Presentation is loading. Please wait.

Presentation is loading. Please wait.

Scalable Configuration Management For Secure Web Services Infrastructure Sanjai Narain Senior Research Scientist Telcordia Technologies

Published bySheena Rodgers Modified over 9 years ago

Similar presentations

Presentation on theme: "Scalable Configuration Management For Secure Web Services Infrastructure Sanjai Narain Senior Research Scientist Telcordia Technologies"— Presentation transcript:

1 Scalable Configuration Management For Secure Web Services Infrastructure Sanjai Narain Senior Research Scientist Telcordia Technologies narain@research.telcordia.com (732) 699 2806 Prepared For DIMACS Workshop on Security of Web Services and E-Commerce, May 5-6, 2005

2 DIMACS (Narain) – 2 Outline  Focus on architectural aspect of web-services security. Components can be robust, but architecture into which they are integrated can be fragile and vulnerable.  How do we answer questions such as “is there a single point of failure?”, “is there sufficient defense-in-depth?”  Show an approach based on model-finding  Show how to scale this approach to realistic size and complexity

3 DIMACS (Narain) – 3 Deploying Web Services Security Infrastructure Component Configuration Is Central Operation Gateway Router FWFW XML Gateway Cluster Application Servers FWFW Gateway Router FWFW XML Gateway Cluster Application Servers FWFW Gateway Router FWFW XML Gateway Cluster Application Servers FWFW WAN Bulk encryption via fault-tolerant network of IPSec Tunnels Authentication Authorization Credit card encryption Defense-in-depth via DMZ Gateway Router

4 DIMACS (Narain) – 4 Yet, there is no theory of configuration System requirements on security, functionality, fault-tolerance Components Configuration Synthesis Configuration Error Diagnosis Requirement Verification Configuration Error Fixing Requirement Strengthening Component Adds & Deletes Configuration Sequencing Operations on requirements

5 DIMACS (Narain) – 5 Quotes  Although setup (of the trusted computing base) is much simpler than code, it is still complicated, it is usually done by less skilled people, and while code is written once, setup is different for every installation. So we should expect that it’s usually wrong, and many studies confirm this expectation. – Butler Lampson, Computer Security In the Real World. Proceedings of Annual Computer Security Applications Conference, 2000. – http://research.microsoft.com/lampson/64-SecurityInRealWorld/Acrobat.pdf http://research.microsoft.com/lampson/64-SecurityInRealWorld/Acrobat.pdf  65% of attacks exploit configuration errors. – British Telecom/Gartner Group. http://www.btglobalservices.com/business/global/en/products/docs/28154_219475secur_bro_sin gle.pdf http://www.btglobalservices.com/business/global/en/products/docs/28154_219475secur_bro_sin gle.pdf ...operator error is the largest cause of failures...and largest contributor to time to repair... in two of the three (surveyed) ISPs.......configuration errors are the largest category of operator errors. – David Oppenheimer, Archana Ganapathi, David A. Patterson. Why Internet Services Fail and What Can Be Done About These? Proceedings of 4th Usenix Symposium on Internet Technologies and Systems (USITS ‘03), 2003. – http://roc.cs.berkeley.edu/papers/usits03.pdf  Consider this: ….the complexity [of computer systems] is growing beyond human ability to manage it….the overlapping connections, dependencies, and interacting applications call for administrative decision-making and responses faster than any human can deliver. Pinpointing root causes of failures becomes more difficult. –Paul Horn, Senior VP, IBM Research. Autonomic Computing: IBM’s Perspective on the State of Information Technology. – http://www.research.ibm.com/autonomic/manifesto/autonomic_computing.pdf

6 DIMACS (Narain) – 6 System components, e.g., hosts, servers, routers, firewalls System Components System Requirements in FOL Configurations Requirement Solver New Concept: Requirement Solver With policy-based networking, this work has to be done by system designer. Alloy (MIT) FOL  Boolean logic compiler SAT Solvers (Very fast) FOL formula model Transformations

