And Then There Were More:

Size: px
Start display at page:

Download "And Then There Were More:"

Transcription

1 David Naylor Carnegie Mellon And Then There Were More: Secure Communication for More Than Two Parties Richard Li University of Utah Christos Gkantsidis Microsoft Research Thomas Karagiannis Microsoft Research Peter Steenkiste Carnegie Mellon

2

3 In most networks, # middleboxes # routers Web Cache Compression Proxy Intrusion Detection System Virus Scanner Parental Filter Load Balancer [Making Middleboxes Someone Else s Problem. SIGCOMM 12]

4 In most networks, # middleboxes # routers Encryption blinds middleboxes.

5 Encryption blinds middleboxes. Goal: Encryption + Middleboxes

6 Goal: Encryption + Middleboxes 1 2 Design Space mbtls For secure, multi-entity communication protocols A deployable protocol for outsourced middleboxes.

7 There s a big design space for secure, multi-entity communication protocols

8 There s a big design space for secure, multi-entity communication protocols 1 Extend TLS Security Properties 2 3 New Security Other Properties Properties

9 1 Extend TLS Security Properties 2 1 Data Secrecy Data Authentication 3 Entity Authentication

10 1 Extend TLS Security Properties Definition of Party vs Granularity of Data Access Definition of Identity Headers Body vs Headers vs

11 1 2 Extend TLS Security Properties New Security Properties 3 Other Properties Granularity of Data Access Headers Body vs Headers Definition of Party vs Definition of Identity vs

12 2 New Security Properties Path Integrity Authorization Data Change Secrecy

13 1 Extend TLS Security Properties 2 New Security Properties 3 Other Properties Granularity of Data Access Path Integrity Headers Body vs Headers Definition of Party Data Change Secrecy vs Definition of Identity Authorization vs

14 3 Other Properties Legacy Endpoints Computation v1.2 Arbitrary vs Limited In-Band Discovery

15 1 Extend TLS Security Properties 2 New Security Properties 3 Other Properties Granularity of Data Access Path Integrity Legacy Endpoints Headers Body vs Headers v1.2 Definition of Party vs Data Change Secrecy In-Band Discovery Definition of Identity vs Authorization Computation vs Arbitrary Limited

16 There s a big design space for secure, multi-entity communication protocols 1 Extend TLS Security Properties 2 New Security Properties 3 Other Properties

17 There s a big design space for secure, multi-entity communication protocols There is no one-size-fits-all solution.

18 There s a big design space for secure, multi-entity communication protocols There is no one-size-fits-all solution. Supporting one property often precludes another.

19 Supporting one property often precludes another. TLS interception with custom root certificates Supports two legacy endpoints Prevents endpoint authentication (owner or code) v1.2 vs

20 Supporting one property often precludes another. Multi-Context TLS (mctls) [SIGCOMM 15] Supports fine-grained data access Prevents legacy support Headers Body vs Headers v1.2

21 Supporting one property often precludes another. BlindBox [SIGCOMM 15] Supports functional crypto (minimal data access) Prevents arbitrary computation Headers Body vs Headers Arbitrary vs Limited

22 There s a big design space for secure, multi-entity communication protocols There is no one-size-fits-all solution. Supporting one property often precludes another.

23 There s a big design space for secure, multi-entity communication protocols There is no one-size-fits-all solution. Supporting one property often precludes another.

24 Goal: Encryption + Middleboxes 1 2 Design Space mbtls For secure, multi-entity communication protocols A deployable protocol for outsourced middleboxes.

25 mbtls targets two commoncase, real-world needs 1 Immediate deployability Interoperate with one legacy endpoint 2 Protection for outsourced middleboxes Protect session data from middlebox infrastructure (in addition to traditional network attackers)

26 mbtls targets two commoncase, real-world needs 2 Outsourced Middlebox Server-Side Proxy Residential ISP Upgraded Server Legacy Clients 1 Legacy Endpoint

27 mbtls targets two commoncase, real-world needs 1 Legacy Endpoint 2 Outsourced Middlebox Upgraded Client Client-Side Proxy Cloud Compute Provider Legacy Servers

28 mbtls targets two commoncase, real-world needs 1 Immediate deployability Interoperate with one legacy endpoint 2 Protection for outsourced middleboxes Protect session data from middlebox infrastructure (in addition to traditional network attackers)

29 2 Protection for outsourced middleboxes Protect session data from middlebox infrastructure (in addition to traditional network attackers) Middlebox Software R/W access Client R/W access Middlebox Infrastructure No access Server R/W access Everyone Else No access

30 mbtls targets two commoncase, real-world needs 1 Immediate deployability Interoperate with one legacy endpoint 2 Protection for outsourced middleboxes Protect session data from middlebox infrastructure (in addition to traditional network attackers)

31 A first approach: pass primary session key over secondary TLS session Primary TLS Connection Supports legacy endpoints Secondary TLS Connection Data and keys visible in RAM

32 An aside: Intel SGX 1 Secure Execution Environment Program code, data, and stack encrypted. 2 Remote Attestation Prove to remote party that 1 is working.

