distributed security infrastructure
play

Distributed Security Infrastructure Makan.Pouzandi@Ericsson.ca - PowerPoint PPT Presentation

Jan 01, 2023 •718 likes •1.34k views

Distributed Security Infrastructure Makan.Pouzandi@Ericsson.ca Ericsson Research Open Systems Lab Montral Canada June 26 , 2002 Rev PA1 2002-07-05 1 Ericsson Canada Agenda Context Security in Telecom business Current

  1. Distributed Security Infrastructure Makan.Pouzandi@Ericsson.ca Ericsson Research Open Systems Lab Montréal – Canada June 26 , 2002 Rev PA1 2002-07-05 1 Ericsson Canada

  2. Agenda • Context • Security in Telecom business • Current situation • Need for a new software • DSI Goals and functionality • DSI overview • Security services Rev PA1 2002-07-05 2 Ericsson Canada

  3. Context • Target application: soft real time applications • High Availability: 99.999% uptime • Clustered servers • Exposed to the Internet • Providing services to different operators • Running untrusted third-party software • Software configuration evolves slowly over time: no wild software installations Rev PA1 2002-07-05 3 Ericsson Canada

  4. Why Security in Telecom business? Rev PA1 2002-07-05 4 Ericsson Canada

  5. Change in the market: all-IP-networks Yesterday Today Applications & Content Services Management & Support Service Control Service Capabilities Data/IP Networks Multi-Service PSTN/ISDN IP Backbone PLMN CATV Network Broadband Wireless Narrowband Access Access Access Clients Access Transport & Switching Networks Rev PA1 2002-07-05 5 Ericsson Canada

  6. The need for a new approach Rev PA1 2002-07-05 6 Ericsson Canada

  7. “Distributed Systems Require Distributed Security” Hartman, Flinn, Beznosov, Enterprise Security with EJB and CORBA Rev PA1 2002-07-05 7 Ericsson Canada

  8. Challenges in Distributed security • Implement coherent distributed security – Many layers to fit together : Applications, Middleware, OS, Hardware, Network … – Heterogeneous environment: variety of Hardware, Software: OS, Middleware, Networking technologies • Integration of different security solutions from potentially different vendors … • System management – If manually managed, it may lead to misconfigurations and inconsistencies Rev PA1 2002-07-05 8 Ericsson Canada

  9. Patching versus Coherent framework • Precise place to intervene when it is necessary to increase performances or the needs for the system change according to the client or legal issues • Coherent solutions evolve over time; patching does not! Intrusions Figure from “Building Secure Software”, Viega-McGraw Disclosure Patch Scripts Out Released Time Rev PA1 2002-07-05 9 Ericsson Canada

  10. Benefits of a coherent framework • Abstracting the underlying security algorithms and mechanisms • Reducing development time • Minimizing the risk of creating subtle, but dangerous security vulnerabilities by reusing security tested software • Maximize our investment for security mechanisms Rev PA1 2002-07-05 10 Ericsson Canada

  11. Security in different types of Clusters Traditional Clusters Carrier Class Clusters • Target application: soft real • No real time applications, time, • Security policy based upon login • No possible security policy and passwords, upon traditional login, password, • Running for short period of time (days) before each reboot, • Running for a very long time (months) under the same • No pre-emptive security. login without rebooting, • Fine grained security policy based on processes, • Pre-emptive security. Rev PA1 2002-07-05 11 Ericsson Canada

  12. Access control Approach on cluster computing No Security check on • Current security approach in Node 2 Process a, but on Process b cluster computing: Security Manager – Generally based on user Process b privileges (login, password) – Life time: a session of several hours ? – Scope: limited range of operations according to the application’s Access Request nature Node 1 • Our target telecom application: – One user only Security Manager – Life time: months if not years Process a – Scope: wide range of operations, from upgrading software to managing information in database Rev PA1 2002-07-05 12 Ericsson Canada

  13. Existing solutions • Many existing security solutions exist: – As external security mechanisms to the servers such as firewalls and Intrusion Detection Systems – As part of servers such as Integrity checks and some mechanisms to enhance security as a part of OS… • However, there are few efforts to make a coherent framework for enhancing security in a distributed system Rev PA1 2002-07-05 13 Ericsson Canada

