Biological Network Security 83
mercut writes: "A friend of mine recently wrote a Guest Feature on SecurityFocus about Biological Network Security. It has some interesting implications and I thought the /. community could provide some good perspective into IDS communication and security."
So do we have to (Score:1)
I can just see it now - Bosses using this to run drug and other tests on us at the same time as we "authenticate"
Re:So do we have to (Score:2)
Biological defences (Score:5, Funny)
"A DDOS attack coming from some script kiddie in Newark... Fly, my pretties, fly..."
Re:Biological defences- Snake Oil. (Score:1, Interesting)
"little?"
What is this guy talking about? I've seen this kind before. Their facts are fudged in the 1st few sentences.
As an example, the decentralized design of ARPARNET then later on the Internet had lot of security in mind.
MILITARY(read security) + SCIENCE/ENGINEERING (read brains) = ARPARNET
Re:Biological defences- Snake Oil. (Score:3, Insightful)
Careless? No, I don't think so. You simply can't prevent something that yuo don't even know where it is coming from. No one would think to protect a city against a comercial airplane, now I bet people think about that, rather seriously.
Re:3rd - 1st person (Score:1)
very intelligent. (Score:3, Interesting)
The human body (used here only because it's the most familiar to the average person) works. It has some problems, but the design is solid. We don't experience network downtime, and the majority of infections or intrusions we suffer are automatically dealt with. It makes sense to look to a model that's had 4 billion years to evolve- computer networks are pretty similar in function if you're not too pedantic about it.
Re:very intelligent. (Score:3, Funny)
Yawn!
Re:very intelligent. (Score:1)
Er, I imagine a network that could automatically manage its resources well enough to be able to sleep (for powersaving reasons or otherwise) when not in use would be quite useful to most.
Re:very intelligent. (Score:2)
That's pretty much what a fever is, and couldn't be too good for a enterprise, mission critical, high dollar amount network.
However, the transport system on a cellular level,
internal packets could be treated as water, and "osmosis" would let packets flow one way, and selective permeability could allow certain packets in and keep others out. (Very much like a firewall protects, but a intricately layered firewall that protects and admits with stunning accuracy.)
Packets could only leave through an active
Re:very intelligent. (Score:1)
Re:very intelligent. (Score:5, Insightful)
I think the human body can only be said to work in the statistical sense. Pick any given cell, and you'll find that the body (any complex organism, really) is a pretty dangerous place. The body works as designed because the component parts are unbelievably vast in numbers and practically (in fact, literally) disposable.
Stephenson dealt with an idea like this in The Diamond Age, his book about nanotech. The idea is that, because of an absurd but logical application of economies of scale, it's about as expensive to produce one nanotechnological computer as it is to produce one trillion of them.
If we lived in a world like that, where fairly autonomous disposable computers could be practically manufactured and used, the "computer network as biological system" idea might make some sense.
Remember that life as we have observed it is basically tuned to the idea that the problem is hard, but the raw materials are cheap and time is no object. The only thing that situation has in common with our world is that the problems are hard; in our case, the materials are really expensive (in dollars, but also in labor and opportunity cost) and time is of the essence.
That's not an area in which biology does very well.
firewall. Re:very intelligent. (Score:1)
To protect a city and its occupants a wall was built around the city, with a few gates provided
to allow regulated access. If a city was conquered, the walls were simply rebuilt higher and wider. This is much the same approach people are taking with Firewalls; and ultimately it is ignoring the true problem,
In this anology there are more solutions. Some city's make countries. (ISP buy each other). cities contain houses.(and each house has his own front door). etc etc. The segmentation is comparable to WAN country.
If someone find a generic key to a house he can be fenced off at the firewall (be it at ISP/LAN/MACHINE level).
Does this help: yes, more and more filters are implemented by ISP's, windows XP contains its own filerwall, Firewalls ge to know more and more about the traffic they let trhough.
Even real countries (china) are firewalled completely).
And if a firewall goes down, a bigger wall is made (including .
Biological Network Security (Score:3, Funny)
speaking of cancer (Score:2, Interesting)
you know, there's something to be said about targeting the immune system.
