Class 11: Enterprise Network Protection
CIS 755: Advanced Computer Security, Spring 2014
Eugene Vasserman
http://www.cis.ksu.edu/~eyv/CIS755_S14/
Administrative stuff
• Exam I on March 25th
• Don’t accidentally come to class next week :)
• I’ll be here, but no fixed office hours:
– Email if you need to see me
– Or stop by if my door is open (it usually is)
Distributed Systems: Definition
• “A system of multiple communicating entities performing a coordinated function”
• “A system where a computer that you’ve never heard of, located somewhere you’ve never been, can cause your computer to stop functioning correctly”
– Humorous paraphrase of Lamport
Distributed Systems: Why?
• Increased robustness (maybe)
– Eliminating single point of failure
• Resource sharing
– e.g. Beocat
– e.g. a mobile device and a server
• Improved scalability (maybe)
– e.g. Beocat
Distributed Systems: Security
• Eliminating a single point of failure
– Denial of service protection (robustness)
• Eliminating a single point of trust
– What if your boss is malicious?
• If we want to reap benefits of distributed system designs, we have to take care of the “maybes” in previous slides
• How?
Distributed Systems: Privacy
• Local system – local information
• Distributed system – more access to potentially private information
• Privacy vs. authentication
• Sometimes privacy is not a security requirement, sometimes it is
• Are there other potential security requirements related to privacy?
Questions?
(Security) Problems with networking
• Many different systems
– LANs, WANs, WLANs
– Routers and switches
– VLANs
– Firewalls, gateways, VPNs
• Lots of work to configure independently
• Enforcement at different layers
– Each needs different security considerations
Layering (OSI 7-Layer Model)
• Data link
• Network
• Transport
– Lowest level end-to-end protocol
– Header generated by sender is interpreted only by the destination
– Routers treat transport header as part of the payload
• Application
(Figure: two end-host protocol stacks (Application, Transport, Network, Data Link, Physical) connected through a router that implements only the Network, Data Link and Physical layers.)
Security goals
• Strict admission control
• Topology hiding (why?)
• Link-layer enforcement (below IP)
– Less likely to unintentionally allow access
• Single trusted component
• Simple management
• Simple and fast revocation
Compare to Kerberos…
Potential solutions
• Self-configuring systems
– Difficult to determine “correct” protection without administrator intervention
• Gossiping security devices
– Translations between rule-sets
• SANE uses a centralized infrastructure
– Access control database
– Automated rule generation and device programming
The SANE approach
• Domain controller provides
– Authentication service
– Network service directory (NSD)
– Protection layer controller
• Least-privilege approach (for enterprise)
• Capability-based routing
• SANE protocol header right after Ethernet
• IPs used for wide-area, ignored locally
Initialization/authentication
All roads lead to the DC
• DC is root of minimum spanning tree (MST)
– Switches are the other nodes
– Communication using distance vector (DV)
• Like Ethernet
• Switches don’t learn network topology – they only see their neighbors in the tree
– Can they misbehave in order to observe topology?
DC: Bootstrapping topology info
• Communicate with nearest switches
• Compute shared keys
• Receive topology updates
• Repeat with next switch layer
• Construct tree communication capabilities
• What can go wrong?
Protection layer controller
• Capability provider
• Maintains global network view to compute routes
• Processes link state updates from authenticated switches
• Dynamically reprograms switches
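The layer-by-layer bootstrap from the two slides above, written out as an added example (not code from the slides or from the SANE paper): the DC establishes a key with each switch it can reach, accepts a link-state update only if that switch authenticates it, and then repeats one layer further out. The topology, the provisioned switch secrets and the HMAC-based key derivation (standing in for whatever key agreement the real protocol uses) are constructed assumptions; X is a switch the DC holds no secret for, so its update is ignored and it never joins the tree.

```python
import hashlib, hmac, os

# Constructed topology for the example (not from the paper): who each node claims as neighbours.
LINKS = {"DC": {"S1", "S2"}, "S1": {"DC", "S3"}, "S2": {"DC", "S3"},
         "S3": {"S1", "S2", "X"}, "X": {"S3"}}          # X: switch with no provisioned secret
# Long-term secrets provisioned on legitimate switches (constructed); the DC knows all of them.
SECRETS = {"S1": b"secret-s1", "S2": b"secret-s2", "S3": b"secret-s3"}

def derive_key(secret, nonce):
    # Per-session DC<->switch key; an HMAC-based KDF stands in for a real key agreement.
    return hmac.new(secret, b"sane-session" + nonce, hashlib.sha256).digest()

def _update_msg(switch, neighbours):
    return switch.encode() + b"|" + ",".join(sorted(neighbours)).encode()

def switch_report(switch, nonce):
    """Switch side: a link-state update tagged with the session key.
    A switch without a secret cannot produce a valid tag, only junk."""
    if switch not in SECRETS:
        return switch, LINKS[switch], b"\0" * 32
    key = derive_key(SECRETS[switch], nonce)
    return switch, LINKS[switch], hmac.new(key, _update_msg(switch, LINKS[switch]), hashlib.sha256).digest()

def bootstrap(rng=os.urandom):
    """DC side: expand the tree one switch layer at a time, keeping only authenticated updates.
    Returns (parent map of the spanning tree, per-switch session keys)."""
    parents, keys, frontier = {"DC": None}, {}, ["DC"]
    while frontier:
        nxt = []
        for node in frontier:
            for nb in sorted(LINKS[node] - set(parents)):     # candidates one layer further out
                nonce = rng(16)
                _, reported, tag = switch_report(nb, nonce)
                if nb not in SECRETS:
                    continue                                  # no shared key: cannot join
                key = derive_key(SECRETS[nb], nonce)
                if not hmac.compare_digest(tag, hmac.new(key, _update_msg(nb, reported), hashlib.sha256).digest()):
                    continue                                  # forged or replayed update: ignored
                parents[nb], keys[nb] = node, key
                nxt.append(nb)
        frontier = nxt
    return parents, keys
```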
Types of packets
• HELLO – discovery
– Never forwarded, no authentication
• DC – capability (or revocation) request
– Forwarded just to DC if no routing capability
– Contains client authentication
• FORWARD – data packets (majority)
– Capability, capability ID, expiration
• REVOKE
– Capability ID, expiration, DC signature
Source routing with capabilities
(Figure: host A sends a packet labelled “B, data” along the capability route S1 → S2 → S3 to host B.)
What the switches do
• DC packets, revocation requests
– Use tree (MST) to send to DC
• FORWARD packets
– Check capability for validity
• Semantically correct (valid MAC)
• Not expired
• Not revoked
– If valid, forward, otherwise discard
Capabilities
• Require no payload
• Onion-wrapped
• Encrypted/MACed
• IV to prevent topology inference
• Principal names in capability incorporate both identity and route (sanity checks)
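An added example, not code from the slides or the SANE paper, of how the capability checks on the last two slides fit together: the DC onion-wraps one encrypted and MACed layer per switch on the route, and each switch can verify and peel only its own layer (valid MAC, not expired, not revoked) before forwarding what remains. The layer format, key sizes, switch keys and the HMAC-keystream encryption are constructed assumptions; the signature check on REVOKE packets is left out and revocation is modelled as a set of pushed capability IDs.

```python
import hashlib, hmac, os, struct

# Constructed example, not SANE's real wire format: the DC shares one symmetric key per switch.
SWITCH_KEYS = {"S1": b"k1" * 8, "S2": b"k2" * 8, "S3": b"k3" * 8}
REVOKED = set()   # capability IDs the DC has pushed out in REVOKE packets

def _keystream(key, iv, n):
    # HMAC-derived keystream: encrypting each layer hides the rest of the route from earlier hops.
    out = b"".join(hmac.new(key, iv + struct.pack(">I", c), hashlib.sha256).digest()
                   for c in range(0, n, 32))
    return out[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def issue_capability(route, dest, cap_id, expiry, ivgen=os.urandom):
    """DC side: wrap the innermost layer (last switch) first, so route[0] peels the outermost one.
    Each layer = fresh IV || MAC(IV || ct) || ct, keyed for exactly one switch."""
    blob = b""
    for switch, next_hop in reversed(list(zip(route, route[1:] + [dest]))):
        inner = struct.pack(">8sIQ", next_hop.encode(), cap_id, expiry) + blob
        key, iv = SWITCH_KEYS[switch], ivgen(8)
        ct = _xor(inner, _keystream(key, iv, len(inner)))
        blob = iv + hmac.new(key, iv + ct, hashlib.sha256).digest()[:16] + ct
    return blob

def switch_forward(switch, blob, now):
    """Switch side: the three checks from the slide (valid MAC, not expired, not revoked).
    Returns (next_hop, remaining_capability), or None meaning 'discard'."""
    key = SWITCH_KEYS[switch]
    iv, tag, ct = blob[:8], blob[8:24], blob[24:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()[:16]):
        return None                                   # not semantically correct
    inner = _xor(ct, _keystream(key, iv, len(ct)))
    next_hop, cap_id, expiry = struct.unpack(">8sIQ", inner[:20])
    if now >= expiry or cap_id in REVOKED:
        return None                                   # expired or revoked
    return next_hop.rstrip(b"\0").decode(), inner[20:]

def deliver(route, blob, now):
    """Drive a FORWARD packet hop by hop; returns the endpoint reached, or None if any hop discards."""
    hop = route[0]
    while hop in SWITCH_KEYS:
        step = switch_forward(hop, blob, now)
        if step is None:
            return None
        hop, blob = step
    return hop
```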
Backward compatibility
• Incoming and outgoing translation proxies
• Capabilities are strictly richer than IP infrastructure
– Includes naming and addressing; can be translated seamlessly by correct software
• UPnP-like broadcast must be handled by DC
– Increased load!
Tolerating horribleness
• What if a server “fails”?
• A switch?
• A gateway?
• The DC?
– Multiple DCs with multiple spanning trees
– Byzantine consensus may be problematic in practice
• The physical network fabric?
– Trees are fragile!
• Lots of recent work on centralized management controllers
Performance
• Tested using real network traces
• DC can handle typical enterprise network load using a desktop box
– Multi-DC configuration untested
• O(n²) coordination messages may be a nasty surprise
• Switches need to be modified
– Software-based forwarding almost impossible
– Hardware-based crypto not easily upgradeable
– Specific requirements unclear
Benefits
• Easier upgrades (may seem counter-intuitive)
• Host [anti-]mobility
• Transparent traffic rerouting
– Logging
– Transformation
• SSL, VPN
• Capabilities improve attack resistance
• Built-in DoS resistance via revocation push-back
– No coordination issues like Internet-wide schemes
Drawbacks
• Centralization can come back to bite you
– Byzantine consensus can be costly
• Switches need to be updated
• Incremental deployment requires “translator” devices
– “4D” features better incremental deployability
If you find this paper interesting I would strongly suggest reading “4D”
(http://portal.acm.org/citation.cfm?id=1096536.1096541)
Questions?
Reading discussion