Enhancing network security with agility and awareness

Despite the U.S. government’s $7.3 billion investment toward IT infrastructure last year, the state of operational network security remains abysmal. While many devices can be entry points to network breaches, printers and other IoT devices have recently been receiving a lot of bad press.

According to one group of CyLab researchers, one reason for these shortcomings is that firewalls have very little information about where network traffic is coming from.

“A firewall cannot distinguish between a device like a printer or a camera from a normal laptop, because all it sees is an IP address,” says Tianlong Yu, a Ph.D. student in the Computer Science Department (CSD). “It does not have the context of the device attributes and the device activity and therefore cannot apply customized policies to different devices.”

In a paper presented at the Network and Distributed System Security Symposium in San Diego, Yu and a team of researchers presented a new architecture that addresses the context issue and other problems that exist in enterprise network security.

Another issue, the researchers say, is that networks lack the agility required to defend increasingly agile attackers.

PSI empowers defenders with more agile and more expressive security capabilities.

Vyas Sekar, Professor, Electrical and Computer Engineering, Carnegie Mellon University

“Nowadays, attackers can be quite dynamic,” says Yu. “They’re not using just one static approach to attack—they may use a multi-stage attack.”

In their framework, which they named “Precise Security Instrumentation” or PSI, a dedicated controller orchestrates the security policies for individual network devices, allowing them to react quickly to potential threats.

PSI architecture also isolates network defenses from other devices in the network to keep security policies from interfering with each other and affecting performance. Each device’s security postures are implemented via dedicated enforcement points, allowing them to be customized and separated by-design from security engines of other devices.

“Say a security administrator needs to enforce deep packet inspection,” Yu explains. “In current defense, all the web servers share resources, so the inspection will affect the performance of all web servers.”

Michael Collins, chief scientist at security company RedJack and a co-author on the study, helped simulate attack scenarios in the PSI framework and understand how they might affect users.

“PSI has the potential to push security decisions deeper into the network structure,” he says. “We will be able to create tighter decisions and more secure defenses.”

“In contrast to traditional solutions that have been stuck with a static fortress mentality, PSI empowers the defenders with more agile and more expressive security capabilities,” says Vyas Sekar, a professor in the Department of Electrical and Computer Engineering (ECE). “In many ways, we should view PSI not as a solution but really as a solution enabler for realizing novel detection and prevention capabilities that would be exceedingly difficult—if not impossible— with existing mechanisms.”

Other researchers on the team included ECE Ph.D. student Seyed Fayaz and CSD professor Srinivasan Seshan.