Quality of Service Routing Metrics Based on Selected Aspects of Network Security

I.A. Almerhag and M.E. Woodward
{i.a.almerhag, m.e.woodward}@bradford.ac.uk
University of Bradford, Richmond Road, Bradford, UK, BD7 1DP

Abstract

Preserving data security is essential, especially when sending information over a network. Clearly, it has many important aspects like authentication, encryption, firewalls, etc. However, the computing community has not yet agreed on a standard method to measure data security, and consequently to date no specific security metric has been defined for routing purposes. In this paper, available and running network security technologies, namely access control, authentication and encryption, are used to define routing metrics based on network security. These metrics are believed to be good, reasonable and practical, because authentication is regarded as the first line of defence against intrusion, cryptography is the key tool that ensures secure transmission of data while traversing the network, and access control systems help in guaranteeing the availability of services being delivered by the information system. Each metric thus represents one of the three goals of security (confidentiality, integrity and availability) and demonstrates the level of achievement in preserving that goal.

Keywords Access control, Authentication, Encryption, Firewalls, Network Security, Quality of Service, Routing Metric.

Introduction

Since the Internet has been publicised there has been a significant, and rapidly growing, interest in being part of this society. The Internet consists of more than 50,000 interconnected networks and all their users; that number exceeded 650 million in Sep 2002 and was expected to reach a billion in 2005. By connecting to the Internet one may gain access to a massive amount of data and be able to share, exchange and/or publish information. Therefore, securing data while it travels over the network has become a great concern to network professionals, especially over the last few years following the growth in use of the web in businesses [1]. This paper details how three aspects of security (access control, authentication and encryption) can be integrated to define a security metric for quality of service (QoS) routing purposes.

Background

A. CIA Concept

Generally, the need for information security and trust in computer systems is described in terms of three fundamental goals: Confidentiality, Integrity and Availability (or Access), as illustrated in figure 1 below.

Fig. 1 Relationship between CIA elements and security.

WP05/1

Confidentiality involves control over who has access to information. Integrity assures that information and programs are changed only in a specified and authorized manner, so that computer resources operate correctly and that the data in them is not subject to unauthorized changes. Availability refers to the readiness of a system for use, that is, making information available to the users who need it, when they need it. The data sent across the network should be guaranteed to reach the destination unchanged and complete (nothing is missed or added). Doing so requires ensuring that all parts of the network are functioning properly and that they are accessible only to authorised personnel. Authentication, Authorisation and Accountability, known as the three A's of privacy, are used as a yardstick for measuring the security of an information system. In an attempt to assure the 3A's of privacy one has to maintain and preserve the CIA of the information at all system levels: physical (securing the hardware), procedural (how people do their jobs) and logical (the security software) [2,3].

B. Encryption

Encryption is the technique most widely used in data communication systems to enhance the security and privacy of information. It is the process of transforming the original message (plain-text) into a scrambled data format (cipher-text) so that only authorized people can have access to the information.

i. Encryption Algorithms

Every cryptosystem consists of two major parts: the algorithm and the key. Together they determine how strong the cryptosystem is. In this study we will assume that the algorithm is perfect; in other words, it has no known weaknesses of its own. Perfect encryption algorithms are vulnerable to a brute-force attack only. Under such circumstances the attacker has to try all possible keys to find the correct bit combination (key) necessary to restore the original information [4].

All known cryptographic systems fall into one of the following two categories: symmetrical (secret) key systems or asymmetrical (public) key systems. Data Encryption Standard (DES) and Rivest Shamir Adleman (RSA) respectively are the best examples of these systems. Figure 2 shows how the encryption/decryption process takes place in each system.

Fig.2 (a) Symmetrical and (b) Asymmetrical key system

The symmetric key system uses the same key both to encrypt the original message and to decrypt the scrambled text; therefore both sender and receiver must own the same key. This implies that the key should be kept secret, exchanged securely, changed frequently and never sent over the same channel as the message. In other words, such a system relies on good and firm key management policies [5]. The asymmetric key system generates two different keys for each user, each longer than a symmetric key: one is "private", and it is the user's responsibility to keep it secret, while the other, the "public" key, is available to all users.


Two different modes are possible in asymmetric key systems: public key cryptography and the "digital signature". The first uses the recipient's public key to encrypt the message; the second uses the sender's private key instead. These systems resolved the key management problem, but run longer and consequently require more processing power [6].

ii. Encryption and network security

Each time data (even a single packet) is sent over a communication network it may take a different path to reach its destination; usually this path consists of a number of nodes connected via communication links. During such a trip from source to destination each node will temporarily store, encrypt/decrypt or possibly process, in one way or another, that data. The data basically consists of the actual message and a header that specifies the destination's address. All available approaches rely on encryption techniques to transmit data across a network securely, both in a node and over a link; two of the most common solutions in use nowadays are outlined below:

Link encryption: encrypts data before sending it over the communication link. The next node on the route decrypts the data in order to access the header and decide which route to follow, then encrypts it again before sending it out, and so on. At each stage the node uses its own key for encryption and decryption.

End-to-end encryption: deals with the message and the header differently; it encrypts the first and leaves the second as plain text. Since the header is available as plain text to the intermediate nodes, the message is deciphered only at the final destination.

End-to-end encipherment is considered to be faster because it applies the encryption/decryption operations only twice (at source and destination), whilst the link encryption method applies it at all nodes on the path and is also more secure than the end-to-end encryption method, as nodes temporarily store the data as plain text, which is a great risk.
The main disadvantage of this approach is that somebody can perform a "traffic flow analysis", as the header is always in plain text format. In other words, one may monitor when and how information is exchanged on the network [7].

C. Router Authentication

Neighbour router authentication, or simply "router authentication", is a mechanism used to guarantee that all topology change updates are received from a trusted party. It plays a very important role in enhancing the overall security of an organisation's network. Several routing protocols are capable of benefiting from router authentication; examples of such protocols are IGRP, IS-IS, OSPF and RIP-V2. A fabricated route update could be forwarded to the targeted router deliberately, to force it to redirect all the traffic going out of that router to a malicious destination. That traffic probably contains important and/or confidential information. Such an attack is avoidable if all the involved routers are configured to use neighbour authentication, as router authentication can stop spoofing and routing attacks [8]. Routers configured to use neighbour authentication agree on a secret key before any authentication process may take place. Every time a participating router receives a route update it authenticates the source of every packet using the authentication key. Then the router decides either to accept that packet or to reject it. Two authentication scenarios are possible: plain text authentication and message digest version 5 (MD5) authentication. Although the former technique is simple and easy to configure, it is weak and vulnerable to common attacks. The latter, however, is more sophisticated and recommended. Both algorithms are identical in the way they work; still, each of them uses a different method to exchange the secret key. Basically, the first method transmits the actual key in a plain text format over the same channel that carries the data. On the other hand, the second approach sends a message digest generated using the key but never communicates the key itself [9]. The MD5 algorithm is based on a one-way hash function which produces a 128 bit hash from the original message. Clearly, routers using plain text authentication are as vulnerable to update attacks as those routers that are not configured for router authentication. In contrast, it is well known that MD5 is vulnerable to exhaustive key search attack only [4].

D. Access Control

This includes the use of access control lists (ACL), intrusion detection/prevention systems (IDS/IPS) and firewalls to enhance the overall level of network security. This is achieved by examining every single packet of the incoming and outgoing traffic against predefined criteria, which results in either forwarding that packet or dropping it. Usually access control lists are configured on perimeter routers, also known as "firewall" routers, which are often situated at the edges of an enterprise network. Routers installed between two LANs also use access lists to control how traffic flows to and from specific parts of the internal network. Lists can control inbound traffic, outbound traffic or both on an interface; therefore, to benefit from traffic filtration techniques, at least border routers should be configured to use access lists. Basically, an access list must be configured for each enabled network protocol on the router interface [10]. Routers are configurable to behave as a firewall and/or as an IDS; either configuration can prevent a subset of the whole set of known attacks against computer networks. For example, firewalls can protect the network from routing based attacks, like source routing and path redirecting to malicious sites using Internet control message protocol (ICMP) redirects [11]. Intrusion detection systems, on the other hand, detect with high accuracy only those attacks with known patterns, like denial of service attacks, and then inform administrators of the incidents [12].

Fig 3: the percentage of known attacks that a firewall/IDS can prevent/detect.

Assume that a properly configured firewall router will eliminate 84% of common breaches and an IDS will protect the system from 79% of known attacks, as shown in figure 3. Clearly, there will be a significant number of attacks that are preventable by both techniques; this leads to the conclusion that this network is vulnerable to only 3% of the total number of known attacks. For the sake of this study, we assumed that this data is available to system administrators, and we believe that such information may be calculated based on historical data collected over a specified period of time. Furthermore, a routing algorithm may be designed to do that automatically and dynamically (online) during the normal operation of the network.

The security metrics

A routing metric is defined in [13] as: "A number associated with a route indicating the goodness of the route. If a router has learned more than one route to a destination using the same routing protocol, the route with the lowest metric is considered the best route."


In the above context “goodness” is defined in terms of the level of security the chosen path can maintain; basically the metric value of the selected route has to be the best (i.e. having the minimum degree of vulnerability or the maximum level of security) amongst the available routes. Jelen also stated that good metrics are those known to be Specific, Measurable, Attainable, Repeatable, and Time-dependent (SMART) [14]. Precisely, useful security metrics are those that can show the degree to which goals, like data confidentiality, are being achieved and hence drive the improvement of the whole security program. Specifically, security metrics are defined as the means of indicating the extent to which certain security attributes are present [15]. In previous studies [16, 17, 18, 19, 20] the notion of a security metric was mentioned for the sake of developing multi-metric routing algorithms. Since it was beyond the scope of their work and because the problem was poorly researched, the metric they used was oversimplified and imprecisely defined; it was represented using a single-valued metric. While [16, 19] proposed a value between 0 and 1, in [20] a binary value was used. Moreover, different authors apply different composition rules: [16] claimed that security is an additive metric, but [20] dealt with it as a binary metric and [19] as a bottleneck (concave) metric. Among the different security aspects, router authentication, encryption (namely the key size) and access control systems have been used to define the new metrics. We tried to incorporate the most important issues of network security in the new metrics. The selected features are those that can demonstrate to what extent the three goals of data security (CIA) can be maintained.

Use of the metrics

Wang and Crowcroft defined three types of metrics: additive, concave and multiplicative; they are also known as composition rules. Typically each metric obeys a single composition rule; for example, delay is additive, bandwidth is concave and probability of packet loss is multiplicative [21]. The security metric is composed of three components. There are two approaches to deal with this situation: either combine the three metrics into a single value or leave them as separate metrics. While the compound metric represents the whole situation using a single value, which eases the process of path computation, the latter choice is preferable since it preserves the details of every measured network characteristic that is captured by each metric. The three sections below explain the different composition rules that each metric follows, where $W_P$ is the metric value of the entire path and $W_n$ is the weight of link $n$:

• Neighbour router authentication: Here three situations are possible. Router authentication on a router is either configured or not, and when it is configured to authenticate other peer routers the key can be exchanged either in plain text format or using MD5. The first two methods (not configured and plain text) are believed to be vulnerable to the attacks mentioned earlier. However, when MD5 is used to exchange keys, that link is considered to be secure. Therefore, this metric will follow a binary composition rule. That is, the metric value is true (or 1) if the router is using MD5 and false (or 0) otherwise. Then the path value is equal to

$$W_P = W_1 \cup W_2 \cup W_3 \cup \dots \cup W_n, \qquad W_i = \begin{cases} 1 & \text{if MD5 authentication is used} \\ 0 & \text{otherwise} \end{cases} \qquad (1)$$

• Encryption is treated as a bottleneck characteristic, so it will follow the concave composition rule. In terms of this metric, a path is considered to be as secure as the weakest link amongst those links forming the path. In [22] a security metric has been defined based on the key length used in the encryption/decryption process; the metric is called the degree of vulnerability (DoV) and carries a value between zero and one, where zero denotes a secure link and vice versa. Precisely, if the data sent over a link is encrypted using a key that is not breakable for the next 30 years, that link is considered a secure link.

$$W_P = \operatorname{Min}[W_1, W_2, W_3, \dots, W_n], \qquad W_i = \begin{cases} 1 & \text{if the key size used is below the recommended size} \\ 0.99 - 0.033 \times Y & \end{cases} \qquad (2)$$

where $Y$ is the time in years the key can retain secure communication.

• Access control: the trust in a certain message (or packet) is directly proportional to the number of nodes it passes through while travelling from source to destination, given that those nodes employ the filtration techniques mentioned earlier, because a packet that encounters a series of checks at each node becomes more trustworthy. Each node along the path may include a firewall and/or an IDS. So the metric value ($W_i$) of all links leaving that node is given by equation (3), where $P_{fw}$ and $P_{IDS}$ respectively are the probability that the firewall will not prevent and the IDS will not detect the attack. This metric follows a multiplicative composition rule and the path's metric value is given by the following equation.

$$W_P = 1 - [W_1 \times W_2 \times W_3 \times \dots \times W_n], \qquad W_i = P_{fw} + P_{IDS} - (P_{fw} \times P_{IDS}) \qquad (3)$$
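The three composition rules of equations (1) to (3), evaluated as printed over the candidate paths of a small topology and kept as separate metrics. This is an added example, not code from the paper: the topology and link values are constructed, reading ∪ in equation (1) as a logical OR over 0/1 weights and clamping equation (2) to [0, 1] are assumptions, and the 0.16/0.21 probabilities are the complements of the 84%/79% firewall/IDS figures assumed in the text.

```python
from dataclasses import dataclass
from math import prod
from typing import Optional


@dataclass(frozen=True)
class Link:
    md5_auth: bool              # neighbour authentication uses MD5
    key_years: Optional[float]  # Y in eq. (2); None = key below recommended size
    p_fw: float                 # P_fw: firewall does not prevent the attack
    p_ids: float                # P_IDS: IDS does not detect the attack


# Constructed directed topology (assumption, not from the paper).
LINKS = {
    ("A", "B"): Link(True, 30, 0.16, 0.21),
    ("B", "D"): Link(True, 30, 0.16, 0.21),
    ("A", "C"): Link(False, 10, 0.30, 0.40),
    ("C", "D"): Link(True, None, 0.16, 0.21),
}


def auth_weight(link):
    """W_i of eq. (1): 1 if MD5 authentication is used, 0 otherwise."""
    return 1 if link.md5_auth else 0


def dov_weight(link):
    """W_i of eq. (2): degree of vulnerability from the key lifetime Y."""
    if link.key_years is None:
        return 1.0
    # Clamping to [0, 1] is an assumption; the text only says DoV lies there.
    return min(1.0, max(0.0, 0.99 - 0.033 * link.key_years))


def filter_weight(link):
    """W_i of eq. (3): P_fw + P_IDS - P_fw * P_IDS."""
    return link.p_fw + link.p_ids - link.p_fw * link.p_ids


def path_metrics(nodes):
    """Apply the binary, concave and multiplicative rules to one path."""
    links = [LINKS[hop] for hop in zip(nodes, nodes[1:])]
    return {
        # Eq. (1): union of 0/1 values, read here as logical OR (assumption).
        "authentication": max(auth_weight(l) for l in links),
        # Eq. (2): Min over the link weights, as printed.
        "encryption": min(dov_weight(l) for l in links),
        # Eq. (3): 1 minus the product of the link weights.
        "access_control": 1 - prod(filter_weight(l) for l in links),
    }


def simple_paths(src, dst, seen=()):
    """Yield every loop-free path from src to dst as a tuple of nodes."""
    seen = seen + (src,)
    if src == dst:
        yield seen
        return
    for a, b in LINKS:
        if a == src and b not in seen:
            yield from simple_paths(b, dst, seen)


def evaluate_paths(src, dst):
    """Map each candidate path to its three separate metric values."""
    return {"-".join(p): path_metrics(p) for p in simple_paths(src, dst)}


if __name__ == "__main__":
    for name, metrics in evaluate_paths("A", "D").items():
        print(name, metrics)
```
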

Conclusion

Measuring the level of security of a certain path is a complicated problem, because of the nature of the problem. This work suggests how router authentication, key length and traffic filtration techniques can be used to define security metrics that could be used by routing algorithms to find the most secure path within interconnected networks. Each metric follows a different composition rule: the first is binary, the second is concave and the last is multiplicative. Ensuring a specified level of security for a network transaction can thus be treated as a multiple metric QoS routing problem.

References

[1] Brookhaven National Laboratory, “About Strong Authentication & One-Time Passwords”, 2003; URL: http://www.bnl.gov/cybersecurity/strong_auth.asp
[2] University of Purdue, “RASC: Confidentiality, Integrity and Availability (CIA)”, 2004, URL: http://www.itap.purdue.edu/security/files/documents/RASCCIAv13.pdf
[3] The Information Security Glossary, “Confidentiality, integrity and availability”; URL: http://www.yourwindow.to/information-security/gl_confidentialityintegrityandavailabili.htm
[4] B. Schneier, “Applied Cryptography: Protocols, Algorithms and Source Code in C”, NY: John Wiley & Sons, 1994.
[5] M. Hendry, “Practical Computer Network Security”, Norwood, MA: Artech House, 1995.
[6] M. Devargas, “Network Security”, Manchester, England: NCC Blackwell, 1993.
[7] J. Lubbe, “Basic Methods of Cryptography”, Cambridge: Cambridge University Press, 1998.
[8] R. A. Deal, “Cisco Router Firewall Security”, Indianapolis, USA: Cisco Press, 2005.
[9] Cisco Systems Inc, “Cisco IOS Security Configuration Guide, Release 12.2”, Cisco, 1992-2005.
[10] Cisco Systems Inc, “Internetworking Technologies Handbook”, Cisco Systems, Inc., 2002.
[11] M. Goncalves, “Firewalls Complete”, McGraw-Hill, 2002, URL: http://www.secinf.net/firewalls_and_VPN/Firewalls_Complete/
[12] E. Biermann, E. Cloete, and L.M. Venter, “A Comparison of Intrusion Detection Systems”, Computers & Security, vol. 20, no. 8, pp. 676–683, 2001.
[13] B. Parkhurst, “Routing first-Step”, Indianapolis, USA: Cisco Press, 2005.
[14] G. Jelen, “SSE-CMM Security Metrics”, (Washington, D.C.), NIST and CSSPAB, 2000.
[15] S. Payne, “A Guide to Security Metrics”, URL: http://rr.sans.org/audit/metrics.php, 2001.
[16] A.M. Alkahtani, M.E. Woodward and K. Al-Begain, “The Analytic Hierarchy Process Applied to Best Effort QoS Routing with Multiple Metrics: a comparative evaluation,” in Personal Mobile Communications Conference, 2003. 5th European (Conf. Publ. No. 492), pp. 539–544, 2003.
[17] M. Baltatu, A. Lioy, F. Maino and D. Mazzocchi, “Security Issues in Management, Control and Routing Protocols,” Computer Networks, vol. 34, pp. 881–894, 2000.
[18] B. R. Smith and J. J. Garcia-Luna-Aceves, “Efficient Security Mechanisms for the Border Gateway Routing Protocol,” Computer Communications, vol. 21, no. 3, pp. 203–210, 1998.
[19] A. Alghannam, M.E. Woodward and J. Mellor, “Security as a QoS Routing Issue,” in PGNET 2001 symposium, Liverpool John Moores University, 2001.
[20] M.M. Al-Fawaz and M.E. Woodward, “QoS Routing With Multiple Constraints,” in Delson Group Inc. World Wireless Congress, (San Francisco, USA), 2002.
[21] Z. Wang and J. Crowcroft, “Quality-of-Service (QoS) Routing for Supporting Multimedia Applications,” IEEE Journal on selected areas in communication, vol. 14, pp. 1228–1234, Sept. 1996.
[22] I.A. Almerhag and M.E. Woodward, “Key Length as a QoS Routing Metric,” in Sixth informatics workshop (D. Rigas, ed.), (Bradford, West Yorkshire, UK), pp. 23–24, University of Bradford, March 2005.
