2012 Fourth International Conference on Computational and Information Sciences

Research on Defense in-depth Model of Information Network Confrontation

Shengjian Liu, Ping Zhang, Huyuan Sun

Department of Teaching and Research, PLA Border Defense Academy, Xi'an, 710108, P.R. China

xllsj@hotmail.com, xianzhangp@sohu.com, syh6171@sohu.com

Abstract—According to the specific demands of constructing an information network confrontation defense system, this paper proposes a new network defense in-depth model, APR-WPDRRC, based on a closed-loop control mechanism. Because the model integrates a variety of new defense in-depth technologies, it achieves cooperative linkage and closed-loop control of quick pre-warning, active protection, dynamic detection, real-time response, disaster recovery and precise counterattack. The model shows good agility and adaptability, intrusion tolerance and strong survivability, especially when subjected to large-scale, distributed, rapidly changing network attacks.

Keywords: network confrontation; defense in-depth; defense model; closed-loop control

978-0-7695-4789-3/12 $26.00 © 2012 IEEE
DOI 10.1109/ICCIS.2012.239

I. INTRODUCTION

Network confrontation is the main form of information confrontation. In the face of large-scale, distributed, rapidly changing network attacks, the mainstream network defense models have been severely challenged in recent years. Constructing a defense model for an information network confrontation system that is proactive, adaptable, attack-resistant and highly survivable has become a new task.

The means of network security defense have evolved from the early passive defenses, such as the hardware firewall (HFW), through active defenses such as the intrusion detection system (IDS), to today's more intelligent defenses, such as the intrusion prevention system (IPS) and the cloud firewall (CFW). These means combine security products and technologies by deploying individual products at key points of an isolated network. They can readily discover and effectively block known attacks on a small scale, but under mass attack, lacking a unified defense, they cannot respond to unknown new attacks; this both raises the cost of installing security products and makes later management harder. Faced with a variety of unknown attacks and massive threats, the traditional "fill the gaps and patch" style of security defense has been called into question. Multilayer defense in-depth has therefore emerged as the core security defense strategy of network confrontation.

II. DEFENSE IN-DEPTH STRATEGY OF INFORMATION NETWORK CONFRONTATION

The history of military confrontation teaches that one can never rely on a single line of defense. A sound network security strategy assumes that every component of the network system contains unknown vulnerabilities that an attacker will use. No network defense technique can be absolutely safe, and no single technical means can be relied on to fight network attackers. To balance risk reduction against the cost of security, a multilayer defense in-depth strategy sets up several barrier layers between the attacker and the network confrontation system. When an attacker tries to break into the system he must pass through several defense layers, each of which complements the others: when one layer is breached, the remaining layers still protect the network, so every layer reduces the probability of a successful attack.

Because the network carries sensitive information, establishing a multilayer defense in-depth strategy is particularly important. Implementing it means not only providing full protection in breadth, across the network architecture, operating systems, application systems and database systems, but also integrating intrusion tolerance technology and strengthening active defense in depth, from the desktop PC through the network boundary and the internal network to the core servers. This not only raises the difficulty for intruders but also allows the defense strategy to be improved continuously during the attack-and-defense process; even if one layer's protective mechanism is damaged, the deeper configuration of security products can be exploited quickly to maintain all-round defense to the greatest possible extent. Constructing a multilayer information network defense in-depth strategy must be designed carefully from three aspects, active protection, real-time detection and intrusion tolerance, as shown in Fig. 1.

Figure 1. Network Defense in-depth Strategy (diagram: multiple attack sources facing Layer 1 ... Layer m ... Layer n; the layers are built from active protection, real-time detection and intrusion tolerance).

A. Active Protection

As information network systems become more and more complex, attack methods keep pace with the times and constantly change form. Network security products therefore cannot be expected to find every vulnerability and every external attack. Even a product launched with comprehensive defense functions and services will, with the passage of time and the development of attack technology, face unknown new attacks that it does not repel and that penetrate its protective layer.

B. Real-time Detection

Since even a multilayer defense does not exclude the possibility of being overcome, a variety of real-time detection techniques must be used to deal with attacks that were not repelled. However, current network intrusion detection products usually detect only previously known attacks and, in routine operation, suffer from high rates of missed detection and false alarms among other technical defects. A network defense system may always face a new attack that is unpredictable to its detection system.

C. Intrusion Tolerance

Intrusion tolerance technology integrates immune theory, threshold cryptography, data recovery and related techniques as a whole. It adopts trusted computing, trusted networks, fault-tolerant protocols and other components, uses data redundancy, recovery strategies and intrusion shielding, and is designed jointly with all other defense subsystems. It abandons the assumption that the IDS detects every attack successfully. It maximizes the network system's tolerance of intrusions and gives it self-healing and strong survival ability: even under strong attack the network keeps operating normally, continues to provide service, and reaches a safe final state.

III. MULTILAYER LINEAR DEFENSE-IN-DEPTH MODEL OF INFORMATION NETWORK CONFRONTATION

Currently, the traditional way of constructing a network security environment is essentially a combination of typical security equipment and technologies. On the basis of the defense-in-depth strategy, the information network security system can be divided into a number of security domains, such as the secret layer, core layer, security layer, basic security layer, trusted security layer, non-security layer and dangerous layer.

According to the defense target of each level, we can analyze the information categories of each security domain, evaluate its possible attack level, configure the corresponding defense mechanism and adopt the corresponding defense technology, and so build a linear defense-in-depth structure for the information network, as shown in Fig. 2. It performs line-speed analysis, full-domain monitoring, access verification, abnormal behavior monitoring and blocking of illegal intrusion at protocol layers 1 to 7 of the network nodes, for both implementation and service conditions. From the defender's point of view, defensive capability grows layer by layer from the inside out; from the attacker's point of view, attack capability diminishes layer by layer from the outside in. Thus a multilayer linear defense model is formed. Facing a growing number of attack sources, it not only acknowledges that security risk exists but also aims for the ideal result that each defense layer reduces the attack opportunities as much as possible, so that the probability of crossing the last layer is almost zero.

Figure 2. Network defense in depth of linear hierarchy (diagram: multiple attack sources face, from the outside in, the following layers in front of the core network):
L0 - Safety protection: hardware firewalls, cloud firewall, anti-virus gateways, VPN, UTM
L1 - Security mechanism: authentication based on BPDU Guard, PVLAN, MPLS
L2 - Access control: access control based on ACL, Honeynet, IPSec
L3 - State detection: DDoS protection based on state detection
L4 - Relation analysis: correlation analysis based on feature matching
L5 - Behavior identification: behavior identification based on content analysis
L6 - Threat identification: threat identification based on expert system
L7 - Application identification: application identification based on behavior

In fact, in order to form different levels of security defense solutions, we can choose different security products when applying multilayer defense technology in practice. In the information network defense-in-depth architecture, the first layer of defense is usually built from a combination of hardware security products, such as HFW, CFW, anti-virus gateways, VPN, multicore FPGA-based devices and the UTM (Unified Threat Management) platform, which integrates HFW, IDS, IPS and anti-virus gateway functions; a security authentication service mechanism based on BPDU Guard, PVLAN and MPLS forms a second layer; a safe access control method based on ACL, Honeynet and IPSec forms a third layer; thereafter, isolation based on state detection, correlation identification based on flow analysis, behavior identification based on content analysis, threat recognition based on expert systems, application identification based on behavior models and so on form, in turn, a fourth, a fifth and further layers of defense as the technology develops.
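Section III's claim that the probability of crossing the last layer is almost zero holds only if the layers fail independently. The Python example below, added here and not part of the paper, computes the compound breach probability of the linear multilayer model, adds a simple common-cause term for correlated failures (a vulnerability shared by every product, or a stolen administrator credential that bypasses every layer at once), and derives how many layers of a given strength are needed to meet a target. The per-layer bypass probabilities attached to the Fig. 2 layer names are assumed illustrative numbers, not measurements.

```python
"""
Compound breach probability of a linear multilayer defense.
Added example, not code from the paper; every per-layer number is an assumption.
"""
import math


def breach_probability(bypass_probs, common_cause=0.0):
    """Probability that an attacker crosses every layer.

    bypass_probs : P(layer i is bypassed), one entry per layer, treated as
                   independent events (the paper's implicit assumption).
    common_cause : probability of one failure that defeats all layers at
                   once, e.g. a vulnerability shared by every product or a
                   stolen administrator credential. The simplest correlated
                   model: P = c + (1 - c) * prod(p_i).
    """
    probs = list(bypass_probs)
    for p in probs + [common_cause]:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
    return common_cause + (1.0 - common_cause) * math.prod(probs)


def layers_needed(per_layer, target, common_cause=0.0):
    """Smallest number of identical layers, each bypassed with probability
    per_layer, that brings the compound breach probability to <= target.
    Returns None when common_cause alone already exceeds the target: adding
    layers cannot fix a correlated failure."""
    if not 0.0 < per_layer < 1.0 or not 0.0 < target < 1.0:
        raise ValueError("per_layer and target must lie strictly in (0, 1)")
    if common_cause >= target:
        return None
    residual = (target - common_cause) / (1.0 - common_cause)
    # the epsilon guards against 2.9999999 -> 3 rounding of exact powers
    return max(1, math.ceil(math.log(residual) / math.log(per_layer) - 1e-12))


def weakest_layers(named_probs):
    """Layers ordered from most to least bypassable: where to invest next."""
    return sorted(named_probs.items(), key=lambda kv: kv[1], reverse=True)


# Assumed bypass probabilities for the eight layers of the paper's Fig. 2
# (illustrative numbers only, not measured values).
ASSUMED_LAYERS = {
    "L0 safety protection (HFW/CFW/UTM)": 0.30,
    "L1 security mechanism (BPDU Guard/PVLAN/MPLS)": 0.40,
    "L2 access control (ACL/Honeynet/IPSec)": 0.25,
    "L3 state detection": 0.50,
    "L4 relation analysis": 0.60,
    "L5 behavior identification": 0.50,
    "L6 threat identification": 0.60,
    "L7 application identification": 0.70,
}


def report(common_cause=0.05):
    """Compare the independent estimate with the common-cause estimate for
    the assumed layers; the share shows how much the correlated term dominates."""
    independent = breach_probability(ASSUMED_LAYERS.values())
    correlated = breach_probability(ASSUMED_LAYERS.values(), common_cause)
    return {
        "independent": independent,
        "with_common_cause": correlated,
        "common_cause_share": common_cause / correlated,
        "weakest": weakest_layers(ASSUMED_LAYERS)[0][0],
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With the assumed numbers the eight independent layers multiply out to roughly 1.9e-3, but a 5% common-cause probability raises the total to about 5.2e-2, of which over 95% comes from the correlated term: the linear model's "almost zero" depends on the layers not sharing products, credentials or management planes.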

Indeed, the architecture integrates the key defense technologies of active protection, real-time detection and intrusion tolerance into a multilayer linear defense-in-depth model of information network confrontation. First, it provides strong protective means that prevent illegal intrusion and malware attacks on the information network. Second, when an attack is not guarded against effectively, it provides dynamic detection means that enable real-time response to the intrusion. Finally, when the information network is hit by new attack threats, it achieves recognition, monitoring, real-time tracking and covert deception of the intrusion behavior, so as to keep the information network system running safely.

IV. NETWORK DEFENSE IN-DEPTH MODEL BASED ON CLOSED-LOOP CONTROL

In recent years, with the development of network security technology, the field has proposed a succession of network defense models, with the P-PDR model as the mainstream representative. P-PDR is implemented as a linear hierarchy of three means, Protection (P), Detection (D) and Response (R), under the guidance of a security Policy (P).

Although the model achieves dynamic defense through the D and R means, it can neither give early warning before an attack, nor raise a real-time alarm during it, nor recover the system quickly afterwards so as to form a rapid counterattack capability with a valid network counterattack plan. Therefore, although P-PDR offers a degree of defense, it lacks strong counterattack capability in the face of large-scale, distributed, rapidly changing network attacks; it can neither defend against new network security threats nor, in particular, effectively enhance the network system's immunity.

In view of these defects of existing network defense models, and according to the construction needs of information network confrontation, we use the multilayer linear defense-in-depth strategy to propose APR-WPDRRC, an information network defense model based on closed-loop control, as shown in Fig. 3.

It mainly includes three aspects (APR): risk Analysis (A), security Policy (P) and technical equipment Resources (R). Network security risk analysis (A) is the primary link: through risk analysis, risk assessment and risk control mechanisms it anticipates the security risk of the network system and so provides the basis for deciding the security strategy. The security defense Policy (P) guides the defense means so that they are carried out effectively; it plays the guiding role in the network security defense system and is the core of the whole model. Technical equipment Resources (R) comprise the strength, equipment and technology of the network defense; the main force of network defense comes from new network confrontation equipment and from network confrontation soldiers who master the network technology.

The WPDRRC part comprises six techniques: W (intrusion pre-Warning), P (safety Protection), D (dynamic Detection), R (real-time Response), R (disaster Recovery) and C (quick Counterattack). It incorporates the linear defense-in-depth technology of PDR, adds Warning before PDR and Recovery and Counterattack after it, so that the defense system has strong sequencing, controllability and collaboration.

Figure 3. APR-WPDRRC model based on closed-loop control (diagram: an outer hexagon of the six WPDRRC means, intrusion pre-warning, safety protection, dynamic detection, real-time response, disaster recovery and quick counterattack, around an inner hexagonal core of risk analysis, security policy and technical resources).

The WPDRRC highlights three phases: W and P apply before an attack occurs, D and R while it occurs, and R and C after it. While strengthening security, it stresses forming a fast reaction capability for a network system under attack; while improving disaster recovery capability, it stresses the counterattack ability of a network system that has been captured; and while relying on a feedback mechanism based on closed-loop control, it stresses raising the dynamic defense capability. Therefore, by applying the six WPDRRC techniques in sequence under a closed-loop control mechanism, a defense-in-depth model of information network confrontation is established. It realizes active defense with WPD and consolidating defense with RRC. The comprehensive application of the six technical means is described as follows:

Intrusion pre-warning (W) reacts quickly according to the system security strategy, with alarms, tracking, blocking and isolation, through an effective early-warning mechanism that fires when a network violation pattern or an unauthorized access attempt occurs. At present a variety of intrusion warning systems are in use, based on process reasoning, on proxy firewalls, or on joining an IDS with a firewall. When network attacks occur, the IDS can give more effective intrusion pre-warning.

Security protection (P), dynamic detection (D) and real-time response (R) bring the linear hierarchy defense technology into the defense-in-depth model. They prepare the emergency response plan so that the network system can be returned to a safe state once an intrusion attack is detected.

Disaster recovery (R) quickly restores the survivability of the attacked network system, using techniques such as disaster assessment, security recovery, patching vulnerabilities and rebuilding the system.

Quick counterattack (C) uses a variety of techniques, such as network wing plane, alarms, evidence collection, attack source tracing and attack deception, to organize forces quickly, track fast and pinpoint the source of the attack.
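The six means above form one loop: a detection alert raises a pre-warning, the security policy decides whether to warn or block, recovery lifts the block after remediation, and the evidence collected along the way feeds source tracing and the next round of risk analysis. The Python example below, added here and not from the paper, implements that loop over constructed IDS alert lines in Snort's "fast" alert format and emits block rules in iptables syntax; the policy thresholds, the allowlisted scanner address and the sample alerts are assumptions for illustration.

```python
"""
Closed-loop IDS-to-firewall linkage: the W -> P/D/R -> R/C sequence of the
APR-WPDRRC model in runnable form. Added example, not code from the paper.
Alert lines are constructed in Snort "fast" alert format; the thresholds,
the allowlisted scanner and the iptables rule output are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Snort fast format: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {proto} src[:port] -> dst[:port]   (ports absent for ICMP)
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s*\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)


@dataclass
class Policy:
    """Security policy (the P of APR): what the loop may do on its own."""
    warn_priority: int = 3      # priority <= this raises a pre-warning (W)
    block_priority: int = 1     # priority <= this blocks on first sight (P/R)
    repeat_threshold: int = 3   # this many warnings from one source -> block
    allowlist: frozenset = frozenset({"192.168.1.250"})  # assumed internal scanner


@dataclass
class Controller:
    policy: Policy
    warnings: dict = field(default_factory=lambda: defaultdict(int))
    blocked: set = field(default_factory=set)
    evidence: dict = field(default_factory=lambda: defaultdict(list))  # for C: tracing

    def handle(self, line):
        """Run one alert through the loop; returns (action, source)."""
        m = ALERT_RE.search(line)
        if not m:
            return ("unparsed", None)
        src, prio = m["src"], int(m["prio"])
        # evidence is kept for every source, allowlisted or not (C: tracing)
        self.evidence[src].append((m["sid"], m["msg"], m["dst"], m["dport"]))
        if src in self.policy.allowlist:
            return ("allowlisted", src)
        if src in self.blocked:
            return ("already-blocked", src)
        if prio <= self.policy.block_priority:
            self.blocked.add(src)
            return ("block", src)
        if prio <= self.policy.warn_priority:
            self.warnings[src] += 1
            if self.warnings[src] >= self.policy.repeat_threshold:
                self.blocked.add(src)
                return ("block", src)
            return ("warn", src)
        return ("ignore", src)

    def firewall_rules(self):
        """Block rules in iptables syntax, one per blocked source."""
        return [f"-A INPUT -s {src} -j DROP" for src in sorted(self.blocked)]

    def recover(self, src):
        """Disaster recovery (R): lift the block once the source is remediated,
        reset its warning counter, but keep the evidence for tracing."""
        self.blocked.discard(src)
        self.warnings.pop(src, None)


SAMPLE_ALERTS = [  # constructed sample alerts, not captured traffic
    "01/01-12:00:01.000000  [**] [1:1000001:1] TEST SSH brute-force attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 2] {TCP} 10.0.0.5:49152 -> 192.168.1.10:22",
    "01/01-12:00:02.000000  [**] [1:1000001:1] TEST SSH brute-force attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 2] {TCP} 10.0.0.5:49153 -> 192.168.1.10:22",
    "01/01-12:00:03.000000  [**] [1:1000001:1] TEST SSH brute-force attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 2] {TCP} 10.0.0.5:49154 -> 192.168.1.10:22",
    "01/01-12:00:04.000000  [**] [1:1000002:1] TEST remote root shell [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.7:40000 -> 192.168.1.20:4444",
    "01/01-12:00:05.000000  [**] [1:1000003:1] TEST ICMP ping sweep [**] [Classification: Misc activity] [Priority: 4] {ICMP} 10.0.0.9 -> 192.168.1.30",
    "01/01-12:00:06.000000  [**] [1:1000002:1] TEST remote root shell [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.250:5000 -> 192.168.1.20:4444",
    "01/01-12:00:07.000000  [**] [1:1000001:1] TEST SSH brute-force attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 2] {TCP} 10.0.0.5:49155 -> 192.168.1.10:22",
    "this line is not an alert",
]


def run(lines, policy=None):
    """Feed alert lines through one controller; returns (actions, controller)."""
    ctl = Controller(policy or Policy())
    return [ctl.handle(line) for line in lines], ctl


if __name__ == "__main__":
    actions, ctl = run(SAMPLE_ALERTS)
    for action in actions:
        print(action)
    print(ctl.firewall_rules())
```

The allowlist check comes before the block logic so that an internal scanner can never be locked out by its own findings, and evidence is recorded before any decision so that source tracing still has the full history after a block is lifted.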

In the APR-WPDRRC model, the outer layer is a concentric hexagon whose vertices are linked in turn to the six technical means of WPDRRC, and the inner layer is a hexagonal core made up of APR. Among these, risk analysis (A) is the basis, security policy (P) the core and technical resources (R) the guarantee. APR works in close cooperation and WPDRRC in organic linkage, so as to turn the desired security policy into actual safety.

V. CONCLUSION

Simulation tests of information network confrontation show that the APR-WPDRRC defense-in-depth model based on closed-loop control has good adaptability, flexibility and strong survivability in the confrontation of large-scale, distributed, rapidly changing network attacks; it can not only defend effectively against a variety of known network attacks but also take the initiative against new, unknown intrusion attacks, which has theoretical and practical significance for the establishment of a comprehensive information network system. From an overall perspective, further research needs to keep improving the integrated functions and to bring many new technologies into the model, such as network deception based on Honeynets, dynamic detection based on immune principles and collaborative linkage based on grid technology. To establish a multi-level defense-in-depth information network system, we must keep tracking network warfare technology and build a multi-level, multi-means security system with strong capabilities, such as combining peacetime and wartime operation, integrating technology and management into a whole, and providing full functionality. With the rapid spread of cloud security, a new defense-in-depth model of information network systems based on cloud computing is certainly the future development trend and will gradually become the mainstream technology.