33 A first approach: pass primary session key over secondary TLS session Primary TLS Connection Supports legacy endpoints Secondary TLS Connection Data and keys visible in RAM

34 mbtls protects session data and keys using SGX Primary TLS Connection SGX Enclave TLS Handshake + Attestation Supports legacy endpoints Data and keys encrypted in RAM

35 On-path middleboxes can be discovered on-the-fly ClientHello + MiddleboxSupportExtension ServerHello MiddleboxAnnouncement MbtlsEncap[ ] + MboxHello

36 Per-hop keys provide path integrity and data change secrecy Original session key bridges client- and server-side middleboxes.

37 Evaluation 1 What overheads does mbtls introduce? From SGX? From crypto? 2 Is mbtls immediately deployable? Will existing network devices drop mbtls handshake messages?

38 SGX doesn t have much impact on I/O+compute-intensive workloads 10 8 No Enclave Enclave Throughput (Gbps) K 2K 4K 8K 12K Record Size (Bytes)

39 mbtls adds some handshake CPU overhead on the server Server 1.5 Computation Time (ms) 1.0 TLS (no mbox) mbtls (1 serve mbtls (2 serve mbtls (3 serve TLS mbtls Server mbtls mbtls no mbox 1 mbox 2 mbox 3 mbox

40 mbtls handshake protocol changes are deployable today?? Drop handshake? 6 enterprise networks 34 residential networks 2 mobile networks No handshakes were dropped. 11 university networks 35 colocation networks 1 public network 56 hosting networks 19 data center networks 77 unlabeled networks

41 David Naylor Carnegie Mellon And Then There Were More: Secure Communication for More Than Two Parties Richard Li University of Utah Christos Gkantsidis Microsoft Research Thomas Karagiannis Microsoft Research Peter Steenkiste Carnegie Mellon

mctls: enabling secure in-network functionality in TLS

mctls: enabling secure in-network functionality in TLS mctls: enabling secure in-network functionality in TLS David Naylor Kyle Schomp Matteo Varvello Ilias Leontiadis Jeremy Blackburn Diego Lopez Dina Papagiannaki Pablo Rodriguez Rodriguez Peter Steenkiste

More information

EndBox: Scalable Middlebox Functions Using Client-Side Trusted Execution

EndBox: Scalable Middlebox Functions Using Client-Side Trusted Execution : Scalable Functions Using -Side Trusted Execution Image CC-BY-SA Victorgrigas David Goltzsche, 1 Signe Rüsch, 1 Manuel Nieke, 1 Sébastien Vaucher, 2 Nico Weichbrodt, 1 Valerio Schiavoni, 2 Pierre-Louis

More information

SafeBricks: Shielding Network Functions in the Cloud

SafeBricks: Shielding Network Functions in the Cloud SafeBricks: Shielding Network Functions in the Cloud Rishabh Poddar, Chang Lan, Raluca Ada Popa, Sylvia Ratnasamy UC Berkeley Network Functions (NFs) in the cloud Clients 2 Enterprise Destination Network

More information

Rule based Forwarding (RBF): improving the Internet s flexibility and security. Lucian Popa, Ion Stoica, Sylvia Ratnasamy UC Berkeley Intel Labs

Rule based Forwarding (RBF): improving the Internet s flexibility and security. Lucian Popa, Ion Stoica, Sylvia Ratnasamy UC Berkeley Intel Labs Rule based Forwarding (RBF): improving the Internet s flexibility and security Lucian Popa, Ion Stoica, Sylvia Ratnasamy UC Berkeley Intel Labs Motivation Improve network s flexibility Middlebox support,

More information

A Ten Minute Introduction to Middleboxes. Justine Sherry, UC Berkeley

A Ten Minute Introduction to Middleboxes. Justine Sherry, UC Berkeley A Ten Minute Introduction to Middleboxes Justine Sherry, UC Berkeley This Talk: Three Questions! What is a middlebox? What are some recent trends in middlebox engineering? What research challenges do middleboxes

More information

SDN Use-Cases. internet exchange, home networks. TELE4642: Week8. Materials from Prof. Nick Feamster is gratefully acknowledged

SDN Use-Cases. internet exchange, home networks. TELE4642: Week8. Materials from Prof. Nick Feamster is gratefully acknowledged SDN Use-Cases internet exchange, home networks TELE4642: Week8 Materials from Prof. Nick Feamster is gratefully acknowledged Overview n SDX: A Software-Defined Internet Exchange n SDN-enabled Home Networks

More information

Overview. SSL Cryptography Overview CHAPTER 1

Overview. SSL Cryptography Overview CHAPTER 1 CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. SSL ensures the secure transmission of data between a client and a server through

More information

From Zero Touch Provisioning to Secure Business Intent

From Zero Touch Provisioning to Secure Business Intent From Zero Touch Provisioning to Secure Business Intent Flexible Orchestration with Silver Peak s EdgeConnect SD-WAN Solution From Zero Touch Provisioning to Secure Business Intent Flexible Orchestration

More information

Cloud, SDN and BIGIQ. Philippe Bogaerts Senior Field Systems Engineer

Cloud, SDN and BIGIQ. Philippe Bogaerts Senior Field Systems Engineer Cloud, SDN and BIGIQ Philippe Bogaerts Senior Field Systems Engineer Virtual Editions TMOS/LTM 12.0 Highlights 1 NIC support Azure Marketplace Kernel Independent driver Enhanced Hypervisor support F5 Networks,

