Copyright 2005 NTT Information Sharing Platform Labs

[Slide 1] Safe and Secure Ubiquitous Communication
Jan. 27, 2005
Atsuhiro GOTO
Information Sharing Platform Laboratories
Nippon Telegraph and Telephone Corporation (NTT)
[Slide 2] Safe & Secure vs. Easy & Simple
“DVR attacked Web Server”, Sept. 2004
How do we cope with both Safe & Secure and Easy & Simple in a consumer appliance network?
Two topics:
– A new remotely configurable firewall system for home-use gateways
– A detachable IPsec device for a secure consumer communication platform, “IPsec-Proxy technology”
[Slide 3] Easy access to the home network
Diagram: the Internet joins the home network, behind the home gateway (HGW), to users outside the home.
Where users connect from:
– From school/office
– From a friend’s house
– From a relative’s house
– From outside home: from a hot spot / from an Internet cafe
What they want to do:
– Watch your children, pet, plants etc. while away from home
– Listen to music stored on home servers
– Share digital photos with relatives
– Share digital photos of an event among group members
– Search and download documents stored on home servers
Access control: access permitted for parents; access permitted for family members; access permitted for friends; unauthorized access is denied.
Goal: location-free, device-free, secure and convenient access to the contents or devices at home.
[Slide 4] What options do we have now?
VPN? (e.g. L2TP, IPsec, SSL-VPN etc.)
– Complex configuration, for both server and client
– Client-software dependent; may require software installation
– High-cost appliances, mainly used in business
Reverse proxy or application server?
– FW/NAT problems
– Vendor dependency
Static firewall configuration?
– Either the port is opened to people all over the Internet, or only a statically specified client is permitted to access
– Configuration is still too complex for end-users: IP addresses, port numbers, NAT rules…
We want a simpler and easier way…
[Slide 5] Our solution: a new security gateway
– On-demand creation of source-address-based firewall/NAT rules
– Simplified configuration procedure for the access policy settings of network appliances
Diagram: a user outside (office, friend’s house, Internet café, etc.) authenticates to the security gateway over SSL; communication originated from the authenticated IP address is temporarily permitted into the home network, while an attacker on the Internet is denied (denial of unauthorized access).
The gateway consists of (1) a configuration supporting system, which holds an access policy for each device built from UPnP-based simple policy configuration, and (2) a dynamic firewall system.
[Slide 6] Security gateway architecture
Diagram: the configuration supporting system and the dynamic FW system sit between I/F1 (home network, with the NW appliances) and I/F2 (Internet, with the user from outside). The appliances register with the gateway over UPnP; the outside user sends data access requests through SSL and the FW; templates and ACLs connect the two systems, alongside other home gateway functions and policy settings.
On-demand creation of firewall/NAT rules
– Creates source-address-based firewall/NAT rules so that a port is never opened to everyone
– Multiple rules can be applied to a single port
Universal Plug and Play (UPnP) based configuration
– Creates templates for firewall/NAT rules from the UPnP requests issued by network appliances
– Also creates user-name-based ACLs
– Templates and ACLs are used by the dynamic firewall system
[Slide 7] Photo demo (the demo system)
Diagram: the home (security gateway, TV with web browser, network camera) and the friend’s house (friend’s PC) are joined by a pseudo-Internet (a hub).
[Slide 8] Connecting a device
1. Connect a new UPnP-enabled network camera.
2. UPnP negotiation takes place between the camera and the gateway.
3. The gateway does not open the port immediately; it only creates firewall/NAT policy templates.
   Ex) TCP:80, IP address: 192.168.0.21
Diagram: security gateway and UPnP-enabled NW camera.
[Slide 9] Editing ACL
You can optionally configure per-user ACLs using a web browser (ex. a browser embedded in a TV).
Check boxes represent each user’s access right to the network appliance.
[Slide 10] FW control from outside - accessing home from a friend’s PC -
Access the security gateway with any web browser. User authentication over an SSL session is required.
Main page of the security gateway: each circle icon represents a set of firewall policies and ACLs for the corresponding appliance.
[Slide 11] Activating policy
Clicking on an icon activates the policy.
A red icon represents an activated appliance (e.g. ports are opened for the user’s PC).
[Slide 12] Accessing home network
Once the firewall is opened for the user, you can access the home network appliance using an appropriate client (ex. a web browser).
Activation remains valid until the user deactivates the policy or the main window is closed (e.g. the SSL session is destroyed).
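The sequence of slides 8 to 12 (UPnP request recorded as a template, per-user ACL, authentication from outside, activation, and automatic teardown when the session ends) is simulated below as an added example; this is not NTT's code, and the class and method names, the password check standing in for SSL authentication, and the addresses are all constructed for illustration. The slides do not show the real gateway's UPnP or web interfaces.

```python
"""Simulation of the slide 5-12 security gateway (added example, not NTT's code).

Everything here is an assumption for illustration: PortTemplate, SecurityGateway,
the password check that stands in for the SSL login, and the sample addresses.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
import itertools


@dataclass(frozen=True)
class PortTemplate:
    """Rule template recorded from a UPnP request (slide 8): the gateway remembers
    protocol, port and the appliance's address but opens nothing yet."""
    appliance: str
    proto: str
    port: int
    internal_ip: str


@dataclass
class Session:
    user: str
    src_ip: str                                    # the authenticated client's address
    active: Set[str] = field(default_factory=set)  # appliances opened for this session


class SecurityGateway:
    def __init__(self, users: Dict[str, str]):
        self._users = users                        # user -> password (constructed)
        self._templates: Dict[str, PortTemplate] = {}
        self._acl: Dict[str, Set[str]] = {}        # appliance -> users allowed (slide 9)
        self._sessions: Dict[int, Session] = {}
        # Active rules, one per (session, appliance): (src_ip, proto, port, dst_ip).
        # Several entries may share a port; they differ only in the permitted source.
        self._rules: List[Tuple[str, str, int, str]] = []
        self._ids = itertools.count(1)

    # slide 8: the UPnP request becomes a template, not an open port
    def upnp_add_port_mapping(self, appliance: str, proto: str, port: int, internal_ip: str):
        self._templates[appliance] = PortTemplate(appliance, proto, port, internal_ip)
        self._acl.setdefault(appliance, set())

    # slide 9: the check boxes, one per user and appliance
    def set_acl(self, appliance: str, user: str, allowed: bool):
        if allowed:
            self._acl[appliance].add(user)
        else:
            self._acl[appliance].discard(user)

    # slide 10: login from outside binds the session to the client's source address
    def login(self, user: str, password: str, src_ip: str) -> Optional[int]:
        if self._users.get(user) != password:
            return None
        sid = next(self._ids)
        self._sessions[sid] = Session(user, src_ip)
        return sid

    # slide 11: clicking an icon opens the port for this session's source address only
    def activate(self, sid: int, appliance: str) -> bool:
        s, t = self._sessions.get(sid), self._templates.get(appliance)
        if s is None or t is None or s.user not in self._acl[appliance]:
            return False
        self._rules.append((s.src_ip, t.proto, t.port, t.internal_ip))
        s.active.add(appliance)
        return True

    def deactivate(self, sid: int, appliance: str):
        s = self._sessions.get(sid)
        if s and appliance in s.active:
            t = self._templates[appliance]
            self._rules.remove((s.src_ip, t.proto, t.port, t.internal_ip))
            s.active.discard(appliance)

    # slide 12: closing the window ends the session and withdraws all of its rules
    def logout(self, sid: int):
        s = self._sessions.pop(sid, None)
        if s:
            for appliance in list(s.active):
                t = self._templates[appliance]
                self._rules.remove((s.src_ip, t.proto, t.port, t.internal_ip))

    # the packet filter: source-address based, default deny
    def allows(self, src_ip: str, proto: str, port: int, dst_ip: str) -> bool:
        return (src_ip, proto, port, dst_ip) in self._rules


def demo():
    """Walk through the demo system: camera at home, parent on a friend's PC."""
    gw = SecurityGateway({"dad": "constructed-pw"})
    gw.upnp_add_port_mapping("camera", "TCP", 80, "192.168.0.21")   # slide 8 values
    before = gw.allows("198.51.100.5", "TCP", 80, "192.168.0.21")   # nothing open yet
    gw.set_acl("camera", "dad", True)
    sid = gw.login("dad", "constructed-pw", "198.51.100.5")        # friend's PC
    gw.activate(sid, "camera")
    during = gw.allows("198.51.100.5", "TCP", 80, "192.168.0.21")
    attacker = gw.allows("192.0.2.99", "TCP", 80, "192.168.0.21")   # same port, other source
    gw.logout(sid)
    after = gw.allows("198.51.100.5", "TCP", 80, "192.168.0.21")
    return before, during, attacker, after


if __name__ == "__main__":
    print(demo())  # (False, True, False, False)
```

The filter never carries a rule without a source address, which is the property slide 6 states: opening port 80 for the parent's current address does not open it for the attacker, and closing the browser (logout) removes the rule again.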
[Slide 13] Secure Network for Consumer Appliances
Consumer appliance network
– Easy-to-use = plug-and-play
Secure network
– Protected against sniffing, falsification, spoofing and attacks
Diagram: the insecure network of today (current), where an eavesdropper can watch the consumer appliances, versus the secure network (goal), where each consumer appliance is protected by an easy-to-use secure device.
[Slide 14] Approach: plug-and-play secure protection
(○ good, △ fair, × poor)

Where to place the protection:
  feature          | in the router | in the wire | in the stack
  Simplicity       |       △       |      ○      |      ×
  Cost             |       ×       |      △      |      ○
  Controllability  |       ○       |      △      |      ×
  ⇒ in the wire: an IPsec bridge

Which protocol to use:
  feature          | SSL/TLS | IPsec | L2sec
  Encryption       |    ○    |   ○   |   ×
  Authentication   |    ○    |   △   |   △
  Versatility      |    ×    |   ○   |   ○
  ⇒ IPsec: an IPsec bridge
[Slide 15] IPsec-Proxy Technology
A unique IPsec implementation:
– Bump in the wire
– Not IP addressable
Arrangement (diagram):
– Current: the appliance (with IPsec) runs application, OS, IPsec and network device itself, has an IP address, and talks to the Internet over secure communication.
– New: the appliance (without IPsec) runs only application, OS and network device; IPsec is outsourced to an IPsec-Proxy adapter (an IP bridge) that has no IP address. Communication between the appliance and the adapter is clear; from the adapter to the Internet it is secure.
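An added example, not NTT's code, of what the bump-in-the-wire arrangement on this slide means at packet level, using the transport mode that the wrap-up (slide 17) names: the adapter rewrites each packet in place, so the appliance's own IP header, and with it the appliance's address, stays on the wire and the adapter needs none of its own. It uses ESP framing (RFC 4303) with the null cipher (RFC 2410) and a truncated HMAC-SHA256 integrity check (RFC 4868) so that it runs on the Python standard library; a real adapter would add encryption and IKE-derived keys. The key, SPI, addresses and payload are constructed.

```python
"""ESP transport mode on a 'bump in the wire' adapter (added example, not NTT's code).

Models the IPsec-Proxy adapter of slides 15 and 17: it sits on the cable in front of an
appliance that has no IPsec stack. Transport mode keeps the appliance's own IP header,
so the adapter needs no IP address. Framing follows RFC 4303 with the null cipher of
RFC 2410 and HMAC-SHA256-128 (RFC 4868) so it runs on the standard library alone; the
key, SPI and addresses below are constructed, and a real adapter would add encryption.
"""
import hashlib
import hmac
import socket
import struct

ESP_PROTO = 50
ICV_LEN = 16  # 128-bit truncated HMAC tag


def ipv4_checksum(header):
    """One's-complement checksum over an IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ident=1):
    """Minimal IPv4 packet as the appliance emits it: no options, TTL 64."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def _rewrite_header(hdr, proto, total_len):
    """Change only protocol, total length and checksum; src/dst stay as they are."""
    hdr = (hdr[:2] + struct.pack("!H", total_len) + hdr[4:9] + bytes([proto])
           + b"\x00\x00" + hdr[12:])
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def esp_encapsulate(packet, spi, seq, key):
    """Outbound direction: wrap the transport payload in ESP, keep the IP header."""
    ihl = (packet[0] & 0x0F) * 4
    hdr, payload, next_hdr = packet[:ihl], packet[ihl:], packet[9]
    pad_len = (-(len(payload) + 2)) % 4  # trailer must end on a 4-byte boundary
    body = (struct.pack("!II", spi, seq) + payload
            + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr]))
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return _rewrite_header(hdr, ESP_PROTO, ihl + len(body) + ICV_LEN) + body + icv


def esp_decapsulate(packet, spi, key, state):
    """Inbound direction: verify ICV, SPI and sequence, then restore the clear packet.
    state['last_seq'] is the highest accepted sequence number (a minimal anti-replay
    check; RFC 4303 uses a sliding window). Returns None when the packet is dropped."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != ESP_PROTO or len(packet) < ihl + 8 + 2 + ICV_LEN:
        return None
    hdr, body, icv = packet[:ihl], packet[ihl:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return None  # modified or forged on the wire
    rx_spi, seq = struct.unpack("!II", body[:8])
    if rx_spi != spi or seq <= state.get("last_seq", 0):
        return None  # wrong SA, or a replayed packet
    state["last_seq"] = seq
    pad_len, next_hdr = body[-2], body[-1]
    payload = body[8:len(body) - 2 - pad_len]
    return _rewrite_header(hdr, next_hdr, ihl + len(payload)) + payload


def demo():
    """Appliance 192.168.0.21 (the camera address from slide 8) talks to a peer."""
    key = b"constructed-demo-key-do-not-reuse"  # a real SA key comes from IKE
    clear = build_ipv4("192.168.0.21", "203.0.113.7", 6, b"GET / HTTP/1.0\r\n\r\n")
    wire = esp_encapsulate(clear, spi=0x1001, seq=1, key=key)
    state = {}
    restored = esp_decapsulate(wire, 0x1001, key, state)
    flip = len(wire) - ICV_LEN - 3  # a payload byte inside the authenticated span
    tampered = wire[:flip] + bytes([wire[flip] ^ 0x01]) + wire[flip + 1:]
    return {
        "round_trip": restored == clear,
        "wire_proto": wire[9],                          # 50 = ESP
        "addresses_kept": wire[12:20] == clear[12:20],  # no adapter address appears
        "tampered_dropped": esp_decapsulate(tampered, 0x1001, key, {}) is None,
        "replay_dropped": esp_decapsulate(wire, 0x1001, key, state) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The contrast with tunnel mode is the point of the "non IP addressable" claim: tunnel mode would prepend a new outer IP header carrying the adapter's address, and the adapter would then have to own one; in transport mode the only header changes are the protocol number, length and checksum.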
[Slide 16] Prototype and Experiment
IPsec-Proxy (Prototype A), connected to the Internet:
– 3.5 inch; Ethernet port; serial port for debugging; CF card slot
– CPU: 133 MHz (486 compatible)
– MEM: 32 MB
– Ethernet: 10Base-T
[Slide 17] Wrap-up
How do we cope with both Safe & Secure and Easy & Simple in a consumer appliance network?
Two topics:
– A new remotely configurable firewall system for home-use gateways: easy to set up, and ports are opened/closed dynamically
– True plug-and-play “IPsec-Proxy technology” for a secure consumer communication platform: “non IP addressable”, “transport mode (not tunnel mode)”