Executive For A Domestic Internet Service Provider


02 Nov 2017


A network is one of the most important basic resources a large institution needs to have. Today, a network plays a very important role in every organization. With wide geographic distribution, managing the security of a network becomes very complex, especially from the viewpoint of an ISP. ISPs are inherently more vulnerable because they have to offer a multitude of public services, both for their customers and on behalf of them.

Network and security management needs to be carried out taking into consideration the lack of bandwidth and the availability of computing resources at the nodes. Security management now plays a larger role as all communication is over the insecure Internet.

In this paper, the various issues involved in developing a Security Management System for a low bandwidth network are discussed. Then, a solution implemented on the basis of open standards for a national ISP focused on rural areas is presented.

1. Introduction

1.1 Security Management:

Security Management involves protecting the network from all types of unauthorized access. This includes many sub-functions like gathering and distributing security-related information, pro-actively detecting and preventing intrusions, etc. This assumes even greater significance with the rapid growth of the Internet.

1.2 n-Logue:

n-Logue is an unusual operator in that its focus is on providing affordable voice plus Internet access in villages and small towns throughout India. As such, it has a far-flung network and must keep costs to a minimum. Network security management is essential and the bandwidth consumed by monitoring traffic must be kept very low.

There is very little bandwidth available to us. There is no backbone management network and all communication is over the insecure public Internet. All nodes are already running services and the management overhead should not be too high.

Any system developed should easily integrate with the Network Management System already being used.

Overview:

In section 2, we'll take an in-depth look into how the n-Logue network is organized and what kind of security management we actually need. We'll follow this up with Architecture, Design and Implementation in sections 3 and 4, and conclude with a discussion on some performance parameters in section 5.

2. Background

2.1 n-Logue network:

The network consists of a national data center and Local Service Providers (LSP) distributed over India. The national data center is connected to the Internet with a 256kbps link and the LSPs have either a 64kbps or a 128kbps link based on the number of subscribers.

Figure 1. Topology of n-Logue network

Currently, n-Logue has around 25 LSPs and this is expected to grow to 100's shortly. Each LSP in n-Logue has the following elements to provide voice and Internet services: a corDECT WiLL system, Minnow servers, a router and a leased line.

Distributed management is needed to keep costs low and because the network is spread very wide. It is not economical to send someone over to an LSP to fix problems regularly.

2.2 Security Management:

Security Management covers the following aspects:

Intrusion Detection (Network and Host)

Configuration Management of remote nodes

Analysis of data collected at the remote nodes

Taking action based on analysed data (delayed)

Real-time response to certain types of intrusions

A lot of research is currently going on in the area of Intrusion Detection. But most available products, both open-source and commercial, do not handle Distributed Intrusion Detection very well. The type and amount of data to be shared between multiple sensors has never been clear. In this regard, there are IETF drafts that try to set a standard on what types of messages need to be exchanged and the format of those messages.

Reliable Network Intrusion Detection Systems do exist which can operate at the gateway. The best open-source system is Snort. Extensive documentation exists for this tool and therefore it can be used as a base for developing the Intrusion Detection part of the distributed system.

A lot of research has been going on in the field of remote configuration management of computer systems. One of the major systems being developed is cfengine (a system configuration engine for UNIX systems).

3. Design

Each LSP has two servers already being used to provide all the services to the subscribers: the Master Internet Server (MIS) and the Redundant Internet Server (RIS). Our Network Intrusion Detection System (NIDS) and the configuration management system will be running on these servers.

Figure 2. LSP organization

The various services provided by RIS and MIS are:

Proxy for WWW access

email

DNS

Web hosting

All other connections to the Internet are provided through Network Address Translation (NAT).

We need to protect these servers against attacks from the Internet and from the subscriber network.

4. Design and Implementation

4.1 Network Intrusion Detection System:

The NIDS chosen is Snort. Snort is a high performance, lightweight, highly customizable open source NIDS. It supports a wide range of reporting formats, which will be really useful in our case.

4.1.1 Customizing the NIDS:

Snort normally has thousands of rules. Having everything enabled will drastically increase resource requirements on the RIS/MIS servers. Therefore, the rules will have to be tuned to only include what we actually need. Tuning the rules also helps in bringing down the number of false positives.

4.1.2 Reporting format:

For standards compliance and easy integration with any upper level NMS, the default format has to be the Intrusion Detection Message Exchange Format (IDMEF), which is an IETF draft. For real-time reporting, however, SNMP traps are much better.

4.1.3 Attack Classification:

We should also look for only certain types of attacks and classify them according to severity. Then, based on this severity, we can decide whether we want to take any immediate automated action.

Attacks are classified as:

a. Denial of Service (DoS) attacks, either directed at our servers or directed at some server on the Internet from within our network.

b. Worm traffic. This is a major problem faced by every ISP; it clogs up all available bandwidth.

c. Policy violations.

d. Targeted attacks on LSP servers.

4.2 Configuration Management System:

A lot of research has been going on in the field of remote configuration management of computer systems. One of the major systems being developed is cfengine (a system configuration engine for UNIX systems).

Figure 3. cfengine integration

The system consists of one central server running a cfengine daemon (cfservd) and all the managed nodes running a cfengine agent (cfagent).

cfagent on each remote machine has minimal configuration done just to enable communication with the cfservd on the central server. All host specific configuration is done at the centralized location and then the agents import the proper configuration information from the server.

Extensions can be easily written for cfengine, and an extension has been written that will enable cfengine to monitor Snort logs and take any action if necessary.

Cfengine also has host intrusion detection. It can monitor files for changes and restore any changed files from backup copies. The basic cfengine based system that has been implemented is shown in Figure 3.
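As an added illustration (not code from the paper or from n-Logue) of the node-side logic that the classification in section 4.1.3 and the cfengine extension above call for: a Python triage routine that parses Snort fast-format alert lines, maps them to the attack classes, and lets severity decide between immediate local action and inclusion in the periodic summary sent to the Data Center. The classification-to-severity mapping, the alert line layout and the sample lines are all assumptions constructed for this example.

```python
import re
from collections import Counter

# Snort "alert_fast" line layout (assumed from Snort's standard output format).
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]+)\])?\s+\[Priority:\s+(?P<prio>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)

# Local policy (an assumption, not from the paper): map Snort classification text
# to the attack classes of section 4.1.3 and to a severity that drives the response.
CATEGORY_RULES = [
    ("denial of service", "dos", "high"),
    ("trojan", "worm", "high"),
    ("privacy violation", "policy-violation", "low"),
]

def classify(line):
    """Parse one alert line; return its class, severity and the node-side action."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    cls = (m.group("cls") or "").lower()
    category, severity = "targeted", "medium"  # default: attack on the LSP servers
    for needle, cat, sev in CATEGORY_RULES:
        if needle in cls:
            category, severity = cat, sev
            break
    # High severity: act at the node right away (e.g. a filter pushed by cfengine);
    # anything else is only counted and shipped in the periodic report.
    action = "local-block" if severity == "high" else "report-only"
    return {"sid": m.group("sid"), "msg": m.group("msg"), "category": category,
            "severity": severity, "action": action, "src": m.group("src"), "dst": m.group("dst")}

def summarize(lines):
    """Per-(category, severity) counts: all that leaves the node (bandwidth saving, section 5.1)."""
    counts = Counter()
    for line in lines:
        alert = classify(line)
        if alert:
            counts[(alert["category"], alert["severity"])] += 1
    return dict(counts)

# Constructed sample alert lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE = """
11/02-10:15:22.123456  [**] [1:1000001:1] Possible teardrop attack [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 198.51.100.7:53 -> 192.0.2.10:53
11/02-10:15:23.000001  [**] [1:1000002:1] Worm propagation attempt [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.77:4444 -> 203.0.113.5:445
11/02-10:15:24.000002  [**] [1:1000003:1] P2P client traffic [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP} 192.0.2.80:6881 -> 203.0.113.9:6881
11/02-10:15:25.000003  [**] [1:1000004:1] Web server probe [**] [Priority: 2] {TCP} 198.51.100.9:40000 -> 192.0.2.10:80
""".strip().splitlines()
```

Only the output of summarize() needs to cross the 64kbps link; the per-alert decisions stay at the LSP.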

4.3 Integration with a higher level Network Management System

A standardised mechanism is needed for this. We need to be able to easily use/integrate the security management system with any higher level NMS, and to use a standard NMS to monitor and control the security management system.

To monitor the security management system, we need to use standard reporting formats for both statistical data and real-time updates. IDMEF is an XML-based reporting mechanism recommended by the Internet Engineering Task Force (IETF), and this suits us best for transferring statistical information.
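An added example (not from the paper) of the kind of IDMEF statistical report an LSP node could send upstream: it wraps per-class alert counts into a single IDMEF-Message with Python's standard XML library and reads it back the way an NMS would. The element layout of the published IDMEF specification (RFC 4765) is assumed; the node id, counts and timestamp are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespace and element layout follow the IDMEF specification (RFC 4765, the
# published form of the IETF draft); analyzer ids and counts are constructed.
NS = "http://iana.org/idmef"
ET.register_namespace("idmef", NS)

def _el(parent, tag, content=None, **attrs):
    """Create a namespaced child element with optional text content and attributes."""
    e = ET.SubElement(parent, f"{{{NS}}}{tag}", attrs)
    if content is not None:
        e.text = str(content)
    return e

def build_report(analyzer_id, created, summary):
    """One Alert per (category, severity) bucket, all in a single IDMEF-Message.
    summary maps (category, severity) -> count, as tallied at an LSP node."""
    root = ET.Element(f"{{{NS}}}IDMEF-Message", {"version": "1.0"})
    ntp = int(created.timestamp()) + 2208988800  # seconds since the NTP epoch (1900)
    for n, ((category, severity), count) in enumerate(sorted(summary.items()), 1):
        alert = _el(root, "Alert", messageid=f"{analyzer_id}-{n}")
        _el(alert, "Analyzer", analyzerid=analyzer_id)
        _el(alert, "CreateTime", created.isoformat(), ntpstamp=f"0x{ntp:08x}.0x00000000")
        _el(alert, "Classification", text=f"{category} (aggregated)")
        # Impact.severity is the field an NMS would key on; type uses RFC 4765's enum.
        impact_type = "dos" if category == "dos" else "other"
        _el(_el(alert, "Assessment"), "Impact", severity=severity, type=impact_type)
        # AdditionalData of type integer carries how many alerts the bucket stands for.
        ad = _el(alert, "AdditionalData", type="integer", meaning="alert-count")
        _el(ad, "integer", count)
    return ET.tostring(root, encoding="unicode")

def parse_report(xml_text):
    """NMS side: read the report back as {classification text: (severity, count)}."""
    out = {}
    for alert in ET.fromstring(xml_text).findall(f"{{{NS}}}Alert"):
        cls = alert.find(f"{{{NS}}}Classification").get("text")
        sev = alert.find(f"{{{NS}}}Assessment/{{{NS}}}Impact").get("severity")
        count = int(alert.find(f"{{{NS}}}AdditionalData/{{{NS}}}integer").text)
        out[cls] = (sev, count)
    return out

# Constructed tally for one LSP node over a reporting interval (hypothetical node id).
SAMPLE_SUMMARY = {("dos", "high"): 3, ("worm", "high"): 12, ("policy-violation", "low"): 40}

def sample_report():
    """Build the report for the constructed tally at a fixed, constructed time."""
    when = datetime(2017, 11, 2, 12, 0, tzinfo=timezone.utc)
    return build_report("lsp-node-01", when, SAMPLE_SUMMARY)
```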

For real-time alerts, we've decided to use SNMP traps. This is supported by all NMSs being used today.

For secure control of the system, cfengine by itself provides a remote command execution mechanism that uses SSL. An interface has been implemented to allow a higher level NMS to use this.

5. Performance Parameters

The performance factors that will affect this system the most are:

5.1 Bandwidth used:

We have only around 64kbps available at each node and 256kbps at the Data Center (DC). At the DC, we will have to manage 100's of nodes.

Most of the bandwidth savings are obtained by writing cfengine extensions to take decisions for automated actions at the nodes instead of sending real-time reports to the DC.

5.2 Latency:

We need to minimize the time taken for any control action to take place. It could either be automated or operator assisted. In the case of operator assisted actions, we need to provide an interface to make the operator's job easier.

5.3 Load on the servers at the LSP:

The servers at the LSP are already providing various services to the customers. Any management system is an add-on that must not consume too much of the available resources.

The way host based intrusion detection is performed, the rules on the NIDS, the reporting mechanism, etc. play a role in how good the developed system is.

6. Performance Evaluation

Performance was evaluated with a 100 node simulator. Bandwidth and CPU utilization at the Data Center were measured using actual traffic collected in the n-Logue network.

Some results showing bandwidth and CPU requirements at the Data Center are presented along with a comparison between the proposed architecture and the normal centralized approach.

Number of   CPU (%)                   Bandwidth (bps)
Nodes       Central   Distributed     Central   Distributed
20          8         3.8             2735.8    550.4
30          13        7.5             4210.3    840.6
40          25        12              5503.2    1100.2
50          35        16.3            6950.9    1387.9
100         85        40.5            14200.8   2850.7

Table 1. Comparison of Centralized and Distributed Security Management

7. Conclusion

We've shown the basic design and architecture of a Security Management System that can work on low bandwidth networks. Most of the challenges have been met. As shown in Table 1, considerable improvements in both CPU utilization and bandwidth utilization are obtained.

The system is based completely on standards and uses open source components wherever possible. This helps us to drive down costs and makes it easy to customize the various components involved.


