Architectural Considerations for Protecting End Hosts Vern Paxson International Computer Science Institute and Lawrence Berkeley National Laboratory


Architectural Considerations for Protecting End Hosts Vern Paxson International Computer Science Institute and Lawrence Berkeley National Laboratory June 28, 2007

Overview
– Previous session looked at architectural issues for the network securing its own infrastructure
– Now, we consider the network's role (if any) in protecting end systems
– Two parts:
  – What should its role be?
  – Architectural approaches for DoS defense

Agenda, Part 1: What should the network's role be?
– It's inevitable that the network will be intrusive with end-system traffic; let's architect for it (Vern Paxson)
– No, let's not, #1 (Paul Syverson)
– No, let's not, #2 (Nick Weaver)
– Discussion

Agenda, Part 2: How should the network protect against DoS?
– Framing of problem space (Stefan Savage)
– The role of identifiers (Stefan Savage)
– The role of indirection (Angelos Keromytis)
– The role of capabilities (Xiaowei Yang)
– Discussion

A Glum Vision That We Had Better Plan For
– Network operators want to control traffic
  – Control = inspect, modify, tune, censor, confine
– … for a large variety of reasons:
  – Policy enforcement
  – End-host security
  – Wiretap / legal intercept
  – Censorship
  – Walled gardens / business reasons
  – Performance engineering

Glum Vision, cont.
– Furthermore, they have the power to do so, since they hold the fundamental property of connectivity …
– … unless they are constrained:
  – By law: unpredictably difficult to shape in a useful fashion
  – By competitive concerns: but these are trumped by law and sole-sourcing

Glum Vision, cont.
– We have existence proofs that network operators will go to significant lengths to shoehorn in such control
– Question: would we like this stuff shoehorned into our future Internet, or directly recognized as a tussle?
– (Q: will end-to-end crypto save us? A: No, reduces to steganography.)

How to Architect for this Tussle?
– One approach (w/ S. Shenker, M. Allman):
  – When instantiating communication, end nodes negotiate with the network regarding the degree of inspection/meddling
    – What will be revealed, what can be modified
    – How to express the range of semantics?
  – If unacceptable, seek alternate paths
  – Both parties require mechanisms to police for adherence
  – Already today for SIP proxies, P3P
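To make the negotiation sketched on this slide concrete, here is an added toy model; it is an illustration written for this transcript, not code from the talk or from the Paxson/Shenker/Allman proposal, and every field name, path name and policy in it is constructed. An end node declares what it will reveal and what it will let the network rewrite, each candidate path declares what it insists on inspecting and modifying, the end node takes the first path whose demands fit (otherwise it has no acceptable path and must look elsewhere), and both sides then police adherence by diffing observed behaviour against what was agreed.

```python
# Added illustration (not code from the talk): a toy model of the end node /
# network negotiation sketched on the last slide. All field names, path names
# and policies below are constructed for the example.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class EndpointPolicy:
    """What the end node is willing to have revealed to, and rewritten by, the network."""
    reveal_ok: FrozenSet[str]
    modify_ok: FrozenSet[str]


@dataclass(frozen=True)
class PathDemand:
    """What a candidate network path insists on inspecting and rewriting."""
    name: str
    inspect: FrozenSet[str]
    modify: FrozenSet[str]


def acceptable(policy: EndpointPolicy, demand: PathDemand) -> bool:
    """A path is acceptable when every field it wants to inspect is one the end
    node will reveal, and every field it wants to rewrite is one it allows."""
    return demand.inspect <= policy.reveal_ok and demand.modify <= policy.modify_ok


def negotiate(policy: EndpointPolicy, paths: Iterable[PathDemand]) -> Optional[PathDemand]:
    """Try candidate paths in preference order; return the first whose demands
    fit the policy, or None when no path is acceptable (the 'seek alternate
    paths' case has been exhausted)."""
    for path in paths:
        if acceptable(policy, path):
            return path
    return None


def endpoint_audit(agreed: PathDemand,
                   observed_inspect: FrozenSet[str],
                   observed_modify: FrozenSet[str]) -> Dict[str, FrozenSet[str]]:
    """End-node side policing: anything the network looked at or rewrote beyond
    the agreement is a violation worth flagging."""
    return {
        "inspected_beyond_agreement": observed_inspect - agreed.inspect,
        "modified_beyond_agreement": observed_modify - agreed.modify,
    }


def network_audit(agreed: PathDemand, revealed: FrozenSet[str]) -> FrozenSet[str]:
    """Network side policing: fields the end node agreed to expose but is not
    actually exposing (for instance because it encrypted them after all)."""
    return agreed.inspect - revealed


# Constructed sample: an end node that exposes addressing metadata and lets the
# network retag DSCP, but keeps payload and HTTP headers private.
ENDPOINT = EndpointPolicy(
    reveal_ok=frozenset({"dst_addr", "dst_port", "flow_size"}),
    modify_ok=frozenset({"dscp"}),
)

# Constructed candidate paths, in the end node's order of preference.
PATHS = [
    PathDemand("path_dpi", inspect=frozenset({"dst_addr", "payload"}),
               modify=frozenset({"http_headers"})),   # wants payload: rejected
    PathDemand("path_metadata", inspect=frozenset({"dst_addr", "dst_port"}),
               modify=frozenset({"dscp"})),           # fits the policy
]


def run_example():
    """Negotiate, then simulate what each side observes the other doing."""
    chosen = negotiate(ENDPOINT, PATHS)
    violations = endpoint_audit(
        chosen,
        observed_inspect=frozenset({"dst_addr", "dst_port", "payload"}),  # network peeked at payload
        observed_modify=frozenset({"dscp"}),
    )
    missing = network_audit(chosen, revealed=frozenset({"dst_addr"}))  # end node hid dst_port
    return chosen.name, violations, missing


if __name__ == "__main__":
    print(run_example())
```

The point of the two audit functions is the slide's "both parties require mechanisms to police for adherence": an agreement is only useful if each side can detect the other departing from it, and expressing the agreement as explicit field sets makes that check a set difference rather than a judgement call.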