Class 11 Enterprise Network Protection CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman

1 Class 11 Enterprise Network Protection CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman http://www.cis.ksu.edu/~eyv/CIS755_S14/

2 Administrative stuff
Exam I on March 25th
Don’t accidentally come to class next week :)
I’ll be here, but no fixed office hours:
– Email if you need to see me
– Or stop by if my door is open (it usually is)

3 Distributed Systems: Definition
“A system of multiple communicating entities performing a coordinated function”
“A system where a computer that you’ve never heard of, located somewhere you’ve never been, can cause your computer to stop functioning correctly”
– Humorous paraphrase of Lamport

4 Distributed Systems: Why?
Increased robustness (maybe)
– Eliminating a single point of failure
Resource sharing
– e.g. Beocat
– e.g. a mobile device and a server
Improved scalability (maybe)
– e.g. Beocat

5 Distributed Systems: Security
Eliminating a single point of failure
– Denial of service protection (robustness)
Eliminating a single point of trust
– What if your boss is malicious?
If we want to reap the benefits of distributed system designs, we have to take care of the “maybes” on the previous slides
How?

6 Distributed Systems: Privacy
Local system – local information
Distributed system – more access to potentially private information
Privacy vs. authentication
Sometimes privacy is not a security requirement, sometimes it is
Are there other potential security requirements related to privacy?

7 Questions?

8 (Security) Problems with networking
Many different systems
– LANs, WANs, WLANs
– Routers and switches
– VLANs
– Firewalls, gateways, VPNs
Lots of work to configure independently
Enforcement at different layers
– Each needs different security considerations

9 Layering (OSI 7-Layer Model)
Data link
Network
Transport
– Lowest-level end-to-end protocol
– Header generated by the sender is interpreted only by the destination
– Routers treat the transport header as part of the payload
Application
[Figure: two end hosts, each with Application, Transport, Network, Data Link and Physical layers, connected through a router that implements only the Network, Data Link and Physical layers; only the transport layer and above run end to end]

10 Security goals
Strict admission control
Topology hiding (why?)
Link-layer enforcement (below IP)
– Less likely to unintentionally allow access
Single trusted component
Simple management
Simple and fast revocation
Compare to Kerberos…

11 Potential solutions
Self-configuring systems
– Difficult to determine “correct” protection without administrator intervention
Gossiping security devices
– Translations between rule-sets
SANE uses a centralized infrastructure
– Access control database
– Automated rule generation and device programming

12 The SANE approach
Domain controller (DC) provides
– Authentication service
– Network service directory (NSD)
– Protection layer controller
Least-privilege approach (for the enterprise)
Capability-based routing
SANE protocol header sits right after the Ethernet header
IP addresses are used for wide-area traffic and ignored locally

13 Initialization/authentication

14 All roads lead to the DC
DC is the root of a minimum spanning tree (MST)
– Switches are the other nodes
– Communication using distance vector (DV), like Ethernet
Switches don’t learn the network topology – they only see their neighbors in the tree
– Can they misbehave in order to observe the topology?

15 DC: Bootstrapping topology info
Communicate with the nearest switches
Compute shared keys
Receive topology updates
Repeat with the next switch layer
Construct tree communication capabilities
What can go wrong?

16 Protection layer controller
Capability provider
Maintains a global network view to compute routes
Processes link-state updates from authenticated switches
Dynamically reprograms switches
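Added illustration (not SANE's code, and not from the slides): a toy protection-layer controller that accepts link-state updates only from switches it shares a key with (keys assumed to have been established during the layer-by-layer bootstrap on the previous slide), rejects forgeries and replays, builds the global view, computes the DC-rooted tree, and computes the routes that would be turned into capabilities. The "both endpoints must report a link" rule is an added sanity check against a switch inventing links, not something the slides attribute to SANE; the node names, sequence numbers and update format are constructed for the example.

```python
import hashlib
import hmac
import json
from collections import deque


class Controller:
    """Toy protection-layer controller (added example, not SANE's code).

    switch_keys: switch name -> key shared with the DC (assumed to come from
    the bootstrap phase). dc_neighbors: switches directly attached to the DC.
    """

    def __init__(self, switch_keys, dc_neighbors):
        self.keys = dict(switch_keys)
        self.last_seq = {}                          # switch -> last accepted seq
        self.reported = {"DC": set(dc_neighbors)}   # node -> neighbors it reports

    @staticmethod
    def mac(key, switch, seq, neighbors):
        """HMAC over the update; this is what an authenticated switch attaches."""
        msg = json.dumps([switch, seq, sorted(neighbors)]).encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def accept_update(self, switch, seq, neighbors, tag):
        """Accept a link-state update only from a known switch, with a valid
        MAC and a strictly increasing sequence number (rejects replays)."""
        key = self.keys.get(switch)
        if key is None:
            return False
        if not hmac.compare_digest(tag, self.mac(key, switch, seq, neighbors)):
            return False
        if seq <= self.last_seq.get(switch, -1):
            return False
        self.last_seq[switch] = seq
        self.reported[switch] = set(neighbors)
        return True

    def confirmed_links(self):
        """Global view: a link counts only if both endpoints report it
        (added sanity check: one lying switch cannot insert a link)."""
        adj = {n: set() for n in self.reported}
        for a, nbrs in self.reported.items():
            for b in nbrs:
                if b in self.reported and a in self.reported[b]:
                    adj[a].add(b)
                    adj[b].add(a)
        return adj

    def _bfs(self, start):
        adj = self.confirmed_links()
        if start not in adj:
            return {}
        parent = {start: None}
        q = deque([start])
        while q:
            n = q.popleft()
            for m in sorted(adj[n]):
                if m not in parent:
                    parent[m] = n
                    q.append(m)
        return parent

    def spanning_tree(self):
        """Parent pointers of the tree rooted at the DC; DC-bound packets
        (DC requests, revocations) follow these pointers upward."""
        return self._bfs("DC")

    def route(self, src, dst):
        """Shortest switch path src..dst over confirmed links, or None.
        This is the path the DC would wrap into a capability."""
        parent = self._bfs(src)
        if dst not in parent:
            return None
        path = [dst]
        while path[-1] != src:
            path.append(parent[path[-1]])
        return path[::-1]


def demo():
    """Constructed scenario: three switches in a line behind the DC."""
    keys = {s: hashlib.sha256(b"bootstrap-" + s.encode()).digest()
            for s in ("S1", "S2", "S3")}
    dc = Controller(keys, dc_neighbors=["S1"])

    def send(sw, seq, nb, key):
        return dc.accept_update(sw, seq, nb, Controller.mac(key, sw, seq, nb))

    results = {
        "s1": send("S1", 1, ["DC", "S2"], keys["S1"]),
        "s2": send("S2", 1, ["S1", "S3"], keys["S2"]),
        "s3": send("S3", 1, ["S2", "S1"], keys["S3"]),   # S1 never confirms S3-S1
        "rogue": send("S9", 1, ["S2"], b"guessed-key"),  # unknown switch
        "replay": send("S1", 1, ["DC", "S2"], keys["S1"]),  # stale seq
        "forged": dc.accept_update("S2", 2, ["S1"], "00" * 32),  # bad MAC
    }
    return dc, results


if __name__ == "__main__":
    dc, r = demo()
    print(r, dc.route("S1", "S3"), dc.spanning_tree())
```

The update format and the "confirm from both ends" rule are the example's own; the point carried over from the slide is that the controller's global view is only as trustworthy as the authentication on the updates feeding it, and that replay protection is part of that.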

17 Types of packets
HELLO – discovery
– Never forwarded, no authentication
DC – capability (or revocation) request
– Forwarded only toward the DC; needs no routing capability
– Contains client authentication
FORWARD – data packets (the majority)
– Capability, capability ID, expiration
REVOKE
– Capability ID, expiration, DC signature

18 Source routing with capabilities
[Figure: host A sends to host B through switches S1, S2, S3; the capability is nested layer by layer, one layer per switch on the path (S1 outermost, then S2, then S3), around “B, data”]

19 What the switches do
DC packets, revocation requests
– Use the tree (MST) to send to the DC
FORWARD packets
– Check the capability for validity
  Semantically correct (valid MAC)
  Not expired
  Not revoked
– If valid, forward; otherwise discard

20 Capabilities
Require no payload
Onion-wrapped
Encrypted/MACed, with an IV to prevent topology inference
Principal names in the capability incorporate both identity and route (sanity checks)
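Added example covering slides 18, 19 and 20 together (not SANE's code and not from the slides): the DC builds an onion-wrapped source route, one layer per switch under that switch's key with a fresh IV and a MAC that also binds the capability ID and expiry, and each switch performs the slide-19 checks (valid MAC, not expired, not revoked) before peeling its layer and learning only the next hop. The cipher is a toy HMAC-SHA256 counter-mode keystream standing in for a real AEAD such as AES-GCM; the layer layout, name width and the `simulate` walker are the example's own assumptions.

```python
import hashlib
import hmac
import os
import struct

NAME_LEN = 8    # fixed-width principal name inside each layer (assumed)
IV_LEN = 16
TAG_LEN = 16


def _name(s: str) -> bytes:
    b = s.encode()
    if len(b) > NAME_LEN:
        raise ValueError("name too long")
    return b.ljust(NAME_LEN, b"\0")


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy stream cipher; a real
    implementation would use an AEAD (e.g. AES-GCM) for each layer."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


def _hdr(cap_id: int, expiry: int) -> bytes:
    """Cleartext FORWARD header fields bound into every layer's MAC."""
    return struct.pack(">QQ", cap_id, expiry)


def build_capability(dc_keys, switches, dest, cap_id, expiry):
    """DC side: wrap from the last switch outwards. Each layer is
    encrypted and MACed under one switch's key with a fresh random IV;
    its plaintext is (next hop, remaining onion)."""
    inner = b""
    for i in range(len(switches) - 1, -1, -1):
        key = dc_keys[switches[i]]
        next_hop = switches[i + 1] if i + 1 < len(switches) else dest
        pt = _name(next_hop) + inner
        iv = os.urandom(IV_LEN)
        ct = _xor(pt, _keystream(key, iv, len(pt)))
        tag = _tag(key, _hdr(cap_id, expiry) + iv + ct)
        inner = iv + tag + ct
    return inner


def switch_forward(key, cap_id, expiry, onion, revoked, now):
    """Switch side: the checks from slide 19. Returns (next_hop, inner
    onion) to forward, or None to discard."""
    if cap_id in revoked:
        return None                     # revoked
    if now >= expiry:
        return None                     # expired
    if len(onion) < IV_LEN + TAG_LEN + NAME_LEN:
        return None                     # malformed
    iv, tag, ct = onion[:IV_LEN], onion[IV_LEN:IV_LEN + TAG_LEN], onion[IV_LEN + TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, _hdr(cap_id, expiry) + iv + ct)):
        return None                     # bad MAC: tampered, or not this switch's layer
    pt = _xor(ct, _keystream(key, iv, len(ct)))
    return pt[:NAME_LEN].rstrip(b"\0").decode(), pt[NAME_LEN:]


def simulate(switch_keys, first_hop, dest, cap_id, expiry, onion, revoked, now):
    """Walk the packet hop by hop using only what each peeled layer reveals.
    Returns (delivered, hops traversed)."""
    hops, current = [], first_hop
    for _ in range(len(switch_keys) + 1):
        if current == dest:
            return True, hops + [dest]
        if current not in switch_keys:
            return False, hops
        res = switch_forward(switch_keys[current], cap_id, expiry, onion, revoked, now)
        if res is None:
            return False, hops
        hops.append(current)
        current, onion = res
    return False, hops


if __name__ == "__main__":
    keys = {s: os.urandom(32) for s in ("S1", "S2", "S3")}
    cap = build_capability(keys, ["S1", "S2", "S3"], "B", cap_id=7, expiry=1000)
    print(simulate(keys, "S1", "B", 7, 1000, cap, revoked=set(), now=500))
```

Because the cleartext capability ID and expiry are inside each layer's MAC, a switch cannot be tricked by swapping those fields on a captured packet, and because each layer is under a different switch key, S2 cannot peel S1's layer to see further along the path; the random IV per layer means two capabilities for the same route look unrelated on the wire.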

21 Backward compatibility
Incoming and outgoing translation proxies
Capabilities are strictly richer than the IP infrastructure
– Include naming and addressing; can be translated seamlessly by correct software
UPnP-like broadcast must be handled by the DC
– Increased load!

22 Tolerating horribleness
What if a server “fails”? A switch? A gateway?
The DC?
– Multiple DCs with multiple spanning trees
– Byzantine consensus may be problematic in practice
The physical network fabric?
– Trees are fragile!
Lots of recent work on centralized management controllers

23 Performance
Tested using real network traces
DC can handle a typical enterprise network load using a desktop box
– Multi-DC configuration untested
  O(n²) coordination messages may be a nasty surprise
Switches need to be modified
– Software-based forwarding almost impossible
– Hardware-based crypto not easily upgradeable
– Specific requirements unclear

24 Benefits
Easier upgrades (may seem counter-intuitive)
Host [anti-]mobility
Transparent traffic rerouting
– Logging
– Transformation (SSL, VPN)
Capabilities improve attack resistance
Built-in DoS resistance via revocation push-back
– No coordination issues like Internet-wide schemes

25 Drawbacks
Centralization can come back to bite you
– Byzantine consensus can be costly
Switches need to be updated
Incremental deployment requires “translator” devices
– “4D” features better incremental deployability
If you find this paper interesting I would strongly suggest reading “4D” (http://portal.acm.org/citation.cfm?id=1096536.1096541)

26 Questions?
Reading discussion

