Evaluating parallel file system security


1. Motivation

After successful Internet attacks on HPC centers worldwide, there has been a paradigm shift in cluster security strategies. Clusters are no longer thought of as just a collection of individual computers but rather as an integrated single unit in which any breach may result in a "class break" compromise of the entire cluster. These are the words from a community that reviews the needs of cluster environments. A parallel file-system is part of any such cluster environment, and so providing security at the file-system level becomes essential. This project aims to provide a variety of security interfaces to the file-system, matching the varying performance budgets of cluster environments.

2. Introduction

A parallel file-system is one where data is striped across many storage nodes over a high-speed network. Many such parallel file-systems exist, e.g. GPFS, Lustre and the Parallel Virtual File System [pvfs_home]. The most popular open-source file-system in both the research and cluster-user communities is PVFS. Thus, this project aims at adding security interfaces to the existing PVFS file-system. The security interfaces developed for this project mostly resemble those provided for a networked file-system. They include:

(1) Providing a secure communication path between clients, io servers and meta-data servers
    a. Per node basis
    b. Per file basis
(2) Providing encrypted storage on the IO servers
    a. Per node basis
    b. Per file basis
(3) Providing encrypted storage of all the meta-data information

There are a few exceptions in this project's security policies, though, to the rule that meta-data is more valuable than the data itself.

The existing security libraries used to incorporate the above security interfaces into the file system are:

(1) The setkey application, to enable IPsec between two nodes in the network
(2) The OpenSSL library, for establishing secure socket connections between nodes at TCP-connection granularity
(3) The GNU Crypto library, for encryption/decryption of data

3. Installation and setup of the PVFS on Penguin machines

The initial setup of the machines is shown in Figure 1.

Figure1: Penguin15 is the client, Penguin17, 18, 19, 20, 21 are the io servers and penguin16 is the metadata server.

The reason for choosing such a simple configuration initially was to check the maximum performance overhead of adding security modules. The above setup is currently configured for a VFS interface and also for the PVFS library interface. The benefit of using a VFS interface is that existing Linux application binaries can be run on top of the PVFS file-system unchanged. The file-system setup procedure, in simple steps, is the following:

(1) Run the script /usr/bin/pvfs2-genconfig from penguin15. The configuration files, which record <ip address, server's role>, are created.
(2) Start the penguin16 server using
    /usr/sbin/pvfs2-server /etc/pvfs2-fs.conf /etc/pvfs2-server.conf-penguin17 -f
(3) Similarly start the other file-system servers at penguin17, 18, 19, 20, 21.
(4) Then add an fstab entry on penguin16 (client) as follows:
    tcp://penguin15:3334/pvfs2-fs /mnt/pvfs2 pvfs2 defaults,noauto 0 0
(5) Mount the file-system at penguin16 using
    mount -t pvfs2 tcp://penguin15:3334/pvfs2-fs /mnt/pvfs2

Using the VFS interface involves the additional step of loading the kernel module. The kernel module was loaded on the penguin16 (client) machine and successfully evaluated. This enables the use of the fopen, fread and fwrite calls on a parallel file system directory. A large-write application is currently used to test the security interfaces being added.

4. Source code of PVFS relevant to the work

The PVFS, written by a group from Clemson University & ANL, is organized as follows:

(1) Client side code with the system interfaces to
    a. look up the handle of a file from the records in the meta server
    b. read from the io nodes with the handle & distribution parameters obtained from the meta servers
    c. set an extended attribute on any file in the file-system
    d. maintain an attribute cache of recently looked-up file handles
    e. other functions such as renaming a file, getting the statistics of a file, etc.
(2) BMI layer code
    a. Open a tcp/ip socket connection.
    b. Send and receive data between clients, meta servers and io servers via the connection
(3) TROVE layer
    a. This layer looks after the data storage on the local file-system and the database
    b. The Trove layer at the io server takes care of storing data in the local filesystem
    c. The Trove layer at the metadata server takes care of storing data in the Berkeley DB provided at the metadata server
(4) Meta server side code looks after
    a. Calling the trove layer interface with the key for the database. The key is the file name provided by the client. The record <handle, distribution> is retrieved only if the credentials provided by the client are satisfied!
    b. Similarly, creating an entry in the database with <filename, handle, credentials, distribution> whenever a new file is created
(5) IO server side code looks after
    a. Reading (or writing) data from (or to) the local file-system at the IO server. This involves bridging the gap between the bmi layer and the trove layer

Figure2: The source code tree used/modified for this project

The use of the individual files (for instance create.c, geteattr.c, sys-io.c, lookup.c) is discussed in detail later in the text.

5. Enabling IPSec between the Nodes

This security measure enables the communication path between two nodes to be encrypted. Thus, anyone listening on the network would be eavesdropping on encrypted junk.

Advantage: This security measure just requires a key to be exchanged between the two communicating end nodes.

Disadvantage: The data stored on the server nodes is still unencrypted. Thus, if a server is compromised, this scheme doesn't help much.

IPSec Setup: IPSec provides per-packet authentication as well as optional encryption. The authentication options include:

(1) HMAC MD5
(2) HMAC SHA1

The encryption options include:

(1) AES (128, 192 bit key)
(2) BLOWFISH (192 bit key)
(3) 3DES

An example IPSec script for the setkey application at nodes penguin15 (client) and penguin18 (io node), enabling IPSec communication with HMAC MD5, is given by:

At Penguin15
    #!/sbin/setkey -f
    add ah -A hmac-md5 " ";
    add ah -A hmac-md5 " ";
    spdadd any -P in ipsec ah/transport//require;
    spdadd any -P out ipsec ah/transport//require;

A similar script for the receiving side has to be run by the setkey application at penguin18. The second and third lines, starting with add, are the entries added to the security access database of the kernel. The fourth and fifth lines, starting with spdadd, are the entries added to the security policy database of the kernel. The quoted string is the key used by the md5 hashing algorithm. The security access database is looked up at the ingress and egress of each packet. To get a hint of the performance impact of ipsec between the client (penguin15) and one such server (penguin18), a response time vs. write size graph was drawn with one client (penguin15), one meta-data server (penguin16) and 5 io servers (penguin17 to 21).

Figure3: Write-only application (1C, 1MS, 5IOS): completion time in secs vs. write size (/100) MB, without integrity and with HMAC-md5. A simple experiment where an application wrote data (divide the X-axis by 100 MB) to the io servers with and without HMAC md5 ipsec communication between clients and servers.

This is a worst-case experiment for evaluating the effect of adding IPSec security. The reason is that there is only one client, and thus the aggregate network bandwidth is not completely utilized; the bandwidth difference caused by adding security is therefore felt more.

An ideal experiment

My expectations of how this graph would look for multiple-client & server communication are as follows (I am yet to start doing performance analysis).

(1) The minimal overhead due to security modules would be experienced only when there are multiple clients. If the aggregate bandwidth can be made to reach the maximum network bandwidth, it means that processor bandwidth is no longer a bottleneck!
(2) The above point means that the network no longer waits for the packets. It would be really interesting to evaluate the secure file system using scientific benchmarks such as MPI-tile and BTIO, which utilize the aggregate network bandwidth to the full extent.

6. Enabling a secure channel on a per-file basis in the parallel file system

Advantage: This provides differential service to different files. Thus, unnecessary performance overheads can be avoided.

Disadvantage: The metadata server has to maintain extra state about the quality of security required by each file in the file-system.

The steps involved in implementing this are the following:

(1) Use the set-extended-attribute interface to set a security attribute for each file. This can be done using PVFS_sys_seteattr(), which takes the file handle and the uid and gid of the client process as input parameters. The uid/gid is checked to see whether the client is permitted to change the security feature. The uid/gid feature already exists in PVFS.
(2) On a lookup of such a file, the security attribute is obtained from the meta-data server along with the handle. Then on subsequent reads (or writes), PVFS_sys_io() inspects the security attribute and passes the appropriate parameter to the SSL socket. The definition of the function PVFS_sys_io() in sys-io.c has to be changed.
(3) The appropriate parameter (say, HMAC MD5 with ESP AES 128) is passed on to the SSL interface provided by the bmi layer.
(4) For the above to be done, the sockets in the bmi layer provided by PVFS have to be changed to secure-socket-layer sockets using the OpenSSL library. Thus, the source file bmi.c at the client needs to be changed. (I am currently trying to change the bmi layer to a secure bmi layer.)

Figure4: How the io path between a client (penguin15) and an io server can be secured if the meta-data's security attribute is turned on. Penguin14 (client) creates the file named file1 and hence is its owner. Therefore, it can change the security attribute of the file to channel_hmac md5. Later, when Penguin15 (client) looks up the metadata server to get the handle for file1, Penguin15 learns the security level of file1. Hence, the secure socket layer is used for communication with Penguin17, 18, 19, 20, 21 (only penguin17 is shown in the figure).

7. Enabling encrypted storage on the io server on a per-file basis

Advantage: This provides differential levels of security for each file. Also, the key exchange for each connection (session, as in sockets) is avoided. Instead, a key is fixed for every file over a period of time.

Disadvantages: Key revocation becomes a challenge. Also, the meta-data server becomes a hot location because it has the key for each file!

The steps involved in implementing this security scheme are:

(1) Use the set-extended-attribute interface to set a security attribute for each file. This can be done using PVFS_sys_seteattr(), which takes the file handle and the uid and gid of the client process as input parameters. The uid/gid is checked to see whether the client is permitted to change the security feature. The uid/gid feature already exists in PVFS.
(2) On a lookup of such a file, the security attribute is obtained from the meta-data server along with the handle. Then on subsequent reads, PVFS_sys_io() inspects the security attribute and uses the cipher library provided by GNU Crypto. The definition of the function PVFS_sys_io() in sys-io.c has to be changed.
(3) The appropriate parameter (say, AES 128-bit encryption and the key for the file) is passed on to the decryption library function.
(4) Similarly, for writing data to a file, the key corresponding to the file is obtained from the meta-data attribute. Then the data is encrypted at the client and sent to the io servers.
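The owner check on seteattr and the credential check on lookup are the two places where sections 6 and 7 rely on the metadata server. The following Python model, added here as an illustration and not PVFS code, keeps a <filename, handle, uid/gid, mode, distribution> record with a security attribute, lets only the file owner change that attribute, and releases the handle (and, for encrypted storage, the per-file AES-128 key) only to a client whose credentials satisfy the record; the level names, the record layout and the POSIX-style mode check are assumptions modelled on the text.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Security levels a file's attribute may take (names constructed for the model).
NONE = "none"                          # plain tcp channel, plain storage
CHANNEL_HMAC_MD5 = "channel_hmac_md5"  # secure channel, plain storage
STORAGE_AES128 = "storage_aes128"      # plain channel, AES-128 applied at the client

READ_BIT = 4  # POSIX r bit within a 3-bit permission group


@dataclass
class Credentials:
    uid: int
    gid: int


@dataclass
class MetaRecord:
    handle: int
    uid: int
    gid: int
    mode: int                          # POSIX permission bits, e.g. 0o640
    distribution: str
    security: str = NONE
    file_key: Optional[bytes] = None   # AES-128 key, present only for STORAGE_AES128


class MetadataServer:
    """Holds <filename, handle, credentials, distribution> plus the security attribute."""

    def __init__(self):
        self._records = {}
        self._next_handle = 1000

    def create(self, name, cred, mode=0o640, distribution="simple_stripe"):
        rec = MetaRecord(self._next_handle, cred.uid, cred.gid, mode, distribution)
        self._records[name] = rec
        self._next_handle += 1
        return rec.handle

    @staticmethod
    def _permits(rec, cred, bit):
        """POSIX-style check: root, then owner bits, then group bits, then other bits."""
        if cred.uid == 0:
            return True
        if cred.uid == rec.uid:
            return bool(rec.mode & (bit << 6))
        if cred.gid == rec.gid:
            return bool(rec.mode & (bit << 3))
        return bool(rec.mode & bit)

    def seteattr(self, name, cred, level):
        """Set the security attribute; the uid is checked so only the owner (or root) may."""
        rec = self._records[name]
        if cred.uid not in (0, rec.uid):
            raise PermissionError("only the file owner may change its security attribute")
        rec.security = level
        # Encrypted storage fixes one key per file for its lifetime; the metadata
        # server holds it, which is why the text calls the server a hot location.
        rec.file_key = secrets.token_bytes(16) if level == STORAGE_AES128 else None

    def lookup(self, name, cred):
        """Release <handle, distribution, security, key> only if the credentials satisfy the record."""
        rec = self._records[name]
        if not self._permits(rec, cred, READ_BIT):
            raise PermissionError("credentials do not satisfy the record")
        return rec.handle, rec.distribution, rec.security, rec.file_key


def client_io_plan(security):
    """What the client's io path has to do for a file at the given level."""
    return {
        NONE: ("tcp", "plaintext"),
        CHANNEL_HMAC_MD5: ("ssl", "plaintext"),
        STORAGE_AES128: ("tcp", "aes128-at-client"),
    }[security]


def demo():
    """Owner turns on encrypted storage; a group member reads, others are refused."""
    ms = MetadataServer()
    owner, colleague, outsider = Credentials(1001, 200), Credentials(1002, 200), Credentials(1003, 300)
    ms.create("file1", owner)                          # mode 0o640: owner rw, group r
    ms.seteattr("file1", owner, STORAGE_AES128)
    _, _, level, key = ms.lookup("file1", colleague)   # group read bit satisfied
    plan = client_io_plan(level)
    try:
        ms.seteattr("file1", colleague, NONE)          # not the owner: downgrade refused
        downgrade_refused = False
    except PermissionError:
        downgrade_refused = True
    try:
        ms.lookup("file1", outsider)                   # no read bit for others: no key
        outsider_refused = False
    except PermissionError:
        outsider_refused = True
    return level, len(key), plan, downgrade_refused, outsider_refused
```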

Figure5: How the encrypted-storage security attribute is turned on. Penguin14 (client) creates the file named file1 and hence is its owner. Therefore, it can change the security attribute of the file to channel_hmac md5. Later, when Penguin15 (client) looks up the metadata server to get the handle for file1, Penguin15 also learns the security level of file1 and the AES key. Hence, while reading from penguin17, 18, 19, 20, 21, which are the io nodes, Penguin15 performs AES-128 decryption.

8. Current status

Currently, I am working on using the user-level crypto libraries from [crypto_library]. This provides comprehensive functions for most of the security encryption/decryption. I am also working on changing the bmi layer of PVFS using the OpenSSL library. I could not figure out a neat way of using IPSec for each file so far. The reason is that the port number binding pattern seems to be very different for the various system interfaces PVFS offers.

9. References

[pvfs_home]
[crypto_library]
[man_pages] Linux man pages on openssl, setkey
[forum] pvfs2-developers@beowulf-underground.org


More information

Protocol Security Where?

Protocol Security Where? IPsec: AH and ESP 1 Protocol Security Where? Application layer: (+) easy access to user credentials, extend without waiting for OS vendor, understand data; (-) design again and again; e.g., PGP, ssh, Kerberos

More information

DFW Backup Software. Whitepaper Data Security

DFW Backup Software. Whitepaper Data Security Version 6 Jan 2012 Table of Content 1 Introduction... 3 2 DFW Backup Offsite Backup Server Secure, Robust and Reliable... 4 2.1 Secure 128-bit SSL communication... 4 2.2 Backup data are securely encrypted...

More information

Complying with PCI Data Security

Complying with PCI Data Security Complying with PCI Data Security Solution BRIEF Retailers, financial institutions, data processors, and any other vendors that manage credit card holder data today must adhere to strict policies for ensuring

More information

Application Note: Integrate Juniper IPSec VPN with Gemalto SA Server. SASolutions@gemalto.com October 2007. www.gemalto.com

Application Note: Integrate Juniper IPSec VPN with Gemalto SA Server. SASolutions@gemalto.com October 2007. www.gemalto.com Application Note: Integrate Juniper IPSec VPN with Gemalto SA Server SASolutions@gemalto.com October 2007 www.gemalto.com Table of contents Overview... 3 Architecture... 5 Configure Juniper IPSec on an

More information

[SMO-SFO-ICO-PE-046-GU-

[SMO-SFO-ICO-PE-046-GU- Presentation This module contains all the SSL definitions. See also the SSL Security Guidance Introduction The package SSL is a static library which implements an API to use the dynamic SSL library. It

More information

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode 13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) PPP-based remote access using dial-in PPP encryption control protocol (ECP) PPP extensible authentication protocol (EAP) 13.2 Layer 2/3/4

More information

E-Commerce: Designing And Creating An Online Store

E-Commerce: Designing And Creating An Online Store E-Commerce: Designing And Creating An Online Store Introduction About Steve Green Ministries Solo Performance Artist for 19 Years. Released over 26 Records, Several Kids Movies, and Books. My History With

More information

CS 377: Operating Systems. Outline. A review of what you ve learned, and how it applies to a real operating system. Lecture 25 - Linux Case Study

CS 377: Operating Systems. Outline. A review of what you ve learned, and how it applies to a real operating system. Lecture 25 - Linux Case Study CS 377: Operating Systems Lecture 25 - Linux Case Study Guest Lecturer: Tim Wood Outline Linux History Design Principles System Overview Process Scheduling Memory Management File Systems A review of what

More information

Setting Up SSL on IIS6 for MEGA Advisor

Setting Up SSL on IIS6 for MEGA Advisor Setting Up SSL on IIS6 for MEGA Advisor Revised: July 5, 2012 Created: February 1, 2008 Author: Melinda BODROGI CONTENTS Contents... 2 Principle... 3 Requirements... 4 Install the certification authority

More information

Network Security Part II: Standards

Network Security Part II: Standards Network Security Part II: Standards Raj Jain Washington University Saint Louis, MO 63131 Jain@cse.wustl.edu These slides are available on-line at: http://www.cse.wustl.edu/~jain/cse473-05/ 18-1 Overview

More information

McAfee SMC Installation Guide 5.7. Security Management Center

McAfee SMC Installation Guide 5.7. Security Management Center McAfee SMC Installation Guide 5.7 Security Management Center Legal Information The use of the products described in these materials is subject to the then current end-user license agreement, which can

More information

Computer Networks. Secure Systems

Computer Networks. Secure Systems Computer Networks Secure Systems Summary Common Secure Protocols SSH HTTPS (SSL/TSL) IPSec Wireless Security WPA2 PSK vs EAP Firewalls Discussion Secure Shell (SSH) A protocol to allow secure login to

More information

SSL Handshake Analysis

SSL Handshake Analysis SSL Handshake Analysis Computer Measurement Group Webinar Nalini Elkins Inside Products, Inc. nalini.elkins@insidethestack.com Inside Products, Inc. (831) 659-8360 www.insidethestack.com www.ipproblemfinders.com

More information

Overlapping Data Transfer With Application Execution on Clusters

Overlapping Data Transfer With Application Execution on Clusters Overlapping Data Transfer With Application Execution on Clusters Karen L. Reid and Michael Stumm reid@cs.toronto.edu stumm@eecg.toronto.edu Department of Computer Science Department of Electrical and Computer

More information

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol Chapter 2: Security Techniques Background Chapter 3: Security on Network and Transport Layer Network Layer: IPSec Transport Layer: SSL/TLS Chapter 4: Security on the Application Layer Chapter 5: Security

More information

First Semester Examinations 2011/12 INTERNET PRINCIPLES

First Semester Examinations 2011/12 INTERNET PRINCIPLES PAPER CODE NO. EXAMINER : Martin Gairing COMP211 DEPARTMENT : Computer Science Tel. No. 0151 795 4264 First Semester Examinations 2011/12 INTERNET PRINCIPLES TIME ALLOWED : Two Hours INSTRUCTIONS TO CANDIDATES

More information

Alliance Key Manager Solution Brief

Alliance Key Manager Solution Brief Alliance Key Manager Solution Brief KEY MANAGEMENT Enterprise Encryption Key Management On the road to protecting sensitive data assets, data encryption remains one of the most difficult goals. A major

More information

Securing Ship-to-Shore Data Flow

Securing Ship-to-Shore Data Flow Securing Ship-to-Shore Data Flow Background on Common File Transfer Methods Today corporations, government entities, and other organizations rely on Electronic File Transfers as an important part of their

More information

AES-GCM software performance on the current high end CPUs as a performance baseline for CAESAR competition

AES-GCM software performance on the current high end CPUs as a performance baseline for CAESAR competition Directions in Authenticated Ciphers DIAC 2013, 11 13 August 2013, Chicago, USA AES-GCM software performance on the current high end CPUs as a performance baseline for CAESAR competition Shay Gueron University

More information

CS 494/594 Computer and Network Security

CS 494/594 Computer and Network Security CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Exercise: Chapters 13, 15-18 18 1. [Kaufman] 13.1

More information

INF3510 Information Security University of Oslo Spring 2011. Lecture 9 Communication Security. Audun Jøsang

INF3510 Information Security University of Oslo Spring 2011. Lecture 9 Communication Security. Audun Jøsang INF3510 Information Security University of Oslo Spring 2011 Lecture 9 Communication Security Audun Jøsang Outline Network security concepts Communication security Perimeter security Protocol architecture

More information

How to Secure a Groove Manager Web Site

How to Secure a Groove Manager Web Site How to Secure a Groove Manager Web Site Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations,

More information

Network Management & Monitoring

Network Management & Monitoring Network Management & Monitoring Overview CSI International 8120 State Route 138 Williamsport, OH 43164-9767 http://www.csi-international.com (800) 795-4914 - USA (740) 420-5400 - Main Operator (740) 333-7335

More information

Whitepaper : Using Unsniff Network Analyzer to analyze SSL / TLS

Whitepaper : Using Unsniff Network Analyzer to analyze SSL / TLS Whitepaper : Using Unsniff Network Analyzer to analyze SSL / TLS A number of applications today use SSL and TLS as a security layer. Unsniff allows authorized users to analyze these applications by decrypting

More information

Chapter 10. Network Security

Chapter 10. Network Security Chapter 10 Network Security 10.1. Chapter 10: Outline 10.1 INTRODUCTION 10.2 CONFIDENTIALITY 10.3 OTHER ASPECTS OF SECURITY 10.4 INTERNET SECURITY 10.5 FIREWALLS 10.2 Chapter 10: Objective We introduce

More information

Proto Balance SSL TLS Off-Loading, Load Balancing. User Manual - SSL. http://www.protonet.co.za/

Proto Balance SSL TLS Off-Loading, Load Balancing. User Manual - SSL. http://www.protonet.co.za/ Proto Balance SSL TLS Off-Loading, Load Balancing http://www.protonet.co.za/ User Manual - SSL Copyright c 2003-2010 Shine The Way 238 CC. All rights reserved. March 13, 2010 Contents 1. Introduction........................................................................

More information

Monitoring Sonic Firewall

Monitoring Sonic Firewall Monitoring Sonic Firewall eg Enterprise v6.0 Restricted Rights Legend The information contained in this document is confidential and subject to change without notice. No part of this document may be reproduced

More information

FIPS 140-2 Security Policy LogRhythm 6.0.4 Log Manager

FIPS 140-2 Security Policy LogRhythm 6.0.4 Log Manager FIPS 140-2 Security Policy LogRhythm 6.0.4 Log Manager LogRhythm 3195 Sterling Circle, Suite 100 Boulder CO, 80301 USA September 17, 2012 Document Version 1.0 Module Version 6.0.4 Page 1 of 23 Copyright

More information

Globus Striped GridFTP Framework and Server. Raj Kettimuthu, ANL and U. Chicago

Globus Striped GridFTP Framework and Server. Raj Kettimuthu, ANL and U. Chicago Globus Striped GridFTP Framework and Server Raj Kettimuthu, ANL and U. Chicago Outline Introduction Features Motivation Architecture Globus XIO Experimental Results 3 August 2005 The Ohio State University

More information

FL EDI SECURE FTP CONNECTIVITY TROUBLESHOOTING GUIDE. SFTP (Secure File Transfer Protocol)

FL EDI SECURE FTP CONNECTIVITY TROUBLESHOOTING GUIDE. SFTP (Secure File Transfer Protocol) FL EDI SECURE FTP CONNECTIVITY TROUBLESHOOTING GUIDE This troubleshooting guide covers secure file transfers using the SFTP file transfer protocols for Claims, POC, and Medical EDI transmissions. SFTP

More information

Topics in Network Security

Topics in Network Security Topics in Network Security Jem Berkes MASc. ECE, University of Waterloo B.Sc. ECE, University of Manitoba www.berkes.ca February, 2009 Ver. 2 In this presentation Wi-Fi security (802.11) Protecting insecure

More information

Setup Guide Access Manager Appliance 3.2 SP3

Setup Guide Access Manager Appliance 3.2 SP3 Setup Guide Access Manager Appliance 3.2 SP3 August 2014 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS

More information

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace Lab Exercise SSL/TLS Objective To observe SSL/TLS (Secure Sockets Layer / Transport Layer Security) in action. SSL/TLS is used to secure TCP connections, and it is widely used as part of the secure web:

More information

2014 IBM Corporation

2014 IBM Corporation 2014 IBM Corporation This is the 27 th Q&A event prepared by the IBM License Metric Tool Central Team (ICT) Currently we focus on version 9.x of IBM License Metric Tool (ILMT) The content of today s session

More information

Plutus: scalable secure file sharing on untrusted storage

Plutus: scalable secure file sharing on untrusted storage Plutus: scalable secure file sharing on untrusted storage Mahesh Kallahalla HP Labs Joint work with Erik Riedel (Seagate Research), Ram Swaminathan (HP Labs), Qian Wang (Penn State), Kevin Fu (MIT) March

More information

Implementing SSL Security on a PowerExchange 9.1.0 Network

Implementing SSL Security on a PowerExchange 9.1.0 Network Implementing SSL Security on a PowerExchange 9.1.0 Network 2012 Informatica Abstract This article describes how to implement SSL security on a PowerExchange network. To implement SSL security, configure

More information

Hosted File Backup for business. Keep your data safe with our cloud backup service

Hosted File Backup for business. Keep your data safe with our cloud backup service Hosted File Backup for business Keep your data safe with our cloud backup service Why choose Hosted File Backup? Your most important business asset is data. After all, without customer information, order

More information

Security Policy Revision Date: 23 April 2009

Security Policy Revision Date: 23 April 2009 Security Policy Revision Date: 23 April 2009 Remote Desktop Support Version 3.2.1 or later for Windows Version 3.1.2 or later for Linux and Mac 4 ISL Light Security Policy This section describes the procedure

More information

Cut Network Security Cost in Half Using the Intel EP80579 Integrated Processor for entry-to mid-level VPN

Cut Network Security Cost in Half Using the Intel EP80579 Integrated Processor for entry-to mid-level VPN Cut Network Security Cost in Half Using the Intel EP80579 Integrated Processor for entry-to mid-level VPN By Paul Stevens, Advantech Network security has become a concern not only for large businesses,

More information

Oracle Cluster File System on Linux Version 2. Kurt Hackel Señor Software Developer Oracle Corporation

Oracle Cluster File System on Linux Version 2. Kurt Hackel Señor Software Developer Oracle Corporation Oracle Cluster File System on Linux Version 2 Kurt Hackel Señor Software Developer Oracle Corporation What is OCFS? GPL'd Extent Based Cluster File System Is a shared disk clustered file system Allows

More information

Project Proposal. Data Storage / Retrieval with Access Control, Security and Pre-Fetching

Project Proposal. Data Storage / Retrieval with Access Control, Security and Pre-Fetching 1 Project Proposal Data Storage / Retrieval with Access Control, Security and Pre- Presented By: Shashank Newadkar Aditya Dev Sarvesh Sharma Advisor: Prof. Ming-Hwa Wang COEN 241 - Cloud Computing Page

More information

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013 CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control

More information