delegating network security with more information with
play

Delegating Network Security with More Information with More - PowerPoint PPT Presentation

Delegating Network Security with More Information with More Information {Stanford: [ Jad Naous , Ryan Stutsman, David Mazires, Nick McKeown,], MIT CSAIL: [Nickolai Zeldovich]} Context Roberto Alicia


  1. Delegating Network Security with More Information with More Information {“Stanford”: [“ Jad Naous” , “Ryan Stutsman”, “David Mazières”, “Nick McKeown”,], “MIT CSAIL”: [“Nickolai Zeldovich”]}

  2. Context Roberto Alicia Carlito

  3. Context

  4. Context Alicia

  5. Policies Alicia Wants • Skype only to Skype • email clients only to email server • Only Roberto can use openssh ver < 5.0 • Allow R&D machines to talk anywhere in net, • Allow R&D machines to talk anywhere in net, but not Sales

  6. Common Problem Alicia does not have all information necessary

  7. Simple Solution Ask!

  8. Who should Alicia ask? • Ask the whole path between sender and destination. • Each network along the path might have different information (e.g. authenticated user) information (e.g. authenticated user) • Augment responses along the path • Communicate any relevant information • Let the Alicia decide what to use

  9. What information might Alicia want? • username and authenticated usernames • Application name, type, hash, version, … • OS information, patches, … • Network name, type, location, security, … • Network name, type, location, security, … • Application expected behavior, network rules, destination rules, …

  10. Soliciting Information: ident++ Proposal for requesting information: 1. Ask for more information for every new flow. 2. Arbitrary user/admin-definable key-value pairs 3. Networks along the path augment responses

  11. Example: e-mail • Mail-server accessed by mail clients only • Thunderbird is the only mail client allowed • Only users authenticated by the network are allowed access. allowed access.

  12. Example: e-mail Data Flow From 192.168.0.1:2358 To 192.168.1.1:25 Payload

  13. Example: e-mail Query Query From 192.168.0.1:2358 From 192.168.0.1:2358 To 192.168.1.1:25 To 192.168.1.1:25

  14. Example: e-mail Response Response From 192.168.0.1:2358 From 192.168.0.1:2358 To 192.168.1.1:25 To 192.168.1.1:25 -app-name: thunderbird -app-name: cyrus -version: 2.0.3 -user: imap -user:roberto -type: email-server -type: email-client

  15. Example: e-mail Response Response From 192.168.0.1:2358 From 192.168.0.1:2358 To 192.168.1.1:25 To 192.168.1.1:25 -app-name: thunderbird -app-name: cyrus -version: 2.0.3 -user: imap -user: roberto -type: email-server -type: email-client -authed-user: roberto

  16. Example: e-mail Data Flow From 192.168.0.1:2358 To 192.168.1.1:25 Payload

  17. Example: evil e-mail Response Response From 192.168.0.1:2358 From 192.168.0.1:2358 To 192.168.1.1:25 To 192.168.1.1:25 -app-name: thunderbird -app-name: cyrus -version: 2.0.3 -user: imap -user: roberto -type: email-server -type: email-client -authed-user: unknown

  18. Example: evil e-mail

  19. Example: e-mail Client Configuration File: Backbone Firewall Rules: @ app /usr/bin/thunderbird { name block all : thunderbird version : 2.0.3 pass all type with eq (@src[type], : email-client } } email-client) email-client) with eq (@dst[type], email-server) with eq (@src[name], thunderbird) with not eq (@src[auth-user], unknown)

  20. Extended PF language • PF+=2 Allows flexible policies based on query results (key-value pairs) • Extensible via arbitrary functions.

  21. Trust and Delegation • We delegate every day • Makes lives easier • Delegate to trusted people • Trust levels vary so delegation levels vary • Trust levels vary so delegation levels vary

  22. Example: e-mail David Roberto Alicia Carlito

  23. Example: e-mail • Mail-server accessed by mail clients only • Thunderbird is the only mail client allowed • Only users authenticated by the network are allowed access. allowed access.

  24. How it is done today Alicia, Carlito, and David get together, coordinate, and then change the rules. An easier way?

  25. Example: e-mail Data Flow From 192.168.0.1:2358 To 192.168.1.1:25 Payload

  26. Example: e-mail Query Query From 192.168.0.1:2358 From 192.168.0.1:2358 To 192.168.1.1:25 To 192.168.1.1:25

  27. Example: e-mail Response Response From 192.168.0.1:2358 From 192.168.0.1:2358 To 192.168.1.1:25 To 192.168.1.1:25 -app-name: cyrus -app-name: thunderbird -user: imap -version: 2.0.3 -type: email-server -user:roberto -rule: only from email-client -type: email-client

  28. Example: e-mail Response Response From 192.168.0.1:2358 From 192.168.0.1:2358 To 192.168.1.1:25 To 192.168.1.1:25 -app-name: thunderbird -app-name: cyrus -version: 2.0.3 -user: imap -user: roberto -type: email-server -type: email-client -rule: only from email-client -authed-user: bob -rule: thunderbird only

  29. Example: e-mail Data Flow From 192.168.0.1:2358 To 192.168.1.1:25 Payload

  30. Example: e-mail Server Configuration File: Backbone Firewall Rules: @ app /usr/bin/cyrus { name block all : cyrus type pass all : email-server rule with allowed (@dst[rules]) : block all block all with not eq (@src[auth-user], with not eq (@src[auth-user], with not eq (@src[type], unknown) email-client) }

  31. Third-Party Delegation • Another Example – Allow users to run any application as long as it conforms to rules signed by trusted third-party – Rules can be downloaded by user and stored – Rules can be downloaded by user and stored locally. – Security devices check signatures before accepting rules.

  32. Summary • If you don’t know, ask! • Trust and delegation intertwined (be careful who you delegate to or what information you trust) trust) • ident++ delegation enabler, says nothing about trust

  33. Questions? Questions? This work was funded partially by an NSF grant.

Recommend


More recommend