This presentation provides an overview of the security efforts in Internet2, including the SALSA 2004 Summer Workshop, challenges faced, and the role of trust in collaborative security. It also discusses the changing network perimeter, tool integration, tradeoffs in security approaches, and emerging trends in network security.
Internet2 Security Efforts: A brief overview of activities
Ken Klingenstein
2004 July 21, Joint Techs, Columbus, Ohio
Overview
• SALSA 2004 Summer Workshop
• Security and Internet2
• SALSA
  • What/Who is SALSA, Priorities, Membership, Activities
• Challenges and Q&A
Total time ~25 mins
Heads up… SALSA Summer Workshop
• Workshop will be held immediately following Joint Techs
• Wednesday afternoon is open to those who are attending Joint Techs
• If you can stay for Thursday, please register
• Agenda includes:
  • Small group discussions on security tools and approaches
  • Overview of working group activities
  • Security and Middleware
• http://security.internet2.edu/salsa/workshops/2004summer.html
Security and Internet2: Context and Background
• Organizations are active in the security space, focusing on slightly different areas and with cooperative relationships
  • REN-ISAC
    • ISAC (information security and analysis center)
    • R&E relationships with the public, private, corporate and government sectors
  • The EDUCAUSE/Internet2 Security Task Force
Security and Internet2: S@LS Workshop 2003
• Security at Line Speed Workshop
  • NSF-sponsored 1.5-day workshop, in conjunction with Indiana University, Internet2, the Massachusetts Institute of Technology and the University of Washington
  • 30 individuals invited to participate
  • Chicago, Illinois, 12-13 Aug 2003
• Deliverables included:
  • Effective practices whitepaper, research agenda suggestions, ongoing maintenance (SALSA)
Security and Internet2: “Line Speed” means…
• It’s not just high bandwidth
  • Exceptionally low latency, e.g. remote instrument control
  • End-to-end clarity, e.g. Grids
  • Exceptionally low jitter, e.g. real-time interactive HDTV
  • Advanced features, e.g. multicast
• Line speed requires supporting the applications that our membership is building, inventing and creating
• http://apps.internet2.edu/sals/
General Findings
• First, and foremost, this is getting a lot harder
  • We seem to have hit a couple of turning points
  • New levels of stresses
  • Necessary but doomed approaches
• High performance security is approached by a set of specific tools that are assembled by applying general architectural principles to local conditions.
• The concept of the network perimeter is changing; desktop software limits security and performance options
• There are interactions with the emerging middleware layer that should be explored
• Tool integration is an overarching problem
• We are entering diagnostic hell
Tradeoffs
• Host versus border security
• Deny/Allow versus Allow/Deny approaches
• Unauthenticated versus authenticated network access
• Central versus end-user management
• Server-centric versus client-centric
• False positives versus zero-day attacks
• Organizational priorities between security and performance
• Perimeter protection versus user/staff confusion
Trends
• More aggressive and frequent attacks, resulting in
  • Desktop lockdowns and scanning
  • New limits at the perimeter
  • Increased tunneling and VPNs
  • More isolation approaches, straining the top of the desk
  • Hosts as clients only
• Changes in technology
  • Rise of encryption
  • New attack vectors, such as P2P
  • Higher speeds make for more expensive middleboxen
  • Convergence of technology forces
• New policy drivers
  • DHS, RIAA, etc.
  • LCD solutions to hold down costs
The Tool Matrix
• For a variety of network and host-based security tools:
  • Role in prevention/detection/reaction/analysis
  • Description
  • General issues
  • Performance implications
  • Operational impacts
• Network tools include host scanning, MAC registration, VLANs, encrypted VPNs and/or Layer 3 VPNs, firewalls, source address verification, port mirroring, etc.
• Host tools include host-based encryption, local firewalls, host-based intrusion detection/prevention, secure OS, automated patching systems, etc.
Local Network Security Design Factors
• Size of class B address space
• Local fiber plant
• Medical school
• Geographic distribution of departments on campuses
• Distance to gigapops
• Policy authority of central IT
• Desktop diversity
• …
Security and Trust
• Security without external trust results in a defensive, highly constraining position with limited effectiveness
• With trust, collaborative security and collaborative applications can be developed
• Currently, there are two promising trust fabrics to leverage
  • Federations – emergent inter-enterprise
  • P2P (the trust fabric, not the architecture) – ad hoc, currently “non-scalable”, but new technologies will be appearing shortly and widely
SALSA: SALSA Overview
• Technical steering committee composed of senior campus security architects
• Create understanding in the Internet2 community regarding the multiple aspects of security as it applies to advanced networking
• Deliverables that address needs of members and produce tangible benefits
  • Prioritizing opportunities and identifying resources
  • Focused activities
• Interested in R&D security topics that can be smoothly transitioned to deployment
SALSA Membership
• Current chair: Mark Poepping, CMU
• Currently a small, focused group with membership drawing from multiple communities:
  • Academic researchers
  • Government labs
  • International participants
• Founding members drawn from the Security at Line Speed Workshop
SALSA: SALSA Priorities
• Primarily, SALSA acts as a forum to increase sharing, data collection and integration between security researchers and backbone activities
  • Data sharing
  • Extend S@LS Workshop deliverables
    • Case studies, technology surveys, non-technical issues, research agenda
• Current working groups
  • Network Authentication
  • Architecture
• Cooperation, communication, coordination with other groups
  • EDUCAUSE/Internet2 SecTF, REN-ISAC, international networks
Working Groups: NetAuth WG
• Chaired by Chris Misra
• http://security.internet2.edu/netauth/index.html
• Initial activities
  • Investigation of network database and registration services in support of network security management; investigation of extensions to these services to proactively detect and prevent unauthorized or malicious network activity.
  • Pilot and eventual implementation to support network access to visiting scientists among federated institutions.
  • Analysis of security applications that may result from extending these implementations.
• Initial deliverable
  • Strategies for Automating Network Policy Enforcement
  • Visiting scientist, taxonomy and next steps
Working Groups: Architecture WG
• Chaired by Marty Schulman
• http://security.internet2.edu/netauth/index.html
• The Architecture WG will consider issues related to:
  • Identification of functions or components used to authorize access
  • Selection of design rules to facilitate operations or enable new services
  • Adoption of specific techniques
• These activities must accommodate a wide range of campus and departmental security policies, procedures, and schemas, the details of which are beyond this group's scope.
SALSA Challenges
• Cooperation and community support
  • Security threats are increasing and external pressure is increasing; lack of time to organize
  • Heterogeneous environments are resistant to homogeneous solutions
  • “Security” can be defined differently. Need to identify specific problems and solutions.
• Is network security staying with networks or moving to security as a hybrid?
  • How to engage network management with network security
  • Or, is Joint Techs the right place?
• Now that applications and middleware are reaching down to the network… how do we address this?
Contact Info / Q&A
• Contact information
  • Mark Poepping, poepping@cmu.edu
  • T. Charles Yun, charles@internet2.edu
• Online information regarding security and SALSA efforts at http://security.internet2.edu/
• Questions?