network security breakout
DESCRIPTION
Network Security Breakout. Participants. Matt Crawford, FNAL Phil Dykstra, DREN Chris Greer, NCO Karl Levitt, NSF Paul Love, NCO Grant Miller, NCO Thomas Ndousse, DOE Joe St Sauver, Internet2 and U. Oregon. Time Horizon/Scope. Immediate term vs. longer term - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Network Security Breakout](https://reader035.vdocument.in/reader035/viewer/2022062517/56813907550346895da0be49/html5/thumbnails/1.jpg)
1
Network Security Breakout
![Page 2: Network Security Breakout](https://reader035.vdocument.in/reader035/viewer/2022062517/56813907550346895da0be49/html5/thumbnails/2.jpg)
2
Participants
• Matt Crawford, FNAL
• Phil Dykstra, DREN
• Chris Greer, NCO
• Karl Levitt, NSF
• Paul Love, NCO
• Grant Miller, NCO
• Thomas Ndousse, DOE
• Joe St Sauver, Internet2 and U. Oregon
![Page 3: Network Security Breakout](https://reader035.vdocument.in/reader035/viewer/2022062517/56813907550346895da0be49/html5/thumbnails/3.jpg)
3
Time Horizon/Scope
• Immediate term vs. longer term
• If we don't do the short term items, we may not be able to do the longer time items
• We limited our discussion to unclassified networks.
![Page 4: Network Security Breakout](https://reader035.vdocument.in/reader035/viewer/2022062517/56813907550346895da0be49/html5/thumbnails/4.jpg)
4
Vision Of the Future
• Everything is way too fast
• Everything is encrypted
• Multilayer: not just all layer three any longer
![Page 5: Network Security Breakout](https://reader035.vdocument.in/reader035/viewer/2022062517/56813907550346895da0be49/html5/thumbnails/5.jpg)
5
Immediate Term
• Research on how to deploy existing and developmental capabilities
• How do we provide incentives to encourage folks to use security capabilities
• Testbed creation to test and deploy capabilities and to see how folks respond to them
![Page 6: Network Security Breakout](https://reader035.vdocument.in/reader035/viewer/2022062517/56813907550346895da0be49/html5/thumbnails/6.jpg)
6
Moving perimeter into the host• Chokepoints can't keep up at 10Gbps, 100G coming• To scale border protection, move the perimeter "two
inches into the host" -- put network security policy onto a trusted network interface card/chip.
• Deals with the issue of the firewalls not being able to keep up at increasingly high rates
• R&D direction– The NIC would be site-configurable, not host-configurable,
and auditable. It would report events as required by configured security policy.
– Verifying host & OS integrity is probably out of scope.
![Page 7: Network Security Breakout](https://reader035.vdocument.in/reader035/viewer/2022062517/56813907550346895da0be49/html5/thumbnails/7.jpg)
7
Any New Network Architecture
• ALL new network architectures must include a security model from the ground up
• Require this to be part of proposals!
![Page 8: Network Security Breakout](https://reader035.vdocument.in/reader035/viewer/2022062517/56813907550346895da0be49/html5/thumbnails/8.jpg)
8
Security Test Bed As Part of GENI
• DETER has limits on acceptable research (e.g., no malware testing)
• GENI would offer potentially large scale environment
• Cyber Range isn't accessible/is classified
• Applications to run on GENI or other experimental test bed networks should include security metrics
![Page 9: Network Security Breakout](https://reader035.vdocument.in/reader035/viewer/2022062517/56813907550346895da0be49/html5/thumbnails/9.jpg)
9
Security vs. Usability
• Completely secure if unplugged and locked up in a vault… but that's not what it is for
• Need to balance security vs. usability, and that will likely require research to understand and get right
• Who pays: some security mandates may be unfunded
• Research area: tradeoffs between usability vs. security.
![Page 10: Network Security Breakout](https://reader035.vdocument.in/reader035/viewer/2022062517/56813907550346895da0be49/html5/thumbnails/10.jpg)
10
Threat Assessment
• [we'll be discussing tomorrow]
![Page 11: Network Security Breakout](https://reader035.vdocument.in/reader035/viewer/2022062517/56813907550346895da0be49/html5/thumbnails/11.jpg)
11
Closer Coordination Between Security and Networking Folks,
and Security and Apps Folks• Currently those are silo'd communities
• Recommendation: develop mechanisms to foster sharing and cross fertilization.
![Page 12: Network Security Breakout](https://reader035.vdocument.in/reader035/viewer/2022062517/56813907550346895da0be49/html5/thumbnails/12.jpg)
12
Physical Layer (L1) Security
• OTDR checking on a reserved lambda while in-service to detect taps/cuts
![Page 13: Network Security Breakout](https://reader035.vdocument.in/reader035/viewer/2022062517/56813907550346895da0be49/html5/thumbnails/13.jpg)
13
Layer 2 Security
• Context: ethernet VPNs seem to be ubiquitous in the near future, therefore layer two security issues are of growing concern.
