SafeBricks: Shielding Network Functions in the Cloud

Size: px
Start display at page:

Download "SafeBricks: Shielding Network Functions in the Cloud"

Transcription

1 SafeBricks: Shielding Network Functions in the Cloud Rishabh Poddar, Chang Lan, Raluca Ada Popa, Sylvia Ratnasamy UC Berkeley

2 Network Functions (NFs) in the cloud Clients 2 Enterprise Destination

3 Network Functions (NFs) in the cloud Clients 3 Enterprise Destination

4 Network Functions (NFs) in the cloud NF NF providers providers Clients 4 Enterprise Destination

5 Problem: Security NF NF providers providers Clients 5 Enterprise Destination

6 Problem: Security 1 Need to protect traffic from the cloud provider NF NF providers providers Hackers / curious employees Clients 6 Enterprise Destination

7 Problem: Security 2 Need to protect traffic from the Exfiltration NF NF providers providers Clients 7 Enterprise Destination

8 Problem: Security 3 Need to protect NF code and rulesets from client enterprise and cloud NF NF providers providers Clients 8 Enterprise Destination

9 Cryptographic solutions do not suffice NF NF providers providers Clients 9 Enterprise Destination

10 Cryptographic solutions do not suffice 1 Standard encryption: e.g. end-to-end TLS NF NF providers providers Clients 10 Enterprise Destination

11 Cryptographic solutions do not suffice 1 Standard encryption: e.g. end-to-end TLS Functionality: Doesn t allow any computation on encrypted payload NF NF providers providers? Clients 11 Enterprise Destination

12 Cryptographic solutions do not suffice 1 Standard encryption: e.g. end-to-end TLS Functionality: Doesn t allow any computation on encrypted payload Security: Unencrypted fields (e.g. IP headers) still leak information NF NF providers providers? Clients 12 Enterprise Destination

13 Cryptographic solutions do not suffice 2 Specialized encryption: e.g. BlindBox, Embark [Sherry et al. (SIGCOMM 15)] [Lan et al. (NSDI 16)] 13

14 Cryptographic solutions do not suffice 2 Specialized encryption: e.g. BlindBox, Embark Too limited in functionality! Header-based comparisons Regular expressions Keyword matching Cross-flow analysis Statistical computations 14

15 How to achieve full functionality and our security goals simultaneously? 15

16 SafeBricks 1 Protects traffic from the cloud provider 2 Protects traffic from the 3 Protects NF source code and rulesets from client enterprise and cloud 16

17 SafeBricks Hardware enclaves + language-based isolation 1 Protects traffic from the cloud provider 2 Protects traffic from the 3 Protects NF source code and rulesets from client enterprise and cloud 17

18 Background: Hardware enclaves (e.g. Intel SGX) Secure region of memory (enclaves) protected by hardware Application (untrusted) Enclave (trusted) Operating System (untrusted) 18

19 Background: Hardware enclaves (e.g. Intel SGX) Secure region of memory (enclaves) protected by hardware Application (untrusted) Secret data Trusted code Enclave (trusted) Operating System (untrusted) 19

20 Background: Hardware enclaves (e.g. Intel SGX) Secure region of memory (enclaves) protected by hardware Application (untrusted) Secret data Trusted code Client Enclave (trusted) Remote attestation by clients Operating System (untrusted) 20

21 Background: Hardware enclaves (e.g. Intel SGX) Secure region of memory (enclaves) protected by hardware Application (untrusted) Secret data Trusted code Client Enclave (trusted) Remote attestation by clients Remotely verify enclave contents Operating System (untrusted) 21

22 Background: Hardware enclaves (e.g. Intel SGX) Secure region of memory (enclaves) protected by hardware Application (untrusted) Secret data Trusted code Client Enclave (trusted) Remote attestation by clients Remotely verify enclave contents Operating System (untrusted) Establish a secure channel with enclave 22

23 Background: NetBricks [Panda et al. (OSDI 16)] Framework for developing arbitrary NFs Programming abstractions NetBricks Scheduler State abstractions I/O interface DPDK Poll for I/O NICs 23

24 Background: NetBricks [Panda et al. (OSDI 16)] Framework for developing arbitrary NFs MapReduce like programming abstractions (operators) for packet processing Programming abstractions State abstractions NetBricks Scheduler I/O interface DPDK Poll for I/O NICs 24

25 Background: NetBricks [Panda et al. (OSDI 16)] Framework for developing arbitrary NFs MapReduce like programming abstractions (operators) for packet processing NFs represented as a directed graph with operators as nodes Programming abstractions State abstractions NetBricks I/O interface DPDK Scheduler Poll for I/O NICs 25

26 Background: NetBricks Written in Rust Fast, safe, zero-copy semantics NetBricks NF 1 NF 1 Isolates NFs deployed in a chain while running them in the same address space NICs 26

27 SafeBricks 1 Protects traffic from the cloud provider 2 Protects traffic from the 3 Protects NF source code and rulesets from client enterprise and cloud 27

28 SafeBricks 1 Protects traffic from the cloud provider 2 Protects traffic from the 3 Protects NF source code and rulesets from client enterprise and cloud 28

29 Outsourcing NFs using hardware enclaves Cloud (untrusted) Enclave OS (untrusted) Clients Gateway Destination 29 Enterprise

30 Outsourcing NFs using hardware enclaves Cloud (untrusted) NF Enclave OS (untrusted) Clients Gateway Destination 30 Enterprise

31 Outsourcing NFs using hardware enclaves Cloud (untrusted) NF Enclave OS (untrusted) Clients Gateway Destination 31 Enterprise

32 Outsourcing NFs using hardware enclaves Cloud (untrusted) IPSec NF Enclave IPSec OS (untrusted) Clients Gateway Destination 32 Enterprise

33 Outsourcing NFs using hardware enclaves Cloud (untrusted) IPSec NF Enclave IPSec TLS OS (untrusted) Clients Interception proxy Gateway Destination 33 Enterprise

34 Outsourcing NFs using hardware enclaves Cloud (untrusted) IPSec NF Enclave IPSec TLS OS (untrusted) Clients TLS Gateway Destination 34 Enterprise

