Seraphim : A Security Architecture for Active Networks

Slides:



Advertisements
Similar presentations
Internet Protocol Security (IP Sec)
Advertisements

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
NS-H /11041 Attacks. NS-H /11042 The Definition Security is a state of well-being of information and infrastructures in which the possibility.
1 © 2004, Cisco Systems, Inc. All rights reserved IP Telephony Security Cisco Systems.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.
Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Edward Tsai – CS 239 – Spring 2003 Strong Security for Active Networks CS 239 – Network Security Edward Tsai Tuesday, May 13, 2003.
A Secure Network Access Protocol (SNAP) A. F. Al Shahri, D. G. Smith and J. M. Irvine Proceedings of the Eighth IEEE International Symposium on Computers.
Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Introduction (Pendahuluan)  Information Security.
Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.
Wireless Network Security. Wireless Security Overview concerns for wireless security are similar to those found in a wired environment concerns for wireless.
Cryptography and Network Security
Eng. Wafaa Kanakri Second Semester 1435 CRYPTOGRAPHY & NETWORK SECURITY Chapter 1:Introduction Eng. Wafaa Kanakri UMM AL-QURA UNIVERSITY
1 22 August 2001 The Security Architecture of the M&M Mobile Agent Framework P. Marques, N. Santos, L. Silva, J. Silva CISUC, University of Coimbra, Portugal.
© Oxford University Press 2011 DISTRIBUTED COMPUTING Sunita Mahajan Sunita Mahajan, Principal, Institute of Computer Science, MET League of Colleges, Mumbai.
PRESENTED BY P. PRAVEEN Roll No: 1009 – 11 – NETWORK SECURITY M.C.A III Year II Sem.
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
1 University of Palestine Information Security Principles ITGD 2202 Ms. Eman Alajrami 2 nd Semester
. 1. Computer Security Concepts 2. The OSI Security Architecture 3. Security Attacks 4. Security Services 5. Security Mechanisms 6. A Model for Network.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
1 Chapter 1 – Background Computer Security T/ Tyseer Alsamany - Computer Security.
Topic 1 – Introduction Huiqun Yu Information Security Principles & Applications.
Lecture 24 Wireless Network Security
Microsoft ISA Server 2000 Presented by Ricardo Diaz Ryan Fansa.
Cherubim Dynamic Security System Roy Campbell and Denny Mickunas Tin Qian, Vijay Raghavan, Tim Fraser, Chuck Willis, Zhaoyu Liu Department of Computer.
Need for Security Control access to servicesControl access to services Ensure confidentialityEnsure confidentiality Guard against attacksGuard against.
Cryptography and Network Security Chapter 1. Background  Information Security requirements have changed in recent times  traditionally provided by physical.
M2M Service Layer – DM Server Security Group Name: OMA-BBF-oneM2M Adhoc Source: Timothy Carey, Meeting Date:
SECURITY REQUIREMENTS AND MANAGEMENT: Presentation By: Guillermo Dijk.
Csci5233 Computer Security1 Bishop: Chapter 14 Representing Identity.
@Yuan Xue CS 285 Network Security Placement of Security Function and Security Service Yuan Xue Fall 2013.
IPv6 Security Issues Georgios Koutepas, NTUA IPv6 Technology and Advanced Services Oct.19, 2004.
Presented by Edith Ngai MPhil Term 3 Presentation
IPSec Detailed Description and VPN
CompTIA Security+ Study Guide (SY0-401)
IPSecurity.
Grid Computing Security Mechanisms: the state-of-the-art
Intrusion Tolerant Architectures
Working at a Small-to-Medium Business or ISP – Chapter 8
Mobile Networking (I) CS 395T - Mobile Computing and Wireless Networks
Grid Security.
SECURING NETWORK TRAFFIC WITH IPSEC
IT443 – Network Security Administration Instructor: Bo Sheng
Module 8: Securing Network Traffic by Using IPSec and Certificates
Firewall – Survey Purpose of a Firewall Characteristic of a firewall
Understanding the OSI Reference Model
Security in Networking
CompTIA Security+ Study Guide (SY0-401)
Message Digest Cryptographic checksum One-way function Relevance
امنیت شبکه علی فانیان
NAAS 2.0 Features and Enhancements
Virtual Private Networks
draft-ipdvb-sec-01.txt ULE Security Requirements
Cryptography and Network Security
Security Of Wireless Sensor Networks
Security.
Module 8: Securing Network Traffic by Using IPSec and Certificates
Introduction to Network Security
Security of Wireless Sensor Networks
DISTRIBUTED SYSTEMS Principles and Paradigms Second Edition ANDREW S
Advanced Computer Networks
A lighttwiht reconfigurable security mechanism for 3G/4G mobile devices 2019/7/1 A Lightweight reconfigurable security mechanism for 3G/4G mobile devices.
Cryptography and Network Security
Presentation transcript:

