Securing Nomads: The Case For Quarantine, Examination, Decontamination Kevin Eustice, Shane Markstrum, V. Ramakrishna, Dr. Peter Reiher, Dr. Leonard Kleinrock,


Securing Nomads: The Case For Quarantine, Examination, Decontamination
Kevin Eustice, Shane Markstrum, V. Ramakrishna, Dr. Peter Reiher, Dr. Leonard Kleinrock, Dr. Gerald Popek
Laboratory for Advanced Systems Research, UCLA Computer Science
Annual Computer Security Applications Conference 2003

In a Nutshell
Problem summary
– Networks do little to monitor or control entry
– Exploited or vulnerable nomadic devices freely move around
– Other devices may victimize or fall victim to these devices
A proposed model: QED
– Quarantine devices upon entrance
– Examine devices as required by environment
– Decontaminate devices to repair or update
Introduction – Challenges – The Paradigm – Conclusion

New Trends In Nomadicity
Users:
– Frequently change networks, taking their devices with them
– Carry misconfigured and vulnerable software with them from locale to locale
– Pick up electronic hitchhikers (viruses, malicious agents, other malcode) from other nomads they encounter

Local Café Scenario: nomadic Blaster propagation (diagram: Bob, Alice, Carol, Xavier)

Bob’s Office Scenario: nomadic Blaster propagation (diagram: Worker, Bob)

Traditional Security Ignores Nomadic Devices
Wireless focus has been on better
– Authentication
– Encryption
Wired and wireless devices promiscuously enter and leave networks
– Little accountability in existing paradigm
– Reactive security, not proactive

Life will only get worse…
Pervasive Computing is coming
Pervasive paradigm implies many more attack vectors and potential attackers
Abundant confidential and important personal information
Some possibilities:
– Trojan horses in consumer electronics
– PDA-carried viruses
– Wireless parasites

Characteristics of the Environment
Many, many affected users and devices
Heterogeneous OS/application space
Dynamic, often short-lived network membership
Mostly benevolent but non-technical users
Minimal system administration available
Where do we go from here?

Bob’s Office QED (diagram: Bob, Worker)
Quarantine device upon entry into network, and authenticate.
Examine device for vulnerabilities or undesirable services.
Decontaminate: work with device to repair vulnerabilities!

Quarantine
Typically, there are two immediate types of desired quarantine:
Isolation from outside world
– Many networks partially do this
– Often imperfectly
Isolation from peers
– Few networks do this
– Just as important

Quarantine
Some mechanisms to quarantine devices include:
Routing restrictions at gateway
Voluntary isolation by device
DENY firewall rules on peers
MAC address-based forwarding restrictions in Access Point
Quarantine wireless network outside firewall

Examination
Many possible alternatives:
Software package analysis
Network profiling
Configuration analysis
File checksum examination
Virus scan

Decontamination
Assist device in complying with local policy:
Work with device to fix problems
Update software packages, configurations
Ask device to disable certain services while in this network, etc.

Work in Progress: QED Prototype

UCLA CS Scenario: QED Prototype design
(diagram labels: Client, Security Manager, Worker nodes, IPsec tunnels, Authenticated DHCP w/IPsec key insertion, RPM Examination, Package Update)
Default drop rules on Worker nodes have already isolated them from the untrusted Client.
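An added example, not code from the QED prototype or the paper: a Python sketch of the examination and decontamination decision a security manager like the one on the prototype slide could make, checking an RPM package list (in `rpm -qa` query-format output) and the device's listening services against a local policy. The device report, package names, version thresholds and forbidden-service list are all constructed here.

```python
import re

# Constructed examination report from a nomadic device, in the shape of
# `rpm -qa --queryformat '%{NAME} %{VERSION} %{RELEASE}\n'` output.
DEVICE_RPMS = """\
openssh 3.4 p1
sendmail 8.12.8 1
samba 2.2.8 1
"""
# Constructed: services the device reports as listening.
DEVICE_SERVICES = ["sshd", "sendmail", "smbd"]

# Hypothetical local policy (values are constructed, not from the paper):
# minimum acceptable package versions and services that must be off here.
POLICY_MIN_VERSION = {"openssh": "3.6.1", "sendmail": "8.12.9", "samba": "2.2.8"}
POLICY_FORBIDDEN_SERVICES = {"smbd", "sendmail"}


def _segments(version):
    """Split an RPM version string into its numeric and alphabetic runs."""
    return re.findall(r"\d+|[a-zA-Z]+", version)


def rpmvercmp(a, b):
    """Simplified rpm version compare (no epoch handling): segment by segment,
    numeric beats alphabetic, longer wins on a tie. Returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def examine(rpm_report, services, min_versions, forbidden):
    """Examination step: check the device report against local policy and
    return the decontamination work required before it leaves quarantine."""
    installed = {}
    for line in rpm_report.splitlines():
        name, version, _release = line.split()
        installed[name] = version
    outdated = [n for n, v in min_versions.items()
                if n in installed and rpmvercmp(installed[n], v) < 0]
    running_forbidden = [s for s in services if s in forbidden]
    return {"update": outdated,            # packages the device must update
            "disable": running_forbidden,  # services to turn off while here
            "admit": not outdated and not running_forbidden}
```

A real deployment would take the report over the authenticated channel set up at DHCP time and re-run `examine` after the package update to confirm the device may leave quarantine.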

Open Issues
Overhead management
Privacy
Leveraging trust relationships
Heterogeneity

Big Picture
QED is a component of Panoply, UCLA’s pervasive computing project
We think QED is a step towards more secure pervasive environments

Conclusions
Existing security mechanisms are insufficient for the emerging pervasive computing paradigm
Security needs to be proactive
QED is the first system to address these issues

References
For more info: Contact:
Kevin Eustice, Leonard Kleinrock, Shane Markstrum, Gerald Popek, Venkatraman Ramakrishna, Peter Reiher. “Enabling Secure Ubiquitous Interactions”. In the proceedings of the 1st International Workshop on Middleware for Pervasive and Ad-Hoc Computing.
Kevin Eustice, Leonard Kleinrock, Shane Markstrum, Gerald Popek, Venkatraman Ramakrishna, Peter Reiher. “Wi-Fi Nomads: The Case for Quarantine, Examination and Decontamination”. To appear in the proceedings of the New Security Paradigms Workshop 2003.