More information

Rule-Based Forwarding

Rule-Based Forwarding Building Extensible Networks with Rule-Based Forwarding Lucian Popa Norbert Egi Sylvia Ratnasamy Ion Stoica UC Berkeley/ICSI Lancaster Univ. Intel Labs Berkeley UC Berkeley Making Internet forwarding flexible

More information

SYMANTEC CONSIDERATIONS ON MIDDLEBOXES

SYMANTEC CONSIDERATIONS ON MIDDLEBOXES SYMANTEC CONSIDERATIONS ON MIDDLEBOXES 12 th OF JUNE 2018 @ETSI SECURITY WEEK 2018 SYMANTEC AGENDA TODAY 1 2 WHICH MODEL FOR SECURITY AND PRIVACY? IS A CONSENSUS REACHABLE? LET s BE PATIENT ANNEX PRACTICAL

More information

OpenADN: A Case for Open Application Delivery Networking

OpenADN: A Case for Open Application Delivery Networking OpenADN: A Case for Open Application Delivery Networking Subharthi Paul, Raj Jain, Jianli Pan Washington University in Saint Louis {Pauls, jain, jp10}@cse.wustl.edu International Conference on Computer

More information

this security is provided by the administrative authority (AA) of a network, on behalf of itself, its customers, and its legal authorities

this security is provided by the administrative authority (AA) of a network, on behalf of itself, its customers, and its legal authorities INFRASTRUCTURE SECURITY this security is provided by the administrative authority (AA) of a network, on behalf of itself, its customers, and its legal authorities Goals * prevent or mitigate resource attacks

More information

Hillstone IPSec VPN Solution

Hillstone IPSec VPN Solution 1. Introduction With the explosion of Internet, more and more companies move their network infrastructure from private lease line to internet. Internet provides a significant cost advantage over private

More information

Dynamic Network Segmentation

Dynamic Network Segmentation Dynamic Network Segmentation Innovative network security protection to stop cyber attacks and meet compliance. 1 Isolate and flexibly segment your networks Introduction As organizational structures and

More information

Multi-Context TLS (mctls): Enabling Secure In-Network Functionality in TLS

Multi-Context TLS (mctls): Enabling Secure In-Network Functionality in TLS Multi-Context TLS (mctls: Enabling Secure In-Network Functionality in TLS David Naylor, Kyle Schomp, Matteo Varvello, Ilias Leontiadis, Jeremy Blackburn, Diego Lopez, Konstantina Papagiannaki, Pablo Rodriguez

More information

Overview Content Delivery Computer Networking Lecture 15: The Web Peter Steenkiste. Fall 2016

Overview Content Delivery Computer Networking Lecture 15: The Web Peter Steenkiste. Fall 2016 Overview Content Delivery 15-441 15-441 Computer Networking 15-641 Lecture 15: The Web Peter Steenkiste Fall 2016 www.cs.cmu.edu/~prs/15-441-f16 Web Protocol interactions HTTP versions Caching Cookies

More information

Transport Layer Security

Transport Layer Security Transport Layer Security TRANSPORT LAYER SECURITY PERFORMANCE TESTING OVERVIEW Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL), are the most popular cryptographic protocols

More information

The case for ubiquitous transport level encryption. Andrea Bittau, Mike Hamburg, Mark Handley, David Mazieres, Dan Boneh. UCL and Stanford.

The case for ubiquitous transport level encryption. Andrea Bittau, Mike Hamburg, Mark Handley, David Mazieres, Dan Boneh. UCL and Stanford. The case for ubiquitous transport level encryption Andrea Bittau, Mike Hamburg, Mark Handley, David Mazieres, Dan Boneh. UCL and Stanford. What would it take to encrypt all the traffic on the Internet,

More information

Computer Science 461 Final Exam May 22, :30-3:30pm

Computer Science 461 Final Exam May 22, :30-3:30pm NAME: Login name: Computer Science 461 Final Exam May 22, 2012 1:30-3:30pm This test has seven (7) questions, each worth ten points. Put your name on every page, and write out and sign the Honor Code pledge

More information

Cisco Next Generation Firewall Services

Cisco Next Generation Firewall Services Toronto,. CA May 30 th, 2013 Cisco Next Generation Firewall Services Eric Kostlan Cisco Technical Marketing 2011 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 1 Objectives At the

More information

CSCE 715: Network Systems Security

CSCE 715: Network Systems Security CSCE 715: Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina Web Security Web is now widely used by business, government, and individuals But Internet and Web are

More information

Understanding of basic networking concepts (routing, switching, VLAN, firewall functionality)

Understanding of basic networking concepts (routing, switching, VLAN, firewall functionality) Citrix NetScaler for Apps and Desktops Day(s): 5 Course Code: CNS-222 Overview This course is designed specifically for students who have limited or no previous NetScaler experience. The content is based

More information

NetScaler for Apps and Desktops CNS-222; 5 Days; Instructor-led

NetScaler for Apps and Desktops CNS-222; 5 Days; Instructor-led NetScaler for Apps and Desktops CNS-222; 5 Days; Instructor-led Course Description Designed for students with little or no previous NetScaler, NetScaler Gateway or Unified Gateway experience, this course

More information

RTCWEB Working Group. Media Security: A chat about RTP, SRTP, Security Descriptions, DTLS-SRTP, EKT, the past and the future