Comment removed (Score:5, Insightful)
Re:The Author Is Wrong (Score:2, Insightful)
The main problem with your next step is that it relies on Joe User becoming smarter. It also completely ignores a DDoS attack. Better passwords does not stop attacks from occuring.
Computers were built to do complex things in shorter times than humans. Recognizing and acting upon those attacks seems to be a natural evolution of something computers should be doing, not relying on Joe User to get smart.
The thought that everyone will accomplish these things seems less likely than a "Biological System" being implemented.
Re:The Author Is Wrong (Score:4, Insightful)
This however gives a very false sense of security without stiff penalties for violating the security policies. Remember, security is only as secure as the *least* secure factor. or person.
Re:The Author Is Wrong (Score:2)
IMO, this is a key point that was almost completely ignored in the article, but I would apply it at the societal level. Since technological threats are created by humans, an effective defense strategy must include a deterrent (e.g. criminal prosecution) as well as a response. One of the tricky parts is that in order for this to work, the deterrent must be credible - investigation and prosecution must be a matter of course, and this must apply across national boundaries. Given the emerging definition of terrorism, we may well see this happen in the next decade. Of course, then we'll find ourselves faced with another tricky issue - where to draw the line. What constitutes malevolence vs. research, attack vs. investigation, prevention vs. tyranny? These are questions we already are starting to ask, but they will need to be answered before any effective deterrent can be implemented.
Re:The Author Is Wrong (Score:3, Interesting)
2. I agree with everything else. I think security policies and access control is the next great area for security research. There is a huge disconnect between low-level policies (e.g., file permissions) and higher-level policies (e.g, use groups). As things become more distributed, the gap will widen.
Re:The Author Is Wrong (Score:2, Insightful)
today, right now, with off the shelf products (OpenBSD to start).
Yes, and a REALLY GOOD programmer won't have buffer overflows or memory leaks, and a REALLY GOOD secretary won't reveal private data by social engineering or click on email attachments, and a REALLY GOOD..., oh, never mind.
Any security policy that depends on the whole human race suddenly getting genetically superior to what it is now is a non-starter.
The weak point isn't the hardware (Score:2)
You got that right. I have a security textbook. About 350+pages. 30 odd on encryption and such matters. The rest on organizational issues. Dumpster diving and social engineering are always a threat.
If you can pick some developer's brain for a password or pay the secretary $5K for a way in... cheaper than trying to crack a 128 bit encryption scheme. And probably more interesting because in addition to getting info on how to get in, you can get info on where what you want might be located!
Security starts with a well-thought out policy covering the organization, the employees, and the computer systems. Then the next step is implementation of those policies in a meaningful way. Passwords that are too short or easy to guess, people who write their passwords on their desk pad, employees who run anything that arrives in their inbox including viruses and trojans, etc - these are the threats to security that we have to beat before fancy shmancy AI biological and biometric systems matter a whit.
Interesting idea, (Score:3, Insightful)
The main problem, though, will be in establishing automatic systems that are able to judge "threat levels" and act accordingly. People will sign on to such a network only if it's more likely to benefit than to inconvenience them. Such a system won't be of much use if it requires human intervention every time an alert goes up, but it is notoriously difficult to program computers to take the place of simple human judgement.
Re:Interesting idea, (Score:2, Insightful)
Similar system (Score:2, Informative)
I agree that the "universal" IDS information format will be a long time comming. It's been worked on and thought about for years, but the security corporations seem to be doing just fine on their own. In the realm of security, implementation is usually the most difficult obstacle to any solution.
Allergies (Score:1)
Re:Allergies (Score:2)
Sorry I replied in such a terrible manner to an obvious joke. But anaphalactic shock is most certainly caused by inherent flaws in the auto-immune system and not so much as the attacking organisms.
Ahh, but the problem... (Score:3, Insightful)
Can you imagine the number of people who'd have to co-operate to make this happen? And it wouldn't even be possible for CONGRESS to make it happen, since the Internet is International now.
