Policy-Driven, Knowledge-Centric, Holis

Preview:

Click to see full reader

Citation preview

NetSecOps:Policy-Driven,Knowledge-Centric,

Holis<cNetworkSecurityOpera<ons

(Acollabora<veprojectbetweentheUniversityofKentuckyandtheUniversityofUtah)

JamesGriffioen,

LaboratoryforAdvancedNetworkingUniversityofKentucky

NSFCC*/CICIPIWorkshop2017Albuquerque,NM

October3,2017

NSFCampusCyberinfrastructurePIandCybersecurityInnova9onforCyberinfrastructurePIWorkshop

October3-4,2017|Albuquerque,NM

BroaderImpact:•  Limitorpreventthegrowingnumberof

a[acksoncampusnetworks.•  Addresstheshortageofqualified

securityexpertsoncampuses,andmakeITsecurityteamsmoreeffec<ve.

•  Advancescien<ficresearch,par<cularlyresearchusingbigdata

Solu9on/Approach:

Metadatatag:<tohelpothersunderstandyourcurrentstate–pickoneormany>•  <projecturl>•  <Readyfortransi5ontoprac5ce!>•  <Publica5onspending>•  <Needcollaborators!•  <Needmorefunds>•  <Socialmedia>•  <Studentengagement>

QuadChartfor:SecureandResilientArchitecture:NetSecOps—Policy-Driven,Knowledge-Centric,Holis<cNetworkSecurityOpera<ons(Acollabora<veNSFCICIprojectbetweenUnivofUtahandUnivofKY)

Network

KnowledgeStore

NetworkControl

ExistingData Sources

NetworkControl Apps

KnowledgeDiscovery Apps

PolicyDocuments

Policy Generation& Verification Apps

h[p://www.flux.utah.edu/project/NetSecOps h[p://www.netlab.uky.edu/NetSecOps

Challenge:•  Campussecurityopera<onsrelyon

humandomainexpertstointerpretandmaphigh-levelpolicydocumentstolow-levelnetworkconfigura<ons.

•  Segmentsofthecampushaveverydifferentpoliciesandregula<on.

•  Data-intensivescien<ficresearchtrafficoeenrequiresexcep<onstoITpolicies.

•  Goal:AssistITsecurityteamsbyautoma<ngopera<onalstepsthataretediousanderror-prone.

•  Systema<callycapturecampusnetworksecuritypolicies.

•  Developfine-grainedcontrolabstrac<onsandSDNcapabili<estoimplementbothsecuritypoliciesand(research)policyexcep<on.

•  Createpolicytraceabilitytoolstoverifyintegrityofpolicymappings.

•  Reasonaboutsecurityusinginforma<onfrompointsolu<ons.

NetSecOps(NetworkSecurityOpera<ons)

BasicGoal:AssistITsecurityteamsbyautoma<ngnetworksecurityopera<onalstepsthataretediousanderror-prone.

Network

KnowledgeStore

NetworkControl

ExistingData Sources

NetworkControl Apps

KnowledgeDiscovery Apps

PolicyDocuments

Policy Generation& Verification Apps

NetSecOpsArchitecture

Network

KnowledgeStore

NetworkControl

ExistingData Sources

NetworkControl Apps

KnowledgeDiscovery Apps

PolicyDocuments

Policy Generation& Verification Apps

NetSecOpsArchitecture

Network

KnowledgeStore

NetworkControl

ExistingData Sources

NetworkControl Apps

KnowledgeDiscovery Apps

PolicyDocuments

Policy Generation& Verification Apps

NetSecOpsArchitectureHowdoesthisaffectthedesignofScienceDMZs?

