A Survey of Network Security Research at ENST
Gwendal Le Grand, gwendal.legrand@enst.fr
Ecole Nationale Supérieure des Télécommunications (ENST), Paris, France
CNRS (LTCI – UMR 541)
Session of 6 February 2003

Outline
• Presentation of ENST
• Digital security in 2005: crisis, stakes and roadmap
• Network security and projects at ENST (selected activities)
• Conclusion
Page 2 - A survey of Network Security at ENST - 19/08/2005
ENST: Ecole Nationale Supérieure des Télécommunications
Website: http://www.enst.fr/en
• Computer science and network (INFRES) department
  • ≈ 50 permanent staff
  • ≈ 50 PhD students
• Research @INFRES:
  • Software and system engineering, middleware, reconfigurability, adaptability, software radio
  • Heterogeneous networks, interconnection, interworking and administration, traffic modelling
  • Architecture design, metrology, QoS; mobile technologies: GSM, GPRS, UMTS, WiFi, Bluetooth
  • Queues, performance assessment, distribution approximations, stochastic analysis
  • Discrete structures, graphs, algorithms; algebraic coding, cryptology
  • Artificial intelligence, expert systems, natural language processing
  • Databases, Semantic Web
  • Security: critical infrastructure protection, quantum networks, grid security, network security (802.11, Bluetooth), ad hoc and active network security, privacy, cryptology, watermarking, cryptographic protocols, PKIs, IPv6 security, authentication, honeypots, IDS, protection of services; study of the security of QoS routers and mobile routers
ENST is part of Euronetlab (www.euronetlab.net).

The security crisis
• No real trust in ICT
  • Physical relationship still important in exchanges and commerce (relative failure of e-commerce, …)
  • Trust in the exchanges ≠ security of electronic payment
  • Virtual world: anonymity, geographic virtuality
• No real spread of existing technologies
  • Digital signatures not used
  • PKI (too complicated, not interoperable, hard to assess)
  • Smart cards do not really spread outside France
  • How to protect distributed systems?
  • Biometrics still not used (except for digital identity, maybe)
• Need to define new concepts for security
  • Find alternatives to Alice and Bob, classical cryptography, SSL, …
• Security is hard to sell: no "added value", no RoI
ICT security stakes in 2005
• Restore trust in the digital world
  • E-commerce, e-business, e-content, e-government, e-vote, e-democracy
  • Avoid drastic security measures
  • Crisis management
  • ICT vulnerability: interconnected, more complex and fragile
• Resilient infrastructures
  • Interdependencies
  • Just-in-time business
• Protected networks and systems
  • Multimedia, software, dissemination of knowledge
  • Software engineering
  • A quality label (certification)
• Protect infospheres
  • Individual: protect privacy
  • Company: anticipate problems
  • Critical infrastructures: prevent the domino effect, limit cybercriminality
  • Protection against any type of attack, including physical attacks
• Towards a digital order?
  • Security is incompatible with an uncontrolled world. Some principles (ethics, responsibility, transparency, autonomy, …) are needed in a realistic world, applicable to the international community and accepted by users and stakeholders.
• Immune applications and data … in a mobile world with ambient intelligence

Why are systems vulnerable?
• Complexity
  • Ontologies and their structuration
  • Distribution, scalability, protocols and exchanges
• Heterogeneity
  • Size, number of actors, entities and actions
• Architecture
  • Semantics and types of components and links
  • Each canonical architecture has its intrinsic vulnerabilities
• Sensitivity
  • Tangible value
  • Corporate image (symbolic attack, …)
• Virtual (abstraction)
  • Digital imitation (machine, network, OS, company, …)
• Movement
  • Mobility … but a mobile world has a history
  • Footprints of the ontologies (subjects, objects, operations)
  • Witnesses
Mobility and ambient intelligence
• Classical security models are timeless and not fitted to mobility
  • Existing models, policies and protocols must be enriched to take context and spatio-temporal properties into account
• Traceability to log history
  • Keep the memory of the system
• The morphology of the system is linked to its protection and its security
• Restoring trust in ICT systems requires reforming the Internet, preventing anonymity and providing proofs
• Need for alibis: prove that here and now there are witnesses of events
• Need to identify spatio-temporal trusted invariants in this environment: location of base stations, trusted clock, etc.
• Mobility may be an asset
  • Liberty: intelligence and information may move where needed
  • Creates entropy: useful to introduce randomness and secrets (mobile cryptography)

Security R&D roadmap
• Classical security technologies
  • Cryptology, cryptographic protocols and formal methods
  • Security policies and models
  • Certification and assessment methodology
• Security of infrastructures
  • Model the big public open domains: PKIs, quantum, critical infrastructures, …
  • Model privacy: personal infospheres, …
• Hardware entities
  • Personal trust entity (smart card)
  • Secure hardware architecture: configurable crypto-processor, high-throughput cryptography
  • Biometry
• Architectures
• Security of the content and services (application layer)
  • DRM, IPR
  • Watermarking
  • Cryptographic protocols dedicated to specific uses
• Network security
  • Security of multi-service networks (GPRS, UMTS, …)
  • Security of protocols (AAA, DNSSec, Mobile IP, …)
  • IDS, honeypots, …
• Security of non-functional properties
  • Mobility: ad hoc networks, mesh networks, PANA, …
  • Configurability: personalized middleware, downloadable software, mobile agents
  • Distribution: security of grids, virtual machines, distributed OS
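The "alibi" idea on the mobility slide (a witness with a known location and a trusted clock attests that a subject was here and now, and the proof is kept for later) can be made concrete in a few lines. The block below is an added example written for this page, not ENST's protocol or code: the base-station registry, its keys, the subject names and the five-minute freshness window are all assumptions. The spatio-temporal invariants are the witness's fixed location and the verifier's trusted clock; the nonce stops an old alibi from being replayed as a new one.

```python
"""Spatio-temporal 'alibi' tokens: an added illustration of the slide's idea
(a trusted witness with a known location and a trusted clock attests that a
subject was here and now). Not ENST's protocol; all names, keys and the
freshness window are assumptions."""
import hashlib
import hmac
import json
import time

# Constructed registry of trusted spatio-temporal invariants: each witness
# (base station) has a fixed, known location and a secret key. The key would
# normally live in the station's trusted hardware; these values are made up.
TRUSTED_BASE_STATIONS = {
    "bs-dareau": {"location": "ENST, Dareau building, floor 2",
                  "key": b"constructed-key-bs-dareau"},
    "bs-barrault": {"location": "ENST, Barrault building, floor 1",
                    "key": b"constructed-key-bs-barrault"},
}

FRESHNESS_WINDOW_S = 300  # an alibi older than this is no longer "now" (assumption)


def _canonical(claim):
    """Deterministic encoding so issuer and verifier MAC exactly the same bytes."""
    return json.dumps(claim, sort_keys=True, separators=(",", ":")).encode()


def issue_alibi(bs_id, subject, nonce, now):
    """Witness bs_id attests that `subject` was at its location at time `now`.

    The client-chosen nonce binds the alibi to one request so it cannot be
    reused later; the MAC binds witness, location, subject and time together.
    """
    station = TRUSTED_BASE_STATIONS[bs_id]
    claim = {"bs": bs_id, "loc": station["location"], "subject": subject,
             "t": int(now), "nonce": nonce}
    mac = hmac.new(station["key"], _canonical(claim), hashlib.sha256).hexdigest()
    return {"claim": claim, "mac": mac}


def verify_alibi(alibi, expected_nonce, now, seen_nonces):
    """Return (ok, reason). A valid alibi comes from a trusted witness, is
    untampered, answers the verifier's own nonce, is fresh and is not replayed.
    `seen_nonces` is the verifier's replay cache (a set kept across calls)."""
    claim = alibi["claim"]
    station = TRUSTED_BASE_STATIONS.get(claim.get("bs"))
    if station is None:
        return False, "unknown witness"
    expected_mac = hmac.new(station["key"], _canonical(claim), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, alibi["mac"]):
        return False, "bad mac"
    # Spatial invariant: the attested place must be the witness's known place
    # (defence in depth; it only differs from the registry if the key leaked).
    if claim["loc"] != station["location"]:
        return False, "location does not match the witness's known location"
    if claim["nonce"] != expected_nonce:
        return False, "nonce mismatch"
    # Temporal invariant: the verifier's trusted clock bounds the alibi's age,
    # and an alibi dated in the future is rejected too.
    if not 0 <= now - claim["t"] <= FRESHNESS_WINDOW_S:
        return False, "stale or future alibi"
    if claim["nonce"] in seen_nonces:
        return False, "replayed alibi"
    seen_nonces.add(claim["nonce"])
    return True, "ok"


if __name__ == "__main__":
    replay_cache = set()
    token = issue_alibi("bs-dareau", "device-17", "nonce-abc", time.time())
    print(verify_alibi(token, "nonce-abc", time.time(), replay_cache))  # (True, 'ok')
    print(verify_alibi(token, "nonce-abc", time.time(), replay_cache))  # (False, 'replayed alibi')
```

The MAC is checked before any field is interpreted, so a tampered location or timestamp is rejected as "bad mac" rather than reaching the semantic checks; the replay cache is consulted last, so a rejected alibi never consumes its nonce.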
Projects at ENST (recent past, present and near future)
European projects
• ITEA Ambience: security in a mobile world, ambient intelligence
• ITEA BRIC: audiovisual watermarking
• CELTIC BUGYO: telecom infrastructure protection
• IST Acip: critical infrastructure protection
• IST CI2RCO: CIIP
• IST IRRIIS (IP): CIIP, starts end 2005
• IST DESEREC (IP): CIIP, starts end 2005
• IST SECOQC (IP): quantum network
• IST EuroNGI (NoE): trust, …
National projects (RNRT)
• Icare: trusted infrastructures, PKIs
• Swap: WAP security
• MMQoS: security, mobility and QoS
• Anaïs: security of Professional Mobile Radio
• Infradio: security on a campus and of infospheres in meshed networks
• Epis: smart card security end to end with IPv6
• Resodo: security of domestic networks
• Aquaflux: mediametry, watermarking
• Artus: augmented reality
• Vipbob: cryptographic protocol marking with biometric data

INFRADIO (RNRT) – Radio infosphere
• What radio infrastructure?
• Communication sphere
  • Variable size, spontaneous, robust
  • Secure, administrated
  • Applications
• Security policies in a semi-open world
  • Permanent staff, usual users, anonymous
  • Variable infrastructure
  • Configurable security policies
  • Audit and imputability policies
  • Granularity of security, adapt to a profile
• Mobility = vulnerability, manage a secure mobility
  • Authentication of subjects and objects, secure architecture, alibis, traceability, web of trust
  • QoS access control

[Figure: INFRADIO test-bed network diagram. Recoverable elements: the ENST router (138.142.54.254, mask 255.255.254.0); the "Dareau" switch carrying VLAN 100 and VLANs 101, 102 and 103 tagged (T); Cisco 1200 access points, 802.11a and g; a Baystack 450-24T switch with VLANs 100, 101, 102 and 103 tagged and VLANs 100 to 104 untagged (U) on access ports; the captive portal portal.infradio.enst.fr; Firewall 1 fw1.infradio.enst.fr; Firewall 2 fw2.infradio.enst.fr; RADIUS and MySQL on radius.infradio.enst.fr; DNS and DHCP on ns1.infradio.enst.fr. Address plan: guest ("Invité") clients 10.0.0.1 to 10.0.0.253 by DHCP, mask 255.255.255.0, gateway 10.0.0.254; permanent clients 138.142.55.1 to 138.142.55.253 by DHCP, mask 255.255.255.0, gateway 138.142.55.254; a wired segment 138.142.54.1 to 138.142.54.125, mask 255.255.255.128, gateway 138.142.54.126; infrastructure hosts at 138.142.54.129 to 138.142.54.133, mask 255.255.255.192, with gateways 138.142.54.193 and 138.142.54.194. Legend: IP address, subnet mask, default gateway; T = tagged, U = untagged. The assignment of individual addresses to the named hosts is not recoverable from the extracted text.]
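The INFRADIO slide lists the ingredients of its semi-open policy (anonymous, usual and permanent users; a captive portal backed by RADIUS; per-profile granularity; audit and imputability) without showing how they fit together. The block below is an added example written for this page, not INFRADIO's own code: the two client subnets and the /23 behind the ENST router are taken from the diagram, but the profile names, the rules themselves and the addresses chosen for the portal and the DNS server are assumptions. It evaluates one flow at a time, lets an unauthenticated client reach only DNS and the portal, widens the policy once the portal has recorded a login, and writes every decision to an audit list keyed by the login so that an action can be imputed to a person rather than to a DHCP lease.

```python
"""Profile-based access control with an imputability log for a semi-open
campus WLAN: an added illustration modelled on the INFRADIO addressing plan,
not INFRADIO's own code. Subnets come from the slide; the profile names, the
rules and the infrastructure host addresses are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Client subnets from the diagram (profile names assumed).
PROFILE_BY_SUBNET = {
    ipaddress.ip_network("10.0.0.0/24"): "guest",          # "Invité", DHCP .1 to .253
    ipaddress.ip_network("138.142.55.0/24"): "permanent",  # permanent staff, DHCP .1 to .253
}
CAMPUS = ipaddress.ip_network("138.142.54.0/23")           # behind the ENST router (/23)
# Hypothetical addresses for two infrastructure hosts named on the diagram.
PORTAL = ipaddress.ip_address("138.142.54.129")            # portal.infradio.enst.fr (assumed)
DNS = ipaddress.ip_address("138.142.54.132")               # ns1.infradio.enst.fr (assumed)

# What an unauthenticated client may reach: name resolution and the captive portal.
ALWAYS_ALLOWED = {(DNS, "udp", 53), (PORTAL, "tcp", 80), (PORTAL, "tcp", 443)}


@dataclass
class PolicyEngine:
    users: Dict[ipaddress.IPv4Address, str] = field(default_factory=dict)  # ip -> login
    audit: List[dict] = field(default_factory=list)                         # imputability log

    def profile(self, ip: ipaddress.IPv4Address) -> str:
        """Coarse profile from the source subnet; refined by the login below."""
        for net, name in PROFILE_BY_SUBNET.items():
            if ip in net:
                return name
        return "unknown"

    def authenticate(self, ip: str, user: str) -> None:
        """Record a successful captive-portal login (RADIUS-backed in INFRADIO)."""
        addr = ipaddress.ip_address(ip)
        if self.profile(addr) == "unknown":
            raise ValueError(f"{addr} is not on a managed client subnet")
        self.users[addr] = user

    def decide(self, src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
        """Evaluate one flow; every decision is logged with the responsible login."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        prof, user = self.profile(s), self.users.get(s)
        decision, reason = self._evaluate(prof, user, d, proto, dport)
        self.audit.append({"src": str(s), "user": user or "anonymous", "profile": prof,
                           "dst": str(d), "proto": proto, "dport": dport,
                           "decision": decision, "reason": reason})
        return decision, reason

    @staticmethod
    def _evaluate(prof: str, user: Optional[str], dst, proto: str, dport: int) -> Tuple[str, str]:
        if prof == "unknown":
            return "deny", "source not on a managed subnet"
        if (dst, proto, dport) in ALWAYS_ALLOWED:
            return "allow", "portal/DNS reachable before authentication"
        if user is None:
            return "deny", "unauthenticated: redirect to captive portal"
        if prof == "permanent":
            return "allow", "permanent profile"
        # Guest profile: web only, and nothing on the campus side of the firewall.
        if dst in CAMPUS:
            return "deny", "guest profile: campus hosts not reachable"
        if proto == "tcp" and dport in (80, 443):
            return "allow", "guest profile: web only"
        return "deny", "guest profile: web only"


if __name__ == "__main__":
    engine = PolicyEngine()
    print(engine.decide("10.0.0.17", "198.51.100.7", "tcp", 443))
    engine.authenticate("10.0.0.17", "visitor42")
    print(engine.decide("10.0.0.17", "198.51.100.7", "tcp", 443))
    for entry in engine.audit:
        print(entry)
```

The order of the rules matters: the "always allowed" set is tested before the authentication check so the portal stays reachable, and the campus test comes before the web test so a guest cannot reach an internal web server just because it listens on 443.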