35 Outsourcing NFs using hardware enclaves Cloud (untrusted) IPSec NF Enclave IPSec TLS IPSec OS (untrusted) Clients TLS Gateway Destination 35 Enterprise

36 Outsourcing NFs using hardware enclaves Cloud (untrusted) IPSec NF Enclave IPSec TLS IPSec OS (untrusted) Clients TLS Gateway Packet headers also encrypted Destination 36 Enterprise

37 Outsourcing NFs using hardware enclaves Cloud (untrusted) IPSec NF Enclave IPSec TLS IPSec OS (untrusted) Clients TLS Gateway TLS Destination 37 Enterprise

38 Outsourcing NFs using hardware enclaves Cloud (untrusted) IPSec NF Enclave IPSec TLS OS (untrusted) Clients TLS 38 Enterprise Gateway SafeBricks also supports direct delivery of traffic Destination

39 Outsourcing NFs using hardware enclaves Cloud (untrusted) IPSec NF Enclave Can use general purpose frameworks, e.g. Haven, Scone IPSec TLS IPSec OS (untrusted) Clients TLS Gateway TLS Destination 39 Enterprise

40 Challenges 1 Small trusted computing base (TCB) enclave should contain minimal amount of code 40

41 Challenges 1 Small trusted computing base (TCB) enclave should contain minimal amount of code 2 High performance Transitioning into / out of enclaves is expensive! 41

42 Challenges 1 Small trusted computing base (TCB) enclave should contain minimal amount of code 2 High performance Transitioning into / out of enclaves is expensive! 3 Illegal enclave instructions SGX does not support system calls or instructions that may lead to a VMEXIT 42

43 Challenges 1 Small trusted computing base (TCB) enclave should contain minimal amount of code 2 High performance Transitioning into / out of enclaves is expensive! 3 Illegal enclave instructions SGX does not support system calls or instructions that lead to a VMEXIT 43

44 1 NetBricks Programming abstractions Scheduler State abstractions I/O interface DPDK Poll for I/O NICs 44

45 1 Enclave Programming abstractions Scheduler Maximal TCB: NetBricks State abstractions stack entirely within enclave I/O interface DPDK Poll for I/O NICs 45

46 1 Enclave Programming abstractions Scheduler State abstractions Minimal TCB: Only securitycritical components within enclave I/O interface One enclave transition per node per packet batch DPDK Poll for I/O NICs 46

47 1 Enclave Programming abstractions Scheduler Intermediate TCB State abstractions One enclave transition per packet batch I/O interface DPDK Poll for I/O NICs 47

48 1 Programming abstractions Scheduler SafeBricks enclave (trusted) State abstractions Partitioned NetBricks Glue code (trusted) framework; glue code connects trusted and SafeBricks host (untrusted) Glue code (untrusted) I/O interface DPDK untrusted code Poll for I/O 48 NICs

49 1 SafeBricks enclave (trusted) Programming abstractions State abstractions Scheduler Two new operators for packet transfer to/from enclave: toenclave and tohost Partitioned NetBricks Glue code (trusted) framework; glue code connects trusted and SafeBricks host (untrusted) Glue code (untrusted) I/O interface DPDK untrusted code Poll for I/O 49 NICs

50 Challenges 1 Small trusted computing base (TCB) enclave should contain minimal amount of code 2 High performance Transitioning into / out of enclaves is expensive! 3 Illegal enclave instructions SGX does not support system calls or instructions that lead to a VMEXIT 50

51 2 SafeBricks enclave NF toenclave tohost One enclave transition per packet batch SafeBricks host NICs 51

52 2 SafeBricks enclave NF toenclave tohost Shared queues in non-enclave Enclave I/O heap recv send Separate enclave and host threads Access queues without exiting Host I/O SafeBricks host enclave zero enclave transitions 52 NICs

53 Challenges 1 Small trusted computing base (TCB) enclave should contain minimal amount of code 2 High performance Transitioning into / out of enclaves is expensive! 3 Illegal enclave instructions SGX does not support system calls or instructions that lead to a VMEXIT 53

54 3 Observation: NFs in general do not require support for system calls / instructions that lead to VMEXITs 54

55 3 Observation: NFs in general do not require support for system calls / instructions that lead to VMEXITs, except: Logging Timestamps (using rdtsc) 55

56 3 Observation: NFs in general do not require support for system calls / instructions that lead to VMEXITs, except: Logging Timestamps (using rdtsc) SafeBricks designs custom solutions for these operations without enclave transitions 56

57 SafeBricks 1 Protects traffic from the cloud provider 2 Protects traffic from the 3 Protects NF source code and rulesets from client enterprise and cloud 57

58 Problem: Malicious NFs within enclaves! Malicious NFs inside the enclave can exfiltrate or tamper with packets! 58

59 Problem: Malicious NFs within enclaves! Malicious NFs inside the enclave can exfiltrate or tamper with packets! Observation: NFs typically need access only to specific packet fields E.g. Firewall needs read-only access to TCP/IP headers E.g. NAT needs both read-write access to headers but not to packet payload 59

60 Problem: Malicious NFs within enclaves! Malicious NFs inside the enclave can exfiltrate or tamper with packets! Observation: NFs typically need access only to specific packet fields E.g. Firewall needs read-only access to TCP/IP headers E.g. NAT needs both read-write access to headers but IP not addresses; to packet payload TCP ports; HTTP payload 60

61 Problem: Malicious NFs within enclaves! Malicious NFs inside the enclave can exfiltrate or tamper with packets! Observation: NFs typically need access only to specific packet fields E.g. Firewall needs read-only access to TCP/IP headers E.g. NAT needs both read-write access to headers but not to packet payload SafeBricks enforces least privilege across NFs within the enclave 61

62 Least privilege enforcement Run NFs within the same enclave Firewall NAT toenclave tohost Host 62

63 Least privilege enforcement Run NFs within the same enclave Firewall NAT toenclave tohost Host 63

64 Least privilege enforcement Run NFs within the same enclave Firewall NAT Stitch NFs together interspersed with an operator ( wlist ) that embeds a vector of permissions in packets two bits per packet field wlist wlist toenclave tohost Host 64

