a seman c firewall for content centric networking
play

A seman(c firewall for Content Centric Networking - PowerPoint PPT Presentation

Dec 12, 2022 •259 likes •665 views

A seman(c firewall for Content Centric Networking IFIP/IEEE Integrated Network Management Symposium (IM 2013) - MC2: Security Management and Recovery May 27 - 31, 2013 David Goergen Thibault Cholez Jrme

  1. A ¡seman(c ¡firewall ¡for ¡Content ¡Centric ¡ Networking ¡ IFIP/IEEE Integrated Network Management Symposium (IM 2013) - MC2: Security Management and Recovery May 27 - 31, 2013 David Goergen Thibault Cholez Jérôme François Thomas Engel SnT – Interdisciplinary Centre for Security, Reliability and Trust

  2. OUTLINE ¡ • Introduction • Content Centric Networking background • Design • Implementation • Evaluation • Conclusion 2 / 39

  3. A semantic firewall for Content Centric Networking INTRODUCTION ¡ 3 / 39

  4. Introduc(on ¡ • Trend towards content retrieval • Content Centric Networking is built and designed to follow this – Some security measures already built-in • Authentication of content – But real security tools missing • Our contribution: – Identify the security needs for a CCN architecture – Design of a semantic CCN firewall – Performance evaluation 4 / 39

  5. Related ¡work ¡ • Jacobson, V., Smetters, D.K., Thornton, J.D., Plass, M.F., Briggs, N.H., Braynard, R.L. : Networking named content. In: Proceedings of the 5th international conference on Emerging networking experiments and technologies. pp. 1–12. CoNEXT ’09, ACM, New York, NY, USA (2009) • D. Smetters, V. Jacobson: Securing Network Content (October 2009) • Lauinger, T.: Security & scalability of content-centric networking (September 2010) • Goergen, David; Cholez, Thibault; François, Jérôme; Engel, Thomas: Security monitoring for Content Centric Networking , Data Privacy Management and Autonomous Spontaneous Security, Volume 7731 (2013) • partly funded by BUTLER and IoT6 FP7 EU projects under the grant agreements 287901 and 88445 5 / 39

  6. A semantic firewall for Content Centric Networking CONTENT ¡CENTRIC ¡NETWORKING ¡ BACKGROUND ¡ 6 / 39

  7. Content ¡Centric ¡Networking ¡-­‑ ¡CCN ¡ • New paradigm proposed by Van Jacobson et al. • Redesign networking focusing on data instead of hosts (who provide the data) • Shift from a communication oriented paradigm to a distribution oriented • To provide the same functionalities as TCP/IP with build in security features, more efficient content diffusion, mobility, … 7 / 39

  8. How ¡does ¡it ¡work? ¡ • Routable data instead of routable host • Content is named in a hierarchical prefix based way Examples: − uni.lu/people/goergen/presentation/im2013 − thisRoom/projector • Like IP, CCN is semantic free. Meaning is defined by application, global conventions, etc. • Content is requested by user’s Interest • Anyone who has the solicited content can answer 8 / 39

  9. CCN ¡architecture ¡ • CCN Packets: – Interest Packets that express Interest for a certain content – Data Packets , signed by the contents producer, reply to a certain Interest and consume it • CCN tables: – Content store • local repository filled with shared content – Pending Interest Table (PIT) • Contains pending Interest requests send upstream to a content provider – Forward Information Base Table (FIB) • Contains the faces which correspond to a certain Interest 9 / 39