7 DIMACS (Narain) – 7 S = System Requirement Configuration error diagnosis: Where C is current system configuration, is S  C satisfiable? Configuration error fixing:  Find new configuration C: S is satisfiable and cost of migration to C is acceptable Requirement Strengthening:  Solve S  NewReq Configuration synthesis: Find system configuration C: S is satisfiable Verification:  Where R is a requirement, to show that S  R is valid show S   R is unsatisfiable Formalizing Configuration Management Problems Component adds/deletes:  Solve S for new set of components Configuration Sequencing:  SAT for planning  Also Quantified Boolean Formulas

8 DIMACS (Narain) – 8 Fully Configured Fault-Tolerant VPN Full mesh of IPSec tunnels does not scale Spoke Router Hub Router Spoke Router Hub Router WAN Router GRE Tunnel IPSecTunnel XML GW Cluster XML GW Cluster

9 DIMACS (Narain) – 9 RIP Routing Domain OSPF Routing Domain Spoke Router WAN Router Hub Router Access Server (router subtype) Legacy Router Interface Physical Interface Internal Interface External Interface hubExternalInterface spokeExternalInterface Subnet Internal Subnet External Subnet Network Components Component Attributes  interface – chassis: router – network: subnet – routing: routingDomain  ipsecTunnel – local: externalInterface, – remote: externalInterface, – protocolToSecure: protocol  greTunnel – localPhysical: externalInterface – remotePhysical:externalInterface – routing:routingDomain  firewallPolicy – prot: protocol – action: permission – protectedInterface: physicalInterface  ipPacket – source:interface, – destination:interface, – prot:protocol Protocols ike esp gre IPSec Tunnel GRE Tunnel firewallPolicy Permissions permit deny ipPacket

10 DIMACS (Narain) – 10 Fault-Tolerant VPN Requirements Human administrators reason with these in different ways to synthesize initial network, then reconfigure it as operating conditions change. Can we automate this reasoning? SecureGRERequirements 14. For every GRE tunnel there is an IPSec tunnel between associated physical interfaces that secures all GRE traffic GRERequirements 12. There is a GRE tunnel between each hub and spoke router 13. RIP is enabled on all GRE interfaces SubnettingRequirements 5. A router does not have more than one interface on a subnet 6. All internal interfaces are on internal subnets 7. All external interfaces are on external subnets 8. Every hub and spoke router is connected to a WAN router 9. No two non-WAN routers share a subnet RouterInterfaceRequirements 1. Each spoke router has internal and external interfaces 2. Each access server has internal and external interfaces 3. Each hub router has only external interfaces 4. Each WAN router has only external interfaces RoutingRequirements 10. RIP is enabled on all internal interfaces 11. OSPF is enabled on all external interfaces FirewallPolicyRequirements 15. Each hub and spoke external interface permits esp and ike packets