65 Least privilege enforcement Enforce permissions by mediating access to packets using Rust s ownership model SafeBricks Controller 65

66 Least privilege enforcement Enforce permissions by mediating access to packets using Rust s ownership model Packet buffer Controller module holds ownership of packet buffers SafeBricks Controller 66

67 Least privilege enforcement Enforce permissions by mediating access to packets using Rust s ownership model Packet buffer Controller module holds ownership of packet buffers SafeBricks Controller NFs borrow references to packet fields from the Controller, which checks permissions vector in packet Firewall NAT 67

68 Least privilege enforcement Enforce permissions by mediating access to packets using Rust s ownership model Packet buffer Controller module holds ownership of packet buffers SafeBricks Controller NFs borrow references to packet fields from the Controller, which checks permissions vector in packet Firewall NAT Returns an immutable reference for readonly access, and a mutable reference for write access 68

69 Assumption: Trusted compilation of NFs Least privilege guarantees only hold if NFs are built using a compiler that prohibits unsafe operations! 69

70 Assumption: Trusted compilation of NFs Least privilege guarantees only hold if NFs are built using a compiler that prohibits unsafe operations! E.g. Check array bounds, no pointer arithmetic, no unsafe type casts 70

71 Assumption: Trusted compilation of NFs Least privilege guarantees only hold if NFs are built using a compiler that prohibits unsafe operations! NF NF providers providers Possible solution: Client obtains NF source codes from providers and assembles them NF code + rulesets locally Client Enterprise 71

72 Assumption: Trusted compilation of NFs Least privilege guarantees only hold if NFs are built using a compiler that prohibits unsafe operations! NF NF providers providers Possible solution: Client obtains NF source codes from providers and assembles them NF code + rulesets locally Problem: This violates the confidentiality of NF source code! Enterprise 72

73 SafeBricks 1 Protects traffic from the cloud provider 2 Protects traffic from the 3 Protects NF source code and rulesets from client enterprise and cloud 73

74 Assembling NFs Key idea: Build NFs within a special meta -enclave in the cloud using an agreed upon compiler 74

75 Assembling NFs Key idea: Build NFs within a special meta -enclave in the cloud using an agreed upon compiler Both client and can verify the agreed upon compiler using remote attestation 75

76 Assembling NFs Assembly enclave Loader Compiler 76 Enterprise

77 Assembling NFs Assembly enclave Loader Compiler Remote attestation 77 Enterprise

78 Assembling NFs Assembly enclave Loader Compiler Remote attestation 78 Enterprise

79 Assembling NFs Assembly enclave Loader Compiler Remote attestation 79 Enterprise

80 Assembling NFs Assembly enclave NF code + rulesets Loader Compiler 80 Enterprise

81 Assembling NFs Assembly enclave Loader Compiler NF code + rulesets Config 81 Enterprise

82 Assembling NFs Assembly enclave Loader Compiler NF code + rulesets Config 82 Enterprise Placement of NFs, least privilege policies per NF

83 Assembling NFs Assembly enclave Loader Compiler NF code + rulesets Config 83 Enterprise

84 Assembling NFs Assembly enclave Loader Compiler Deployment enclave 84 Enterprise

85 SafeBricks 1 Protects traffic from the cloud provider 2 Protects traffic from the 3 Protects NF source code and rulesets from client enterprise and cloud 85

86 86 Performance

87 Throughput decline across NFs 40% Firewall NAT Throughput decline 30% 20% 10% Load Balancer DPI 0% Packet size (bytes) ~0 15% overhead across applications for different packet sizes 87

88 DPI performance with increasing no. of rules 100% 8MB 64MB 94MB Throughput decline 75% 50% 25% 0% Number of rules 88 Overhead spikes when NF working set exceeds enclave memory

89 DPI performance with increasing no. of rules 100% 8MB 64MB 94MB Throughput decline 75% 50% 25% Not a fundamental limitation 0% Number of rules 89 Overhead spikes when NF working set exceeds enclave memory

90 Summary SafeBricks uses a combination of hardware enclaves and language-based isolation to: Protect client traffic from the cloud provider Enforce least privilege across NFs Protect the confidentiality of NF code and rulesets Modest overhead across a range of applications 90

Embark: Securely Outsourcing Middleboxes to the Cloud

Embark: Securely Outsourcing Middleboxes to the Cloud Embark: Securely Outsourcing Middleboxes to the Cloud Chang Lan, Justine Sherry, Raluca Ada Popa, Sylvia Ratnasamy, Zhi Liu UC Berkeley Tsinghua University 1 Background Middleboxes are prevalent and problematic

More information

NetBricks: Taking the V out of NFV. Aurojit Panda, Sangjin Han, Keon Jang, Melvin Walls, Sylvia Ratnasamy, Scott Shenker UC Berkeley, Google, ICSI

NetBricks: Taking the V out of NFV. Aurojit Panda, Sangjin Han, Keon Jang, Melvin Walls, Sylvia Ratnasamy, Scott Shenker UC Berkeley, Google, ICSI NetBricks: Taking the V out of NFV Aurojit Panda, Sangjin Han, Keon Jang, Melvin Walls, Sylvia Ratnasamy, Scott Shenker UC Berkeley, Google, ICSI What the heck is NFV? A Short Introduction to NFV A Short

More information

EndBox: Scalable Middlebox Functions Using Client-Side Trusted Execution

EndBox: Scalable Middlebox Functions Using Client-Side Trusted Execution : Scalable Functions Using -Side Trusted Execution Image CC-BY-SA Victorgrigas David Goltzsche, 1 Signe Rüsch, 1 Manuel Nieke, 1 Sébastien Vaucher, 2 Nico Weichbrodt, 1 Valerio Schiavoni, 2 Pierre-Louis

More information

Graphene-SGX. A Practical Library OS for Unmodified Applications on SGX. Chia-Che Tsai Donald E. Porter Mona Vij

