A seman(c firewall for Content Centric Networking

Similar documents

A Network Monitoring Tool for CCN

Live Streaming with Content Centric Networking

NextServe Framework: Supporting Services Over Content-Centric Networking

NDSS: A Named Data Storage System

Live Streaming with CCN & Content Transmission with CCNx

Content Distribution Networks (CDN)

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

FileSync/NDN: Peer-to-Peer File Sync over Named Data Networking

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli

EFFICIENT DETECTION IN DDOS ATTACK FOR TOPOLOGY GRAPH DEPENDENT PERFORMANCE IN PPM LARGE SCALE IPTRACEBACK

CCN. CCNx 1.0 Internet of Things Architectural Overview. Computer Science Laboratory Networking & Distributed Systems March 2014

Network Security 網路安全. Lecture 1 February 20, 2012 洪國寶

Linux Network Security

Chapter 8 Network Security

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

Security (II) ISO : Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012

Supporting Information-Centric Networking in SDN

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Mobile IP Network Layer Lesson 01 OSI (open systems interconnection) Seven Layer Model and Internet Protocol Layers

Chapter 8 Security Pt 2

ΕΠΛ 674: Εργαστήριο 5 Firewalls

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

VLAN 802.1Q. 1. VLAN Overview. 1. VLAN Overview. 2. VLAN Trunk. 3. Why use VLANs? 4. LAN to LAN communication. 5. Management port

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

A SURVEY OF CLOUD COMPUTING: NETWORK BASED ISSUES PERFORMANCE AND ANALYSIS

Stateful Inspection Technology

Packet Level Authentication Overview

A Study of Network Security Systems

SOFTWARE ENGINEERING 4C03. Computer Networks & Computer Security. Network Firewall

CS 356 Lecture 16 Denial of Service. Spring 2013

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

ITL BULLETIN FOR JANUARY 2011

Firewall Firewall August, 2003

Intro to Firewalls. Summary

Network Security Administrator

Chapter 11 Cloud Application Development

Protocols and Architecture. Protocol Architecture.

Security vulnerabilities in the Internet and possible solutions

Steelcape Product Overview and Functional Description

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

Overview - Using ADAMS With a Firewall

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

Firewalls, Tunnels, and Network Intrusion Detection

Overview - Using ADAMS With a Firewall

Introduction to Computer Security

The Advantages of a Firewall Over an Interafer

Basic Vulnerability Issues for SIP Security

Review: Lecture 1 - Internet History

Keywords: VoIP calls, packet extraction, packet analysis

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

MPLS VPN Security Best Practice Guidelines

INTRODUCTION TO FIREWALL SECURITY

Introduction to Computer Security

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Security of IPv6 and DNSSEC for penetration testers

Firewall Configuration. Firewall Configuration. Solution Firewall Principles

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Protocol Specification & Design. The Internet and its Protocols. Course Outline (trivia) Introduction to the Subject Teaching Methods

CS5008: Internet Computing

OF-CCN: CCN over OpenFlow. NDN hands-on Workshop Junho Suh ( jhsuh@mmlab.snu.ac.kr)

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

SANE: A Protection Architecture For Enterprise Networks

CS Computer and Network Security: Firewalls

co Characterizing and Tracing Packet Floods Using Cisco R

Introduction to Firewalls Open Source Security Tools for Information Technology Professionals

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

Owner of the content within this article is Written by Marc Grote

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

How To Write A Transport Layer Protocol For Wireless Networks

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Anonymous Communication in Peer-to-Peer Networks for Providing more Privacy and Security

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Cornerstones of Security

Objectives of Lecture. Network Architecture. Protocols. Contents

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method.

Multifaceted Approach to Understanding the Botnet Phenomenon

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

CSE 3461 / 5461: Computer Networking & Internet Technologies

Architecture of distributed network processors: specifics of application in information security systems

Ranch Networks for Hosted Data Centers

FIREWALL ARCHITECTURES

Deploying ACLs to Manage Network Security

10CS64: COMPUTER NETWORKS - II

What is Firewall? A system designed to prevent unauthorized access to or from a private network.

CS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24

Application Firewalls

Transcription:

A seman(c firewall for Content Centric Networking IFIP/IEEE Integrated Network Management Symposium (IM 2013) - MC2: Security Management and Recovery May 27-31, 2013 David Goergen Thibault Cholez Jérôme François Thomas Engel SnT Interdisciplinary Centre for Security, Reliability and Trust

OUTLINE Introduction Content Centric Networking background Design Implementation Evaluation Conclusion 2 / 39

A semantic firewall for Content Centric Networking INTRODUCTION 3 / 39

Introduc(on Trend towards content retrieval Content Centric Networking is built and designed to follow this Some security measures already built-in Authentication of content But real security tools missing Our contribution: Identify the security needs for a CCN architecture Design of a semantic CCN firewall Performance evaluation 4 / 39

Related work Jacobson, V., Smetters, D.K., Thornton, J.D., Plass, M.F., Briggs, N.H., Braynard, R.L.: Networking named content. In: Proceedings of the 5th international conference on Emerging networking experiments and technologies. pp. 1 12. CoNEXT 09, ACM, New York, NY, USA (2009) D. Smetters, V. Jacobson: Securing Network Content (October 2009) Lauinger, T.: Security & scalability of content-centric networking (September 2010) Goergen, David; Cholez, Thibault; François, Jérôme; Engel, Thomas: Security monitoring for Content Centric Networking, Data Privacy Management and Autonomous Spontaneous Security, Volume 7731 (2013) partly funded by BUTLER and IoT6 FP7 EU projects under the grant agreements 287901 and 88445 5 / 39

