This presentation covers Gen Z s Security capabilities.

Similar documents
This presentation covers the basic elements of the Gen Z protocol.

This presentation cover Gen Z Access Control.

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

This presentation provides a high level overview of Gen Z unicast and multicast operations.

Mobile ad hoc networks Various problems and some solutions

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP,

CIP Security Phase 1 Secure Transport for EtherNet/IP

Gen-Z Identifiers September Copyright 2016 by Gen-Z. All rights reserved.

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

School of Computer Sciences Universiti Sains Malaysia Pulau Pinang

IP Security. Have a range of application specific security mechanisms

Cryptography and Network Security

RID IETF Draft Update

Automotive Security An Overview of Standardization in AUTOSAR

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

CSCE 715: Network Systems Security

A Solution Framework for Private Media in Privacy Enhanced RTP Conferencing (draft-jones-perc-private-media-framework-00)

When the Lights go out. Hacking Cisco EnergyWise. Version: 1.0. Date: 7/1/14. Classification: Ayhan Koca, Matthias Luft

IMPLEMENTING MICROSOFT CREDENTIAL GUARD FOR ISO 27001, PCI, AND FEDRAMP

Sample excerpt. Virtual Private Networks. Contents

VPN Overview. VPN Types

The IPsec protocols. Overview

Who s Protecting Your Keys? August 2018

IPSec. Overview. Overview. Levente Buttyán

CSC 6575: Internet Security Fall 2017

AN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP

Secure Network Access Authentication (SeNAA)

On the Internet, nobody knows you re a dog.

This presentation covers Unsolicited Events notification and handling, and standalone acknowledgments used to confirm reliable delivery or

Wireless Network Security Spring 2015

Cisco Live /11/2016

Chapter 10: Cipher Techniques

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

Encrypted Phone Configuration File Setup

Distributed Systems. Lecture 14: Security. Distributed Systems 1

Virtual Private Networks.

Networking interview questions

A Survey of BGP Security Review

Virtual Private Networks

Distributed Systems. Lecture 14: Security. 5 March,

Control Plane Security Overview

Communication Networks ( ) / Fall 2013 The Blavatnik School of Computer Science, Tel-Aviv University. Allon Wagner

Virtual Private Network

This presentation covers Gen Z Operation Classes, also referred to as OpClasses.

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

CCEVS APPROVED ASSURANCE CONTINUITY MAINTENANCE REPORT

Client-side Defenses for Context-Aware Phishing and Transaction Generator Spyware

Security Requirements for Crypto Devices

Configuring Security for VPNs with IPsec

Configuring Internet Key Exchange Security Protocol

DNS Security DNSSEC. * zo.net/papers/dnssec/dnss ec.html. IT352 Network Security Najwa AlGhamdi

Security protocols. Correctness of protocols. Correctness of protocols. II. Logical representation and analysis of protocols.i

Internet 3.0: Ten Problems with Current Internet Architecture and a Proposal for the Next Generation

Routing Security* CSE598K/CSE545 - Advanced Network Security Prof. McDaniel - Spring * Thanks to Steve Bellovin for slide source material.

IPv6 Security Vendor Point of View. Eric Vyncke, Distinguished Engineer Cisco, CTO/Consulting Engineering

A Survey of BGP Security: Issues and Solutions

CIS 6930/4930 Computer and Network Security. Topic 8.1 IPsec

CSE543 Computer and Network Security Module: Network Security

Message authentication. Why message authentication. Authentication primitives. and secure hashing. To prevent against:

Cryptography and Network Security. Sixth Edition by William Stallings

CloudBridge :31:07 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

Inter-domain routing validator based spoofing defence system

AIT 682: Network and Systems Security

TCP/IP-2. Transmission control protocol:

Wireless Network Security Fundamentals and Technologies

Some optimizations can be done because of this selection of supported features. Those optimizations are specifically pointed out below.

Network Encryption 3 4/20/17

CRYPTOGRAPHY AND NETWROK SECURITY-QUESTION BANK

Lecture outline. Internet Routing Security Issues. Previous lecture: Effect of MinRouteAdver Timer. Recap of previous lecture

Internet security and privacy

TSIN02 - Internetworking

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

Improving Security in Embedded Systems Felix Baum, Product Line Manager

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls (IDS and IPS) MIS 5214 Week 6

Student ID: CS457: Computer Networking Date: 5/8/2007 Name:

Cipher Suite Configuration Mode Commands

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Secure Multi-Hop Infrastructure Access

DNS Cache Poisoning Looking at CERT VU#800113

Detecting Insider Attacks on Databases using Blockchains

S Series Switches. MACsec Technology White Paper. Issue 1.0. Date HUAWEI TECHNOLOGIES CO., LTD.