Graphene-SGX. A Practical Library OS for Unmodified Applications on SGX. Chia-Che Tsai Donald E. Porter Mona Vij Graphene-SGX A Practical Library OS for Unmodified Applications on SGX Chia-Che Tsai Donald E. Porter Mona Vij Intel SGX: Trusted Execution on Untrusted Hosts Processing Sensitive Data (Ex: Medical Records)

More information

SCONE: Secure Linux Container Environments with Intel SGX

SCONE: Secure Linux Container Environments with Intel SGX SCONE: Secure Linux Container Environments with Intel SGX S. Arnautov, B. Trach, F. Gregor, Thomas Knauth, and A. Martin, Technische Universität Dresden; C. Priebe, J. Lind, D. Muthukumaran, D. O'Keeffe,

More information

And Then There Were More:

And Then There Were More: David Naylor Carnegie Mellon And Then There Were More: Secure Communication for More Than Two Parties Richard Li University of Utah Christos Gkantsidis Microsoft Research Thomas Karagiannis Microsoft Research

More information

Introduction to SGX (Software Guard Extensions) and SGX Virtualization. Kai Huang, Jun Nakajima (Speaker) July 12, 2017

Introduction to SGX (Software Guard Extensions) and SGX Virtualization. Kai Huang, Jun Nakajima (Speaker) July 12, 2017 Introduction to SGX (Software Guard Extensions) and SGX Virtualization Kai Huang, Jun Nakajima (Speaker) July 12, 2017 1 INTEL RESTRICTED SECRET Agenda SGX Introduction Xen SGX Virtualization Support Backup

More information

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD OVERVIEW Fundamental

More information

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1 IPSec Slides by Vitaly Shmatikov UT Austin slide 1 TCP/IP Example slide 2 IP Security Issues Eavesdropping Modification of packets in transit Identity spoofing (forged source IP addresses) Denial of service

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.

More information

Influential OS Research Security. Michael Raitza

Influential OS Research Security. Michael Raitza Influential OS Research Security Michael Raitza raitza@os.inf.tu-dresden.de 1 Security recap Various layers of security Application System Communication Aspects of security Access control / authorization

More information

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder ) Application Note Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder ) This document describes how to configure McAfee Firewall Enterprise to provide

More information

G-NET: Effective GPU Sharing In NFV Systems

G-NET: Effective GPU Sharing In NFV Systems G-NET: Effective Sharing In NFV Systems Kai Zhang*, Bingsheng He^, Jiayu Hu #, Zeke Wang^, Bei Hua #, Jiayi Meng #, Lishan Yang # *Fudan University ^National University of Singapore #University of Science

More information

ResQ: Enabling SLOs in Network Function Virtualization

ResQ: Enabling SLOs in Network Function Virtualization ResQ: Enabling SLOs in Network Function Virtualization Amin Tootoonchian* Aurojit Panda Chang Lan Melvin Walls Katerina Argyraki Sylvia Ratnasamy Scott Shenker *Intel Labs UC Berkeley ICSI NYU Nefeli EPFL

More information

RISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas

RISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas RISCV with Sanctum Enclaves Victor Costan, Ilia Lebedev, Srini Devadas Today, privilege implies trust (1/3) If computing remotely, what is the TCB? Priviledge CPU HW Hypervisor trusted computing base OS

More information

Rule based Forwarding (RBF): improving the Internet s flexibility and security. Lucian Popa, Ion Stoica, Sylvia Ratnasamy UC Berkeley Intel Labs

Rule based Forwarding (RBF): improving the Internet s flexibility and security. Lucian Popa, Ion Stoica, Sylvia Ratnasamy UC Berkeley Intel Labs Rule based Forwarding (RBF): improving the Internet s flexibility and security Lucian Popa, Ion Stoica, Sylvia Ratnasamy UC Berkeley Intel Labs Motivation Improve network s flexibility Middlebox support,

More information

Rule-Based Forwarding

Rule-Based Forwarding Building Extensible Networks with Rule-Based Forwarding Lucian Popa Norbert Egi Sylvia Ratnasamy Ion Stoica UC Berkeley/ICSI Lancaster Univ. Intel Labs Berkeley UC Berkeley Making Internet forwarding flexible

More information

Firewalls. IT443 Network Security Administration Slides courtesy of Bo Sheng

Firewalls. IT443 Network Security Administration Slides courtesy of Bo Sheng Firewalls IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Internet Security Mechanisms Prevent: Firewall, IPsec, SSL Detect: Intrusion Detection Survive/ Response: Recovery, Forensics

More information

Slicing a Network. Software-Defined Network (SDN) FlowVisor. Advanced! Computer Networks. Centralized Network Control (NC)

Slicing a Network. Software-Defined Network (SDN) FlowVisor. Advanced! Computer Networks. Centralized Network Control (NC) Slicing a Network Advanced! Computer Networks Sherwood, R., et al., Can the Production Network Be the Testbed? Proc. of the 9 th USENIX Symposium on OSDI, 2010 Reference: [C+07] Cascado et al., Ethane:

More information

Intel Software Guard Extensions

Intel Software Guard Extensions Intel Software Guard Extensions Dr. Matthias Hahn, Intel Deutschland GmbH July 12 th 2017 cryptovision Mindshare, Gelsenkirchen Intel SGX Making Headlines Premium Content requiring Intel SGX on PC Intel

More information

CSC Network Security

CSC Network Security CSC 474 -- Security Topic 9. Firewalls CSC 474 Dr. Peng Ning 1 Outline Overview of Firewalls Filtering Firewalls Proxy Servers CSC 474 Dr. Peng Ning 2 Overview of Firewalls CSC 474 Dr. Peng Ning 3 1 Internet

More information

Ryoan: A Distributed Sandbox for Untrusted Computation on Secret Data

Ryoan: A Distributed Sandbox for Untrusted Computation on Secret Data Ryoan: A Distributed Sandbox for Untrusted Computation on Secret Data Tyler Hunt, Zhiting Zhu, Yuanzhong Xu, Simon Peter, and Emmett Witchel University of Texas at Austin OSDI 2016 Presented by John Alsop

