Per-user Policy Enforcement on Mobile Apps through Network Functions - - PowerPoint PPT Presentation

▶

Jan 11, 2024 364 likes •515 views

Per-user Policy Enforcement on Mobile Apps through Network Functions Virtualization Workshop on Mobility in the Evolving Internet Architecture Sep. 11, 2014, Maui, Hawaii, USA Yong Liao, Mario Baldi, Amedeo Sapio Gyan Ranjan, Alok Tongaonkar,

SLIDE 1

Amedeo Sapio Fulvio Risso Politecnico di Torino

Per-user Policy Enforcement on Mobile Apps through Network Functions Virtualization

Amedeo Sapio amedeo.sapio@polito.it

Workshop on Mobility in the Evolving Internet Architecture

Sep. 11, 2014, Maui, Hawaii, USA

Yong Liao, Mario Baldi, Gyan Ranjan, Alok Tongaonkar, Ruben Torres, Antonio Nucci Narus, Inc.

SLIDE 2

2 Amedeo Sapio amedeo.sapio@polito.it

Motivation

Courtesy of SEN Technologies

SLIDE 3

3 Amedeo Sapio amedeo.sapio@polito.it

Motivation

SLIDE 4

4 Amedeo Sapio amedeo.sapio@polito.it

Motivation

Smartphones can collect a wide range of data
Different mobile apps have different vulnerabilities
Mobile apps traffic is largely undistinguishable from web traffic
Different mobile apps can use

the same remote end-point

Use of encrypted connections

by mobile apps is increasing

Different roles within an
rganization have different

security clearances and necessities

SLIDE 5

5 Amedeo Sapio amedeo.sapio@polito.it

MAPPER

Mobile Apps Personal Policy Enforcement Router

Bob’s security profile Alice’s security profile

Network-based approach
Mobile apps aware policies
Device independent policies
Per-user defined policies
Uniform protection among different APs
HTTPS support

Bob’s Security profile

SLIDE 6

6 Amedeo Sapio amedeo.sapio@polito.it

Mobile Application Identification Module

Flows

Rule set

Features Extraction Metadata (Identifiers)

Lookup Categorization

Application Categories XML summary Features App

MAI

App profile

SLIDE 7

7 Amedeo Sapio amedeo.sapio@polito.it

FROG – Flexible and pROGrammable network node

Dedicated lightweight VM for each user

Policy enforcement
Traffic segregation
Dynamic allocation
Flexible policy definition

Hypervisor

VM User 1

Mobile App Filter Firewall

FROG node VM User 2

Network monitor Parental control

SLIDE 8

8 Amedeo Sapio amedeo.sapio@polito.it

MAPPER Architecture

Smart Wireless Access Point
User dedicated lightweight VMs
Mobile Apps Identification engine
TLS proxy (MiMP)
Application content filtering

MAPPER Mobile Application Identification Module

Mobile App Categorization Module Mobility Classifier

Metadata Rule Engine

Classified Flows

Management Server

Users & Groups User policies Permissions

MiMP

Parsed HTTP flows

FROG Hypervisor

VM User 1 VM User 2 VM User 3

App ID

Network applications Marketplace

Firewall Parental Control Malware Detector Network Monitor Content Filter Mobile app filter MiMP bridge

SLIDE 9

9 Amedeo Sapio amedeo.sapio@polito.it

MAPPER workflow

Hypervisor

User PEX

Mobile App Filter MiMP Bridge NIC 1 NIC 2

GEX 2 MiMP

MAPPER

Virtualization layer GEX 1 MAI Client Server 1 2 - 3 - 6 4 5

PEX: Personal EXecution Environment GEX: Global EXecution Environment MAI: Mobile Application Identification module MiMP: Man-in-the-Middle Proxy

1. IP redirection
2. TLS proxying
3. Summary extraction
4. App Identification
5. Policy consistency
6. Policy enforcement

SLIDE 10

10 Amedeo Sapio amedeo.sapio@polito.it

Evaluation – Single user

Average throughput (MByte/s)

ms

Response time CDF 500 requests for 1 KB file

SLIDE 11

11 Amedeo Sapio amedeo.sapio@polito.it

Evaluation – Multi user

Memory MB

Number of clients

CPU RAM Throughput Response time 1 user 16.13% 3261 MB 104 Kb/s 778.8 ms 2 users 21.57% 3392 MB 102 Kb/s 751.6 ms

500 online search queries

SLIDE 12

12 Amedeo Sapio amedeo.sapio@polito.it

Conclusions

MAPPER leverages Network Functions Virtualization for implementing

fine-grained policies on mobile devices.

Policies can be designed according to:

 Mobile apps  Categories  Devices

The system can easily scale to a large number of users exploiting load

distribution and cloud computing.

Future studies will be directed towards performance improvements and

additional functionalities.

SLIDE 13

Amedeo Sapio amedeo.sapio@polito.it

Questions?

SLIDE 14

Amedeo Sapio amedeo.sapio@polito.it Fulvio Risso fulvio.risso@polito.it Yong Liao yliao@narus.com Mario Baldi mbaldi@narus.com

Thank you!

Amedeo Sapio amedeo.sapio@polito.it

Amedeo Sapio Fulvio Risso Politecnico di Torino

Per-user Policy Enforcement on Mobile Apps through Network Functions Virtualization

Workshop on Mobility in the Evolving Internet Architecture

Yong Liao, Mario Baldi, Gyan Ranjan, Alok Tongaonkar, Ruben Torres, Antonio Nucci Narus, Inc.

Motivation

Motivation

Motivation

the same remote end-point

by mobile apps is increasing

security clearances and necessities

MAPPER

Mobile Apps Personal Policy Enforcement Router

Mobile Application Identification Module

Rule set

Lookup Categorization

MAI

App profile

FROG – Flexible and pROGrammable network node

Dedicated lightweight VM for each user

MAPPER Architecture

MAPPER Mobile Application Identification Module

MiMP

FROG Hypervisor

Network applications Marketplace

MAPPER workflow

Evaluation – Single user

ms

Evaluation – Multi user

CPU RAM Throughput Response time 1 user 16.13% 3261 MB 104 Kb/s 778.8 ms 2 users 21.57% 3392 MB 102 Kb/s 751.6 ms

Conclusions

fine-grained policies on mobile devices.

 Mobile apps  Categories  Devices

distribution and cloud computing.

additional functionalities.

Questions?

Amedeo Sapio amedeo.sapio@polito.it Fulvio Risso fulvio.risso@polito.it Yong Liao yliao@narus.com Mario Baldi mbaldi@narus.com

Thank you!

Gyan Ranjan granjan@narus.com Alok Tongaonkar atongaonkar@narus.com Ruben Torres rtorres@narus.com Antonio Nucci anucci@narus.com