RTCWEB Working Group. Media Security: A chat about RTP, SRTP, Security Descriptions, DTLS-SRTP, EKT, the past and the future RTCWEB Working Group Media Security: A chat about RTP, SRTP, Security Descriptions, DTLS-SRTP, EKT, the past and the future Dan Wing dwing@cisco.com IETF83 - March 2012 v2 1 Agenda Scope Upcoming Questions

More information

CSCI-1680 Network Layer:

CSCI-1680 Network Layer: CSCI-1680 Network Layer: Wrapup Rodrigo Fonseca Based partly on lecture notes by Jennifer Rexford, Rob Sherwood, David Mazières, Phil Levis, John JannoA Administrivia Homework 2 is due tomorrow So we can

More information

The Security Impact of HTTPS Interception

The Security Impact of HTTPS Interception The Security Impact of HTTPS Interception Zakir Durumeric, Zane Ma, Drew Springall, Richard Barnes, Nick Sullivan, Elie Bursztein, Michael Bailey, J. Alex Halderman, Vern Paxson University of Michigan,

More information

A Policy Framework for a Secure

A Policy Framework for a Secure A Policy Framework for a Secure Future Internet Jad Naous(Stanford University) Arun Seehra(UT Austin) Michael Walfish(UT Austin) David Mazières(Stanford University) Antonio Nicolosi(Stevens Institute of

More information

Cisco HyperFlex and the F5 BIG-IP Platform Accelerate Infrastructure and Application Deployments

Cisco HyperFlex and the F5 BIG-IP Platform Accelerate Infrastructure and Application Deployments OVERVIEW + Cisco and the F5 BIG-IP Platform Accelerate Infrastructure and Application Deployments KEY BENEFITS Quickly create private clouds Tested with industry-leading BIG-IP ADC platform Easily scale

More information

Optimizing Pulse Secure Access Suite with Pulse Secure Virtual Application Delivery Controller solution

Optimizing Pulse Secure Access Suite with Pulse Secure Virtual Application Delivery Controller solution DATASHEET Optimizing Pulse Secure Access Suite with Pulse Secure Virtual Application Delivery Controller solution Features & Benefits Best-in-class VPN and vadc solutions A single point of access for all

More information

Configuring F5 for SSL Intercept

Configuring F5 for SSL Intercept Configuring F5 for Welcome to the F5 deployment guide for configuring the BIG-IP system for SSL intercept (formerly called with Air Gap Egress Inspection). This document contains guidance on configuring

More information

Introduction to SGX (Software Guard Extensions) and SGX Virtualization. Kai Huang, Jun Nakajima (Speaker) July 12, 2017

Introduction to SGX (Software Guard Extensions) and SGX Virtualization. Kai Huang, Jun Nakajima (Speaker) July 12, 2017 Introduction to SGX (Software Guard Extensions) and SGX Virtualization Kai Huang, Jun Nakajima (Speaker) July 12, 2017 1 INTEL RESTRICTED SECRET Agenda SGX Introduction Xen SGX Virtualization Support Backup

More information

Embark: Securely Outsourcing Middleboxes to the Cloud

Embark: Securely Outsourcing Middleboxes to the Cloud Embark: Securely Outsourcing Middleboxes to the Cloud Chang Lan, Justine Sherry, Raluca Ada Popa, Sylvia Ratnasamy, Zhi Liu UC Berkeley Tsinghua University 1 Background Middleboxes are prevalent and problematic

More information

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2. P2 Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE 802.11i, IEEE 802.1X P2.2 IP Security IPsec transport mode (host-to-host), ESP and

More information

STORAGE MADE EASY: S3 DRIVE & S3 EXPLORER

STORAGE MADE EASY: S3 DRIVE & S3 EXPLORER SOLUTION GUIDE STORAGE MADE EASY: S3 DRIVE & S3 EXPLORER IBM COS ABOUT STORAGE MADE EASY FILE FABRIC The Storage Made Easy File Fabric enables IT to regain control of "cloud data sprawl" by unifying on-premises

More information

RIGHTNOW A C E

RIGHTNOW A C E RIGHTNOW A C E 2 0 1 4 2014 Aras 1 A C E 2 0 1 4 Scalability Test Projects Understanding the results 2014 Aras Overview Original Use Case Scalability vs Performance Scale to? Scaling the Database Server

More information

Cloudamize Agents FAQ

Cloudamize Agents FAQ Cloudamize Agents FAQ Cloudamize is a cloud infrastructure analytics platform that provides data analysis and recommendations to speed and simplify cloud migration and management. Our platform helps you

More information

A Comparison Study of Intel SGX and AMD Memory Encryption Technology

A Comparison Study of Intel SGX and AMD Memory Encryption Technology A Comparison Study of Intel SGX and AMD Memory Encryption Technology Saeid Mofrad, Fengwei Zhang Shiyong Lu Wayne State University {saeid.mofrad, Fengwei, Shiyong}@wayne.edu Weidong Shi (Larry) University

More information

CS 356 Internet Security Protocols. Fall 2013

CS 356 Internet Security Protocols. Fall 2013 CS 356 Internet Security Protocols Fall 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter 5

More information

Optimize and Accelerate Your Mission- Critical Applications across the WAN

Optimize and Accelerate Your Mission- Critical Applications across the WAN BIG IP WAN Optimization Module DATASHEET What s Inside: 1 Key Benefits 2 BIG-IP WAN Optimization Infrastructure 3 Data Optimization Across the WAN 4 TCP Optimization 4 Application Protocol Optimization