Internet

BldgA

BldgB

BldgC

Middleboxes

CampusCore

FirewallsEdgeRouter

HPC

MiddleboxBo[lenecks

TypicalCampusNetwork

HPC

Conven9onalScienceDMZ

ScienceDMZ

Internet

BldgA

BldgB

BldgC

Middleboxes

CampusCore

FirewallsEdgeRouter

UKYSDNCore

Internet

BldgA

BldgB

BldgC

Middleboxes

CampusCore

FirewallsEdgeRouter

SDNCore

SDNSwitch SDNSwitch SDNSwitch

HPC

UKYSDNNetwork

Internet

BldgA

BldgB

BldgC

Middleboxes

CampusCore

FirewallsEdgeRouter

SDNCore

SDNSwitch SDNSwitch SDNSwitch

HPC

UKYSDNNetwork

Internet

BldgA

BldgB

BldgC

Middleboxes

CampusCore

FirewallsEdgeRouter

SDNCore

SDNSwitch SDNSwitch SDNSwitch

HPC

SDNController

Controllertellsswitchesto:1.  Actlikealegacyrouter

bydefault2.  Routeauthorized

sciencetrafficdirectlytotheedge(bypassingmiddleboxes)

UKYSDNNetwork

Internet

BldgA

BldgB

BldgC

Middleboxes

CampusCore

FirewallsEdgeRouter

SDNCore

SDNSwitch SDNSwitch SDNSwitch

HPC

NormalFlowPath

UKYSDNNetwork

Internet

BldgA

BldgB

BldgC

Middleboxes

CampusCore

FirewallsEdgeRouter

SDNCore

SDNSwitch SDNSwitch SDNSwitch

HPC

NormalFlowPath

High-speedFlowPath

(a.k.a.,VIPLanes).Note:thesearePolicyExcep9ons

All-CampusScienceDMZ

Flows(notmachines)jointheDMZ.

UKYAll-CampusScienceDMZ

Internet

BldgA

BldgB

BldgC

Middleboxes

CampusCore

FirewallsEdgeRouter

SDNCore

SDNSwitch SDNSwitch SDNSwitch

HPC

NormalFlowPath

High-speedFlowPath

InternetPerformanceResults

SeeICCCN2017VIPLanesPaper

Mbps Gbps

SecuringanAll-CampusScienceDMZ

•  ScalingtheScienceDMZtotheen<recampus– Thenumberofmachinesismuchlarger– Thenumberofpoten<alusersismuchlarger– Thenumberofpoliciesismuchlarger•  policiesareperflow,notpermachine

•  Scalingthedecision-makingprocesses– Definingpolicies– AuthorizingUsers– DefiningTrustrela<onships

Establishing/ManagingTrust(InanAll-campusScienceDMZ)

•  AuthorizedBypassFlows:Authorizedbypasstrafficshouldbeatthegranularityofflows,asopposedtoallScienceDMZtraffic.

•  TrustedUsers:Users(notmachines)shouldbeauthen<catedandtrusted(i.e.,trustshouldbetraceabletopeople,notmachines).

•  LimitedTrust:Usertrustshouldbelimitedtoaspecificsetofflowsforalimitedamountof<me.

•  DistributedTrustInfrastructure:Trustdecisionsshouldnotbemadebyasingleen<ty(e.g.,campusIT),butrathershouldbedistributedinacontrolledwayamongtrustedusers.

•  DynamicallyEstablishedAuthorizedFlows:Trustedusersshouldbeabletodynamicallycreateauthorizedbypassflows.

•  RefinableTrust:Ifaflow’scharacteris<cscannotbeknownun<ltheflowbecomesac<ve,trustshouldberefinedtomatchtheflowassoonastheflowappears.

•  Trust,butverify:Userscouldmisuseprivilegeinunauthorizedways.Usageshouldbeverified.

•  BackwardCompa<bility:Legacyapplica<onsshouldbeabletomakeuseofVIPLaneswithoutmodifica<on.

NetSecOpsPolicyExcep<ons

•  Flowsspaceisarrangedintoahierarchy–  Root=allflows–  Subnodes=strictsubsetofparent’sflows–  Flowsdefinedbytuple(e.g.,src/dstIPaddrsandports)

•  TrustedUsersassignedtomanagepor<onsofthehierarchy–  Caninstan<ateaflow(i.e.,createapolicyexcep<on)–  CandelegatecontroltootherTrustedUser– Delega<ondefinesahierarchyofresponsibility

SeeICCCN2017VIPLanesPaper

Src:*Dst:*Group:CampusIT

Src:128.123.4.160/27Dst:*Group:CoEIT

Src:128.123.123.0/24Dst:*Group:A&SIT

Src:128.123.4.160/28Dst:*Group:CSResearchers

Src:128.123.4.176/28Dst:*Group:ECEResearchers

Src:128.123.4.160/29Dst:*Group:VIPLanes

Src:128.123.4.168/29Dst:*Group:GENIResearch

ExamplePolicyExcep<onTree

Policytreeiscreatedbyusersinadistributedway(throughawebserverthatmaintainsthepolicytree).