Seraphim : A Security Architecture for Active Networks University of Illinois at Urbana-Champaign

Motivation Active Network is a radical approach to provide programmability in the network Dynamic nature of Active Network needs dynamic security architecture as one of the crucial requirements 9/21/2018

Seraphim Threat Model Malicious attacks against the active packets? Unauthorized access to NodeOS resources Attacks against the privacy and integrity of communication Denial of Service 9/21/2018

Seraphim Features Access Control for the NodeOS resources using Security Guardian with Dynamic Policy and Active Capability Security API for secure communication DDoS Prevention Pluggable Architecture 9/21/2018

Access Control All accesses to NodeOS resources go through the Security Guardian Access control policies are written in the context of Policy Framework Active Capability is used as the carrier of the access control policy 9/21/2018

OS Primitives, Interfaces Dynamic Policy Supports several security policies and provides dynamic transition between them DDAC DAC MAC RBAC OS Primitives, Interfaces 9/21/2018

NodeOS Security API EE NodeOS Authentication Authorization Security Services PAM API GAA API GSS API X.509, Password-based, Kerberos, SESAME, Etc. Active Capability, PolicyMaker, ACL Etc. JCE, Kerberos, SESAME, Etc. Public Key API Security Guardian X.509 PKI NodeOS Dynamic Policy Framework RFC 2510 9/21/2018

DDoS Prevention - BARMAN 9/21/2018

DDOS Prevention BARMAN – Bandwidth Authorization and Resource Management in Active Networks Dynamic protocol solution – triggered by bandwidth flooding Threshold value based on processor and link characteristics Bandwidth Certification for Attack Detection Hierarchical traceback with dynamic accounting state Co-operative dynamic recovery using active filtering 9/21/2018

Threshold Computation Static Phase of Protocol Threshold Value Computed by trusted entity e.g., administrator Packet rate that can be safely processed by receiver (server or active router) without getting DOSed Accommodate for emergency control channel Secure Session Establishment 9/21/2018

Bandwidth Certification Dynamic Phase of Protocol Triggered by Threshold violation Sender certifies hop-to-hop bandwidth Certificate for Authorization of Bandwidth : Small fixed length certificate, fixed options, cryptographic protection using fast encryption or hardware. Prevents link spoofing, man-in-the-middle and replay attacks Layered authentication technique 9/21/2018

Traceback Flow Classification and Aggregation based on eventual destination of capsule Direct host, same subnet, foreign subnet Flow characterization – real-time statistics collection vs. attack-triggered Characterization used to implement hierarchical traceback with dynamic state 9/21/2018

Dynamic Traceback (0,0,X) AS 3 AS 2 (0,X,-) (0,X,0) (X,0,-) AS 4 (0,0,-) 9/21/2018

Dynamic Recovery Traceback as far back as possible using secure control messages Reconstruct attack based on collected statistics Dynamically filter on sender for misbehaving flows simultaneously 9/21/2018

Pluggable Architecture 9/21/2018

Pluggable Architecture Seraphim is designed as a pluggable architecture Originally developed for restructured version of ANTS Currently, Seraphim is integrated with Bowman 9/21/2018

Security Guardian (JNI, JVM) Integration Overview CANEs API I2 I1 U CANEs EE User A-Flow Policy Administrator GUI CANEs Signaling A-Flow Security Guardian (JNI, JVM) Policy Server System Thread Bowman NodeOS Host OS 9/21/2018

Integration Features Provides access control for signaling messages Dynamic flow control at active routers by dynamic policy framework Use JNI to plug Java-based Seraphim architecture into C-based CANEs/Bowman 9/21/2018

Demo Contributions Access control for the CANES signaling mechanism Dynamic control of AER flows Prevention of bandwidth clogging DDoS attacks 9/21/2018

Demo Details - CANES Signaling 9/21/2018

Demo Details – AER flows 9/21/2018

Demo Details - BARMAN 9/21/2018

Conclusion Seraphim is dynamic, extensible, flexible, and reconfigurable security architecture which meets the requirements for Active Networks 9/21/2018

Future Research Possibilities Interoperability between different security domains using role translation Risk model for Active Networks Automated response against intrusions 9/21/2018

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.