Towards SDN-Defined Programmable BYOD (Bring Your Own Device) Security

Similar documents
2016 BITGLASS, INC. mobile. solution brief

Mobile Security using IBM Endpoint Manager Mobile Device Management

Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall

Software Defined Networks and OpenFlow. Courtesy of: AT&T Tech Talks.

Transform your network and your customer experience. Introducing SD-WAN Concierge

Virtualized Network Services SDN solution for service providers

Virtualized Network Services SDN solution for enterprises

BYOD: BRING YOUR OWN DEVICE.

Securing Office 365 with MobileIron

Software Defined Networking

Exam Code: Exam Code: Exam Name: Advanced Borderless Network Architecture Systems Engineer test.

IX: A Protected Dataplane Operating System for High Throughput and Low Latency

KODO for Samsung Knox Enterprise Data Protection & Secure Collaboration Platform

MOBILE SECURITY 2017 SPOTLIGHT REPORT. Information Security PRESENTED BY. Group Partner

Auditing Bring Your Own Devices (BYOD) Risks. Shannon Buckley

Application Delivery Using SDN

Mobile Middleware Course. Mobile Platforms and Middleware. Sasu Tarkoma

Implementing Your BYOD Mobility Strategy An IT Checklist and Guide

Enable Infrastructure Beyond Cloud

Introducing KASPERSKY ENDPOINT SECURITY FOR BUSINESS

Transform your network and your customer experience. Introducing SD-WAN Concierge

DeepDroid: Dynamically Enforcing Enterprise Policy on Android Devices

How Parallels RAS Enhances Microsoft RDS. White Paper Parallels Remote Application Server

The Device Has Left the Building

BYOD Success Kit. Table of Contents. Current state of BYOD in enterprise Checklist for BYOD Success Helpful Pilot Tips

WHITE PAPER MICRO-SEGMENTATION. illumio.com

Introducing. Secure Access. for the Next Generation. Bram De Blander Sales Engineer

Cisco Data Center Network Manager 5.1

EBOOK. Mobile Experience Virtualization: Extend Virtualized Windows Apps to Mobile

Building Security Services on top of SDN

ETSI FUTURE Network SDN and NFV for Carriers MP Odini HP CMS CT Office April 2013

Data Centers and Cloud Computing

Data Centers and Cloud Computing. Slides courtesy of Tim Wood

Software-Defined Networking (SDN) Overview

Calculating Source Line Level Energy Information for Android Applications

Cisco SAN Analytics and SAN Telemetry Streaming

Service Mesh and Microservices Networking

Application of SDN: Load Balancing & Traffic Engineering

Thomas Lippert Principal Product Manager. Sophos Mobile. Spring 2017

Systems Manager Cloud-Based Enterprise Mobility Management

Suspend-aware Segment Cleaning in Log-Structured File System

Introducing Unified Critical Communications

WHITE PAPER AIRWATCH SUPPORT FOR OFFICE 365

Data Centers and Cloud Computing. Data Centers

WORKPLACE Data Leak Prevention: Keeping your sensitive out of the public domain. Frans Oudendorp Ronny de Jong

EXTENSIBLE WIDE AREA NETWORKING

ENTERPRISE MOBILITY TRENDS

Mastering Mobile Web with 8 Key Rules. Mastering Mobile Web with 8 Key Rules

MaaS360 Secure Productivity Suite

SD-WAN / Hybrid WAN : Leveraging SDN-NFV for Networks Agility

How to Secure ipads, Tablets and Android Devices for Corporate Use. John Masserini CISO Dow Jones

High-performance. Enterprise Scale. Global Mobility.

BYOD the HP Way: Secure, Device-Agnostic Network Access Management Jochen Fischer Solution Architect (MASE) September 2013

How to Build a Successful Business with Flash Green. powered by America s Largest and Most Reliable Network

SECURE, CENTRALIZED, SIMPLE

HPE Intelligent Management Center

DefDroid: Towards a More Defensive Mobile OS Against Disruptive App Behavior

Fence: Protecting Device Availability With Uniform Resource Control

Virtual Machine Encryption Security & Compliance in the Cloud

OpenADN: Service Chaining of Globally Distributed VNFs

15-744: Computer Networking. Middleboxes and NFV

Managing BYOD Networks

Agenda. Introduction Network functions virtualization (NFV) promise and mission cloud native approach Where do we want to go with NFV?

