淘宝怎么延长收货时间

AProtectionArchitectureforEnterpriseNetworks

(andcommentsonsecurity-centricnetworkdesign)MartinCasado(Stanford)TalGarfinkel(Stanford)AdityaAkella(CMU/Stanford)MichaelFreedman(NYU)DanBoneh(Stanford)NickMcKeown(Stanford)ScottShenker(ICSI/Berkeley)WhatI’mGoingtoTalkAboutAlotaboutsecurityintheEnterpriseAlittlebitaboutsecurityontheInternetGenerallyexploitthisopportunitytopontificateRemember..thisisCleanSlateMaybealittle“out-there”Maybealittle“wrong”Supposedtofomentideasanddiscussion

(sopleaseinterruptme)Publicvs.PrivateNetworksPublic(google,ebay,etc.)Getaswideexposure(mostly)everyonewelcomeWantsomeprotectionfromevil-doersPrivate(internalcommercial,financialetc.)SpecialpurposeLimiteduserbaseKnowswhat’srunningwhere

Fundamentallydifferent

(butusesametechnologies)AbilitytoidentifyindividualusersAbilitytorevokeaccesstoindividualusers

(stopthemfromusingyournetworkresources)Abilitytodeterminelocationofindividualusers

(regulatorycompliance)

(moreonthislater)InfrastructureSupportforPublicServicesidentifyindividualusersbyuseridrevokeaccesstousersdeterminelocationofindividualusers

andstrictlydefineconnectivitybetweenusers,hosts,services,protocolsandaccesspointscontrolroutesatthesessionlevelcentralizedtrustandcontrolrestrictaccesstoinformationInfrastructureSupportforPrivateNetworksidentifyindividualusersbyuseridrevokeaccesstousersdeterminelocationofindividualusers

andstrictlydefineconnectivitybetweenusers,hosts,services,protocolsandaccesspointscontrolroutesatthesessionlevelCentralizedtrustandcontrolRestrictaccesstoinformationSupportedbyIPMotivationPunchLineAttemptingtodoallthesethingstoday

…butwithoutthesupportofthearchitecture

Resultis:InsecurenetworkInflexiblenetworkHardtomanagenetworkDefiningConnectivityWhy?AttemptatlimitingresourcestothatwhichisneededLimitdamageofinternalmalware,perimeterbreach,orinsider

Today:UselotsoffilteringMAC,IP,transportPhysicalports(VLANs)Deeppacketinspection(e.g.firstdatapacketofaprotocol)FullproxiesAccesscontrollistsonservices

(notnetworkaware…butcouldbe!)DefiningConnectivity(thebad)NetworkonlyreallyawareofaddressesFirewallrulesembedstopologyintoconfigurationstateDifficulttomovemachinesHardtoreadandunderstand

(100klinesofproprietary,differentconfigurations)Forwardingpathunawareoffilteringrules WilltrytocircumventifitcanAddinganewnetworkcomponentnotgood

(hencehave“choked”networks)Higherlevelfilteringcanbeunderminedbylowerlevels

(e.g.permissivelinklayer)ControlOverRoutingWhy?Differentaccesspointshavedifferentsecurityrequirements(e.g.wirelessusersmustgothroughhttpproxy)Differentprotocolshavedifferentsecurityrequirements(e.g.allfilessentoverIMmustbecheckedforviruses)Differentusergroupshavedifferentsecurityrequirements(e.g.logallconnectionsfrommarketing)Today:makeallroutesgothroughthesamepoint(large,expensivedo-it-allproxies)Orusetwo/three/fourseparatenetworksOrapplicationprotocolawarerouting(CiscosOER,applicationawarerouting)CentralizedTrustandControlWhy?LimitednumberoftrustedcomponentsNetworksoftencentrallyadministeredPrettynewarea,butproductsarestartingtopopupConsentryApaniSecurifyNetworksbynaturearedistributedDistributedroutingcomputation(trusteveryrouter)Many(manymany)heavilytrustedcomponents(DNS,DHCPserver,gateway,routers,switches,end-hosts,directoryservices,authenticationservices,proxiesetc.)RestrictAccesstoInformationWhy?(firstresourceavailabletoattacker)Turnoff(normallyfilterathostorperimeterfirewall)RSTICMP(TTLTimeexceeded,echoreply,portunreach)DetectARPscansAutomatedIPscansLimitvisibilitynetworkresourcesVLANNATs,Proxiesetc.Stillreallyhardtodo(e.gTopologyinformationpassedunencryptedinroutingprotocols)No““switch””forauditing(shouldbecontrolledthesameasotherresources)RetrofittingSecurityontoIPDesignedforSecurityFirewalls,RouterACLSPortSecurityIDS/NDS/IPS(scandetection,anomalydetection,signaturedetection)VLANsPushedIntoServiceEthernetSwitchesNATs,ProxiesPhysicalDatalinkNetworkTransportApplicationInflexibleHardtomoveamachine(yetdifficulttoknowifsomeonehasmoved)ReallydifficulttodeployanewprotocolBrittleChangeafirewallrule,breaksecuritypolicyAddaswitch,breaksecuritypolicyConfusingManydisparatepointsolutionsState=abunchofsoftstateHardtostatemeaningfulpoliciesLoseredundancyIntroducechokepointsCan'tmigrateroutesb/cofallthesoftstateCommonSolutions=CrummyNetworks

