Seraphim : A Security Architecture for Active Networks - PowerPoint PPT Presentation

1 / 24
About This Presentation
Title:

Seraphim : A Security Architecture for Active Networks

Description:

Seraphim : A Security Architecture for Active Networks University of Illinois at Urbana-Champaign – PowerPoint PPT presentation

Number of Views:79
Avg rating:3.0/5.0
Slides: 25
Provided by: Seu58
Category:

less

Transcript and Presenter's Notes

Title: Seraphim : A Security Architecture for Active Networks


1
Seraphim A Security Architecture for Active
Networks
  • University of Illinois at Urbana-Champaign

2
Motivation
  • Active Network is a radical approach to provide
    programmability in the network
  • Dynamic nature of Active Network needs dynamic
    security architecture as one of the crucial
    requirements

3
Seraphim Threat Model
  • Malicious attacks against the active packets?
  • Unauthorized access to NodeOS resources
  • Attacks against the privacy and integrity of
    communication
  • Denial of Service

4
Seraphim Features
  • Access Control for the NodeOS resources using
    Security Guardian with Dynamic Policy and Active
    Capability
  • Security API for secure communication
  • DDoS Prevention
  • Pluggable Architecture

5
Access Control
  • All accesses to NodeOS resources go through the
    Security Guardian
  • Access control policies are written in the
    context of Policy Framework
  • Active Capability is used as the carrier of the
    access control policy

6
Dynamic Policy
  • Supports several security policies and provides
    dynamic transition between them

DDAC
DAC
MAC
RBAC
OS Primitives, Interfaces
7
NodeOS Security API
EE
Authentication
Authorization
Security Services
GAA API
PAM API
GSS API
X.509, Password-based, Kerberos, SESAME, Etc.
Active Capability, PolicyMaker, ACL Etc.
JCE, Kerberos, SESAME, Etc.
Public Key API
Security Guardian
X.509 PKI
NodeOS
Dynamic Policy Framework
RFC 2510
8
DDoS Prevention - BARMAN
9
DDOS Prevention
  • BARMAN Bandwidth Authorization and Resource
    Management in Active Networks
  • Dynamic protocol solution triggered by
    bandwidth flooding
  • Threshold value based on processor and link
    characteristics
  • Bandwidth Certification for Attack Detection
  • Hierarchical traceback with dynamic accounting
    state
  • Co-operative dynamic recovery using active
    filtering

10
Threshold Computation
  • Static Phase of Protocol
  • Threshold Value
  • Computed by trusted entity e.g., administrator
  • Packet rate that can be safely processed by
    receiver (server or active router) without
    getting DOSed
  • Accommodate for emergency control channel
  • Secure Session Establishment

11
Bandwidth Certification
  • Dynamic Phase of Protocol
  • Triggered by Threshold violation
  • Sender certifies hop-to-hop bandwidth
  • Certificate for Authorization of Bandwidth
    Small fixed length certificate, fixed options,
    cryptographic protection using fast encryption or
    hardware.
  • Prevents link spoofing, man-in-the-middle and
    replay attacks
  • Layered authentication technique

12
Traceback
  • Flow Classification and Aggregation based on
    eventual destination of capsule
  • Direct host, same subnet, foreign subnet
  • Flow characterization real-time statistics
    collection vs. attack-triggered
  • Characterization used to implement hierarchical
    traceback with dynamic state

13
Dynamic Traceback
(0,0,X)
AS 3
AS 2
(0,X,-)
(0,X,0)
(X,0,-)
AS 4
(0,0,-)
14
Dynamic Recovery
  • Traceback as far back as possible using secure
    control messages
  • Reconstruct attack based on collected statistics
  • Dynamically filter on sender for misbehaving
    flows simultaneously

15
Pluggable Architecture
16
Pluggable Architecture
  • Seraphim is designed as a pluggable architecture
  • Originally developed for restructured version of
    ANTS
  • Currently, Seraphim is integrated with Bowman

17
Integration Overview
CANEs API
I2
I1
U
CANEs EE
User A-Flow
Policy Administrator GUI
CANEs Signaling A-Flow
Security Guardian (JNI, JVM)
Policy Server
System Thread
Bowman NodeOS
Host OS
18
Integration Features
  • Provides access control for signaling messages
  • Dynamic flow control at active routers by dynamic
    policy framework
  • Use JNI to plug Java-based Seraphim architecture
    into C-based CANEs/Bowman

19
Demo Contributions
  • Access control for the CANES signaling mechanism
  • Dynamic control of AER flows
  • Prevention of bandwidth clogging DDoS attacks

20
Demo Details - CANES Signaling
21
Demo Details AER flows
22
Demo Details - BARMAN
23
Conclusion
  • Seraphim is dynamic, extensible, flexible, and
    reconfigurable security architecture which meets
    the requirements for Active Networks

24
Future Research Possibilities
  • Interoperability between different security
    domains using role translation
  • Risk model for Active Networks
  • Automated response against intrusions
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Seraphim : A Security Architecture for Active Networks" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!