Post on 18-Dec-2015
Copyright 2005 NTT Information Sharing Platform Labs 1
Safe and Secure Ubiquitous Communication
Jan. 27, 2005
Atsuhiro GOTO
Information Sharing Platform Laboratories, Nippon Telegraph and Telephone Corporation (NTT)
Safe & Secure vs. Easy & Simple
• "DVR attacked Web Server", Sept. 2004
• How to cope with both Safe & Secure and Easy & Simple in a consumer appliance network?
• Two topics
– A new remote configurable firewall system for home-use gateways
– A detachable IPsec device for a secure consumer communication platform, "IPsec-Proxy technology"
Easy access to the home network
(Figure: users outside home, from school/office, a friend's house, a relative's house, a hot spot or an Internet cafe, reach the home network through the Internet and the home gateway (HGW).)
Use cases:
– Watch your children, pets, plants etc. while away from home
– Listen to music stored on home servers
– Share digital photos with relatives
– Share digital photos of an event among group members
– Search and download documents stored on home servers
Access permitted for parents, for family members and for friends; unauthorized access is denied.
Location-free, device-free, secure and convenient access to the contents or devices at home.
What options do we have now?
• VPN? (e.g. L2TP, IPsec, SSL-VPN etc.)
– Complex configuration, for both server and client
– Client-software dependent; may require software installation
– High-cost appliances, mainly used in business
• Reverse proxy or application server?
– FW/NAT problems
– Vendor dependency
• Static firewall configuration?
– Either the port is opened to everyone on the Internet, or only a statically specified client is permitted to access
– Configuration is still complex for end-users: IP addresses, port numbers, NAT rules...
We want a simpler and easier way...
Our solution: a new security gateway
• On-demand creation of source-address based firewall/NAT rules.
• Simplified configuration procedure for the access policy settings of network appliances.
(Figure: a user outside, at an office, a friend's house, an Internet cafe, etc., authenticates to the security gateway over SSL; communication originating from the authenticated IP address is temporarily permitted according to the access policy for each device, while an attacker on the Internet is denied. The gateway sits between the Internet and the home network and consists of (1) a configuration supporting system, holding the user data and offering UPnP based simple policy configuration, and (2) a dynamic firewall system.)
Security gateway architecture
(Figure: the configuration supporting system (UPnP, SSL) handles registration and data access from the user outside on the Internet via I/F1 and sets the policy; the dynamic FW system (FW, templates, ACLs) faces the NW appliances on the home network via I/F2; other home gateway functions sit alongside.)
Dynamic FW system: on-demand creation of firewall/NAT rules
• Creates source-address based firewall/NAT rules to prevent ports from being opened to everyone
• Multiple rules can be applied to a single port
Configuration supporting system: Universal Plug and Play (UPnP) based
• Creates templates for firewall/NAT rules based on UPnP requests from network appliances
• Also creates user-name based ACLs
• Templates and ACLs are used by the dynamic-firewall system
Photo demo (the demo system)
(Figure: at home, the security gateway, a TV with web browser and a network camera; at the friend's house, the friend's PC; the two sides are connected through a pseudo-Internet (hub).)
Connecting a device
1. Connect a new UPnP-enabled network camera.
2. UPnP negotiation takes place between the camera and the gateway.
3. The gateway does not open the port immediately, but creates firewall/NAT policy templates (ex.: TCP:80, IP address: 192.168.0.21).
(Figure: the UPnP-enabled NW camera attached to the security gateway.)
Editing ACL
You can optionally configure per-user ACLs using a web browser (ex. a browser-embedded TV). Each check box represents a user's access right to the network appliance.
FW control from outside (accessing home from a friend's PC)
Access the security gateway with any web browser. User authentication over an SSL session is required.
Main page of the security gateway: each circle icon represents the set of firewall policies and ACLs for the corresponding appliance.
Activating policy
Clicking on an icon activates the policy. A red icon represents an activated appliance (e.g. its ports are opened for the user's PC).
Accessing home network
Once the firewall is opened for the user, you can access the home network appliance using an appropriate client (ex. a web browser).
Activation is valid until the user deactivates the policy or the main window is closed (e.g. the SSL session is destroyed).
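The workflow of the slides from "Connecting a device" through "Accessing home network", as an added example that is not NTT's code: a Python model of the gateway's template, ACL, session and rule bookkeeping. The camera address and port are the slide's; the method names, the choice to key rules by SSL session, and the outside addresses used when exercising it are assumptions.

```python
# Added example (not NTT's code): a model of the dynamic firewall workflow of
# the demo slides. Method names and the rule/session bookkeeping are assumptions.
from dataclasses import dataclass, field


@dataclass
class SecurityGateway:
    templates: dict = field(default_factory=dict)  # appliance -> (proto, inside_ip, port)
    acls: dict = field(default_factory=dict)       # appliance -> {user, ...}
    sessions: dict = field(default_factory=dict)   # session id -> (user, src_ip)
    rules: dict = field(default_factory=dict)      # (session id, appliance) -> rule

    def upnp_register(self, appliance, proto, port, inside_ip):
        """Steps 1-3: the UPnP request yields a template; no port is opened yet."""
        self.templates[appliance] = (proto, inside_ip, port)
        self.acls.setdefault(appliance, set())

    def set_acl(self, appliance, user, allowed):
        """The check box on the Editing ACL page."""
        (self.acls[appliance].add if allowed else self.acls[appliance].discard)(user)

    def login(self, session_id, user, src_ip):
        """User authenticated over SSL; the session remembers its source address."""
        self.sessions[session_id] = (user, src_ip)

    def activate(self, session_id, appliance):
        """Clicking an icon: a source-address rule built from template + ACL."""
        user, src_ip = self.sessions[session_id]
        if user not in self.acls.get(appliance, ()):
            return False                       # not on this appliance's ACL
        self.rules[(session_id, appliance)] = (src_ip,) + self.templates[appliance]
        return True

    def deactivate(self, session_id, appliance):
        self.rules.pop((session_id, appliance), None)

    def logout(self, session_id):
        """SSL session destroyed: every rule this session activated disappears."""
        for key in [k for k in self.rules if k[0] == session_id]:
            del self.rules[key]
        self.sessions.pop(session_id, None)

    def is_permitted(self, src_ip, proto, dst_ip, dport):
        """Default deny: traffic passes only while a matching rule is active."""
        return (src_ip, proto, dst_ip, dport) in self.rules.values()
```

Because a rule carries the authenticated source address, an attacker elsewhere on the Internet never matches it, and closing the SSL session removes it again.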
Secure Network for Consumer Appliances
• Consumer appliance network: Easy-to-Use = Plug-and-play
• Secure network: protected against sniffing, falsification, spoofing and attacks
(Figure: the current, insecure network, where an eavesdropper can observe the consumer appliances, versus the goal, a secure network in which each consumer appliance sits behind an easy-to-use secure device.)
Approach
• Plug-and-play
• Secure protection

Feature by place of protection:
Feature          In the router  In the wire  In the stack
Simplicity       △              ○            ×
Cost             ×              △            ○
Controllability  ○              △            ×

Feature by protocol:
Feature          SSL/TLS  IPsec  L2sec
Encryption       ○        ○      ×
Authentication   ○        △      △
Versatility      ×        ○      ○

⇒ IPsec in the wire ⇒ IPsec bridge
IPsec-Proxy Technology
• Unique IPsec implementation
– Bump in the wire
– Non IP addressable
• Arrangement
(Figure, current: the appliance (w/ IPsec) runs the application on an OS whose stack contains IPsec above the network device; it has an IP address and speaks secure communication over the Internet. New: the appliance (wo/ IPsec) runs the application on an OS without IPsec, with an IP address, and sends clear communication to the IPsec-Proxy adapter (IP bridge), which has no IP address, performs the outsourced IPsec, and speaks secure communication over the Internet.)
Prototype and Experiment
(Figure: the IPsec-Proxy (Prototype A), a 3.5 inch board with an Ethernet port, a serial port for debugging and a CF card slot, connected to the Internet.)
CPU: 133MHz (486 compatible)
MEM: 32MB
Ethernet: 10Base-T
Wrap-ups
• How to cope with both Safe & Secure and Easy & Simple in a consumer appliance network?
• Two topics
– A new remote configurable firewall system for home-use gateways
• Easy to set up, and dynamically opens/closes ports
– True plug-and-play "IPsec-Proxy technology" for a secure consumer communication platform
• "non IP addressable"
• "transport mode (not tunnel mode)"