(andmediocresecurity)ArgumentThusFarEnterprisenetworksuseIP(designforInternet)IPnotdesignedforattackresistancepermissiveUnauthenticatedend-pointsNoknowledgeofapplicationprotocolsHeavilydistributed(proliferationofTCB)NosupportforubiquitousloggingAttemptstoretrofitaccesscontrolshaveresultedinless-than-idealnetworksConfusingBrittleEtc.LetsStartfromScratchLeveragecharacteristicsuniquetoEnterpriseCentrallymanagedKnownusersStructuredconnectivityReducenumberoftrustedcomponentsSimplifypolicydeclarationRetainflexibilityandredundancy(decoupletopologyandsecuritypolicy)InsteadofDefaulton+filterDefaultoff+permissionDistributed,crypticpolicysimpleandcentralizedsecuritychoke-pointfinegrainedcontrolofroutesDistributedtrustcentralizedPermissivelinklayerlowlevelenforcementMomentaryDetourCurrentlytwocompetingapproachestosecuringEnterprise:A)Detectwhenthingsarebadbehaviorally(e.g.anomalydetection)Don’tknownetworkstateHowareyougoingtodefineanewprotocol?Whatifyourheuristicsarebad?B)StrictlydefinewhatispermissibleLimitconnectivitytowhatisneededtogetthejobdoneAssumetrafficusingthatisOKSANEDeclarepolicycentrallyoverusers,protocols,servicesandaccesspointsAllcommunicationsrequirea““capability””fromacentralarbiterCapabilitiesencodetherouteAllswitchesenforcethecapability(itisincludedandenforcedatlayer2)CapabilityProvidesIsolationLayerPhysicalDatalinkNetworkTransportApplicationIntroducelayer2.5IsolationLayerEthernetSANEIP..Contains,encrypted,immutable,route1,43,22,1ServiceportMACMACMACMACEsw1Esw2CAP-IDExpirationSANE:ActionSequence!Publishmartin.friends.ambient-streams

allowtal,sundar,adityaAuthenticatehi,I’mmartin,mypasswordisAuthenticatehi,I’mtal,mypasswordisRequest1434413122Ambientstreams13122Clientport14344Ambientstreams13122Clientport4344Ambientstreams13122Clientport344Ambientstreams13122Clientport44Ambientstreams13122Clientport13122Clientport4AmbientstreamsSANE:OverviewDomainControllerSwitchesEnd-HostsAuthenticatesusersContainsnetworktopologyHostsservices(byname)ManagespermissioncheckingCreatesandissuescapabilitiesSendtopologyinformationtotheDCProvidedefaultconnectivitytotheDCValidatecapabilitiesForwardpacketsbaseoncapabilityEnforcerevocationsPublishservicesattheDCSpecifyaccesscontrols(exportstreams.ambientallowtal)RequestaccesstoservicesUseappropriatecapabilityforeachpacketPermissioncheckbeforeconnectivity(Usersonlyaccessresourcestheyhavepermissionto)PolicyenforcedateveryswitchCentralized,simplypolicydeclaration(topologyindependent)ControlofroutesInformationrestrictedtoadministratorAuthenticatedendhosts(boundtolocation)SecurityPropertiesCentralpointforconnectionlogging(DC)Additionofswitches(redundancy)doesnotunderminesecuritypolicyAnti-mobilityOtherNicePropertiesBut……HowtocommunicatewiththeDC?HowtoprotecttheDC?HowtosecurelygettopologytoDC?GotoDCforeachflow…areyouinSANE?Thisisreally,reallycleanslateForkliftupgradeentirenetworkChangeallend-hoststoworkwithcapabilitiesChangenotionofservicesandnamingSwitchesconstructspanningtreeRootedatDCSwitchesdon’’tlearntopology(justneighbors)ProvidesbasicdatagramservicetoDCConnectivitytotheDCSwitchesauthenticatewithDCandestablishsymmetrickeyIke2forkeyestablishmentAllsubsequentpacketstoDChave“authenticationheader””(similartoipsecespheader)Ksw1Ksw2Ksw3Ksw4Ksw1Ksw3Ksw4Ksw2SwitchAuthenticationEstablishingTopologySwitchesgenerateneighborlistsduringMSTalgorithmSendencryptedneighbor-list

toDCDCaggregatestofulltopologyNoswitchknowsfulltopologyKsw1Ksw2Ksw3Ksw4Ksw1Ksw3Ksw4Ksw2Centralized?(andyoucallyourselfanetworkresearcher)Existstoday..Sortof(DNS)Permissioncheckisfast(andcontrolpath!=datapath)ReplicateDCComputationally(multipleservers)Topologically(multipleserversinmultipleplaces)Loadsaren’tashighasyoumightthinkUsefirstpacketofflowforpermissioncheckPorts,IPaddressesCanguessapplicationtypeInsteadofsourceroutesusevirtualcircuitsInsteadofreplacingswitches,add“bumps”BackwardsCompatibility(Ethane)ConnectionSetupSwitchesdisallowallEthernetbroadcast

