
Maurizio Dècina, Politecnico di Milano/CEFRIEL




1 Maurizio Dècina, Politecnico di Milano/CEFRIEL
Networking Security. Maurizio Dècina, Politecnico di Milano/CEFRIEL. Ordine degli Ingegneri di Milano, Cefriel, Clusit and Cisco Systems: Network Security (La sicurezza delle reti), Milano, 8 April 2003, Politecnico di Milano. Networking Security, seminar of the Ordine degli Ingegneri, Milano, 8 April 2003.

2 Generalized Moore’s Law
The most important information technology growth parameters double every 2 to 3 years: number of transistors in a chip; computation cycles; memory size, magnetic/optical disks; device feature size; backbone bandwidth. The power of exponential growth! © 2003 Maurizio Dècina, Networking Security, Milano, 8 April 2003

3 Quantum computing according to Birnbaum
[Chart: number of components per chip (10^2 to 10^18) against circuit feature size in microns (10^1 to 10^-3), 1970 to 2010. The classical era is separated from the quantum era by the "Moore's wall"; operating temperatures marked at 4 K, 77 K and 295 K. Source: Joel Birnbaum, 1999]

4 Internet Domain Survey Host Count, January 2003, ISC
[Chart: Internet Domain Survey host count over time. January 2003 total host count: 171,638,297]

5 Top Domain Names by Host Count, ISC, January 2003
[Table: hosts per top-level domain for January 1999, 2000, 2001, 2002 and 2003, for com (Commercial), net (Networks), edu (Educational), jp (Japan), ca (Canada), uk (United Kingdom), us (United States), de (Germany), mil (US Military), it (Italy), au (Australia), nl (Netherlands), org (Organizations), fr (France), tw (Taiwan), br (Brazil), gov (Government), fi (Finland), se (Sweden), es (Spain), and the total; the host counts did not survive extraction. Annotations on the table mark 69% growth and 17% growth. Source: Internet Domain Survey of the Internet Software Consortium (http://www.isc.org/ds/)]

6 Total U.S. Internet Traffic Over Time
[Chart: historical and forecasted U.S. Internet traffic in bytes per month, 1970 to 2010, on a log scale from 1 MB to 100 EB, with TDM voice traffic for comparison. ARPA and NSF data to 1995: doubling, or more, every year; new measurements; future growth projected at 2 to 3 times per year. Annotation (April): Internet traffic is now 80% of all traffic and 10% of revenue. Source: Larry Roberts, May 2002]

7 IP and Voice U.S. Backbone Revenue
IP revenue per bit is decreasing at 2:1 per year; this means IP revenue is increasing at 50% per year. [Chart: U.S. backbone revenue in $M/yr, 0 to 200,000, for 2000 to 2012: IP revenue against TDM voice revenue. Of total voice and IP, IP revenue is 12% while IP traffic is 91%. Source: Larry Roberts, May 2002]

8 Some Internet protocols and their dependencies
[Layered diagram] End-user applications: HTTP, Telnet, SMTP, FTP, VoIP, Video, RTP/RTCP, RTSP, SIP. Network management and control applications: SNMP, DNS, DHCP, RIPv1, RIPv2, OSPF, BGP, RSVP. Transport: TCP, UDP. Internet: IPv4, IPv6, NAT, NAPT, IPSec, MobileIP, ICMP, ICMPv6, IGMP, ARP/RARP. Data link: IEEE 802, PPP. Physical layer: twisted pairs, coax, fiber, radio, powerline, ... Some links represent the most used configuration. Source: M. Dècina, 2001

9 Security and Internet protocols: some dependencies
[Layered diagram] End-user applications: SET, PGP, S/MIME, Video, VoIP, Telnet, FTP, HTTP, SMTP, SSH, IKE, Kerberos, RTSP, RTP/RTCP, SIP. Network management and control applications: SNMP, DNS, DHCP, RIPv1, RIPv2, OSPF, RSVP, BGP. Transport: UDP, TCP, SSL/TLS, PAT. Internet: MobileIP, IPSec, IGMP, ICMP, IPv4, NAT, IPv6, ICMPv6, ARP/RARP. Data link: IEEE 802, PPP, PAP/CHAP. Physical layer: twisted pairs, coax, fiber, radio, powerline, ... All Internet protocols will soon include security; the ones drawn in red in the original are security protocols. Source: M. Dècina, 2003

10 A Taxonomy of Security Solutions
Security management: intelligence and incident response; intrusion detection, monitoring; risk assessment, auditing; vulnerability assessment, penetration testing. Application security: secure electronic transaction; secure web server, SSL/TLS; secure mail, S/MIME. Content security: digital rights management; content filtering; managed antivirus. Communication security: managed virtual private network; encryption. Access security: biometrics; authentication/authorization/accounting; certification authority/public key infrastructure; managed firewall. System security: disaster recovery, business continuity; backup and remote backup; connectivity. Source: M. Dècina, 2002

11 Security Life Cycle
[Cycle diagram: Protection, Detection, Response, Recovery/Audit] Information assurance: policies, procedures, user awareness, security team.

12 Security Benefits
Security benefits: (A) by-product; (B) security level enhancement. Savings in: incident recovery, business continuity, downtime recovery, reduced data losses, business image damages avoided, downtime reduced, crystal-clear situation, management and maintenance rationalization, bandwidth optimization. Secure and fast engineering and deployment to reach a crystal-clear situation equals adding "organization" to an enterprise.

13 Security Scenario
[Diagram: a message passes through a security-related transformation using secret information, between the principals "Alice" and "Bob"; a trusted third party, "Trent"; an opponent, "Oscar", "Trudy", "Eve", "Mallory", ...]

14 Security mechanisms
Prevention: policies, procedures, risk assessment, vulnerability assessment, design of secure networks with protection and detection mechanisms, hardening of information systems, audit, ... Protection: encryption, firewall, NAT/PAT, virtual private network, tunneling, access control, antivirus, honeypot, ... Detection: vulnerability assessment, penetration test, intrusion detection systems, monitoring, ... Reaction: emergency response, intelligence, patch, restore, audit, ...

15 Managed Security Services
[Diagram: managed security services plotted against time, moving from protection (firewall, content filtering, VPN) through detection (intrusion detection system, IDS) to response. Service levels: vulnerability assessment; monitoring; detection; detection + response; event information.]

16 CPE Managed Security
CPE managed security: protection and detection tools at the customer premises. SOC: response team; security management/monitoring system; managing perimeter security; monitoring internal and external attacks. [Diagram: client A (FW, VPN, IDS, AV), client B (FW, VPN) and client C (FW) connected over the Internet to the SOC.]

17 Security, VPN, Routing, and QoS
Intrinsically secure network element: VPN gateway server (voice and data VPN), router, firewall, bandwidth manager, IPSec and VPN server, NAPT/ALG, SSL/TLS accelerator.

18 Wireless Access Networks: there is a local hero, Wireless-Fidelity!
[Chart: bandwidth (10 kbit/s to 1 Gbit/s) against range by technology. Home, office, public access: Bluetooth, Ultra Wide Band, 802.11a/g, HiperLan/2, Wi-Fi. City, suburbs: UMTS. Country-wide: GPRS, GSM. Applications: web access, VoIP, download, video streaming, video on demand, SMS, cable replacement. Source: Re:Think!, revised by M. Dècina, 2002]

19 Wi-Fi Security Solutions
[Diagram: authentication and encryption options by deployment. Home/SOHO: SSID, MAC filtering; WEP. Small enterprise: WEP2, WPA. Large enterprise: 802.1x with an authentication server; 802.1x + WEP/WPA. Public access: authentication server + VPN; VPN.] Authentication solutions and encryption solutions can be combined to obtain a complete security solution.

20 Full IP Network
[Diagram: full IP network. Network environment: wired access (xDSL, FTTx, LRE, RSU, broadband gateway), wireless access (2G/3G BTS, Wi-Fi AP, mobility gateway), IP backbone, intelligent edge, media gateway to PSTN/ISDN. Service environment: Internet application servers, Internet application platforms, and mobility, location, connection and control servers.]

21 3GPP2 All IP
[Diagram: 3GPP2 all-IP reference architecture. Access side: mobile station, cdma2000 access network (BTS, BSC/RSC + PCF), access gateway, MM, FA/attendant, legacy MS domain support, other access networks. Core: Mobile IP home agent, border router to the Internet, AAA, core QoS manager, subscription QoS manager, session control manager, roaming signaling gateway, trunk signaling gateway, media gateway control function, media resource function, media gateway to the GSTN, position server, position determining entity, network capability gateway, advertising agent, service application, MAP, and databases (subscription profile, policy rules, EIR, DSI).]

22 Emerging Web Services Standards
Strategic Planning Assumption: through 2006, market and competitive pressures will force vendors to merge competing specifications and deliver joint submissions to standards organizations within two years of technology introduction (0.7 probability).
[Web services stack, bottom to top, with the status labels shown on the slide] Transport: common Internet protocols (e.g., TCP/IP, HTTP), and Format: Extensible Markup Language (XML) [in place]. Message: SOAP, Simple Object Access Protocol, and Description: WSDL, Web Services Description Language [established]. Search and find: UDDI, Universal Description, Discovery and Integration. Workflow/BPM: Business Process Execution Language (BPEL4WS), BPML, WSCI, and User interface: Web Services for Remote Portals (WSRP), Web Services User Interface (WSUI) [emerging]. Building trust: WS-Security, SAML, XRML. Identifying: Liberty, Passport. Business semantics: ebXML, RosettaNet [standard]. Source: Gartner Group, 2002
Key Issue: How and why are standards important to the future of Web services? The beauty of Web services today is in their simplicity, but as anyone who follows the software market knows, simplicity inevitably leads to formidable complexity, and so it is with Web services standards. Vendors (and enterprises) are hard at work adding layers to the existing Web services stack to address perceived (and real) issues such as security, transaction management, user interface development, collaborative and peer-to-peer environments, B2B interactions, and more. The emerging stack comes in multiple flavors depending on the vendor, industry association and standards organization. There will be recurring attempts to build an entire stack of Web services standards that may satisfy every requirement an enterprise might foresee and, without exception, these attempts will fail because of the vastness of their scope; ebXML might be one such example.
More importantly, Web services standards need to fit within a larger framework that can support comprehensive enterprise requirements. One such framework is depicted above. Action Item: use a standards framework to measure the comprehensiveness of a vendor's support of standards, but do not expect any one vendor or stack to provide everything.

23 Certificate Authority Functions
Managed PKI: certification, distribution, escrowing, user registration. Encryption and digital signature (with legal value); the Certification Authority has the central role of guarantor; interoperability problems; difficulty of introduction into applications. Uses of certificates: VPNs; authorization privileges and SSO; identify users and servers; session confidence (SSL); message integrity (signature); encrypt (S/MIME); encrypt files; time/date stamp; key recovery. Certificate Authority functions: register users; generate key pairs; confidentially exchange keys; grant and archive certificates; generate/verify digital signatures; act as trusted third party (optional); revoke certificates; approve and coordinate policies; operate secure servers and agents. Certificate fields: version; serial number; signature algorithm; issuer (CA); validity (from, to); subject (end-entity); subject public key info; extensions (version 3 only); CA signature. Source: Gartner Group, 2002

24 Digital Identity: A Network Perspective
[Chart: value delivered against adoption timeline, from within the enterprise (employees; internal systems and data; tightly coupled, persistent interior) through the partner community (extranets; less-known partners or xSPs) to outward-facing e-commerce (customers, unknown parties, the Internet; loosely coupled, dynamic exterior). Applications, split on the chart into immediate and future: supply chain integration, shared leads (CRM), inventory and fulfillment, channel optimization, real-time B2B negotiations and transactions, consumer single sign-on, shared security infrastructure, transaction context sharing, cost savings, ease of use/efficiency. Source: Burton Group and RSA, 2002]

25 Liberty Alliance Project
[Diagram: a user browser authenticates over the Internet to e-commerce sites and identity providers equipped with SSO modules; identity and profile information is exchanged between trust domain 1 and trust domain 2 through trusted third parties, trust services, ... Source: HP, 2002]

26 A short term perspective
[Chart: maximum data rate (0.01 to 1000 Mbit/s) against year for cellular (GSM, GPRS, UMTS), WLAN (802.11b, Hiperlan2/802.11a, HomeRF) and PAN (Bluetooth, Ultrawideband; piconets, scatternets) technologies, with the enabling techniques smart antennas, reconfigurable radio and space/time coding.]

27 IPv6 Features
Base header: Version, Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address. Extension headers: Hop-by-hop Options (Jumbo Payload Length option, Router Alert option), Destination Options, Routing, Fragment, Authentication Header, ESP Header. Router Alert values: 0 (MLD), 1 (RSVP), 2 (AN). New services enabled: QoS, active networks, multicast, optimizing MAC, plug-n-play, mobility, security; ICMPv6; route optimization; binding update (piggybacking).
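A parser for the header layout just listed, added here as an example and not part of the original slides: it reads the base header, walks the extension-header chain to find the transport protocol, and decodes the Router Alert and Jumbo Payload options named on the slide, which is the work a firewall or IDS must do before it can classify a packet. The sample packet and its 2001:db8:: addresses are constructed for the example.

```python
import struct
import ipaddress
EXT_HEADERS = {0: "Hop-by-Hop Options", 43: "Routing", 44: "Fragment",  # chain to walk before transport
               51: "Authentication Header", 60: "Destination Options"}
UPPER_LAYER = {6: "TCP", 17: "UDP", 50: "ESP", 58: "ICMPv6"}   # ESP hides whatever follows it
ROUTER_ALERT = {0: "MLD", 1: "RSVP", 2: "Active Networks"}     # values listed on the slide

def parse_options(data):  # TLV options of a Hop-by-Hop or Destination Options header
    found, i = [], 0
    while i < len(data):
        opt_type = data[i]
        if opt_type == 0:                        # Pad1: one byte, no length field
            i += 1
            continue
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if opt_type == 5 and length == 2:        # Router Alert (RFC 2711)
            found.append(("Router Alert", ROUTER_ALERT.get(struct.unpack("!H", value)[0], "unknown")))
        elif opt_type == 0xC2 and length == 4:   # Jumbo Payload (RFC 2675)
            found.append(("Jumbo Payload", struct.unpack("!I", value)[0]))
        elif opt_type != 1:                      # anything but PadN is reported for inspection
            found.append((f"option 0x{opt_type:02x}", value.hex()))
        i += 2 + length
    return found

def parse_ipv6(pkt):  # base header fields, extension chain, upper-layer protocol and its offset
    vtf, payload_len, nh, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    info = {"payload_len": payload_len, "hop_limit": hop_limit, "src": str(ipaddress.IPv6Address(pkt[8:24])),
            "dst": str(ipaddress.IPv6Address(pkt[24:40])), "ext": [], "options": []}
    off = 40
    while nh in EXT_HEADERS:
        next_nh, hdr_ext_len = pkt[off:off + 2]   # ValueError if the chain runs off the packet
        # Fragment is fixed at 8 bytes; AH counts 4-octet words (+2); the others count 8-octet words (+1)
        size = 8 if nh == 44 else (hdr_ext_len + 2) * 4 if nh == 51 else (hdr_ext_len + 1) * 8
        if off + size > len(pkt):
            raise ValueError(f"{EXT_HEADERS[nh]} header runs past the end of the packet")
        if nh in (0, 60):
            info["options"] += parse_options(pkt[off + 2:off + size])
        info["ext"].append(EXT_HEADERS[nh])
        off, nh = off + size, next_nh
    info["upper"], info["upper_offset"] = UPPER_LAYER.get(nh, f"protocol {nh}"), off
    return info

def build_sample():  # constructed packet: Hop-by-Hop (Router Alert = MLD) -> Destination Options -> TCP
    hbh = bytes([60, 0, 5, 2, 0, 0, 1, 0])        # next=60, ext len=0, Router Alert(0), PadN(0)
    dst_opts = bytes([6, 0, 1, 4, 0, 0, 0, 0])    # next=6 (TCP), ext len=0, PadN(4)
    payload = hbh + dst_opts + b"\x00" * 20       # 20 zero bytes stand in for a TCP header
    base = struct.pack("!IHBB", 6 << 28, len(payload), 0, 64)   # version 6, next header 0, hop limit 64
    return base + ipaddress.IPv6Address("2001:db8::1").packed + ipaddress.IPv6Address("2001:db8::2").packed + payload
```

A truncated chain raises ValueError rather than silently returning a transport protocol, which is the safe failure for a classifier.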

28 Ubiquitous and Pervasive Computing
Small, lightweight, cheap, mobile processors in almost all everyday objects ("embedded computing"), on the human body ("wearable computing"), embedded in the environment ("ambient intelligence"): a world of "smart objects". Smart objects can remember pertinent events (they have memory), show context-sensitive behavior (they have sensors) and are responsive (they communicate with their environment and are networked with other smart objects).

29 Peer-to-Peer Wireless Networks: Mesh Networks
[Diagram: an ad-hoc, peer-to-peer wireless network of mobile user devices and wireless routers and access points, with a backbone to the Internet and telephone networks; distributed networking.]

30 Privacy and Pervasive Computing
Privacy is already a concern with the Internet: use of personal data (address, ...); use of personal web browsing data (page views, clicks, ...). The concern is more dramatic in a pervasive computing world: many more events of very elementary actions are registered, and they can be assembled into perfect profiles. Source: F. Mattern, 2001

