Presentation is loading. Please wait.

Presentation is loading. Please wait.

Seraphim : A Security Architecture for Active Networks

Published byBarnaby McGee Modified over 6 years ago

Similar presentations

Presentation on theme: "Seraphim : A Security Architecture for Active Networks"— Presentation transcript:

1 Seraphim : A Security Architecture for Active Networks
University of Illinois at Urbana-Champaign

2 Motivation Active Network is a radical approach to provide programmability in the network Dynamic nature of Active Network needs dynamic security architecture as one of the crucial requirements 9/21/2018

3 Seraphim Threat Model Malicious attacks against the active packets?
Unauthorized access to NodeOS resources Attacks against the privacy and integrity of communication Denial of Service 9/21/2018

4 Seraphim Features Access Control for the NodeOS resources using Security Guardian with Dynamic Policy and Active Capability Security API for secure communication DDoS Prevention Pluggable Architecture 9/21/2018

5 Access Control All accesses to NodeOS resources go through the Security Guardian Access control policies are written in the context of Policy Framework Active Capability is used as the carrier of the access control policy 9/21/2018

6 OS Primitives, Interfaces
Dynamic Policy Supports several security policies and provides dynamic transition between them DDAC DAC MAC RBAC OS Primitives, Interfaces 9/21/2018

7 NodeOS Security API EE NodeOS Authentication Authorization
Security Services PAM API GAA API GSS API X.509, Password-based, Kerberos, SESAME, Etc. Active Capability, PolicyMaker, ACL Etc. JCE, Kerberos, SESAME, Etc. Public Key API Security Guardian X.509 PKI NodeOS Dynamic Policy Framework RFC 2510 9/21/2018

8 DDoS Prevention - BARMAN
9/21/2018

9 DDOS Prevention BARMAN – Bandwidth Authorization and Resource Management in Active Networks Dynamic protocol solution – triggered by bandwidth flooding Threshold value based on processor and link characteristics Bandwidth Certification for Attack Detection Hierarchical traceback with dynamic accounting state Co-operative dynamic recovery using active filtering 9/21/2018

10 Threshold Computation
Static Phase of Protocol Threshold Value Computed by trusted entity e.g., administrator Packet rate that can be safely processed by receiver (server or active router) without getting DOSed Accommodate for emergency control channel Secure Session Establishment 9/21/2018

11 Bandwidth Certification
Dynamic Phase of Protocol Triggered by Threshold violation Sender certifies hop-to-hop bandwidth Certificate for Authorization of Bandwidth : Small fixed length certificate, fixed options, cryptographic protection using fast encryption or hardware. Prevents link spoofing, man-in-the-middle and replay attacks Layered authentication technique 9/21/2018

12 Traceback Flow Classification and Aggregation based on eventual destination of capsule Direct host, same subnet, foreign subnet Flow characterization – real-time statistics collection vs. attack-triggered Characterization used to implement hierarchical traceback with dynamic state 9/21/2018

13 Dynamic Traceback (0,0,X) AS 3 AS 2 (0,X,-) (0,X,0) (X,0,-) AS 4
(0,0,-) 9/21/2018

14 Dynamic Recovery Traceback as far back as possible using secure control messages Reconstruct attack based on collected statistics Dynamically filter on sender for misbehaving flows simultaneously 9/21/2018

15 Pluggable Architecture
9/21/2018

16 Pluggable Architecture
Seraphim is designed as a pluggable architecture Originally developed for restructured version of ANTS Currently, Seraphim is integrated with Bowman 9/21/2018

17 Security Guardian (JNI, JVM)
Integration Overview CANEs API I2 I1 U CANEs EE User A-Flow Policy Administrator GUI CANEs Signaling A-Flow Security Guardian (JNI, JVM) Policy Server System Thread Bowman NodeOS Host OS 9/21/2018

18 Integration Features Provides access control for signaling messages
Dynamic flow control at active routers by dynamic policy framework Use JNI to plug Java-based Seraphim architecture into C-based CANEs/Bowman 9/21/2018

19 Demo Contributions Access control for the CANES signaling mechanism
Dynamic control of AER flows Prevention of bandwidth clogging DDoS attacks 9/21/2018

20 Demo Details - CANES Signaling
9/21/2018

21 Demo Details – AER flows
9/21/2018

22 Demo Details - BARMAN 9/21/2018

23 Conclusion Seraphim is dynamic, extensible, flexible, and reconfigurable security architecture which meets the requirements for Active Networks 9/21/2018

24 Future Research Possibilities
Interoperability between different security domains using role translation Risk model for Active Networks Automated response against intrusions 9/21/2018

Download ppt "Seraphim : A Security Architecture for Active Networks"

Similar presentations

Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, 2010. ICWCSC 2010. International.

Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
NS-H0503-02/11041 Attacks. NS-H0503-02/11042 The Definition Security is a state of well-being of information and infrastructures in which the possibility.

NS-H /11041 Attacks. NS-H /11042 The Definition Security is a state of well-being of information and infrastructures in which the possibility.
1 © 2004, Cisco Systems, Inc. All rights reserved IP Telephony Security Cisco Systems.

1 © 2004, Cisco Systems, Inc. All rights reserved IP Telephony Security Cisco Systems.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.

WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.
Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Edward Tsai – CS 239 – Spring 2003 Strong Security for Active Networks CS 239 – Network Security Edward Tsai Tuesday, May 13, 2003.

Edward Tsai – CS 239 – Spring 2003 Strong Security for Active Networks CS 239 – Network Security Edward Tsai Tuesday, May 13, 2003.
A Secure Network Access Protocol (SNAP) A. F. Al Shahri, D. G. Smith and J. M. Irvine Proceedings of the Eighth IEEE International Symposium on Computers.

A Secure Network Access Protocol (SNAP) A. F. Al Shahri, D. G. Smith and J. M. Irvine Proceedings of the Eighth IEEE International Symposium on Computers.
Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Introduction (Pendahuluan)  Information Security.

Introduction (Pendahuluan)  Information Security.
Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.

Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.
Wireless Network Security. Wireless Security Overview concerns for wireless security are similar to those found in a wired environment concerns for wireless.

Wireless Network Security. Wireless Security Overview concerns for wireless security are similar to those found in a wired environment concerns for wireless.
Cryptography and Network Security

Cryptography and Network Security
Eng. Wafaa Kanakri Second Semester 1435 CRYPTOGRAPHY & NETWORK SECURITY Chapter 1:Introduction Eng. Wafaa Kanakri UMM AL-QURA UNIVERSITY

Eng. Wafaa Kanakri Second Semester 1435 CRYPTOGRAPHY & NETWORK SECURITY Chapter 1:Introduction Eng. Wafaa Kanakri UMM AL-QURA UNIVERSITY
1 22 August 2001 The Security Architecture of the M&M Mobile Agent Framework P. Marques, N. Santos, L. Silva, J. Silva CISUC, University of Coimbra, Portugal.

1 22 August 2001 The Security Architecture of the M&M Mobile Agent Framework P. Marques, N. Santos, L. Silva, J. Silva CISUC, University of Coimbra, Portugal.
© Oxford University Press 2011 DISTRIBUTED COMPUTING Sunita Mahajan Sunita Mahajan, Principal, Institute of Computer Science, MET League of Colleges, Mumbai.

© Oxford University Press 2011 DISTRIBUTED COMPUTING Sunita Mahajan Sunita Mahajan, Principal, Institute of Computer Science, MET League of Colleges, Mumbai.

Similar presentations

Ads by Google