More information

TLS 1.1 Security fixes and TLS extensions RFC4346

TLS 1.1 Security fixes and TLS extensions RFC4346 F5 Networks, Inc 2 SSL1 and SSL2 Created by Netscape and contained significant flaws SSL3 Created by Netscape to address SSL2 flaws TLS 1.0 Standardized SSL3 with almost no changes RFC2246 TLS 1.1 Security

More information

Who s Protecting Your Keys? August 2018

Who s Protecting Your Keys? August 2018 Who s Protecting Your Keys? August 2018 Protecting the most vital data from the core to the cloud to the field Trusted, U.S. based source for cyber security solutions We develop, manufacture, sell and

More information

Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy

Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy SESSION ID: CSV-W01 Bryan D. Payne Director of Security Research Nebula @bdpsecurity Cloud Security Today Cloud has lots of momentum

More information

Course Objectives In this course, students can expect to learn how to:

Course Objectives In this course, students can expect to learn how to: CNS-222 Citrix NetScaler Essentials and Unified Gateway The objective of this course is to provide the foundational concepts and teach the skills necessary to deploy, secure and manage a Citrix NetScaler

More information

Auditing IoT Communications with TLS-RaR

Auditing IoT Communications with TLS-RaR Auditing IoT Communications with TLS-RaR Judson Wilson, Henry Corrigan-Gibbs, Riad S. Wahby, Keith Winstein, Philip Levis, Dan Boneh Stanford University Auditing Standard Devices MITM Used for: security

More information

Features. HDX WAN optimization. QoS

Features. HDX WAN optimization. QoS May 2013 Citrix CloudBridge Accelerates, controls and optimizes applications to all locations: datacenter, branch offices, public and private clouds and mobile users Citrix CloudBridge provides a unified

More information

Network in the Cloud: a Map-and-Encap Approach

Network in the Cloud: a Map-and-Encap Approach Network in the Cloud: a Map-and-Encap Approach Damien Saucez Wassim Haddad Inria Ericsson IEEE CloudNet 12 Enterprise network www ISP1 SOHO ISP2 Internet 2 Enterprise network (contd.) Survey on 57 enterprise

More information

Corente Cloud Services Exchange

Corente Cloud Services Exchange Corente Cloud Services Exchange Oracle s Corente Cloud Services Exchange (Corente CSX) is a cloud-based service that enables distributed enterprises to deliver trusted IPSec VPN connectivity services to

More information

PrecisionAccess Trusted Access Control

PrecisionAccess Trusted Access Control Data Sheet PrecisionAccess Trusted Access Control Defeats Cyber Attacks Credential Theft: Integrated MFA defeats credential theft. Server Exploitation: Server isolation defeats server exploitation. Compromised

More information

Share Count Analysis HEADERS

Share Count Analysis HEADERS Measuring Network Privacy with It s 11PM. DO YOU KNOW WHERE YOUR Share Count Analysis HEADERS ARE? David Naylor Peter Steenkiste GOAL measure how private a network architecture or protocol is GOAL measure

More information

On the Internet, nobody knows you re a dog.

On the Internet, nobody knows you re a dog. On the Internet, nobody knows you re a dog. THREATS TO DISTRIBUTED APPLICATIONS 1 Jane Q. Public Big Bank client s How do I know I am connecting to my bank? server s Maybe an attacker...... sends you phishing

More information

Overview SENTINET 3.1

Overview SENTINET 3.1 Overview SENTINET 3.1 Overview 1 Contents Introduction... 2 Customer Benefits... 3 Development and Test... 3 Production and Operations... 4 Architecture... 5 Technology Stack... 7 Features Summary... 7

More information

Migration to IPv6 from IPv4. Is it necessary?

Migration to IPv6 from IPv4. Is it necessary? Introduction Today Internet plays a big role in every aspect of our lives and IP acted as an important pillar of Internet. Since its inception the Internet has reached almost all corners of globe and it

More information

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD OVERVIEW Fundamental

More information

Configuring Cisco Mobility Advantage

Configuring Cisco Mobility Advantage CHAPTER 46 This chapter describes how to configure the adaptive security appliance for Cisco Unified Communications Mobility Advantage Proxy features. This chapter includes the following sections: Information

More information

ORACLE ENTERPRISE COMMUNICATIONS BROKER

ORACLE ENTERPRISE COMMUNICATIONS BROKER ORACLE ENTERPRISE COMMUNICATIONS BROKER A CORE COMMUNICATIONS CONTROLLER KEY FEATURES Centralized dial plan management Centralized session routing and forking Multivendor UC protocol normalization SIP

More information

Middleboxes in Cellular Networks

Middleboxes in Cellular Networks Middleboxes in Cellular Networks Szilveszter Nádas, Salvatore Loreto Ericsson Research, Szilveszter.Nadas@ericsson.com, Salvatore.Loreto@ericsson.com November 4, 2014 Abstract This is a position paper

More information

Cisco NAC Profiler Architecture Overview

Cisco NAC Profiler Architecture Overview CHAPTER 2 Topics in this chapter include: Overview, page 2-1 Cisco NAC Profiler System Deployment Model, page 2-3 Cisco NAC Profiler Usage: Port Provisioning and Endpoint Directory, page 2-4 Overview Cisco

