Brief-out: Isolation Working Group Topic discussion leader: Ken Birman.

Isolation
- Right now we have firewalls, VPNs, networks that are physically disjoint
- Question: Could we invent some new architectural abstraction to make it easier to isolate a subnet and yet have it also be part of the larger Internet?
- Success enables a federation of subnets: a hierarchy of domains operated using distinct policies and perhaps even incompatible technologies

Basic Understanding
- Isolation has boundary, physical and even application-level ramifications
- This recognition leads us to a multi-edged goal
  – Even in current networks, we need new and more flexible options for isolating systems and resources from undesired influences
  – We are also seeing emerging needs to isolate subnets for purposes such as security, QoS, sensitive data, special AUPs, etc. Existing options (like firewalls) are inadequate
- In the limit, a kind of multiverse with multiple side-by-side networks connected by controlled tunnels

Value proposition
- Fault-containment seen as an irresistible draw for many potential enterprise users
  – Such users would also benefit from improved options for specifying desired management policy
  – Value may be measurable by enumerating cases where lack of isolation technology resulted in costly failures
- Potentially huge new opportunity for QoS and multimedia-enabled applications frustrated by current IP networks, which have poor isolation
  – Microsoft has invested billions on such applications…

Research Challenges
1. How to express, store and implement properties of networks and applications, specify desired policy, verify that policy is being adhered to
2. Composition and tunneling between otherwise isolated subnets
3. Network admission control policies for isolated subsystems, with the usual issues of authentication, authorization, enforcement…
4. Are there unimplementable forms of isolation?
5. Are there forms of isolation that can only be supported on bare-bones hardware (as opposed to overlays on existing IP networks)?

Research Challenges
6. What sorts of client-side or O/S mechanisms are required in support of a new generation of networks offering isolation for network traffic?
7. What are the ramifications of isolation in hosts and infrastructure components? The network is not just wires
8. Could we improve the behavior of wireless networks to improve isolation (in the sense of fair sharing, security, non-interference)?
9. Isolation evokes a future world of hierarchical administration, provisioning, administration tools… how to build these?

Research Challenges (cont)
11. How to strike an appropriate balance between the need for trust, authorization, resource control and management, and enforcement of scoped AUPs
12. Isolation could be a powerful architectural tool for those who design and manage networks today. But we lack the needed architectural abstractions and need to invent them
13. Can a system offering interesting isolation properties scale as well as the Internet does? (Would it need to? Perhaps isolated subnetworks are usually more limited in scope and more homogeneous…)

Research Challenges (cont)
14. Are there automated ways to discover and assemble policy information in a decentralized world where each scope might define its own policies?
15. How would one implement exception handling in a hierarchical world where isolated subnetworks might view the same event in different ways (your exception is my bread-and-butter)?
16. Theory of isolation: formally characterize the conditions under which isolation is compatible with sharing resources (recall that isolation is trivial if we don't share anything…)

Can it be done?
- The question is too broad: it depends what "isolation" means
- We concluded that at least some of these goals can definitely be achieved
- Even an architectural building block would represent a valuable step forward
- Need to separate the concept of isolation from the question of what those isolated subnets might be doing; one can imagine many behaviors subnets could possibly implement

Enablers for Progress, Partnering
- Two technical enablers:
  – Need a standard way to partition traffic and route relevant traffic (only) into the appropriate subset
  – Possible O/S requirement: might VMMs be required for an O/S to enable isolation in multi-homed setups?
- NSF GENI initiative seen as very promising; could bring a community together with a focus on this issue (if this issue emerges as a key priority)
- Industry/academic partnership: could try to articulate the value proposition in ways that will motivate government to act…
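One concrete reading of challenges 1 and 2 and of the first technical enabler, added here as an illustration rather than anything the working group produced: each domain in the hierarchy declares what may cross its own boundary (a scoped AUP), the tunnels between domains are exactly those declared crossings, and an audit verifies that observed flows adhere to the policy. The domain names, rules and flows are constructed sample data.

```python
"""Scoped isolation-policy checker, added to illustrate the brief-out's hierarchy
of domains joined by controlled tunnels (challenges 1 and 2). Every domain is
default-deny; a flow passes only if each boundary it crosses permits it.
All domains, rules and flows are constructed sample data."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str    # originating domain
    dst: str    # receiving domain
    dport: int  # destination port

class IsolationPolicy:
    def __init__(self, parents, rules):
        self.parents = parents  # domain -> enclosing domain (root maps to None)
        self.rules = rules      # domain -> {"egress": ports out, "ingress": ports in}

    def path(self, domain):
        # root-to-leaf chain of enclosing domains, e.g. ['internet', 'campus', 'lab']
        chain = []
        while domain is not None:
            chain.append(domain)
            domain = self.parents[domain]
        return chain[::-1]

    def boundaries(self, flow):
        """(domains exited, domains entered), each in crossing order."""
        src, dst = self.path(flow.src), self.path(flow.dst)
        k = 0
        while k < min(len(src), len(dst)) and src[k] == dst[k]:
            k += 1
        return src[k:][::-1], dst[k:]

    def allowed(self, flow):
        def ok(domain, direction):  # a missing rule means the boundary is closed
            return flow.dport in self.rules.get(domain, {}).get(direction, set())
        exited, entered = self.boundaries(flow)
        return all(ok(d, "egress") for d in exited) and all(ok(d, "ingress") for d in entered)

    def audit(self, flows):
        """Observed flows that violate the declared isolation policy."""
        return [f for f in flows if not self.allowed(f)]

PARENTS = {"internet": None, "campus": "internet", "lab": "campus",  # constructed
           "scada": "campus", "partner": "internet"}                  # hierarchy
RULES = {"campus": {"egress": {80, 443}}, "lab": {"egress": {80, 443, 502}},
         "scada": {"ingress": {502}}, "partner": {"ingress": {443}}}
POLICY = IsolationPolicy(PARENTS, RULES)
SAMPLE_FLOWS = [Flow("lab", "partner", 443), Flow("lab", "scada", 502),  # constructed
                Flow("partner", "scada", 502), Flow("lab", "scada", 22)]  # observations
```

`POLICY.audit(SAMPLE_FLOWS)` flags the last two flows: the partner domain declares no egress at all, and the lab's egress rule does not cover port 22 even though the scada domain sits in the same campus.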

Conclusions
- Our breakout group believes this topic is quite promising
- It would be hard to do, but seems feasible
- Has ramifications in many dimensions
- Impact of success could be very significant