  14. Distributed Security Infrastructure Goals and Functionality Rev PA1 2002-07-05 14 Ericsson Canada

  15. Project Goals • Design an architecture that: – Supports security mechanisms to protect the system against External attacks originating from Internet, Internal attacks (Break through a node in the cluster, O&M security, Intranet attacks ..) – Accommodates current and future needs – Provides mechanisms for detecting and reacting to breaches – Targets Carrier Class Clustered Server • Architectural Requirements: – Scalable and Flexible – Does not provide a single point of failure – Does not impose any performance bottlenecks – Provide ease of development Rev PA1 2002-07-05 15 Ericsson Canada

  16. DSI characteristics • Coherent framework: coherent through different layers of heterogeneous hardware, applications…. • Process level approach: security based on individual processes • Pre-emptive security:changes in the security context will be reflected immediately • Transparent key management: cryptographic keys ecurely stored and managed • Dynamic security policy: run time changes in security context and policy Rev PA1 2002-07-05 16 Ericsson Canada

  17. What we do vs. what we don’t do Do Do Not • Design and implement a • Invent new algorithms nor new coherent framework for the protocols for cryptography, security needs of a cluster authentication or else running a soft real time application • Re-use as much as possible existing algorithms and protocols (COTS) • Adapt current technologies to fit our needs and environment (soft real time) Rev PA1 2002-07-05 17 Ericsson Canada

  18. DSI Functionality • Access control: resources each subject should be able to access and prevent the illegal accesses • Authentication: verifies that the principals are who they claim to be. • Auditing: provides a record of security relevant and allows monitoring of the subject in the system. • Confidentiality and Integrity for communications • Security Management Rev PA1 2002-07-05 18 Ericsson Canada

  19. Distributed Security Infrastructure Overview Rev PA1 2002-07-05 19 Ericsson Canada

  20. Distributed Architecture Secondary Security Server Node 1 Node 2 Node 3 Security Server Node Proc987 Proc123 Service Provider Kernel Security Service SS SM SM SM Security Broker DSI Data Traffic SM: Security Manager SS: Security Server Rev PA1 2002-07-05 20 Ericsson Canada

  21. Security Services Security Context Repository Security Policy Key Repository Security Context Security Manager Key Management Auditing Access Control Authentication Integrity Service Service Service Service Rev PA1 2002-07-05 21 Ericsson Canada

  22. Service based (2) • Separation between API and Implementation – Implementation changes, security patches do not affect the system • Flexibility – Easily change, update, remove services based on needs, legal issues • Evolution over time Rev PA1 2002-07-05 22 Ericsson Canada

  23. Distributed Security Policy (DSP) • Express a coherent security vision (security policy) through out all the cluster • Local security policy: – Initially integrated to the secure boot software – Maintained and updated by the security server through security broker • Based on domain enforcement • Define communication type between processes: secure, not secure, authenticated, encrypted… Rev PA1 2002-07-05 23 Ericsson Canada

  24. Distributed Security Policy Security Server Node Node 1 Node 2 Node 3 Proc987 Port 21 Logical Access Dist Sec Policy Dist Sec Policy Dist Sec Policy Kernel SS SM SM SM Security Broker Data Traffic SS: Security Server SM: Security Manager Rev PA1 2002-07-05 24 Ericsson Canada

  25. DSI Core Security Server, Security Manager and Security Communication Channel Rev PA1 2002-07-05 25 Ericsson Canada

  26. Development Environment • Kernel 2.4.17 • LSM patch 2.4.18 • Red Hat 7.2 • C/C++ • GCC 2.96 Rev PA1 2002-07-05 26 Ericsson Canada

  27. Secure Boot • Secure Boot: provides us with Distributed Trusted Computing Base (DTCB) • Kernel at secure boot is small enough to be thoroughly vulnerability tested • Use of digital signatures and a local certification authority will prevent DTCB from malicious modifications Rev PA1 2002-07-05 27 Ericsson Canada

