
Safe and Secure Ubiquitous Communication
Jan. 27, 2005
Atsuhiro GOTO
Information Sharing Platform Laboratories
Nippon Telegraph and Telephone Corporation (NTT)
Copyright 2005 NTT Information Sharing Platform Labs
1
Safe & Secure v.s. Easy & Simple
• “DVR attacked Web Server”, Sept. 2004
• How to cope with both Safe & Secure and Easy & Simple in a consumer appliance network?
• Two topics
  – A new remote configurable firewall system for home-use gateways
  – A detachable IPsec device for a secure consumer communication platform, “IPsec-Proxy technology”
2
Easy access to home-network
Location-free, device-free, secure and convenient access to the contents or devices at home.
[Diagram: a home network behind a home gateway (HGW) is reached over the Internet from outside the home: from school/office, from a hot spot / Internet cafe, from a friend’s house and from a relative’s house.]
Access control shown in the diagram:
• Access permitted for parents
• Access permitted for family members
• Access permitted for friends
• Unauthorized access is denied
Use cases shown in the diagram:
• Watch your children, pets, plants etc. while away from home
• Search and download documents which are stored at home servers
• Share digital photos of an event among group members
• Listen to the music stored at home servers
• Share digital photos with relatives
3
What is the option we have now?
• VPN? (e.g. L2TP, IPsec, SSL-VPN etc.)
  – Complex configuration
    • For both server and client.
  – Client software dependent
    • May require software installation
  – High-cost appliances
    • Mainly used in business
• Reverse proxy or application server?
  – FW/NAT problems
  – Vendor dependency
• Static firewall configuration?
  – Either the port is opened to people all over the Internet, or only a statically specified client is permitted to access
  – Configuration is still complex for end-users
    • IP address, port numbers, NAT rules…
We want a simpler and an easier way…
4
Our solution: a new security gateway
(1) Configuration supporting system: simplified configuration procedure of access policy settings for network appliances. UPnP based simple policy configuration yields an access policy for each device.
(2) Dynamic firewall system: on-demand creation of source address based firewall/NAT rules. Communication originated from the authenticated IP address is temporarily permitted.
[Diagram: the security gateway sits between the home network and the Internet. A user outside (office, friend’s house, Internet café, etc.) performs user authentication over SSL and then exchanges user data with the home network; an attacker’s unauthorized access is denied.]
5
Security gateway architecture
[Diagram: inside the gateway, next to other home gateway functions, a configuration supporting system (UPnP, interface I/F2 towards the NW appliances on the home network) and a dynamic FW system (SSL, interface I/F1 towards users on the Internet). Appliances register over UPnP; the configuration supporting system produces templates and ACLs; when a user from outside sends an access request over SSL, the dynamic FW system sets policy in the FW and user data can flow through it.]
Configuration supporting system – Universal Plug and Play (UPnP) based
• Creating templates for firewall/NAT rules based on UPnP requests from network appliances
• Also creates user-name based ACLs
• Templates and ACLs are used by the dynamic-firewall system
Dynamic FW system – on-demand creation of firewall/NAT rules
• Creates source-address based firewall/NAT rules to prevent ports from being opened to everyone
• Multiple rules can be applied to a single port
6
Photo demo
(the demo system)
[Diagram: home side – TV with web browser, network camera and Security Gateway; friend’s house – friend’s PC; the two sides are connected through a pseudo-Internet (hub).]
7
Connecting Device
1. Connect a new UPnP enabled network camera.
2. UPnP negotiation between the camera and the gateway.
3. The gateway does not open the port immediately, but creates firewall/NAT policy templates.
   Ex) TCP:80, IP address: 192.168.0.21
[Diagram: UPnP enabled NW Camera ↔ Security Gateway]
8
Editing ACL
You can optionally configure per-user ACLs using a web browser (ex. browser embedded TV).
Check boxes represent the user’s access rights to the network appliance.
9
FW control from outside
- accessing home from a friend’s PC
Access the security gateway with any web browser. User authentication over an SSL session is required.
Main page of the security gateway: each circle icon represents a set of firewall policy and ACLs for the corresponding appliance.
10
Activating policy
Clicking on an icon activates the policy. A red icon represents an activated appliance (e.g. ports are opened for the user’s PC).
11
Accessing home network
Once the firewall is opened for the user, you can access the home network appliance using an appropriate browser (ex. web browser).
Activation is valid until the user deactivates the policy or the main window is closed (e.g. the SSL session is destroyed).
12
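The procedure on slides 8 to 12 as a runnable model, added here as an example; it is not NTT's code. It follows the behaviour the slides describe: UPnP registration creates a rule template but opens no port, per-user ACLs decide who may activate a template, an activation from an authenticated session permits only that session's source address, several rules may coexist on one port, and closing the session removes the rules it created. The users, passwords, addresses and the second appliance are constructed; the SSL layer itself is assumed rather than modelled.

```python
# Added example: a constructed model of the slides' dynamic firewall, not NTT's
# code. Users, passwords, addresses and the second appliance are made up; the
# SSL transport is assumed rather than modelled.
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass(frozen=True)
class Template:
    name: str           # appliance name shown as an icon on the main page
    proto: str          # "TCP" or "UDP"
    port: int           # port the appliance asked UPnP to expose, e.g. 80
    inside_addr: str    # appliance address on the home network

@dataclass(frozen=True)
class Rule:
    template: Template
    src: str            # the authenticated user's current public address
    session_id: int     # owning SSL session; the rule dies with it

class SecurityGateway:
    def __init__(self, users):
        self._creds = {}                    # user -> (salt, pbkdf2 hash)
        for name, password in users.items():
            salt = os.urandom(16)
            self._creds[name] = (salt, _derive(password, salt))
        self.templates = {}                 # appliance name -> Template
        self.acl = {}                       # appliance name -> set of users
        self.sessions = {}                  # session id -> (user, src)
        self.rules = set()
        self._next_sid = 0

    # slide 8: UPnP negotiation yields a template but opens no port
    def upnp_register(self, name, proto, port, inside_addr):
        ipaddress.ip_address(inside_addr)   # reject malformed addresses early
        self.templates[name] = Template(name, proto.upper(), port, inside_addr)
        self.acl.setdefault(name, set())

    # slide 9: per-user ACL editing (the check boxes)
    def set_acl(self, name, user, allowed):
        (self.acl[name].add if allowed else self.acl[name].discard)(user)

    # slide 10: user authentication; returns a session id or None
    def login(self, user, password, src):
        salt, stored = self._creds.get(user, (b"", b""))
        if not hmac.compare_digest(stored, _derive(password, salt)):
            return None
        self._next_sid += 1
        self.sessions[self._next_sid] = (user, src)
        return self._next_sid

    # slide 11: clicking an icon installs a rule for this session's source only
    def activate(self, sid, name):
        user, src = self.sessions.get(sid, (None, None))
        if name not in self.templates or user not in self.acl[name]:
            return False
        self.rules.add(Rule(self.templates[name], src, sid))
        return True

    def deactivate(self, sid, name):
        self.rules = {r for r in self.rules
                      if not (r.session_id == sid and r.template.name == name)}

    # slide 12: closing the main window (SSL session) removes what it opened
    def close_session(self, sid):
        self.sessions.pop(sid, None)
        self.rules = {r for r in self.rules if r.session_id != sid}

    # the packet filter's decision: default deny; many rules may share a port
    def permits(self, src, proto, port, inside_addr):
        return any(r.src == src and (r.template.proto, r.template.port,
                   r.template.inside_addr) == (proto.upper(), port, inside_addr)
                   for r in self.rules)

def demo():
    gw = SecurityGateway({"parent": "correct horse", "friend": "battery staple"})
    gw.upnp_register("camera", "TCP", 80, "192.168.0.21")      # slide 8 example
    gw.upnp_register("homeserver", "TCP", 80, "192.168.0.30")  # constructed
    for name, user in [("camera", "friend"), ("camera", "parent"),
                       ("homeserver", "parent")]:
        gw.set_acl(name, user, True)
    camera = ("TCP", 80, "192.168.0.21")
    r = {"before_activation": gw.permits("203.0.113.5", *camera)}
    r["bad_password"] = gw.login("friend", "wrong", "203.0.113.5")
    friend = gw.login("friend", "battery staple", "203.0.113.5")
    r["friend_camera"] = gw.activate(friend, "camera")
    r["friend_homeserver"] = gw.activate(friend, "homeserver")  # not in its ACL
    r["friend_permitted"] = gw.permits("203.0.113.5", *camera)
    r["other_host_same_port"] = gw.permits("198.51.100.7", *camera)
    parent = gw.login("parent", "correct horse", "198.51.100.20")
    gw.activate(parent, "camera")
    r["rules_on_port_80"] = len(gw.rules)
    gw.close_session(friend)                  # friend closes the main window
    r["friend_after_close"] = gw.permits("203.0.113.5", *camera)
    r["parent_after_close"] = gw.permits("198.51.100.20", *camera)
    return r
```

The point the model makes visible is that port 80 is never "open" as such: the filter holds a set of (source address, template) pairs, so a second host probing the same port while the friend is connected is still refused, and the friend's own rule vanishes the moment the session that created it ends.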
Secure Network for Consumer Appliances
• Consumer appliance network
  – Easy-to-Use = Plug-and-play
• Secure network
  – protected against sniffing, falsification, spoofing and attacks
[Diagram: insecure network (current) → secure network (goal). Legend: easy-to-use secure device; consumer appliance; eavesdropper.]
13
Approach
• Plug-and-play
  place           Simplicity   Cost   Controllability
  In the router   △            ×      ○
  In the wire     ○            △      △
  In the stack    ×            ○      ×
• Secure protection
  protocol   Encryption   Authentication   Versatility
  SSL/TLS    ○            ○                ×
  IPsec      ○            △                ○
  L2sec      ×            △                ○
⇒ IPsec in the wire ⇒ IPsec bridge
14
IPsec-Proxy Technology
• Unique IPsec implementation
  – Bump in the wire
  – Non IP addressable
• Arrangement
  [Diagram comparing the two protocol stacks]
  – Current: appliance (w/ IPsec) – Application / IPsec / OS / Network device. The appliance has an IP address and does clear IP address communication over the Internet.
  – New: appliance (wo/ IPsec) – Application / OS / Network device, with IPsec outsourced to an IPsec-Proxy Adapter (IP bridge) – IPsec / OS / Network device. The adapter has no IP address and provides the secure communication.
15
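Why a bump-in-the-wire adapter can work without an IP address, shown as an added Python example that is not NTT's implementation. It applies ESP in transport mode, the mode the wrap-up slide names, to an IPv4 packet the appliance built: the appliance's own header stays on the packet and only the Protocol, Total Length and checksum fields change, so the adapter needs no address of its own (tunnel mode would instead prepend an outer header carrying the adapter's addresses). Integrity-only ESP (NULL encryption, RFC 2410, with HMAC-SHA-256-128, RFC 4868) is used because the standard library has no AES; a real adapter negotiates a confidentiality cipher as well. The SPI, key, addresses and HTTP payload are constructed values.

```python
# Added example, not NTT's code: transport-mode ESP applied by an adapter that
# has no IP address. Integrity-only ESP (NULL encryption, RFC 2410; HMAC-SHA-256-128,
# RFC 4868) stands in for a real cipher suite. SPI, key, addresses, payload: constructed.
import hashlib
import hmac
import struct

ESP_PROTO = 50     # IP protocol number for ESP
ICV_LEN = 16       # HMAC-SHA-256-128 truncates the tag to 128 bits
WINDOW = 64        # anti-replay window (RFC 4303 asks for at least 32)

def ip_checksum(hdr: bytes) -> int:
    # one's-complement sum of the header; the checksum field must be zero
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    # minimal 20-byte IPv4 header (no options) in front of the payload
    addr = lambda a: bytes(map(int, a.split(".")))
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                                0x1234, 0, 64, proto, 0, addr(src), addr(dst)))
    struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
    return bytes(hdr) + payload

def parse_ipv4(pkt: bytes):
    # returns (header length, protocol, src, dst)
    dotted = lambda b: ".".join(map(str, b))
    return (pkt[0] & 0x0F) * 4, pkt[9], dotted(pkt[12:16]), dotted(pkt[16:20])

def rewrite_header(hdr: bytes, proto: int, payload_len: int) -> bytes:
    # the only fields transport mode touches: Protocol, Total Length, checksum;
    # source and destination stay the appliance's, so the adapter needs none
    h = bytearray(hdr)
    h[9] = proto
    struct.pack_into("!H", h, 2, len(h) + payload_len)
    struct.pack_into("!H", h, 10, 0)
    struct.pack_into("!H", h, 10, ip_checksum(bytes(h)))
    return bytes(h)

class EspTransportAdapter:
    def __init__(self, spi: int, key: bytes):
        self.spi, self.key = spi, key
        self.seq = 0                    # outbound sequence number
        self.high, self.bitmap = 0, 0   # inbound anti-replay window state

    def _icv(self, data: bytes) -> bytes:
        return hmac.new(self.key, data, hashlib.sha256).digest()[:ICV_LEN]

    def protect(self, pkt: bytes) -> bytes:
        # appliance -> network: ESP header + payload + trailer + ICV
        ihl, proto, _, _ = parse_ipv4(pkt)
        payload = pkt[ihl:]
        self.seq += 1
        pad_len = (-(len(payload) + 2)) % 4        # 4-byte alignment of the trailer
        body = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, proto])
        esp = struct.pack("!II", self.spi, self.seq) + body
        esp += self._icv(esp)
        return rewrite_header(pkt[:ihl], ESP_PROTO, len(esp)) + esp

    def unprotect(self, pkt: bytes):
        # network -> appliance: verify ICV and sequence, then restore the packet
        ihl, proto, _, _ = parse_ipv4(pkt)
        if proto != ESP_PROTO:
            return None
        esp, icv = pkt[ihl:-ICV_LEN], pkt[-ICV_LEN:]
        if not hmac.compare_digest(self._icv(esp), icv):
            return None                            # forged or corrupted
        spi, seq = struct.unpack("!II", esp[:8])
        if spi != self.spi or not self._accept_seq(seq):
            return None                            # wrong SA or replayed
        pad_len, next_hdr = esp[-2], esp[-1]
        payload = esp[8:len(esp) - 2 - pad_len]
        return rewrite_header(pkt[:ihl], next_hdr, len(payload)) + payload

    def _accept_seq(self, seq: int) -> bool:
        # RFC 4303 sliding window: newer numbers advance it, older must be unseen
        if seq > self.high:
            self.bitmap = ((self.bitmap << (seq - self.high)) | 1) & ((1 << WINDOW) - 1)
            self.high = seq
            return True
        diff = self.high - seq
        if diff >= WINDOW or (self.bitmap >> diff) & 1:
            return False
        self.bitmap |= 1 << diff
        return True

def demo():
    key = bytes(range(32))                          # constructed 256-bit key
    camera_side = EspTransportAdapter(0x1001, key)  # adapter in front of the camera
    peer_side = EspTransportAdapter(0x1001, key)    # adapter at the other end
    clear = build_ipv4("192.168.0.21", "203.0.113.5", 6, b"GET / HTTP/1.0\r\n\r\n")
    wire = camera_side.protect(clear)
    _, proto, src, dst = parse_ipv4(wire)
    restored = peer_side.unprotect(wire)
    replayed = peer_side.unprotect(wire)            # same packet a second time
    tampered = peer_side.unprotect(wire[:-ICV_LEN] + bytes(ICV_LEN))
    return {"wire_proto": proto,
            "addresses_unchanged": (src, dst) == ("192.168.0.21", "203.0.113.5"),
            "round_trip": restored == clear,
            "replay_rejected": replayed is None,
            "tamper_rejected": tampered is None}
```

The header the camera wrote leaves the adapter with its own source and destination intact and Protocol set to 50, which is exactly what lets the adapter stay "non IP addressable"; the receiving adapter also enforces the anti-replay window and integrity check before handing the restored packet to its appliance.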
Prototype and Experiment
[Photo: the IPsec-Proxy prototype (Prototype A) and its experimental set-up connected to the Internet]
• Board: 3.5 inch; CPU: 133MHz (486 compatible); MEM: 32MB; Ethernet: 10Base-T
• Connectors: Ethernet port, CF card slot, serial port for debugging
16
Wrap-up
• How to cope with both Safe & Secure and Easy & Simple in a consumer appliance network?
• Two topics
  – A new remote configurable firewall system for home-use gateways
    • Easy to set up; dynamically opens/closes ports
  – True plug-and-play “IPsec-Proxy technology” for a secure consumer communication platform
    • “non IP addressable”
    • “transport mode (not tunnel mode)”
17