However, there is already a good amount of work done to secure the Internet - take a look at Bind 9 and its secure DNS, IPv6, ISP border address verification, etc.
The foundations of the failure of these ideas is that of "trust" - who do you trust, anyway? What happens when somebody you trust suddenly changes heart?
Following your representation of the "biological" model, can you successfully argue for "biological" home security? How many houses do you know don't lock their doors and rely on super-intelligent robots or dogs to defend them?
I thought so.
Notice that even your "biological" model breaks down for biology! Nearly every organism has skin, an exoskeleten, cellular wall, etc - in other words, a biological firewall!
These other methods work in conjunction with a good firewall, but the firewall is here to stay.
neural nets (Score:1)
This sounds a lot like setting up neural network for defense... i seem to recall some people working on neural nets that might be applicable. http://hebb.cis.uoguelph.ca/home/ns.html [uoguelph.ca]
Flawed analogy (Score:4, Insightful)
When the attacker has human-level intelligence, on the other hand, the immune system folds like a beat puppy - thus the success of poisoners. To defeat poisoners you have to harden your kitchen.
So computer immune systems are liable to work, as long as intruders are no smarter than bacteria. That oughta keep out the script kiddies, though...
Biological? Ahhh, no. (Score:1)
The proposed method of preventing a (DoS) attack by notifying your upstream provider to cut off traffic has been proposed before, and discarded as a bad idea. Imagine if I sent a bunch of messages from my workstation to my ISP which had just such a system :
"Help Help! microsoft.com is DoSsing me!"
.. and then the automated "biological" response system at my ISP acted on it, forwarded it to microsoft.com's ISP and had them cut off from the Internet. Actually, on the other hand, that might not be such a bad idea
But in all seriousness, the scope for misuse is so large that nobody would ever put this kind of system in place.
problems (Score:1)
The currently used shorthand of this security posture is the use of active defenses such as Sentry. While useful in a remote network with a limited range of applications (read: small, and by applications, I'm talking layer7, not Word), rigidly predefined responses to certain incident conditions almost always cause trouble on a large system used for a wide variety of purposes. Even if one were to make the incident response logic near-omnipotent in its ability to respond appropriately, the openness of the standards involved would mean that any intruder would have a VERY good idea of how your systems will react to attack, to say nothing of being able to monitor the response by looking for outbound BNS traffic.
There is also another more sinister possiblity for how this type of protocol might be used. If network security structures could be organized into an "authoritative cloud" of trusted BNS devices controlling the Internet, it would provide a great way for people currently annoyed at the free exchange of information on the Internet to have a good chance of shutting it down.
Would you want to hear about legislation pending in your state government that would force your ISP to shut you down for surfing porn?
Ironically, this is a DoS tool itself.. (Score:4, Interesting)
Given how easy it is to spoof traffic over the insecure IP and TCP protocols, all an attacker would have to do is spoof some attacks coming from some of AOL's IPs, and all of a sudden all AOL users can't access your site, since the CAS system told the backbone routers to block all the AOL IPs
If you use the biology metaphor, this is an alergy. Your system is reacting aggressively to something that isn't a threat.
IDSs have had the ability to configure firewall ACLs for years via OPSEC SAMP, etc., but almost no-one uses it for this very reason, it's just too easy to trick.
The real solution is to redesign the internet protocols with security in mind. Something like IPSec does a lot more than this proposes system ever would.
The one good idea the article had was centralized analysis, but as the article mentioned, this was discussed more thoroughly in a previous article on securityfocus.
Don't you know... (Score:4, Insightful)
Interesting, but flawed (Score:5, Insightful)
Semi-permeable membranes, aka firewalls. A person's skin acts as a pretty good firewall, allowing certain substances in or out and is mostly successful. It is possible to exploit it through making harmful substances appear to have the signature of allowed substances, in the same way that allowing inbound connections of any kind permits other connection types to mimic it: eg, hijacking a terminated telnet connection and sending traffic in the reverse direction. I can't think of a skin analogy for access-list allow host port established syntax, but I'm sure one exists. Firewalls thus play an important part of a biological system.
Complex system interactions. If one were to use an individual cell as an analogy for a computer network and pathways into and out of the cell as the routes through the firewall then you come close to the biological analogy proposed in the article. Note that cells do not in fact advertise that they are under attack from viruses. Other cells notice that a virus attack in underway and react accordingly, with varying degrees of success. It is this approach that would be more useful to take by analogy from biological systems and apply to the computer/network security field. The same problems exist.
Firstly there is the problem of the existing IDS not noticing an intrusion or failing to take sufficient action, such as for any biological infection which causes the death of the host. The biological solution to this is to immunise the system by exposing it to a non-lethal form of the pathogen to educate it for what to look for. A virus-scanner is a good example: Virus signature updates are the computer/network security version of immunisation.
Then there is the problem of overreaction. In a biological system this is equivalent to the so-called '20th Century Syndrome' of boy-in-bubble fame. The biological system's IDS incorrectly registers normal operations as an intrusion and acts as it would for a normal intrusion, causing illness or death. This is a 'false-positive' reaction and is even more likely in a poorly designed IDS. As an example, reference the number of false positives generated by end users who install ZoneAlarm or equivalent personal firewalls. This is the same 'Microsoft is DoS-ing me!' argument mentioned by another respondent.
So, the analogy has merit, but is poorly expressed in the article. I wish to point out that the main advance in IDS and security in general is not the establishment of a new analogy, paradigm or any other buzzword. I believe there are two key aspects that become increasingly important:
1. Correctness of implementation. This is fixing inherent security problems that allow infection to occur. This requires hardening of software, systems and networks. Most people in the field acknowledge this to be true.
2. Greater correlation. This is the ability to more correctly diagnose likely causes from symptoms. The security administrator becomes the highly trained doctor, using knowledge gained from analysis of known pathogens, methods of attack and problems inherent in existing symptoms and uses this knowledge to faster and more accurately diagnose root causes, and prescribe a solution. The use of tools, preferably automated, greatly increase the effectiveness of this approach. I believe it is in this area that the greatest advances have yet to occur.
Action related to IDS (Score:1)
IDS triggered action is not safe at all, it could cause unnecessary DoS to unintended target if IDS ever gets too smart.
The best solution with todays technology is still active alert (even better at real time) and have analysis by human to determine whether there was actually an attack.
Remeber, a lot of traffic is stange but there might be a legitimate reason behind it. Anyone remeber the faulty router at daemon.net?
Why This Won't Work (for many of us) (Score:3, Interesting)
Chris
Re:Why This Won't Work (for many of us) (Score:1)
So, no, there's not many machine which analyzes Gbit/s but if you separate this traffic to many devices, you just have more devices who analyzes and centralize the information.
Political satire. (Score:1)
Oh well.
Quack? (Score:1)
computer immune systems (Score:1)
This link might give some good reading:
http://www.cs.unm.edu/~immsec/ [unm.edu]
Sounds like Frame Relay/ATM/Traffic Shaping (Score:2)
It's a concept that has existed in Frame Relay/ATM, for example, for a decade (at least on StrataCom/Cisco) equipment. They use an algorithm called ForeSight(tm) on their core switches to throttle VC traffic in the case of congestion at the source. This later evolved into the ATM ABR standard, with input from other vendors.
In this type of automatic "biological" response, as long as no other traffic is attempting to use the bandwidth, the activity is permitted (who knows, it could be a "normal burst"). When other traffic is active, the offender is throttled back to to the source to its minimum rate.
While it doesn't stop the problem, it makes the offender ineffective at impacting service. As a result, it's no longer a "denial of service". Some more information on ForeSight and ABR in this whitepaper [cisco.com]. The functionality predates the BPX product mentioned in the whitepaper (the StrataCom IPX had it), but that's before Cisco purchased StrataCom.
Frame and ATM are "session oriented"; a PVC or SVC defined the communications along a path, so it's easy to define the parameters to control traffic characteristics. I'm not that familiar with IP QOS; is there an equivalent functionality that would apply? If so, could the problem be solved by making the attack "unattractive" (nondisruptive)?
Easy to spoof CAS (Score:1)