More information

IX: A Protected Dataplane Operating System for High Throughput and Low Latency

IX: A Protected Dataplane Operating System for High Throughput and Low Latency IX: A Protected Dataplane Operating System for High Throughput and Low Latency Adam Belay et al. Proc. of the 11th USENIX Symp. on OSDI, pp. 49-65, 2014. Presented by Han Zhang & Zaina Hamid Challenges

More information

IPSec. Overview. Overview. Levente Buttyán

IPSec. Overview. Overview. Levente Buttyán IPSec - brief overview - security associations (SAs) - Authentication Header (AH) protocol - Encapsulated Security Payload () protocol - combining SAs (examples) Overview Overview IPSec is an Internet

More information

CPS 510 final exam, 4/27/2015

CPS 510 final exam, 4/27/2015 CPS 510 final exam, 4/27/2015 Your name please: This exam has 25 questions worth 12 points each. For each question, please give the best answer you can in a few sentences or bullets using the lingo of

More information

Buffer overflow background

Buffer overflow background and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer

More information

Distributed Systems. Lecture 14: Security. Distributed Systems 1

Distributed Systems. Lecture 14: Security. Distributed Systems 1 06-06798 Distributed Systems Lecture 14: Security Distributed Systems 1 What is security? policies and mechanisms threats and attacks Overview Security of electronic transactions secure channels authentication

More information

Distributed Systems. Lecture 14: Security. 5 March,

Distributed Systems. Lecture 14: Security. 5 March, 06-06798 Distributed Systems Lecture 14: Security 5 March, 2002 1 What is security? policies and mechanisms threats and attacks Overview Security of electronic transactions secure channels authentication

More information

Operating System Security

Operating System Security Operating System Security Operating Systems Defined Hardware: I/o...Memory.CPU Operating Systems: Windows or Android, etc Applications run on operating system Operating Systems Makes it easier to use resources.

More information

BUILDING SECURE (CLOUD) APPLICATIONS USING INTEL S SGX

BUILDING SECURE (CLOUD) APPLICATIONS USING INTEL S SGX BUILDING SECURE (CLOUD) APPLICATIONS USING INTEL S SGX FLORIAN KERSCHBAUM, UNIVERSITY OF WATERLOO JOINT WORK WITH BENNY FUHRY (SAP), ANDREAS FISCHER (SAP) AND MANY OTHERS DO YOU TRUST YOUR CLOUD SERVICE

More information

Virtual Private Networks (VPN)

Virtual Private Networks (VPN) CYBR 230 Jeff Shafer University of the Pacific Virtual Private Networks (VPN) 2 Schedule This Week Mon September 4 Labor Day No class! Wed September 6 VPN Project 1 Work Fri September 8 IPv6? Project 1

More information

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP,

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls 32.1 Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 32.2 Figure 32.1 Common structure

More information

OpenADN: A Case for Open Application Delivery Networking

OpenADN: A Case for Open Application Delivery Networking OpenADN: A Case for Open Application Delivery Networking Subharthi Paul, Raj Jain, Jianli Pan Washington University in Saint Louis {Pauls, jain, jp10}@cse.wustl.edu International Conference on Computer

More information

Stateless Network Functions:

Stateless Network Functions: Stateless Network Functions: Breaking the Tight Coupling of State and Processing Murad Kablan, Azzam Alsudais, Eric Keller, Franck Le University of Colorado IBM Networks Need Network Functions Firewall

More information

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking NETWORK MANAGEMENT II Proxy Servers Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking resources from the other

More information

Town Crier. Authenticated Data Feeds For Smart Contracts. CS5437 Lecture by Kyle Croman and Fan Zhang Mar 18, 2016

Town Crier. Authenticated Data Feeds For Smart Contracts. CS5437 Lecture by Kyle Croman and Fan Zhang Mar 18, 2016 Town Crier Authenticated Data Feeds For Smart Contracts CS5437 Lecture by Kyle Croman and Fan Zhang Mar 18, 2016 Smart Contract Decentralized App: Programs are executed by all miners who reach consensus

More information

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003 Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003 A system or combination of systems that enforces a boundary between two or more networks - NCSA

More information

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013 Distributed Systems 27. Firewalls and Virtual Private Networks Paul Krzyzanowski Rutgers University Fall 2013 November 25, 2013 2013 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive

More information

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway Applying Application Delivery Technology to Web Services Overview The Cisco ACE XML Gateway is the newest

More information

Design and Performance of the OpenBSD Stateful Packet Filter (pf)

Design and Performance of the OpenBSD Stateful Packet Filter (pf) Usenix 2002 p.1/22 Design and Performance of the OpenBSD Stateful Packet Filter (pf) Daniel Hartmeier dhartmei@openbsd.org Systor AG Usenix 2002 p.2/22 Introduction part of a firewall, working on IP packet

More information

Messaging Overview. Introduction. Gen-Z Messaging

Messaging Overview. Introduction. Gen-Z Messaging Page 1 of 6 Messaging Overview Introduction Gen-Z is a new data access technology that not only enhances memory and data storage solutions, but also provides a framework for both optimized and traditional

More information

Network Control, Con t

Network Control, Con t Network Control, Con t CS 161 - Computer Security Profs. Vern Paxson & David Wagner TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger http://inst.eecs.berkeley.edu/~cs161/

More information

SYN Flood Attack Protection Technology White Paper

SYN Flood Attack Protection Technology White Paper Flood Attack Protection Technology White Paper Flood Attack Protection Technology White Paper Keywords: flood, Cookie, Safe Reset Abstract: This document describes the technologies and measures provided

More information

Networking interview questions

Networking interview questions Networking interview questions What is LAN? LAN is a computer network that spans a relatively small area. Most LANs are confined to a single building or group of buildings. However, one LAN can be connected

More information

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks A Security Whitepaper January, 2004 Photo courtesy of NASA Image exchange. Image use in no way implies endorsement by NASA of any of the

More information

PROTECTING INFORMATION ASSETS NETWORK SECURITY

PROTECTING INFORMATION ASSETS NETWORK SECURITY PROTECTING INFORMATION ASSETS NETWORK SECURITY PAUL SMITH 20 years of IT experience (desktop, servers, networks, firewalls.) 17 years of engineering in enterprise scaled networks 10+ years in Network Security

More information

0x1A Great Papers in Computer Security

0x1A Great Papers in Computer Security CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ slide 1 X. Chen, T, Garfinkel, E. Lewis, P. Subrahmanyam, C. Waldspurger, D. Boneh, J. Dwoskin,

More information

Verifiable Cloud Outsourcing for Network Func9ons (+ Verifiable Resource Accoun9ng for Cloud Services)

Verifiable Cloud Outsourcing for Network Func9ons (+ Verifiable Resource Accoun9ng for Cloud Services) 1 Verifiable Cloud Outsourcing for Network Func9ons (+ Verifiable Resource Accoun9ng for Cloud Services) Vyas Sekar vnfo joint with Seyed Fayazbakhsh, Mike Reiter VRA joint with Chen Chen, Petros Mania9s,

More information

CIS 4360 Secure Computer Systems SGX

CIS 4360 Secure Computer Systems SGX CIS 4360 Secure Computer Systems SGX Professor Qiang Zeng Spring 2017 Some slides are stolen from Intel docs Previous Class UEFI Secure Boot Windows s Trusted Boot Intel s Trusted Boot CIS 4360 Secure

More information

Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems. Yuanzhong Xu, Weidong Cui, Marcus Peinado

Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems. Yuanzhong Xu, Weidong Cui, Marcus Peinado : Deterministic Side Channels for Untrusted Operating Systems Yuanzhong Xu, Weidong Cui, Marcus Peinado 2 Goal Protect the data of applications running on remote hardware 3 New tech Trusted Platform Modules

More information

Firewalls for Secure Unified Communications

Firewalls for Secure Unified Communications Firewalls for Secure Unified Communications Positioning Guide 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 12 Firewall protection for call control

More information

Creating VPN s with IPsec

Creating VPN s with IPsec 2014 Creating VPN s with IPsec SPRING ENTERPRISE INFO SECURITY 4040/601 WILSON CHANCE HINCHMAN This paper will define the term VPN, explain for what and why VPNs are used. IPsec, which is vital to the

More information

Model Checking Dynamic Datapaths

Model Checking Dynamic Datapaths Model Checking Dynamic Datapaths Aurojit Panda, Katerina Argyraki, Scott Shenker UC Berkeley, ICSI, EPFL Networks: Not Just for Delivery Enforce a variety of invariants: Packet Isolation: Packets from

More information

A Comparison Study of Intel SGX and AMD Memory Encryption Technology

A Comparison Study of Intel SGX and AMD Memory Encryption Technology A Comparison Study of Intel SGX and AMD Memory Encryption Technology Saeid Mofrad, Fengwei Zhang Shiyong Lu Wayne State University {saeid.mofrad, Fengwei, Shiyong}@wayne.edu Weidong Shi (Larry) University

More information

Computer Security and Privacy

Computer Security and Privacy CSE P 590 / CSE M 590 (Spring 2010) Computer Security and Privacy Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for

More information

Network Security Fundamentals

Network Security Fundamentals Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 6 Firewalls & VPNs Topics Firewall Fundamentals Case

More information

Varys. Protecting SGX Enclaves From Practical Side-Channel Attacks. Oleksii Oleksenko, Bohdan Trach. Mark Silberstein

Varys. Protecting SGX Enclaves From Practical Side-Channel Attacks. Oleksii Oleksenko, Bohdan Trach. Mark Silberstein Varys Protecting SGX Enclaves From Practical Side-Channel Attacks Oleksii Oleksenko, Bohdan Trach Robert Krahn, Andre Martin, Christof Fetzer Mark Silberstein Key issue of the cloud: We cannot trust it

More information

Network Security. Thierry Sans

Network Security. Thierry Sans Network Security Thierry Sans HTTP SMTP DNS BGP The Protocol Stack Application TCP UDP Transport IPv4 IPv6 ICMP Network ARP Link Ethernet WiFi The attacker is capable of confidentiality integrity availability

More information

Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware

Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware Florian Tramèr (joint work with Dan Boneh) Intel, Santa Clara August 30 th 2018 Trusted execution of ML: 3 motivating

More information

Technology Brief. VeloCloud Dynamic. Multipath Optimization. Page 1 TECHNOLOGY BRIEF

Technology Brief. VeloCloud Dynamic. Multipath Optimization. Page 1 TECHNOLOGY BRIEF Technology Brief Page 1 This document discusses the key functionalities and benefits of (DMPO) that assures enterprise and cloud application performance over Internet and hybrid WAN. Contents Page 2 Introduction

More information

Introduction to Computer Networks. CS 166: Introduction to Computer Systems Security

Introduction to Computer Networks. CS 166: Introduction to Computer Systems Security Introduction to Computer Networks CS 166: Introduction to Computer Systems Security Network Communication Communication in modern networks is characterized by the following fundamental principles Packet

More information

COMPUTER NETWORK SECURITY

COMPUTER NETWORK SECURITY COMPUTER NETWORK SECURITY Prof. Dr. Hasan Hüseyin BALIK (9 th Week) 9. Firewalls and Intrusion Prevention Systems 9.Outline The Need for Firewalls Firewall Characterictics and Access Policy Type of Firewalls

More information

Identity-Based Cyber Defense. March 2017

Identity-Based Cyber Defense. March 2017 Identity-Based Cyber Defense March 2017 Attackers Continue to Have Success Current security products are necessary but not sufficient Assumption is you are or will be breached Focus on monitoring, detecting

More information

Leverage the Citrix WANScaler Software Client to Increase Application Performance for Mobile Users

Leverage the Citrix WANScaler Software Client to Increase Application Performance for Mobile Users Leverage the Citrix WANScaler Software Client to Increase Application Performance for Mobile Users Daniel Künzli System Engineer ANG Switzerland Citrix Systems International GmbH Specifications and Architecture

More information

HUAWEI USG6000 Series Next-Generation Firewall Technical White Paper VPN HUAWEI TECHNOLOGIES CO., LTD. Issue 1.1. Date

HUAWEI USG6000 Series Next-Generation Firewall Technical White Paper VPN HUAWEI TECHNOLOGIES CO., LTD. Issue 1.1. Date HUAWEI USG6000 Series Next-Generation Firewall Technical White Paper VPN Issue 1.1 Date 2014-03-14 HUAWEI TECHNOLOGIES CO., LTD. 2014. All rights reserved. No part of this document may be reproduced or

More information

SGXBounds Memory Safety for Shielded Execution

SGXBounds Memory Safety for Shielded Execution SGXBounds Memory Safety for Shielded Execution Dmitrii Kuvaiskii, Oleksii Oleksenko, Sergei Arnautov, Bohdan Trach, Pramod Bhatotia *, Pascal Felber, Christof Fetzer TU Dresden, * The University of Edinburgh,

More information

A Ten Minute Introduction to Middleboxes. Justine Sherry, UC Berkeley

A Ten Minute Introduction to Middleboxes. Justine Sherry, UC Berkeley A Ten Minute Introduction to Middleboxes Justine Sherry, UC Berkeley This Talk: Three Questions! What is a middlebox? What are some recent trends in middlebox engineering? What research challenges do middleboxes

More information

IX: A Protected Dataplane Operating System for High Throughput and Low Latency

IX: A Protected Dataplane Operating System for High Throughput and Low Latency IX: A Protected Dataplane Operating System for High Throughput and Low Latency Belay, A. et al. Proc. of the 11th USENIX Symp. on OSDI, pp. 49-65, 2014. Reviewed by Chun-Yu and Xinghao Li Summary In this

More information

Announcements. Reading. Project #1 due in 1 week at 5:00 pm Scheduling Chapter 6 (6 th ed) or Chapter 5 (8 th ed) CMSC 412 S14 (lect 5)

Announcements. Reading. Project #1 due in 1 week at 5:00 pm Scheduling Chapter 6 (6 th ed) or Chapter 5 (8 th ed) CMSC 412 S14 (lect 5) Announcements Reading Project #1 due in 1 week at 5:00 pm Scheduling Chapter 6 (6 th ed) or Chapter 5 (8 th ed) 1 Relationship between Kernel mod and User Mode User Process Kernel System Calls User Process

More information

Cyber Moving Targets. Yashar Dehkan Asl

Cyber Moving Targets. Yashar Dehkan Asl Cyber Moving Targets Yashar Dehkan Asl Introduction An overview of different cyber moving target techniques, their threat models, and their technical details. Cyber moving target technique: Defend a system

More information

Microsoft Architecting Microsoft Azure Solutions.

Microsoft Architecting Microsoft Azure Solutions. Microsoft 70-535 Architecting Microsoft Azure Solutions https://killexams.com/pass4sure/exam-detail/70-535 QUESTION: 106 Your organization has developed and deployed several Azure App Service Web and API

More information

Controlled- Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems

Controlled- Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems Controlled- Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems Yuanzhong Xu, Weidong Cui, Marcus Peinado The University of Texas at Austin, Microsoft Research San Jose, CA May

More information

Using a Certified Hypervisor to Secure V2X communication

Using a Certified Hypervisor to Secure V2X communication SYSGO AG PUBLIC 1 Using a Certified Hypervisor to Secure V2X communication Author(s): Date: Version Chris Berg 08/05/2017 v1.1 SYSGO AG PUBLIC 2 Protecting Assets People started protecting their assets

More information

PDP : A Flexible and Programmable Data Plane. Massimo Gallo et al.

PDP : A Flexible and Programmable Data Plane. Massimo Gallo et al. PDP : A Flexible and Programmable Data Plane Massimo Gallo et al. Introduction Network Function evolution L7 Load Balancer TLS/SSL Server Proxy Server Firewall Introduction Network Function evolution Can

More information

SECURITY ARCHITECTURES CARSTEN WEINHOLD

SECURITY ARCHITECTURES CARSTEN WEINHOLD Department of Computer Science Institute of System Architecture, Operating Systems Group SECURITY ARCHITECTURES CARSTEN WEINHOLD MOTIVATION Common observations: Complex software has security bugs Users

More information

NFVnice: Dynamic Backpressure and Scheduling for NFV Service Chains

NFVnice: Dynamic Backpressure and Scheduling for NFV Service Chains NFVnice: Dynamic Backpressure and Scheduling for NFV Service Chains Sameer G Kulkarni 1, Wei Zhang 2, Jinho Hwang 3, Shriram Rajagopalan 3, K.K. Ramakrishnan 4, Timothy Wood 2, Mayutan Arumaithurai 1 &

More information

Lotus Protector Interop Guide. Mail Encryption Mail Security Version 1.4

Lotus Protector Interop Guide. Mail Encryption Mail Security Version 1.4 Lotus Protector Mail Security and Mail Encryption Interop Guide Lotus Protector Interop Guide Mail Encryption 2.1.0.1 Mail Security 2.5.1 Version 1.4 Lotus Protector Mail Security and Mail Encryption Configuration

More information

SGX Security Background. Masab Ahmad Department of Electrical and Computer Engineering University of Connecticut

SGX Security Background. Masab Ahmad Department of Electrical and Computer Engineering University of Connecticut SGX Security Background Masab Ahmad masab.ahmad@uconn.edu Department of Electrical and Computer Engineering University of Connecticut 1 Security Background Outline Cryptographic Primitives Cryptographic

More information

Software Security: Buffer Overflow Defenses

Software Security: Buffer Overflow Defenses CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,

More information

A Comparison of Performance and Accuracy of Measurement Algorithms in Software

A Comparison of Performance and Accuracy of Measurement Algorithms in Software A Comparison of Performance and Accuracy of Measurement Algorithms in Software Omid Alipourfard, Masoud Moshref 1, Yang Zhou 2, Tong Yang 2, Minlan Yu 3 Yale University, Barefoot Networks 1, Peking University