More information

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018 Computer Security 10r. Recitation assignment & concept review Paul Krzyzanowski Rutgers University Spring 2018 April 3, 2018 CS 419 2018 Paul Krzyzanowski 1 1. What is a necessary condition for perfect

More information

Initial connection setup. Adding subflow setup. Three-way handshake with MP_CAPABLE Exchange 64 bit key(key-a, Key-B)

Initial connection setup. Adding subflow setup. Three-way handshake with MP_CAPABLE Exchange 64 bit key(key-a, Key-B) - 2 - Despite the short history, Multipath TCP(MPTCP) prevails drastically As MPTCP was deployed, security concerns increase There have been multiple attempts at verifications to security of MPTCP Initial

More information

CSE 123A Computer Netwrking

CSE 123A Computer Netwrking CSE 123A Computer Netwrking Winter 2005 Mobile Networking Alex Snoeren presenting in lieu of Stefan Savage Today s s issues What are implications of hosts that move? Remember routing? It doesn t work anymore

More information

THE FUTURE OF AUTHENTICATION FOR THE INTERNET OF THINGS

THE FUTURE OF AUTHENTICATION FOR THE INTERNET OF THINGS THE FUTURE OF AUTHENTICATION FOR THE INTERNET OF THINGS FIDO ALLIANCE WEBINAR MARCH 28, 2017 1 INTRODUCTION TO THE FIDO ALLIANCE ANDREW SHIKIAR SENIOR DIRECTOR OF MARKETING MARCH 28, 2017 2 THE FACTS ON

More information

DYNAMIC SERVICE CHAINING DYSCO WITH. forcing packets through middleboxes for security, optimizing performance, enhancing reachability, etc.

DYNAMIC SERVICE CHAINING DYSCO WITH. forcing packets through middleboxes for security, optimizing performance, enhancing reachability, etc. DYNAMIC SERVICE CHAINING WITH DYSCO forcing packets through es for security, optimizing performance, enhancing reachability, etc. Pamela Zave AT&T Labs Research Ronaldo A. Ferreira UFMS, Brazil Xuan Kelvin

More information

LOGICAL ADDRESSING. Faisal Karim Shaikh.

LOGICAL ADDRESSING. Faisal Karim Shaikh. LOGICAL ADDRESSING Faisal Karim Shaikh faisal.shaikh@faculty.muet.edu.pk DEWSNet Group Dependable Embedded Wired/Wireless Networks www.fkshaikh.com/dewsnet IPv4 ADDRESSES An IPv4 address is a 32-bit address

More information

Intel Active Management Technology Overview

Intel Active Management Technology Overview Chapter 5 Intel Active Management Technology Overview Management is doing things right; leadership is doing the right things. Peter Drucker (1909 2005) As we discussed in the last chapter, Intel Active

More information

ENDBOX: Scalable Middlebox Functions Using Client-Side Trusted Execution

ENDBOX: Scalable Middlebox Functions Using Client-Side Trusted Execution ENDBOX: Scalable Middlebox Functions Using -Side Trusted Execution David Goltzsche, Signe Rüsch, Manuel Nieke, Sébastien Vaucher, Nico Weichbrodt, Valerio Schiavoni, Pierre-Louis Aublin, Paolo Costa, Christof

More information

Pulse Secure Application Delivery

Pulse Secure Application Delivery DATA SHEET Pulse Secure Application Delivery HIGHLIGHTS Provides an Application Delivery and Load Balancing solution purposebuilt for high-performance Network Functions Virtualization (NFV) Uniquely customizable,

More information

SharkFest'17 US. Experience with the expressive Internet Architecture. Peter Steenkiste Carnegie Mellon University

SharkFest'17 US. Experience with the expressive Internet Architecture. Peter Steenkiste Carnegie Mellon University SharkFest'17 US Experience with the expressive Internet Architecture Peter Steenkiste Carnegie Mellon University Dave Andersen, David Eckhardt, Sara Kiesler, Jon Peha, Adrian Perrig, Srini Seshan, Marvin

More information

TALK THUNDER SOFTWARE FOR BARE METAL HIGH-PERFORMANCE SOFTWARE FOR THE MODERN DATA CENTER WITH A10 DATASHEET YOUR CHOICE OF HARDWARE

TALK THUNDER SOFTWARE FOR BARE METAL HIGH-PERFORMANCE SOFTWARE FOR THE MODERN DATA CENTER WITH A10 DATASHEET YOUR CHOICE OF HARDWARE DATASHEET THUNDER SOFTWARE FOR BARE METAL YOUR CHOICE OF HARDWARE A10 Networks application networking and security solutions for bare metal raise the bar on performance with an industryleading software

More information

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from Lecture 15 PKI & Authenticated Key Exchange COSC-260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Today We will see how signatures are used to create public-key infrastructures

More information

Rethinking Security: The Need For A Security Delivery Platform

Rethinking Security: The Need For A Security Delivery Platform Rethinking Security: The Need For A Security Delivery Platform Cybercrime In Asia: A Changing Environment & Shifting Focus Asia, more vulnerable to cybercrime because of diversity and breadth of countries

More information

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to 1 The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to compromises of various sorts, with a range of threats