  10. CCN ¡node ¡model ¡ 10 / 39

  11. Rou(ng ¡example ¡ 11 / 39

  12. Rou(ng ¡example ¡cont’d ¡ 12 / 39

  13. Rou(ng ¡example ¡cont’d ¡ 13 / 39

  14. Rou(ng ¡example ¡cont’d ¡ 14 / 39

  15. Rou(ng ¡example ¡cont’d ¡ 15 / 39

  16. Rou(ng ¡example ¡cont’d ¡ 16 / 39

  17. Rou(ng ¡example ¡cont’d ¡ 17 / 39

  18. Rou(ng ¡example ¡cont’d ¡ 18 / 39

  19. Rou(ng ¡example ¡cont’d ¡ 19 / 39

  20. Rou(ng ¡example ¡cont’d ¡ 20 / 39

  21. Security ¡layer ¡ ¡ • No Content transmission before Interest reception – Renders classic Denial-of-Service, like flooding, inefficient • Strongly relies on cryptography – Authentication of Content and its producer – Exclusion of untrustworthy sources • But new kind of attacks – Stateful routers  More vulnerable ? – Missing tool for enforcing security policies 21 / 39

  22. A semantic firewall for Content Centric Networking DESIGN ¡ 22 / 39

  23. IP ¡firewall ¡general ¡use ¡cases ¡ • IP_UC1 – Based on the protocol • Example: http, mail, p2p, voip, … • IP_UC2 – According to the status of the connection • IP_UC3 – Using known blacklisted IP addresses • IP_UC4 – Unusual inbound traffic • From a denial of service attack 23 / 39

  24. CCN-­‑specific ¡use ¡cases ¡ • CCN_UC1 – Filtering on content provider • Example: known untrustworthy or banned • CCN_UC2 – Filtering on bad signature • CCN_UC3 – Filtering on content name and semantic • Example: excluding files with certain extensions • CCN_UC4 – Composition (content provider & content name) 24 / 39

  25. CCN-­‑specific ¡use ¡cases ¡ • CCN_UC5 – Filtering on content direction • Example: avoid leakage of certain documents • CCN_UC6 – Filtering on heavy traffic • Perservation of QoS • CCN_UC7 – Filtering of stored data • Example: Only storing specific content 25 / 39

  26. Comparison ¡ IP use cases CCN use cases Filtering on IP_UC1 CCN_UC3 Protocol / Content name IP_UC2 -- Status of the connection IP_UC3 CCN_UC1 Listed IP / Content provider IP_UC4 CCN_UC6 Unusual / Heavy traffic -- CCN_UC2 Bad signature -- CCN_UC4 Composition of filters -- CCN_UC5 Content direction -- CCN_UC7 Stored data 26 / 39

  27. A semantic firewall for Content Centric Networking IMPLEMENTATION ¡ 27 / 39

  28. Syntax ¡defini(on ¡ • Syntax based on iptables – Ease of use and readability • Distinguish between 3 types of rules – r_interest • interest SP direction SP match_interest SP “pit” SP action – r_face • face SP number – r_data • data SP direction SP match_data SP [“cs” | “pit”] SP action 28 / 39

  29. r_interest ¡& ¡r_face ¡ interest SP direction SP match_interest SP “pit” SP action • direction – int | ext | * • match_interest – * or regular expression • action – forward | drop • example : interest * \@game|play|fun\@ 15 pit drop face SP number Number of active faces • example : face 200 29 / 39

  30. r_data ¡ data SP direction SP match_data SP [“cs” | “pit”] SP action • direction – int | ext | * • match_data – content_name SP provider • content_name – * or regular expression • provider – sign_check SP provider_sign • signcheck – 0 | 1 • provider_sign – * or hex representation of one or more signatures • action – forward | drop • example : data * \@game|fun\@ 0 0 123456789ABCDEF;FFFF0000AAAA pit drop 30 / 39

  31. Pre-­‑processing ¡with ¡Disco ¡ • >= 3 character sequences are extracted • Segmented as real human-readable words • For each sequence find x similar alternative sequences • Recombine with original to create new regular expression 31 / 39

  32. Implementa(on ¡into ¡CCN ¡stack ¡ 32 / 39

  33. A semantic firewall for Content Centric Networking EVALUATION ¡ 33 / 39

  34. Setup ¡ • 6 nodes • Intermediate routers don’t cache • Consumer request single binary file 500MB or 1GB • Measured transfer time request  received 34 / 39

