
IJCSBI.ORG | ISSN: 1694-2108 | Vol. 15, No. 1, January 2015

Layered Defense Approach: Towards Total Network Security

Kalaivani Chellappan

Department of Electrical, Electronic and System Engineering Faculty of Engineering and Built Environment, UKM, Malaysia

Ahmed Shamil Mustafa

Department of Electrical, Electronic and System Engineering Faculty of Engineering and Built Environment, UKM, Malaysia

Mohammed Jabbar Mohammed

Department of Electrical, Electronic and System Engineering Faculty of Engineering and Built Environment, UKM, Malaysia

Aqeel Mezher Thajeel

Department of Electrical, Electronic and System Engineering Faculty of Engineering and Built Environment, UKM, Malaysia

ABSTRACT

Computer network security is one of the most critical issues facing business organizations. Protecting the organization's data, which is the core of the organization's existence, against attacks is very important. Multiple security tools should be implemented at the same time in order to protect this data, as modern attacks can easily bypass most security systems that operate alone. A well-designed security system which takes into consideration the most likely network threats is necessary to prevent intruders and provide secure data exchange. In this paper, the layered defense approach is presented as the best solution for building a network security system. In this approach multiple mechanisms are used together to keep a high security level.

Keywords: Network security; layered defense approach; risk analysis; computer network attacks.

1. INTRODUCTION

The growing number of computer networks and recent developments in information technology have led to increased demand for attention to network security issues. Despite its huge benefits, such as shared data usage, network convergence has introduced a large number of threats to the organization's network systems. Having more data flowing through the network poses security risks for both the facilities and the IT teams; as a result, more complex protection schemes should be applied.

staff and the system is required to achieve network protection against attacks [1]. As different staff members have different responsibilities, different roles should be assigned to them when building the secure network. To provide a secure network design, an analysis of possible threats should be carried out. Appropriate risk analysis can provide an outlook on possible network threats and vulnerabilities and on the best mechanisms to maintain protection and mitigate their effects. Different security mechanisms can be implemented to secure an organization's network, beginning from the core network and ending with securing the user end point. However, some vulnerable point could be missed, which can easily provide a base from which to attack the network. A well-designed security system can guarantee the high security level that is required, especially for protecting data. The essential approach towards high-level network security is layered defense.

Layered defense is defined as the concept of protecting a computer network with a series of defensive mechanisms such that if one mechanism fails, another will already be in place to thwart an attack [2]. Because of the variety of attacks, no single technique can successfully protect the network.

By utilizing a layered defense strategy [1], any attack can be prevented or at least detected. This approach requires deep coordination between users and network resources in order to assure secure data exchange. Rather than placing a few firewalls between networks or installing additional malware detection software, layered defense implements multiple strategies which are divided into different layers. Each layer introduces a partial defense technique against specific attacks; once one layer's defense is passed, the next layer's defense should be able to mitigate the attack or at least detect it. Like any other security system design, layered security requires a deep analysis of the attacks in order to identify which mechanisms to employ and where. Figure 1 shows the basic steps to design a security system. In this paper, we introduce the layered defense approach to provide total network protection. The paper is organized as follows: section 2 explains the most common attacks on computer networks; in section 3, we discuss the importance of risk analysis in building a network security system; section 4 introduces the layered defense approach in detail; finally, section 5 contains the conclusion of our work.

2. ATTACK CLASSIFICATION

The commonly known attacks can be classified as follows [3, 4]:

A. Eavesdropping or packet sniffing

In this case the attacker captures every packet flowing across the network with the aid of a packet sniffer application. Without strong encryption, the captured packet is plain text which simply reveals the network's information [5].

B. Data modification

The attacker aims to modify the content of the captured packet without the knowledge of the sender or the receiver.

C. IP address spoofing

This attack enables the attacker to access network data, modify it or even delete it [5, 6].

D. Password based attacks

Once the attacker discloses the user's password, he can access the user's data and has all the rights and privileges of the real user.

All of the previous attacks result in some data being stolen or modified, but the network can continue to work properly. A more aggressive attacker will develop more dangerous attacks which lead not only to network data being changed but also to the network being destroyed and brought down [6]. Once the attacker has captured any network node, the node is said to be compromised. In this case the attacker can start a second group of network attacks, which contains:

A. Trust exploitation

As devices in the shared environment are expected to trust the information they receive from each other, an attacker can use the compromised device to send and modify information as a trusted user.

B. Port redirection

By installing port redirection software like NetCat on the compromised device, the attacker can redirect packets to another port. In this case, all network data including IP addresses, passwords and other important information can be monitored by the attacker.

C. Man in the middle attack

In this attack, all packets exchanged between two users pass through the compromised device. The attacker can modify the packets without being noticed by the sender or receiver.

D. Denial of service (DoS)

By flooding the network with extra traffic, the attacker aims to prevent the network from performing its job. For example, the attacker can flood the server with so many requests that it takes a long time to process them and becomes unavailable to other users. DoS attacks are the hardest attacks to mitigate, as they are performed using traffic that is allowed in the network [7].

E. Malicious software (Viruses, worms and Trojans)

Once the attacker becomes trusted within the network, he can send packets containing viruses, worms and Trojans to different network devices, which will treat the data as trusted. This malware can affect devices in different ways, from erasing files to running arbitrary code that overloads memory and consequently switches the device off.

F. Network partitioning

Using the port redirection attack and packet sniffing, the attacker can redirect all the packets to flow to a certain device which has been compromised. In this case, a large number of network nodes (devices) will be virtually out of the network, which constitutes a virtual network partitioning.

3. RISK ANALYSIS

The first step towards building a secure network is to carefully identify and analyze each attack and evaluate the risks introduced to the organization's network by these attacks. Risk analysis helps to define the possible damage caused by the attacker and the methods to mitigate this damage or even prevent it. The basic methodology of risk analysis can be summarized as in [8]:

• Identify the assets.
• Identify the threats.
• Identify the vulnerabilities.
• Identify the existing controls.

intentionally exploited and result in a security breach or a violation of the system's security policy" [9]. The vulnerable points in the network will not cause any harm unless some threat exploits them. All vulnerabilities should be well identified and monitored to detect any threat possibilities. The final stage in risk analysis is to identify the existing controls. Controls means all existing procedures and mechanisms to mitigate the vulnerabilities. Existing controls can be identified with the help of the documentation of controls and the plans for risk treatment implementation. Multiple controls should be assigned to mitigate every vulnerability: if one control fails, a complementary control should be in place to mitigate the threat.

Risk analysis can be done in two ways: Quantitative and qualitative [8].

Quantitative risk analysis is used to define the probability of risk occurrence and the possible losses, and to assign them numerical values. Quantitative analysis helps to estimate the value of the assets, the build cost, the protection cost and the repair cost. Qualitative analysis is used to predict the level of protection required for the network, including assets and applications. Qualitative analysis represents the initial monitoring that identifies the risks and threats which need deeper analysis, and whether numerical threat estimation is required.

4. LAYERED DEFENSE APPROACH

The layered defense approach is described in terms of defense layers, which can be seen in Figure 2. These layers are as follows:

• First layer: perimeter defense, which contains conventional procedures like firewalls, malware detection software and network monitoring software.
• Second layer: core network defense, using network monitoring, server end point protection and patching.
• Third layer: host defense, covering desktops, mobiles and laptop devices.
• Fourth layer: application defense, which covers both applications running on end user devices and applications running on dedicated servers.
• Fifth layer: data defense, which is the main target of any security system.

A. Perimeter defense

The network perimeter is the point where the network connects to the outside, so-called untrusted, networks; hence providing a secure perimeter is the first step to prevent unwanted access to the network and so to the system information. According to Microsoft TechNet, the perimeter is defined as "every point where the internal network is connected to networks and hosts that are not managed by the organization's IT team." The firewall is the base of every

well configured perimeter. As the firewall is the security guard which controls the entry points of the network by checking every incoming and outgoing packet, a set of rules should be predefined by the organization to help configure the firewall properly. In this case, a well configured firewall will be able to decide which packets to accept and which to discard. According to [12], two categories of firewalls exist: stateless firewalls and stateful firewalls. If the firewall decides the fate of the packet by examining the packet itself alone, it is called stateless. If the decision is made not only on the basis of the packet itself but also by looking at the previously accepted packets, it is called stateful. As the packet flow is controlled, many harmful effects can be eliminated, keeping the network safe.
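The stateless/stateful distinction above can be made concrete with a small simulation. The following is an added example (not code from the paper): both filters are asked to decide the fate of the same constructed packet sequence, with a private prefix of 10.0.0.0/24 and documentation addresses for the outside hosts assumed. It shows why the stateless filter, which has no memory of earlier packets, must approximate "reply to an existing connection" with a flag check, while the stateful one consults the connections it accepted before.

```python
from dataclasses import dataclass

INTERNAL_NET = "10.0.0."   # constructed internal address prefix (assumption)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag: set on a new connection request
    ack: bool = False   # TCP ACK flag: set on every packet after the first

def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_NET)

def stateless_decide(pkt: Packet) -> str:
    """Decides from the packet alone. Outbound traffic is accepted. Inbound
    traffic is accepted only when the ACK flag is set, the usual stateless
    approximation of 'belongs to an established connection'."""
    if is_internal(pkt.src) and not is_internal(pkt.dst):
        return "accept"
    if pkt.ack:
        return "accept"
    return "drop"

class StatefulFilter:
    """Also consults previously accepted packets: an inbound packet is
    accepted only if it answers a connection an internal host opened."""
    def __init__(self) -> None:
        self.connections: set = set()   # (src, sport, dst, dport) tuples

    def decide(self, pkt: Packet) -> str:
        outbound = is_internal(pkt.src) and not is_internal(pkt.dst)
        if outbound:
            if pkt.syn and not pkt.ack:   # remember new outbound connections
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"
        reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "accept" if reply_of in self.connections else "drop"

def run_scenario() -> dict:
    """Feeds a constructed packet sequence to both filters and returns
    {label: (stateless_verdict, stateful_verdict)}."""
    client, server, outsider = "10.0.0.5", "203.0.113.9", "198.51.100.7"
    packets = [
        ("outbound SYN to web server", Packet(client, 51000, server, 443, syn=True)),
        ("server SYN/ACK reply", Packet(server, 443, client, 51000, syn=True, ack=True)),
        ("unsolicited SYN to ssh", Packet(outsider, 40000, client, 22, syn=True)),
        ("unsolicited ACK to ssh", Packet(outsider, 40001, client, 22, ack=True)),
    ]
    stateful = StatefulFilter()   # one instance so it keeps state across packets
    return {label: (stateless_decide(p), stateful.decide(p)) for label, p in packets}

if __name__ == "__main__":
    for label, (stateless, stateful) in run_scenario().items():
        print(f"{label:28s} stateless={stateless:6s} stateful={stateful}")
```

The last row is the point of the comparison: an unsolicited inbound packet that merely carries the ACK flag passes the stateless rule, but the stateful filter drops it because no internal host opened that connection.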

B. Core network defense

The basic key to core network protection is a well-designed architecture. The DMZ, which is the network area separating the firewall from the first router in the network, is an important defense tool. The DMZ hardware works as the second checkpoint for packets; by fragmenting the packet, the DMZ can detect whether the payload is malicious or not. Figure 3 illustrates the implementation of the DMZ within the core network.

Intrusion detection and prevention systems (IDPS) form the second line of defense in securing the core network. By collecting information from different network sources, these systems can detect possible threats [13]. For example, when the attacker performs a port redirection attack, most of the data flows to the compromised device. By analyzing the traffic in the network, the IDPS can find the threat and report it to the system administrator, who can then take the proper reaction. The secondary router in the system is also involved in the layered protection [14]. By dividing the network into different working groups (VPNs), the secondary router can disseminate the network traffic into the proper working groups.
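The port redirection example above (and the network partitioning attack of section 2) shows up in traffic data as an abnormal share of the network's flows converging on one host from many sources. The following is an added example, not the paper's own code or any particular IDPS product: it runs a simple concentration check over constructed NetFlow-style records (src,dst,bytes; all addresses made up) against a baseline window, and returns the alerts an administrator would be shown. The thresholds are assumptions chosen for the sample data.

```python
from collections import defaultdict

# Constructed baseline window: traffic spread over the usual servers.
BASELINE_FLOWS = """\
10.0.0.11,10.0.0.50,4000
10.0.0.12,10.0.0.50,3500
10.0.0.13,10.0.0.51,3800
10.0.0.11,10.0.0.52,4200
10.0.0.14,10.0.0.51,3900
10.0.0.15,10.0.0.52,4100
"""

# Constructed current window: flows from many hosts now land on 10.0.0.77,
# the pattern a port redirection to a compromised device would produce.
CURRENT_FLOWS = """\
10.0.0.11,10.0.0.77,4000
10.0.0.12,10.0.0.77,3500
10.0.0.13,10.0.0.77,3800
10.0.0.14,10.0.0.77,3900
10.0.0.15,10.0.0.52,4100
10.0.0.11,10.0.0.50,500
"""

def parse_flows(text: str) -> list:
    """Parses 'src,dst,bytes' lines into (src, dst, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, nbytes = line.split(",")
        flows.append((src, dst, int(nbytes)))
    return flows

def destination_profile(flows: list) -> dict:
    """Returns {dst: (share_of_total_bytes, number_of_distinct_sources)}."""
    total = sum(b for _, _, b in flows) or 1
    by_dst, sources = defaultdict(int), defaultdict(set)
    for src, dst, nbytes in flows:
        by_dst[dst] += nbytes
        sources[dst].add(src)
    return {d: (by_dst[d] / total, len(sources[d])) for d in by_dst}

def detect_traffic_concentration(baseline: list, current: list,
                                 share_threshold: float = 0.5,
                                 min_sources: int = 3,
                                 growth: float = 3.0) -> list:
    """Flags destinations that now receive a dominant share of bytes from
    several sources, and whose share grew by `growth` over the baseline."""
    base, cur = destination_profile(baseline), destination_profile(current)
    alerts = []
    for dst, (share, nsrc) in cur.items():
        base_share = base.get(dst, (0.0, 0))[0]
        grew = share >= growth * max(base_share, 0.01)   # 0.01 floor: unseen host
        if share >= share_threshold and nsrc >= min_sources and grew:
            alerts.append({"dst": dst, "share": round(share, 2),
                           "sources": nsrc, "baseline_share": round(base_share, 2)})
    return alerts

if __name__ == "__main__":
    for alert in detect_traffic_concentration(parse_flows(BASELINE_FLOWS),
                                              parse_flows(CURRENT_FLOWS)):
        print("ALERT: traffic concentrating on", alert)
```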

C. End point defense

The end points in the network are both users' devices and servers. Users' information can be protected by means of operating system protection, by adjusting the security configuration. Other procedures can be useful too, such as closing unused ports, hard disk encryption and application whitelisting. Host intrusion detection systems can also be used to protect hosts from outside attacks. Antivirus software protects the device from malicious software. This software maintains databases which contain signatures for all known malicious code and uses signature scanning to identify malicious files. By detecting these files, many attacks and threats can be eliminated.

D. Application defense

Many attacks target applications, especially those which run on the server. Some of these attacks are buffer overflow attacks, password guessing attacks, directory traversal attacks, and poorly configured network applications that expose data to unauthorized users. Most client applications do not listen on network ports, so they are usually not susceptible to remote network attacks. Different tools and solutions can be used to protect applications, such as Internet Information Services hardening and SQL hardening for protecting servers [15]; also, applications and their updates should be installed only from their original vendors.

E. Data defense

As business data is the most valuable content of any organization, providing data protection is the main goal of any network security system. In addition to the previous mechanisms, data defense can be achieved by controlling access to files and folders using access control lists (ACLs) [16], together with encryption techniques. To prevent data loss, data backup and restore should be done periodically using CDs or external hard disks. Finally, saving data on external hard disks rather than keeping it on the desktop device can also protect it from being stolen.

second defense layer, in this case hard disk encryption, will be ready to defend against the attack. If the attacker succeeds in breaking the encryption, the next defense layer, say a host-based intrusion detection system (IDS), can detect the attack by comparing the attacker's behavior with the system logs. The intrusion detection system will report the attack to the administrator, who can take the proper reaction.

5. CONCLUDING REMARKS

In this paper, we introduced a layered approach to computer network security. Layered network defense can provide a better security level by arranging defense mechanisms in consecutive layers, such that each mechanism has fewer attacks to deal with than the mechanism in the previous layer. Different security mechanisms are required in order to provide total network protection, which increases the cost and complexity of the security system. However, a good risk analysis of the organization's network can reduce the cost of the implemented security mechanisms by predicting which mechanism to apply and at which layer.

REFERENCES

[1] Banathy, A., Panozzo, G., Gordy, A. and Senese, J., 2013. A Layered Approach to Network Security, Industrial IP database, available at: <http://www.industrial-ip.org> [accessed 15 November 2014].

[2] Shenk, J., 2013. Layered security: Why it works, SANS Institute Reading Room database, available at: <http://www.sans.org/reading-room> [accessed 15 November 2014].

[3] De Capite, D., 2006. Self-Defending Networks: The Next Generation of Network Security, Cisco Press, New York.

[4] Kumaravel, A., 2013. Multi-classification Approach for Detecting Network Attacks. IEEE Conference on Information and Communications Technology (ICT), Jeju Island, April 11-12 2013, pp. 1114-1117. Available at: <http://www.ieeexplore.com> [accessed 12 December 2014].

[5] Orebaugh, A. and Pinkard, B., 2008. Nmap in the Enterprise: Your Guide to Network Scanning. [e-book] Syngress Press. Available at: <http://www.amazon.com/> [accessed 03 December 2014].

[6] Harris, J., 2002. Cisco Network Security Little Black Book. [e-book] Paraglyph Press. Available at: <http://www.amazon.com> [accessed 17 December 2014].

[7] Hsu, F. H. and Chiueh, T., 2008. Scalable Network-based Buffer Overflow Attack Detection, IEEE Xplore database, pp. 163-172. Available at: <http://www.ieeexplore.com> [accessed 10 December 2014].

[9] Stoneburner, G., Goguen, A. and Feringa, A., 2002. Risk Management Guide for Information Technology Systems, National Institute of Standards and Technology e-library, p. 54. Available at: <http://www.nis.gov> [accessed 23 December 2014].

[10] Fraser, B., 1997. Site Security Handbook, RFC 2196. Available at: <http://www.ietf.org> [accessed 10 December 2014].

[11] Malik, S., 2002. Network Security Principles and Practices. [e-book] Cisco Press. Available at: <http://www.amazon.com> [accessed 23 December 2014].

[12] Gouda, M. and Liu, A., 2007. Structured firewall design, International Journal of Computer and Telecommunications Networking, Vol. 51, Issue 4, pp. 1106-1120.

[13] Beigh, B. and Peer, A., 2012. Intrusion Detection and Prevention System: Classification and Quick Review, ARPN Journal of Science and Technology, Vol. 2, No. 7, pp. 661-675.

[14] Conklin, W. A. and White, G., 2010. Principles of Computer Security: CompTIA Security+ and Beyond. 3rd ed. [e-book] McGraw-Hill/Osborne Media. Available at: <http://www.amazon.com> [accessed 01 December 2014].

[15] Shucheng, Y. et al., 2010. Achieving secure, scalable, and fine-grained data access control in cloud computing, IEEE Conference on Computer Communications, San Diego, CA, March 15-19 2010, pp. 1-9. Available at: <http://www.ieeexplore.com> [accessed 07 December 2014].

[16] Huu, T. et al., 2005. A trust based access control framework for P2P file-sharing systems, Proceedings of the 38th Annual Hawaii International Conference on System Sciences, Hawaii, US, January 3-6 2005, pp. 1-10. Available at: <http://www.ieeexplore.com> [accessed 16 December 2014].

This paper may be cited as:

Chellappan, K., Mustafa, A. S., Mohammed, M. J., and Thajeel, A. M., 2015. Layered Defense Approach: Towards Total Network Security.

International Journal of Computer Science and Business Informatics, Vol.
