protecting insecure communications with topology aware
play

Protecting Insecure Communications with Topology-aware Network - PowerPoint PPT Presentation

Jan 31, 2023 •481 likes •682 views

Protecting Insecure Communications with Topology-aware Network Tunnels Georgios Kontaxis Angelos D. Keromytis Department of Computer Science Columbia University, USA Clients securing their traffic to a server TLS unavailable at the server

  1. Protecting Insecure Communications with Topology-aware Network Tunnels Georgios Kontaxis Angelos D. Keromytis Department of Computer Science Columbia University, USA

  2. Clients securing their traffic to a server TLS unavailable at the server • Minimize the unencrypted network path on the Internet • Without the server’s participation • Not a substitute for TLS! • kontaxis@cs.columbia.edu 2

  3. Limited adoption of transport layer security • Top 10K sites (Alexa) • Only 32% support HTTPS • Only 15% redirect HTTP to HTTPS HTTPS response HTTPS? % # 1 Error (Conn. refused) No 21.4 2144 2 Error (Invalid cert.) No 22.1 2205 3 Error (HTTP 4xx 5xx) No 2.9 292 4 HTTPS downgraded No 21.5 2152 Total No 67.9 6793 5 OK Yes 17.0 1695 6 OK (HTTP upgraded) Yes 15.1 1512 Total Yes 32.1 3207 kontaxis@cs.columbia.edu 3

  4. Imperfect deployment of TLS Implementation vulnerabilities threaten user security • FREAK POODLE Heartbleed RC4 BEAST DROWN Users cannot rely on websites to patch themselves up • 45% of servers affected by FREAK vulnerable 9 months later • DROWN affects a TLS 1.2 client because server supports SSLv2 • kontaxis@cs.columbia.edu 4

  5. Short network paths minimize the attack surface AS 1 AS 2 AS n Client Server A • kontaxis@austria$ traceroute www.nytimes.com 1. EDIS GmbH (AT) 2. RETN Limited (UK) 3. NTT America, Inc. (US) 4. Fastly (US) • kontaxis@ec2-us-east-1$ traceroute www.nytimes.com 1. Amazon Inc. (US) 2. Fastly (US) kontaxis@cs.columbia.edu 5

  6. Web services are clustered in the cloud Cloud networks host the majority of web services • Excellent vantage point to browse the web • Users have access to Virtual Machines in the cloud • % Autonomous System Name 17.1 Akamai Technologies, Inc. 13.9 Amazon.com, Inc. 11.4 CloudFlare, Inc. 9.9 Google Inc. 3.7 EdgeCast Networks, Inc. 2.9 SoftLayer Technologies Inc. 2.1 Fastly 1.7 Tinet SpA 1.6 Internap Network Services Corp. 1.5 Rackspace Hosting 65.8 Total kontaxis@cs.columbia.edu 6

  7. Cloud networks are the gateway to Internet services AS x Server A Cloud Provider 1 AS 1 Client AS y Cloud Provider 2 Server B kontaxis@cs.columbia.edu 7

  8. Proposed overlay of encrypted tunnels with the cloud We replace multi-hop plain-text links with encrypted tunnels • AS x Server A Server A Cloud Cloud Topology-aware Provider 1 Provider 1 Tunnel 1 AS 1 Client Client Topology-aware Tunnel 2 AS y Cloud Cloud Provider 2 Provider 2 Server B Server B kontaxis@cs.columbia.edu 8

  9. Topology-aware Network Tunnels (TNT) •Routing through the tunnel closest to the server AS x Server A Server A Cloud Cloud Topology-aware Provider 1 Provider 1 Tunnel 1 AS 1 Client Client Topology-aware Tunnel 2 AS y Cloud Cloud Provider 2 Provider 2 Server B Server B kontaxis@cs.columbia.edu 9

  10. TNT establishes links to popular cloud networks Cloud Topology-aware Provider 1 Tunnel 1 Client AS z Topology-aware Tunnel 2 Cloud Provider 2 kontaxis@cs.columbia.edu 10

  11. Given a destination TNT maps the available paths •Initially traffic is routed through a tunnel at random Dest GW Metric Any Any 0 Server A Cloud Topology-aware Provider 1 Tunnel 1 Client AS z Topology-aware Tunnel 2 Cloud Provider 2 kontaxis@cs.columbia.edu 11

  12. TNT evaluates the available paths to a destination •Active, passive network measurements identify the shortest path Dest GW Metric Any Any 0 Server A A Tun 1 1 Cloud Topology-aware Provider 1 Tunnel 1 A Tun 2 2 Client AS z Topology-aware Tunnel 2 Cloud Provider 2 kontaxis@cs.columbia.edu 12

