Security Architectures and Advanced Networks
Ken Klingenstein
Day Job: Middleware; Night Job: Network Security
Slide 2: Security Topics
- EDUCAUSE/Internet2 Security Task Force
  - Effective Practices
  - I2 resource commitments
- REN-ISAC
- Security at Line Speed workshop
- SALSA: a steering group for advanced network/security technologies
- Federated security services
  - Collaborative incident analysis
  - New security-aware capabilities
- Going forward

Slide 3: EDUCAUSE/Internet2 Security Task Force
- Overarching umbrella for a variety of coordinated security activities
- Activities include education and awareness, policy, technologies, etc.
- Two important recent activities:
  - Effective Practices
  - NSF Security at Line Speed Workshop

Slide 4: Security at Line Speed Workshop 2003
- NSF-sponsored workshop, in conjunction with Indiana University, Internet2, the Massachusetts Institute of Technology and the University of Washington
- 1.5-day workshop, held in Chicago, Illinois, August 2003
- Extensive on-line follow-up discussion to refine and recover
- White paper is at

Slide 5: By "Line Speed", we really mean...
- High bandwidth
- Exceptionally low latency, e.g. remote instrument control
- End-to-end transparency, e.g. Grids
- Exceptionally low jitter, e.g. real-time interactive HDTV
- Advanced features, e.g. multicast

Slide 6: Security topics
- Information leakage: access to data by unauthorized parties
- Integrity violation: destruction, modification, or falsification of data
- Illegitimate use: access to resources (processing cycles, storage or network) by unauthorized users
- Denial of service: preventing legitimate users from accessing resources

Slide 7: Security x High Performance
- Difficulty in realizing performance in end-to-end high-bandwidth connections
- Difficulty in deploying and using videoconferencing
- Difficulty in deploying grids
- Limited remote instrument control use
- Lack of scalable approaches
- Inability to identify what's broken
- Things not broken but just incompatible

Slide 8: Environmental Scan: Requirements of R&E
- Cyberdiversity of machines and instruments on the net
- Mobility requirements of machines
- Mobility requirements of users
- Highly distributed network management
- Distinctive privacy and security needs as public and academic institutions
- Inter-institutional collaborations predominate and create exceptional wide-area needs
- Widespread needs and limited resources preclude expensive point solutions
- A university is a federation of hundreds of disparate and autonomous businesses

Slide 9: Tradeoffs
- Host versus border security
- Deny/allow versus allow/deny approaches
- Unauthenticated versus authenticated network access
- Central versus end-user management
- Server-centric versus client-centric
- False positives versus zero-day attacks
- Organizational priorities between security and performance
- Perimeter protection versus user/staff confusion

Slide 10: Trends
- More aggressive and frequent attacks, resulting in:
  - Desktop lockdowns and scanning
  - New limits at the perimeter
  - Increased tunneling and VPNs
  - More isolation approaches, straining the top of the desk
  - Hosts as clients only
- Changes in technology:
  - Rise of encryption
  - New attack vectors, such as P2P
  - Higher speeds make for more expensive middleboxen
  - Convergence of technology forces
- New policy drivers:
  - DHS, RIAA, etc.
  - LCD (lowest common denominator) solutions to hold down costs

Slide 11: General Findings
- First, and foremost, this is getting a lot harder
- 2003 seems to mark a couple of turning points:
  - New levels of stress
  - Necessary but doomed approaches
- High-performance security is approached by a set of specific tools that are assembled by applying general architectural principles to local conditions
- The concept of the network perimeter is changing; desktop software limits security and performance options
- There are interactions with the emerging middleware layer that should be explored
- Tool integration is an overarching problem
- We are entering diagnostic hell

Slide 12: The Tool Matrix
- For a variety of network- and host-based security tools, the matrix records:
  - Role in prevention/detection/reaction/analysis
  - Description
  - General issues
  - Performance implications
  - Operational impacts
- Network tools include host scanning, MAC registration, VLANs, encrypted VPNs and/or Layer 3 VPNs, firewalls, source address verification, port mirroring, etc.
- Host tools include host-based encryption, local firewalls, host-based intrusion detection/prevention, secure OS, automated patching systems, etc.
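Source address verification is the one network tool in the matrix whose logic fits in a few lines, so here is an added example of it (hypothetical code written for this page, not from the workshop or any router vendor). It models per-interface anti-spoofing at a campus border: a packet is forwarded only if its source address can legitimately appear on the interface it arrived on. Interface names, prefixes and the sample traffic are all constructed.

```python
"""Source address verification (ingress filtering) at a campus border.

Added example; hypothetical code. Internal interfaces may only originate the
prefixes assigned behind them (a compromised host cannot spoof an outside or a
neighbouring department's address); the uplink may carry anything except campus
addresses (an outsider cannot pose as an insider to address-based trust).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrived on
    src: str       # source address as text
    dst: str       # destination address as text


# Constructed topology: prefixes assigned to the subnets behind each interface.
INTERFACE_PREFIXES: Dict[str, List] = {
    "eth1": [ip_network("192.0.2.0/24")],                                   # department A
    "eth2": [ip_network("198.51.100.0/25"), ip_network("2001:db8:1::/48")],  # department B
}
UPLINK = "uplink"   # connection to the gigapop / commodity Internet
CAMPUS_PREFIXES = [p for plist in INTERFACE_PREFIXES.values() for p in plist]


def verify_source(pkt: Packet) -> Tuple[bool, str]:
    """Return (forward?, reason) for one packet."""
    src = ip_address(pkt.src)  # IPv4 or IPv6; 'in' on a network of the other family is False
    if pkt.ingress == UPLINK:
        if any(src in p for p in CAMPUS_PREFIXES):
            return False, "campus address arriving from outside"
        return True, "external source on uplink"
    allowed = INTERFACE_PREFIXES.get(pkt.ingress)
    if allowed is None:
        return False, "unknown ingress interface"   # fail closed on unconfigured ports
    if any(src in p for p in allowed):
        return True, "source matches interface prefix"
    return False, "source not assigned to ingress interface"


def filter_packets(packets: List[Packet]) -> Tuple[List[Packet], List[Tuple[Packet, str]]]:
    """Split traffic into forwarded packets and (dropped packet, reason) pairs."""
    forwarded, dropped = [], []
    for pkt in packets:
        ok, reason = verify_source(pkt)
        if ok:
            forwarded.append(pkt)
        else:
            dropped.append((pkt, reason))
    return forwarded, dropped


# Constructed sample traffic using documentation address ranges.
SAMPLE_PACKETS = [
    Packet("eth1", "192.0.2.17", "203.0.113.9"),        # legitimate, department A
    Packet("eth1", "203.0.113.44", "192.0.2.1"),        # inside host spoofing an outside address
    Packet("eth1", "198.51.100.5", "203.0.113.9"),      # department A host spoofing department B
    Packet("eth2", "2001:db8:1::10", "2001:db8:f::1"),  # legitimate IPv6, department B
    Packet("uplink", "203.0.113.44", "192.0.2.17"),     # legitimate inbound
    Packet("uplink", "192.0.2.200", "192.0.2.17"),      # outsider spoofing a campus host
    Packet("eth9", "192.0.2.17", "203.0.113.9"),        # interface with no configured prefixes
]

if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE_PACKETS)
    for p in fwd:
        print("FORWARD", p.ingress, p.src, "->", p.dst)
    for p, why in drp:
        print("DROP   ", p.ingress, p.src, "->", p.dst, f"({why})")
```

The performance implication the matrix asks about shows up here as one longest-prefix lookup per packet on the ingress interface, which is why in practice the check is pushed into the forwarding hardware rather than a middlebox.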

Slide 13: The Architectural Frameworks
- The virtual perimeter: a mix of perimeter defenses, careful subnetting, and desktop firewalls
- Open and closed networks
- Separation of internal and external servers (e.g. SMTP servers, routers, etc.)
- Managed and unmanaged desktops
- Client versus client/server desktop orientation
- Types of authenticated network access control

Slide 14: Local Factors
- Size of class B address space
- Local fiber plant
- Medical school
- Geographic distribution of departments on campuses
- Distance to gigapops
- Policy authority of central IT
- Desktop diversity
- ...

Slide 15: Case Studies/Examples
- Generic academic case
- Novel academic alternative
- LBL and Bro
- Lightly authenticated wireless network
- Denial of service protection
- Network auditing at CMU

Slide 16: Case Study Structure
- Background and intro
- Alternative approaches and selected implementation
- Pros and cons:
  - Specifics on attack vectors
  - Ramifications on advanced computing, etc.

Slide 17: SALSA Overview
- Technical steering committee composed of senior campus security architects
  - Create understanding in the community regarding the multiple aspects of security as it applies to advanced networking
  - Advise on deliverables that address the needs of members and produce tangible benefits
- Prioritizing opportunities and identifying resources
  - Focused activities
  - Interested in R&D security topics that can be smoothly transitioned to deployment
  - Intended to complement other activities in the Internet2/EDUCAUSE Security Task Force

Slide 18: Membership
- Chair: Mark Poepping, CMU
- Founding members drawn from the Security at Line Speed Workshop, e.g. Jeff Schiller (MIT), Terry Gray (UW), Jim Pepin (USC), Doug Pearson (Indiana), Chris Misra (UMass), Steve Wallace (Indiana), Rodney Petersen (EDUCAUSE), James Sankar (UKERNA), etc.
- Working on a charter
- Minutes, etc. at

Slide 19: Possible SALSA Priorities
- Developing core security architecture:
  - Common campus network reference model
  - Common R&E internet network reference model
  - Nomenclature and architecture
- Additional case studies, and revisiting the basics
- Increase data collection, sharing and integration between security researchers and backbone activities
- Network authentication/authorization
- Federated security services and capabilities

Slide 20: Data Sharing
- Assemble knowledge, experience and tools to identify useful security data to be directed towards a comprehensive, operational security solution
- Identify associated privacy issues
- Working with REN-ISAC on plan, process and structure to share data:
  - Data guidelines
  - Information exchange frameworks
  - Sharing agreements
  - Escalation process
- Increase integration and sharing between security researchers and network backbone activities (e.g., diagnostics, Abilene Observatory)

Slide 21: Network AuthN/AuthZ
- Identify areas where middleware technologies can support intra- and inter-realm security
- Network access controls may depend on:
  - The identity of the user
  - The identity of the device
  - The state of the device (scanned, patched, etc.)
  - The role of the user
  - Other
- Initiating organized activities to develop network authentication and authorization architectures and sample implementations, including responding to the TERENA mobility TF
- ngn13/ _JR_GN2_JRA5.pdf
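The four inputs the slide lists (user identity, device identity, device state, user role) are exactly what a network access policy point has to combine, and the interesting part is the order in which it combines them. The following is an added example of such a policy point, hypothetical code written for this page rather than anything from SALSA or a campus deployment. The placement names (guest, quarantine, staff-net, student-net), the role names and the 30-day patch threshold are assumptions.

```python
"""Network access decision from user, device, posture and role attributes.

Added example; hypothetical policy code. The decision is evaluated in order of
increasing trust and fails closed: an unknown patch age is treated as unpatched,
and an authenticated user whose role grants nothing is denied rather than
dropped onto a default network.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: Optional[str]            # authenticated principal, None if not authenticated
    role: Optional[str]            # role asserted by the identity provider (assumed names)
    device_registered: bool        # device identity known (MAC or certificate registration)
    scanned_clean: bool            # most recent host scan found nothing
    patch_age_days: Optional[int]  # days since last patch cycle, None if unknown


MAX_PATCH_AGE_DAYS = 30          # assumed posture threshold
ROLE_PLACEMENT = {               # assumed role -> network mapping
    "staff": "staff-net",
    "student": "student-net",
}


def device_posture_ok(req: AccessRequest) -> bool:
    """Healthy only if scanned clean AND patched recently enough.

    A missing patch age fails the check: absence of evidence is not health."""
    return (req.scanned_clean
            and req.patch_age_days is not None
            and req.patch_age_days <= MAX_PATCH_AGE_DAYS)


def decide(req: AccessRequest) -> Tuple[str, str]:
    """Return (placement, reason); the reason is what goes in the audit log.

    1. No user identity          -> guest network (lightly authenticated access)
    2. User but unknown device   -> guest network, no internal resources
    3. Known device, bad state   -> quarantine network (patch and scan servers only)
    4. Healthy device with role  -> role-specific network
    5. Healthy device, no role   -> deny
    """
    if req.user is None:
        return "guest", "unauthenticated user"
    if not req.device_registered:
        return "guest", f"{req.user}: unregistered device"
    if not device_posture_ok(req):
        return "quarantine", f"{req.user}: device fails posture check"
    placement = ROLE_PLACEMENT.get(req.role or "")
    if placement is None:
        return "deny", f"{req.user}: no placement for role {req.role!r}"
    return placement, f"{req.user}: healthy registered device, role {req.role}"


# Constructed requests covering each branch.
SAMPLE_REQUESTS = [
    AccessRequest(None, None, False, False, None),
    AccessRequest("alice", "staff", False, True, 3),
    AccessRequest("alice", "staff", True, True, None),
    AccessRequest("alice", "staff", True, False, 3),
    AccessRequest("alice", "staff", True, True, 3),
    AccessRequest("bob", "student", True, True, 30),
    AccessRequest("carol", "visitor", True, True, 1),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        placement, reason = decide(req)
        print(f"{placement:<11} {reason}")
```

Note that identity alone never yields more than guest placement here; it is the device posture, which the slide lists as a separate input, that unlocks the internal networks. Swapping the order of steps 2 and 3 would let an unregistered but clean device onto a role network, which is the kind of policy bug the explicit ordering is meant to make visible.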

Slide 22: Federated Security Services
- Federated networks
  - Share a common network substrate
  - Share a common trust fabric
  - Together they could permit...
- Collaborative incident analysis and response
  - Network-wide views
  - Leveraged diagnostic help
  - Ability for automated tools to use distributed monitors
  - Protect privacy at several layers
- Security-aware capabilities
  - Trust-moderated transparency
  - Integrated security/performance diagnostics
- Moving it into the broader Internet

Slide 23: Collaborative Incident Analysis
- Moving beyond the "border" to see network-wide views:
  - I'm seeing activity X. Are others seeing it? What variants are they seeing?
  - Real-time attack recognition
  - From the central observatory, let me see the full address of the attacking node at site Y in the federation
  - I'm seeing an attack ostensibly from source address Z at enterprise Y. Let me look at logging within site Y to verify
  - Correlate signatures and traffic among sites A to Z to provide an early-warning system for DDoS
  - Let external experts from site Z examine our forensic information to assist our diagnostics
- Requires a federated backbone (meters, log files, etc.) and a federated trust fabric (for scaling, role-based access control, contact info, etc.)

Slide 24: Collaborative incident analysis (continued)
- Scaling requires managing large data sets:
  - Centralized: the Abilene Observatory, perhaps others
  - Distributed: at a per-enterprise level
- Which in turn requires a clear data model:
  - Common event records, likely distilled and reformatted from native logs
  - Is enterprise-level security sufficient?
- And also pluggable modules for harvesting records by tools
- Tools
- And also a trust fabric that permits multiple levels of authentication and fine-grained authorization
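The two slides above describe a pipeline: native logs at each site are distilled into common event records, the records are correlated across sites to catch a source hitting many members at once, and privacy is protected along the way. The following added example (hypothetical code written for this page, not from Internet2, the Abilene Observatory or REN-ISAC) does all three in miniature. The two log formats, the field names, the shared HMAC key, the thresholds and the sample lines are constructed.

```python
"""Common event records and cross-site correlation for a federation.

Added example; hypothetical code. Each site runs its own native log through a
pluggable parser, producing a common record in which the source address has
been replaced by a keyed hash. Sites sharing the key produce equal tokens for
equal addresses, so the observatory can correlate without ever seeing raw
addresses; only the site holding the original log can map a token back.
"""
import hashlib
import hmac
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

FEDERATION_KEY = b"constructed-shared-key"   # assumed: agreed out of band by the members
MIN_SITES = 3                                # distinct sites needed to raise an early warning
WINDOW_SECONDS = 300                         # sightings must fall inside one window


@dataclass(frozen=True)
class Event:
    """Common event record: the only thing a site exports to the observatory."""
    site: str
    ts: int          # epoch seconds
    src_token: str   # keyed hash of the source address
    dst_port: int
    action: str


def tokenise(addr: str) -> str:
    return hmac.new(FEDERATION_KEY, addr.encode(), hashlib.sha256).hexdigest()[:16]


# Constructed format 1: syslog-style firewall drops.
FW_RE = re.compile(r"^(?P<ts>\d+) fw DROP src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)$")


def parse_firewall(site: str, line: str) -> Optional[Event]:
    m = FW_RE.match(line)
    if not m:
        return None   # accepts and malformed lines are not exported
    return Event(site, int(m["ts"]), tokenise(m["src"]), int(m["dport"]), "drop")


# Constructed format 2: CSV flow export "ts,src,dst,dport,bytes".
def parse_flow_csv(site: str, line: str) -> Optional[Event]:
    parts = line.strip().split(",")
    if len(parts) != 5 or not parts[0].isdigit():
        return None   # header row or malformed line
    ts, src, _dst, dport, _nbytes = parts
    return Event(site, int(ts), tokenise(src), int(dport), "flow")


def normalise(site: str, lines: Iterable[str],
              parser: Callable[[str, str], Optional[Event]]) -> List[Event]:
    """Pluggable harvesting module: one parser per native format, same output record."""
    return [e for e in (parser(site, ln) for ln in lines) if e is not None]


def correlate(events: Iterable[Event], min_sites: int = MIN_SITES,
              window: int = WINDOW_SECONDS) -> Dict[str, List[str]]:
    """Return {src_token: sorted sites} for sources seen at >= min_sites sites within one window.

    A source probing many members at once is the federation-level signal that no
    single border can see on its own."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_src[e.src_token].append(e)
    alerts: Dict[str, List[str]] = {}
    for tok, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):           # slide a window from each sighting
            sites = {e.site for e in evs[i:] if e.ts - first.ts <= window}
            if len(sites) >= min_sites:
                alerts[tok] = sorted(sites)
                break
    return alerts


# Constructed logs from three members. 203.0.113.7 probes all three within 200 s;
# 203.0.113.50 is seen at two sites only; 203.0.113.99 hits all three but hours apart.
SITE_A_FW = [
    "1700000000 fw DROP src=203.0.113.7 dst=192.0.2.10 dport=53",
    "1700000005 fw DROP src=203.0.113.50 dst=192.0.2.11 dport=22",
    "1700000010 fw DROP src=203.0.113.99 dst=192.0.2.12 dport=80",
    "1700000011 fw ACCEPT src=192.0.2.50 dst=192.0.2.10 dport=443",
]
SITE_B_FLOWS = [
    "ts,src,dst,dport,bytes",
    "1700000100,203.0.113.7,198.51.100.20,53,512",
    "1700000120,203.0.113.50,198.51.100.21,22,80",
    "1700002010,203.0.113.99,198.51.100.22,80,100",
]
SITE_C_FW = [
    "1700000200 fw DROP src=203.0.113.7 dst=192.0.2.100 dport=53",
    "1700004010 fw DROP src=203.0.113.99 dst=192.0.2.101 dport=80",
]


def run_demo() -> Dict[str, List[str]]:
    events = (normalise("A", SITE_A_FW, parse_firewall)
              + normalise("B", SITE_B_FLOWS, parse_flow_csv)
              + normalise("C", SITE_C_FW, parse_firewall))
    return correlate(events)


if __name__ == "__main__":
    for tok, sites in run_demo().items():
        print(f"early warning: source token {tok} seen at sites {sites}")
```

The slide's "full address of the attacking node" request then becomes a second, authorized step: the observatory hands the token back to the site that produced it, and that site, under its own role-based access control, decides whether to reveal the address. Keyed hashing rather than plain SHA-256 matters because a plain hash of an IPv4 address can be inverted by enumerating the 2^32 possibilities.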

Slide 25: Federated Security-aware Capabilities
- Federated user network authentication for on-the-road science
- Control spam through federated verification of sending enterprises
- Tell me which firewall is dropping which service request
- Permit end-to-end videoconferencing through firewalls and NATs
- Allow enterprise-specific patching paradigms to coexist
- Create end-to-end transparency for use of Grids
- Personal firewall configuration based on authorization

Slide 26: Moving it into the broader Internet
- Picking approaches that are deployable and build on embedded bases
- Federated substrata among those on common backbones
- Interfederation issues: how hard will they be?
- International discrepancies in privacy
- International IdSPs: legalisms

Slide 27: Advancing Network Security
- An architecture instead of piece parts
  - Too many parts with too many interactions
  - Diagnostic hell and innovation ice age
  - Current approaches are doomed anyway...
- Federated services and possible market-making
  - Inter-institutional authn/z activities
  - Perhaps, with funding and trust, other federated security tools and services