In this chapter, we discuss the evolution of the enterprise security federation, including why the framework should evolve and how it has been developed and applied to real systems. Furthermore, we analyze the remaining vulnerabilities and weaknesses in current approaches and propose new approaches to resolve them. To overcome those weaknesses and vulnerabilities, we propose the PSM (Policy-based Security Management) architecture for an integrated security framework, and the PM (Packet-Marking) architecture for a cooperative security framework. The PSM architecture is able to efficiently realize the security purposes of an organization by controlling, operating, and managing various kinds of security systems consistently based on security policies. The PM architecture is able to effectively deal with suspicious network traffic without requiring a new protocol, while reducing the false-positive problem and fully protecting the QoS of innocent traffic from attacks. We simulated the PSM and PM architectures to evaluate their performance. The simulation results show that the PSM architecture can automatically detect and respond to network attacks, and the PM architecture can effectively handle suspicious traffic, such as DDoS traffic.
Background And Motivation
In the early stage of the Internet, the security framework was not given much attention, because the destructive power and effects of cyber attackers against computer and network systems were not so high. A simple security framework typically consists of several security systems, such as an IDS or a firewall, and a simple security management system for displaying attack information detected by those security systems (Debar et al., 1999; Malik, 2002). A firewall accepts or denies incoming traffic according to a set of predefined rules called an access control list (ACL). An IDS detects suspicious traffic based on predefined attack signatures or behavior. A security administrator identifies the source of an attack by manually analyzing alert information received from the IDS, and then blocks the attack traffic by directly inserting new ACL entries into the firewalls.
Key Terms in this Chapter
Integrated Security Framework: This is a framework that is able to provide consistent control and management of heterogeneous security systems.
Suspicious Network Traffic: This is traffic that cannot be definitively categorized as either malicious or innocent.
Cooperative Security Framework: This is a framework in which security systems cooperate with each other to increase the effectiveness of responding to network attacks.
Security Policy Server: This is a central management system that can realize the security purposes of an organization based on security policy.
DDoS Attack: This is a network attack that prevents normal users from obtaining network resources by having many compromised nodes attack a victim node at the same time.
Security Autoconfiguration: This refers to the capability of security systems to configure the security network by themselves.
Packet Marking-Based Attack Response: This deals with network attack traffic by having a downstream network node determine whether or not to discard packets marked as suspicious by an upstream security system.
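The packet-marking response defined above, as an added illustration that is not code from the chapter: an upstream security system only marks packets from sources whose rate looks suspicious, and the downstream node forwards unmarked (innocent) packets first, discarding marked packets only when the link is saturated. The rate threshold, link capacity, and the traffic mix are constructed values for this example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    suspicious: bool = False  # mark set by the upstream security system


def upstream_mark(packets, rate_threshold):
    """Upstream security system: mark (do not drop) packets from sources
    whose packet count in this interval exceeds the threshold. Deferring
    the drop decision means a wrongly suspected source is not cut off."""
    per_src = Counter(p.src for p in packets)
    return [Packet(p.src, per_src[p.src] > rate_threshold) for p in packets]


def downstream_forward(packets, capacity):
    """Downstream node: unmarked packets are served first; marked packets
    only get leftover capacity and are discarded when the link is full."""
    unmarked = [p for p in packets if not p.suspicious]
    marked = [p for p in packets if p.suspicious]
    forwarded = unmarked[:capacity]
    forwarded += marked[:max(capacity - len(forwarded), 0)]
    return forwarded, len(packets) - len(forwarded)


def simulate_interval(traffic, rate_threshold, capacity):
    """Run one marking/forwarding interval and report delivery statistics."""
    marked = upstream_mark(traffic, rate_threshold)
    forwarded, dropped = downstream_forward(marked, capacity)
    innocent_sent = sum(1 for p in marked if not p.suspicious)
    innocent_fwd = sum(1 for p in forwarded if not p.suspicious)
    return {
        "marked": sum(1 for p in marked if p.suspicious),
        "forwarded": len(forwarded),
        "dropped": dropped,
        # share of innocent (unmarked) packets that reached the victim
        "innocent_delivered": innocent_fwd / innocent_sent if innocent_sent else 1.0,
    }


# Constructed traffic for one interval: 3 normal clients sending 5 packets
# each and 10 bots flooding the victim with 40 packets each; the downstream
# link can carry 100 packets per interval.
NORMAL = [Packet(f"client{i}") for i in range(3) for _ in range(5)]
FLOOD = [Packet(f"bot{i}") for i in range(10) for _ in range(40)]

if __name__ == "__main__":
    print(simulate_interval(NORMAL + FLOOD, rate_threshold=20, capacity=100))
```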