1 / 15

ISSUES RELEVANT TO DISTRIBUTED SECURITY

ISSUES RELEVANT TO DISTRIBUTED SECURITY. CSC8320. Outline. Content from the book Recent Work Future Work. Distributed Systems Security. Different from operating system security No central trusted authority that mediates interaction between users and processes.

marymejia
Télécharger la présentation

ISSUES RELEVANT TO DISTRIBUTED SECURITY

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ISSUES RELEVANT TO DISTRIBUTED SECURITY CSC8320

  2. Outline • Content from the book • Recent Work • Future Work

  3. Distributed Systems Security • Different from operating system security • No central trusted authority that mediates interaction between users and processes. • Distributed system runs on top of a large number of loosely coupled autonomous hosts, that maybe running different OS’s with possibly different security policies. • Application level security is not the solution as programmers are not security experts and security depends on application call chain • Thus the issue of security is complex in distributed systems

  4. Security Issues • Confidentiality • Information might be revealed to unauthorized users • Integrity • Data is corrupted or changed either intentionally or unintentionally • Accountability • Information of actions cannot be attributed accurately to the person or user • Loss of Service • Service is denied to authorized users

  5. DDoS • Distributed Denial of Service • Attempts to make an available resource unavailable • Attacker uses a “botnet” – hacked computers/network of computers – to send traffic to a particular site or a system and this way slows down/denies regular users access to the site. With enough computers, the attacker could even bring down the site

  6. Protection against threats • Authentication • First line of defense. Only authenticated users have access to the system • Authorization • Second line of defense. Only authorized users have acces to a file or object • Auditing • Maintain a security log that logs all activities in the system. This helps to trace security attacks

  7. Proxy • Certificate used to verify that a principal truly delegates a subset of its rights to another principal for performing some tasks on its behalf • Properties that proxy protocols should ideally exhibit include authenticity, integrity, additivity, sufficiency and revocability • Advantage of proxy is that the amount of file transfer in the network is reduced. Thus delegation of responsibilities improves the efficiency of processing

  8. Traffic Analysis Prevention • Unauthorized users may gain useful information from analyzing the network traffic • Traffic Analysis Prevention (TAP) regulates information flow in the network • Common TAP approaches include • Encryption – messages are encrypted to prevent unauthorized disclosure of the contents • Padding – Packets are padded with redundant bytes such that all packets appear to be of same size • Routing and Scheduling

  9. Auditing • Passive protection – acts as a last resort when other mechanisms such as authentication and authorization are not sufficient to protect the security of the system • Can be performed online in the firewalls for early detection of threats or offline when an attack or problem has already occured • Maintain log files that record all activity in the system and the network • Audit logs help to trace security attacks

  10. Recent Work • A stateful CSG-based Distributed Firewall Architecture for robust Distributed Security [2009, Ramsurrun.V, Soyjaudah] • Distributed security model following a bottom-up approach such that each cluster of end-user hosts are first secured using the Cluster Security Gateway architecture • Provides higher level of protection compared to traditional firewalls

  11. Architecture

  12. Architecture contd • Stateful CSG • Multiple active firewalls nodes acting in parallel to filter traffic • Network admin machine • Contains the Policy Repository (central repository where all firewall scripts deployed in the network are stored) and the Policy Distributor (sends firewall updates to the CSMs by establishing secure and encrypted end-end connections with the CSM)

  13. Architecture contd • Cluster Security Manager (CSM) • Receives firewall updates from the policy distributor. Each end user cluster has a CSM and this then distributes those updates across the multiple firewall nodes • Gateway firewall • First line of access control and protection against external attacks • Also has a CSM for receiving updates from the network administrator

  14. Future Work • Artificially Intelligent systems that enforce security policies and detect/prevent attacks based on past occurrences and heuristics ? • Adaptive distributed systems that evolve their behavior based on the changes in their environment so that they continually provide their intended functionalities

  15. References • R. Chow,T. Johnson, “Distributed Operating , Systems & Algorithms”, Addison Wesley, 1997 • Distributed Denial-of-Service Attacks and You, http://www.microsoft.com/technet/Security/bestprac/ddosatku.mspx?pf=true, April 11,2007 • “A stateful CSG-based distributed firewall architecture for robust distributed security” , Ramsurrun.V, Soyjaudah K.M.S, Jan 2009

More Related