
Secure and Manageable Virtual Private Networks for End-users

This paper presents a solution for secure multi-homing by using Virtual Private Networks (VPNs) for end-users. It addresses the problems of uncontrollable information flow and IP addressing conflict in VPNs and LANs. The proposed solution includes personal networks that integrate VPNs and portspaces, providing easy network management, independent network routing, and closed IP addressing. Experimental results show minimal overhead and improved security.





Presentation Transcript


  1. Secure and Manageable Virtual Private Networks for End-users
     K. Kourai (Tokyo Institute of Technology), T. Hirotsu, K. Sato, O. Akashi, K. Fukuda, T. Sugawara (NTT), S. Chiba (Tokyo Institute of Technology)

  2. Multi-homing by VPNs
     • Each host deals with multiple networks
       • LAN, VPNs
     • End-users use VPNs for more security
       • for each end-user
       • for each user's activity
         • business mail, private mail, shopping site
     [Figure: a multi-homed host attached to a corporate network (VPN1), an ISP (VPN2) and the LAN]

  3. Problem 1: uncontrollable information flow
     • Information flow is mixed among VPNs and a LAN
       • through multi-homed hosts
     • Private information may be leaked
       • at the network layer, via a single routing table
       • at the application layer, via file systems or processes' memory
     [Figure: corporate network (VPN1), ISP (VPN2) and LAN meeting at one multi-homed host]

  4. Problem 2: IP addressing conflict
     • IP addressing may overlap among VPNs and a LAN
       • private IP addresses
     • Unintended routing
       • conflict, misuse, abuse
     • Assigning unique IP addresses for every network is not realistic
     • Networks are connected at the points of multi-homed hosts
     [Figure: 192.168.0.1 on the VPN and 192.168.0.1 on the LAN, both reachable from the same host]

  5. Personal network
     • A personal network integrates:
       • a VPN
       • per-VPN execution environments of hosts, called portspaces
     • single-homed
     • Closed network
       • VPNs are exclusive
       • Portspaces are exclusive
     [Figure: web server and mail server on the VPN side, web browser and mail client on the host side]

  6. Features
     • Separation of networking activities
       • Information flow is confined
       • Network routing is separated
       • File systems and processes are separated
     • Independent network management is provided
       • IP addressing is closed
     • Easy bootstrapping
       • End-users can construct personal networks easily

  7. Portspace
     • A portspace is a virtualized host
       • only one VPN
       • independent namespaces for network, files, and processes
     • base environment
       • pseudo portspace
       • base network (LAN)
     [Figure: a portspace holding a VPN, processes, a network stack and a file system, beside the base environment on the LAN]

  8. Namespace for network
     • IP address
       • End-users can use the same IP address as the base environment
     • Protocol control blocks
       • End-users can use the same port numbers used in the base environment
     • Routing table
     • VPN configuration
     [Figure: VPN1 httpd at IP 192.168.0.1, port 80; VPN2 httpd at IP 192.168.0.1, port 80]

  9. Namespaces for files/processes
     • Namespace for files
       • Processes can access only files in the portspace
       • End-users can prepare configuration files to perform their own network management
         • resolv.conf, host.conf
     • Namespace for processes
       • This namespace prevents process interaction with the other portspaces
         • IPC, shared memory, signals

  10. Inheritance
     • network services
       • Requests are forwarded to the super-portspace
     • file system
       • Read from super-portspace
       • Write to sub-portspace
       • overriding/hiding
     [Figure: a sub-portspace forwards a request to a server process in its super-portspace and receives the reply; files are read from the super-portspace and written to the sub-portspace]

  11. Inheritance problem
     • Unintended information flow may occur via a super-portspace
       • The super-portspace becomes multi-homed
       • Personal networks using the super-portspace are not independent
     [Figure: information from a personal network forwarded through the shared super-portspace]

  12. Chinese Wall security model
     • Membership control
       • A portspace can join a personal network only if:
         • The portspace's information does not conflict with the personal network's
     [Figure: join and inherit operations on a personal network, checked against the Chinese Wall]
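The membership rule on this slide, worked through as an added example (not the paper's code). Conflict-of-interest classes and the rule that a whole inheritance tree counts as one information domain are assumptions made here; the slides only say a portspace may join a personal network if its information does not conflict with that network's.

```python
from dataclasses import dataclass, field

# Conflict-of-interest classes (constructed sample policy): personal networks
# in the same class must never share information through a common portspace.
CONFLICT_CLASSES = [
    {"business-vpn", "private-vpn"},  # corporate mail vs. private mail
    {"bank-vpn", "shopping-vpn"},     # banking vs. shopping site
]

@dataclass(eq=False)  # identity hashing so portspaces can live in sets
class Portspace:
    name: str
    super_ps: "Portspace | None" = None          # portspace this one inherits from
    networks: set = field(default_factory=set)   # personal networks joined so far
    subs: list = field(default_factory=list)     # portspaces inheriting from this one

    def __post_init__(self):
        if self.super_ps is not None:
            self.super_ps.subs.append(self)

def information_domain(ps):
    """All portspaces sharing information with ps through inheritance.
    Files are read from the super-portspace and requests are forwarded to it,
    so (assumption) the whole inheritance tree is treated as one domain."""
    root = ps
    while root.super_ps is not None:
        root = root.super_ps
    domain, stack = set(), [root]
    while stack:
        p = stack.pop()
        domain.add(p)
        stack.extend(p.subs)
    return domain

def networks_touched(ps):
    """Personal networks whose information ps can hold, directly or inherited."""
    return set().union(*(p.networks for p in information_domain(ps)))

def conflicts(net_a, net_b):
    return net_a != net_b and any({net_a, net_b} <= cls for cls in CONFLICT_CLASSES)

def can_join(ps, network):
    """Chinese Wall membership check: join only if no touched network conflicts."""
    return not any(conflicts(network, n) for n in networks_touched(ps))

def join(ps, network):
    if not can_join(ps, network):
        return False
    ps.networks.add(network)
    return True
```

A sibling sub-portspace is refused a conflicting network because both siblings forward through the same super-portspace, which is exactly the multi-homing the previous slide warns about.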

  13. Implementation
     • We implemented it based on FreeBSD 4.7
       • IPsec for VPNs
       • union file system for inheritance
     • How to communicate between portspaces
     [Figure: sender's host and receiver's host, each holding a per-portspace routing table and PCB list, an IPsec database keyed by SPI, and an SPI-portspace table]
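An added model (not the FreeBSD implementation) of how the SPI-portspace table and per-portspace PCB lists on this slide let two portspaces both serve 192.168.0.1:80, as slide 8 describes. Packet fields, the dict-based tables and the drop rules for unknown SPIs are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pcb:
    """Protocol control block: one listening socket inside a portspace."""
    ip: str
    port: int
    proto: str
    owner: str   # process that owns the socket (label only)

class Portspace:
    def __init__(self, name):
        self.name = name
        self.pcbs = []   # this portspace's own PCB list (its own namespace)

    def listen(self, ip, port, proto, owner):
        # An address/port pair only has to be unique within this portspace;
        # another portspace may bind the identical pair.
        if any((p.ip, p.port, p.proto) == (ip, port, proto) for p in self.pcbs):
            raise OSError(f"{ip}:{port}/{proto} already in use in {self.name}")
        self.pcbs.append(Pcb(ip, port, proto, owner))

class Host:
    def __init__(self, base):
        self.base = base        # base environment: the pseudo portspace on the LAN
        self.spi_table = {}     # SPI-portspace table: IPsec SA -> owning portspace

    def bind_sa(self, spi, portspace):
        self.spi_table[spi] = portspace

    def deliver(self, pkt):
        """Return (portspace name, owner) for an inbound packet, or None to drop.
        pkt is a dict with dst_ip, dst_port, proto and, for IPsec traffic, spi."""
        spi = pkt.get("spi")
        if spi is None:
            ps = self.base                   # plain LAN traffic: base environment
        else:
            ps = self.spi_table.get(spi)
            if ps is None:
                return None                  # SA not owned by any portspace: drop
        key = (pkt["dst_ip"], pkt["dst_port"], pkt["proto"])
        for pcb in ps.pcbs:                  # demultiplex only within that namespace
            if (pcb.ip, pcb.port, pcb.proto) == key:
                return (ps.name, pcb.owner)
        return None
```

Because the lookup never consults another portspace's PCB list, a packet arriving on VPN1's SA cannot reach VPN2's server even though both bind the same address and port.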

  14. Experiments
     • We measured the overheads of personal networks
     • Benchmark programs
       • Netperf, ApacheBench
     • 3 network constructions
       • base network with IPsec
       • personal network without/with inheritance
     • Environment
       • 2 PCs (Pentium III-S 1.4GHz, Intel Pro/100+)
       • connected via a 100baseT Ethernet switch
       • no encryption/authentication for IPsec

  15. Result: Netperf
     • latency increase: 1.5%
     • throughput decline: 0.1%
     • inheritance overhead: 0.2%

  16. Result: ApacheBench
     • web server
       • thttpd
     • request
       • an HTML file of 0 bytes
     • overhead
       • 3.9%

  17. Related work: virtual networks
     • Virtual Internets [Touch'02]
       • An internal router controls the connection between environments and virtual networks
       • for fault-tolerance and persistence
       • not for security
     • Router partitioning [Lim'01, Scandariato'02]
       • VPNs and routing are incorporated at routers
       • Routers provide per-VPN routing tables
       • only at the network layer

  18. Related work: virtual hosts
     • There are various virtual host techniques
       • FreeBSD jail
       • Clonable network stack [Zec'03]
       • Virtual machine [VMware]
     • Differences
       • Virtual hosts do not cooperate with virtual networks
       • Virtual hosts are not independent of the base environment

  19. Conclusion
     • We proposed personal networks
       • A personal network integrates a VPN and portspaces
       • separation of information flow
       • independent network management
       • Portspaces inherit services and file systems
     • Future work
       • loosening the Chinese Wall security model
       • QoS support for personal networks