  35. 1 st ¡evalua(on: ¡Impact ¡of ¡rules ¡ • Impact on the number of processed rules – Increasing step 100 – Request 500 MB and 1 GB file • Shows small to no impact on transfer time 35 / 39

  36. 2 nd ¡evalua(on: ¡Clean ¡vs. ¡Firewall ¡ • Repeated experiment to obtain significant results • Firewalled CCN – 1000 rules • Request 500 MB file • Applied Chi-square and KS-test on obtain result 36 / 39

  37. A semantic firewall for Content Centric Networking CONCLUSION ¡ 37 / 39

  38. Conclusion ¡ • Introduction of a first firewall implementation dedicated to CCN – Use case analysis – Grammar definition – Implementation • Use of semantic tools • Overhead of the firewall is neglectable • Future Work – Rule reordering – Using Bloom filters 38 / 39

  39. THANK ¡YOU ¡FOR ¡YOUR ¡ATTENTION ¡ QUESTIONS? ¡ 39 / 39

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Content-Centric Content-Centric Networking Networking J.J. Garcia-Luna-Aceves UCSC and PARC

Content-Centric Content-Centric Networking Networking J.J. Garcia-Luna-Aceves UCSC and PARC

Content-Centric Content-Centric Networking Networking J.J. Garcia-Luna-Aceves UCSC and PARC jj@soe.ucsc.edu jjgla@parc.com Outline Outline Problem we address Limitations of routing schemes that assume connected networks Our

264 views • 25 slides
Introduction to Content Centric Networking Van Jacobson van@parc.com FISS 09 Bremen, Germany

Introduction to Content Centric Networking Van Jacobson van@parc.com FISS 09 Bremen, Germany

Introduction to Content Centric Networking Van Jacobson van@parc.com FISS 09 Bremen, Germany 22 June 2009 This talk describes ongoing PARC work on CCN (Content-centric Networking) by: Jim Thornton Simon Barber Diana Smetters

862 views • 32 slides
Content-Centric Networking at Internet Scale through The Integration of Name Resolution and

Content-Centric Networking at Internet Scale through The Integration of Name Resolution and

Content-Centric Networking at Internet Scale through The Integration of Name Resolution and Routing J. J. Garcia-Luna-Aceves UCSC/Xerox PARC Overview q Routing to names is not better than routing to addresses in a content-centric network q

559 views • 22 slides
Various Faces of Data Centric Networking and Systems Eiko Yoneki University of Cambridge

Various Faces of Data Centric Networking and Systems Eiko Yoneki University of Cambridge

Various Faces of Data Centric Networking and Systems Eiko Yoneki University of Cambridge Computer Laboratory 5 Faces in DCN 1. Content-Centric Networking (CCN) and Content Distribution Networks (CDN) Big Data 2. Programming in Data Centric

358 views • 25 slides
CCTCP: A Scalable Receiver-driven Congestion Control Protocol for Content Centric Networking

CCTCP: A Scalable Receiver-driven Congestion Control Protocol for Content Centric Networking

CCTCP: A Scalable Receiver-driven Congestion Control Protocol for Content Centric Networking Lorenzo Saino, Cosmin Cocora and George Pavlou Communications and Information Systems Group Department of Electrical and Electronics Engineering

500 views • 13 slides
Network Names in Content-Centric Networking ACM ICN 2016 1 CCN Names Expressed as URIs

Network Names in Content-Centric Networking ACM ICN 2016 1 CCN Names Expressed as URIs

9/27/16 Network Names in Content-Centric Networking ACM ICN 2016 1 CCN Names Expressed as URIs /a/b/foo /us/edu/uci/cs/tsudik/papers/acm-icn16.pdf Encoded as TLVs 1 2 3 0 1 2 3 4 5 6 7 8 9

304 views • 12 slides
PIT Overload Analysis in Content Centric Networks Matteo Virgilio, Guido Marchetto, Riccardo

PIT Overload Analysis in Content Centric Networks Matteo Virgilio, Guido Marchetto, Riccardo

