securing content based routing publish-subscribe systems
Post on 30-Dec-2015
Securing Content Based Routing Publish-Subscribe Systems (SIENA)
John.Giacomoni@colorado.edu
2002.01.28

What is Content Based Routing?
Messages Routed Based on Content
  • No Fixed Address Field(s)
  • Generally Speaking Routers Need Full Access to Message Payload

What is Publish-Subscribe?
Event Notification System
  • Producers (Publishers)
  • Consumers (Subscribers)
  • Publications are Routed to Subscribers Based on Filters (Subscriptions)

Interesting Properties of Publish-Subscribe
Publishers and Subscribers can be Anonymous to Each Other
Clients Can be Linked Together to Form an Ad-Hoc Network Using only the Publish-Subscribe Interface

What is SIENA?
Scalable Internet (Scale) Event Notification Architecture

What/How Does SIENA Work?
Exports a Publish-Subscribe API
Employs Content Based Routing
  • Accurately Route Messages To Interested Parties
  • Bandwidth Consumption Reduction
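The slides above describe routing on content rather than on an address field: a notification is a set of attribute/value pairs, a subscription is a filter over those attributes, and the router must inspect the whole payload to decide who receives it. The following is an added example of such a router, written for this page and not taken from SIENA's code base; the attribute names, operators and the stock-quote notifications are constructed for the demonstration.

```python
"""Added example (not SIENA's code): a minimal content-based router.

Notifications are attribute/value maps with no destination field; a
subscription is a conjunction of constraints (attribute, operator, value)
that the router evaluates against every notification it sees. This is why
a router in this model needs the full payload in the clear.
"""
from __future__ import annotations
import operator
from dataclasses import dataclass
from typing import Any, Callable

# Operators a filter may use (constructed set; SIENA's own operator set differs).
OPS: dict[str, Callable[[Any, Any], bool]] = {
    "=": operator.eq,
    "!=": operator.ne,
    "<": operator.lt,
    ">": operator.gt,
    "<=": operator.le,
    ">=": operator.ge,
    "prefix": lambda v, p: isinstance(v, str) and v.startswith(p),
}


@dataclass(frozen=True)
class Constraint:
    attr: str
    op: str
    value: Any

    def matches(self, notification: dict[str, Any]) -> bool:
        if self.attr not in notification:
            return False  # a missing attribute never satisfies a constraint
        try:
            return OPS[self.op](notification[self.attr], self.value)
        except TypeError:  # e.g. comparing a string against an int
            return False


@dataclass
class Subscription:
    subscriber: str
    constraints: tuple[Constraint, ...]  # conjunction: all must hold

    def matches(self, notification: dict[str, Any]) -> bool:
        return all(c.matches(notification) for c in self.constraints)


class ContentRouter:
    def __init__(self) -> None:
        self.subscriptions: list[Subscription] = []
        self.delivered: dict[str, list[dict[str, Any]]] = {}

    def subscribe(self, subscriber: str, *constraints: Constraint) -> None:
        self.subscriptions.append(Subscription(subscriber, constraints))

    def publish(self, notification: dict[str, Any]) -> list[str]:
        """Route one notification; returns the subscribers it reached."""
        reached = []
        for sub in self.subscriptions:
            if sub.matches(notification):
                self.delivered.setdefault(sub.subscriber, []).append(notification)
                reached.append(sub.subscriber)
        return reached


def demo() -> dict[str, list[str]]:
    """Constructed notifications for a stock-quote style feed."""
    r = ContentRouter()
    r.subscribe("alice", Constraint("class", "=", "quote"), Constraint("price", ">", 100))
    r.subscribe("bob", Constraint("symbol", "prefix", "AC"))
    r.subscribe("carol", Constraint("class", "=", "alert"))
    results = {}
    for n in [
        {"class": "quote", "symbol": "ACME", "price": 120},
        {"class": "quote", "symbol": "ZZZ", "price": 50},
        {"class": "alert", "symbol": "ACME", "level": "high"},
    ]:
        results[n["symbol"] + "/" + n["class"]] = r.publish(n)
    return results


if __name__ == "__main__":
    for key, who in demo().items():
        print(key, "->", who)
```

Note that every constraint reads a plaintext attribute; the example makes the later confidentiality problem concrete, since anything the publisher hides from the router cannot be used by `matches`.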
Interesting Properties of SIENA
Notifications (Messages) Routed Based on Content
Unspecified Number of Clients or Servers
Unspecified Network Topology
Unspecified Communication Protocols
Unspecified Message Delivery Windows
Heterogeneous Host & Authority Domains
Fault Permissive

Unspecified Network Topology
Single Server
Hierarchical
General Graph
Hybrid/Combination Topology

Combination Topology (with heterogeneous authority)

Security Goals
Confidentiality
Integrity
Availability
As Described In "Secrets & Lies" by Bruce Schneier, p. 121

Confidentiality Goals
Data (Publications)
  • Content Might Contain Sensitive Information
  • Routing Depends on Content
Subscriptions
  • Subscriptions May Contain Sensitive Information
  • Data Flow Analysis
  • Anonymity

Integrity Goals
Altered Messages
Injected Messages
Dropped Messages

Availability Goals
Denial of Service Protection
  • Individual Server
  • Network Congestion
Knowing When System is Overloaded/DoS'ed

Additional Goals
Billing/Accountability
Audit

Conflicting Goals
Scale vs. Security
Performance vs. Security
Anonymity vs. Security
Anonymity vs. Billing
Communication Network vs. User Security
Data Confidentiality vs. Expressiveness
How do we Balance These Conflicting Goals?

Observations
Single Solution Very Unlikely
  • Each Environment Will Need Its Own Setup
  • Military Always Does Its Own Thing
Minimization of Security in the Servers Maximizes Flexibility
Heterogeneous Solutions do Not Cover Homogeneous Solutions

Homogeneous Authority Domains
Communication Security
  • IPSEC
  • SSL (requires server changes)
  • Bogus Notifications (Traffic Analysis)
Some Faith can be Put into Software
Simple Authentication Tokens Can be Used
Multilevel/Multilateral Security Possible
  • Military Applications

Heterogeneous Authority Domains
Users Cannot Trust Network
  • Unknown Recipients
  • Unknown Servers
Network Cannot Trust Users OR Network
  • Publications/Subscriptions Valid?
  • Unknown 3rd Party Server Behavior

User Land Models
Accept Subscriptions and Publications as Public Domain
  • Subscriptions can be Obfuscated to a Certain Degree
Encrypted Messages
Signed Messages

Problems with Encrypted Notifications
Decreased Routing Performance
  • 100% Content Confidentiality Results in an Unroutable Message
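The "User Land Models" and "Problems with Encrypted Notifications" slides make one point between them: a publisher can encrypt and sign notifications end to end, but whatever it encrypts is invisible to the router's filters, so a fully encrypted notification matches nothing. The following added example (written for this page, not SIENA's code) shows the client/client model with a split notification: routable attributes in the clear, the sensitive body encrypted and authenticated under a key shared only by publishers and subscribers. The cipher is a stdlib-only stand-in (HMAC-SHA256 used as a counter-mode keystream, with a separate HMAC tag, encrypt-then-MAC) chosen so the block runs without third-party packages; a deployment would use an AEAD such as AES-GCM. The group secret, attribute names and quote values are constructed.

```python
"""Added example (not SIENA's code): confidentiality versus routability.

seal()  -- publisher side: encrypt the confidential attributes, leave the
           routable ones in the clear, and bind both under one tag.
route() -- router side: equality filters evaluated on the clear part only.
unseal()-- subscriber side: verify the tag, then decrypt.
"""
from __future__ import annotations
import hashlib
import hmac
import json
import os
from typing import Any


def _subkey(group_key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from the shared group key."""
    return hmac.new(group_key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def _canon(d: dict[str, Any]) -> bytes:
    """Canonical JSON so publisher and subscriber MAC the same bytes."""
    return json.dumps(d, sort_keys=True, separators=(",", ":")).encode()


def seal(group_key: bytes, routable: dict, confidential: dict,
         nonce: bytes | None = None) -> dict:
    nonce = nonce or os.urandom(16)
    pt = _canon(confidential)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(_subkey(group_key, b"enc"), nonce, len(pt))))
    # The tag covers nonce, clear attributes and ciphertext, so a server that
    # alters the routing attributes (integrity goal: altered messages) is caught.
    tag = hmac.new(_subkey(group_key, b"mac"), nonce + _canon(routable) + ct, hashlib.sha256).digest()
    return {"clear": routable, "nonce": nonce.hex(), "body": ct.hex(), "tag": tag.hex()}


def unseal(group_key: bytes, env: dict) -> dict:
    nonce, ct = bytes.fromhex(env["nonce"]), bytes.fromhex(env["body"])
    expect = hmac.new(_subkey(group_key, b"mac"), nonce + _canon(env["clear"]) + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, bytes.fromhex(env["tag"])):
        raise ValueError("tag mismatch: altered or injected notification")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(group_key, b"enc"), nonce, len(ct))))
    return json.loads(pt)


def route(subscriptions: dict[str, dict], env: dict) -> list[str]:
    """Router: it never holds the group key, so it can only read env['clear']."""
    clear = env["clear"]
    return [s for s, f in subscriptions.items() if all(clear.get(k) == v for k, v in f.items())]


def demo() -> dict:
    key = hashlib.sha256(b"constructed group secret").digest()
    subs = {"trader": {"class": "quote", "symbol": "ACME"}}
    partial = seal(key, {"class": "quote", "symbol": "ACME"}, {"price": 120, "size": 500})
    fully = seal(key, {}, {"class": "quote", "symbol": "ACME", "price": 120})
    tampered = dict(partial, clear={"class": "quote", "symbol": "ZZZ"})
    try:
        unseal(key, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "partial_reaches": route(subs, partial),   # routed on the clear attributes
        "fully_reaches": route(subs, fully),       # 100% confidential: unroutable
        "decrypted": unseal(key, partial),
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

The split is exactly the "Data Confidentiality vs. Expressiveness" trade-off from the goals slide: each attribute moved from the confidential part into the clear part widens what subscribers can filter on and what every server on the path learns.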
User Land Security Models (Client/Client)
Protects Data
Anonymity Issues
Key Management/Revocation Issues
Scaling Issues
  • Organization
No Additional Load on Servers

User Land Security Models (Client/PKI/Client)
Maintains Anonymity Between Publishers and Subscribers
No Additional Load on Servers
Multiple PKI's can be in Place
Billing Can be Based on Key Management
PKI Management Issues
  • Initial Key Distribution
Closed-PKI, "(Public Key) Infrastructure"

Server Models
Trusted Gateways
Authenticated Publications/Subscriptions
  • Loss of Anonymity
  • Foreign Networks Still a Problem
Audit
  • Loss of Anonymity

Main Problem
Specifying a Security Model Without a Well Defined Environment Will Result in Many Problems

Directions
SSL Aware Communication Layer
  • Encryption
  • Authentication
IPSEC Between Servers
  • Clients if System is Homogeneous
Trusted Gateways

Trusted Gateways
Tunnel Flagged Messages (Encrypted) to Remote Trusted Networks
Unflagged Messages Forwarded Blindly
Rate Limit Unflagged Messages
Minimize Need for Obfuscated Publications
Permits Large Public SIENA Backbones
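The "Trusted Gateways" slide sketches a server-side policy: flagged messages are tunnelled to a named remote trusted network, unflagged messages are forwarded blindly but rate limited, and the public backbone in between only ever sees the tunnel envelope. The following added example (written for this page, not SIENA's code) implements that decision logic with a per-source token bucket and an authenticated tunnel envelope. Confidentiality of the gateway-to-gateway link is assumed to come from the server-to-server transport that the "Directions" slide proposes (IPSEC) and is not modelled here; the gateway names, the `tgw` flag attribute, the pair key and the traffic are constructed.

```python
"""Added example (not SIENA's code): decision logic of a trusted gateway (TGW).

- A message carrying a "tgw" attribute naming a remote trusted network is
  wrapped in a tunnel envelope whose only routable attributes are the
  gateway names; the inner message travels as an opaque, MAC'd blob.
- Any other message is forwarded blindly, but through a per-source token
  bucket so one flooding source cannot starve the rest (availability goal).
- Counters expose drops, which is how an operator knows the system is being
  overloaded.
Link encryption between gateways is assumed from the transport (e.g. IPsec).
"""
from __future__ import annotations
import hashlib
import hmac
import json


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, burst of `capacity`."""

    def __init__(self, rate: float, capacity: int) -> None:
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = float(capacity), 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class TrustedGateway:
    def __init__(self, name: str, peer_keys: dict[str, bytes],
                 rate: float = 5.0, burst: int = 5) -> None:
        self.name = name
        self.peer_keys = peer_keys  # one shared key per remote trusted network (constructed)
        self.buckets: dict[str, TokenBucket] = {}
        self.rate, self.burst = rate, burst
        self.stats = {"tunnelled": 0, "forwarded": 0, "dropped": 0, "rejected": 0}

    @staticmethod
    def _canon(msg: dict) -> bytes:
        return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()

    def handle(self, source: str, msg: dict, now: float) -> dict | None:
        """Returns the message to put on the public backbone, or None if dropped."""
        dest = msg.get("tgw")
        if dest is not None:
            key = self.peer_keys.get(dest)
            if key is None:
                self.stats["rejected"] += 1  # unknown trusted network: never leak it
                return None
            inner = self._canon(msg)
            tag = hmac.new(key, self.name.encode() + b"|" + inner, hashlib.sha256).hexdigest()
            self.stats["tunnelled"] += 1
            return {"class": "tgw-tunnel", "from": self.name, "to": dest,
                    "inner": inner.hex(), "tag": tag}
        bucket = self.buckets.setdefault(source, TokenBucket(self.rate, self.burst))
        if not bucket.allow(now):
            self.stats["dropped"] += 1  # overload signal for the operator
            return None
        self.stats["forwarded"] += 1
        return msg

    def receive_tunnel(self, env: dict) -> dict:
        """Remote side: verify the tag before releasing the inner message."""
        key = self.peer_keys[env["from"]]
        inner = bytes.fromhex(env["inner"])
        expect = hmac.new(key, env["from"].encode() + b"|" + inner, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, env["tag"]):
            raise ValueError("tunnel tag mismatch")
        return json.loads(inner)


def demo() -> dict:
    k = hashlib.sha256(b"constructed key for gateway pair A-B").digest()
    gw_a = TrustedGateway("A", {"B": k}, rate=1.0, burst=3)
    gw_b = TrustedGateway("B", {"A": k})
    # Five unflagged messages from one source in the same instant: burst is 3.
    sent = [gw_a.handle("host1", {"class": "quote", "symbol": "ACME", "price": 120 + i}, now=0.0)
            for i in range(5)]
    env = gw_a.handle("host2", {"tgw": "B", "class": "order", "qty": 10}, now=0.0)
    return {
        "blind_forwarded": sum(m is not None for m in sent),
        "tunnel_visible_keys": sorted(env.keys()),
        "received_at_B": gw_b.receive_tunnel(env),
        "stats": dict(gw_a.stats),
    }


if __name__ == "__main__":
    print(demo())
```

The envelope's only clear attributes are `class`, `from` and `to`, so the backbone routes it on gateway identity alone; that is what lets the slide claim fewer obfuscated publications are needed while still permitting a large public backbone.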
Parting Comments On Securing SIENA
All Users are Equal in SIENA
  • Concept of Users and Permissions/Roles Needs to be Introduced.

Trusted Gateways
(diagram: TGW)

Q&A Time :)