  28. Secure Boot Status • Development software kit done • Download boot images from the network • Checks RSA signatures on boot images • Executes the boot image • Kit based on – Network-Boot kit • boots from LAN • runs Linux • diskless (RAM based) – Two-kernel Monte – OpenSSL 0.9.5 Rev PA1 2002-07-05 28 Ericsson Canada

Recommend

SPKI/SDSI 2.0 A Simple Distributed Security Infrastructure by Ronald L. Rivest MIT Lab for

SPKI/SDSI 2.0 A Simple Distributed Security Infrastructure by Ronald L. Rivest MIT Lab for

SPKI/SDSI 2.0 A Simple Distributed Security Infrastructure by Ronald L. Rivest MIT Lab for Computer Science (Joint work with Butler Lampson and Carl Ellison) 1 1 1 Outline context and history motivation and goals syntax

973 views • 38 slides
Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in distributed systems arises from the desire to share resources Resources must be protected against unauthorized access, as enemies (attackers)

1.16k views • 67 slides
Distributed Systems How does the OS ensure security? 13C. Distributed Systems: Security all

Distributed Systems How does the OS ensure security? 13C. Distributed Systems: Security all

5/20/2018 Distributed Systems How does the OS ensure security? 13C. Distributed Systems: Security all key resources are kept inside of the OS protected by hardware (mode, memory management) 13I. Secure sessions processes cannot

129 views • 9 slides
Distributed Systems How does the OS ensure security? 13C. Security for Distributed Systems

Distributed Systems How does the OS ensure security? 13C. Security for Distributed Systems

5/27/2017 Distributed Systems How does the OS ensure security? 13C. Security for Distributed Systems all key resources are kept inside of the OS protected by hardware (mode, memory management) 13I. Secure Sessions processes cannot

253 views • 9 slides
Compiler Infrastructure Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1

Compiler Infrastructure Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Compiler Infrastructure Systems and Internet Infrastructure Security

603 views • 23 slides
Sancus: A Low-Cost Security Architecture for Distributed IoT Applications on a Shared

Sancus: A Low-Cost Security Architecture for Distributed IoT Applications on a Shared

Sancus: A Low-Cost Security Architecture for Distributed IoT Applications on a Shared Infrastructure Job Noorman Public PhD Defence 19 Apr 2017 Safety considerations when lodging in a hotel Untrusted guests Locked room Unknown personnel

1.16k views • 79 slides
Poster 158 1 / 4 Poster 158 Security in Distributed ML Zeno: distributed synchronous SGD that

Poster 158 1 / 4 Poster 158 Security in Distributed ML Zeno: distributed synchronous SGD that

Zeno: Distributed Stochastic Gradient Descent with Suspicion-based Fault-tolerance Cong Xie, Oluwasanmi Koyejo, Indranil Gupta June 12, 2019 Poster 158 1 / 4 Poster 158 Security in Distributed ML Zeno: distributed synchronous SGD that

211 views • 4 slides
A Distributed X.509 Public Key Infrastructure Backed by a Blockchain A public key infrastructure

A Distributed X.509 Public Key Infrastructure Backed by a Blockchain A public key infrastructure

A Distributed X.509 Public Key Infrastructure Backed by a Blockchain A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage

248 views • 23 slides
Internet Infrastructure Security Internet Infrastructure Security Simon Fraser University Scott

Internet Infrastructure Security Internet Infrastructure Security Simon Fraser University Scott

Internet Infrastructure Security Internet Infrastructure Security Simon Fraser University Scott Wakelin 4/27/2004 1 Road Map Road Map Project Goals and Overview Project Status Network Infrastructure ISP Topology ISP

554 views • 30 slides
` James R. Wilcox Zach Tatlock Ilya Sergey Distributed Systems Distributed Infrastructure

` James R. Wilcox Zach Tatlock Ilya Sergey Distributed Systems Distributed Infrastructure

Programming Language Abstractions for Modularly Verified Distributed Systems { P } c { Q } ` James R. Wilcox Zach Tatlock Ilya Sergey Distributed Systems Distributed Infrastructure Distributed Applications Verified Distributed Systems

794 views • 64 slides
Namespaces Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1 Outline Sects

Namespaces Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1 Outline Sects

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Namespaces Systems and Internet Infrastructure Security (SIIS)

