Internet2 Security Efforts - A brief overview of activities Ken Klingenstein 2004 July 21 Joint Techs- Columbus, Ohio
Internet2 Security Efforts- A brief overview of activities

Ken Klingenstein

2004 July 21

Joint Techs- Columbus, Ohio

Overview

• SALSA 2004 Summer Workshop
• Security and Internet2
• SALSA
  • What/Who is SALSA, Priorities, Membership, Activities
• Challenges and Q&A

Total time ~25 mins

SALSA Summer Workshop

• Workshop will be held immediately following Joint Techs
• Wednesday afternoon is open to those who are attending Joint Techs
• If you can stay for Thursday, please register
• Agenda includes:
  • Small group discussions on security tools and approaches
  • Overview of working group activities
  • Security and Middleware
• http://security.internet2.edu/salsa/workshops/2004summer.html

Heads up…

Context and Background

• Organizations are active in the security space, focusing on slightly different areas and with cooperative relationships
  • REN-ISAC
    • ISAC (information security and analysis center)
    • R&E relationships with the public, private, corporate and government sectors
  • The EDUCAUSE/Internet2 Security Task Force

Security and Internet2

S@LS Workshop 2003

• Security at Line Speed Workshop
• NSF sponsored 1.5 day workshop, in conjunction with Indiana University, Internet2, the Massachusetts Institute of Technology and the University of Washington
• 30 individuals invited to participate
• Chicago, Illinois, 12-13 Aug 2003
• Deliverables included:
  • Effective practices whitepaper, research agenda suggestions, ongoing maintenance (SALSA)

Security and Internet2

“Line Speed” means…

• It’s not just high bandwidth
  • Exceptionally low latency, e.g. remote instrument control
  • End-to-end clarity, e.g. Grids
  • Exceptionally low jitter, e.g. real time interactive HDTV
  • Advanced features, e.g. multicast
• Line speed requires supporting the applications that our membership is building, inventing and creating
• http://apps.internet2.edu/sals/

Security and Internet2

General Findings

• First, and foremost, this is getting a lot harder
• We seem to have hit a couple of turning points
  • New levels of stresses
  • Necessary but doomed approaches
• High performance security is approached by a set of specific tools that are assembled by applying general architectural principles to local conditions.
• The concept of the network perimeter is changing; desktop software limits security and performance options
• There are interactions with the emerging middleware layer that should be explored
• Tool integration is an overarching problem
• We are entering diagnostic hell

Tradeoffs

• Host versus border security

• Deny/Allow versus Allow/deny approaches

• Unauthenticated versus authenticated network access

• Central versus end-user management

• Server-centric versus client-centric

• False positives versus zero-day attacks

• Organizational priorities between security and performance

• Perimeter protection versus user/staff confusion

Trends

• More aggressive and frequent attacks, resulting in
  • Desktop lockdowns and scanning
  • New limits at the perimeter
  • Increased tunneling and VPNs
  • More isolation approaches, straining the top of the desk
  • Hosts as clients only
• Changes in technology
  • Rise of encryption
  • New attack vectors, such as P2P
  • Higher speeds make for more expensive middleboxen
  • Convergence of technology forces
• New policy drivers
  • DHS, RIAA, etc.
  • LCD solutions to hold down costs

The Tool Matrix

• For a variety of network and host based security tools:
  • Role in prevention/detection/reaction/analysis
  • Description
  • General issues
  • Performance implications
  • Operational Impacts
• Network Tools include host scanning, MAC registration, VLAN, Encrypted VPNs and/or Layer 3 VPNs, Firewalls, Source Address Verification, Port Mirroring, etc.
• Host Tools include host-based encryption, local firewalls, host-based intrusion detection/prevention, secure OS, automated patching systems, etc.

Local Network Security Design Factors

• Size of class B address space

• Local fiber plant

• Medical school

• Geographic distribution of departments on campuses

• Distance to gigapops

• Policy Authority of Central IT

• Desktop diversity

• …

Security and Trust

• Security without external trust results in a defensive, highly constraining position with limited effectiveness
• With trust, collaborative security and collaborative applications can be developed
• Currently, there are two promising trust fabrics to leverage
  • Federations – emergent inter-enterprise
  • P2P (the trust fabric, not the architecture) – ad hoc, currently “non-scalable”, but new technologies will be appearing shortly and widely

SALSA Overview

• Technical steering committee composed of senior campus security architects
• Create understanding in the Internet2 community regarding the multiple aspects of security as it applies to advanced networking
• Deliverables that address needs of members and produce tangible benefits
• Prioritizing opportunities and identifying resources
  • Focused activities
  • Interested in R&D security topics that can be smoothly transitioned to deployment

SALSA

Membership

• Current chair: Mark Poepping, CMU
• Currently a small, focused group with membership drawing from multiple communities:
  • Academy Researchers
  • Government Labs
  • International participants
• Founding members drawn from the Security at Line Speed Workshop

SALSA

SALSA Priorities

• Primarily, SALSA acts as a forum to increase sharing, data collection and integration between security researchers and backbone activities
• Data Sharing
• Extend S@LS Workshop deliverables
  • Case studies, technology surveys, non-technical issues, research agenda
• Current Working Groups
  • Network Authentication
  • Architecture
• Cooperation, communication, coordination with other groups
  • EDUCAUSE/Internet2 SecTF, REN-ISAC, international networks

SALSA

NetAuth WG

• Chaired by Chris Misra
• http://security.internet2.edu/netauth/index.html
• Initial activities
  • Investigation of network database and registration services in support of network security management; investigation of extensions to these services to proactively detect and prevent unauthorized or malicious network activity.
  • Pilot and eventual implementation to support network access to visiting scientists among federated institutions.
  • Analysis of security applications that may result from extending these implementations.
• Initial deliverable
  • Strategies for Automating Network Policy Enforcement
  • Visiting scientist, taxonomy and next steps

Working Groups

Architecture WG

• Chaired by Marty Schulman
• http://security.internet2.edu/netauth/index.html
• The Architecture WG will consider issues related to:
  • Identification of functions or components used to authorize access
  • Selection of design rules to facilitate operations or enable new services
  • Adoption of specific techniques
• These activities must accommodate a wide range of campus and departmental security policies, procedures, and schemas - the details of which are beyond this group's scope.

Working Groups

Challenges

• Cooperation and community support
• Security threats are increasing and external pressure is increasing; lack of time to organize
• Heterogeneous environments are resistant to homogeneous solutions
• “Security” can be defined differently. Need to identify specific problems and solutions.
• Is network security staying with networks or moving to security as a hybrid?
• How to engage network management with network security
  • Or, is Joint Techs the right place?
• Now that applications and middleware are reaching down to the network… how do we address this?

SALSA

Contact Info / Q&A

• Contact Information
  Mark Poepping
  [email protected]
  T. Charles Yun
  [email protected]
• Online information regarding security and SALSA efforts at http://security.internet2.edu/
• Questions?
