
Politecnico di Milano Networking Security Maurizio Dècina Politecnico di Milano/CEFRIEL Ordine degli Ingegneri.


2 Politecnico di Milano, Networking Security. Maurizio Dècina, Politecnico di Milano/CEFRIEL. Ordine degli Ingegneri di Milano, Cefriel, Clusit and Cisco Systems: NETWORK SECURITY. Milan, 8 April 2003, Politecnico di Milano.

3 © 2003 Maurizio Dècina, Networking Security - Milano, 8 Aprile. Generalized Moore's Law: the most important information-technology growth parameters double every 2–3 years: number of transistors in a chip; computation cycles; memory size (magnetic/optical disks); device feature size; backbone bandwidth. The power of exponential growth!

4 Quantum computing according to Birnbaum (figure: number of components per chip versus circuit feature size in microns; classical era and quantum era; Moore's wall; temperature marks at 77 K and 295 K). Source: Joel Birnbaum, 1999.

5 Internet Domain Survey, host count, January 2003 (ISC). Total host count in January: 171,638,297.

6 Top domain names by host count (ISC, January 2003 Internet Domain Survey by the Internet Software Consortium, http://www.isc.org/ds/). Table: hosts in Jan. '99, Jan. '00, Jan. '01, Jan. '02 and Jan. '03 with % growth, for the domains com - Commercial, net - Networks, edu - Educational, jp - Japan, ca - Canada, uk - United Kingdom, us - United States, de - Germany, mil - US Military, it - Italy, au - Australia, nl - Netherlands, org - Organizations, fr - France, tw - Taiwan, br - Brazil, gov - Government, fi - Finland, se - Sweden, es - Spain, and the TOTAL.

7 Total U.S. Internet traffic over time (figure: historical and forecasted U.S. Internet traffic in bytes per month, scale from 1 MB to 100 EB; ARPA & NSF data to '95, new measurements, TDM voice traffic; future growth projected at 2–3x per year, i.e. doubling, or more, every year). As of April 2002 Internet traffic is 80% of all traffic and 10% of revenue. Source: Larry Roberts, May 2002.

8 IP and voice U.S. backbone revenue (figure: IP revenue and TDM voice revenue in $M/yr). IP revenue per bit is decreasing at 2:1 per year; this means IP revenue is increasing at 50% per year. Of total voice & IP, IP revenue is 12% while IP traffic is 91%. Source: Larry Roberts, May 2002.

9 Some Internet protocols and their dependencies (figure; includes ICMPv6).

10 Security and Internet protocols: some dependencies (figure of the protocol stack). Layers: Physical layer (twisted pairs, coax, fiber, radio, powerline, ...); Data link (IEEE 802, PPP); Internet; Transport; Application, split into network management & control applications and end-user applications. Protocols shown: ARP/RARP, PAP/CHAP, IPv4, IPv6, ICMP, ICMPv6, IGMP, IPSec, IKE, Mobile IP, NAT/PAT, TCP, UDP, SSL/TLS, SSH, Kerberos, RIPv1, RIPv2, OSPF, BGP, SNMP, DHCP, DNS, RSVP, RTP/RTCP, RTSP, SIP, HTTP, Telnet, FTP, SMTP, S/MIME, PGP, SET, VoIP, Video. The red ones are security protocols; all Internet protocols will soon include security. Source: M. Dècina, 2003.

11 A taxonomy of security solutions. Security management: intelligence & incident response; intrusion detection, monitoring; risk assessment, auditing; vulnerability assessment, penetration testing. Access security: managed firewall; biometrics; authentication/authorization/accounting; certification authority/public key infrastructure. Content security: digital rights management; content filtering; managed antivirus. Communication security: managed virtual private network; encryption connectivity. Application security: secure electronic transaction; secure web server (SSL/TLS); secure mail (S/MIME). System security: disaster recovery, business continuity; backup and remote backup. Source: M. Dècina, 2002.

12 Security life cycle (figure): protection, detection, response, recovery/audit. Information assurance: policies, procedures, user awareness, security team.

13 Security benefits. Benefits: crystal clear situation; management & maintenance rationalization; bandwidth optimization; secure and fast engineering & deployment; security level enhancement. Savings in: incident recovery; business continuity; downtime recovery; reduced data losses; business image damages avoided; downtime reduced. By-product: reaching a crystal clear situation equals adding organization to an enterprise.

14 Security scenario (figure): the principals Alice and Bob exchange a message, each applying a security-related transformation that uses secret info; a trusted third party (Trent) may be involved; an opponent (Oscar, Trudy, Eve, Mallory, ...) acts on the channel.

15 Security mechanisms. Prevention: policies, procedures, risk assessment, vulnerability assessment, design of secure networks with protection and detection mechanisms, hardening of information systems, audit, ... Protection: encryption, firewall, NAT/PAT, virtual private network, tunneling, access control, antivirus, honeypot, ... Detection: vulnerability assessment, penetration test, intrusion detection systems, monitoring, ... Reaction: emergency response, intelligence, patch, restore, audit, ...

16 Managed security services (figure: services plotted by response time and event information): vulnerability assessment; intrusion detection system (IDS) monitoring; firewall, content filtering, VPN. Grouped as protection, detection, and detection + response.

17 CPE managed security: protection and detection tools at customer premises (figure). Client A with firewall/VPN, IDS and antivirus; Client B with firewall/VPN; Client C with firewall; all connected over the Internet to the SOC security management/monitoring system and its response team, monitoring internal and external attacks and managing perimeter security.

18 Security, VPN, routing, and QoS (figure): an intrinsically secure network element combining VPN gateway server (voice & data VPN), router, firewall, bandwidth manager, IPSec & VPN server, NAPT/ALG and SSL/TLS accelerator.

19 Wireless access networks. There is a local hero: Wireless-Fidelity! (figure: range versus bandwidth from 10 kbit/s to 1 Gbit/s; applications SMS, web access, download, VoIP, video streaming, video on demand; ranges cable replacement, home/office/public access, city/suburbs, countrywide; technologies GSM, GPRS, UMTS, Bluetooth, Wi-Fi a/g, HiperLan/2, Ultra Wide Band). Source: Re:Think!, revised by M. Dècina, 2002.

20 Wi-Fi security solutions (table: authentication and encryption options for Home/SOHO, small enterprise, large enterprise and public access, drawing on SSID, MAC filtering, WEP, WEP2, WPA, 802.1x, authentication server and VPN).

21 Full IP network (figure). Network environment: Internet, PSTN/ISDN, IP backbone, intelligent edge with broadband gateway, media gateway and mobility gateway; wired access (xDSL, FTTx, LRE, RSU) and wireless access (Wi-Fi AP, 2G/3G BTS). Service environment: Internet application platforms, Internet application servers, and mobility, location, connection & control servers.

22 3GPP2 All-IP architecture (figure): cdma2000 access network (BTS, BSC/RSC + PCF, MM) and other access networks; mobile station with legacy MS domain support; access gateway (FA/attendant), border router, Mobile IP home agent; AAA, EIR, subscription profile, policy rules and databases; position server and position determining entity; session control manager, core QoS manager, subscription QoS manager; media gateway, media gateway control function, media resource function; trunk signaling gateway, roaming signaling gateway, network capability gateway; advertising agent, service application; connections to the GSTN, the Internet, MAP and DSI.

23 Emerging web services standards (figure, source: Gartner Group, 2002; each standard marked as in place, established or emerging). Transport: common Internet protocols (e.g., TCP/IP, HTTP). Format: Extensible Markup Language (XML). Message: SOAP - Simple Object Access Protocol. Description: WSDL - Web Services Description Language. Search & find: UDDI - Universal Description, Discovery & Integration. Workflow/BPM: Business Process Execution Language (BPEL4WS), BPML, WSCI. User interface: Web Services for Remote Portals (WSRP), Web Services User Interface (WSUI). Building trust: WS-Security, SAML, XRML. Identifying: Liberty, Passport. Business semantics: ebXML, RosettaNet.

24 Managed PKI (figure). Services: VPNs; message integrity (signature); encryption (S/MIME); authorization privileges and SSO; file encryption; session confidence (SSL); key recovery; time/date stamp; identification of users and servers. Certificate Authority functions: register users; generate key pairs; confidentially exchange keys; grant and archive certificates; generate/verify digital signatures; act as trusted third party (optional); revoke certificates; approve and coordinate policies; operate secure servers and agents. Certificate fields: version; serial number; signature algorithm; issuer (CA); validity (from, to); subject (end-entity); subject public key info; extensions (ver. 3 only); CA signature. Processes: users registration, certification, distribution, escrowing. Encryption and digital signature (with legal value): the Certification Authority has a central role as guarantor; interoperability problems; difficulty of introduction into applications. Source: Gartner Group, 2002.

25 Digital identity, a network perspective (figure: value delivered versus adoption timeline, from immediate to future application; source: Burton Group and RSA, 2002). Applications: supply chain integration; shared leads – CRM; inventory and fulfillment; channel optimization; real-time B2B negotiations and transactions; consumer single sign-on; shared security infrastructure; transaction context sharing; cost savings; ease of use/efficiency. Scopes: within the enterprise (tightly-coupled, persistent interior: employees, internal systems & data); partner community (extranets: less-known partner or xSP); outward-facing e-commerce (loosely-coupled, dynamic exterior: customers, unknown, the Internet).

26 Liberty Alliance project (figure): user browser, e-commerce sites and identity providers, each with SSO modules and authentication, exchange identity and profile information over the Internet across Trust Domain 1 and Trust Domain 2, with trusted third parties and trust services. Source: HP, 2002.

27 A short-term perspective (figure: maximum data rate in Mbit/s by year). Cellular: GSM, GPRS, UMTS. WLAN: 802.11b, Hiperlan2/802.11a, HomeRF. PAN: Bluetooth, Ultrawideband, piconets, scatternets. Enabling techniques: smart antennas, reconfigurable radio, space/time coding.

28 IPv6 features (figure of the header). Fixed header fields: version, class, flow label, payload length, next header (N. H.), hop limit, source address, destination address. Extension headers: hop-by-hop options (jumbo payload length option, router alert option), destination options header, routing header, fragment header, authentication header, ESP header, destination options header. Router Alert values: 1 (RSVP), 2 (AN), 0 (MLD). New services: QoS, active networks, multicast, optimizing MAC, plug-n-play, mobility (route optimization, binding update, piggybacking), security. ICMPv6.
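An added example, not part of the presentation: parsing the fixed IPv6 header fields named on the slide and walking a leading Hop-by-Hop extension header to read the Router Alert option value (option type 5 per RFC 2711, values 0 = MLD, 1 = RSVP, 2 = Active Networks). The packet is constructed inline; the field names and the MLD sample are assumptions for illustration.

```python
import struct

HOP_BY_HOP = 0                 # next-header value of the Hop-by-Hop Options header
ROUTER_ALERT_OPTION_TYPE = 5   # RFC 2711 option type
ROUTER_ALERT_VALUES = {0: "MLD", 1: "RSVP", 2: "Active Networks"}   # values from the slide


def parse_ipv6(packet: bytes) -> dict:
    """Return the fixed-header fields and, if a Hop-by-Hop header leads the payload,
    the Router Alert value it carries (None when absent). Raises ValueError on bad input."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, payload_length, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    info = {
        "version": first_word >> 28,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_length,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": packet[8:24].hex(),
        "dst": packet[24:40].hex(),
        "router_alert": None,
    }
    if info["version"] != 6:
        raise ValueError("not an IPv6 packet")
    if len(packet) < 40 + payload_length:
        raise ValueError("payload shorter than declared payload length")
    if next_header == HOP_BY_HOP:
        ext_next, ext_len = packet[40], packet[41]
        opts = packet[42:40 + (ext_len + 1) * 8]   # Hdr Ext Len counts 8-octet units after the first
        i = 0
        while i < len(opts):
            opt_type = opts[i]
            if opt_type == 0:                      # Pad1: a single padding byte, no length field
                i += 1
                continue
            opt_len = opts[i + 1]
            if opt_type == ROUTER_ALERT_OPTION_TYPE and opt_len == 2:
                value = struct.unpack("!H", opts[i + 2:i + 4])[0]
                info["router_alert"] = ROUTER_ALERT_VALUES.get(value, f"unknown({value})")
            i += 2 + opt_len                       # PadN and unknown options are skipped by length
        info["next_header"] = ext_next             # protocol that follows the extension header
    return info


# Constructed sample: ::1 -> ff02::1, Hop-by-Hop header with Router Alert = 0 (MLD), then ICMPv6 (58).
SAMPLE_PACKET = (
    bytes.fromhex("60000000")                      # version 6, traffic class 0, flow label 0
    + struct.pack("!HBB", 8, HOP_BY_HOP, 1)        # payload length 8, next header Hop-by-Hop, hop limit 1
    + bytes(15) + b"\x01"                          # source ::1
    + b"\xff\x02" + bytes(13) + b"\x01"            # destination ff02::1
    + bytes([58, 0])                               # ext header: next header ICMPv6, length 0 (8 octets)
    + bytes([5, 2, 0, 0])                          # Router Alert option, value 0 = MLD
    + bytes([1, 0])                                # PadN with no padding bytes to fill the 8 octets
)
```

A filter that only reads the fixed header would classify this packet as Hop-by-Hop traffic; walking the extension chain exposes the real upper-layer protocol and the router alert the slide lists.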

29 Ubiquitous and pervasive computing. Small, lightweight, cheap, mobile processors in almost all everyday objects (embedded computing), on the human body (wearable computing), embedded in the environment (ambient intelligence): a world of smart objects. Smart objects can remember pertinent events (they have memory), show context-sensitive behavior (they have sensors), are responsive (they communicate with their environment), and are networked with other smart objects.

30 Peer-to-peer wireless networks, mesh networks (figure): mobile user devices and wireless routers & access points form an ad-hoc, peer-to-peer wireless network backbone to the Internet & telephone networks; distributed networking.

31 Privacy and pervasive computing. Privacy is already a concern with the Internet: use of personal data (address, ...), use of personal web browsing data (page views, clicks, ...). It is a more dramatic concern in a pervasive computing world: many more events of very elementary actions are registered and can be assembled into perfect profiles. Source: F. Mattern, 2001.