  13. TNT makes routing decisions to minimize plain-text traffic •TNT starts routing packets through the shortest path in real time Dest GW Metric Any Any 0 Server A A Tun 1 1 Cloud Topology-aware Provider 1 Tunnel 1 A Tun 2 2 Client AS z Topology-aware Tunnel 2 Cloud Provider 2 kontaxis@cs.columbia.edu 13

  14. Insecure network paths are minimized • Tunnel exit in the same network as a web server - Zero traffic exposure to the Internet • Tunnels to AWS, Azure are colocated with 20% of web services 1 0.9 0.8 0.7 0.6 CDF 0.5 0.4 TNT-cloud 0.3 ISP-US-E 0.2 Uni-US-E 0.1 ISP-EU-W 0 0 1 2 3 4 5 Autonomous systems making up the network path to a web service kontaxis@cs.columbia.edu 14

  15. Insecure network paths are minimized • Tunnel exit in a network near the web server - Minimal traffic exchange outside the cloud • TNT paths are always shorter than the native path 1 0.9 0.8 0.7 0.6 CDF 0.5 0.4 TNT-cloud 0.3 ISP-US-E 0.2 Uni-US-E 0.1 ISP-EU-W 0 0 1 2 3 4 5 Autonomous systems making up the network path to a web service kontaxis@cs.columbia.edu 15

  16. TNT preserves the browsing experience Page load time and latency do not deviate from the baseline • Used the network at Columbia University for comparison • 2000 1200 Baseline routing 1900 Baseline routing TNT routing TNT routing 1000 1800 Page Load time (ms) Round-trip Time (ms) 1700 800 1600 1500 600 1400 400 1300 1200 200 1100 1000 0 0 100 200 300 400 500 600 700 800 900 1000 1 10 100 1000 Web servers Web pages kontaxis@cs.columbia.edu 16

  17. Topology-aware network tunnels An overlay of encrypted links to key network infrastructure • Motivated by the clustering of services in the cloud • Minimize plain-text traffic on the Internet • Without the cooperation of individual services • Put clients in control of their security • Deployable using existing technologies and resources • kontaxis@cs.columbia.edu 17

  18. Find out more about TNT https://www.cs.columbia.edu/~kontaxis/tnt/ kontaxis@cs.columbia.edu AS x Server A Topology-aware Cloud Tunnel 1 Provider 1 AS 1 Client Topology-aware Tunnel 2 AS y AS z Server C Cloud Provider 2 Server B

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Ninja Scaning by Fyodor CanSecWest 2009 March 20, 3:50 PM

Ninja Scaning by Fyodor CanSecWest 2009 March 20, 3:50 PM

Insecure.Org Insecure.Org Ninja Scaning by Fyodor CanSecWest 2009 March 20, 3:50 PM http://insecure.org/presentations/CSW09/ Insecure.Org Insecure.Org Ncat http://nmap.org/ncat/ Insecure.Org Insecure.Org Modern Networking Features

689 views • 21 slides
Topology-aware OpenMP Process Scheduling Peter Thoman, Hans Moritsch, and Thomas Fahringer

Topology-aware OpenMP Process Scheduling Peter Thoman, Hans Moritsch, and Thomas Fahringer

Topology-aware OpenMP Process Scheduling Peter Thoman, Hans Moritsch, and Thomas Fahringer University of Innsbruck (Austria) Motivation IWOMP 2010, Topology-aware OpenMP Process Scheduling 2010-06-15 Motivation Hardware Trends

551 views • 30 slides
Protecting Interprocess Communications Operating systems provide various kinds of

Protecting Interprocess Communications Operating systems provide various kinds of

Protecting Interprocess Communications Operating systems provide various kinds of interprocess communications Messages Semaphores Shared memory Sockets How can we be sure theyre used properly? Lecture 8 Page 1 CS 236

266 views • 25 slides
Network Topology-aware Traffic Scheduling Emin Gabrielyan cole Polytechnique Fdrale de

Network Topology-aware Traffic Scheduling Emin Gabrielyan cole Polytechnique Fdrale de

6th SOS Workshop on Distributed Supercomputing: Data Intensive Computing March 4-6, 2002, Badehotel Bristol, Leukerbad, Valais, Switzerland Network Topology-aware Traffic Scheduling Emin Gabrielyan cole Polytechnique Fdrale de Lausanne,

391 views • 22 slides
Communication and Topology-aware Load Balancing in Charm++ with TreeMatch Joint lab 10th workshop

Communication and Topology-aware Load Balancing in Charm++ with TreeMatch Joint lab 10th workshop