11 DIMACS (Narain) – 11 hostname SN1BS-RTR ! crypto isakmp policy 1 authentication pre-share crypto isakmp key PN1BS-RTR_key_with_SN1BS-RTR address 148.148.148.2 crypto isakmp key AI-RTR_key_with_SN1BS-RTR address 158.158.158.2 crypto isakmp key SN2-RTR_key_with_SN1BS-RTR address 138.138.138.2 ! crypto ipsec transform-set IPSecProposal esp-des esp-sha-hmac ! crypto map vpn-map-Ethernet0/0 33 ipsec-isakmp set peer 148.148.148.2 set transform-set IPSecProposal match address 142 crypto map vpn-map-Ethernet0/0 34 ipsec-isakmp set peer 158.158.158.2 set transform-set IPSecProposal match address 143 crypto map vpn-map-Ethernet0/0 35 ipsec-isakmp set peer 138.138.138.2 set transform-set IPSecProposal match address 144 ! interface Tunnel0 ip address 31.31.31.1 255.255.255.0 tunnel source 128.128.128.2 tunnel destination 148.148.148.2 crypto map vpn-map-Ethernet0/0 ! interface Tunnel1 ip address 35.35.35.1 255.255.255.0 tunnel source 128.128.128.2 tunnel destination 158.158.158.2 crypto map vpn-map-Ethernet0/0 interface Tunnel2 ip address 34.34.34.2 255.255.255.0 tunnel source 148.148.148.2 tunnel destination 138.138.138.2 crypto map vpn-map-Ethernet0/0 ! interface Ethernet0/0 ip address 128.128.128.2 255.255.255.0 crypto map vpn-map-Ethernet0/0 ! interface Ethernet0/1 ip address 50.50.50.1 255.255.255.0 ! router rip version 2 network 50.0.0.0 network 31.0.0.0 network 34.0.0.0 network 35.0.0.0 ! ip classless ip route 0.0.0.0 0.0.0.0 128.128.128.1 no ip http server ! access-list 142 permit gre host 128.128.128.2 host 148.148.148.2 access-list 143 permit gre host 128.128.128.2 host 158.158.158.2 access-list 144 permit gre host 128.128.128.2 host 138.138.138.2 ! end hostname SN2-RTR ! crypto isakmp policy 1 authentication pre-share crypto isakmp key PN1BS-RTR_key_with_SN2-RTR address 148.148.148.2 crypto isakmp key AI-RTR_key_with_SN2-RTR address 158.158.158.2 crypto isakmp key SN1BS-RTR_key_with_SN2-RTR address 128.128.128.2 ! crypto ipsec transform-set IPSecProposal esp-des esp-sha-hmac ! crypto map vpn-map-Ethernet0/0 33 ipsec-isakmp set peer 148.148.148.2 set transform-set IPSecProposal match address 142 crypto map vpn-map-Ethernet0/0 34 ipsec-isakmp set peer 158.158.158.2 set transform-set IPSecProposal match address 143 crypto map vpn-map-Ethernet0/0 35 ipsec-isakmp set peer 128.128.128.2 set transform-set IPSecProposal match address 144 ! interface Tunnel0 ip address 32.32.32.1 255.255.255.0 tunnel source 138.138.138.2 tunnel destination 148.148.148.2 crypto map vpn-map-Ethernet0/0 ! interface Tunnel1 ip address 36.36.36.1 255.255.255.0 tunnel source 138.138.138.2 tunnel destination 158.158.158.2 crypto map vpn-map-Ethernet0/0 ! interface Tunnel2 ip address 34.34.34.1 255.255.255.0 tunnel source 138.138.138.2 tunnel destination 128.128.128.2 crypto map vpn-map-Ethernet0/0 ! interface Ethernet0/0 ip address 138.138.138.2 255.255.255.0 crypto map vpn-map-Ethernet0/0 ! interface Ethernet0/1 ip address 60.60.60.1 255.255.255.0 ! router rip version 2 network 60.0.0.0 network 32.0.0.0 network 34.0.0.0 network 36.0.0.0 ! ip classless ip route 0.0.0.0 0.0.0.0 138.138.138.1 no ip http server ! access-list 142 permit gre host 138.138.138.2 host 148.148.148.2 access-list 143 permit gre host 138.138.138.2 host 158.158.158.2 access-list 144 permit gre host 138.138.138.2 host 128.128.128.2 ! end ip classless ! interface Tunnel2 ip address 32.32.32.2 255.255.255.0 tunnel