Risk Propagation Assessment for Network Security FOCUS SERIES IN NETWORKS AND TELECOMMUNICATIONS Series Editor Marcelo Dias de Amorim Risk Propagation Assessment for Network Security Application to Airport Communication Network Design Mohamed Slim Ben Mahmoud Nicolas Larrieu Alain Pirovano Firstpublished2013 inGreatBritainandtheUnitedStatesbyISTELtdandJohnWiley&Sons,Inc. Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permittedundertheCopyright,DesignsandPatentsAct1988,thispublicationmayonlybereproduced, storedortransmitted,inanyformorbyanymeans,withthepriorpermissioninwritingofthepublishers, or in the case of reprographic reproduction in accordance with the terms and licenses issued by the CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the undermentionedaddress: ISTELtd JohnWiley&Sons,Inc. 27-37StGeorge’sRoad 111RiverStreet LondonSW194EU Hoboken,NJ07030 UK USA www.iste.co.uk www.wiley.com ©ISTELtd2013 TherightsofMohamedSlimBenMahmoud,NicolasLarrieuandAlainPirovanotobeidentifiedasthe authorofthisworkhavebeenassertedbytheminaccordancewiththeCopyright,DesignsandPatents Act1988. LibraryofCongressControlNumber: 2012954206 BritishLibraryCataloguing-in-PublicationData ACIPrecordforthisbookisavailablefromtheBritishLibrary ISSN:2051-2481(Print) ISSN:2051-249X(Online) ISBN:978-1-84821-454-5 PrintedandboundinGreatBritainbyCPIGroup(UK)Ltd.,Croydon,SurreyCR04YY Contents LISTOFFIGURES . . . . . . . . . . . . . . . . . . . . . . . . . . ix LISTOFTABLES . . . . . . . . . . . . . . . . . . . . . . . . . . xiii INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . xv PART1.NETWORKSECURITY RISK ASSESSMENT . . . . . . . 1 CHAPTER1.INTRODUCTIONTOINFORMATIONSYSTEM SECURITY RISK MANAGEMENTPROCESS . . . . . . . . . . . . 3 1.1.Ontheimportanceofnetworksecurityfornetwork designers . . . . . . . . . . . . . . . . . . . . . . . . . . 5 1.2.Ontheimpactofriskassessment inthedecision-makingprocessfornetwork securitydesigners. . . . . . . . . . . . . . . . . . . . . . 6 1.3.Quantitativeversusqualitativerisk assessmentapproaches . . . . . . . . . . . . . . . . . . . 7 1.4.Networksecurityriskpropagationconcept . . . . . . . 10 1.4.1.Impactofnodecorrelation . . . . . . . . . . . . . . 10 1.4.2.Networksecurityrisktransitivity . . . . . . . . . . . 11 1.4.3.Networksecurityriskpropagation illustrativecase . . . . . . . . . . . . . . . . . . . . . 12 vi RiskPropagationAssessmentforNetworkSecurity CHAPTER2.SECURITYRISKMANAGEMENT BACKGROUND . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 2.1.Qualitativesecurityriskmanagementmethods . . . . . 18 2.1.1.CRAMM . . . . . . . . . . . . . . . . . . . . . . . . 18 2.1.2.OCTAVE . . . . . . . . . . . . . . . . . . . . . . . . 18 2.1.3.EBIOS . . . . . . . . . . . . . . . . . . . . . . . . . . 19 2.1.4.MEHARI . . . . . . . . . . . . . . . . . . . . . . . . 19 2.1.5.CORAS . . . . . . . . . . . . . . . . . . . . . . . . . 20 2.1.6.Discussion . . . . . . . . . . . . . . . . . . . . . . . 20 2.2.Quantitativesecurityriskassessmentapproaches . . . . 20 2.3.Towardaquantitativepropagation-basedrisk assessmentmethodology. . . . . . . . . . . . . . . . . . 25 CHAPTER3.AQUANTITATIVENETWORK RISK ASSESSMENTMETHODOLOGYBASED ONRISK PROPAGATION . . . . . . . . . . . . . . . . . . . . . . 27 3.1.Quantifyingmethodologyparameters . . . . . . . . . . 27 3.1.1.Networkriskdecomposition . . . . . . . . . . . . . 28 3.1.2.Nodevalue . . . . . . . . . . . . . . . . . . . . . . . 