Security at Line Speed: Integrating Academic Research and Enterprise Security
Topics • Overview – Ken Klingenstein • Wireless, Security and Performance: A Tale to Tell – Steve Wallace • The needs of the many and the needs of the few – Terry Gray • Next steps – Charles Yun
Acknowledgements • National Science Foundation, ANIR • Internet2 support staff • Program Committee • Guy Almes, Jeff Schiller, Ken Klingenstein, Steve Wallace, Charles Yun • Terry Gray, fearless and tireless • Participants
S@LS Workshop 2003 • NSF Sponsored workshop, in conjunction with Indiana University, Internet2, the Massachusetts Institute of Technology and the University of Washington. • 1.5 day Workshop • Held in Chicago, Illinois • 12-13 Aug 2003
Project Goals • Effective practices whitepaper: technology oriented, with architectural principles and specific recommendations • Research agenda suggestions to NSF and any other agencies that might be interested • Recommendations for mechanisms to maintain the above
Workshop Structure and Mechanics • Big picture: what are the basic tensions and dynamics; what are the possible futures • Drill downs: IPv6, private addresses and NATs, firewalls, IDS • Summaries and next steps: practical recommendations, policy requirements, research agenda
A Few Thoughts • There needs to be some connection with a trust fabric, at several levels of the stack. • There are internal and external trust fabrics to consider • What does the potential existence of a middleware fabric (directories, authentication, authorization assertions, etc.) mean for the network? • What does reemergence of circuit-switched technologies mean for enterprise security? What does development of non-IP transports mean for enterprise security? • Performance requirements of research computing are easier to predict than configuration requirements. • Configuration requirements range from opening ports to multicast capabilities
A few more thoughts • How do the requirements of universities for enterprise security compare to those at government labs? • How can enterprises work with research funding agencies to improve the delivery of network services to campus-based researchers?
Workshop Findings • First, and foremost, this is getting a lot harder • 2003 seems to mark a couple of turning points • New levels of stresses • Necessary but doomed approaches • There are areas to work in • Architectures and technologies • Interactions with middleware • Education and awareness always a need • There is some applied research that would be helpful • There are some non-technical issues that need to be worked to achieve real security at real line speed…
By “Line Speed”, we really mean… • High bandwidth • Exceptionally low latency, e.g. remote instrument control • End-to-end clarity, e.g. Grids • Exceptionally low jitter, e.g. real-time interactive HDTV • Advanced features, e.g. multicast
Architectures • A mix of perimeter defenses, careful subnetting, and desktop firewalls • Separation of internal and external servers (e.g. SMTP servers, routers, etc…) • Managed and unmanaged desktops • Cautions: • Cost • Traffic loads • Diagnostics
Integration with middleware • Network authentication and authorization • Of users • Of devices • What is done after authentication? • Access • Scanning • Patching • Configuration of local firewalls • Subnetting • Configuration of performance parameters • Accommodating distinctive needs of higher education • Network mobility • Role-based access
Applied Research and Research Computing • Applied research: • Policy-based firewalls • Easier connections of IDS with other enterprise services and systems • Unlisted IP addresses – asymmetric connectivity • Research computing: • Inform research computing environment developers (e.g. Grids) about the real-world security issues and approaches being deployed.
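The two preceding slides sketch a sequence (authenticate user and device, scan, patch, then set subnet and local firewall from the role, with unlisted addresses getting outbound-only connectivity) without showing what a policy engine implementing it would decide. The following is an added example written for this page, not code from the workshop or any of the participating institutions; it models that decision flow in Python. All role names, subnet names, ports and the patch-age threshold are assumptions for illustration.

```python
"""Post-authentication network access policy (added example, assumptions throughout).

Models the flow from the "Integration with middleware" and "Applied Research"
slides: authenticate the user and the device, use the scan result to decide
on patching, then pick a subnet and a host-firewall profile from the role.
Roles with no listed services get outbound-only ("unlisted IP address",
asymmetric) connectivity. Every role, subnet, port and threshold below is an
assumption made for this example, not something the workshop specified.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumed role -> inbound services a managed, patched, authenticated host may expose.
ROLE_INBOUND: Dict[str, List[Tuple[str, str]]] = {
    "grid-node": [("tcp", "2811"), ("tcp", "50000-51000")],  # GridFTP control + data range (assumed)
    "instrument": [("udp", "5000-5010")],                     # remote instrument control (assumed)
}
ROLE_MULTICAST: Set[str] = {"instrument"}  # roles whose applications need multicast
MAX_PATCH_AGE_DAYS = 30                      # assumed remediation threshold


@dataclass
class Device:
    mac: str
    user_authenticated: bool
    device_authenticated: bool
    role: str
    managed: bool
    patch_age_days: int  # days since last successful patch, as reported by the scan


@dataclass
class Decision:
    subnet: str
    rules: List[str] = field(default_factory=list)


def decide(dev: Device) -> Decision:
    """Return the subnet and host-firewall rules for a device joining the network."""
    # 1. Access: without both user and device authentication the host lands in
    #    quarantine, where the only reachable service is the authentication portal.
    if not (dev.user_authenticated and dev.device_authenticated):
        return Decision("quarantine", [
            "default deny inbound",
            "default deny outbound",
            "allow outbound tcp dport 443 to auth-portal",
        ])
    # 2. Scanning/patching: a managed host that is out of date goes to a
    #    remediation subnet from which only the patch server is reachable.
    if dev.managed and dev.patch_age_days > MAX_PATCH_AGE_DAYS:
        return Decision("remediation", [
            "default deny inbound",
            "default deny outbound",
            "allow outbound tcp dport 443 to patch-server",
        ])
    # 3. Unmanaged desktops: asymmetric connectivity only. They may initiate
    #    connections but are never reachable from outside (no enterprise patching
    #    is possible, so they never qualify for inbound exposure).
    if not dev.managed:
        return Decision("unmanaged", [
            "default deny inbound",
            "allow inbound established",
            "allow outbound all",
        ])
    # 4. Managed, patched, authenticated: configure the local firewall and subnet
    #    from the role. Roles without listed services get the same outbound-only
    #    profile as unmanaged hosts, but on a managed subnet.
    rules = ["default deny inbound", "allow inbound established"]
    for proto, ports in ROLE_INBOUND.get(dev.role, []):
        rules.append(f"allow inbound {proto} dport {ports}")
    if dev.role in ROLE_MULTICAST:
        rules.append("allow inbound igmp")  # multicast group membership for this role
    rules.append("allow outbound all")
    subnet = f"research-{dev.role}" if dev.role in ROLE_INBOUND else "managed-default"
    return Decision(subnet, rules)


if __name__ == "__main__":
    # Constructed sample devices, one per branch of the policy.
    for d in (
        Device("00:11:22:33:44:01", False, True, "grid-node", True, 2),
        Device("00:11:22:33:44:02", True, True, "grid-node", True, 45),
        Device("00:11:22:33:44:03", True, True, "grid-node", False, 0),
        Device("00:11:22:33:44:04", True, True, "instrument", True, 3),
        Device("00:11:22:33:44:05", True, True, "staff", True, 3),
    ):
        out = decide(d)
        print(f"{d.mac} -> {out.subnet}: {'; '.join(out.rules)}")
```

The order of the checks is the point: authentication gates everything, posture gates inbound exposure, and only a managed, patched, authenticated host ever gets a role-specific inbound opening (ports, port ranges, multicast). A real deployment would feed the decision to the edge switch (VLAN assignment) and to the host firewall agent; the string rules here stand in for whatever those systems consume.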
Non-technical issues • Proposals may be funded that haven’t gotten agreements from campus IT on architecture • Policies on encryption • Policies on permitting new applications (e.g. video) • Inconsistencies in what campuses will permit will affect inter-institutional collaborations • Trust fabrics need to underpin security • Pulling policies from several disparate but applicable sources