delegating network security with more information with
play

Delegating Network Security with More Information with More - PowerPoint PPT Presentation

Sep 27, 2023 •207 likes •542 views

Delegating Network Security with More Information with More Information {Stanford: [ Jad Naous , Ryan Stutsman, David Mazires, Nick McKeown,], MIT CSAIL: [Nickolai Zeldovich]} Context Roberto Alicia

  1. Delegating Network Security with More Information with More Information {“Stanford”: [“ Jad Naous” , “Ryan Stutsman”, “David Mazières”, “Nick McKeown”,], “MIT CSAIL”: [“Nickolai Zeldovich”]}

  2. Context Roberto Alicia Carlito

  3. Context

  4. Context Alicia

  5. Policies Alicia Wants • Skype only to Skype • email clients only to email server • Only Roberto can use openssh ver < 5.0 • Allow R&D machines to talk anywhere in net, • Allow R&D machines to talk anywhere in net, but not Sales

  6. Common Problem Alicia does not have all information necessary

  7. Simple Solution Ask!

  8. Who should Alicia ask? • Ask the whole path between sender and destination. • Each network along the path might have different information (e.g. authenticated user) information (e.g. authenticated user) • Augment responses along the path • Communicate any relevant information • Let the Alicia decide what to use

  9. What information might Alicia want? • username and authenticated usernames • Application name, type, hash, version, … • OS information, patches, … • Network name, type, location, security, … • Network name, type, location, security, … • Application expected behavior, network rules, destination rules, …

  10. Soliciting Information: ident++ Proposal for requesting information: 1. Ask for more information for every new flow. 2. Arbitrary user/admin-definable key-value pairs 3. Networks along the path augment responses

  11. Example: e-mail • Mail-server accessed by mail clients only • Thunderbird is the only mail client allowed • Only users authenticated by the network are allowed access. allowed access.

  12. Example: e-mail Data Flow From 192.168.0.1:2358 To 192.168.1.1:25 Payload

  13. Example: e-mail Query Query From 192.168.0.1:2358 From 192.168.0.1:2358 To 192.168.1.1:25 To 192.168.1.1:25

  14. Example: e-mail Response Response From 192.168.0.1:2358 From 192.168.0.1:2358 To 192.168.1.1:25 To 192.168.1.1:25 -app-name: thunderbird -app-name: cyrus -version: 2.0.3 -user: imap -user:roberto -type: email-server -type: email-client

  15. Example: e-mail Response Response From 192.168.0.1:2358 From 192.168.0.1:2358 To 192.168.1.1:25 To 192.168.1.1:25 -app-name: thunderbird -app-name: cyrus -version: 2.0.3 -user: imap -user: roberto -type: email-server -type: email-client -authed-user: roberto

  16. Example: e-mail Data Flow From 192.168.0.1:2358 To 192.168.1.1:25 Payload

  17. Example: evil e-mail Response Response From 192.168.0.1:2358 From 192.168.0.1:2358 To 192.168.1.1:25 To 192.168.1.1:25 -app-name: thunderbird -app-name: cyrus -version: 2.0.3 -user: imap -user: roberto -type: email-server -type: email-client -authed-user: unknown

  18. Example: evil e-mail

  19. Example: e-mail Client Configuration File: Backbone Firewall Rules: @ app /usr/bin/thunderbird { name block all : thunderbird version : 2.0.3 pass all type with eq (@src[type], : email-client } } email-client) email-client) with eq (@dst[type], email-server) with eq (@src[name], thunderbird) with not eq (@src[auth-user], unknown)

  20. Extended PF language • PF+=2 Allows flexible policies based on query results (key-value pairs) • Extensible via arbitrary functions.

  21. Trust and Delegation • We delegate every day • Makes lives easier • Delegate to trusted people • Trust levels vary so delegation levels vary • Trust levels vary so delegation levels vary

  22. Example: e-mail David Roberto Alicia Carlito

  23. Example: e-mail • Mail-server accessed by mail clients only • Thunderbird is the only mail client allowed • Only users authenticated by the network are allowed access. allowed access.

  24. How it is done today Alicia, Carlito, and David get together, coordinate, and then change the rules. An easier way?

  25. Example: e-mail Data Flow From 192.168.0.1:2358 To 192.168.1.1:25 Payload

  26. Example: e-mail Query Query From 192.168.0.1:2358 From 192.168.0.1:2358 To 192.168.1.1:25 To 192.168.1.1:25

  27. Example: e-mail Response Response From 192.168.0.1:2358 From 192.168.0.1:2358 To 192.168.1.1:25 To 192.168.1.1:25 -app-name: cyrus -app-name: thunderbird -user: imap -version: 2.0.3 -type: email-server -user:roberto -rule: only from email-client -type: email-client

  28. Example: e-mail Response Response From 192.168.0.1:2358 From 192.168.0.1:2358 To 192.168.1.1:25 To 192.168.1.1:25 -app-name: thunderbird -app-name: cyrus -version: 2.0.3 -user: imap -user: roberto -type: email-server -type: email-client -rule: only from email-client -authed-user: bob -rule: thunderbird only

  29. Example: e-mail Data Flow From 192.168.0.1:2358 To 192.168.1.1:25 Payload

  30. Example: e-mail Server Configuration File: Backbone Firewall Rules: @ app /usr/bin/cyrus { name block all : cyrus type pass all : email-server rule with allowed (@dst[rules]) : block all block all with not eq (@src[auth-user], with not eq (@src[auth-user], with not eq (@src[type], unknown) email-client) }

  31. Third-Party Delegation • Another Example – Allow users to run any application as long as it conforms to rules signed by trusted third-party – Rules can be downloaded by user and stored – Rules can be downloaded by user and stored locally. – Security devices check signatures before accepting rules.

  32. Summary • If you don’t know, ask! • Trust and delegation intertwined (be careful who you delegate to or what information you trust) trust) • ident++ delegation enabler, says nothing about trust

  33. Questions? Questions? This work was funded partially by an NSF grant.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Security Note: These slides are created using information from. Network Security Essentials by

Security Note: These slides are created using information from. Network Security Essentials by

Security Note: These slides are created using information from. Network Security Essentials by William Stallings Computer Networking, A top-down approach by James F.Kurose and Keith W.Ross Maximum Security by Anonymous Lectures and Notes from

489 views • 38 slides
Security in Malicious Environments: NSF Programs in Information-Theoretic Network Security Phil

Security in Malicious Environments: NSF Programs in Information-Theoretic Network Security Phil

Background Classical Tools Beyond Cryptography NSF Security in Malicious Environments: NSF Programs in Information-Theoretic Network Security Phil Regalia Program Director Directorate for Computer &amp; Information Science &amp; Engineering

552 views • 36 slides
Economics of network security Harald Vranken 1 Economics of network security Note that

Economics of network security Harald Vranken 1 Economics of network security Note that

Advanced Network Security (2019-2020) Economics of network security Harald Vranken 1 Economics of network security Note that network in this lecture means Physical communication network (eg. Internet, telephony, fax, telegraph)

769 views • 49 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able to Skills identify design and Ability to analyze the implementation security of networked vulnerabilities in network systems protocols

564 views • 33 slides
N etwork safeguards are the first protec- tion barrier of IT sys- tem resources against

N etwork safeguards are the first protec- tion barrier of IT sys- tem resources against

ISSA Journal | October 2007 ISSA The Global Voice of Information Security The Principles of Network Security Design By Mariusz Stawowski Deployment of an effective and scalable network security system requires proper designing

320 views • 3 slides
CSE543 Computer and Network Security Module: Network Security Professor Patrick McDaniel Fall

CSE543 Computer and Network Security Module: Network Security Professor Patrick McDaniel Fall

CSE543 Computer and Network Security Module: Network Security Professor Patrick McDaniel Fall 204 1 CSE543 - Introduction to Computer and Network Security Page Networking Fundamentally about transmitting information between two (or more)

636 views • 47 slides
Victorian Protective Data Security Framework Victorian Information Security Network - VPS Forum

Victorian Protective Data Security Framework Victorian Information Security Network - VPS Forum

Victorian Protective Data Security Framework Victorian Information Security Network - VPS Forum December 2016 C ommissioner for P rivacy and D ata P rotection Introductions Pr Presenter esenter Commissioner Privacy and Data Protection David

415 views • 20 slides
Victorian Protective Data Security Framework Victorian Information Security Network PARTNERS

Victorian Protective Data Security Framework Victorian Information Security Network PARTNERS

Victorian Protective Data Security Framework Victorian Information Security Network PARTNERS Forum December 2016 C ommissioner for P rivacy and D ata P rotection Introductions Pr Presenter esenter Commissioner Privacy and Data Protection

363 views • 23 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J CSCI 6268/TLEN 5831, Fall 2004 Introduction UC Davis PhD in 2000 Cryptography Interested in broader security as well

492 views • 12 slides
Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

1.12k views • 92 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

374 views • 13 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

932 views • 55 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 3 Network Protocol Attacks Roadmap Network security The basic objectives: CIA

1.68k views • 39 slides
IMAP, JMAP and the future of email standards Bron Gondwana &lt;brong@fastmailteam.com&gt; 1 / 13

IMAP, JMAP and the future of email standards Bron Gondwana &lt;brong@fastmailteam.com&gt; 1 / 13

IMAP, JMAP and the future of email standards Bron Gondwana &lt;brong@fastmailteam.com&gt; 1 / 13 DISCLAIMER This talk and the protocols covered are for client / server email only I do NOT address server / server SMTP I do NOT address

445 views • 13 slides
CRASTE-LF Inputs of African Regional Centre for Space Science and Technology Education in French

CRASTE-LF Inputs of African Regional Centre for Space Science and Technology Education in French

CRASTE-LF United Nations / South Africa Symposium on Basic Space Technology Small satellite missions for Affiliated to UN scientific and technological advancement : Stellenbosch, South Africa 11-15 December 2017 CRASTE-LF Inputs of

718 views • 27 slides
Charlie Garrod Chris Timperley 17-214 1 Administrivia Homework 5c due tonight! 17-214 2

Charlie Garrod Chris Timperley 17-214 1 Administrivia Homework 5c due tonight! 17-214 2

Principles of Software Construction: Objects, Design, and Concurrency Toward software engineering in practice Charlie Garrod Chris Timperley 17-214 1 Administrivia Homework 5c due tonight! 17-214 2 Software Engineering (SE) at CMU

689 views • 45 slides
Modelling of turbulent flows: RANS and LES Turbulenzmodelle in der Str omungsmechanik: RANS und

Modelling of turbulent flows: RANS and LES Turbulenzmodelle in der Str omungsmechanik: RANS und

Introduction Algebraic stress models Non-linear eddy viscosity models Modelling of turbulent flows: RANS and LES Turbulenzmodelle in der Str omungsmechanik: RANS und LES Markus Uhlmann Institut f ur Hydromechanik Karlsruher Institut f

315 views • 20 slides
Toward an Automated Vulnerability Comparison of Open Source IMAP Servers Chaos Golubitsky

Toward an Automated Vulnerability Comparison of Open Source IMAP Servers Chaos Golubitsky

Toward an Automated Vulnerability Comparison of Open Source IMAP Servers Chaos Golubitsky (chaos@glassonion.org) December 7, 2005 1 Overview Motivation Attack surfaces IMAP server design Automated attack surface measurement

236 views • 12 slides
rt sts ssts r

rt sts ssts r

rt sts ssts r r t s tr sst tr

1.21k views • 77 slides
Graphical Models Graphical Models Bayesian Networks Siamak Ravanbakhsh Fall 2019 Previously on

Graphical Models Graphical Models Bayesian Networks Siamak Ravanbakhsh Fall 2019 Previously on

Graphical Models Graphical Models Bayesian Networks Siamak Ravanbakhsh Fall 2019 Previously on Previously on Probabilistic Graphical Models Probabilistic Graphical Models Probability distribution and density functions Random variable

1.39k views • 104 slides
Chapter 2 Application Layer

Chapter 2 Application Layer

Chapter 2 Application Layer

1.46k views • 114 slides

More recommend