ACM SIGCOMM Workshop on Information-Centric Networking 12/08/2013 PIT Overload Analysis in Content Centric Networks Matteo Virgilio, Guido Marchetto, Riccardo Sisto Department of Control and Computer Engineering Politecnico di Torino 1/16

393 views • 16 slides
Data Centric Networking Session 1: Introduction to R202 Data Centric Networking Eiko Yoneki

Data Centric Networking Session 1: Introduction to R202 Data Centric Networking Eiko Yoneki

Data Centric Networking Session 1: Introduction to R202 Data Centric Networking Eiko Yoneki Systems Research Group University of Cambridge Computer Laboratory Welcome and Introduction Welcome to R202 First introduce yourselves Tell

374 views • 18 slides
Architec(ng Digital Twins for Model-Centric Engineering: Seman(c and Machine Learning Approach

Architec(ng Digital Twins for Model-Centric Engineering: Seman(c and Machine Learning Approach

Architec(ng Digital Twins for Model-Centric Engineering: Seman(c and Machine Learning Approach Sponsor: OUSD(R&E) | CCDC By Dr. Mark Aus(n (PI), Maria Coelho, Dr. Mark Blackburn 11 th Annual SERC Sponsor Research Review November 19, 2019

327 views • 8 slides
On the intersection of Information Centric Networking and Delay Tolerant Networking (Lessons

On the intersection of Information Centric Networking and Delay Tolerant Networking (Lessons

On the intersection of Information Centric Networking and Delay Tolerant Networking (Lessons learned from the GreenICN project) Jan Seedorf HFT Stuttgart Visit at HAW Hamburg December 2019 1 Outline (Very) Short Introduction to

682 views • 43 slides
Information Centric Networking(ICN) for Delivering Big Data with Persistent Identifiers(PID)

Information Centric Networking(ICN) for Delivering Big Data with Persistent Identifiers(PID)

Information Centric Networking(ICN) for Delivering Big Data with Persistent Identifiers(PID) Andreas Karakannas Research Project 2 Supervised by: Zhiming Zhao Background PIDs in IP Network Information Centric Networking A new network

696 views • 34 slides
Secure Fragmentation for Content Centric Networking Christopher A. Wood Palo Alto Reseach Center

Secure Fragmentation for Content Centric Networking Christopher A. Wood Palo Alto Reseach Center

Secure Fragmentation for Content Centric Networking Christopher A. Wood Palo Alto Reseach Center cwood@parc.com Marc Mosko Palo Alto Reseach Center mmosko@parc.com IEEE CCN 2015 Dallas, TX, USA 10/19/2015 Confidential Agenda 1. CCNx

1.09k views • 64 slides
Pro-Diluvian: Understanding Scoped-Flooding for Content Discovery in Information-Centric

Pro-Diluvian: Understanding Scoped-Flooding for Content Discovery in Information-Centric

Pro-Diluvian: Understanding Scoped-Flooding for Content Discovery in Information-Centric Networking Liang Wang , Suzan Bayhan, Jo rg Ott, Jussi Kangasharju, Arjuna Sathiaseelan, Jon Crowcroft University of Cambridge, UK Aalto University,

310 views • 27 slides
When Encryption is Not Enough Privacy Attacks in Content- Centric Networking ACM ICN 2017 1

When Encryption is Not Enough Privacy Attacks in Content- Centric Networking ACM ICN 2017 1

When Encryption is Not Enough Privacy Attacks in Content- Centric Networking ACM ICN 2017 1 Privacy with IP GET /a/b/c C S RESPONSE: <data> ACM ICN 2017 2 Privacy with IP secure channel GET /a/b/c C S RESPONSE: <data>

386 views • 37 slides
Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall Overview Todays top firewall problems What IT managers say about their existing firewall Firewall Satisfaction Survey (Spiceworks 2017) Top

548 views • 52 slides
Multimedia Data Processing on CIEL Arman Idani 14 Feb 2012 R202 Data Centric Networking

Multimedia Data Processing on CIEL Arman Idani 14 Feb 2012 R202 Data Centric Networking

Multimedia Data Processing on CIEL Arman Idani 14 Feb 2012 R202 Data Centric Networking Machine Learning on DC Apache Mahout (library for Hadoop) Tons of independent codes Only on textual/graph content No multimedia input

282 views • 14 slides
Fast and Scalable Method for Resolving Anomalies in Firewall Policies Hassan Gobjua

Fast and Scalable Method for Resolving Anomalies in Firewall Policies Hassan Gobjua

Fast and Scalable Method for Resolving Anomalies in Firewall Policies Hassan Gobjua Kamal Ahmat Verizon City University of New York Introduction Firewalls Types of Anomalies Related

380 views • 21 slides
Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls? Network Address Translation Types of Firewalls Linux/Windows Firewalls pfSense Blue Team Activity Brief History Firewall

348 views • 30 slides
Advanced network scanning with Nmap 6 Henri Doreau henri.doreau@gmail.com 13 th LSM - Geneva 2012

Advanced network scanning with Nmap 6 Henri Doreau henri.doreau@gmail.com 13 th LSM - Geneva 2012

Advanced network scanning with Nmap 6 Henri Doreau henri.doreau@gmail.com 13 th LSM - Geneva 2012 Project presentation Nmap Scripting Engine Nmap 6 new features Ongoing developments Conclusion Outline Project presentation 1 Introduction

844 views • 35 slides
Remote Network Analysis - I know what you know - Torsten Hfler htor@cs.tu-chemnitz.de Torsten

Remote Network Analysis - I know what you know - Torsten Hfler htor@cs.tu-chemnitz.de Torsten

Remote Network Analysis - I know what you know - Torsten Hfler htor@cs.tu-chemnitz.de Torsten Hfler, 21. November 2004 Remote Network Analysis - p. 1/41 Outline Outline 1. Introduction Introduction 2. Passive Analysis Passive

906 views • 41 slides
Adaptive and Proactive Security Assessment on Energy Delivery Systems Carlos Rubio-Medrano, Vu

Adaptive and Proactive Security Assessment on Energy Delivery Systems Carlos Rubio-Medrano, Vu

Adaptive and Proactive Security Assessment on Energy Delivery Systems Carlos Rubio-Medrano, Vu Coughlin , Josephine Lamp, Ziming Zhao, Gail-Joon Ahn and Anna Scaglione Outline Activity Current/ OntoEDS ExSol EDSGuard Refresher Future Work

1.38k views • 41 slides
Using a firewall to control traffic in networks 1 Example Network .35 .12 .36 .11 3.3.3.0/24

Using a firewall to control traffic in networks 1 Example Network .35 .12 .36 .11 3.3.3.0/24

Using a firewall to control traffic in networks 1 Example Network .35 .12 .36 .11 3.3.3.0/24 1.1.1.0/24 Rd .1 Ra .4.1 .4.4 1.1.0.0/16 Rc 2.2.2.0/24 .1 .4.2 .1 .23 Rb .47 Re .15.6 .99 1.1.2.0/24 4.4.4.0/24 .24 2 Firewall

708 views • 13 slides
GASPP: A GPU-Accelerated Stateful Packet Processing Framework

GASPP: A GPU-Accelerated Stateful Packet Processing Framework

GASPP: A GPU-Accelerated Stateful Packet Processing Framework Giorgos Vasiliadis, FORTH-ICS, Greece Lazaros Koromilas, FORTH-ICS, Greece Michalis Polychronakis,

949 views • 56 slides
Firewalls Chester Rebeiro IIT Madras Some of the slides borrowed from the book Computer

Firewalls Chester Rebeiro IIT Madras Some of the slides borrowed from the book Computer

Firewalls Chester Rebeiro IIT Madras Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du Firewall Block unauthorized traffic flowing from one network to another Separate trusted and

898 views • 58 slides

More recommend