ThankYou

Ques<ons?

Thisworkissupported,inpart,bytheNa5onalScienceFounda5onunderNSFgrantsACI-1642134,ACI-1642158,ACI-1541426andACI-1541380

Recommended

The Case of Singapore - Center for Curriculum Redesign...Survival-Driven 1959 -1978 Efficiency-Driven 1979 –1996 Ability-Based 1997 –2011 Student-Centric, Values-Driven 2012 –
Documents
People-Centric Process Management Strategies: Can Process ... · 3. What are the best practices and technologies that support a process-centric view? Data-driven process automation
Documents
Lynx: A SmartNIC-driven Accelerator-centric Architecture for Network … · 2020. 2. 20. · Lynx generalizes the accelerator-centric server design con-cepts of prior works beyond
Documents
Towards Informing Human-centric ICT Standardization for ... › eserv › UNU:6640 › RP_Journal_2245-800… · Towards Informing Human-centric ICT Standardization for Data-driven
Documents
Board Driven/Objective Centric Internal Audit & … Driven/Objective Centric Internal Audit & ERM: Next Generation Assurance Presented by Tim Leech FCPA CIA CRMA CCSA CFE Risk Oversight
Documents
Trustworthy Data-Driven Networked Production for Customer ... · Trustworthy Data-Driven Networked Production for Customer-Centric Plants Davy Preuveneers, Wouter Joosen imec-DistriNet-KU
Documents
Research Trends in NSF and JST -NSF Collaboration ...• Data-driven research in all NSF research domains • Data-centric, science-driven, research cyberinfrastructure (CI) ecosystem
Documents
Claudio Erba, CEO Ian Kidson, CFO August 2020...Formal learning pushed top down Formal and informal, learner centric Learner centric: Community driven, intelligent management and delivery
Documents
Transitioning from code-centric to model-driven industrial ...miroslaw/papers/2008... · Introducing Model Driven Software Development (MDSD) into industrial projects is rarely done
Documents
Board Driven/Objective Centric Internal Audit & ERM: …riskoversightsolutions.com/wp-content/uploads/2011/03/Risk... · Board Driven/Objective Centric Internal Audit & ERM: ... Evolution
Documents
Human-Centric Trusted AI for Data-Driven EconomyHuman-Centric Trusted AI for Data-Driven Economy Masugi Inoue 1 and Hideyuki Tokuda 2 National Institute of Information and Communications
Documents
HoLIS GIS Update
Technology
J. Bezivin, Principles and Applications of Model Driven ... · Principles and Applications of Model Driven Engineering ... driven reverse engineering, stream-based and data-centric
Documents
Ben Farkas - Build a Customer-Centric, Results Driven Social Practice
Social Media
Model-Driven, Performance-Centric HPC Software and - T. Hoefler
Documents
Event Driven Programming Chapter 5. Sequential Programming Computer-Centric Computer-Centric Program Runs as Programmer Intended Program Runs as Programmer
Documents
Model-driven Engineering in Practice: Integrated ... · Model-driven Engineering in Practice: Integrated Performance Decision Support for Process-centric Business Impact Analysis
Documents
Context-Driven Decision Making in Network-Centric ... · Context-Driven Decision Making in Network-Centric Operations: Agent-Based Intelligent Support Prof. Alexander Smirnov Head
Documents
Insight Driven Health Risk based. Data driven. The …...Risk based. Data driven. The new face of utilization management Insight Driven Health Using a new network-centric utilization
Documents
An artifact centric approach to generating web-based business process driven user interfaces
Technology