April 2006, Stanford Clean Slate Seminar

A Protection Architecture for Enterprise Networks (and comments on security-centric network design)

Martin Casado (Stanford), Tal Garfinkel (Stanford), Aditya Akella (CMU/Stanford), Michael Freedman (NYU), Dan Boneh (Stanford), Nick McKeown (Stanford), Scott Shenker (ICSI/Berkeley)

What I'm Going to Talk About
- A lot about security in the Enterprise
- A little bit about security on the Internet
- Generally exploit this opportunity to pontificate

Remember ... this is Clean Slate
- Maybe a little "out-there"
- Maybe a little "wrong"
- Supposed to foment ideas and discussion (so please interrupt me)

Public vs. Private Networks
- Public (google, ebay, etc.)
  - Get as wide exposure
  - (mostly) everyone welcome
  - Want some protection from evil-doers
- Private (internal commercial, financial etc.)
  - Special purpose
  - Limited user base
  - Knows what's running where
- Fundamentally different (but use same technologies)

Infrastructure Support for Public Services
- Ability to identify individual users
- Ability to revoke access to individual users (stop them from using your network resources)
- Ability to determine location of individual users (regulatory compliance)
- ... (more on this later)

Infrastructure Support for Private Networks
- identify individual users by userid
- revoke access to users
- determine location of individual users
- and
- strictly define connectivity between users, hosts, services, protocols and access points
- control routes at the session level
- centralized trust and control
- restrict access to information

Supported by IP
- identify individual users by userid
- revoke access to users
- determine location of individual users
- and
- strictly define connectivity between users, hosts, services, protocols and access points
- control routes at the session level
- Centralized trust and control
- Restrict access to information

Motivation Punch Line
- Attempting to do all these things today
- ... but without the support of the architecture
- Result is:
  - Insecure network
  - Inflexible network
  - Hard to manage network

Defining Connectivity
- Why? Attempt at limiting resources to that which is needed
  - Limit damage of internal malware, perimeter breach, or insider
- Today: Use lots of filtering
  - MAC, IP, transport
  - Physical ports (VLANs)
  - Deep packet inspection (e.g. first data packet of a protocol)
- Full proxies
- Access control lists on services (not network aware but could be!)

Defining Connectivity (the bad)
- Network only really aware of addresses
- Firewall rules embed topology into configuration state
  - Difficult to move machines
  - Hard to read and understand (100k lines of proprietary, different configurations)
- Forwarding path unaware of filtering rules
  - Will try to circumvent if it can
  - Adding a new network component not good (hence have "choked" networks)
- Higher level filtering can be undermined by lower levels (e.g. permissive link layer)

Control Over Routing
- Why?
  - Different access points have different security requirements (e.g. wireless users must go through http proxy)
  - Different protocols have different security requirements (e.g. all files sent over IM must be checked for viruses)
  - Different user groups have different security requirements (e.g. log all connections from marketing)
- Today: make all routes go through the same point (large, expensive do-it-all proxies)
- Or use two/three/four separate networks
- Or application protocol aware routing (Cisco's OER, application aware routing)

Centralized Trust and Control
- Why?
  - Limited number of trusted components
  - Networks often centrally administered
- Pretty new area, but products are starting to pop up: Consentry, Apani, Securify
- Networks by nature are distributed
  - Distributed routing computation (trust every router)
  - Many (many many) heavily trusted components (DNS, DHCP server, gateway, routers, switches, end-hosts, directory services, authentication services, proxies etc.)

Restrict Access to Information
- Why? (first resource available to attacker)
- Turn off (normally filter at host or perimeter firewall)
  - RST
  - ICMP (TTL Time exceeded, echo reply, port unreach)
- Detect
  - ARP scans
  - Automated IP scans
- Limit visibility of network resources
  - VLAN
  - NATs, Proxies etc.
- Still really hard to do (e.g. Topology information passed unencrypted in routing protocols)
- No "switch" for auditing (should be controlled the same as other resources)

Retrofitting Security onto IP
- Designed for Security
  - Firewalls, Router ACLs
  - Port Security
  - IDS/NDS/IPS (scan detection, anomaly detection, signature detection)
  - VLANs
- Pushed Into Service
  - Ethernet Switches
  - NATs, Proxies
(Figure: the layers Physical, Datalink, Network, Transport, Application, with the mechanisms above placed against them.)

Common Solutions = Crummy Networks (and mediocre security)
- Inflexible
  - Hard to move a machine (yet difficult to know if someone has moved)
  - Really difficult to deploy a new protocol
- Brittle
  - Change a firewall rule, break security policy
  - Add a switch, break security policy
- Confusing
  - Many disparate point solutions
  - State = a bunch of soft state
  - Hard to state meaningful policies
- Lose redundancy
  - Introduce choke points
  - Can't migrate routes b/c of all the soft state

Argument Thus Far
- Enterprise networks use IP (designed for the Internet)
- IP not designed for attack resistance
  - permissive
  - Unauthenticated end-points
  - No knowledge of application protocols
  - Heavily distributed (proliferation of TCB)
  - No support for ubiquitous logging
- Attempts to retrofit access controls have resulted in less-than-ideal networks
  - Confusing
  - Brittle
  - Etc.

Let's Start from Scratch
- Leverage characteristics unique to Enterprise
  - Centrally managed
  - Known users
  - Structured connectivity
- Reduce number of trusted components
- Simplify policy declaration
- Retain flexibility and redundancy (decouple topology and security policy)

Instead of ...
- Default on + filter -> Default off + permission
- Distributed, cryptic policy -> simple and centralized
- Security choke-point -> fine grained control of routes
- Distributed trust -> centralized
- Permissive link layer -> low level enforcement

Momentary Detour
- Currently two competing approaches to securing the Enterprise:
  - A) Detect when things are bad behaviorally (e.g. anomaly detection)
    - Don't know network state
    - How are you going to define a new protocol?
    - What if your heuristics are bad?
  - B) Strictly define what is permissible
    - Limit connectivity to what is needed to get the job done
    - Assume traffic using that is OK

SANE
- Declare policy centrally over users, protocols, services and access points
- All communications require a "capability" from a central arbiter
- Capabilities encode the route
- All switches enforce the capability (it is included and enforced at layer 2)

Capability Provides Isolation Layer
- Introduce layer 2.5: an Isolation Layer between Ethernet and IP (SANE)
- Contains encrypted, immutable route
(Figure: layers Physical, Datalink, Network, Transport, Application with the isolation layer between Ethernet and IP; the capability is drawn with its route as switch port pairs (1,4), (3,2), (2,1), a service port, MAC fields, E_sw1 and E_sw2, a CAP-ID and an expiration.)

SANE: Action Sequence!
- Publish martin.friends.ambient-streams, allow tal, sundar, aditya
- Authenticate: "hi, I'm martin, my password is"
- Authenticate: "hi, I'm tal, my password is"
- Request martin.friends.ambient-streams
(Figure: the capability's route shown as a sequence of switch port numbers between the client port and the ambient-streams service.)

SANE: Overview
- Domain Controller
  - Authenticates users
  - Contains network topology
  - Hosts services (by name)
  - Manages permission checking
  - Creates and issues capabilities
- Switches
  - Send topology information to the DC
  - Provide default connectivity to the DC
  - Validate capabilities
  - Forward packets based on capability
  - Enforce revocations
- End-Hosts
  - Publish services at the DC
  - Specify access controls (export streams.ambient allow tal)
  - Request access to services
  - Use appropriate capability for each packet

Security Properties
- Permission check before connectivity (Users only access resources they have permission to)
- Policy enforced at every switch
- Centralized, simple policy declaration (topology independent)
- Control of routes
- Information restricted to administrator
- Authenticated end hosts (bound to location)

Other Nice Properties
- Central point for connection logging (DC)
- Addition of switches (redundancy) does not undermine security policy
- Anti-mobility

But ...
- How to communicate with the DC?
- How to protect the DC?
- How to securely get topology to DC?
- Go to DC for each flow ... are you inSANE?
- This is really, really clean slate
  - Fork lift upgrade entire network
  - Change all end-hosts to work with capabilities
  - Change notion of services and naming

Connectivity to the DC
- Switches construct spanning tree rooted at DC
- Switches don't learn topology (just neighbors)
- Provides basic datagram service to DC

Switch Authentication
- Switches authenticate with DC and establish symmetric key
- IKEv2 for key establishment
- All subsequent packets to DC have "authentication header" (similar to IPsec ESP header)
(Figure: four switches with per-switch keys K_sw1, K_sw2, K_sw3, K_sw4.)

Establishing Topology
- Switches generate neighbor lists during MST algorithm
- Send encrypted neighbor-list to DC
- DC aggregates to full topology
- No switch knows full topology
(Figure: the same four switches with keys K_sw1 to K_sw4.)

Centralized? (and you call yourself a network researcher)
- Exists today ... Sort of (DNS)
- Permission check is fast (and control path != data path)
- Replicate DC
  - Computationally (multiple servers)
  - Topologically (multiple servers in multiple places)
- Loads aren't as high as you might think

Backwards Compatibility (Ethane)
- Use first packet of flow for permission check
  - Ports, IP addresses
  - Can guess application type
- Instead of source routes use virtual circuits
- Instead of replacing switches, add "bumps"

Connection Setup
- Switches disallow all Ethernet broadcast (and respond to ARP for all IPs)
- First packet of every new flow is sent to DC for permission check
- DC sets up flow at each switch
- Packets of established flows are forwarded using multi-layer switching
(Figure: DC, Alice, Bob.)

Easing Deployment
- Use trivial 2-port switches (bumps)
- On links between Ethernet switches
- Can be enhanced by using VLAN per port

Status
- Built software version of SANE
  - All components in software
  - Ran in group network (7 hosts) 1 month
- Currently in development of "Ethane"
  - Switches in hardware + software
  - DC using standard PC

Network Support for Public Services?
- Ability to identify individual users
- Ability to revoke access to individual users
- Ability to determine location of individual users (regulatory compliance)

Problem: Identity
- First level of identity is the IP address
  - Is it forged? (maybe)
  - Is half of Thailand behind it? (maybe)
- Obviously a bad discriminator
  - Allow 1 person, allow half of Thailand (e.g. IPA)
  - Ban 1 person, ban half of Thailand (e.g. AOL proxies)
- Today's solution?
  - Use high-bandwidth infrastructure for TCP handshake
  - Use separate, low-function login service
  - Only allow "blessed" sessions to use services
  - Is this sufficient?
- Tomorrow's solution? (hip? Note IPv6 does nothing to help us here)

Problem: Protecting Downstream BW
- Lots of shared queues (cross traffic)
- Packets may not get to destination to trigger filtering
  - I manually set my TTL
  - I futz with the transport checksum so your proxy drops it
- SYN packet source may be forged (cannot filter)
- Note: Overprovision by magical power of 2 not really helpful
- Today's solutions
  - Get flooded
  - Identify "aggregates" in the network
  - Hire someone else to figure out what is going on

Third Party Vetting Model
(Figure: peers reaching each other through a vetting third party, which likely keeps per-flow state and other anomaly detection voodoo, over an IPsec tunnel or private circuit.)
- Is this the right model?
- Is per-flow state at a few points rather than throughout the network OK?
- How about having a static, layer-2 circuit to protect trust relationships (sounds reasonable to me)
- Can we generalize this to offer and support as a service from the Internet?

Problem: GeoLocation
- Information isn't really stored anywhere
  - Registries aren't accurate
  - DNS loc isn't widely used
  - People lie when filling out online accounts
- Proxies and Dial-Ups further complicate things
- Today's solution?
  - A lot of bad academic tools (e.g. unDNS, netgeo)
  - A few decent commercial offerings (Quova, Akamai) offering 90-95% accuracy at country level
  - Still, may be breaking the law 5% of the time
- Tomorrow's solution? should this even be at the network level? oh no!, what about privacy?

Security and the Internet
- Does IP provide adequate security for the public networks? (no, but it's pretty close ...)
- Will a future Internet look similar to IP (maybe)
- What is the problem then? Malware, SPAM, Admission Control, Phishing etc.

Questions?

Middlebox Integration
- Control of routes is powerful
- DC can force routes through middlebox based on policy
- E.g. signature detection for all flows from laptops and users in marketing
(Figure: a signature detection middlebox on the forced route.)

Performance
- Decouple control and data path in switches
- Software control path (connection setup) (slightly higher latency)
- Simple, fast, hardware forwarding path (Gigabits)

Enterprise Threat Environment
- Incidental attacks (phishing, spam, worms, viruses, kiddies)
- External, Targeted Attacks
  - Competitors (e.g. vs. )
  - Idealists (e.g. SCO)
- Insiders (29% of all attacks?)

Enterprise Threat Environment
- Incidental attacks (worms, viruses, kiddies)
- External Targeted Attacks
  - More access to resources
  - Ability to hire skilled attacker
- Insiders (29% of all attacks?)
  - Locality (access to internal network)
  - Knowledge of internal workings

Example: External Targeted Attack
- Target: Large company (B)
- Attacker Profile: Skill-level equivalent to a B.S. in computer science
- Rules of Engagement
  - No physical access
  - Cannot limit availability of network resources
- Goals
  - Map out operations
  - Gain access to sensitive information
  - Ability to disrupt internal communications if needed

Step 1: Reconnaissance
Netcraft search: ba
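The SANE mechanism in the slides above (a Domain Controller that holds the topology and the policy, per-switch symmetric keys, a capability that encodes the route and expires, and every switch checking it before forwarding) as an added toy model; this is example code written for this page, not the SANE or Ethane implementation. The topology, keys, policy, hop-tag format and all function names are constructed assumptions, and a per-hop HMAC stands in for the encrypted, immutable route of the real design.

```python
import hashlib, hmac
# Constructed: DC's topology (switch -> {port: neighbour}), per-switch DC keys, policy.
TOPOLOGY = {"sw1": {1: "alice", 2: "sw2"}, "sw2": {1: "sw1", 2: "sw3", 3: "bob"},
            "sw3": {1: "sw2", 2: "carol"}}
SWITCH_KEYS = {"sw1": b"k-sw1", "sw2": b"k-sw2", "sw3": b"k-sw3"}
POLICY = {"bob.ambient-streams": ("bob", {"alice"})}   # service -> (host, users)

def attach_switch(host):
    """Switch a host is plugged into (end hosts are bound to location in SANE)."""
    return next(sw for sw, ports in TOPOLOGY.items() if host in ports.values())

def find_path(src, dst, seen=()):
    """DC-side search of its topology; returns a route [(switch, out_port), ...]."""
    if src == dst:
        return []
    for port, nbr in TOPOLOGY.get(src, {}).items():
        if nbr not in seen:
            rest = find_path(nbr, dst, seen + (src,))
            if rest is not None:
                return [(src, port)] + rest
    return None

def hop_tag(sw, cap_id, exp, port):
    """MAC binding one hop to the capability id and expiry under that switch's key."""
    msg = f"{cap_id}|{exp}|{sw}|{port}".encode()
    return hmac.new(SWITCH_KEYS[sw], msg, hashlib.sha256).digest()

def issue_capability(user, service, cap_id, now, ttl=60):
    """DC: permission check before any connectivity, then the route, tagged per hop."""
    host, allowed = POLICY.get(service, (None, ()))
    if user not in allowed:
        return None
    exp, route = now + ttl, find_path(attach_switch(user), host)
    return {"id": cap_id, "exp": exp,
            "hops": [(sw, p, hop_tag(sw, cap_id, exp, p)) for sw, p in route]}

def switch_forward(sw, cap, now):
    """Switch: enforce expiry and verify only its own hop; None means drop."""
    for hop_sw, port, tag in cap["hops"]:
        if hop_sw == sw and now < cap["exp"] and hmac.compare_digest(
                tag, hop_tag(sw, cap["id"], cap["exp"], port)):
            return port
    return None

def deliver(src, cap, now):
    """Walk the packet through the real switches; returns the host reached or None."""
    node = attach_switch(src)
    while node in TOPOLOGY:                 # ends at a host, or None if a switch drops
        node = TOPOLOGY[node].get(switch_forward(node, cap, now))
    return node
```

A tampered route, an expired capability, or the same capability replayed from another port all fail at the first switch whose check does not match, which is the "policy enforced at every switch" property of the slides.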