(andrespondtoARPforallIPs)FirstpacketofeverynewflowissenttoDCforpermissioncheckDCsetsupflowateachswitchPacketsofestablishedflowsareforwardedusingmulti-layerswitchingDC<src,dst,sprt,dprt><ARP,bob>AliceBob<ARPreply>?<src,dst,sprt,dprt>EasingDeploymentUsetrivial2-portswitches(bumps)Onlinksbetween

EthernetswitchesCanbeenhancedbyusingVLANperportStatusBuiltsoftwareversionSANEAllcomponentsinsoftwareRaningroupnetwork(7hosts)1monthCurrentlyindevelopmentof““Ethane”Switchesinhardware+softwareDCusingstandardPCNetworkSupportforPublicServices?AbilitytoidentifyindividualusersAbilitytorevokeaccesstoindividualusersAbilitytodeterminelocationofindividualusers

(regulatorycompliance)Problem:IdentityFirstlevelofidentityistheIPaddressIsitforged?(maybe)IshalfofThailandbehindit?(maybe)ObviouslyabaddiscriminatorAllow1person,allowhalfofThailand(e.g.IPA)Ban1person,banhalfofThailand(e.g.AOLproxies)Today’ssolution?Usehigh-bandwidthinfrastructureforTCPhandshakeUseseparate,low-functionloginserviceOnlyallow““blessed”sessionstouseservicesIsthissufficient?Tomorrow’ssolution?(hip?Note……IPv6doesnothingtohelpushere)Problem:ProtectingDownstreamBWLotsofsharedqueues(crosstraffic)PacketsmaynotgettodestinationtotriggerfilteringImanuallysetmyTTLIfutzwiththetransportchecksumsoyourproxydropsitSYNpacketsourcemaybeforged(cannotfilter)Note:Overprovisionbymagicalpowerof2notreallyhelpfulToday’’ssolutionsGetfloodedIdentify“aggregates””inthenetworkHiresomeoneelsetofigureoutwhatisgoingonThirdPartyVettingModelLikelyper-flowstateAndotheranomalydetectionvoodoopeerpeerpeerpeerIPsectunnelOrprivatecircuitIsthistherightmodel?Isper-flowstateatafewpointsratherthanthroughoutthenetworkOK?Howabouthavingastatic,layer-2circuittoprotecttrustrelationships(soundsreasonabletome)CanwegeneralizethistoofferandsupportasaservicefromtheInternet?Problem:GeoLocationInformationisn’’treallystoredanywhereRegistriesaren’’taccurateDNSlocisn’twidelyusedPeopleliewhenfillingoutonlineaccountsProxiesandDial-UpsfurthercomplicatethingsTodayssolution?Alotofbadacademictools(e.g.unDNS,netgeo)Afewdecentcommercialofferings(Quova,Akamai)Offering90–95%accuracyatcountrylevelStill,maybebreakingthelaw5%ofthetimeTomorrowssolution?shouldthisevenbeatthenetworklevel?ohno!,whataboutprivacy?SecurityandtheInternetDoesIPprovideadequatesecuritythepublicNetworks?(no,butitsprettyclose..)WillafutureInternetlooksimilartoIP(maybe)Whatistheproblemthen?MalwareSPAMAdmissionControlPhishingetc.Questions?ControlofroutesispowerfulDCcanforceroutesthroughmiddlebox

basedonpolicyE.g.signaturedetectionfor

allflowsfromlaptopsandusersinmarketingSignaturedetectionMiddleboxIntegrationDecouplecontrolanddatapathinswitchesSoftwarecontrolpath(connectionsetup)(slightlyhigherlatency)Simple,fast,hardwareforwardingpath(Gigabits)PerformanceIncidentalattacks(phishing,spam,worms,viruses,kiddies)External,TargetedAttacksCompetitors(e.g.)Idealists(e.g.SCO)Insiders(29%ofallattacks?)EnterpriseThreatEnvironmentIncidentalattacks(worms,viruses,kiddies)ExternalTargetedAttacksMoreaccesstoresourcesAbilitytohireskilledattackerInsiders(29%ofallattacks?)Locality(accesstointernalnetwork)KnowledgeofinternalworkingsEnterpriseThreatEnvironmentExample:ExternalTargetedAttackTarget:Largecompany(B)AttackerProfile:RulesofEngagement:NophysicalaccessCannotlimitavailabilityofnetworkresourcesGoals:MapoutoperationsGainaccesstosensitiveinformationAbilitytodisruptinternalcommunica