on device mis-configuration is based on research done more than five years ago. We believe that the advance in technology over the past five years has changed the situation: the mis-configurations found on devices five years ago might not be the same as those on current devices.

Several engineering solutions have been proposed for this problem area, but none has yet been shown to produce a decrease in network device mis-configuration, which therefore calls for a more scientific approach to solving this problem.

3. Research Objective/Goal

The main objective of this research is to enhance network security by minimizing the possibilities for network administrators to mis-configure network devices (e.g. routers and firewalls).

Specific

1. Get to know the details of the network administration job position

2. Know typical configurations of different network devices

3. Identify what device configuration actions are likely to cause vulnerabilities in the network

4. Identify common mis-configurations done during the configuration of network devices.

5. Identify which vulnerabilities are caused by which mis-configurations.

6. Categorize the vulnerabilities caused by devices mis-configurations depending on the effects they have in the security of an organization.

4. Research questions

1. What are the details (activities, skills, time etc) involved with network administration job?

2. What configuration actions are performed by network administrators in network devices?

3. What configuration actions are likely to introduce vulnerabilities in the network?

4. What are the common mistakes in these configuration actions?

5. Which vulnerabilities are results of which devices mis-configurations?

6. Which vulnerabilities (and why) are critical to network security, and which are not?

5. Hypotheses

5.1. Null Hypothesis (H0): Improper configuration of network devices has no impact on the network security of an organization.

5.2. Alternative Hypothesis (H1): Improper configuration of network devices has an impact on the network security of an organization.

6. Methodology

6.1. Population and sample

The sample will be a non-probability sample in phase I and a probability sample in phase II. In phase I a group of experts in three organizations in the U.S.A (as mentioned below) will be selected; in phase II the sample will be selected randomly from a population of large (more than 3000 employees) organizations in Tanzania and the U.S.A. The subjects of this study will be network administrators/engineers in the selected organizations.

The specific organizations to be explored are:

Phase I will involve experts from organizations in U.S.A, that is Cisco, Internet2 and NCSU; in this sample we expect to get expert insights of the network administration.

Phase II will involve organizations in both countries (Tanzania and U.S.A). In Tanzania the organizations will be the Tanzania Education and Research Network (TERNET), Tanzania E-governance Agency (EGA), Open University of Tanzania (OUT), Tanzania People's Defense Force (TPDF) and Seacom. In the U.S.A the organizations will be Google, ………. The selection of these organizations is partly based on the availability of social connections, and therefore the ease of getting access to interviewees and information, and partly based on the extent of security required in these organizations.

6.2. Instruments and Procedures

Data about the details of the network administration job will be collected from previous publications and from in-depth interviews with experts (phase I). Then, in order to understand the details of network device configuration and its effects on network security, self-administered questionnaires and interviews will be used: the questionnaire will be given to the subjects, and interviews will follow thereafter to ensure that we have correctly captured all aspects of the subjects' responses. The questionnaire and the interviews will focus on the configuration of active network devices (routers, switches and firewalls).

Areas of main focus (device, configuration area, details)

Routers

  Basic configurations:
  1. Global parameters
  2. WAN and LAN interfaces
  3. Static and dynamic routes
  4. IGRP and EGRP
  5. DHCP and VLANs
  6. Dial backup and remote management
  7. Command line access

  Security configurations:
  1. Authentication, Authorization, and Accounting
  2. Security server protocols
  3. NAT
  5. Public Key Infrastructure
  6. Secure infrastructure (Autosecure, login block, IP source tracker etc.)

Switches

  1. Authentication, Authorization, and Accounting
  2. Port security
  3. VLANs (management, voice, and normal traffic separation), secure VTP
  4. Logging and debugging
  5. Spanning tree
  6. MACsec encryption
  7. Trustsec
  8. ARP inspection
  9. DoS inspection
  10. DHCP snooping
  11. IP source guard
  12. Traffic storm control
  13. Network Admission Control
  14. Discovery protocol
  15. SPAN and RSPAN
  16. RMON
  18. QoS
  19. Multicast routing
  20. Online diagnostics

Firewalls

  1. Service policies
  2. Access control policies and lists
  3. Inspection rules (applications)
  4. Connection settings and QoS
  5. Advanced network protection (cloud web security, botnet traffic filter, threat detection etc.)
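The configuration areas listed above are the subject of the questionnaire; research objective 4 is to identify the common mis-configurations within them. As an added illustration (not part of this research design, and not a tool the study proposes), the following script shows how a handful of those areas on a switch (AAA, command line access, port security, DHCP snooping, dynamic ARP inspection and access lists) can be checked mechanically in an IOS-style configuration. Both configuration texts are constructed sample input; the command names are the Cisco IOS ones, while the interface names, VLAN number, ACL name and address are placeholders.

```python
"""Added example: audit an IOS-style configuration for a few of the
security configuration areas in the focus list. Sample configs are
constructed; names and addresses are placeholders."""

# Constructed sample: several of the listed areas are missing or weak.
WEAK_CONFIG = """\
line vty 0 4
 transport input telnet ssh
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
!
ip access-list extended OUTSIDE-IN
 permit ip any any
!
"""

# Constructed sample: the same device with each finding addressed.
HARDENED_CONFIG = """\
aaa new-model
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
line vty 0 4
 transport input ssh
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
!
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.0.2.10 eq 443
 deny ip any any
!
"""

# Global commands whose absence is reported, with the reason.
REQUIRED_GLOBAL = {
    "aaa new-model": "AAA not enabled; device relies on line/enable passwords",
    "ip dhcp snooping": "DHCP snooping not enabled",
    "ip arp inspection vlan": "dynamic ARP inspection not enabled on any VLAN",
}


def parse_blocks(config_text):
    """Group the config into (header, [child commands]) blocks. Lines
    starting with a space belong to the preceding unindented line; '!'
    separators and blank lines close the current block."""
    blocks = []
    current = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks


def audit_config(config_text):
    """Return a list of (scope, command, reason) findings for the config."""
    blocks = parse_blocks(config_text)
    headers = [header for header, _ in blocks]
    findings = []
    for prefix, reason in REQUIRED_GLOBAL.items():
        if not any(h.startswith(prefix) for h in headers):
            findings.append(("global", prefix, reason))
    for header, children in blocks:
        if header.startswith("line vty"):
            # Command line access: Telnet carries credentials in cleartext.
            for cmd in children:
                if cmd.startswith("transport input") and "telnet" in cmd.split():
                    findings.append((header, cmd, "Telnet permitted for remote management"))
        elif header.startswith("interface"):
            # Port security: every access port should have it enabled.
            if "switchport mode access" in children and "switchport port-security" not in children:
                findings.append((header, "switchport port-security", "access port without port security"))
        elif header.startswith("ip access-list extended"):
            # Access lists: a blanket permit makes the rest of the list irrelevant.
            for cmd in children:
                if cmd == "permit ip any any":
                    findings.append((header, cmd, "ACL permits all IP traffic"))
    return findings


if __name__ == "__main__":
    for scope, cmd, reason in audit_config(WEAK_CONFIG):
        print(f"{scope}: {cmd}: {reason}")
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

Run against the weak sample the audit reports six findings (three missing global features, Telnet on the vty lines, one access port without port security, and the open ACL); against the hardened sample it reports none. A check like this only covers presence of commands, which is exactly why the questionnaire and interviews in the design go further than the configuration text: it cannot tell whether a rule that is syntactically fine is wrong for the organization's actual security needs.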

6.3. Analyzing the data

After collecting the data, coding will be done, and SPSS will be used to analyze the data. It is preferable that an external person code the data, but there are difficulties with this option in the studentship environment, so the researcher herself will code the data. Raw data will be made available for replication purposes.

6.4. Reporting the findings

The findings from this research will be reported in the form of a research report which will be presented to the committee of my CSC 890 Doctoral Preliminary Exam. From this report a paper will be written for presentation at one of the security-related conferences, and it will form one of the NCSU Science of Security Lablet publications.

Among the many sections of the report, there will be a section where the findings are reported without interpretation, in order to avoid influencing readers' interpretations of the findings; the interpretation section will follow, where the researcher's interpretations of the findings will be reported.

7. References

1. A. Wool, “A quantitative study of firewall configuration errors,” IEEE Computer, vol. 37, no. 6, pp. 62–67, Jun. 2004.

2. F. Le, S. Lee, T. Wong, H. Kim, and D. Newcomb, “Detecting network-wide and router-specific misconfigurations through data mining,” IEEE/ACM Transactions on Networking, vol. 17, no. 1, Feb. 2009.

3. N. Feamster and H. Balakrishnan, “Detecting BGP configuration faults with static analysis,” in Proc. NSDI, Boston, MA, May 2005.

4. R. Mahajan, D. Wetherall, and T. Anderson, “Understanding BGP misconfiguration,” in Proc. ACM SIGCOMM 2002, ACM Press, pp. 3–16, 2002.