Communication and Topology-aware Load Balancing in Charm++ with TreeMatch Joint lab 10th workshop (IEEE Cluster 2013, Indianapolis, IN) Emmanuel Jeannot Esteban Meneses-Rojas Guillaume Mercier Franois Tessier Gengbin Zheng November 27,

471 views • 34 slides
Topology-Aware Data Aggregation for Intensive I/O on Large-Scale Supercomputers Franois Tessier

Topology-Aware Data Aggregation for Intensive I/O on Large-Scale Supercomputers Franois Tessier

Context Approach Evaluation Conclusion Topology-Aware Data Aggregation for Intensive I/O on Large-Scale Supercomputers Franois Tessier , Preeti Malakar , Venkatram Vishwanath , Emmanuel Jeannot , Florin Isaila Argonne

488 views • 30 slides
A Topology-Aware Performance Monitoring Tool for Shared Resource Management in Multicore Systems

A Topology-Aware Performance Monitoring Tool for Shared Resource Management in Multicore Systems

A Topology-Aware Performance Monitoring Tool for Shared Resource Management in Multicore Systems TADaaM Team - Nicolas Denoyelle - Brice Goglin - Emmanuel Jeannot August 24, 2015 1. Context/Motivations 2. Fast presentation of the tool 3.

446 views • 29 slides
Scripting and Extending Nmap and Wireshark with Lua by Gerald Combs & Gordon Fyodor

Scripting and Extending Nmap and Wireshark with Lua by Gerald Combs & Gordon Fyodor

Insecure.Org Insecure.Org Scripting and Extending Nmap and Wireshark with Lua by Gerald Combs & Gordon Fyodor Lyon Sharkfest 2010 June 16, 1:15 PM http://insecure.org/presentations/Sharkfest10/ Insecure.Org Insecure.Org Nmap

278 views • 16 slides
Topology-Aware Cooperative Data Protection in Blockchain-Based Decentralized Storage Networks

Topology-Aware Cooperative Data Protection in Blockchain-Based Decentralized Storage Networks

ISIT 2020 Topology-Aware Cooperative Data Protection in Blockchain-Based Decentralized Storage Networks Siyi Yang 1 , Ahmed Hareedy 2 , Robert Calderbank 2 , Lara Dolecek 1 1 Electrical and Computer Engineering Department, UCLA 2 Electrical and

927 views • 61 slides
TARA: Topology-Aware Resource Adaptation for Congestion Avoidance in Wireless Sensor Networks

TARA: Topology-Aware Resource Adaptation for Congestion Avoidance in Wireless Sensor Networks

TARA: Topology-Aware Resource Adaptation for Congestion Avoidance in Wireless Sensor Networks Jaewon Kang, Yanyong Zhang, and Badri Nath WINLAB and DATAMAN Lab. Rutgers, The State University of New Jersey WINLAB Research Review, May 2006 Too

486 views • 25 slides
Network Topology-aware Traffic Scheduling Emin Gabrielyan, Roger D. Hersch cole Polytechnique

Network Topology-aware Traffic Scheduling Emin Gabrielyan, Roger D. Hersch cole Polytechnique

Submitted to the 2 nd IEEE International Symposium on Cluster Computing and the Grid. 21-24 May 2002, Berlin, Germany Network Topology-aware Traffic Scheduling Emin Gabrielyan, Roger D. Hersch cole Polytechnique Fdrale de Lausanne,

462 views • 8 slides
Enhancing Compact Routing in CCN with Prefix Embedding and Topology-Aware Hashing Stefanie Roos 1

Enhancing Compact Routing in CCN with Prefix Embedding and Topology-Aware Hashing Stefanie Roos 1

Enhancing Compact Routing in CCN with Prefix Embedding and Topology-Aware Hashing Stefanie Roos 1 , Liang Wang 2 , Thorsten Strufe 1 , Jussi Kangasharju 2 1 TU Dresden, firstname.lastname@tu-dresden.de 2 University of Helsinki,

434 views • 12 slides
Protecting Free and Open Communications on the Internet Against Man-in-the-Middle Attacks on

Protecting Free and Open Communications on the Internet Against Man-in-the-Middle Attacks on

Protecting Free and Open Communications on the Internet Against Man-in-the-Middle Attacks on Third-Party Software Jeffrey Knockel, Jedidiah Crandall Computer Science Department University of New Mexico Recent News Iran: forged SSL

569 views • 27 slides
Automating Topology Aware Mapping for Supercomputers Abhinav Bhatele, Gagan Gupta Laxmikant V.

Automating Topology Aware Mapping for Supercomputers Abhinav Bhatele, Gagan Gupta Laxmikant V.

