Presentation is loading. Please wait.

Presentation is loading. Please wait.

59th IETF Seoul, Korea Quarantine Model Overview “Quarantine model overview for ipv6 network security” draft-kondo-quarantine-overview-00.txt Satoshi kondo.

Published byLeonard Cooper Modified over 8 years ago

Similar presentations

Presentation on theme: "59th IETF Seoul, Korea Quarantine Model Overview “Quarantine model overview for ipv6 network security” draft-kondo-quarantine-overview-00.txt Satoshi kondo."— Presentation transcript:

1 59th IETF Seoul, Korea Quarantine Model Overview “Quarantine model overview for ipv6 network security” draft-kondo-quarantine-overview-00.txt Satoshi kondo satoshi_kondo@trendmicro.co.jp

2 59th IETF Seoul, Korea IPv6 v.s. Firewall The benefits of IPv6 don’t coexist with legacy firewalls –End-to-end communication no-more NAT, IPsec, multicast, QoS,... –Plug & Play Non-PC Devices –Mobility Mobile IPv6 What should we do to provide security in IPv6 network? –Should we upgrade firewalls? –Should we design alternative way?

3 59th IETF Seoul, Korea Limitation of Firewall It is difficult for firewalls to –block every network worms via SMTP, HTTP –filter encrypted/tunneled packets SSL, IPsec –control/manage nomadic nodes –pass through high-speed traffics These limitations stem from the basic firewall design (“Border Defense Model”) –we have to abandon firewall to create a new security framework for IPv6 (and IPv4)!

4 59th IETF Seoul, Korea What Is “Quarantine Model” ? Combination of host-based security model and network- based security model to provide flexible and robust security management Consists of three steps: –1. Quarantine the security credential of a node when it is connected to the network –2. Connect the node to a different network based on that result a node is grouped by its security-level –3. Apply different security policy for each networks to enforce site security policy Enforce to apply security patches Access control Filtering rules Packet inspection

5 59th IETF Seoul, Korea Quarantine Model Diagram Network Admission Server Quarantine Authentication Server Prevention Information Server

6 59th IETF Seoul, Korea Security Threat Window Incident Security Threat ReportedSpread to the Internet Spreading speed (Less than 8 hours) Prevention time window (few weeks - several months) Outbreak

7 59th IETF Seoul, Korea Limitation of Firewall is solved Quarantine the security credential of a node when it’s connected to the network –block network worms –control/manage nomadic node Separates nodes according to their security level, and allowing special communications only to high security-level nodes. –encrypted/tunneled packets –pass through high-speed traffic

8 59th IETF Seoul, Korea Next Actions and Issues Experimental implementation –How to describe a site security policy? –How to make a network separation? –How to control network equipment (router/switch/firewall)? Standardization to provide interoperability –to avoid vendor-proprietary IPv6 network security model! –and vendors can implement vendor-specific solutions based on these interoperability. Security prevention information –Data format, Delivering protocol Credential information of network node –Data format, exchange protocol, security-level deprecation

9 59th IETF Seoul, Korea Q&A Is this work necessary for IPv6 network security? If so, should it be an v6ops WG item? –if not, where is the right WG? Other comments are welcome!

Download ppt "59th IETF Seoul, Korea Quarantine Model Overview “Quarantine model overview for ipv6 network security” draft-kondo-quarantine-overview-00.txt Satoshi kondo."

Similar presentations

NAT, firewalls and IPv6 Christian Huitema Architect, Windows Networking Microsoft Corporation.

NAT, firewalls and IPv6 Christian Huitema Architect, Windows Networking Microsoft Corporation.
IPv6 Keith Wichman. History Based on IPv4 Based on IPv4 Development initiated in 1994 Development initiated in 1994.

IPv6 Keith Wichman. History Based on IPv4 Based on IPv4 Development initiated in 1994 Development initiated in 1994.
A master thesis work by Christer Engman Network Services Telia Research AB Department of Teleinformatics Royal Institute of Technology.

A master thesis work by Christer Engman Network Services Telia Research AB Department of Teleinformatics Royal Institute of Technology.
IPv6-The Next Generation Protocol RAMYA MEKALA UIN:01008672.

IPv6-The Next Generation Protocol RAMYA MEKALA UIN:
LMF/TTR Raimo Vuopionperä 6WINIT: Ericsson (Research) Objectives (6WINIT Kick-Off, London) Raimo Vuopionperä (Ph. D.), NomadicLab (LMF/TTR)

LMF/TTR Raimo Vuopionperä 6WINIT: Ericsson (Research) Objectives (6WINIT Kick-Off, London) Raimo Vuopionperä (Ph. D.), NomadicLab (LMF/TTR)
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.

H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.
Security Threats and Security Requirements for the Access Node Control Protocol (ANCP) IETF 67 - ANCP WG November 5-10, 2006 draft-moustafa-ancp-security-threats-00.txt.

Security Threats and Security Requirements for the Access Node Control Protocol (ANCP) IETF 67 - ANCP WG November 5-10, 2006 draft-moustafa-ancp-security-threats-00.txt.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
Security Firewall Firewall design principle. Firewall Characteristics.

Security Firewall Firewall design principle. Firewall Characteristics.
Unleashing the Power of Ubiquitous Connectivity with IPv6 Sandeep K. Singhal, Ph.D Director of Program Management Windows Networking.

Unleashing the Power of Ubiquitous Connectivity with IPv6 Sandeep K. Singhal, Ph.D Director of Program Management Windows Networking.
The Aerospace Clinic 2002 Team Members Nick Hertl (Project Manager) Will Berriel Richard Fujiyama Chip Bradford Faculty Advisor Professor Michael Erlinger.

The Aerospace Clinic 2002 Team Members Nick Hertl (Project Manager) Will Berriel Richard Fujiyama Chip Bradford Faculty Advisor Professor Michael Erlinger.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.

Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.
Circuit & Application Level Gateways CS-431 Dick Steflik.

Circuit & Application Level Gateways CS-431 Dick Steflik.
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)
1 IPv6 Address Management Rajiv Kumar. 2 Lecture Overview Introduction to IP Address Management Rationale for IPv6 IPv6 Addressing IPv6 Policies & Procedures.

1 IPv6 Address Management Rajiv Kumar. 2 Lecture Overview Introduction to IP Address Management Rationale for IPv6 IPv6 Addressing IPv6 Policies & Procedures.
Firewalls Marin Stamov. Introduction Technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts.

Firewalls Marin Stamov. Introduction Technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

Similar presentations

Ads by Google