More information

What is New in Cisco ACE 4710 Application Control Engine Software Release 3.1

What is New in Cisco ACE 4710 Application Control Engine Software Release 3.1 What is New in Cisco ACE 4710 Application Control Engine Software Release 3.1 PB478675 Product Overview The Cisco ACE Application Control Engine 4710 represents the next generation of application switches

More information

Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho

Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho Internet Security - IPSec, SSL/TLS, SRTP - 29th. Oct. 2007 Lee, Choongho chlee@mmlab.snu.ac.kr Contents Introduction IPSec SSL / TLS SRTP Conclusion 2/27 Introduction (1/2) Security Goals Confidentiality

More information

Security Fundamentals

Security Fundamentals COMP 150-IDS: Internet Scale Distributed Systems (Spring 2015) Security Fundamentals Noah Mendelsohn Tufts University Email: noah@cs.tufts.edu Web: http://www.cs.tufts.edu/~noah Copyright 2012 & 2015 Noah

More information

The Road to a Secure, Compliant Cloud

The Road to a Secure, Compliant Cloud The Road to a Secure, Compliant Cloud The Road to a Secure, Compliant Cloud Build a trusted infrastructure with a solution stack from Intel, IBM Cloud SoftLayer,* VMware,* and HyTrust Technology innovation

More information

Forwarding Architecture

Forwarding Architecture Forwarding Architecture Brighten Godfrey CS 538 February 14 2018 slides 2010-2018 by Brighten Godfrey unless otherwise noted Building a fast router Partridge: 50 Gb/sec router A fast IP router well, fast

More information

TOWARDS USABLE AND FINE-GRAINED SECURITY FOR HTTPS WITH MIDDLEBOXES

TOWARDS USABLE AND FINE-GRAINED SECURITY FOR HTTPS WITH MIDDLEBOXES TOWARDS USABLE AND FINE-GRAINED SECURITY FOR HTTPS WITH MIDDLEBOXES Abhimanyu Khanna A thesis in The Department of Concordia Institute for Information Systems Engineering Presented in Partial Fulfillment

More information

Graphene-SGX. A Practical Library OS for Unmodified Applications on SGX. Chia-Che Tsai Donald E. Porter Mona Vij

Graphene-SGX. A Practical Library OS for Unmodified Applications on SGX. Chia-Che Tsai Donald E. Porter Mona Vij Graphene-SGX A Practical Library OS for Unmodified Applications on SGX Chia-Che Tsai Donald E. Porter Mona Vij Intel SGX: Trusted Execution on Untrusted Hosts Processing Sensitive Data (Ex: Medical Records)

More information

ENHANCE APPLICATION SCALABILITY AND AVAILABILITY WITH NGINX PLUS AND THE DIAMANTI BARE-METAL KUBERNETES PLATFORM

ENHANCE APPLICATION SCALABILITY AND AVAILABILITY WITH NGINX PLUS AND THE DIAMANTI BARE-METAL KUBERNETES PLATFORM JOINT SOLUTION BRIEF ENHANCE APPLICATION SCALABILITY AND AVAILABILITY WITH NGINX PLUS AND THE DIAMANTI BARE-METAL KUBERNETES PLATFORM DIAMANTI PLATFORM AT A GLANCE Modern load balancers which deploy as

More information

Understanding Traffic Decryption

Understanding Traffic Decryption The following topics provide an overview of SSL inspection, describe the prerequisites for SSL inspection configuration, and detail deployment scenarios. Traffic Decryption Overview, page 1 SSL Handshake

More information

AWS & Intel: A Partnership Dedicated to fueling your Innovations. Thomas Kellerer BDM CSP, Intel Central Europe

AWS & Intel: A Partnership Dedicated to fueling your Innovations. Thomas Kellerer BDM CSP, Intel Central Europe AWS & Intel: A Partnership Dedicated to fueling your Innovations Thomas Kellerer BDM CSP, Intel Central Europe The Digital Service Economy Growth in connected devices enables new business opportunities

More information

Transport Layer Security

Transport Layer Security CEN585 Computer and Network Security Transport Layer Security Dr. Mostafa Dahshan Department of Computer Engineering College of Computer and Information Sciences King Saud University mdahshan@ksu.edu.sa

More information

A Guide to Routers. Connectivity Type. ADSL (Telephone Type)

A Guide to Routers. Connectivity Type. ADSL (Telephone Type) A Guide to Routers Besides enabling wireless internet connections, routers also keep sensitive data private by safeguarding networks. Wireless routers are increasingly common, even in public spaces. This

More information

SOLUTION BRIEF RSA NETWITNESS SUITE & THE CLOUD PROTECTING AGAINST THREATS IN A PERIMETER-LESS WORLD

SOLUTION BRIEF RSA NETWITNESS SUITE & THE CLOUD PROTECTING AGAINST THREATS IN A PERIMETER-LESS WORLD RSA NETWITNESS SUITE & THE CLOUD PROTECTING AGAINST THREATS IN A PERIMETER-LESS WORLD THE CLOUD MAKES THREAT HUNTING HARDER The explosion in cloud workloads is driving real, substantial business value.

More information

Performance Study of COPS over TLS and IPsec Secure Session

Performance Study of COPS over TLS and IPsec Secure Session Performance Study of COPS over TLS and IPsec Secure Session Yijun Zeng and Omar Cherkaoui Université du Québec à Montréal CP. 8888 Suc. A, Montréal yj_zeng@hotmail.com, cherkaoui.omar@uqam.ca Abstract.