Automating Topology Aware Mapping for Supercomputers Abhinav Bhatele, Gagan Gupta Laxmikant V. Kale 1 1 Application Topologies Patch Compute Proxy

637 views • 44 slides
Safeguarding about making people aware of Adults their rights, protecting them Section 42

Safeguarding about making people aware of Adults their rights, protecting them Section 42

Safeguarding is Safeguarding about making people aware of Adults their rights, protecting them Section 42 and preventing abuse. Enquiries Delivered by: Jane Hughes Safeguarding Consultant on behalf of Hampshire Safeguarding Adults

665 views • 38 slides
Safeguarding about making people aware of Adults their rights, protecting them Section 42

Safeguarding about making people aware of Adults their rights, protecting them Section 42

Safeguarding is Safeguarding about making people aware of Adults their rights, protecting them Section 42 and preventing abuse. Enquiries Delivered by: Jane Hughes Safeguarding Consultant on behalf of Hampshire Safeguarding Adults

548 views • 36 slides
Coccinelle: Reducing the Barriers to Modularization in a Large C Code Base Julia Lawall

Coccinelle: Reducing the Barriers to Modularization in a Large C Code Base Julia Lawall

Coccinelle: Reducing the Barriers to Modularization in a Large C Code Base Julia Lawall Inria/LIP6/UPMC/Sorbonne University-Regal Modularity 2014 1 Modularity Wikipedia: Modularity is the degree to which a systems components may be

481 views • 30 slides
MTS: Bringing Multi-Tenancy to Virtual Networking Kashyap Thimmaraju, Saad Hermak, Gbor

MTS: Bringing Multi-Tenancy to Virtual Networking Kashyap Thimmaraju, Saad Hermak, Gbor

MTS: Bringing Multi-Tenancy to Virtual Networking Kashyap Thimmaraju, Saad Hermak, Gbor Rtvri and Stefan Schmid USENIX Annual Technical Conference 2019 July 11, Renton, Washington, USA Virtual Networks Using Virtual Switches VM VM VM

962 views • 58 slides
Outline Where overflows come from, contd CSci 5271 More problems Introduction to Computer

Outline Where overflows come from, contd CSci 5271 More problems Introduction to Computer

Outline Where overflows come from, contd CSci 5271 More problems Introduction to Computer Security Announcements intermission Low-level vulnerabilities and attacks (combined lecture) Classic code injection attacks Stephen McCamant

391 views • 9 slides
Mobitopolo: A Portable Infrastructure to Facilitate Flexible Deployment and Migration of

Mobitopolo: A Portable Infrastructure to Facilitate Flexible Deployment and Migration of

Mobitopolo: A Portable Infrastructure to Facilitate Flexible Deployment and Migration of Distributed Applications with Virtual Topologies Richard POTTER NICT Akihiro NAKAO University of Tokyo NICT Virtual Infrastructure for Testbeds

161 views • 13 slides
Neue strongSwan VPN Features GUUG Frhjahrsfachgesprch 2015 Stuttgart Prof. Dr. Andreas

Neue strongSwan VPN Features GUUG Frhjahrsfachgesprch 2015 Stuttgart Prof. Dr. Andreas

Neue strongSwan VPN Features GUUG Frhjahrsfachgesprch 2015 Stuttgart Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications HSR Hochschule fr Technik Rapperswil andreas.steffen@strongswan.org Wo um Gottes Willen

608 views • 35 slides
Chapters IID and II a : SUN new and sun proofs of WUN Last time : and awkward

Chapters IID and II a : SUN new and sun proofs of WUN Last time : and awkward

Chapters IID and II a : SUN new and sun proofs of WUN Last time : and awkward hypotheses Downside are : verify to hard . " new SUN " To fix this create a : modified hypotheses with I " odds :* . entails

407 views • 13 slides
Persistent Personal Names for Globally Connected Mobile Devices Bryan Ford, Jacob Strauss, Chris

Persistent Personal Names for Globally Connected Mobile Devices Bryan Ford, Jacob Strauss, Chris

Persistent Personal Names for Globally Connected Mobile Devices Bryan Ford, Jacob Strauss, Chris Lesniewski-Laas, Sean Rhea, Frans Kaashoek, Robert Morris Massachusetts Institute of Technology http://pdos.csail.mit.edu/uia Connectivity

824 views • 61 slides
The ICSI Haystack A Platform for Hybrid Mobile Measurements in the Wild Narseo

The ICSI Haystack A Platform for Hybrid Mobile Measurements in the Wild Narseo

AIMS Workshop - CAIDA, February 2016 The ICSI Haystack A Platform for Hybrid Mobile Measurements in the Wild Narseo Vallina-Rodriguez In collaboration with: S. Sundaresan, C. Kreibich, M. Allman, V. Paxson (ICSI/UC Berkeley) A.

616 views • 19 slides

More recommend