The UMU-PBNM Antonio F. Gomez Skarmeta Gregorio Martínez

1 The UMU-PBNM
Antonio F. Gomez Skarmeta, Gregorio Martínez
<skarmeta, University of Murcia, SPAIN

2 Agenda
- Objective and Proposed Architecture
- The UMU-PKIv6
- UMU-PBNM Design
- UMU-PBNM Implementation
- Analysis of VPNs over IPv6
- References

3 Objective and Proposed Architecture

4 UMU-PBNM Main Objective
Design and set up a security framework to manage distributed communication systems using the PBNM (Policy-Based Network Management) paradigm.
Features:
- Flexible
- Secure
- Service- and application-independent
- Standards-based
- IP-based
In collaboration with UCL-CS.

5 Proposed Architecture
(Layered architecture figure; labels present on the slide:) Trust Management System; Policy Management Framework; Cryptographic Middleware; Policy Language; UMU-PBNM (Policy Console, PMT, PDP, PEP); UMU-PKIv6; Java Card; Network Layer Security Services; IPsec Security Services.

6 The UMU-PKIv6

7 UMU-PKIv6 Description
Main objective: to establish a high-security infrastructure for distributed systems.
Main features:
- PKI supporting the IPv6 protocol
- Developed in Java, so it runs on any operating system with a JVM
- Issues, renews and revokes certificates for every entity belonging to an organisation
- End users can use either RAs or web browsers to perform their own certification operations
- LDAPv6 directory support

8 UMU-PKIv6 Description (II)
Main features (II):
- Use of smart cards (file system, RSA or Java Cards), allowing user mobility and increasing security
- Certificate Policy / Certification Practice Statement (CPS) support
- VPN device certification support (using the SCEP protocol)
- Support for the OCSP and Time Stamp (TSP) protocols
- Web administration
- DNSsec support
- Used in both the Euro6IX and 6NET projects (cross-certification)

9 UMU-PKIv6 Architecture
(Architecture figure; elements recoverable from the slide:) Certification Authority, Registration Authorities, WWW Secure Request Servers, LDAP directory, DNSsec, databases, administrators, end users and VPN devices. Link types shown: IPv6 SSL connection, IPv6 plain connection, and SCEP over IPv6 (used by the VPN devices).

10 UMU-PKIv6 Architecture (II)
(Figure: OCSP and time-stamping flows.) The Certification Authority feeds an OCSP Responder (OCSP Server) and a Time Stamping Responder (Time Stamp Server). An OCSP Client sends an OCSP Message carrying a certificate serial number and receives its status; a TSP Client sends a TSP Message carrying a message hash (msg_hash) and receives a time stamp.

11 UMU-PBNM Design

12

13 Policy Enforcement Point (PEP)
(Figure: PDP and PEP internals; labels present on the slide:) UMU-PKIv6, PMT, Policy DB, Decision Taking, Monitoring, Network Monitoring, PEPs DB, OCSP, PSIP Client/Server, Policy Adaptation, Config., Cryptography Management, LDAP Certificate Validation, COPS Server, COPS, Policy Decision Point (PDP), Policy Enforcement Point (PEP).

14 Policy Management Process

15 Monitoring Process

16 UMU-PBNM Implementation

17 Relevant Implementation Issues
- Policy Console: web browser using the Microsoft CSP (Cryptographic Service Provider)
- PMT: assistant module to define new policies; manages and stores XML policy documents conforming to one XML schema
- PDP and PEP: use COPS and COPS-PR from Vocal 1.5; a new S-Type for XML (and XML Path) was added
- PEP-network node interaction: VPN ETool
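The slide says the PDP and PEP carry XML policy documents over COPS-PR by adding a new S-Type. The following is an added example, not code from the UMU-PBNM project: it encodes an IPsec rule expressed as XML into a COPS-PR Named Decision Data object (the payload a PDP puts in a DEC message) and parses it back on the PEP side. The wire formats follow RFC 2748 (COPS object header) and RFC 3084 (COPS-PR PRID/EPD objects); the S-Type value chosen for XML, the PRID (under the documentation-reserved enterprise number 32473), the policy XML vocabulary and the sample rule are all assumptions for this example.

```python
"""Added example: XML policy as a COPS-PR Named Decision Data object.
RFC 2748 / RFC 3084 wire formats; XML S-Type, PRID, namespace and the
sample rule are assumptions, not the project's real values."""
import struct
import xml.etree.ElementTree as ET

# COPS object header (RFC 2748 s.2.2): Length(16) | C-Num(8) | C-Type(8)
CNUM_DECISION = 6
CTYPE_NAMED_DECISION_DATA = 4
# COPS-PR object header (RFC 3084 s.3): Length(16) | S-Num(8) | S-Type(8)
SNUM_PRID, SNUM_EPD = 1, 3
STYPE_BER = 1      # standard PRID/EPD encoding
STYPE_XML = 2      # ASSUMPTION: code point for the XML S-Type the slide mentions
NS = "urn:example:umu:ipsec-policy"                # ASSUMPTION: policy schema namespace
IPSEC_RULE_PRID = (1, 3, 6, 1, 4, 1, 32473, 1, 1)  # ASSUMPTION: PRID under doc-reserved PEN

SAMPLE_POLICY = f"""<ipsecPolicy xmlns="{NS}">
  <rule name="gw-to-gw">
    <selector src="2001:db8:1::/64" dst="2001:db8:2::/64" proto="any"/>
    <action mode="tunnel" protocol="esp" enc="3des-cbc" auth="hmac-sha1-96"/>
    <tunnel local="2001:db8:ff::1" remote="2001:db8:ff::2"/>
  </rule>
</ipsecPolicy>"""  # constructed sample document

def ber_oid(arcs):
    """Minimal BER OBJECT IDENTIFIER encoding (short-form length, < 128 bytes)."""
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(groups)
    return bytes([0x06, len(body)]) + bytes(body)

def pad4(n):
    return (-n) % 4

def cops_obj(t1, t2, data):
    """COPS and COPS-PR objects share the shape Length(16)|type(8)|type(8)|data;
    Length excludes padding and the object is padded to a 32-bit boundary."""
    length = 4 + len(data)
    return struct.pack("!HBB", length, t1, t2) + data + b"\x00" * pad4(length)

def walk_objects(buf):
    """Yield (type1, type2, data) for each object in buf, bounds-checked."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated object header")
        length, t1, t2 = struct.unpack_from("!HBB", buf, off)
        if length < 4 or off + length > len(buf):
            raise ValueError("object length out of range")
        yield t1, t2, buf[off + 4:off + length]
        off += length + pad4(length)

def encode_named_decision(prid_arcs, policy_xml):
    """PDP side: a PRID (BER OID) followed by the EPD carrying the XML policy."""
    body = (cops_obj(SNUM_PRID, STYPE_BER, ber_oid(prid_arcs))
            + cops_obj(SNUM_EPD, STYPE_XML, policy_xml.encode("utf-8")))
    return cops_obj(CNUM_DECISION, CTYPE_NAMED_DECISION_DATA, body)

def parse_policy(data):
    """Turn the XML EPD into rule dicts, refusing DTDs and incomplete rules."""
    text = data.decode("utf-8")
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("DTD/entity declarations are not accepted in policy documents")
    root = ET.fromstring(text)
    if root.tag != f"{{{NS}}}ipsecPolicy":
        raise ValueError("not an ipsecPolicy document")
    rules = []
    for rule in root.findall(f"{{{NS}}}rule"):
        sel, act, tun = (rule.find(f"{{{NS}}}{e}") for e in ("selector", "action", "tunnel"))
        if sel is None or act is None:
            raise ValueError(f"rule {rule.get('name')!r} lacks selector or action")
        if act.get("mode") == "tunnel" and tun is None:
            raise ValueError(f"rule {rule.get('name')!r}: tunnel mode needs tunnel endpoints")
        rules.append({"name": rule.get("name"), "selector": dict(sel.attrib),
                      "action": dict(act.attrib),
                      "tunnel": dict(tun.attrib) if tun is not None else None})
    return rules

def decode_named_decision(buf):
    """PEP side: return [(prid_bytes, rules)] bindings; reject anything unexpected."""
    objs = list(walk_objects(buf))
    if len(objs) != 1 or objs[0][:2] != (CNUM_DECISION, CTYPE_NAMED_DECISION_DATA):
        raise ValueError("expected exactly one Named Decision Data object")
    bindings, prid = [], None
    for snum, stype, data in walk_objects(objs[0][2]):
        if snum == SNUM_PRID:
            if stype != STYPE_BER or prid is not None:
                raise ValueError("PRID must be BER-encoded and followed by an EPD")
            prid = data
        elif snum == SNUM_EPD:
            if prid is None:
                raise ValueError("EPD without a preceding PRID")
            if stype != STYPE_XML:  # this PEP has no BER PIB decoder
                raise ValueError(f"unsupported EPD S-Type {stype}")
            bindings.append((prid, parse_policy(data)))
            prid = None
        else:
            raise ValueError(f"unexpected S-Num {snum} in Named Decision Data")
    if prid is not None:
        raise ValueError("trailing PRID without EPD")
    return bindings

if __name__ == "__main__":
    for prid, rules in decode_named_decision(encode_named_decision(IPSEC_RULE_PRID, SAMPLE_POLICY)):
        print(prid.hex(), rules)
```

The PEP-side decoder is deliberately strict: object lengths are bounds-checked before slicing, an EPD with any S-Type other than the one it understands is refused rather than guessed at, and the XML is rejected outright if it carries a DTD, since a policy document arriving over the network should never need entity expansion.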

18 Analysis of VPNs over IPv6

19 IPsec/IKE Solutions Analyzed
Open-source solutions:
- FreeS/WAN 1.91 with IPv6 support v0.2 (Linux)
- USAGI Stable Release 4 (Linux)
- KAME, integrated in FreeBSD 4.6 (FreeBSD)
Commercial solutions:
- Microsoft IPv6 (Windows XP)
- Solaris 9
- 6WIND 6200 Edge Device

20 Designed Evaluation Plan
Objective: evaluate IPv6 IPsec/IKE interoperability and conformance.
Background: the TAHI Project, but with a different objective: given a scenario, which implementation(s) are the most suitable?
- Interoperability tests
- Test scenarios
- Test suite
- Final reports: configuration and installation guides, test reports

21 Designed Test Scenarios

22 Scenarios Used for Testing

23 Example Test Scenario: Secure Gateway to Secure Gateway
Elements involved in the scenario:
- End hosts: normal PCs (1 GHz CPU, 128 MB of memory) connected to a 10 Mbps Ethernet network
- Secure gateways: PC routers (normal PCs, 1 GHz CPU, 128 MB of memory) connected to a 10 Mbps Ethernet network, and a 6WIND 6200 edge router connected to a 10 Mbps Ethernet network
- Router: Cisco 2600 connected to a 10 Mbps Ethernet network
Things to measure:
- Duration of the IKE negotiation (using modified daemons)
- RTT

24 Example Test Scenario (II)
Secure Gateway To Secure Gateway with ESP in Tunnel Mode

25 Results: Duration of IKE Negotiation

26 Results: RTT

27 Results: Conclusions
Duration of the IKE negotiation:
- Using certificates does not increase the delay much
- Interoperability (negotiation between different implementations) implies a strong increase
RTT:
- Using authentication increases the RTT only slightly
- Using IPsec increases the RTT by 15-20%
But ... the implementations are still far from mature.
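To put the measured 15-20% RTT growth next to the fixed cost of the encapsulation itself, here is an added example (not from the slides or the test suite) that computes the on-wire size of an IPv6 packet after ESP tunnel-mode encapsulation per RFC 2406 and its serialization time on the 10 Mbps links of the scenario above. The cipher parameters (3DES-CBC with an 8-byte IV and 8-byte block, HMAC-SHA1-96 with a 12-byte ICV), the packet sizes and the 1500-byte MTU are assumptions; the slides do not state which suite was negotiated.

```python
"""Added example: ESP tunnel-mode overhead on IPv6 (RFC 2406 layout).
Cipher/MAC sizes and packet sizes are assumptions, not measured values."""

IPV6_HDR = 40       # fixed IPv6 header
ESP_SPI_SEQ = 8     # ESP header: SPI (4) + Sequence Number (4)
ESP_TRAILER = 2     # ESP trailer: Pad Length (1) + Next Header (1)

def esp_tunnel_len(inner_len, iv_len=8, block=8, icv_len=12):
    """On-wire length of an inner IPv6 packet of inner_len bytes after ESP
    tunnel-mode encapsulation: outer IPv6 + SPI/Seq + IV + inner + padding +
    trailer + ICV. RFC 2406 pads so that (inner + trailer) is a multiple of
    the cipher block size. Defaults assume 3DES-CBC with HMAC-SHA1-96."""
    padding = (-(inner_len + ESP_TRAILER)) % block
    return IPV6_HDR + ESP_SPI_SEQ + iv_len + inner_len + padding + ESP_TRAILER + icv_len

def serialization_us(nbytes, link_mbps=10.0):
    """Microseconds needed to clock nbytes onto a link of link_mbps
    (Ethernet preamble, FCS and inter-frame gap ignored)."""
    return nbytes * 8 / link_mbps

def max_inner_for_mtu(mtu=1500, **esp):
    """Largest inner packet that still fits the gateway-to-gateway link MTU
    after encapsulation; anything larger is fragmented or needs PMTU tuning."""
    n = mtu
    while esp_tunnel_len(n, **esp) > mtu:
        n -= 1
    return n

def extra_rtt_us(inner_len, link_mbps=10.0, **esp):
    """Added serialization time for a request/response pair: the encapsulated
    packet crosses the gateway-to-gateway link once in each direction."""
    extra = esp_tunnel_len(inner_len, **esp) - inner_len
    return 2 * serialization_us(extra, link_mbps)

if __name__ == "__main__":
    # Constructed cases: an IPv6 echo with 56 data bytes (40 + 8 + 56 = 104 bytes)
    # and a packet at the IPv6 minimum MTU (1280 bytes).
    for inner in (104, 1280):
        print(inner, "->", esp_tunnel_len(inner), "bytes, +%.1f us RTT" % extra_rtt_us(inner))
    print("largest inner packet fitting a 1500-byte MTU:", max_inner_for_mtu())
```

For the small echo packet the encapsulation alone adds 76 bytes per direction, about 120 microseconds of serialization on 10 Mbps links; the remaining RTT growth the slide reports comes from cryptographic processing on the 1 GHz gateways, which this calculation does not model.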

28 References

29 Basic References
- UMU-PKIv6 - Public Key Infrastructure with IPv6 support
- VPN Enforcement Tool
- UMU-Policy Management Tool (old version of the IPsec Policy Schema)