1.13k views • 49 slides
Constraint Solving Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1 Outline

Constraint Solving Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1 Outline

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Constraint Solving Systems and Internet Infrastructure Security (SIIS)

455 views • 18 slides
Attack Graphs Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1 Outline Attack

Attack Graphs Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1 Outline Attack

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Attack Graphs Systems and Internet Infrastructure Security (SIIS)

1.06k views • 60 slides
Security Middleware for Distributed applications Professor : Sophie Chabridon Ma Siqi Shalini

Security Middleware for Distributed applications Professor : Sophie Chabridon Ma Siqi Shalini

Security Middleware for Distributed applications Professor : Sophie Chabridon Ma Siqi Shalini Nagar 1 CONTENTS Security Characterizing Security General Scenario Tactics for Security A Design Checklist for Security Summary 2 01

487 views • 25 slides
CMPSC 497: Java Security Trent Jaeger Systems and Internet Infrastructure Security (SIIS)

CMPSC 497: Java Security Trent Jaeger Systems and Internet Infrastructure Security (SIIS)

CMPSC 497: Java Security Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security Laboratory (SIIS) Page 1

562 views • 42 slides
The Intersection of Application and Security Architecture Through the lens of distributed

The Intersection of Application and Security Architecture Through the lens of distributed

The Intersection of Application and Security Architecture Through the lens of distributed systems Walt Williams Who is this bloke? Author of Security for Service Oriented Architecture, CRC press 2014 Director of Information Security,

1.12k views • 55 slides
Security infrastructure, certificates and responsibilities Anand Padmanabhan for the OSG

Security infrastructure, certificates and responsibilities Anand Padmanabhan for the OSG

OSG Summer Workshop Lubbock, 2011 Security infrastructure, certificates and responsibilities Anand Padmanabhan for the OSG Security team Aug 10th, 2011 OSG Security 1 OSG Security OSG Security model A high level overview Aug 10th, 2011

714 views • 37 slides
Language/OS Based Security 1 Infrastructure 2 Security Abstraction Layers 3 OS Security

Language/OS Based Security 1 Infrastructure 2 Security Abstraction Layers 3 OS Security

Language/OS Based Security 1 Infrastructure 2 Security Abstraction Layers 3 OS Security Control 4 Abstraction Imperfections OS: Each process has exclusive access to its own CPU and memory Illusion!! A process may be able to

429 views • 21 slides
Status and challenges of security in distributed compu6ng

Status and challenges of security in distributed compu6ng

Status and challenges of security in distributed compu6ng Sebas&an Lopienski CERN Deputy Computer Security Officer (with input from S.Lueders and

569 views • 24 slides
Advanced Systems Security: Security Kernels Trent Jaeger Systems and Internet Infrastructure

Advanced Systems Security: Security Kernels Trent Jaeger Systems and Internet Infrastructure

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Security Kernels Trent Jaeger

559 views • 35 slides
Security Through Examples Exploring Cyber Security in Critical Infrastructure Tim Yardley,

Security Through Examples Exploring Cyber Security in Critical Infrastructure Tim Yardley,

Security Through Examples Exploring Cyber Security in Critical Infrastructure Tim Yardley, University of Illinois Urbana-Champaign yardley@illinios.edu Introduction Material September 30, 2016 cred-c.org Se Settin ing T The St Stage 1

495 views • 20 slides
Security in Distributed Systems Introduction Cryptography Authentication Key

Security in Distributed Systems Introduction Cryptography Authentication Key

Security in Distributed Systems Introduction Cryptography Authentication Key exchange Computer Science Lecture 18, page 1 Network Security Intruder may eavesdrop remove, modify, and/or insert messages read and

361 views • 11 slides
Attacks Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and

Attacks Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Attacks Trent Jaeger Systems and Internet Infrastructure Security

534 views • 18 slides
Advanced Systems Security Fuzz Testing Trent Jaeger Systems and Internet Infrastructure

Advanced Systems Security Fuzz Testing Trent Jaeger Systems and Internet Infrastructure

Advanced Systems Security Fuzz Testing Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security Laboratory

812 views • 42 slides

More recommend