More information

HALO IN ACTION COMPLIANCE DON T LET LEGACY SECURITY TOOLS HOLD UP PCI COMPLIANCE IN THE CLOUD. Automated PCI compliance anytime, anywhere.

HALO IN ACTION COMPLIANCE DON T LET LEGACY SECURITY TOOLS HOLD UP PCI COMPLIANCE IN THE CLOUD. Automated PCI compliance anytime, anywhere. HALO IN ACTION COMPLIANCE DON T LET LEGACY SECURITY TOOLS HOLD UP PCI COMPLIANCE IN THE CLOUD Automated PCI compliance anytime, anywhere. THE PROBLEM Online commercial transactions will hit an estimated

More information

Scaling Internet TV Content Delivery ALEX GUTARIN DIRECTOR OF ENGINEERING, NETFLIX

Scaling Internet TV Content Delivery ALEX GUTARIN DIRECTOR OF ENGINEERING, NETFLIX Scaling Internet TV Content Delivery ALEX GUTARIN DIRECTOR OF ENGINEERING, NETFLIX Inventing Internet TV Available in more than 190 countries 104+ million subscribers Lots of Streaming == Lots of Traffic

More information

Dynamic Source Routing in ad hoc wireless networks

Dynamic Source Routing in ad hoc wireless networks Dynamic Source Routing in ad hoc wireless networks David B. Johnson David A. Maltz Computer Science Department Carnegie Mellon University In Mobile Computing, vol. 353, chapter 5, T. Imielinski and H.

More information

Delivering Microservices Securely and at Scale with NGINX in Red Hat OpenShift. November, 2017

Delivering Microservices Securely and at Scale with NGINX in Red Hat OpenShift. November, 2017 Delivering Microservices Securely and at Scale with NGINX in Red Hat OpenShift November, 2017 Klaus Oxdal Channel Director klaus@nginx.com The Big Shift Architectural Changes: Monolith import myapp.driver

More information

ARCHITECTURING AND SECURING IOT PLATFORMS JANKO ISIDOROVIC MAINFLUX

ARCHITECTURING AND SECURING IOT PLATFORMS JANKO ISIDOROVIC MAINFLUX ARCHITECTURING AND SECURING IOT PLATFORMS JANKO ISIDOROVIC CEO @ MAINFLUX Outline Internet of Things (IoT) Common IoT Project challenges - Networking - Power Consumption - Computing Power - Scalability

More information

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management SOLUTION BRIEF CA API MANAGEMENT Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management 2 SOLUTION BRIEF ENABLE AND PROTECT YOUR WEB APPLICATIONS WITH CA API MANAGEMENT ca.com

More information

Citrix NetScaler Administration Training

Citrix NetScaler Administration Training Citrix NetScaler Administration Training Course Duration : 20 Working Days Class Duration : 3 hours per day Fast Track: - Course duration 10days (Per day 8 hours) Get Fee Details Module 1 NetScaler Overview

More information

Firewalls for Secure Unified Communications

Firewalls for Secure Unified Communications Firewalls for Secure Unified Communications Positioning Guide 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 12 Firewall protection for call control

More information

CPS 510 final exam, 4/27/2015

CPS 510 final exam, 4/27/2015 CPS 510 final exam, 4/27/2015 Your name please: This exam has 25 questions worth 12 points each. For each question, please give the best answer you can in a few sentences or bullets using the lingo of

More information

About DPI-SSL. About DPI-SSL. Functionality. Deployment Scenarios

About DPI-SSL. About DPI-SSL. Functionality. Deployment Scenarios DPI-SSL About DPI-SSL Configuring Client DPI-SSL Settings Configuring Server DPI-SSL Settings About DPI-SSL About DPI-SSL Functionality Deployment Scenarios Customizing DPI-SSL Connections per Appliance

More information

NGIPS Recommended Practices

NGIPS Recommended Practices F5 Networks, Inc. NGIPS Recommended Practices F5 BIG-IP and Cisco/Sourcefire NGIPS load balancing Matt Quill, Brandon Frelich, and Bob Blair 5/9/2014 This document articulate the details for configuring

More information

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance. Real-time Visibility Network Access Control Endpoint Compliance Mobile Security ForeScout CounterACT Continuous Monitoring and Mitigation Rapid Threat Response Benefits Rethink IT Security Security Do

More information

Management and Orchestration with F5 BIG-IQ 4.5. Philippe Bogaerts F5 Networks

Management and Orchestration with F5 BIG-IQ 4.5. Philippe Bogaerts F5 Networks Management and Orchestration with F5 BIG-IQ 4.5 Philippe Bogaerts F5 Networks F5 Synthesis High-Performance Services Fabric Simplified Business Models F5 Networks, Inc 2 BIG-IQ in the Synthesis Framework

More information

Cloud Native Security. OpenShift Commons Briefing

Cloud Native Security. OpenShift Commons Briefing Cloud Native Security OpenShift Commons Briefing Amir Sharif Co-Founder amir@aporeto.com Cloud Native Applications Challenge Security Change Frequency x 10x 100x 1,000x Legacy (Pets) Servers VMs Cloud

More information