Safe and Secure Ubiquitous Communication

Jan. 27, 2005, Atsuhiro GOTO, Information Sharing Platform Laboratories, Nippon Telegraph and Telephone Corporation (NTT)

Copyright 2005 NTT Information Sharing Platform Labs (17 pages)

TRANSCRIPT

Page 1: Safe and Secure Ubiquitous Communication (title slide)

Copyright 2005 NTT Information Sharing Platform Labs 1

Jan. 27, 2005, Atsuhiro GOTO

Information Sharing Platform Laboratories, Nippon Telegraph and Telephone Corporation (NTT)

Page 2: Safe & Secure vs. Easy & Simple

• "DVR attacked Web Server", Sept. 2004
• How to cope with both Safe & Secure and Easy & Simple in a consumer appliance network?
• Two topics
  – A new remote configurable firewall system for home-use gateways
  – A detachable IPsec device for a secure consumer communication platform, "IPsec-Proxy technology"

Page 3: Easy access to home-network

[Diagram: a home network behind a home gateway (HGW), reached over the Internet from several places outside home]

• Access from: school/office, a friend's house, a relative's house, outside home (hot spot / Internet cafe)
• Use cases
  – Watch your children, pet, plants etc. while away from home
  – Listen to the music stored at home servers
  – Share digital photos with relatives
  – Share digital photos of an event among group members
  – Search and download documents which are stored at home servers
• Access permitted for parents, for family members, for friends; unauthorized access is denied

Location-free, device-free, secure and convenient access to the contents or devices at home.

Page 4: What is the option we have now?

• VPN? (e.g. L2TP, IPsec, SSL-VPN etc.)
  – Complex configuration, for both server and client
  – Client software dependent; may require software installation
  – High-cost appliances, mainly used in business
• Reverse proxy or application server?
  – FW/NAT problems
  – Vendor dependency
• Static firewall configuration?
  – Either the port is opened to people all over the Internet, or only a statically specified client is permitted to access
  – Configuration is still complex for end-users: IP address, port numbers, NAT rules…

We want a simpler and easier way…

Page 5: Our solution: a new security gateway

• On-demand creation of source address based firewall/NAT rules.
• Simplified configuration procedure of access policy settings for network appliances.

[Diagram: the security gateway sits between the Internet and the home network and consists of (1) a configuration supporting system and (2) a dynamic firewall system]
  – Outside: a user at an office, friend's house, Internet café, etc. performs user authentication (over SSL); communication originated from the authenticated IP address is temporarily permitted; an attacker's access is denied (denial of unauthorized access)
  – Inside: an access policy for each device, user data, and UPnP based simple policy configuration

Page 6: Security gateway architecture

[Diagram: the configuration supporting system (UPnP, interface I/F2 toward the NW appliances on the home network; receives registration and policy settings) and the dynamic FW system (SSL, interface I/F1 toward the user from outside on the Internet; receives access requests and data) share the templates and ACLs; both sit beside the FW and the other home gateway functions]

On-demand creation of firewall/NAT rules
• Creates source-address based firewall/NAT rules to prevent ports from being opened to everyone
• Multiple rules can be applied to a single port

Universal Plug and Play (UPnP) based
• Creating templates for firewall/NAT rules based on UPnP request from network appliances
• Also creates user-name based ACLs
• Templates and ACLs are used by dynamic-firewall system

Page 7: Photo demo (the demo system)

[Photo: "home" (security gateway, TV with web browser, network camera) and "friend's house" (friend's PC), connected through a pseudo-Internet (hub)]

Page 8: Connecting Device

1. Connect a new UPnP enabled network camera.
2. UPnP negotiation between the camera and the gateway
3. Gateway does not open the port immediately, but creates firewall/NAT policy templates. Ex) TCP:80, IP address: 192.168.0.21

[Diagram: UPnP enabled NW camera connected to the Security Gateway]

Page 9: Editing ACL

You can optionally configure per-user ACLs using a web browser (ex. browser embedded TV).

Check boxes represent the user's access right to the network appliance.

Page 10: FW control from outside - accessing home from friend's PC -

Access the security gateway with any web browser. User authentication over an SSL session is required.

Main page of the security gateway. Each of the circle icons represents a set of firewall policy and ACLs for the corresponding appliance.

Page 11: Activating policy

Clicking on an icon activates the policy. A red icon represents an activated appliance (e.g. ports are opened for the user's PC).

Page 12: Accessing home network

Once the firewall is opened for the user, you can access the home network appliance using an appropriate browser (ex. web browser).

Activation is valid until the user deactivates the policy or the main window is closed (e.g. the SSL session is destroyed).
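The dynamic firewall of pages 5-6 and the demo flow of pages 8-12, modelled as an added Python example (this is not NTT's code): UPnP registration only stores a template, a per-user ACL gates activation, activation creates a rule bound to the authenticated session's source IP, and the rule disappears when the SSL session ends. Names such as SecurityGateway, lookup and the user/IP values are constructed for the example; SSL authentication itself is assumed to have already succeeded.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Template:  # built from an appliance's UPnP request; the port is NOT opened yet
    proto: str
    port: int
    inside_ip: str

@dataclass(frozen=True)
class Rule:  # a live firewall/NAT rule bound to one authenticated source IP
    src_ip: str
    proto: str
    port: int
    inside_ip: str

class SecurityGateway:
    def __init__(self):
        self.templates = {}  # appliance name -> Template (from UPnP)
        self.acl = {}        # appliance name -> set of permitted user names
        self.sessions = {}   # session id -> (user, authenticated source IP)
        self.rules = {}      # Rule -> session id that activated it

    def upnp_register(self, name, proto, port, inside_ip):  # demo steps 2-3
        self.templates[name] = Template(proto, port, inside_ip)  # template only

    def set_acl(self, name, users):
        self.acl[name] = set(users)  # the per-user check boxes on the ACL page

    def login(self, sid, user, src_ip):
        # SSL authentication assumed to have succeeded; the session's peer address is the authenticated IP
        self.sessions[sid] = (user, src_ip)

    def activate(self, sid, name):
        """Clicking an icon: open the appliance's port for this session's IP only."""
        user, src_ip = self.sessions[sid]
        t = self.templates.get(name)
        if t is None or user not in self.acl.get(name, set()):
            return False
        self.rules[Rule(src_ip, t.proto, t.port, t.inside_ip)] = sid
        return True

    def logout(self, sid):  # deactivation, main window closed or SSL session destroyed
        self.sessions.pop(sid, None)
        self.rules = {r: s for r, s in self.rules.items() if s != sid}

    def lookup(self, src_ip, proto, port):
        """Inbound packet decision: inside IP to forward/NAT to, or None (denied)."""
        hits = [r.inside_ip for r in self.rules
                if (r.src_ip, r.proto, r.port) == (src_ip, proto, port)]
        return hits[0] if hits else None
```

Because every rule carries a source address, two permitted users can hold separate rules for the same port 80 without that port ever being open to the rest of the Internet.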

Page 13: Secure Network for Consumer Appliances

• Consumer appliance network
  – Easy-to-Use = Plug-and-play
• Secure network
  – protected against sniffing, falsification, spoofing and attacks

[Diagram: insecure network (current), where consumer appliances are exposed to an eavesdropper, versus secure network (goal), built from easy-to-use secure devices]

Page 14: Approach

• Plug-and-play
• Secure protection

Place feature:
                  In the router   In the wire   In the stack
  Simplicity      △               ○             ×
  Cost            ×               △             ○
  Controllability ○               △             ×

Protocol feature:
                  SSL/TLS   IPsec   L2sec
  Encryption      ○         ○       ×
  Authentication  ○         △       △
  Versatility     ×         ○       ○

⇒ IPsec in the wire ⇒ IPsec bridge

Page 15: IPsec-Proxy Technology

• Unique IPsec implementation
  – Bump in the wire
  – non IP addressable
• Arrangement

[Diagram, Current vs New]
  – Current: Appliance (w/ IPsec), with an IP address; stack: Application / OS / IPsec / Network device; secure communication to the Internet
  – New: Appliance (wo/ IPsec), with an IP address; stack: Application / OS / Network device; clear communication to the IPsec-Proxy Adapter (IP Bridge), which has no IP address and runs IPsec on the appliance's behalf ("outsourcing IPsec"); secure communication from the adapter to the Internet

Page 16: Prototype and Experiment

[Photo: IPsec-Proxy (Prototype A) connected toward the Internet; board labels: 3.5 inch, Ethernet port, serial port for debugging, CF card slot]

CPU: 133MHz (486 compatible), MEM: 32MB, Ethernet: 10Base-T

Page 17: Wrap Ups

• How to cope with both Safe & Secure and Easy & Simple in a consumer appliance network?
• Two topics
  – A new remote configurable firewall system for home-use gateways
    • Easy to set up, and dynamically opens/closes ports
  – True plug-and-play "IPsec-Proxy technology" for a secure consumer communication platform
    • "non IP addressable"
    • "transport mode (not tunnel mode)"
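The adapter of page 15 and the two wrap-up points above ("non IP addressable", "transport mode"), as an added Python model that is not NTT's code: the bridge keeps the appliance's own source and destination addresses and only replaces the protocol field and payload with ESP, which is why it needs no IP address of its own (tunnel mode would need an outer header with the adapter's address). IPsec security associations are unidirectional, so each adapter holds one outbound and one inbound SA. The HMAC-SHA256 keystream and 12-byte ICV are toy stand-ins for ESP's real cipher and integrity algorithms, and the SPI values and keys are constructed for the example.

```python
import hashlib, hmac, struct
from collections import namedtuple
from dataclasses import dataclass, field

ESP = 50  # IP protocol number of ESP
IPPacket = namedtuple("IPPacket", "src dst proto payload")  # src/dst are dotted strings

@dataclass
class SA:  # one unidirectional security association, as in real IPsec
    spi: int
    enc_key: bytes
    auth_key: bytes
    seq: int = 0
    seen: set = field(default_factory=set)  # anti-replay record on the receive side

def _keystream(key, spi, seq, n):  # toy CTR keystream from HMAC-SHA256, stands in for ESP's cipher
    out = b""
    for ctr in range(-(-n // 32)):
        out += hmac.new(key, struct.pack(">IIQ", spi, seq, ctr), hashlib.sha256).digest()
    return out[:n]

class IPsecProxy:
    """Adapter with no IP address: it never rewrites src/dst (transport mode), only proto and payload."""
    def __init__(self, out_sa, in_sa):
        self.out_sa, self.in_sa = out_sa, in_sa

    def outbound(self, pkt):  # clear packet from the appliance -> ESP packet on the wire
        sa = self.out_sa
        sa.seq += 1
        ks = _keystream(sa.enc_key, sa.spi, sa.seq, len(pkt.payload) + 1)
        body = bytes(a ^ b for a, b in zip(pkt.payload + bytes([pkt.proto]), ks))  # trailer = next header
        hdr = struct.pack(">II", sa.spi, sa.seq)
        icv = hmac.new(sa.auth_key, hdr + body, hashlib.sha256).digest()[:12]
        return IPPacket(pkt.src, pkt.dst, ESP, hdr + body + icv)

    def inbound(self, pkt):  # ESP packet from the wire -> clear packet, or None if rejected
        sa = self.in_sa
        if pkt.proto != ESP or len(pkt.payload) < 21:
            return None
        hdr, body, icv = pkt.payload[:8], pkt.payload[8:-12], pkt.payload[-12:]
        spi, seq = struct.unpack(">II", hdr)
        expect = hmac.new(sa.auth_key, hdr + body, hashlib.sha256).digest()[:12]
        if spi != sa.spi or seq in sa.seen or not hmac.compare_digest(icv, expect):
            return None  # wrong SA, replayed, or tampered: dropped, nothing reaches the appliance
        sa.seen.add(seq)
        plain = bytes(a ^ b for a, b in zip(body, _keystream(sa.enc_key, spi, seq, len(body))))
        return IPPacket(pkt.src, pkt.dst, plain[-1], plain[:-1])
```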