TRANSCRIPT
NetSecOps: Policy-Driven, Knowledge-Centric, Holistic Network Security Operations
(A collaborative project between the University of Kentucky and the University of Utah)
James Griffioen, Laboratory for Advanced Networking, University of Kentucky
NSF CC*/CICI PI Workshop 2017, Albuquerque, NM
October 3, 2017
NSF Campus Cyberinfrastructure PI and Cybersecurity Innovation for Cyberinfrastructure PI Workshop
October 3-4, 2017 | Albuquerque, NM
Quad Chart for: Secure and Resilient Architecture: NetSecOps: Policy-Driven, Knowledge-Centric, Holistic Network Security Operations (A collaborative NSF CICI project between Univ of Utah and Univ of KY)
http://www.flux.utah.edu/project/NetSecOps
http://www.netlab.uky.edu/NetSecOps

Challenge:
• Campus security operations rely on human domain experts to interpret and map high-level policy documents to low-level network configurations.
• Segments of the campus have very different policies and regulation.
• Data-intensive scientific research traffic often requires exceptions to IT policies.
• Goal: Assist IT security teams by automating operational steps that are tedious and error-prone.
  – Systematically capture campus network security policies.
  – Develop fine-grained control abstractions and SDN capabilities to implement both security policies and (research) policy exceptions.
  – Create policy traceability tools to verify integrity of policy mappings.
  – Reason about security using information from point solutions.

Solution/Approach:
[Figure: NetSecOps architecture diagram. Components: Network, Knowledge Store, Network Control, Existing Data Sources, Network Control Apps, Knowledge Discovery Apps, Policy Documents, Policy Generation & Verification Apps.]

Broader Impact:
• Limit or prevent the growing number of attacks on campus networks.
• Address the shortage of qualified security experts on campuses, and make IT security teams more effective.
• Advance scientific research, particularly research using big data.

Metadata tag: <to help others understand your current state – pick one or many>
• <project url> • <Ready for transition to practice!> • <Publications pending> • <Need collaborators!> • <Need more funds> • <Social media> • <Student engagement>
NetSecOps (Network Security Operations)
Basic Goal: Assist IT security teams by automating network security operational steps that are tedious and error-prone.
NetSecOps Architecture
[Figure: NetSecOps architecture diagram. Components: Network, Knowledge Store, Network Control, Existing Data Sources, Network Control Apps, Knowledge Discovery Apps, Policy Documents, Policy Generation & Verification Apps.]
How does this affect the design of Science DMZs?
Typical Campus Network
[Figure: campus network diagram. Labels: Internet, Edge Router, Firewalls, Middleboxes, Campus Core, Bldg A, Bldg B, Bldg C, HPC. Annotation: Middlebox Bottlenecks.]

Conventional Science DMZ
[Figure: the same campus network with a Science DMZ added; HPC is attached to the Science DMZ rather than behind the campus middleboxes.]

UKY SDN Core / UKY SDN Network
[Figure: the campus network with an SDN Core (three SDN Switches) inserted between the Campus Core and the Firewalls/Edge Router; HPC attaches to the SDN Core. Later slides add an SDN Controller managing the switches.]
Controller tells switches to:
1. Act like a legacy router by default
2. Route authorized science traffic directly to the edge (bypassing middleboxes)

[Figure: the same diagram with two paths drawn: the Normal Flow Path through the Middleboxes and Firewalls, and the High-speed Flow Path from the SDN Core directly to the Edge Router (a.k.a. VIP Lanes). Note: these are Policy Exceptions.]

UKY All-Campus Science DMZ
All-Campus Science DMZ: Flows (not machines) join the DMZ.
[Figure: the same diagram showing Normal Flow Path and High-speed Flow Path.]

Internet Performance Results
[Figure: throughput results plot; axes labelled in Mbps and Gbps.]
See ICCCN 2017 VIP Lanes paper.
Securing an All-Campus Science DMZ
• Scaling the Science DMZ to the entire campus
  – The number of machines is much larger
  – The number of potential users is much larger
  – The number of policies is much larger (policies are per flow, not per machine)
• Scaling the decision-making processes
  – Defining policies
  – Authorizing Users
  – Defining Trust relationships
Establishing/Managing Trust (in an All-campus Science DMZ)
• Authorized Bypass Flows: Authorized bypass traffic should be at the granularity of flows, as opposed to all Science DMZ traffic.
• Trusted Users: Users (not machines) should be authenticated and trusted (i.e., trust should be traceable to people, not machines).
• Limited Trust: User trust should be limited to a specific set of flows for a limited amount of time.
• Distributed Trust Infrastructure: Trust decisions should not be made by a single entity (e.g., campus IT), but rather should be distributed in a controlled way among trusted users.
• Dynamically Established Authorized Flows: Trusted users should be able to dynamically create authorized bypass flows.
• Refinable Trust: If a flow's characteristics cannot be known until the flow becomes active, trust should be refined to match the flow as soon as the flow appears.
• Trust, but verify: Users could misuse privilege in unauthorized ways. Usage should be verified.
• Backward Compatibility: Legacy applications should be able to make use of VIP Lanes without modification.
NetSecOps Policy Exceptions
• Flow space is arranged into a hierarchy
  – Root = all flows
  – Subnodes = strict subset of parent's flows
  – Flows defined by tuple (e.g., src/dst IP addrs and ports)
• Trusted Users assigned to manage portions of the hierarchy
  – Can instantiate a flow (i.e., create a policy exception)
  – Can delegate control to other Trusted Users
  – Delegation defines a hierarchy of responsibility
See ICCCN 2017 VIP Lanes paper

Example Policy Exception Tree
[Figure: tree of flow-space nodes; the nesting below follows from each child prefix being a strict subset of its parent's.]
Src: * Dst: * Group: Campus IT
  Src: 128.123.4.160/27 Dst: * Group: CoE IT
    Src: 128.123.4.160/28 Dst: * Group: CS Researchers
      Src: 128.123.4.160/29 Dst: * Group: VIP Lanes
      Src: 128.123.4.168/29 Dst: * Group: GENI Research
    Src: 128.123.4.176/28 Dst: * Group: ECE Researchers
  Src: 128.123.123.0/24 Dst: * Group: A&S IT
Policy tree is created by users in a distributed way (through a web server that maintains the policy tree).
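The flow-space hierarchy, delegation rule and time-limited exceptions from the two slides above, as an added example (not the NetSecOps project's own code): node names and prefixes follow the example tree, while the `FlowNode`, `delegate`, `authorized` and `instantiate` API is an assumption made here. Each delegation is rejected unless it is a strict subset of the delegating node, and a group may create a bypass only for flows inside a node it manages.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Added example, not the project's code. A node is a (src, dst) prefix pair
# managed by one group; "*" means any address. Ports are omitted for brevity.
@dataclass
class FlowNode:
    src: str
    dst: str
    group: str
    children: list = field(default_factory=list)

def _net(prefix):
    return ip_network("0.0.0.0/0" if prefix == "*" else prefix)

def strict_subset(parent, child):
    """Child's flow space must lie inside the parent's and be strictly smaller."""
    inside = (_net(child.src).subnet_of(_net(parent.src))
              and _net(child.dst).subnet_of(_net(parent.dst)))
    return inside and (child.src, child.dst) != (parent.src, parent.dst)

def delegate(parent, src, dst, group):
    """A trusted user hands control of a strict subset of its flows to another group."""
    child = FlowNode(src, dst, group)
    if not strict_subset(parent, child):
        raise ValueError(f"{group}: {src}->{dst} is not a strict subset of {parent.group}")
    parent.children.append(child)
    return child

def authorized(node, group, src_ip, dst_ip):
    """True if `group` manages a node (at any depth) whose flow space contains the flow."""
    if ip_address(src_ip) not in _net(node.src) or ip_address(dst_ip) not in _net(node.dst):
        return False
    if node.group == group:
        return True
    return any(authorized(c, group, src_ip, dst_ip) for c in node.children)

def instantiate(root, group, src_ip, dst_ip, now, ttl):
    """Create a time-limited policy exception (bypass flow) or refuse it (Limited Trust)."""
    if not authorized(root, group, src_ip, dst_ip):
        raise PermissionError(f"{group} does not manage flow {src_ip}->{dst_ip}")
    return {"src": src_ip, "dst": dst_ip, "group": group, "expires": now + ttl}

def example_tree():
    """The slide's example tree: Campus IT at the root, delegations below it."""
    root = FlowNode("*", "*", "Campus IT")
    coe = delegate(root, "128.123.4.160/27", "*", "CoE IT")
    delegate(root, "128.123.123.0/24", "*", "A&S IT")
    cs = delegate(coe, "128.123.4.160/28", "*", "CS Researchers")
    delegate(coe, "128.123.4.176/28", "*", "ECE Researchers")
    delegate(cs, "128.123.4.160/29", "*", "VIP Lanes")
    delegate(cs, "128.123.4.168/29", "*", "GENI Research")
    return root
```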
Thank You
Questions?
This work is supported, in part, by the National Science Foundation under NSF grants ACI-1642134, ACI-1642158, ACI-1541426 and ACI-1541380.