IQ for DNA. Interactive Query for Dynamic Network Analytics. Haoyu Song. HUAWEI TECHNOLOGIES Co., Ltd.

The Black Box Institute

Cisco Nexus Data Broker for Network Traffic Monitoring and Visibility

OpenFlow: What s it Good for?

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

NETWORKING GLOBAL ACCESS ONE SOURCE SERENUS NETWORK SERVICES NEXT GENERATION CLOUD

Network Behavior Analysis

Mobility, Security Concerns, and Avoidance

IEEE NetSoft 2016 Keynote. June 7, 2016

Multi-Platform Enterprise Mobility Management. Perfectly balancing end-user and corporate needs

DaaS. Contents. Overview. Overview Features DaaS Clients What is DaaS FAQ s Migration Services. Benefits. 1 P a g e

Microsoft 365 Security & Compliance For Small- and Mid-Sized Businesses

The threat landscape is constantly

Profiling and Debugging Games on Mobile Platforms

Bring Your Own TVH. Kalman Tiboldi CBIO

Cisco Extensible Network Controller

BYOD Risks, Challenges and Solutions. The primary challenges companies face when it comes to BYOD and how these challenges can be handled

Optimizing Pulse Secure Access Suite with Pulse Secure Virtual Application Delivery Controller solution

Symantec Endpoint Protection Family Feature Comparison

Enterprise Mobility Management: completing the EMM story

BYOD Business year of decision!

Mobile Device Growth 1

A Guide to Closing All Potential VDI Security Gaps

Cisco Wide Area Application Services (WAAS) Mobile

Power Attack Defense: Securing Battery-Backed Data Centers

SECURE, FLEXIBLE ON-PREMISE STORAGE WITH EMC SYNCPLICITY AND EMC ISILON

Say Yes to BYOD How Fortinet Enables You to Protect Your Network from the Risk of Mobile Devices WHITE PAPER

905M 67% of the people who use a smartphone for work and 70% of people who use a tablet for work are choosing the devices themselves

MediaTek CorePilot. Heterogeneous Multi-Processing Technology. Delivering extreme compute performance with maximum power efficiency

Next Generation Enterprise Solutions from ARM

Pulse Secure Mobile Android

Potpuna virtualizacija od servera do desktopa. Saša Hederić Senior Systems Engineer VMware Inc.

OpenADN: A Case for Open Application Delivery Networking

Samsung Knox Tizen Wearable v2.0

Enterprise Mobility Management Buyers Guide

3CX Mobile Device Manager

Webinar: Mitigating the risks of uncontrolled content access from mobile devices. Presented By: Brian Ulmer, Product Management Director

Transcription:

Towards SDN-Defined Programmable BYOD (Bring Your Own Device) Security Sungmin Hong, Robert Baykov, Lei Xu, Srinath Nadimpalli, Guofei Gu SUCCESS Lab Texas A&M University

Outline Introduction & Motivation Related Work Challenges Our Solution PBS (Programmable BYOD Security) Evaluation Conclusion 2

Bring Your Own Device BYOD is the new paradigm in the workplace 44% of users in developed countries and 75% in developing countries are now utilizing BYOD in the workplace 1 The adoption rate shows no signs of slowing Surveys have indicated that businesses are unable to stop employees from bringing personal devices into the workplace 2 Image source: www.itproportal.com 1 Logicalis, http://cxounplugged.com/2012/11/ovum byod research-findings-re leased/ 2 Wikipedia, https://en.wikipedia.org/wiki/bring_your_own_device 3

Admins Headache I need to set what apps are allowed at work But during the whole work hours? Allow an email app any time and facebook at lunch time? Anywhere in the workplace? Apply it for any one? I want to restrict the rule by role I want to let a visitor access to the Internet through different VLAN I need to monitor what apps access to our database Sigh What if an employee turn off WiFi and turn on LTE to enjoy Twitter at the bathroom What if the policy is changed? 4

Admins Concerns Ideally, Manage & control BYOD devices easily, efficiently, and securely Less budget expense However, Management of dynamic BYOD-enabled devices become significantly more complex Diverse (biz/non-biz) apps to monitor Network itself needs more security and management capabilities to protect enterprise resource Additional infrastructure required 5