• Specifically, we know of ARP spoofing MITM attacks, MAC admission control manageability issues
![Page 14: Network Security Breakout](https://reader035.vdocument.in/reader035/viewer/2022062517/56813907550346895da0be49/html5/thumbnails/14.jpg)
14
Understanding Circuit-Based Risks• Two sites:
-- one with a circuit connected host (host A) that also has Internet connectivity-- other with a circuit connected host (host B) that also has sensitive internal network connectivity
• Risk is that path will bridge Internet --> host A --> circuit based connection --> host B --> sensitive internal network
• Doesn't have to occur at the same time
![Page 15: Network Security Breakout](https://reader035.vdocument.in/reader035/viewer/2022062517/56813907550346895da0be49/html5/thumbnails/15.jpg)
15
Optical Networks
• Opportunity for strong authentication prior to circuit establishment
• Critical to protect the control plane -- currently often inband
![Page 16: Network Security Breakout](https://reader035.vdocument.in/reader035/viewer/2022062517/56813907550346895da0be49/html5/thumbnails/16.jpg)
16
Virtualization• Promise and peril
• Folks like the idea of being able to give people a virtual machine, then blow it away when it is done being used
• Issues associated with potentially saving state and then restoring a now-insecure VM
• Additional machines and complexity to administer
• Risk of hypervisor breakout attacks
![Page 17: Network Security Breakout](https://reader035.vdocument.in/reader035/viewer/2022062517/56813907550346895da0be49/html5/thumbnails/17.jpg)
17
Immunocomputing• Things to be learned from nature which
may be applicable to security
• Can the machine be introspective with respect to its own security?
• Possibility: third level of security -- user, kernel, security
• Possibility: other systems on the subnet paying attention to what's going on
• Diversity
![Page 18: Network Security Breakout](https://reader035.vdocument.in/reader035/viewer/2022062517/56813907550346895da0be49/html5/thumbnails/18.jpg)
18
Correlating Diverse Inputs• Having a broad picture of network activity has
security value -- for example, Einstein sees more than an individual IDS might
• Slow scan issues
• Asymmetric multihoming
• Bad routing
• Traceback
• Additional alarm possibilities
• Security implications of network architectures
![Page 19: Network Security Breakout](https://reader035.vdocument.in/reader035/viewer/2022062517/56813907550346895da0be49/html5/thumbnails/19.jpg)
19
Security Policies in the Face of Ubiquitous Encryption
• Assume all traffic is opportunistically encrypted host-to-host.
• What can "network security" still do if all it can see is (src,dst)?
• Research area: incorporate traffic analytic methods into security tools
![Page 20: Network Security Breakout](https://reader035.vdocument.in/reader035/viewer/2022062517/56813907550346895da0be49/html5/thumbnails/20.jpg)
20
Want IPSEC Support forIP Multicast Key Exchange
• May be able to build on an existing proprietary secure IP multicast solution
• 100% of DREN traffic is IPSEC encrypted-- except for IP multicast, and DREN would like to fix that.
• IETF MSEC group is working on it (drafts from 2007
![Page 21: Network Security Breakout](https://reader035.vdocument.in/reader035/viewer/2022062517/56813907550346895da0be49/html5/thumbnails/21.jpg)
21
Performance Measurement and Monitoring
• Tradeoff in sharing of information privacy of sensitive information vs. generalized access and timely alerts
![Page 22: Network Security Breakout](https://reader035.vdocument.in/reader035/viewer/2022062517/56813907550346895da0be49/html5/thumbnails/22.jpg)
22
Intrusion Prevention SystemsHandling Asymmetric Traffic Flows
• Very hard problem, no one currently commercially addressing this
• Should be a topic for research
![Page 23: Network Security Breakout](https://reader035.vdocument.in/reader035/viewer/2022062517/56813907550346895da0be49/html5/thumbnails/23.jpg)
23
Longer Term• May not be dealing with packets, might be
circuits, flows, streams, …
![Page 24: Network Security Breakout](https://reader035.vdocument.in/reader035/viewer/2022062517/56813907550346895da0be49/html5/thumbnails/24.jpg)
24
Economics of Security
• Understanding the financial incentives of attackers
• Economic motivators for security solutions
![Page 25: Network Security Breakout](https://reader035.vdocument.in/reader035/viewer/2022062517/56813907550346895da0be49/html5/thumbnails/25.jpg)
25
If You Remember One Thing
• The security problem is distributed
• Therefore the solution needs to be distributed as well
![Page 26: Network Security Breakout](https://reader035.vdocument.in/reader035/viewer/2022062517/56813907550346895da0be49/html5/thumbnails/26.jpg)
26
• Topic
• Finding
• Recommendations