A semantic firewall for Content Centric Networking CONTENT CENTRIC NETWORKING BACKGROUND 6 / 39

Content Centric Networking - CCN New paradigm proposed by Van Jacobson et al. Redesign networking focusing on data instead of hosts (who provide the data) Shift from a communication oriented paradigm to a distribution oriented To provide the same functionalities as TCP/IP with build in security features, more efficient content diffusion, mobility, 7 / 39

How does it work? Routable data instead of routable host Content is named in a hierarchical prefix based way Examples: uni.lu/people/goergen/presentation/im2013 thisroom/projector Like IP, CCN is semantic free. Meaning is defined by application, global conventions, etc. Content is requested by user s Interest Anyone who has the solicited content can answer 8 / 39

CCN architecture CCN Packets: Interest Packets that express Interest for a certain content Data Packets, signed by the contents producer, reply to a certain Interest and consume it CCN tables: Content store local repository filled with shared content Pending Interest Table (PIT) Contains pending Interest requests send upstream to a content provider Forward Information Base Table (FIB) Contains the faces which correspond to a certain Interest 9 / 39

CCN node model 10 / 39

Rou(ng example 11 / 39

Rou(ng example cont d 12 / 39

Rou(ng example cont d 13 / 39

Rou(ng example cont d 14 / 39

Rou(ng example cont d 15 / 39

Rou(ng example cont d 16 / 39

Rou(ng example cont d 17 / 39

Rou(ng example cont d 18 / 39

Rou(ng example cont d 19 / 39

Rou(ng example cont d 20 / 39

Security layer No Content transmission before Interest reception Renders classic Denial-of-Service, like flooding, inefficient Strongly relies on cryptography Authentication of Content and its producer Exclusion of untrustworthy sources But new kind of attacks Stateful routers More vulnerable? Missing tool for enforcing security policies 21 / 39

A semantic firewall for Content Centric Networking DESIGN 22 / 39

IP firewall general use cases IP_UC1 Based on the protocol IP_UC2 Example: http, mail, p2p, voip, According to the status of the connection IP_UC3 Using known blacklisted IP addresses IP_UC4 Unusual inbound traffic From a denial of service attack 23 / 39

CCN- specific use cases CCN_UC1 Filtering on content provider Example: known untrustworthy or banned CCN_UC2 Filtering on bad signature CCN_UC3 Filtering on content name and semantic Example: excluding files with certain extensions CCN_UC4 Composition (content provider & content name) 24 / 39

CCN- specific use cases CCN_UC5 Filtering on content direction Example: avoid leakage of certain documents CCN_UC6 Filtering on heavy traffic Perservation of QoS CCN_UC7 Filtering of stored data Example: Only storing specific content 25 / 39

Comparison IP use cases CCN use cases Filtering on IP_UC1 CCN_UC3 Protocol / Content name IP_UC2 -- Status of the connection IP_UC3 CCN_UC1 Listed IP / Content provider IP_UC4 CCN_UC6 Unusual / Heavy traffic -- CCN_UC2 Bad signature -- CCN_UC4 Composition of filters -- CCN_UC5 Content direction -- CCN_UC7 Stored data 26 / 39

A semantic firewall for Content Centric Networking IMPLEMENTATION 27 / 39

Syntax defini(on Syntax based on iptables Ease of use and readability Distinguish between 3 types of rules r_interest interest SP direction SP match_interest SP pit SP action r_face face SP number r_data data SP direction SP match_data SP [ cs pit ] SP action 28 / 39

r_interest & r_face interest SP direction SP match_interest SP pit SP action direction int ext * match_interest * or regular expression action forward drop example : interest * \@game play fun\@ 15 pit drop face SP number Number of active faces example : face 200 29 / 39

r_data data SP direction SP match_data SP [ cs pit ] SP action direction int ext * match_data content_name SP provider content_name * or regular expression provider sign_check SP provider_sign signcheck 0 1 provider_sign * or hex representation of one or more signatures action forward drop example : data * \@game fun\@ 0 0 123456789ABCDEF;FFFF0000AAAA pit drop 30 / 39

Pre- processing with Disco >= 3 character sequences are extracted Segmented as real human-readable words For each sequence find x similar alternative sequences Recombine with original to create new regular expression 31 / 39

Implementa(on into CCN stack 32 / 39

A semantic firewall for Content Centric Networking EVALUATION 33 / 39

Setup 6 nodes Intermediate routers don t cache Consumer request single binary file 500MB or 1GB Measured transfer time request received 34 / 39

1 st evalua(on: Impact of rules Impact on the number of processed rules Increasing step 100 Request 500 MB and 1 GB file Shows small to no impact on transfer time 35 / 39

2 nd evalua(on: Clean vs. Firewall Repeated experiment to obtain significant results Firewalled CCN 1000 rules Request 500 MB file Applied Chi-square and KS-test on obtain result 36 / 39

A semantic firewall for Content Centric Networking CONCLUSION 37 / 39

Conclusion Introduction of a first firewall implementation dedicated to CCN Use case analysis Grammar definition Implementation Use of semantic tools Overhead of the firewall is neglectable Future Work Rule reordering Using Bloom filters 38 / 39

THANK YOU FOR YOUR ATTENTION QUESTIONS? 39 / 39