29 3.1.3.Enhancednodevalue . . . . . . . . . . . . . . . . . 30 3.1.4.Impactofthreats . . . . . . . . . . . . . . . . . . . . 30 3.1.5.Likelihoodofthreats . . . . . . . . . . . . . . . . . . 32 3.2.Networksecurityriskassessmentprocess . . . . . . . . 36 3.3.Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . 39 PART2.APPLICATIONTOAIRPORTCOMMUNICATION NETWORKDESIGN . . . . . . . . . . . . . . . . . . . . . . . . . 41 CHAPTER4.THEAEROMACSCOMMUNICATION SYSTEMIN THESESARPROJECT . . . . . . . . . . . . . . . . . . . . . . . 43 4.1.OverviewoftheEuropeanSESARproject. . . . . . . . 43 4.2.Overviewofaeronauticalcommunicationsoperating conceptandrequirements . . . . . . . . . . . . . . . . . 44 4.3.IntroductiontotheAeroMACScommunication system . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Contents vii 4.3.1.AeroMACSprotocolstack . . . . . . . . . . . . . . 48 4.3.2.AeroMACSreferencenetworkarchitecture . . . . . 50 4.3.3.AeroMACSsecurityconsiderations . . . . . . . . . 52 4.3.3.1. AnalysisofAeroMACSsecurity weaknesses . . . . . . . . . . . . . . . . . . . . 53 4.3.4.AeroMACSreferencenetworktopology . . . . . . . 55 4.3.4.1. IsolatedAeroMACSnetworkarchitecture . . 55 4.3.4.2. End-to-endAeroMACSnetworkarchitecture 56 CHAPTER5.AERONAUTICALNETWORKCASE STUDY . . . . . 59 5.1.Experimentalparameters . . . . . . . . . . . . . . . . . 59 5.1.1.Testbedinfrastructure . . . . . . . . . . . . . . . . . 59 5.1.2.Aeronauticalnodevaluesinstantiation . . . . . . . . 61 5.1.3.Aeronauticalservicesinstantiation . . . . . . . . . . 62 5.1.4.Isolatedvs.end-to-endemulationscenarios . . . . . 63 5.2.AeroMACScasestudy:experimentalresults . . . . . . 63 5.2.1.Maininputsforemulationscenarios . . . . . . . . . 63 5.2.2.IsolatedAeroMACSscenario:preliminaryresults . 63 5.2.2.1. Individualrisks . . . . . . . . . . . . . . . . . 63 5.2.2.2. Propagatedrisks . . . . . . . . . . . . . . . . . 68 5.2.2.3. Nodeandnetworkrisks . . . . . . . . . . . . . 70 5.2.3.IsolatedAeroMACSscenario:EAPvs.RSA sub-scenario . . . . . . . . . . . . . . . . . . . . . . 72 5.2.4.PreliminaryAeroMACSsecurityenhancement guidance. . . . . . . . . . . . . . . . . . . . . . . . . 76 5.2.5.AeroMACSimplementationimprovements:isolated scenariowithoutoperationalservervulnerabilities . 77 5.2.5.1. Experimentalinputs . . . . . . . . . . . . . . . 78 5.2.5.2. Networktopology . . . . . . . . . . . . . . . . 78 5.2.5.3. Vulnerabilitystatistics . . . . . . . . . . . . . 79 5.2.5.4. Individualriskresults . . . . . . . . . . . . . . 81 5.2.5.5. Propagatedriskresults . . . . . . . . . . . . . 81 5.2.5.6. Networkriskresults . . . . . . . . . . . . . . . 83 5.2.6.AeroMACStopologicalimprovements:isolated scenariowithtwoASNgateways . . . . . . . . . . . 84 5.2.6.1. Experimentalinputs . . . . . . . . . . . . . . . 84 viii RiskPropagationAssessmentforNetworkSecurity 5.2.6.2. Networktopology . . . . . . . . . . . . . . . . 85 5.2.6.3. Vulnerabilitystatistics . . . . . . . . . . . . . 85 5.2.6.4. Individualriskresults . . . . . . . . . . . . . . 85 5.2.6.5. Propagationriskresults . . . . . . . . . . . . . 87 5.2.6.6. Networkriskresults . . . . . . . . . . . . . . . 89 5.2.7.Scenariowithend-to-endAeroMACStopology . . 91 5.2.7.1. Experimentalinputs . . . . . . . . . . . . . . 91 5.2.7.2. Networktopology . . . . . . . . . . . . . . . . 92 5.2.7.3. Vulnerabilitystatistics . . . . . . . . . . . . . 93 5.2.7.4. Individualriskresults . . . . . . . . . . . . . . 