Per-user Policy Enforcement on Mobile Apps through Network Functions Virtualization
Workshop on Mobility in the Evolving Internet Architecture, Sep. 11, 2014, Maui, Hawaii, USA
Yong Liao, Mario Baldi, Amedeo Sapio, Gyan Ranjan, Alok Tongaonkar, Fulvio Risso, Ruben Torres, Antonio Nucci
Politecnico di Torino; Narus, Inc.
Amedeo Sapio, amedeo.sapio@polito.it
Motivation
(Two image slides; the first image is courtesy of SEN Technologies.)
Motivation
• Smartphones can collect a wide range of data
• Different mobile apps have different vulnerabilities
• Mobile app traffic is largely indistinguishable from web traffic
• Different mobile apps can use the same remote end-point
• Use of encrypted connections by mobile apps is increasing
• Different roles within an organization have different security clearances and needs
MAPPER: Mobile Apps Personal Policy Enforcement Router
• Network-based approach
• Mobile-app-aware policies
• Device-independent policies
• Per-user defined policies
• Uniform protection among different APs
• HTTPS support
(Figure labels: Bob's security profile, Alice's security profile.)
Mobile Application Identification Module
(Diagram: the MAI module takes flows and their XML summaries through Features Extraction, Features Lookup and App Categorization, drawing on Application Metadata (Identifiers) and Categories, and produces an App profile and a Rule set.)
FROG – Flexible and pROGrammable network node
Dedicated lightweight VM for each user:
• Policy enforcement
• Traffic segregation
• Dynamic allocation
• Flexible policy definition
(Diagram: a FROG node whose hypervisor hosts one VM per user (User 1, User 2); each VM runs network functions such as Mobile App Filter, Network monitor, Parental control and Firewall.)
MAPPER Architecture
• Smart Wireless Access Point
• User-dedicated lightweight VMs
• Mobile Apps Identification engine
• TLS proxy (MiMP)
• Application content filtering
(Diagram components: Network applications Marketplace (Content Filter, Mobile app filter, Malware Detector, Firewall, Parental Control, Network Monitor); MAPPER Management Server (Users & User Groups, policies, Permissions, Mobility); Mobile Application Identification Module (Mobile App Metadata, Categorization Module, Classified Flows, Parsed HTTP flows, Rule Engine, App ID Classifier); FROG node (Hypervisor, MiMP bridge, MiMP Server, VMs for User 1, User 2 and User 3).)
MAPPER workflow
1. IP redirection
2. TLS proxying
3. Summary extraction
4. App Identification
5. Policy consistency
6. Policy enforcement
Acronyms:
PEX: Personal EXecution Environment
GEX: Global EXecution Environment
MAI: Mobile Application Identification module
MiMP: Man-in-the-Middle Proxy
(Diagram: virtualization layer with Client, NIC 1, NIC 2 and Hypervisor; execution environments GEX 1, GEX 2 and a user's PEX host the MiMP Bridge, MiMP Server, MAI and Mobile App Filter; the step numbers are annotated on the diagram.)
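As an added illustration (not the authors' code; no part of MAPPER, FROG or the MAI module is published on these slides), the following Python sketch models the data path that the Mobile Application Identification slide and the workflow above describe: a parsed flow summary goes through feature extraction, lookup against application metadata and categorization, and the resulting app is checked against the user's own policy before an enforcement decision is taken. Every app name, host, User-Agent token and policy rule is constructed; the choices that explicit per-app rules override category rules, that "policy consistency" means detecting contradictory or dangling rules, and that unidentified traffic falls back to a per-user default are assumptions, not something the slides state.

```python
"""Toy model of MAI identification plus per-user policy enforcement (illustrative only)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed application metadata ("Application Metadata / Identifiers" on the slide).
# Two apps deliberately share a backend host, mirroring the motivation bullet that
# different apps can use the same remote end-point. Hypothetical values.
APP_METADATA: Dict[str, dict] = {
    "ExampleChat":   {"hosts": {"api.examplechat.test", "cdn.shared-backend.test"},
                      "ua_tokens": {"ExampleChat/"}, "category": "messaging"},
    "ExampleSocial": {"hosts": {"graph.examplesocial.test", "cdn.shared-backend.test"},
                      "ua_tokens": {"ExampleSocial/"}, "category": "social"},
    "ExampleBank":   {"hosts": {"mobile.examplebank.test"},
                      "ua_tokens": {"ExampleBank/"}, "category": "finance"},
}


@dataclass
class FlowSummary:
    """Fields a TLS proxy / HTTP parser could hand to the identification module (assumed)."""
    user: str
    host: str
    user_agent: str
    path: str = "/"


def extract_features(flow: FlowSummary) -> Dict[str, str]:
    # Features Extraction: normalise the identifiers that will be looked up.
    return {"host": flow.host.strip().lower(), "ua": flow.user_agent}


def identify_app(features: Dict[str, str]) -> Optional[str]:
    # Features Lookup: the host alone is ambiguous for a shared backend, so the
    # User-Agent token narrows the candidate set (assumed heuristic). None = unknown.
    by_host = [name for name, md in APP_METADATA.items() if features["host"] in md["hosts"]]
    if len(by_host) == 1:
        return by_host[0]
    candidates = by_host or list(APP_METADATA)
    by_ua = [name for name in candidates
             if any(tok in features["ua"] for tok in APP_METADATA[name]["ua_tokens"])]
    return by_ua[0] if len(by_ua) == 1 else None


def categorize(app: Optional[str]) -> Optional[str]:
    # App Categorization: map an identified app to its category.
    return APP_METADATA[app]["category"] if app else None


@dataclass
class UserPolicy:
    """Per-user security profile; explicit app rules override category rules (assumption)."""
    allow_apps: Set[str] = field(default_factory=set)
    deny_apps: Set[str] = field(default_factory=set)
    deny_categories: Set[str] = field(default_factory=set)
    default: str = "ALLOW"  # decision for traffic the module cannot identify


def check_policy_consistency(name: str, policy: UserPolicy) -> List[str]:
    # Policy consistency (assumed meaning): contradictory rules and rules that
    # name apps absent from the metadata are reported before enforcement.
    problems = []
    for app in sorted(policy.allow_apps & policy.deny_apps):
        problems.append(f"{name}: {app} is both allowed and denied")
    for app in sorted((policy.allow_apps | policy.deny_apps) - set(APP_METADATA)):
        problems.append(f"{name}: rule refers to unknown app {app}")
    return problems


def decide(policy: UserPolicy, flow: FlowSummary) -> str:
    # Policy enforcement, as it would run inside the user's own execution environment.
    app = identify_app(extract_features(flow))
    if app is None:
        return policy.default
    if app in policy.deny_apps:
        return "DENY"
    if app in policy.allow_apps:
        return "ALLOW"
    return "DENY" if categorize(app) in policy.deny_categories else "ALLOW"


# Constructed profiles: Bob blocks social apps; Alice blocks social apps but
# explicitly allows one of them and explicitly denies the banking app.
POLICIES = {
    "bob":   UserPolicy(deny_categories={"social"}),
    "alice": UserPolicy(deny_categories={"social"}, allow_apps={"ExampleSocial"},
                        deny_apps={"ExampleBank"}),
}

# Constructed flow summaries; the first two share a host and differ only in User-Agent.
SAMPLE_FLOWS = [
    FlowSummary("bob",   "cdn.shared-backend.test", "ExampleChat/3.1 (Android)"),
    FlowSummary("bob",   "cdn.shared-backend.test", "ExampleSocial/7.0 (iOS)"),
    FlowSummary("alice", "cdn.shared-backend.test", "ExampleSocial/7.0 (iOS)"),
    FlowSummary("alice", "mobile.examplebank.test", "ExampleBank/2.0"),
    FlowSummary("bob",   "unknown.host.test",       "Mozilla/5.0"),
]


def run(flows=SAMPLE_FLOWS) -> List[str]:
    """Return one decision per flow, using the flow owner's policy."""
    return [decide(POLICIES[f.user], f) for f in flows]


if __name__ == "__main__":
    for f, d in zip(SAMPLE_FLOWS, run()):
        print(f"{f.user:5} {f.host:26} {f.user_agent:28} -> {d}")
```

The shared-host flows show why the slides' lookup works on several features rather than on the destination alone, and the two profiles show the same category rule producing different outcomes for two users once per-app exceptions are layered on top.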
Evaluation – Single user
(Figures: average throughput (MByte/s) and response time CDF (ms) for 500 requests of a 1 KB file.)
Evaluation – Multi user
(Figure: memory (MB) versus number of clients.)
Workload: 500 online search queries.
Number of clients | CPU    | RAM     | Throughput | Response time
1 user            | 16.13% | 3261 MB | 104 Kb/s   | 778.8 ms
2 users           | 21.57% | 3392 MB | 102 Kb/s   | 751.6 ms
Conclusions
• MAPPER leverages Network Functions Virtualization to implement fine-grained policies on mobile devices.
• Policies can be designed according to: mobile apps, categories, devices.
• The system can easily scale to a large number of users by exploiting load distribution and cloud computing.
• Future studies will be directed towards performance improvements and additional functionalities.
Questions?
Thank you!
Amedeo Sapio, amedeo.sapio@polito.it
Gyan Ranjan, granjan@narus.com
Fulvio Risso, fulvio.risso@polito.it
Alok Tongaonkar, atongaonkar@narus.com
Yong Liao, yliao@narus.com
Ruben Torres, rtorres@narus.com
Mario Baldi, mbaldi@narus.com
Antonio Nucci, anucci@narus.com