
CHAPTER 1 INTRODUCTION

1.1. General

With the rapid development of network technology and applications, computer networks play an ever larger role in daily life. Most organizations, whether government, enterprises or other public service agencies, have connected their business to the Internet for convenience and growth. In doing so they inevitably expose themselves to threats that arrive from the Internet: viruses, hacker attacks, denial of service (DoS) and so on. For network administrators it becomes harder and harder to keep up with monitoring when the volume of network information is this large. A clear and efficient network security visualization tool makes that data easier to analyze than traditional tools do and eases the administrators' workload.

Security today is no longer a purely technological problem; security achieved by technical means alone is insufficient, and sound management has to back it up. For these reasons we develop a visualization tool that integrates network security technology and network security management in a single interface. This makes the concept of security visible to everyone using the network, raises the security awareness of the whole organization and improves network utilization.

Network security refers to the protection of network software, hardware and information from accidental damage, malicious tampering and leakage, so that the network operates normally and network services are not interrupted. Broadly, network security covers both network hardware and information security. Hardware includes communication lines, communications equipment (switches, routers) and hosts; exchanging information quickly and securely requires a reliable physical network. Information security covers the operating and application software on which network services run, as well as the user information stored on and transmitted across the network.

1.2. Motivation

The rapid development of computer and network technology brings convenience together with security vulnerabilities: web-based threats are everywhere, and computer networks are prime targets of attack.

1.3. Aim

To research trusted networks and to show why even trusted networks still fall short on network security.

1.4. Objective

To use available network tools and methods to validate trusted networks.

1.5. Problem Description

Traditional network security devices such as intrusion detection systems (IDS), firewalls and security scanners operate independently of one another, with virtually no knowledge of the network assets they defend. This lack of context leads to numerous ambiguities when interpreting alerts and deciding on an adequate response. Networks suffer from threats including network worms and large-scale attacks, and network security situation awareness is an effective way to address them. The general process is to perceive the security events that occurred in a given time window and cyberspace environment, consolidate the security data, analyze the attack behaviour the systems suffered, provide a global view of network security, assess the overall security situation and predict future trends.

Several difficulties arise when implementing network security situation awareness:

(1) The number of alert events generated by the various security sensors is enormous and the false positive rate is too high.
(2) The individual alerts produced by large-scale attacks (e.g. DDoS) are very complex and the relationships among them are hard to determine.
(3) Alert events from security sensors come in many data types, while the knowledge needed to process them is lacking and hard to acquire automatically.
1.6. Related Work

Detecting malware and covert threats is becoming increasingly difficult as their authors use ever more sophisticated methods to hide the code. The complexity of detection also grows because it requires several different algorithms, in multiple stages, to detect multiple threat types. Two threats are considered here: 1) malware, i.e. malicious code that runs on a user's system, and 2) covert channels, which malware or individuals use to hide traffic inside a network packet stream. The goal of this work is not to develop new detection algorithms but to parallelize existing detection methods for higher throughput, and to run other algorithms such as encryption and decryption at the same time. At very high line rates it is challenging to process the packet stream fast enough without introducing significant delay.

Several kinds of analysis can detect network threats: statistical analysis, static analysis and pattern matching. Architecturally, there are several ways to apply security applications built on these algorithms to data streamed from a disk or a network interface. For real-time use the most obvious way is to implement the algorithm on a network processor attached to a firewall or router at the ingress/egress of the monitored network. Such a network processor can be built from standard multi-core servers. The disadvantage is that the server may become the bottleneck when line rates are high and/or the detection algorithm requires deep packet inspection and complex analysis.

An alternative is a network appliance designed specifically for a small subset of network security applications. One such device is the Ambric Am2045 processor, a massively parallel processing architecture (MPPA) with 336 interconnected processors on a single chip. Existing studies have shown it can perform functions similar to an FPGA with a simpler programming model. With this architecture many classes of algorithms can be sped up beyond what is possible within the computational limits of a standard server, which matters with the recent arrival of 1 Gbps and 10 Gbps network connections. Three applications are demonstrated: malware detection using an entropy function, detection of covert timing channels in a network packet stream, and acceleration of stream encryption. The parallel implementations of these applications and their experimental results are described. The steganography application collects statistics on multiple connections simultaneously. The malware detector shows high accuracy on the samples while being less susceptible to small changes designed to fool the scanner. The encryption application fully utilizes the MPPA hardware.

1.7. Requirements

1.7.1. Hardware Requirements

- Intel Core 2 Duo processor @ 2.12 GHz
- 512 MB RAM
- Minimum of 5 GB free hard disk space

1.7.2. Software Requirements

- Fedora 12
- Nagios
- Other network-related software

CHAPTER 2 RELATED WORK

2.1. Literature Study

2.1.1. Security level quantification and benchmarking in complex networks

The security of complex networks with many elements is very difficult to evaluate and to characterize numerically. The interaction between network elements, the different layer topologies and the many features make security quantification almost impossible. At the same time, the lack of security benchmarking is a serious problem for budget and investment allocation in companies. Budgets are set using numerical economic indexes for costs and potential benefits; since security is not quantified, it cannot be mapped to these indexes and the budget is not set objectively. This paper proposes a framework for quantifying network security and thus for security benchmarking. A relative vector expresses the different layers, physical connections, operational risk and human resources. The benchmark is a relative rather than absolute value, an indirect indication of security. The relative security vector maps to economic values and helps management take decisions. The framework extends common standards such as ISO 27000, BSI and ITIL, which characterize single network elements or processes in corporations, and is the missing link between security standards, subjective expert analysis and monetary instruments. The benchmark does not say whether a system is secure; it gives a relative, indirect comparison between systems.

2.1.2. An Approach for Automated Network-Wide Security Analysis

Network design is a complex task. Network specialists are expected to fulfil customer requirements while respecting the limits of the underlying technologies, the goal being reliable network services as requested. Once the design is finished, the deployment phase begins: installation and physical interconnection of the devices, setting up their configurations and, finally, network troubleshooting to assure functionality. Identifying potential problems as early as possible in the design phase is a strong argument for additional techniques and methodologies that verify and validate the results of the design process.

2.1.3. A Compositive Education Scenario for Network Security Protocols

The principles and techniques of security protocols are basic content of information security and among its most complex research and application problems. Research on security protocols integrates technology from computer networks and cryptography. From an educational viewpoint, the biggest issue in teaching computer network principles is that students struggle to grasp the real-world operation of network protocols, while students in cryptography classes tend to concentrate on the theory of cryptographic algorithms and miss their applications. Studying the proper way to teach security protocols is therefore important not only for information security research but also for cultivating the cross-field of computer networks and cryptography.

2.1.4. Problem of Network Security Threats

Computer systems connected to the global network are used in nearly all branches of the economy and of human activity. Because of the universal use of the Internet (estimated at approximately 1.5 billion users) and the attractiveness of its resources, these systems are exposed to various unlawful activities. The vulnerability of networks and computer systems to attack results mainly from defects in the installed system and application software, faulty system administration and the easy availability of attack tools. Neglect of system security and imperfect security mechanisms add to the problem. Responsibility for security lies with systems engineers, administrators and users.

2.1.5. Characteristics of Network Non-optimum and Extensionality Security Mode

A primary model of network security is to evaluate the implications of network system risk. In cases with a high degree of complexity and uncertainty, however, it is not always obvious which security variables to focus on in order to improve performance, nor to what extent those variables should be changed. Furthermore, the number of possible network system configurations, even in relatively simple models, is so large that enumerating them all to find the best configuration is impractical.

This work presents an advanced network security model based on non-optimum analysis. The model uses traditional methods to select non-optimum features; its principal contribution is a dynamic network analysis procedure that is activated at intervals during the sub-optimum process to exploit the information obtained so far, with the goal of speeding up the search for sub-optimum solutions. The approach is work in progress. It has elements in common with, and may be applied in, areas such as bioinformatics, which use small simulations to create fitness functions for an objective performance measure.

2.1.6. A Network Security Evaluation Method based on FUZZY and RST

Security evaluation of an information network system is an important management tool for ensuring its normal operation: the overall network security risks must be understood and effective security measures taken. A network evaluation model and the corresponding fuzzy algorithm are presented, using a hierarchical method to characterize the security risk situation. The model takes into account the importance of the security measures, the environment and the key nodes. The RST-based evaluation method is used to evaluate the key nodes, and fuzzy mathematics to analyze the security situation of the whole network. Compared with other approaches, the method automatically creates a rule-based evaluation model that assesses the threat from individual security elements and from combinations of them, and then evaluates the network situation. Experimental results show that the system provides a valuable model and algorithms for finding security rules, adjusting security measures, improving security performance and designing appropriate risk evaluation and management tools.

With the continuous development of computer network technology, information systems rely on computer networks more and more, and research on network security is increasingly appreciated; in the quantitative evaluation of network security in particular, many results have been obtained, and they greatly enhance the security of network systems. Network technology brings convenience to people's lives but also many threats: computer crime, hackers and viruses are ever more widespread, and network security draws ever wider attention. Security evaluation of a network is an important technology in network security defence and an important component of information security engineering; quantitative evaluation of the threats to computer network information is a basic research field and one of the frontier topics in IT. Network security evaluation, also known as network security threat evaluation, starts from the security goals of the real system and, following scientific procedures and methods, makes an adequate qualitative and quantitative analysis of the threat elements of the system and a comprehensive evaluation. To address the problems found, and within current technical and economic constraints, it introduces effective security measures that eliminate the risk or reduce the danger to a minimum.

2.1.7. Architecture

Figure 1: An Architecture Model

CHAPTER 3 IMPLEMENTATION
3.1. Requirement Analysis

Requirement analysis describes the functional and non-functional requirements of the project.

3.1.1. Functional Requirements

A functional requirement defines a function of a system or of its components. A function is described as a set of inputs, the behaviour, and outputs. Functional requirements are typically phrased as subject/predicate (noun/verb) constructions. A functional requirement is a system or software requirement that specifies a function that a system, software system or component must be capable of performing; these requirements define the behaviour of the system, that is, the fundamental process or transformation that its software and hardware components perform on inputs to produce outputs.

- Nagios
- Linux

3.1.2. Non Functional Requirements

A non-functional requirement does not describe what the software will do but how it will do it: external interface requirements, design constraints and so on. Non-functional requirements are difficult to test, so they are usually evaluated subjectively.

Reliability: the system's reliability rests on the qualities inherited from the chosen platform, Nagios running on Linux.

Performance: the system is built with high-level languages and current front-end and back-end technologies, so it responds to the end user on the client system within a very short time.

3.2. Trusted Network

People understand trusted networks differently: some hold that "trusted" rests on the credibility of certification, some that it comes from integrating existing security technologies, some that it concerns the credibility of the network's content, some the credibility of the network itself, and some the credibility of the services provided on the network. There is, however, a shared understanding of the purpose: to raise the security of networks and services so that the whole of the information society can benefit. A trusted network can improve network performance, simplify monitoring and prevention, reduce the costs caused by lack of confidence, and improve the overall performance of the system. The generally accepted description of a trusted network is one in which the behaviour of the network and its users, and the results of that behaviour, are always predictable and manageable: the behavioural state can be monitored, the results can be assessed and abnormal behaviour can be managed. In particular, the credibility of the network should include a set of properties. From the user's view it must protect services, security and survivability; from the designer's view it must provide manageability. Unlike security, survivability and manageability in the traditional sense, which are scattered and isolated, a trusted network integrates these three basic properties and, around trust maintenance and behaviour management among the network components, forms an organic whole.
3.3. Trusted network and trusted terminals

In network security, "trusted" has a deeper meaning: security is an external expression of an assertion, whereas trust is a measurable property that results from analyzing the behaviour of a process [5]. This is a new consensus in network security research. How to build a trusted model that can effectively analyze and describe network and user behaviour is the basis of the study of trusted networks. Analysis with a suitable mathematical model helps identify security vulnerabilities, improve the credibility of the network and assess network attacks or network vulnerabilities; it is the prerequisite for credible monitoring, prediction and intervention. "Trusted" comprises two parts, trusted identity and trusted behaviour; trusted behaviour in turn covers service capability, protection capability, confidence in recommendations and so on. Drawing on a study of terminal access authorization and of behaviour throughout the life cycle of an authorization, the process by which a terminal accesses a trusted network is shown in Fig 2.

Figure 2: The process of terminal access to trusted network.

3.4. Nagios

The only way to know whether everything on our network is operating as it should is to monitor it continuously. This calls for a highly flexible monitoring tool that is on duty around the clock and not only reports events but also responds to them immediately. This chapter describes Nagios, a network monitoring tool used to check the availability of an organization's network and to maintain it. We concentrated on using the tool to monitor SIP services running on particular hosts in the network.

3.4.1. About Nagios

Nagios is a powerful and flexible open source tool that watches the hosts and services we specify, alerting when things go bad and again when they recover.

- Monitoring: monitors hosts and the services running on them.
- Alerting: sends alerts when a host, or a service running on a host, goes down; alerts can be delivered by email.
- Response: as soon as an alert arrives, the issue can be fixed according to the type of alert.
- Reporting: all events are written to log files for later review.
- Presentation: a web-based GUI shows the status of nodes with intuitive green/yellow/red indicators.
- Plug-ins: Nagios uses plug-ins to check the hosts and the services running on them.

3.4.2. Installing Nagios

Nagios can be installed on any Linux machine; we installed it on Fedora 11. Make sure the following packages are installed on your Fedora system before continuing:

- Apache
- PHP
- GCC compiler
- GD development libraries

You can install them with yum by running the following commands as root:

    yum install httpd php
    yum install gcc glibc glibc-common
    yum install gd gd-devel

1) Create Account Information

Become the root user:

    su -l

Create a new nagios user account and give it a password:

    /usr/sbin/useradd -m nagios
    passwd nagios

Create a new nagcmd group that allows external commands to be submitted through the web interface, and add both the nagios user and the apache user to it:

    /usr/sbin/groupadd nagcmd
    /usr/sbin/usermod -a -G nagcmd nagios
    /usr/sbin/usermod -a -G nagcmd apache

2) Download Nagios and the Plug-ins

Create a directory for storing the downloads:

    mkdir ~/downloads
    cd ~/downloads

Download the source tarballs of both Nagios and the Nagios plug-ins (visit http://www.nagios.org/download/ for links to the latest versions). These directions were tested with Nagios 3.1.1 and Nagios Plug-ins 1.4.11; the commands below fetch Nagios 3.2.0, which is the version extracted in the next step. The URLs are plain HTTP, so the download can be tampered with in transit: verify each tarball against a checksum or signature obtained from a trusted source before compiling it as root.

    wget http://prdownloads.sourceforge.net/sourceforge/nagios/nagios-3.2.0.tar.gz
    wget http://prdownloads.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.11.tar.gz

3) Compile and Install Nagios

Extract the Nagios source tarball:

    cd ~/downloads
    tar xzf nagios-3.2.0.tar.gz
    cd nagios-3.2.0

Run the Nagios configure script, passing the name of the group you created earlier:

    ./configure --with-command-group=nagcmd

Compile the Nagios source code:

    make all

Install the binaries, init script and sample configuration files, and set permissions on the external command directory:

    make install
    make install-init
    make install-config
    make install-commandmode

Don't start Nagios yet; there is more to do first.

4) Customize Configuration

Sample configuration files have been installed in /usr/local/nagios/etc. They are fine for getting started. Edit /usr/local/nagios/etc/objects/contacts.cfg and change the email address of the nagiosadmin contact definition to the address at which you want to receive alerts:

    vi /usr/local/nagios/etc/objects/contacts.cfg

5) Configure the Web Interface

Install the Nagios web configuration file in the Apache conf.d directory:

    make install-webconf

Create a nagiosadmin account for logging into the Nagios web interface. Remember the password you assign; you will need it later. (The -c flag creates the password file, overwriting any existing one, so omit it when adding further users.)

    htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin

Restart Apache so the new settings take effect:

    service httpd restart

6) Compile and Install the Nagios Plug-ins

Extract the plug-ins source tarball:

    cd ~/downloads
    tar xzf nagios-plugins-1.4.11.tar.gz
    cd nagios-plugins-1.4.11

Compile and install the plug-ins:

    ./configure --with-nagios-user=nagios --with-nagios-group=nagios
    make
    make install

7) Start Nagios

Add Nagios to the list of system services and have it start automatically at boot:

    chkconfig --add nagios
    chkconfig nagios on

Verify the sample configuration files:

    /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

If there are no errors, start Nagios:

    service nagios start

8) Modify SELinux Settings

Fedora ships with SELinux (Security Enhanced Linux) installed and in Enforcing mode by default. This can produce "Internal Server Error" messages when you access the Nagios CGIs. Check whether SELinux is in Enforcing mode:

    getenforce

Putting SELinux into Permissive mode stops enforcement for the whole system, not just for Nagios, until the next reboot:

    setenforce 0

To make that change permanent you would have to edit /etc/selinux/config and reboot. Instead of disabling SELinux or leaving it permissive, keep it in enforcing/targeted mode and label the Nagios web directories so that Apache is allowed to serve them:

    chcon -R -t httpd_sys_content_t /usr/local/nagios/sbin/
    chcon -R -t httpd_sys_content_t /usr/local/nagios/share/

Note that chcon labels are lost when the filesystem is relabelled; if that happens, run the two commands again.

9) Login to the Web Interface

You should now be able to access the Nagios web interface at http://localhost/nagios/ . You will be prompted for the username (nagiosadmin) and the password you set earlier. Click the "Service Detail" navbar link to see details of what is being monitored on your local machine. It takes a few minutes for Nagios to check all the services on your machine, because the checks are spread out over time.

10) Other Modifications

Make sure the machine's firewall rules allow access to the web server if you want to reach the Nagios interface remotely. The CGIs use HTTP basic authentication, so serve them over HTTPS and restrict which addresses may reach them; because the apache user is in the nagcmd group, anyone who can log in to the web interface can submit external commands to Nagios, such as disabling checks or notifications.

Configuring email notifications is outside the scope of this documentation. Nagios is configured to send email notifications, but the system may not yet have a mail program installed or configured. Refer to your system documentation, search the web, or look at the Nagios Support Portal or Nagios Community Wiki for instructions on sending email to external addresses.

Configuring Nagios

Several configuration files need to be edited or created before monitoring can start.

Main Configuration File: contains the directives that control the operation of the Nagios daemon.

Resource File: stores the user-defined macros ($USERn$). Its main purpose is to keep sensitive values (passwords, paths) out of the CGIs by referring to them through macros.

Object Definition Files: contain the definitions of hosts, host groups, contacts, contact groups, services and commands. This is where all the hosts and services to be monitored are defined.

CGI Configuration File: contains settings that affect the operation of the CGIs.

We edited the following object definition files for our project; they are described below.

Object Definition Files

Objects are the fundamental elements involved in monitoring and notification. They include:

1. Hosts
2. Host groups
3. Services
4. Service groups
5. Commands
6. Contacts

Each object type has its own configuration file, in which we define the objects in flexible template form.

Adding Hosts:

Hosts are added to Nagios in the hosts.cfg configuration file using a host definition. A sample host definition looks like the following:

Example:

    define host {
        host_name               v0807 VoIIT Rice
        alias                   VoIIT Production Rice
        address                 <IP_ADDRESS>
        check_command           check-host-alive
        max_check_attempts      4
        check_period            24x7
        notification_interval   60
        notification_period     24x7
        notifications_enabled   1
        contacts                nagiosadmin
    }

Adding Services:

The services to be monitored on each host are added in the services.cfg configuration file. A service can be an attribute of a host (CPU load) or a service the host provides (FTP).

Example:

    define service{
        use                     generic-service
        host_name               v0807 VoIIT Rice
        service_description     SIP test
        check_command           check_sip!sip:sip@rice.iit.edu
        max_check_attempts      5
        check_interval          5
        retry_interval          3
        check_period            24x7
        notifications_enabled   1
        notification_interval   60
        notification_period     24x7
        contacts                nagiosadmin
    }

Adding Commands:

Commands tell Nagios which scripts to execute to perform checks. They are configured in commands.cfg. The part of a service's check_command after the "!" is passed to the command as $ARG1$, and $USER1$ comes from the resource file (in the sample resource.cfg it is the plug-in directory).

    define command{
        command_name    check_sip
        command_line    $USER1$/check_sip -u $ARG1$ -H $HOSTADDRESS$ -w 600
    }

Adding Contacts:

Contacts are the people who should be notified in the event of a state change.

    define contact{
        contact_name    nagiosadmin
        use             generic-contact
        alias           Nagios Admin
        email           <CHANGE THIS TO YOUR EMAIL ADDRESS>
    }
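The four object definitions above only work if they reference each other consistently: the service must name a defined host, the check_command must name a defined command, and contacts must exist. Nagios checks this with `nagios -v`. The following Python is an added example (not code from the report or from the Nagios project) that parses the `define ... { }` syntax and performs those cross-reference checks offline. The SAMPLE_CONFIG is constructed for the example; its address, SIP URI and e-mail are placeholders rather than the report's real servers, and template inheritance through `use` is deliberately not handled.

```python
"""Parser and cross-reference checker for Nagios object definition files.

Added example; not code from the report or from the Nagios project.
It reads the ``define <type> { directive value ... }`` syntax used by
hosts.cfg, services.cfg, commands.cfg and contacts.cfg and then performs the
cross-reference checks that ``nagios -v`` would also reject: every service
must name a defined host, every check_command must name a defined command,
and every contacts entry must name a defined contact. Template inheritance
(``use`` / ``register 0``) is not resolved here. SAMPLE_CONFIG is
constructed for this example; the address, SIP URI and e-mail are
placeholders rather than the report's real servers.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """
define host {
    host_name               v0807 VoIIT Rice
    alias                   VoIIT Production Rice
    address                 192.0.2.10           ; placeholder address
    check_command           check-host-alive
    max_check_attempts      4
    check_period            24x7
    contacts                nagiosadmin
}

define service {
    use                     generic-service
    host_name               v0807 VoIIT Rice
    service_description     SIP test
    check_command           check_sip!sip:sip@example.invalid
    max_check_attempts      5
    check_interval          5
    retry_interval          3
    contacts                nagiosadmin
}

define command {
    command_name    check_sip
    command_line    $USER1$/check_sip -u $ARG1$ -H $HOSTADDRESS$ -w 600
}

define command {
    command_name    check-host-alive
    command_line    $USER1$/check_ping -H $HOSTADDRESS$ -w 3000.0,80% -c 5000.0,100% -p 5
}

define contact {
    contact_name    nagiosadmin
    use             generic-contact
    alias           Nagios Admin
    email           nagios@example.invalid
}
"""

# One definition: the object type, then a brace-delimited body.
_DEFINE_RE = re.compile(r"define\s+(\w+)\s*\{(.*?)\}", re.DOTALL)


def parse_objects(text):
    """Return {object_type: [ {directive: value, ...}, ... ]}.

    Comments (# or ;) are stripped. A directive is the first word of a line
    and the rest of the line is its value, so "v0807 VoIIT Rice" stays one
    host_name, as Nagios itself reads it.
    """
    objects = defaultdict(list)
    for match in _DEFINE_RE.finditer(text):
        obj_type, body = match.group(1), match.group(2)
        directives = {}
        for raw in body.splitlines():
            line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
            if not line:
                continue
            parts = line.split(None, 1)
            directives[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
        objects[obj_type].append(directives)
    return dict(objects)


def command_name(check_command):
    """Nagios separates the command name from its $ARGn$ values with '!'."""
    return check_command.split("!")[0]


def check_references(objects):
    """Return a list of dangling references; empty when the config is consistent."""
    hosts = {h.get("host_name") for h in objects.get("host", [])}
    commands = {c.get("command_name") for c in objects.get("command", [])}
    contacts = {c.get("contact_name") for c in objects.get("contact", [])}
    problems = []
    for kind in ("host", "service"):
        for obj in objects.get(kind, []):
            label = obj.get("host_name", "?") if kind == "host" else obj.get("service_description", "?")
            cmd = command_name(obj.get("check_command", ""))
            if cmd and cmd not in commands:
                problems.append(f"{kind} {label!r}: unknown check_command {cmd!r}")
            for contact in obj.get("contacts", "").split(","):
                if contact.strip() and contact.strip() not in contacts:
                    problems.append(f"{kind} {label!r}: unknown contact {contact.strip()!r}")
            if kind == "service" and obj.get("host_name") not in hosts:
                problems.append(f"service {label!r}: unknown host_name {obj.get('host_name')!r}")
    return problems


if __name__ == "__main__":
    for problem in check_references(parse_objects(SAMPLE_CONFIG)) or ["config OK"]:
        print(problem)
```

Running the file prints "config OK" for the sample; renaming the check_sip command (or misspelling the host name in the service) produces one line per dangling reference, which is the kind of error `nagios -v` reports before the daemon refuses to start.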

Logical Architecture

Physical Architecture

How Does Nagios Work?

Nagios performs its service checks by polling each device over the network and waiting for a response ("active checks"). Example: a simple "host alive" or "ping" check confirming that a device is up and running.

Typically we set threshold values for the services we monitor; when a service exceeds a threshold, an event is triggered. In the following trace the Nagios host sends a ping request to every monitored host; if the remote host is up, the Nagios host receives an Echo (ping) reply.

SIP Service Check:

The main reason for deploying a network management tool was to monitor the SIP services on our network. We used the check_sip plug-in to monitor the SIP service on the different hosts. The plug-in checks whether the SIP service is running on a given host: it sends a SIP OPTIONS request to the remote host and waits for a response. The remote host answers either with 200 OK or with 404 Not Found, and the status of the service depends on that response: the GUI shows OK for a 200 OK and WARNING otherwise.

CHAPTER 4 CONCLUSION AND FUTURE ENHANCEMENTS


4.1. Conclusion

Nagios must be configured properly so that it integrates with the network and gives the best results. Integration with in-house and third-party applications is easy thanks to multiple APIs. Nagios generates reports that provide a historical record of outages, events, notifications and alert responses for later review.

4.2. Future Enhancements

check_logfiles is a plug-in that scans log files for a defined pattern.

Its configuration file specifies where to search, what to search for and what to do when a matching line is found. Using this plug-in we are working on matching patterns in the VoIIT server log files and acting accordingly. Example: to check for the pattern "Peer is not supposed to register" we used the following regular expression and configured it in the services.cfg file.
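To show the behaviour this enhancement is after, here is an added example of a check_logfiles-style scanner written as a Nagios plug-in. It is neither the check_logfiles plug-in nor the report's configuration. The pattern is the phrase quoted in the text, matched as a plain regular expression (an assumption, since the report's own expression is not reproduced); the log lines, file names and state file are constructed for the example. Like check_logfiles, it remembers the file offset between runs so that a matching line is reported once rather than on every scheduled check.

```python
"""check_logfiles-style log scanner as a Nagios plug-in.

Added example; neither the check_logfiles plug-in nor the report's
configuration. It scans a log for a pattern and returns WARNING with a count
when new matching lines have appeared since the previous run, OK otherwise,
UNKNOWN if the log cannot be read. The offset is kept in a small JSON state
file so each line is reported once. PATTERN is the phrase quoted in the text
used as a plain regex (an assumption); SAMPLE_LOG and EXTRA_LINE are
constructed lines in the style of a SIP server log, not real data.
"""
import json
import os
import re
import shutil
import tempfile

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

PATTERN = r"Peer is not supposed to register"

SAMPLE_LOG = (
    "[Mar 10 12:00:01] NOTICE[2311] sip: Registration from '<sip:100@192.0.2.10>' failed - Wrong password\n"
    "[Mar 10 12:00:02] NOTICE[2311] sip: Peer is not supposed to register (peer 100 from 192.0.2.10)\n"
    "[Mar 10 12:00:03] VERBOSE[2311] sip: Really destroying SIP dialog\n"
)
EXTRA_LINE = "[Mar 10 12:05:09] NOTICE[2311] sip: Peer is not supposed to register (peer 101 from 192.0.2.11)\n"


def scan(lines, pattern):
    """Return the lines that match the regular expression."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


def _load_state(state_path):
    try:
        with open(state_path) as f:
            return json.load(f)
    except (OSError, ValueError):
        return {}


def check_log(log_path, pattern, state_path):
    """Scan only the bytes appended since the last run; return (exit_code, output).

    The state file records an offset per log path. If the file is smaller
    than the stored offset (rotated or truncated) the scan restarts at 0.
    """
    state = _load_state(state_path)
    offset = int(state.get(log_path, 0))
    try:
        size = os.path.getsize(log_path)
    except OSError as exc:
        return UNKNOWN, f"LOG UNKNOWN - cannot stat {log_path}: {exc}"
    if size < offset:
        offset = 0
    with open(log_path, "rb") as f:
        f.seek(offset)
        new_lines = f.read().decode("utf-8", errors="replace").splitlines()
        state[log_path] = f.tell()
    with open(state_path, "w") as f:
        json.dump(state, f)
    matches = scan(new_lines, pattern)
    if matches:
        return WARNING, f"LOG WARNING - {len(matches)} new match(es) for {pattern!r}; last: {matches[-1]}"
    return OK, f"LOG OK - no new matches for {pattern!r} in {len(new_lines)} new line(s)"


def demo():
    """Three successive checks on a constructed log; returns their exit codes."""
    workdir = tempfile.mkdtemp()
    log_path = os.path.join(workdir, "sip.log")
    state_path = os.path.join(workdir, "check_log.state")
    try:
        with open(log_path, "w") as f:
            f.write(SAMPLE_LOG)
        first = check_log(log_path, PATTERN, state_path)[0]   # one match -> WARNING
        second = check_log(log_path, PATTERN, state_path)[0]  # nothing new -> OK
        with open(log_path, "a") as f:
            f.write(EXTRA_LINE)
        third = check_log(log_path, PATTERN, state_path)[0]   # new match -> WARNING
    finally:
        shutil.rmtree(workdir)
    return [first, second, third]


if __name__ == "__main__":
    print(demo())
```

The state file is the part that matters operationally: without it, a five-minute check would re-alert on the same line forever, and the alert would carry no information. Keep the state file writable only by the nagios user, since whoever can edit it can make the plug-in skip lines.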