95 5.2.7.5. Propagatedriskresults . . . . . . . . . . . . . 97 5.2.7.6. Networkriskresults . . . . . . . . . . . . . . . 97 5.3.ImprovingAeroMACSnetworksecurity . . . . . . . . . 99 5.3.1.DHCPsecurity . . . . . . . . . . . . . . . . . . . . . 101 5.3.2.MobileIPsecurity . . . . . . . . . . . . . . . . . . . 103 CONCLUSION . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 BIBLIOGRAPHY . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 List of Figures 1.1 Generalinformationsystemsecurityrisk managementprocess . . . . . . . . . . . . . . . . . . . . . 4 1.2 Risktransitivitybetweencorrelatednodes . . . . . . . . . 12 1.3 Networksecurityriskpropagationexample . . . . . . . . 14 4.1 COCRphases1and2conceptevolutionovertime . . . . 45 4.2 Generalairspacedecomposition . . . . . . . . . . . . . . . 46 4.3 Cleveland-HopkinsairportAeroMACStestbed . . . . . . 48 4.4 AeroMACSprotocolstack . . . . . . . . . . . . . . . . . . 49 4.5 AeroMACSnetworkreferencearchitecture . . . . . . . . 51 4.6 IsolatedAeroMACSnetworktopologyscenario . . . . . . 55 4.7 IntegratedAeroMACSnetworktopology . . . . . . . . . . 56 5.1 RiskassessmentframeworkusingMARIONNET . . . . . 60 5.2 Individualrisksforallnetworknodes . . . . . . . . . . . . 65 x RiskPropagationAssessmentforNetworkSecurity 5.3 Individualriskevolutionasafunctionof vulnerabilitiesforallnodes . . . . . . . . . . . . . . . . . 66 5.4 VulnerabilityCVSSstatistics . . . . . . . . . . . . . . . . 67 5.5 Propagatedriskevolutionasfunctionofconnected nodesforallnetworknodes . . . . . . . . . . . . . . . . . 69 5.6 Percentageofnetworkriskpernoderisk . . . . . . . . . . 70 5.7 ASNgatewaypropagatedriskcontribution perconnectednode . . . . . . . . . . . . . . . . . . . . . . 71 5.8 VulnerabilityCVSSscoredistribution forEAPandRSA . . . . . . . . . . . . . . . . . . . . . . . 73 5.9 Individualrisksforbasestations andtheASNgateway . . . . . . . . . . . . . . . . . . . . . 74 5.10 Propagatedrisksforallnodes(EAPvs.RSA) . . . . . . . 75 5.11 Percentageofnetworkriskpernoderisk (EAPvs.RSA) . . . . . . . . . . . . . . . . . . . . . . . . 76 5.12 AeroMACSnetworktopology: extendedisolatedscenario . . . . . . . . . . . . . . . . . . 79 5.13 ComparisonofCVSSscoredistribution(with andwithoutoperationalservervulnerabilities) . . . . . . . 80 5.14 Comparisonofpropagatedrisksasafunctionofthe numberofconnectednodes(withandwithout operationalservervulnerabilities) . . . . . . . . . . . . . . 82 5.15 Comparisonofthepercentageofnetworkrisk pernoderisk(withandwithoutoperational servervulnerabilities) . . . . . . . . . . . . . . . . . . . . . 84 ListofFigures xi 5.16 ThenewisolatednetworktopologyusingtwoASN gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 5.17 Comparisonofnetworkriskvalues . . . . . . . . . . . . . 90 5.18 WiMAXforumNWGend-to-endnetworkmodel . . . . . 93 5.19 FinalcomparisonofCVSSscoresdistribution . . . . . . . 94 5.20 Finalcomparisonoftotalnumberofvulnerabilities . . . . 94 5.21 FinalcomparisonofaverageCVSSscore . . . . . . . . . 95 5.22 Finalcomparisonofnetworkriskvalues . . . . . . . . . . 100 5.23 Finalcomparisonofthepercentage ofnetworkriskpernoderisk. . . . . . . . . . . . . . . . . 100 5.24 DHCPkeymanagementusingaDHCPrelay . . . . . . . 102 5.25 MobileIPregistration–PMIPcase . . . . . . . . . . . . . 105 5.26 MobileIPkeymanagement–PMIPcase . . . . . . . . . . 106 5.27 MobileIPregistration–CMIPcase . . . . . . . . . . . . . 107