source 148.148.148.2 tunnel destination 138.138.138.2 crypto map vpn-map-Ethernet0/0 ! interface Ethernet0/0 ip address 148.148.148.2 255.255.255.0 crypto map vpn-map-Ethernet0/0 ! interface Ethernet0/1 ip address 192.110.175.1 255.255.255.0 ! router rip version 2 network 192.110.175.0 network 31.0.0.0 network 33.0.0.0 network 32.0.0.0 ! ip classless ip route 0.0.0.0 0.0.0.0 148.148.148.1 no ip http server ! access-list 142 permit gre host 148.148.148.2 host 128.128.128.2 access-list 143 permit gre host 148.148.148.2 host 158.158.158.2 access-list 144 permit gre host 148.148.148.2 host 138.138.138.2 ! end hostname PN1BS-RTR ! crypto isakmp policy 1 authentication pre-share crypto isakmp key SN1BS-RTR_key_with_PN1BS-RTR address 128.128.128.2 crypto isakmp key A1-RTR_key_with_PN1BS-RTR address 158.158.158.2 crypto isakmp key SN2-RTR_key_with_PN1BS-RTR address 138.138.138.2 ! crypto ipsec transform-set IPSecProposal esp-des esp-sha-hmac ! crypto map vpn-map-Ethernet0/0 33 ipsec-isakmp set peer 128.128.128.2 set transform-set IPSecProposal match address 142 crypto map vpn-map-Ethernet0/0 34 ipsec-isakmp set peer 158.158.158.2 set transform-set IPSecProposal match address 143 crypto map vpn-map-Ethernet0/0 35 ipsec-isakmp set peer 138.138.138.2 set transform-set IPSecProposal match address 144 ! interface Tunnel0 ip address 31.31.31.2 255.255.255.0 tunnel source 148.148.148.2 tunnel destination 128.128.128.2 crypto map vpn-map-Ethernet0/0 ! interface Tunnel1 ip address 33.33.33.1 255.255.255.0 tunnel source 148.148.148.2 tunnel destination 158.158.158.2 crypto map vpn-map-Ethernet0/0 Current VPN Configuration Process interface Tunnel2 ip address 36.36.36.2 255.255.255.0 tunnel source 158.158.158.2 tunnel destination 138.138.138.2 crypto map vpn-map-Ethernet0/0 ! interface Ethernet0/0 ip address 158.158.158.2 255.255.255.0 crypto map vpn-map-Ethernet0/0 ! interface Ethernet0/1 ip address 80.80.80.1 255.255.255.0 ! router rip version 2 network 80.0.0.0 network 35.0.0.0 network 33.0.0.0 network 36.0.0.0 ! ip classless ip route 0.0.0.0 0.0.0.0 158.158.158.1 no ip http server ! access-list 142 permit gre host 158.158.158.2 host 128.128.128.2 access-list 143 permit gre host 158.158.158.2 host 148.148.148.2 access-list 144 permit gre host 158.158.158.2 host 138.138.138.2 ! end New Cisco IOS configuration needs to be implemented at all VPN peer routers! For 4 node VPN that is more than 240 command lines hostname AI-RTR ! crypto isakmp policy 1 authentication pre-share crypto isakmp key SN1BS-RTR_key_with_AI-RTR address 128.128.128.2 crypto isakmp key PN1BS-RTR_key_with_AI-RTR address 148.148.148.2 crypto isakmp key SN2-RTR_key_with_AI-RTR address 138.138.138.2 ! crypto ipsec transform-set IPSecProposal esp-des esp-sha-hmac ! crypto map vpn-map-Ethernet0/0 33 ipsec-isakmp set peer 128.128.128.2 set transform-set IPSecProposal match address 142 crypto map vpn-map-Ethernet0/0 34 ipsec-isakmp set peer 148.148.148.2 set transform-set IPSecProposal match address 143 crypto map vpn-map-Ethernet0/0 35 ipsec-isakmp set peer 138.138.138.2 set transform-set IPSecProposal match address 144 ! interface Tunnel0 ip address 35.35.35.2 255.255.255.0 tunnel source 158.158.158.2 tunnel destination 128.128.128.2 crypto map vpn-map-Ethernet0/0 ! interface Tunnel1 ip address 33.33.33.2 255.255.255.0 tunnel source 158.158.158.2 tunnel destination 148.148.148.2 crypto map vpn-map-Ethernet0/0