NETCONF Access Control

GEN-Z AN OVERVIEW AND USE CASES

Wireless Network Security Spring 2016

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

A QUICK INTRODUCTION TO THE NFV SEC WG. Igor Faynberg, Cable Labs Chairman ETSI NFV SEC WG

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Reflections on Security Options for the Real-time Transport Protocol Framework. Colin Perkins

Atmel Trusted Platform Module June, 2014

NETWORK INTRUSION. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

CONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements

Stream Control Transmission Protocol (SCTP)

Combating Common Web App Authentication Threats

CMSC 414 S09 Exam 2 Page 1 of 6 Name:

Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy

Cryptography and Network Security Chapter 1

COSC 301 Network Management. Lecture 15: SSL/TLS and HTTPS

Transcription:

This presentation covers Gen Z s Security capabilities. 1

2

Gen Z architecture assumes every component is an attack vector. This is critical to appreciate, as time and again cyber attacks have exploited hardware and software that take no steps to authenticate access and establish trust. This slide illustrates how attacks are carried out today at all levels irrespective of the interconnect used. 3

This slide provides a high level breakdown on malicious component threats. Again, these threats are interconnect independent, and cyber attacks make use of these on a regular basis. 4

This slide describes aset of high level actions that can be used to mitigate the threats posed by malicious components. All of these actions are supported by Gen Z, and can be applied to any Gen Z based solution. The payload within a Gen Z packet can be encrypted to ensure privacy. Gen Z supports packet deadlines to enable more aggressive end to end request packet retransmission timers. Gen Z supports Hash based Message Authentication (HMAC) that can be included in any explicit OpClass packet. Gen Z Explicit OpClass packets contain Access Keys and select request packets contain R Keys to provide hardware enforced access control. Further, Gen Z supports additional access control and packet filtering to ensure components can communicate only with configured peers. Gen Z explicit OpClass packets can include an anti replay field (sequence number or precision time based) to ensure request packets are not intercepted and replayed multiple times. Precision time request and responses are exchanged using explicit OpClass packets, and can be cryptographically secured. 5

Gen Z architecture specifies mechanisms that cover all of the listed mitigations. 6

Gen Zspecifies the detailed steps to validate all packets and the actions to take upon detecting an issue. Gen Z supports HMAC to provide strong packet authentication. Gen Z supports anti replay protection in conjunction with HMAC to ensure packet uniqueness. Further, each packet is uniquely identified by a combination of its source component identifier, destination component identifier, and Tag or sequence number (SODonly). Gen Z supports multiple packet injection rate (congestion management) and access control mechanisms to provide hardware enforced isolation and permission validation. Components can encrypt data payloads to ensure privacy, can apply higher layer authentication mechanisms, e.g., service or service instance information, can replicate data or interleave memory in conjunction with erasure codes, etc. 7

All explicit OpClass packets may contain the Next Header field (the field is present if NH == 1b. Gen Z specifies control structures that enable the Next Header field to be applied to all explicit OpClass communications, to only control plane communications, on a per peer component basis, etc. Gen Z specifies the Component Security structure to provide security certificate and TIK (Transaction Integrity Key) management. A component can support multiple certificates and TIKs enabling different authentication to be applied per peer component. If a component detects a security violation, it can be configured to immediately inform management without informing the source component. Management can take steps to isolate, reset, or shutdown the source component based on customer specific policies. 8

The current specification supports three ART types: A per TIK sequence number. New or retransmitted packets must contain a SNA that is greater than or equal to the expected sequence number. Further, the SNA needs to fall within a window to prevent a malicious component from advancing the sequence number such that it will be easier to hijack communications. A Precision time ART requires global precision time management, i.e., not on a per TIK basis. All participating components advance their understanding of precision time, hence, any component can detect if a new packet falls within the configured precision time window. Packets that fall outside of this window are treated as malicious. Null ART this indicates ATR detection is disabled. 9

In Situ insertion is the physical interposition of hardware, e.g., crocodile clips or a Y cable to physically collect and / or modify packets. If all components support the Component Security structure, then a key management system can be used to populate the security certificates and TIKs. Certificates and TIKs can be populated such that these values can be trusted. Management ensures that only authorized components can communicate with one another. Switches can provide a limited level of packet filtering. For example, during leaf component configuration, a switch can filter any non Control OpClass packets to prevent the component or any other component from communicating with the component under configuration. Once configured or through a Link CTL exchange, the switch can filter the SCID / SSID in all packets to ensure that a leaf component only transmits packets corresponding to its component identifier. Though outside of the specification s scope, management can use a challenge response protocol to authenticate the public / private keys. Such a protocol can be transported in Gen Z Read / Write or Write MSG or Vendor defined packets. 10

The Component Security structure is used to manage security services. It contains a set of tables: Pointers to the component s security certificates. A component can support multiple security certificates. A certificate table containing all of the security certificates used by this components and its peer. This table can contain security certificates that are not used for Gen Z, e.g., for higher level security services such as encryption. A Transaction Integrity Key table. A TIK is a secret shared between the communicating components. Each entry specifies one of the 10 possible hash functions used perform HMAC, a sequence number to track how often this entry was updated, and the size of the TIK itself. A component uses the Component PA structure to locate the Certificate and TIK table entries. This enables a component to quickly identify a unique entry per component or to use a wildcard set of values applied to all communications. 11

This concludes this presentation. Thank you. 12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback