Post on 21-Dec-2015
CS 552 – Senior Design Project
Greg Morton, Oliver Gould, Scott Dryer
Allen Laquindanum, Dustin Long, Lucas Vickers
Gossip: Network Security Agent
Mark Loeser, Haifan Lu, Ken Henriques
Jon Voris
System Architecture
Agenda
- Project Summary
- Non-Functional Requirements
- System Architecture
- Process View
- Logical View
- Physical View
- Development View
- Coupling and Cohesion
- Project Management
- Use Case Scenarios
- Test Plan Summary
- Installation Process
- Current Project Status
- ICED-T/QFD
Project Summary
- System administration tool to aid in the distribution of firewall policy based on a trust-based network of peers
- Firewall policy can be applied locally
- Trust and suspicion of a given suspected address
- No need for any detection or policing locally
- Can be built with extensions to interface with platform-specific firewall modules and administrator-chosen network detection systems
Project Summary (cont.)
An average user, running Gossip on his or her Linux machine with a network of 20 peers, would reduce the number of alerts they must address by 26%.
Gossip MOV
Non-Functional Requirements
- All errors will be logged and all non-fatal errors recovered from.
- In the event that the agent module crashes, other modules will stop their current tasks and exit cleanly.
- The enforcement component will not affect the firewall rules in the event that it crashes.
Non-Functional Requirements (cont.)
- The system will be written in a component-oriented manner to allow for extensibility.
- Modules that will be directly accepting input from the network, the P2P and detection system modules, will operate in a chroot jailed environment in order to improve system security in the situation that one of them is compromised.
System Architecture
Process View #1
System Architecture (cont.)
Process View #2
System Architecture (cont.)
Logical View
System Architecture (cont.)
Physical View
System Architecture (cont.)
Development View
Component Technologies Used

| Component | Technologies Used |
| --- | --- |
| Agent | C, Bison, Flex |
| Detection System | C++, IDMEF, XML |
| Firewall | C++, IPTables |
| Peer-to-Peer | C++, OpenSSL |
| All Modules | Sockets, Syslog |
Coupling and Cohesion
- Inter-Process Communication protocol enforces low coupling
- Agent is the least cohesive module
- Otherwise, highly cohesive.
System Architecture (cont.)
Project Management
Use gna.org open source project hosting service, which supplies us with:
- Mailing List Management
- Task Manager
- Bug Tracker
- Version/Document Control
- Web Space for File Distribution
Use Cases
- I notice that my gossipers are updating too often, causing too much network traffic. I change the timer update interval and signal my gossipers to reconfigure.
- I have set up a new machine and installed Gossip on it. Now I would like to add it to my list of trusted friends on all of my gossipers.
- A new vulnerability is disclosed which makes previously benign traffic very dangerous instead. I update my detection system, and from then on my gossipers should block foreign machines sending such traffic.
Use Cases (cont.)
- Someone tries to brute force guess a password on my machine. After my detection system collects enough failed password attempts, it causes my gossiper to block the offending foreign machine.
- One of my friends (B) says that a foreign machine (M) has a very high suspicion. My other friend (C) says that M has a low suspicion. Both B and C have perfect assurance. I give M some score at or above B's suspicion.
- A list of my friends all say that some foreign machine (M) attacked them. Since combined this shows that M is malicious, we all block M.
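The brute-force use case and the two peer-suspicion use cases above can be tied together in a small scoring model. The following is an added illustration, not code from the Gossip project: it counts failed password attempts in constructed syslog-style sshd lines (the detection-system role), turns the count into a local suspicion, and combines that with assurance-weighted reports from peers. The log format, the thresholds (three failures, block at 0.8), the peer names B/C/D and the noisy-OR combination rule are all assumptions chosen so that the two stated rules hold: the result is never below the strongest fully-assured report, and several moderate reports from different friends add up to a block.

```python
"""Suspicion scoring for a Gossip-style agent (added illustration, not project code)."""
import re
from collections import Counter

# Constructed syslog-style sshd lines; not captured from any real host.
SAMPLE_LOG = """\
Feb  7 10:01:02 host sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Feb  7 10:01:05 host sshd[1001]: Failed password for root from 198.51.100.7 port 51236 ssh2
Feb  7 10:01:09 host sshd[1002]: Failed password for root from 198.51.100.7 port 51240 ssh2
Feb  7 10:02:00 host sshd[1003]: Accepted publickey for alice from 203.0.113.9 port 40001 ssh2
Feb  7 10:02:30 host sshd[1004]: Failed password for root from 203.0.113.9 port 40002 ssh2
"""

# Constructed peer reports: address -> [(peer, suspicion, assurance)], all values in [0, 1].
SAMPLE_PEER_REPORTS = {
    "203.0.113.9": [("B", 0.5, 1.0)],
    "192.0.2.44": [("B", 0.5, 1.0), ("C", 0.5, 1.0), ("D", 0.5, 1.0)],
}

FAILED_RE = re.compile(r"Failed password for .* from (\d+(?:\.\d+){3})")
FAIL_THRESHOLD = 3     # assumed: this many failures makes local suspicion 1.0
BLOCK_THRESHOLD = 0.8  # assumed: combined suspicion at or above this blocks


def failed_logins(log_text):
    """Count failed password attempts per source address (the detection-system role)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def local_suspicion(failed_count, threshold=FAIL_THRESHOLD):
    """Local suspicion in [0, 1]: grows linearly and saturates at the threshold."""
    return min(1.0, failed_count / threshold)


def combined_suspicion(local, peer_reports):
    """Combine local suspicion with assurance-weighted peer reports.

    Assumed rule (noisy-OR): the address stays unsuspicious only if every
    source is wrong, so the result is never below the strongest single
    fully-assured report (the B/C use case) and several moderate reports
    from different friends add up (the "M attacked all of us" case).
    """
    not_suspicious = 1.0 - local
    for _peer, suspicion, assurance in peer_reports:
        not_suspicious *= 1.0 - suspicion * assurance
    return 1.0 - not_suspicious


def should_block(local, peer_reports, threshold=BLOCK_THRESHOLD):
    """Enforcement decision for one address."""
    return combined_suspicion(local, peer_reports) >= threshold


def evaluate(log_text, peer_reports, threshold=BLOCK_THRESHOLD):
    """Score every address seen locally or reported by a peer.

    Returns {address: (combined score rounded to 3 places, block?)}.
    """
    counts = failed_logins(log_text)
    result = {}
    for addr in sorted(set(counts) | set(peer_reports)):
        local = local_suspicion(counts.get(addr, 0))
        score = combined_suspicion(local, peer_reports.get(addr, []))
        result[addr] = (round(score, 3), score >= threshold)
    return result


if __name__ == "__main__":
    for addr, (score, block) in evaluate(SAMPLE_LOG, SAMPLE_PEER_REPORTS).items():
        print(f"{addr:16} suspicion={score:.3f} {'BLOCK' if block else 'allow'}")
```

With the sample data, 198.51.100.7 is blocked on local evidence alone, 203.0.113.9 (one local failure plus one moderate report) stays below the threshold, and 192.0.2.44 is blocked purely because three friends independently reported it. Assurance scales a report before it is combined, so a strong claim from a peer with assurance 0.5 counts only half as much as the same claim from a fully trusted peer.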
Test Plan Summary
- Comprehensive test plan meant to ensure quality and promote a high level of system trust.
- Plan will involve 4 complementary parts, each of which focuses on a specific method of testing.
- Unit Testing: check the functionality of individual function calls.
- Use Case Testing: verify that the system works from the user perspective.
- Regression Testing: ensures that changes do not reintroduce bugs over time.
- Automated Testing
Installation Process
OAM&P Requirements:
- IPTables Linux kernel module & command-line tool
- IDMEF-compatible Network Detection System (Snort)
- OpenSSL's crypto library
- Bison/Flex parser generator
- Installation
- GNU Toolchain (CMMI)
- Vendor packages
- Configuration File
- Peers
- Constraints
Current Project Status
Function Point Re-calculation
- Original Calculation: 26.6 Staff Months
- Re-calculated:
  - Agent Component: 4.3
  - Enforcement Component: 1
  - Alert Component: 1.7
  - Peer-to-Peer Component: 2.6
  - Total for Entire Project: 9.6 Staff Months
Current Project Status (cont.)
The revision was made after the final design and architectural designs were complete. One component was eliminated by integrating its requirements into other components and simplifying the concept.
This simplified the design somewhat and made it easier to engineer, since fewer parameters are passed between sub-systems.
Current Project Status (cont.)
Time Saving Features, COTS, Reuse:
- Snort® is an open source network intrusion prevention and detection system.
- Syslog is an industry standard protocol, supported in Unix and Linux, used for capturing log information for devices on a network.
- Open source XML parser: libidmef, which parses XML IDMEF (Intrusion Detection Message Exchange Format) messages (using libxml2) sent by the detection systems.
Current Project Status (cont.)
| WBS | Task | Resources | % Complete | Start Date | End Date | Predecessor |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | Project Inception | | | 20-Oct-05 | 23-Nov-05 | |
| 1.1 | Research | All | 100% | 20-Oct-05 | 31-Oct-05 | |
| 1.2 | Requirements Engineering | Gould, Loeser | 100% | 1-Nov-05 | 22-Nov-05 | 2 |
| 1.3 | Develop Prototype | Gould, Loeser | 100% | 1-Nov-05 | 22-Nov-05 | 2 |
| 1.4 | Requirements Complete | Milestone | | 23-Nov-05 | 23-Nov-05 | 3 |
| 2 | Development | | | 12-Dec-05 | 5-May-06 | 5 |
| 2.1 | UML Diagrams | Long, Gould | 100% | 12-Dec-05 | 30-Jan-06 | |
| 2.2 | System Architecture Design | Gould | 100% | 19-Dec-05 | 6-Feb-06 | |
| 2.3 | Implementation | | | 7-Feb-06 | 19-Apr-06 | 7,8 |
| 2.3.1 | Agent Component | Gould, Vickers | 15% | 7-Feb-06 | 19-Apr-06 | |
| 2.3.2 | Enforcement Component | Morton, Loeser | 15% | 7-Feb-06 | 28-Mar-06 | |
| 2.3.3 | Alert Component | Loeser, Morton | 5% | 16-Feb-06 | 28-Mar-06 | |
| 2.3.4 | Peer-to-Peer Component | Voris, Long | 5% | 21-Feb-06 | 12-Apr-06 | |
| 2.4 | Implementation Complete | Milestone | | 20-Apr-06 | 20-Apr-06 | 9 |
| 2.5 | Design/Update Unit and Regression Test | Long | 40% | 7-Feb-06 | 12-Apr-06 | 7,8 |
| 2.6 | Testing | Long, Lu, Henriques | 0% | 7-Feb-06 | 5-May-06 | 7,8 |
| 2.7 | Documentation | Laquindanum | 10% | 7-Feb-06 | 5-May-06 | |
| 3 | Analysis | | | 15-Nov-05 | 9-May-06 | |
| 3.1 | ICED-T | Lu, Henriques | 50% | 15-Nov-05 | 9-May-06 | |
| 3.2 | QFD | Lu, Henriques | 50% | 15-Nov-05 | 9-May-06 | |
| 4 | Present Presentation and System | Milestone | | 11-May-06 | 11-May-06 | 1,6,18 |
Risks/Problems encountered since last presentation
- Algorithmic Complexity: the system is susceptible to being overwhelmed by alerts. If the alerts come from the same IP address, it will eventually be blocked, but a great deal of attacks from multiple IP addresses could cause load problems.
- Stale Data
- Being able to adequately test all the possible scenarios with a limited number of computers on a limited-size network
ICED-T
QFD
Questions/Comments