12 DIMACS (Narain) – 12 Requirements In Alloy pred RouterInterfaceRequirements () { (all x:spokeRouter | some y:internalInterface | y.chassis = x) && (all x:spokeRouter | some y:spokeExternalInterface | y.chassis = x) && (all x:accessServer | some y:internalInterface | y.chassis = x) && (all x:accessServer | some y:externalInterface | y.chassis = x) && (all x:hubRouter | some y:hubExternalInterface | y.chassis = x)&& (all x:wanRouter | some y:externalInterface | y.chassis = x) } pred SecureGRERequirements () {all g:greTunnel | some p:ipsecTunnel | p.protocolToSecure=gre && ((p.local = g.localPhysical && p.remote = g.remotePhysical) or (p.local = g.localPhysical && p.remote = g.remotePhysical))}

13 DIMACS (Narain) – 13 Sample Output From Requirement Solver routing : samples/router/routingDomain = {externalInterface_0 -> ospfDomain_0, externalInterface_1 -> ospfDomain_0, externalInterface_2 -> ospfDomain_0, externalInterface_3 -> ospfDomain_0, externalInterface_4 -> ospfDomain_0, hubExternalInterface_0 -> ospfDomain_0, hubExternalInterface_1 -> ospfDomain_0, internalInterface_0 -> ripDomain_0, internalInterface_1 -> ripDomain_0, internalInterface_2 -> ripDomain_0, spokeExternalInterface_0 -> ospfDomain_0, spokeExternalInterface_1 -> ospfDomain_0} chassis : samples/router/router = {externalInterface_0 -> accessServer_0, externalInterface_1 -> wanRouter_0, externalInterface_2 -> wanRouter_0, externalInterface_3 -> wanRouter_0, externalInterface_4 -> wanRouter_0, hubExternalInterface_0 -> hubRouter_0, hubExternalInterface_1 -> hubRouter_1, internalInterface_0 -> spokeRouter_0, internalInterface_1 -> accessServer_0, internalInterface_2 -> spokeRouter_1, spokeExternalInterface_0 -> spokeRouter_1, spokeExternalInterface_1 -> spokeRouter_0} network : samples/router/subnet = {externalInterface_0 -> externalSubnet_0, externalInterface_1 -> externalSubnet_0, externalInterface_2 -> externalSubnet_1, externalInterface_3 -> externalSubnet_2, externalInterface_4 -> externalSubnet_3, hubExternalInterface_0 -> externalSubnet_2, hubExternalInterface_1 -> externalSubnet_3, internalInterface_0 -> internalSubnet_0, internalInterface_1 -> internalSubnet_0, internalInterface_2 -> internalSubnet_1, spokeExternalInterface_0 -> externalSubnet_0, spokeExternalInterface_1 -> externalSubnet_1}

14 DIMACS (Narain) – 14 Configuration Synthesis: Physical Connectivity and Routing  To synthesize network, satisfy R1-R11 for – 1 hub router, – 1 WAN router, – 1 spoke router, – 1 internal subnet, – 2 external subnets – 1 internal interface, – 4 external interfaces, – RIP domain, – 1 OSPF domain Spoke Router WAN Router Hub Router OSPF Domain RIP Domain SubnettingRequirements 5. A router does not have more than one interface on a subnet 6. All internal interfaces are on internal subnets 7. All external interfaces are on external subnets 8. Every hub and spoke router is connected to a WAN router 9. No two non-WAN routers share a subnet RouterInterfaceRequirements 1. Each spoke router has internal and external interfaces 2. Each access server has internal and external interfaces 3. Each hub router has only external interfaces 4. Each WAN router has only external interfaces RoutingRequirements 10. RIP is enabled on all internal interfaces 11. OSPF is enabled on all external interfaces Requirement Solver generates solution. Note that Hub and Spoke routers are not directly connected, due to Requirement 9

15 DIMACS (Narain) – 15 Spoke Router Hub Router OSPF Domain RIP Domain To synthesize network, satisfy R1-R13 for  previous list of components &  1 GRE tunnel NOTE: GRE tunnel set up and RIP domain extended to include GRE interfaces automatically! GRE Tunnel Strengthening Requirement: Adding Overlay Network WAN Router GRERequirements 12. There is a GRE tunnel between each hub and spoke router 13. RIP is enabled on all GRE interfaces SubnettingRequirements 5. A router does not have more than one interface on a subnet 6. All internal interfaces are on internal subnets 7. All external interfaces are on external subnets 8. Every hub and spoke router is connected to a WAN router 9. No two non-WAN routers share a subnet RouterInterfaceRequirements 1. Each spoke router has internal and external interfaces 2. Each access server has internal and external interfaces 3. Each hub router has only external interfaces 4. Each WAN router has only external interfaces RoutingRequirements 10. RIP is enabled on all internal interfaces 11. OSPF is enabled on all external interfaces

