Security at Line Speed


Security at Line Speed:
Integrating Academic Research
and Enterprise Security
Topics
• Overview – Ken Klingenstein
• Wireless, Security and Performance: A Tale to Tell – Steve Wallace
• The needs of the many and the needs of the few – Terry Gray
• Next steps – Charles Yun
Acknowledgements
• National Science Foundation, ANIR
• Internet2 support staff
• Program Committee
  • Guy Almes, Jeff Schiller, Ken Klingenstein, Steve Wallace, Charles Yun
  • Terry Gray, fearless and tireless
• Participants
S@LS Workshop 2003
• NSF-sponsored workshop, in conjunction with Indiana University, Internet2, the Massachusetts Institute of Technology and the University of Washington
• 1.5-day workshop
• Held in Chicago, Illinois
• 12-13 Aug 2003
Project Goals
• Effective practices whitepaper: technology oriented, architectural principles and specific recommendations
• Research agenda suggestions to NSF and any other agencies that might be interested
• Recommendations for mechanisms for maintenance of the above
Workshop Structure and Mechanics
• Big picture
  • What are the basic tensions and dynamics?
  • What are the possible futures?
• Drill downs
  • IPv6, private addresses and NATs, firewalls, IDS
• Summaries and next steps
  • Practical recommendations
  • Policy requirements
  • Research agenda
A Few Thoughts
• There needs to be some connection with a trust fabric, at several levels of the stack.
• There are internal and external trust fabrics to consider.
• What does the potential existence of a middleware fabric (directories, authentication, authorization assertions, etc.) mean for the network?
• What does the reemergence of circuit-switched technologies mean for enterprise security? What does the development of non-IP transports mean for enterprise security?
• Performance requirements of research computing are easier to predict than configuration requirements.
• Configuration requirements range from opening ports to multicast capabilities.
A few more thoughts
• How do the requirements of universities for enterprise security compare to those at government labs?
• How can enterprises work with research funding agencies to improve the delivery of network services to campus-based researchers?
Workshop Findings
• First, and foremost, this is getting a lot harder
• 2003 seems to mark a couple of turning points
  • New levels of stresses
  • Necessary but doomed approaches
• There are areas to work in
  • Architectures and technologies
  • Interactions with middleware
  • Education and awareness, always a need
• There is some applied research that would be helpful
• There are some non-technical issues that need to be worked to achieve real security at real line speed…
By “Line Speed”, we really mean…
• High bandwidth
• Exceptionally low latency, e.g. remote instrument control
• End-to-end clarity, e.g. Grids
• Exceptionally low jitter, e.g. real-time interactive HDTV
• Advanced features, e.g. multicast
Architectures
• A mix of perimeter defenses, careful subnetting, and desktop firewalls
• Separation of internal and external servers (e.g. SMTP servers, routers, etc.)
• Managed and unmanaged desktops
• Cautions:
  • Cost
  • Traffic loads
  • Diagnostics
Integration with middleware
• Network authentication and authorization
  • Of users
  • Of devices
• What is done after authentication?
  • Access
  • Scanning
  • Patching
  • Configuration of local firewalls
  • Subnetting
  • Configuration of performance parameters
• Accommodating distinctive needs of higher education
  • Network mobility
  • Role-based access
Applied Research and Research Computing
• Policy-based firewalls
• Easier connections of IDS with other enterprise services and systems
• Unlisted IP addresses – asymmetric connectivity
• Inform research computing environment developers (e.g. Grids) about the real-world security issues and approaches being deployed.
Non-technical issues
• Proposals may be funded that haven’t gotten agreements from campus IT on architecture
• Policies on encryption
• Policies on permitting new applications (e.g. video)
• Inconsistencies in what campuses will permit will affect inter-institutional collaborations
• Trust fabrics need to underpin security
• Pulling policies from several disparate but applicable sources