
  1. Distributed Security Infrastructure
     Makan.Pouzandi@Ericsson.ca
     Ericsson Research, Open Systems Lab, Montréal, Canada
     June 26, 2002
     Rev PA1 2002-07-05, Ericsson Canada

  2. Agenda
     • Context
     • Security in Telecom business
     • Current situation
     • Need for a new software
     • DSI goals and functionality
     • DSI overview
     • Security services

  3. Context
     • Target application: soft real time applications
     • High availability: 99.999% uptime
     • Clustered servers
     • Exposed to the Internet
     • Providing services to different operators
     • Running untrusted third-party software
     • Software configuration evolves slowly over time: no wild software installations

  4. Why Security in Telecom business?

  5. Change in the market: all-IP-networks
     [Figure: "Yesterday" vs "Today" network stacks. Yesterday: separate PSTN/ISDN, PLMN, CATV, Broadband, Wireless and Narrowband access networks, each with its own transport, switching and clients. Today: a layered model of Applications & Content, Services, Management & Support, Service Control, Service Capabilities, Data/IP Networks and a Multi-Service IP Backbone, with the access networks sharing one transport & switching layer.]

  6. The need for a new approach

  7. “Distributed Systems Require Distributed Security”
     Hartman, Flinn, Beznosov, Enterprise Security with EJB and CORBA

  8. Challenges in distributed security
     • Implementing coherent distributed security
       – Many layers to fit together: applications, middleware, OS, hardware, network …
       – Heterogeneous environment: a variety of hardware and software (OS, middleware, networking technologies)
     • Integration of different security solutions from potentially different vendors …
     • System management
       – If managed manually, it may lead to misconfigurations and inconsistencies

  9. Patching versus coherent framework
     • A precise place to intervene when performance must be increased, or when the system's needs change because of client or legal requirements
     • Coherent solutions evolve over time; patching does not!
     [Figure from “Building Secure Software”, Viega-McGraw: number of intrusions plotted over time, with the milestones Disclosure, Scripts Out and Patch Released marked on the time axis.]

  10. Benefits of a coherent framework
     • Abstracting the underlying security algorithms and mechanisms
     • Reducing development time
     • Minimizing the risk of creating subtle but dangerous security vulnerabilities, by reusing security-tested software
     • Maximizing our investment in security mechanisms

  11. Security in different types of clusters
     Traditional Clusters
     • No real time applications
     • Security policy based upon login and passwords
     • Running for a short period of time (days) before each reboot
     • No pre-emptive security
     Carrier Class Clusters
     • Target application: soft real time
     • No possible security policy based upon traditional login and password
     • Running for a very long time (months) under the same login without rebooting
     • Fine-grained security policy based on processes
     • Pre-emptive security

  12. Access control approach in cluster computing
     • Current security approach in cluster computing:
       – Generally based on user privileges (login, password)
       – Life time: a session of several hours?
       – Scope: limited range of operations according to the application’s nature
     • Our target telecom application:
       – One user only
       – Life time: months if not years
       – Scope: wide range of operations, from upgrading software to managing information in a database
     [Figure: Process a on Node 1 sends an Access Request to Process b on Node 2; each node has its own Security Manager. Caption: "No security check on Process a, but on Process b".]

  13. Existing solutions
     • Many security solutions exist:
       – As security mechanisms external to the servers, such as firewalls and Intrusion Detection Systems
       – As part of the servers, such as integrity checks and some mechanisms to enhance security as part of the OS …
     • However, there are few efforts to make a coherent framework for enhancing security in a distributed system

  14. Distributed Security Infrastructure: Goals and Functionality

  15. Project goals
     • Design an architecture that:
       – Supports security mechanisms to protect the system against
         · External attacks originating from the Internet
         · Internal attacks (break through a node in the cluster, O&M security, Intranet attacks …)
       – Accommodates current and future needs
       – Provides mechanisms for detecting and reacting to breaches
       – Targets carrier class clustered servers
     • Architectural requirements:
       – Scalable and flexible
       – Does not provide a single point of failure
       – Does not impose any performance bottlenecks
       – Provides ease of development

  16. DSI characteristics
     • Coherent framework: coherent through the different layers of heterogeneous hardware, applications …
     • Process level approach: security based on individual processes
     • Pre-emptive security: changes in the security context are reflected immediately
     • Transparent key management: cryptographic keys securely stored and managed
     • Dynamic security policy: run-time changes in security context and policy

  17. What we do vs. what we don’t do
     Do
     • Design and implement a coherent framework for the security needs of a cluster running a soft real time application
     • Re-use as much as possible existing algorithms and protocols (COTS)
     • Adapt current technologies to fit our needs and environment (soft real time)
     Do Not
     • Invent new algorithms or new protocols for cryptography, authentication or anything else

  18. DSI functionality
     • Access control: defines which resources each subject may access and prevents illegal accesses
     • Authentication: verifies that principals are who they claim to be
     • Auditing: provides a record of security-relevant events and allows monitoring of subjects in the system
     • Confidentiality and integrity for communications
     • Security management

  19. Distributed Security Infrastructure Overview

  20. Distributed architecture
     [Figure: a Security Server Node running the Security Server (SS), a Security Service Provider and a Kernel Security Service, plus a Secondary Security Server; Node 1, Node 2 and Node 3 each run a Security Manager (SM) and application processes (e.g. Proc987, Proc123). All nodes are connected through the Security Broker, with DSI data traffic shown separately. Legend: SM: Security Manager, SS: Security Server.]

  21. Security services
     [Figure: the Security Manager sits on top of a Security Context Repository, the Security Policy and a Key Repository, and works with the Security Context and Key Management; below it are the Auditing Service, Access Control Service, Authentication Service and Integrity Service.]

  22. Service based (2)
     • Separation between API and implementation
       – Implementation changes and security patches do not affect the system
     • Flexibility
       – Easily change, update or remove services based on needs and legal issues
     • Evolution over time

  23. Distributed Security Policy (DSP)
     • Expresses a coherent security vision (security policy) throughout the whole cluster
     • Local security policy:
       – Initially integrated into the secure boot software
       – Maintained and updated by the security server through the security broker
     • Based on domain enforcement
     • Defines the communication type between processes: secure, not secure, authenticated, encrypted …

  24. Distributed Security Policy
     [Figure: the Security Server Node (SS, Security Broker, Kernel) distributes the Dist Sec Policy to Node 1, Node 2 and Node 3, each running a Security Manager (SM) that enforces its local copy; a logical access from Proc987 to Port 21 is shown being checked against it, with data traffic drawn separately. Legend: SS: Security Server, SM: Security Manager.]

  25. DSI Core: Security Server, Security Manager and Security Communication Channel

  26. Development environment
     • Kernel 2.4.17
     • LSM patch 2.4.18
     • Red Hat 7.2
     • C/C++
     • GCC 2.96

  27. Secure Boot
     • Secure boot provides us with a Distributed Trusted Computing Base (DTCB)
     • The kernel used at secure boot is small enough to be thoroughly vulnerability tested
     • Digital signatures and a local certification authority protect the DTCB from malicious modification

  28. Secure Boot status
     • Development software kit done
     • Downloads boot images from the network
     • Checks RSA signatures on boot images
     • Executes the boot image
     • Kit based on:
       – Network-Boot kit
         · boots from LAN
         · runs Linux
         · diskless (RAM based)
       – Two-kernel Monte
       – OpenSSL 0.9.5
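The download, check, execute sequence on this slide, written out as an added example (this is not the Ericsson secure boot kit, which was C on OpenSSL 0.9.5). It assumes the third-party Python `cryptography` package is installed and uses it in place of OpenSSL; the key size, hash and padding are choices made for the example, not the kit's. The trust anchor is a single public key built into the loader, standing in for the local certification authority; the loader hands over only bytes whose signature verified, and the same buffer is verified and handed over, so the check cannot be bypassed by changing the copy on the boot server after download.

```python
"""Verify-then-execute for a network-booted image (added illustration).

Not the Ericsson secure boot kit. Assumes the `cryptography` package is
installed; RSA-2048, SHA-256 and PKCS#1 v1.5 are this example's choices.
"""
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def make_signing_key() -> rsa.RSAPrivateKey:
    """Stand-in for the local certification authority's RSA signing key."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def public_pem(key: rsa.RSAPrivateKey) -> bytes:
    """Public half in PEM form, as it would be built into the boot kit."""
    return key.public_key().public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )


def sign_image(key: rsa.RSAPrivateKey, image: bytes) -> bytes:
    """Build-server side: sign exactly the bytes the boot server will serve."""
    return key.sign(image, padding.PKCS1v15(), hashes.SHA256())


class BootLoader:
    """Diskless loader whose only trust anchor is the public key it was built with."""

    def __init__(self, trusted_pub_pem: bytes):
        self.trusted = serialization.load_pem_public_key(trusted_pub_pem)

    def verify(self, image: bytes, signature: bytes) -> bool:
        try:
            self.trusted.verify(signature, image, padding.PKCS1v15(), hashes.SHA256())
            return True
        except InvalidSignature:
            return False

    def boot(self, image: bytes, signature: bytes):
        """Return the image bytes to hand to the kernel, or None to refuse to boot.

        The signature is checked over the very buffer that is handed over, so a
        change to the server's copy after download cannot slip in between check
        and use; an unsigned image, a modified image or an image signed by any
        other key all fail closed.
        """
        if not self.verify(image, signature):
            return None
        return image


if __name__ == "__main__":
    ca = make_signing_key()
    loader = BootLoader(public_pem(ca))
    image = b"\x7fELF constructed boot image for the example, not a real kernel"
    signature = sign_image(ca, image)
    print("genuine image accepted:", loader.boot(image, signature) == image)
    print("tampered image accepted:", loader.boot(image + b"\x00", signature) is not None)
    print("rogue key accepted:", loader.boot(image, sign_image(make_signing_key(), image)) is not None)
```

In a real kit the public key must be as protected as the loader itself (burned into the network-boot ROM or the first stage), since whoever can replace it can sign their own images; that is the piece the "local certification authority" bullet is about.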