16 DIMACS (Narain) – 16 Spoke Router Hub Router OSPF Domain IPSec Tunnel To synthesize network, satisfy R1-R14 for  previous list of components &  1 IPSec tunnel NOTE: IPSec tunnel securing GRE tunnel set up automatically Strengthening Requirement: Adding Security For Overlay Network WAN Router GRERequirements 12. There is a GRE tunnel between each hub and spoke router 13. RIP is enabled on all GRE interfaces SubnettingRequirements 5. A router does not have more than one interface on a subnet 6. All internal interfaces are on internal subnets 7. All external interfaces are on external subnets 8. Every hub and spoke router is connected to a WAN router 9. No two non-WAN routers share a subnet RouterInterfaceRequirements 1. Each spoke router has internal and external interfaces 2. Each access server has internal and external interfaces 3. Each hub router has only external interfaces 4. Each WAN router has only external interfaces RoutingRequirements 10. RIP is enabled on all internal interfaces 11. OSPF is enabled on all external interfaces SecureGRERequirements 14. For every GRE tunnel there is an IPSec tunnel between associated physical interfaces that secures all GRE traffic

17 DIMACS (Narain) – 17 Spoke Router Spoke Router  To add another spoke router satisfy requirements R1-R15 for previous components and one additional spoke router and related components  Note: New subnets, GRE and IPSec tunnels set up, and routing domains extended automatically Hub Router WAN Router Component Addition: Adding New Spoke Router

18 DIMACS (Narain) – 18 Spoke Router Hub Router Access Server OSPF Domain Spoke Router Hub Router  To add another hub router satisfy requirements R1-R15 for previous components and one additional hub router (and related com[ponents)  New subnets, GRE and IPSec tunnels set up, and routing domains extended automatically WAN Router Component Addition: Adding New Hub Router

19 DIMACS (Narain) – 19 Spoke Router Hub Router OSPF Domain Spoke Router Hub Router  Symptom: Cannot ping from one internal interface to another  Define Bad = ip packet is blocked  Check if R1-R16 & Bad is satisfiable  Answer: WAN router firewalls block ike/ipsec traffic  Action: Create new policy that allows WAN router firewalls to pass esp/ike packets WAN Router Verification: Adding Firewall Requirements & Discovering Design Flaw

20 DIMACS (Narain) – 20 Scalability Approaches  Can we write specifications in such a way that they are “efficient”?  Two heuristics: – Small number of quantifiers in formulas – Scope splitting  Even with these, Alloy crashes for 10 sites (200 object instances)  New approach is required

21 DIMACS (Narain) – 21 Divide, Conquer, Verify  Heuristic: Instead of creating VPN for all sites all at once, create it incrementally by adding sites one at a time  Goal: Solve R for component set C  If C is large, Alloy will take a long time or crash  Split C into C1,..,Ck and solve R for C1,..,Ck generating solutions M1,..,Mk. Then take union of M1,..,Mk = M  Verify that M is a solution for R.  Using Alloy for verification will restore inefficiency  However, one can use Prolog

22 DIMACS (Narain) – 22 Any FOL formula can be expressed in full Prolog. pred greTunnelEveryHubSpoke () {all x:hubExternalInterface, y:spokeExternalInterface | some g:greTunnel | (g.localPhysical=x && g.remotePhysical=y) or (g.localPhysical=y && g.remotePhysical=x)} ----------------------------------------------------------------------------------------------------------------------------------- greTunnelEveryHubSpoke if not counterExampleGreTunnelEveryHubSpoke. counterExampleGreTunnelEveryHubSpoke if type(X,hub),type(Y,spoke), not existsGRE(X,Y). existsGRE(X,Y) if localPhysical(GT, P1),remotePhysical(GT,P2), chassis(P1, X), chassis(P2, Y) existsGRE(X,Y) if localPhysical(GT, P1),remotePhysical(GT,P2), chassis(P2, X), chassis(P1, Y) ------------------------------------------------------------------------------------------------------------------------------------  Represent model as a collection of Prolog ground facts. Now, evaluate Prolog requirement. This is a database integrity checking problem