Motivation of Our Work Application Awareness & Network Visibility App-aware network information & user/device contexts are invisible to traditional tools/infra. App may send data through other network interfaces (e.g., 3G/4G) equipped in the device Correlating app s network activities with the contexts is not easy Dynamic Policy Programming Static access/policy control is not sufficient for network/byod dynamics for finer-grained management 6

Outline Introduction & Motivation Related Work Challenges Our Solution PBS (Programmable BYOD Security) Evaluation Conclusion 7

Related Work Google Android Device Administration (ADA) Device-level control on password, remote device wiping, etc. Limited interfaces and features Android for Work (AFW) WorkProfile to separate enterprise and personal app data OS-level encryption and additional management APIs to thirdparty MDM/Enterprise Mobility Management (EMM) partners Focus on device/app data control and protection Limited functionalities to support dynamic context-aware policy enforcement Samsung KNOX Enterprise container to separate enterprise and personal app data H/W-level encryption and management APIs to EMM partners Dedicated device only Limited functionalities to support dynamic context-aware policy enforcement 8

Related Work Mobile Device Management (MDM) Provide additional granularity and complexity in management capabilities through ADA (normally through proprietary hardware) Requires additional infrastructure and network reconfiguration Android research DeepDroid Enforce app & context-aware policies to protect sensitive on-device resource by tracking the system APIs Less fine-grained policy configuration Lack programmable interfaces for dynamic, reactive policy enforcement è We provide a solution in our work to these shortcomings 9

Outline Introduction & Motivation Related Work Challenges Our Solution PBS (Programmable BYOD Security) Evaluation Conclusion 10

Research Challenges Can we use traditional security solutions? Difficult and inflexible for dynamic, N/W- and app-aware security policy enforcement (e.g., ACLs/firewalls) Typically coupled with physical devices/resources instead of applications Can we apply the legacy SDN infrastructure? Additional cost to build/manage the infrastructure (e.g., OpenFlowenabled switches) Lack of BYOD specifics App & context unaware Loss of global visibility from other on-device network interfaces (3G/4G, BT, etc.) How much granularity we should provide? The finer granularity (from layer 2, app & context-aware), the more useful to security policy enforcement 11

Outline Introduction & Motivation Related Work Challenges Our Solution PBS (Programmable BYOD Security) Evaluation Conclusion 12

PBS (SDN-Defined Programmable BYOD Security) Goals and Contributions Fine-grained Access Control Application & context-aware access control with layer2 and above granularity Dynamic Policy Enforcement Dynamic, reactive policy enforcement at run-time based on application-specific policy and network behavior Network-wide Programmability Programmable network-wide policy enforcement system to enterprise admin Minor Performance Overhead Minimize performance overhead and resource consumption for mobile devices No Additional Infrastructure On-device SDN-based solution without deploying additional OpenFlow switches 13

Basic Idea (1/2) Abstraction inside the device App & Context awareness + Visibility SDN-transparent flow management No infrastructure required Mobile Device App A App B Host A Host B eth1 eth3 eth2 eth4 Hardware Switch HW v.s. SW vport1 vport3 vport2 vport4 Software Switch PBS Client WiFi 3G/4 G Host C Server Traditional SDN Data Plane PBS Model Inside the Device 14

Basic Idea (2/2) Dynamic Programmability SDN-based Network Programming Capabilities with: App & Context awareness + Visibility Policy language +Context App A App B Policy by Policy Language PBS (BYOD) Applications vport1 vport3 vport2 vport4 Software Switch PBS Client Programming Interface WiFi 3G/4 G App-aware Flow Manager Policy Manager Context PBS Client PBS Controller (SDN-based) 15

Operations Application-aware flow control Mobile App Enterprise App Facebook Email PBS Client App-aware Flow Control Policy Engine User Context Net Inf. WiFi 3G/4G BT PBS App PBS Controller PBS Business Server Enterprise Network WiFi Internet Security Middlebox BT 3G/4G 16

Operations Visibility (No hidden network) Mobile App Enterprise App Facebook Email PBS Client App-aware Flow Control Policy Engine User Context Net Inf. WiFi 3G/4G BT PBS App PBS Controller PBS Business Server Enterprise Network WiFi Internet Security Middlebox BT 3G/4G 17