More information

Chapter 9. Firewalls

Chapter 9. Firewalls Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential Effective means of protecting LANs Inserted between the premises network and the Internet to establish a controlled link however

More information

Integrating WX WAN Optimization with Netscreen Firewall/VPN

Integrating WX WAN Optimization with Netscreen Firewall/VPN Application Note Integrating WX WAN Optimization with Netscreen Firewall/VPN Joint Solution for Firewall/VPN and WX Platforms Alan Sardella Portfolio Marketing Choh Mun Kok and Jaymin Patel Lab Configuration

More information

Overview. SSL Cryptography Overview CHAPTER 1

Overview. SSL Cryptography Overview CHAPTER 1 CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. SSL ensures the secure transmission of data between a client and a server through

More information

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005 Firewalls Lecture 33 Security April 15, 2005 Idea: separate local network from the Internet Trusted hosts and networks Intranet Firewall DMZ Router Demilitarized Zone: publicly accessible servers and networks

More information

Virtual Private Cloud. User Guide. Issue 03 Date

Virtual Private Cloud. User Guide. Issue 03 Date Issue 03 Date 2016-10-19 Change History Change History Release Date What's New 2016-10-19 This issue is the third official release. Modified the following content: Help Center URL 2016-07-15 This issue

More information

ISOLATION DEFENSES GRAD SEC OCT

ISOLATION DEFENSES GRAD SEC OCT ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted environment Setting Possibly with multiple tenants OS: users / processes Browser: webpages / browser extensions Cloud:

More information

The IPsec protocols. Overview

The IPsec protocols. Overview The IPsec protocols -- components and services -- modes of operation -- Security Associations -- Authenticated Header (AH) -- Encapsulated Security Payload () (c) Levente Buttyán (buttyan@crysys.hu) Overview

More information

0x1A Great Papers in Computer Security

0x1A Great Papers in Computer Security CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ slide 1 Reference Monitor Observes execution of the program/process At what level? Possibilities:

More information

Configuring SSL CHAPTER

Configuring SSL CHAPTER 7 CHAPTER This chapter describes the steps required to configure your ACE appliance as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination. The topics included in this section

More information

Xen and the Art of Virtualization. CSE-291 (Cloud Computing) Fall 2016

Xen and the Art of Virtualization. CSE-291 (Cloud Computing) Fall 2016 Xen and the Art of Virtualization CSE-291 (Cloud Computing) Fall 2016 Why Virtualization? Share resources among many uses Allow heterogeneity in environments Allow differences in host and guest Provide

More information

Spring 2010 CS419. Computer Security. Vinod Ganapathy Lecture 14. Chapters 6 and 9 Intrusion Detection and Prevention

Spring 2010 CS419. Computer Security. Vinod Ganapathy Lecture 14. Chapters 6 and 9 Intrusion Detection and Prevention Spring 2010 CS419 Computer Security Vinod Ganapathy Lecture 14 Chapters 6 and 9 Intrusion Detection and Prevention Firewalls and IPSes effective means of protecting LANs internet connectivity essential

More information

Transport Level Security

Transport Level Security 2 Transport Level Security : Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 28 October 2013 css322y13s2l12, Steve/Courses/2013/s2/css322/lectures/transport.tex,

More information

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways Firewalls 1 Overview In old days, brick walls (called firewalls ) built between buildings to prevent fire spreading from building to another Today, when private network (i.e., intranet) connected to public

More information

Chapter 26: Network Security

Chapter 26: Network Security Chapter 26: Network Security Introduction to the Drib Policy Development Network Organization Availability Anticipating Attacks Slide #26-1 Introduction Goal: apply concepts, principles, mechanisms discussed

More information

On Distributed Communications, Rand Report RM-3420-PR, Paul Baran, August 1964

On Distributed Communications, Rand Report RM-3420-PR, Paul Baran, August 1964 The requirements for a future all-digital-data distributed network which provides common user service for a wide range of users having different requirements is considered. The use of a standard format

More information

PrecisionAccess Trusted Access Control

PrecisionAccess Trusted Access Control Data Sheet PrecisionAccess Trusted Access Control Defeats Cyber Attacks Credential Theft: Integrated MFA defeats credential theft. Server Exploitation: Server isolation defeats server exploitation. Compromised

More information

A HIGH-PERFORMANCE OBLIVIOUS RAM CONTROLLER ON THE CONVEY HC-2EX HETEROGENEOUS COMPUTING PLATFORM

A HIGH-PERFORMANCE OBLIVIOUS RAM CONTROLLER ON THE CONVEY HC-2EX HETEROGENEOUS COMPUTING PLATFORM A HIGH-PERFORMANCE OBLIVIOUS RAM CONTROLLER ON THE CONVEY HC-2EX HETEROGENEOUS COMPUTING PLATFORM BASED ON PHANTOM: PRACTICAL OBLIVIOUS COMPUTATION IN A SECURE PROCESSOR FROM CCS-2013! Martin Maas, Eric

More information

SteelGate Overview. Manage perimeter security and network traffic to ensure operational efficiency, and optimal Quality of Service (QoS)

SteelGate Overview. Manage perimeter security and network traffic to ensure operational efficiency, and optimal Quality of Service (QoS) Internet Communications Made Safe SteelGate Overview SteelGate Overview SteelGate is a high-performance VPN firewall appliance that Prevent Eliminate threats & attacks at the perimeter Stop unauthorized

More information

DYNAMIC SERVICE CHAINING DYSCO WITH. forcing packets through middleboxes for security, optimizing performance, enhancing reachability, etc.

DYNAMIC SERVICE CHAINING DYSCO WITH. forcing packets through middleboxes for security, optimizing performance, enhancing reachability, etc. DYNAMIC SERVICE CHAINING WITH DYSCO forcing packets through es for security, optimizing performance, enhancing reachability, etc. Pamela Zave AT&T Labs Research Ronaldo A. Ferreira UFMS, Brazil Xuan Kelvin

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 20: Intrusion Prevention Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Firewalls purpose types locations Network perimeter

More information