23 DIMACS (Narain) – 23 Summary & Future Directions  Problem: Focus on architectural aspects of security  Configuration plays central role in web services infrastructure synthesis & management  We need a theory of configuration to solve following fundamental problems: 1. Specification languages 2. Configuration synthesis 3. Incremental configuration (requirement strengthening, component addition) 4. Configuration error diagnosis 5. Configuration error troubleshooting 6. Verification 7. Configuration sequencing 8. Distributed configuration  Proposed formalization of 1-6 via Alloy and SAT solvers  Proposed scalability approach by complementary use of Prolog  Future directions: – Scalable algorithms to solve above problems. – Combine FOL reasoning systems, Linear Programming systems, relational databases, graph algorithms into single programming model

24 DIMACS (Narain) – 24 Thank You

25 DIMACS (Narain) – 25  There is no theory of configuration. There is a deep logic that governs infrastructure.  Security and routing interfere  Move from coding to configuration  Why is diagnosis hard: work in isolation but not together  Policies across components, and across layers……! GUIs don’t even have expressive power of Boolean logic  Self-healing architecture VG  Emphasize Language (syntax/semantics). Semantics: services at each layer  Integrate fault-tolerant protocols  Scalability  LP

Download ppt "Scalable Configuration Management For Secure Web Services Infrastructure Sanjai Narain Senior Research Scientist Telcordia Technologies"

Similar presentations

Logically Centralized Control Class 2. Types of Networks ISP Networks – Entity only owns the switches – Throughput: 100GB-10TB – Heterogeneous devices:

Logically Centralized Control Class 2. Types of Networks ISP Networks – Entity only owns the switches – Throughput: 100GB-10TB – Heterogeneous devices:
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
Agenda Virtual Private Networks (VPNs) Motivation and Basics Deployment Topologies IPSEC (IP Security) Authentication Header (AH) Encapsulating Security.

Agenda Virtual Private Networks (VPNs) Motivation and Basics Deployment Topologies IPSEC (IP Security) Authentication Header (AH) Encapsulating Security.
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.

11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
Agenda VPN tunnels Configuration of basic core network components Maintenance of Cisco devices Exercises & troubleshooting.

Agenda VPN tunnels Configuration of basic core network components Maintenance of Cisco devices Exercises & troubleshooting.
Middleware for Building Adaptive Systems Via Configuration An SAIC Company S. Narain R. Vaidyanathan S. Moyer A. Shareef K. Parmeswaran Internet Architecture.

Middleware for Building Adaptive Systems Via Configuration An SAIC Company S. Narain R. Vaidyanathan S. Moyer A. Shareef K. Parmeswaran Internet Architecture.
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Configuration of a Site-to-Site IPsec Virtual Private Network Anuradha Kallury CS 580 Special Project August 23, 2005.

Configuration of a Site-to-Site IPsec Virtual Private Network Anuradha Kallury CS 580 Special Project August 23, 2005.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L4 1 Implementing Secure Converged Wide Area Networks (ISCW)

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L4 1 Implementing Secure Converged Wide Area Networks (ISCW)
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)
Lecture Week 3 Introduction to Dynamic Routing Protocol Routing Protocols and Concepts.

Lecture Week 3 Introduction to Dynamic Routing Protocol Routing Protocols and Concepts.
1 © 2001, Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Cisco Easy VPN Solutions Applications and Implementation with Cisco IOS.

1 © 2001, Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Cisco Easy VPN Solutions Applications and Implementation with Cisco IOS.
TCP/IP Addressing Design. Objectives Choose an appropriate IP addressing scheme based on business and technical requirements Identify IP addressing problems.

TCP/IP Addressing Design. Objectives Choose an appropriate IP addressing scheme based on business and technical requirements Identify IP addressing problems.
© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 10 – Implementing the Cisco Adaptive Security.

© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 10 – Implementing the Cisco Adaptive Security.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 9 Network Policy and Access Services in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 9 Network Policy and Access Services in Windows Server 2008.
Creating an IPsec VPN using IOS command syntax. What is IPSec IPsec, Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering.

Creating an IPsec VPN using IOS command syntax. What is IPSec IPsec, Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering.
Chapter 6 Configuring, Monitoring & Troubleshooting IPsec

Chapter 6 Configuring, Monitoring & Troubleshooting IPsec

Similar presentations

Ads by Google