Operations Proactive Policy Enforcement Mobile App Enterprise App Facebook Email Policy PBS Client App-aware Flow Control Action Policy Engine Policy User Context New Flow Policy Net Inf. WiFi 3G/4G BT PBS App PBS Controller PBS Business Server Enterprise Network WiFi Internet Security Middlebox BT 3G/4G 18

Operations Dynamic & Reactive Policy Enforcement Mobile App Enterprise App Facebook Email PBS Client Net Inf. App-aware Flow Control Action Policy Engine Policy User Context WiFi 3G/4G BT Stats Context Policy PBS App Policy BYOD Logic PBS Controller PBS Business Server Enterprise Network WiFi Internet Security Middlebox BT 3G/4G 19

Real-time Context Operations Mobile App Enterprise App Facebook Email PBS Client Net Inf. App-aware Flow Control Action Policy Engine Policy Event User Context WiFi 3G/4G BT Stats Context Policy PBS App Policy BYOD Logic PBS Controller PBS Business Server Enterprise Network WiFi Internet Security Middlebox BT 3G/4G 20

Operations Tailored to Mobile Environment Minimize the controller intervention Optimize app & context aware flow management Mobile App Enterprise App Facebook Email PBS Client Message PushDown Two-tiered Programming Short-circuit Net Inf. WiFi 3G/4G BT PBS App PBS Controller PBS Business Server Enterprise Network WiFi Internet Security Middlebox BT 3G/4G 21

Operations High-level Policy Language Makes policy definition simple without requiring expert knowledge on SDN. Policy PBS App BYOD Logic PBS Controller 22

Operations Policy Example1 Policy Example2 23

Outline Introduction & Motivation Related Work Challenges Our Solution PBS (Programmable BYOD Security) Evaluation Conclusion 24

Evaluation Performance Overhead Testing Environment LG Nexus 5 with a Qualcomm MSM8974Snapdragon 800 CPU Asus Nexus 7 tablet with an ARM Cortex-A9 Both run Android system version 4.4 (KitKat) Controller runs on Ubuntu Linux x64 with a Quad Core CPU with 8 GB RAM Benchmark tools used for the evaluation: Iperf, Antutu, Geekbench, Vellamo, and PCMark 25

Performance Network Throughput Benchmark Test duration as 10 minutes with a two-second interval between periodic bandwidth reports. 90 80 9% Bandwidth (Mbps) 70 60 50 40 30 20 10 W/O PBS W/ PBS 7% 0 NX5 NX7 Battery Overhead (PCMark) (Note that lower is better) 26

Performance System Performance Benchmark Nexus 5 Nexus 7 Type Benchmark NX5 PBS NX5 Overhead % Antutu 31824 33600 5.3 Vellamo 3009 3044 1.1 PCMark 15201 16122 5.7 Overall Geekbench 2994 3185 6.0 Vellamo 1599 1644 2.7 CPU Geekbench 6349 6744 5.9 Antutu 2199 2295 4.2 RAM Geekbench 2323 2440 4.8 Type Benchmark NX7 PBS NX7 Overhead % Antutu 17822 18076 1.4 Overall Vellamo 1524 1609 5.3 PCMark 10937 11187 2.2 Geekbench 1363 1435 5.0 CPU Vellamo 1016 1095 7.3 Geekbench 3233 3413 5.3 RAM Antutu 2252 2269 0.8 Geekbench 353 354 0.2

Use Cases Use Case 1: Network Activity Logging netlog Global visibility of app-aware flows Network behavior monitoring Configuration validation Security audit Managed Facilities Use Case 2: Network Policy Enforcement netpol Dynamic, reactive network policy Real-time context-specific programmability Use Case 3: App Flow Path Management netbal Traffic redirection for network load management Security management Isolation, redirection, quarantine, Inner N/W Comm. Restriction

Outline Introduction & Motivation Related Work Challenges Our Solution PBS (Programmable BYOD Security) Evaluation Conclusion 29

Conclusion We propose a new network security framework for BYOD, PBS (Programmable BYOD Security) We achieve dynamic, fine-grained network control of applications on mobile devices With PBS, administrators also benefit from the global network visibility and fine-grained policy programmability Without imposing much performance overhead, PBS-DROID can effectively enforce the dynamic network access control policy with users context information. 30

Thank You 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback