NATIONAL INFORMATION NETWORK SECURITY SHIELD (aka Dejafa, Dezhfa) Component Details


Dezhfa (also spelled Dejafa or Djafa) is a set of systems that monitor threats, increase the ability of the Maher center (Iran's computer emergency response and coordination center, CERTCC) to respond to cyber attacks, and coordinate computer incident operations; it plays a critical role in Iran's national CERT (CERT.IR). The components of this system are:

• National Telephony System
• Native Explorer System
• Native Samat System
• Bina native system
• Native Checkup System
• Syman native Systems
• Native System
• Sina Public System (PTAAS)
• Native Strain System (IDS)
• Umbrella Safe System

DETAILS ON EACH BELOW

More on Dezhfa

The Dezhfa project (National Information Network Security Shield) is a project that, alongside the development of technology, protects people's privacy and aims to combat cyber attacks, support the continuity of digital services, prevent fraud, disseminate information, and detect malware. The plan now includes the following projects:

• Telephony (malware trap) system: malware detection and collection.
• Native Browser (Explorer) system: scanning suspicious files with anti-malware.
• Native Samat system: deployment of distributed defenses to detect and mitigate the impact of DDoS attacks.
• Bina native system: centralized collection of bots and vulnerabilities in the country's IP space.
• Native Checkup system: security assessment of SSL certificates, DNS servers and internet modems.
• Syman native system: web system intrusion testing and simulation.
• Native (Dana) system: scanning the information of the country's entire IP space.
• Sina native system: providing an automated security assessment service on the web platform.
• Sadid native system: intrusion detection in Siemens-based industrial networks.
• Secure Umbrella system: providing a DNS service that deletes the records of bot networks.

The Dezhfa plan (National Information Network Security Shield) is a plan that, alongside the development of technology, protects people's privacy, and its aim is to confront cyber attacks, support the continuity of digital services, prevent fraud, disseminate information and identify malware. The plan currently comprises 10 sub-projects, which include: the Tele-afzar (malware trap) system: identifying and collecting malware. The native Kavoshgar (Explorer) system: scanning suspicious files with anti-malware.
The native Samat system: countering distributed denial of service, to detect and reduce the effect of DDoS attacks. The native Bina system: centralized collection of bots and vulnerabilities in the country's IP space.
The native Checkup system: assessing the security of SSL certificates, DNS servers and internet modems. The native Saiman (Syman) system: training and simulation of web system penetration testing. The native Dana system: scanning the information of the country's entire IP space. The native Sina system: providing an automated security assessment service on the web platform.
The native Sadid system: intrusion detection in Siemens-based industrial networks. The Secure Umbrella system: providing a DNS service that deletes the records of bot networks.



What is a fortress or an “IT fortress”?

On 29 May 1398 (Communications Day), Mohammad Javad Azari Jahromi unveiled a security project called "Dezhfa" at the Milad Tower hall. According to the young IT minister, the Dezhfa project, intended to protect the country's information security and digital infrastructure, will act as a "national information network security shield". The Dezhfa project is a national information network security shield that, alongside the development of technology, protects people's privacy and aims to combat cyber attacks, support the continuity of digital services, prevent fraud, disseminate information, and detect malware.

In the process, he said, 20 billion tomans have been spent on "research" and 30 billion tomans on "operational" costs, which will be allocated gradually. The Dezhfa shield has 10 sub-projects and 7 ongoing projects. Engineer Azari Jahromi also emphasized that "our defensive capability has been strengthened more than 30 times".

It is worth noting that one of the above-mentioned 10 projects is a project called "malware traps", which has been unveiled and has been able to capture malware such as WannaCry and Mirai, both described as ransomware, which previously attacked the country's infrastructure. He also added that the Dezhfa shield project is one of the largest security projects in the world in the last 15 years.

The Dezhfa shield is a set of systems under development to monitor the status of threats, increase the ability of the Maher center to respond to cyber damage, and coordinate the country's computer incident operations; it plays the role of Iran's national CERT.

The components of the Dezhfa system include:

  • National Telephony System
  • Native Explorer System
  • Native Samat System
  • Bina native system
  • Native Checkup System
  • Syman native system
  • Native Native System
  • Sina Public System (PTAAS)
  • Native Strain System (IDS)
  • Umbrella Safe System

As mentioned earlier, the Dezhfa project currently consists of about 5 systems, which are expected to be expanded to five services in the future. Below I give a brief overview of each of these components or native systems.

Telephony System

The task of this system, also known as the "National Malware Trap" or "Honeynet", is to detect and collect malware. Around 5,000 nodes are installed nationwide, and all of these nodes observe the country's address space. The system monitors and receives malware that infiltrates the country's infrastructure at various locations, and can display infections across the entire national infrastructure with a very low error rate. Now the question is, what exactly is this project and what background does it have? In response, I should point out that the implementation of the "Dezhfa" system includes the "National Honeynet" (around 9,000 nodes are installed nationwide, all observing the country's space). But what is a "honeynet"? Let us first take a look at the concepts of honeypot and honeynet.

What is a Honeypot?

A honeypot is a simulated, deliberately penetrable system used in computer networks to capture intruders and record their intrusions, or to collect malware sent by infected computers. A honeypot can be likened to a trap that server administrators often use to mislead attackers: when an attacker gets caught in such a trap, he thinks he is hacking the server, but in fact his every step is being watched by the server administrators. Using a honeypot can increase the security of a computer network. A set of honeypots deployed across different subnets forms a honeynet.
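To make the honeypot/honeynet distinction concrete, here is an added example (not code from Dezhfa, Dionaea or honeynet.ir): a minimal low-interaction sensor that never serves a real service and only records who connected, on which port, and what bytes arrived, plus an aggregator that joins several sensors into one honeynet view (unique samples by SHA-256, top sources, port histogram). The `serve()` function binds a real TCP socket so a sensor can be run for real; the `demo()` function feeds constructed traffic offline. All addresses, sensor names and payloads are constructed.

```python
# Minimal low-interaction honeypot sensor plus a honeynet aggregator.
# Added illustration (not Dezhfa, Dionaea or honeynet.ir code); every
# address, sensor name and payload below is constructed test data.
import hashlib
import socketserver
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class CaptureEvent:
    sensor: str      # which honeypot node saw the connection
    peer_ip: str     # source address of the connecting host
    dst_port: int    # service the honeypot was pretending to offer
    sha256: str      # digest of the bytes the peer sent
    size: int


@dataclass
class HoneypotSensor:
    """One node: it never serves a real service, it only records what arrives."""
    name: str
    events: list = field(default_factory=list)
    samples: dict = field(default_factory=dict)   # sha256 -> captured bytes

    def handle(self, peer_ip: str, dst_port: int, payload: bytes) -> CaptureEvent:
        digest = hashlib.sha256(payload).hexdigest()
        if payload and digest not in self.samples:
            self.samples[digest] = payload        # keep one copy per unique sample
        event = CaptureEvent(self.name, peer_ip, dst_port, digest, len(payload))
        self.events.append(event)
        return event


def serve(sensor: HoneypotSensor, host: str, port: int) -> None:
    """Expose one sensor on a real TCP socket (not used by the offline demo below)."""
    class Handler(socketserver.BaseRequestHandler):
        def handle(self):
            data = self.request.recv(65536)       # read one blob, answer nothing
            sensor.handle(self.client_address[0], port, data)

    with socketserver.TCPServer((host, port), Handler) as srv:
        srv.serve_forever()


class Honeynet:
    """Aggregates many sensors so one infection wave shows up as one picture."""

    def __init__(self):
        self.sensors = {}

    def add(self, sensor: HoneypotSensor) -> None:
        self.sensors[sensor.name] = sensor

    def unique_samples(self) -> set:
        return {h for s in self.sensors.values() for h in s.samples}

    def top_sources(self, n: int = 3) -> list:
        counts = Counter(e.peer_ip for s in self.sensors.values() for e in s.events)
        return counts.most_common(n)

    def port_histogram(self) -> dict:
        return dict(Counter(e.dst_port for s in self.sensors.values() for e in s.events))


def demo() -> Honeynet:
    """Constructed traffic: one worm payload hitting two sensors, plus a web probe."""
    worm = b"\x90" * 16 + b"CONSTRUCTED-WORM-PAYLOAD"
    probe = b"GET / HTTP/1.0\r\n\r\n"
    north = HoneypotSensor("sensor-north")
    south = HoneypotSensor("sensor-south")
    north.handle("192.0.2.10", 445, worm)
    north.handle("192.0.2.10", 445, worm)         # same sample again: stored once
    south.handle("192.0.2.10", 445, worm)
    south.handle("198.51.100.7", 80, probe)
    net = Honeynet()
    net.add(north)
    net.add(south)
    return net
```

The point of the aggregator is the one the article makes about the national honeynet: a single sensor sees two connections, but only the combined view shows that one source is sweeping several networks with the same binary.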

The National Honeynet, which aims to record computer-system security vulnerabilities and attack types in the country, was defined as a national project in 2010 with around 2,000 sensors that trap an average of 1,600 malware samples per month. The Iranian Information Technology Organization is responsible for the Iran National Honeynet project, and the Computer Incident Management Center of Iran (Maher) has announced that it is ready to launch and deploy honeypot systems and join the country's honeynet.
The Honeynet project was implemented in various government agencies, including the West Azerbaijan Tax Administration, in 2011. Fars Science and Technology Park also joined the Iranian National Honeynet in January 2011.

The Iran Honeynet project specifications were posted on honeynet.ir before 2015, but for about 5 years the site has unfortunately not been updated, and there is no news of the project's latest state of progress in recent years.

Now the question is: why could the HNI network, which has been installed and operated by many Iranian organizations and institutions for the past 9 years and which, according to the Maher center, has around 2,000 sensors, not block the WannaCry ransomware when it attacked internal networks? This is in complete contradiction with the assertion of Mr. Tasimi, the head of the Maher center.
Another question is whether this honeypot was written by the Maher center itself. The answer is no: it actually uses a honeypot known as Dionaea, which is open source.

Native System “Probe”

Scanning suspicious files with anti-malware. The "Browser" (Explorer) system is in fact a malware protection system whose job is to scan suspicious files with anti-malware engines.

But what is the native “explorer” system and where did it come from?

The native "explorer" system, also referred to as "virus mining" (Virus KAV), is offered online by the Maher center and acts as the anti-virus and anti-malware infrastructure of the "Dezhfa Shield". The Virus KAV system, seen in the Dezhfa project, is a free service provided to all public and private organizations, businesses and users, and it is served online from the Maher center's site.

The system has four different anti-virus engines installed, allowing the user to scan the system for infections and suspicious files when connected. Although the Virus KAV system is not a new kind of security service in the world, and other countries offer similar services, domestically it is important because it is provided free of charge by the Maher center of the Ministry of Communications. The anti-virus products, hardware and bandwidth were allotted and licensed so that the service could be made available for free for system security testing.
It should be noted that the Virus KAV system was launched as a malware scanner by the Computer Incident Relief and Operations Coordination Center (Maher). The virus detection system (a multi-engine malware scanner) detects suspicious files by starting with 4 anti-virus engines, with a planned upgrade to 30 anti-virus engines per day. In fact, this "anti-virus mining" system works almost like the VirusTotal site, but uses fewer anti-virus engines.
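The multi-engine idea is simple to show in code. The following is an added example, not the Virus KAV or VirusTotal implementation: three deliberately tiny "engines" (a SHA-256 blocklist, a byte-pattern signature scan, and an entropy heuristic for packed PE-like files) run over the same bytes, and a report combines their verdicts into the familiar "detections / engines" ratio. Every hash, signature, threshold and sample file here is constructed; a real service would call vendor engines in place of these functions.

```python
# Toy multi-engine scanner in the style of a VirusTotal-like service.
# Added illustration, not the Virus KAV / Dezhfa code; the three "engines"
# are deliberately simple and every signature, hash and sample is constructed.
import hashlib
import math
import random
from collections import Counter

# Engine 1: hash blocklist, the cheapest check a multi-engine service runs first.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"CONSTRUCTED-KNOWN-BAD-SAMPLE").hexdigest()}

# Engine 2: byte-pattern signatures, the classic anti-virus approach.
SIGNATURES = {"Test.Marker.A": b"CONSTRUCTED-TEST-SIGNATURE"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; near 8.0 means packed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def engine_hash(data: bytes):
    digest = hashlib.sha256(data).hexdigest()
    return "Blocklisted.Hash" if digest in KNOWN_BAD_SHA256 else None


def engine_signature(data: bytes):
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def engine_heuristic(data: bytes):
    # Engine 3: MZ header followed by a near-random body looks like a packed PE.
    if data[:2] == b"MZ" and shannon_entropy(data[2:]) > 7.2:
        return "Heuristic.Packed"
    return None


ENGINES = {"hashdb": engine_hash, "sigscan": engine_signature, "heur": engine_heuristic}


def scan(data: bytes, engines=ENGINES) -> dict:
    """Run every engine and aggregate, like the per-file report of a multi-engine site."""
    verdicts = {name: fn(data) for name, fn in engines.items()}
    hits = sum(1 for v in verdicts.values() if v)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "verdicts": verdicts,
        "detections": hits,
        "engines": len(engines),
        "ratio": f"{hits}/{len(engines)}",
    }


def constructed_samples() -> dict:
    """Four constructed files, one per outcome (seeded so the result is reproducible)."""
    rng = random.Random(20200329)
    packed = b"MZ" + bytes(rng.getrandbits(8) for _ in range(4096))
    return {
        "benign.txt": b"Quarterly report: all systems nominal.\n",
        "known_bad.bin": b"CONSTRUCTED-KNOWN-BAD-SAMPLE",
        "marker.exe": b"MZ" + b"\x00" * 64 + b"CONSTRUCTED-TEST-SIGNATURE",
        "packed.exe": packed,
    }


def scan_all() -> dict:
    return {name: scan(data) for name, data in constructed_samples().items()}
```

Note that each sample trips a different engine: this is exactly why a multi-engine service is more useful than any single scanner, and also why a "1/30" result needs a human to read the verdict names rather than just the ratio.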

Note: VirusTotal is a site where you can upload suspicious files; they are scanned by various anti-virus engines from around the world, and the scan result is shown to you.

Using this system, launched by the Maher IT center affiliated with Iran, a user who encounters a suspicious file on the internet or on their computer, or receives an email with a suspicious attachment, can upload the relevant file to the system and view its scan results from the different anti-virus engines.

The security and confidentiality of uploaded files are taken into account, and the anti-virus software can be used completely offline.

The virus mining system, which was previously available at scanner.certcc.ir (but for some reason is not currently available to the public), was commissioned by the Center for Applied Research at Amirkabir University of Technology. The anti-virus engines themselves were not written by Maher center specialists; the Virus KAV system merely detects suspicious files by submitting them to a number of anti-virus products, and is essentially a GUI and reporting layer.

Native Samat System

The Samat system is a DDoS mitigation system: it deploys distributed defenses to detect and mitigate the effects of DDoS attacks within the Dezhfa shield. It is being developed at one of the universities' research centers and has been tested at the laboratory level, and is ready to be tested at more serious levels and with heavy traffic. It can help internet operators (FCPs) and digital businesses against DDoS attacks. It has no other native counterpart, but it does have a number of foreign competitors, alongside which it can effectively serve users of the National Information Network.

Bina native system

This system is responsible for the centralized collection of bots and vulnerabilities in the country's IP space. As you know, botnet attacks come in different types, including:

1. Direct attack: In this type of attack, the attacker issues commands directly to a series of zombie systems (computers on the network that he has previously taken control of).

2. Indirect (centralized) attack: In this type of attack, instead of giving instructions directly to the zombies, the attacker uses a base system that interacts with the zombie systems. The base system, which can be an FTP server, Skype, social networks, mail servers, etc., receives the attacker's commands and forwards them to the zombies. The base system in this type of attack is called the Command and Control, or C&C, system: C&C systems are the platform for exchanging messages and commands between attackers and zombies.

The other two types of botnet attack are called P2P or decentralized (third type) and hybrid (fourth type). I will elaborate on these types of attacks later in further articles.
This system, however, can only clean up attacks of the first type, direct attacks.
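A centralized (C&C) botnet leaves a recognisable trace in a network's flow records: many internal hosts contacting the same external endpoint at a regular interval. As an added example (not the Bina system's logic), the code below derives that from constructed flow tuples: for each (source, destination, port) pair it measures the regularity of inter-connection gaps (coefficient of variation of the gaps), calls a pair "beaconing" when the gaps are steady, and then reports destinations that have at least two beaconing internal sources. Thresholds, addresses and timestamps are all constructed.

```python
# Spotting a centralized botnet's C&C from flow records by beacon regularity.
# Added illustration, not the Bina system's logic; every address, timestamp
# and threshold below is constructed for the demo.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log: (timestamp_seconds, src_ip, dst_ip, dst_port)
FLOWS = []
for host in ("10.0.0.11", "10.0.0.12", "10.0.0.13"):
    # three internal hosts beaconing to one external host about every 60 s
    for k, jitter in enumerate((0, 1, -1, 2, 0, -1)):
        FLOWS.append((k * 60 + jitter, host, "203.0.113.10", 443))
# ordinary, irregular browsing traffic from one of those hosts
for t in (5, 17, 90, 95, 400):
    FLOWS.append((t, "10.0.0.11", "198.51.100.5", 443))
# a single host beaconing to a different destination (regular, but alone)
for k in range(6):
    FLOWS.append((k * 30, "10.0.0.20", "192.0.2.44", 8080))


def is_beacon(timestamps, min_flows=5, max_cv=0.1) -> bool:
    """True when connection gaps are steady: stdev/mean of the gaps below max_cv."""
    ts = sorted(timestamps)
    if len(ts) < min_flows:
        return False
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m > 0 and pstdev(gaps) / m < max_cv


def beaconing_pairs(flows) -> dict:
    """Map (dst, port) -> set of internal sources whose traffic to it beacons."""
    by_pair = defaultdict(list)
    for t, src, dst, port in flows:
        by_pair[(src, dst, port)].append(t)
    result = defaultdict(set)
    for (src, dst, port), ts in by_pair.items():
        if is_beacon(ts):
            result[(dst, port)].add(src)
    return dict(result)


def find_cnc_candidates(flows, min_sources=2) -> dict:
    """Destinations with several beaconing sources: the C&C fingerprint."""
    return {k: sorted(v) for k, v in beaconing_pairs(flows).items()
            if len(v) >= min_sources}
```

The single-host beacon to 192.0.2.44 is still reported by `beaconing_pairs()` (it might be a legitimate update check or a lone infection) but not by `find_cnc_candidates()`, which is the distinction an analyst wants: one regular client is a lead, several clients synchronised to one host is a pattern.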

Native Checkup System

It also assesses SSL certificate security for DNS servers and internet modems. The Checkup system consists of three commonly used security services and is run by the Maher center. The system checks the 5 points where users are most vulnerable and reports the user's status for free. The system, also set up by the Maher center, tests a site's SSL certificate (site security certificate) and announces the result to the user.

The system can also check the security of users' DNS settings and alert the user if they are suspected of being malware-prone or controlled by attackers. The third test that the "Checkup" system performs is a modem security test for each user, reporting vulnerabilities of the modem at the user's IP address.

Native Syman System

The task of this system is to train and simulate web penetration testing. The system uses the Damn Vulnerable Web Application (DVWA), a deliberately vulnerable web application that helps develop web developers' skills and allows testing of various types of attack, such as brute force, CSRF, the different kinds of SQL injection, XSS, and so on.

Native system “Dana”

Scanning the entire country IP data area. (More details have been avoided for now)

Sina native system

Providing an automated security assessment service on the web platform. The Sina system is in fact a PTaaS (Penetration Testing as a Service) system used to perform security penetration testing on cloud-based platforms, and can be used by penetration-testing teams. The system, which reduces costs and increases the credibility of access to tools for companies and penetration-testing teams in the country, has been developed at one of the country's academic centers. One of the problems that companies and penetration-testing teams in our country have is that they do not have access to the tools, or if they do, they cannot get the right data because of cost problems. The Sina system allows us to solve this problem centrally.

Native System “Sadid” or “Strain”

Intrusion detection in Siemens-based industrial networks. This security system is an IDS, or intrusion detection system. The "Sadid" or "Strain" system is designed to detect cyber intrusions or subversive operations on industrial control networks based on the Siemens brand. It monitors and detects malicious and malware-driven incidents, such as unauthorized and unusual commands involving the PLC, and issues the necessary warnings to those in charge of the industrial complex if needed.

Note that earlier the Minister of Communications, speaking about the country's success in producing firewall equipment with the aim of self-sufficiency in the face of cyber attacks, said: "A native firewall to counter cyber attacks on industrial control systems has now been installed on all of the Siemens industrial control systems in the country." He said that this native system will soon be developed for other industrial control brands. Specifically, since the Stuxnet virus penetrated through computers connected to industrial systems, the native firewall can be installed on industrial control and management networks and inspect the commands being issued. This native firewall has nothing to do with office automation networks; it is merely an industrial firewall, not a network firewall.

Does the "Sadid" or "Strain" system work like a firewall?

This system has two different working modes: active and passive. The firewall behaviour of this product refers to the active operating mode. The product also has the ability to run as a passive IDS, with firewalling disabled. Under factory conditions, when the product is in active operation, it may unintentionally impose risks on that industry: for example, it could suddenly prevent the PLC from issuing an order to the production line. This creates risks for factories and industries. Of course, the probability of this is very small, but industry managers usually do not tolerate even that probability.

For this reason, the passive mode is provided so that industries and factories can use this product without exposing themselves to that risk. It monitors everything in the industrial control systems and, if it finds malware-driven or malicious activity in the system, it does not directly do anything to remove the malware, but instead alerts the production line operator.

At the same time, the system collects and maintains the right data for industries and provides all kinds of reports and analyses at instant, real-time speed. The "Intrusion Detection System for Industrial Control Networks" is an instantaneous, real-time system that comes with a variety of alerting features, including SMS, sirens, and so on.

This, of course, is half the way to deal with a subversive event, and the other half requires that organizations and technology managers have the necessary awareness of the topic and follow it up quickly.

Can the "Sadid" or "Strain" system detect operations such as the Stuxnet virus?

Yes, it certainly can. Because it fundamentally does not allow unconventional behaviour in the industrial control system layer of the production line, it can prevent all similar operations. The basis of this system is that it can detect and block abnormal behaviour, or anomalies, in the system. Under these conditions, viruses such as Stuxnet, which enter industrial control networks by abnormal methods and impose abnormal behaviour on the network, can be detected.
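The three preceding answers (passive versus active mode, and anomaly-based detection of commands the control layer has never seen) can be shown together in one small detector. This is an added example, not Sadid's code: it learns the set of (source host, PLC, command verb) triples from a known-clean baseline window, then inspects live commands; anything outside the learned set is an anomaly, which is only logged in passive mode and is dropped in active mode, the operational trade-off the article describes. The log lines, device names and verbs are constructed and far simpler than real S7 traffic.

```python
# Allow-list anomaly detection for an industrial control network, with the
# passive (alert only) and active (block) modes described in the article.
# Added illustration, not Sadid's code; log lines, hosts and verbs are constructed.
from collections import Counter
from dataclasses import dataclass


@dataclass
class Command:
    ts: str
    src: str      # host issuing the command (HMI, engineering workstation, ...)
    plc: str      # target controller
    verb: str     # simplified protocol verb: READ_VAR, WRITE_VAR, STOP_CPU, ...


def parse_line(line: str) -> Command:
    ts, src, plc, verb = line.split()
    return Command(ts, src, plc, verb)


def load(lines) -> list:
    return [parse_line(l) for l in lines if l.strip()]


# Constructed baseline captured during a known-clean learning window.
BASELINE_LOG = [
    "2020-03-01T08:00:00 10.1.1.5 PLC-1 READ_VAR",
    "2020-03-01T08:00:01 10.1.1.5 PLC-2 READ_VAR",
    "2020-03-01T08:05:00 10.1.1.9 PLC-1 WRITE_VAR",
    "2020-03-01T08:05:30 10.1.1.5 PLC-1 READ_VAR",
]

# Constructed live traffic: normal HMI reads, an unknown host writing to PLC-1,
# and the known HMI issuing a verb it has never used before.
LIVE_LOG = [
    "2020-03-29T15:43:00 10.1.1.5 PLC-1 READ_VAR",
    "2020-03-29T15:43:01 10.1.1.5 PLC-2 READ_VAR",
    "2020-03-29T15:43:05 10.1.1.77 PLC-1 WRITE_VAR",
    "2020-03-29T15:43:06 10.1.1.9 PLC-1 WRITE_VAR",
    "2020-03-29T15:43:09 10.1.1.5 PLC-2 STOP_CPU",
]


class IcsAnomalyDetector:
    def __init__(self, mode: str = "passive"):
        if mode not in ("passive", "active"):
            raise ValueError("mode must be 'passive' or 'active'")
        self.mode = mode
        self.allowed = set()      # learned (src, plc, verb) triples
        self.alerts = []          # (Command, action) for every anomaly

    def learn(self, commands) -> None:
        """Build the allow-list from a clean window; poison this and you poison the IDS."""
        for c in commands:
            self.allowed.add((c.src, c.plc, c.verb))

    def inspect(self, cmd: Command) -> str:
        """Return the action taken: forward, alert (passive) or block (active)."""
        if (cmd.src, cmd.plc, cmd.verb) in self.allowed:
            return "forward"
        action = "block" if self.mode == "active" else "alert"
        self.alerts.append((cmd, action))
        return action

    def run(self, commands) -> dict:
        return dict(Counter(self.inspect(c) for c in commands))
```

In passive mode the two anomalies reach the PLC and the operator gets a notification; in active mode they are dropped, which is precisely the behaviour a plant manager may refuse to accept if a false positive could stop a line.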

Does this product apply only to Siemens brand industrial control systems?

Basically, a characteristic of IDS and industrial firewall products is that they are brand dependent. Therefore, the "Intrusion Detection System in Industrial Control Networks" product has been developed for the Siemens brand, but investment in other brands is planned for this year as well. This requires the involvement of other relevant agencies, such as the Ministry of Oil and the Ministry of Energy, in equipping the relevant laboratories: because the project's research resources came from the Ministry of Communications' own resources, the laboratory did not have the means to equip itself, and the Ministry of Energy or the Ministry of Petroleum have been asked to provide the necessary resources and equipment to establish laboratories in university centers.

Is most of the industrial control systems in the country currently operating on the Siemens brand?

No; this differs between industries. But the system is currently being activated for the Siemens brand using Ministry of Communications resources. Given the technical know-how behind this system, if the equipment becomes available, it will move on to other brands next year (1399), and the technical know-how will be there.

Safe Umbrella System

Providing a DNS service that deletes the records of bot networks. The purpose of this "secure umbrella" system is to provide users with a secure DNS. At present, ordinary DNS can easily let users fall into the "net" of the botnets that attackers around the world constantly promote. This system monitors the botnets and prevents users from falling into the net: in some cyber attacks the user's DNS is what gets compromised, so if we give the user a secure DNS, the user is not directed to the networks on which these botnets are active; their records are removed and the user's DNS output is filtered.
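"Deleting the records of bot networks" is what a policy-filtering resolver does, and the logic is short. The following added example (not the Dezhfa service's code) normalises each query name (case, whitespace, trailing dot), matches it against a blocklist on domain-label boundaries so that `notexample-botnet.test` is not caught by a rule for `example-botnet.test`, and either answers NXDOMAIN (the record is "deleted") or, optionally, points the name at a sinkhole address where blocked clients can be counted. The upstream resolver is a dict, and the blocklist, zone data and sinkhole address are constructed.

```python
# Botnet-record filtering resolver in the spirit of the "secure umbrella" DNS.
# Added illustration, not the Dezhfa service; blocklist, zone data and the
# sinkhole address are constructed and the upstream resolver is a plain dict.
from collections import Counter

# Constructed threat-intel feed: domains known to host C&C infrastructure.
BLOCKED_SUFFIXES = {"example-botnet.test", "cnc.example-bad.test"}

# Constructed stand-in for the real upstream resolver.
UPSTREAM = {
    "www.example.test": "203.0.113.80",
    "mail.example.test": "203.0.113.25",
    "notexample-botnet.test": "203.0.113.90",   # legitimate, similar-looking name
}


def normalize(name: str) -> str:
    """Lower-case, strip whitespace and the trailing dot so 'A.TEST.' equals 'a.test'."""
    return name.strip().rstrip(".").lower()


class FilteringResolver:
    def __init__(self, upstream: dict, blocked_suffixes, sinkhole: str = None):
        self.upstream = {normalize(k): v for k, v in upstream.items()}
        self.blocked = {normalize(s) for s in blocked_suffixes}
        self.sinkhole = sinkhole          # None -> answer NXDOMAIN; else sinkhole IP
        self.stats = Counter()

    def is_blocked(self, name: str) -> bool:
        name = normalize(name)
        # Match the domain itself or any subdomain, never a partial label.
        return any(name == s or name.endswith("." + s) for s in self.blocked)

    def resolve(self, qname: str) -> dict:
        name = normalize(qname)
        if self.is_blocked(name):
            self.stats["blocked"] += 1
            if self.sinkhole:
                return {"name": name, "rcode": "NOERROR",
                        "address": self.sinkhole, "policy": "blocked"}
            return {"name": name, "rcode": "NXDOMAIN",
                    "address": None, "policy": "blocked"}
        self.stats["allowed"] += 1
        addr = self.upstream.get(name)
        return {"name": name, "rcode": "NOERROR" if addr else "NXDOMAIN",
                "address": addr, "policy": "allowed"}
```

The `policy` field matters operationally: an NXDOMAIN from the blocklist and an NXDOMAIN for a name that simply does not exist look identical to the client, so the resolver's own log (here `stats`) is the only place the block is visible to defenders.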

Have there been cases in recent months where various organizations have been alerted by these security systems, given the applications these systems have and the awareness of vulnerabilities and cyber infections in those organizations?
We estimate that over the past six months we have had approximately 3 communications with various organizations, including public and private organizations and companies, to inform them of the vulnerabilities we observed on their systems.

In line with the instructions of the Minister of Communications and Information Technology, we are developing specific guidelines for informing organizations, in order to classify security alarms at different levels in the country and to report vulnerabilities, infections and sensitive levels, from the level of users up to the highest levels of leadership.

This system, known as the "Online Alert and Identification of Vulnerabilities" system, is another "fortress" (Dezhfa) system that detects cyber infections in the country and issues alerts classified according to certain protocols.

Author: Meysam Nazemi