SeaCat: an SDN End-to-end
Application Containment ArchitecTure
Enabling Secure Role Based Network Access in Healthcare
- U...
Motivation
• “Everything” is networked
– Nearly all business applications assume network
availability
• Also true in healt...
Motivation cont.
• Problem:
– Same individual, using same device potentially
using several of these applications simultane...
Motivation cont.
• Current approaches, combinations of:
– Devices scans when new devices attach to network
– Run applicati...
SeaCat Approach
• Combine SDN and
application
containment:
– End-to-end application
containment
• Non-healthcare app:
– de...
Threat Model
• Concerned with security and performance of health care
applications used from variety of devices in a healt...
SeaCat Architecture
• SDN to create
contexts for
apps
• Extend contexts
into endpoint:
– Controller
creates virtual
interf...
SeaCat Architecture
Default context to bootstrap:
1. App uses default
context ->
authentication and
policy entity
2. Reque...
Challenges and status
• Create secure end-to-end contexts
– Network and host SDN as basis
– Authentication and policy driv...
Upcoming SlideShare
Loading in...5
×

SeaCat: and SDN End-to-end Application Containment ArchitecTure

285
-1

Published on

SeaCat: and SDN End-to-end Application Containment ArchitecTure a presentation by Jacobus Van der Merwe, U. Utah at US Ignite ONF GENI workshop on October 8, 2013

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
285
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
9
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

SeaCat: and SDN End-to-end Application Containment ArchitecTure

  1. 1. SeaCat: an SDN End-to-end Application Containment ArchitecTure Enabling Secure Role Based Network Access in Healthcare - US Ignite Project - Kobus Van der Merwe and Brent Elieson
  2. 2. Motivation • “Everything” is networked – Nearly all business applications assume network availability • Also true in healthcare – Accessing patient records – Remote diagnoses and consultation – In-home monitoring – Healthcare analytics – Plus “regular” vocational applications • HR/payroll functions, accessing domain specific literature – Plus non vocational use • Browsing the web, social networking etc.
  3. 3. Motivation cont. • Problem: – Same individual, using same device potentially using several of these applications simultaneously – Applications have very different security and performance constraints: • Healthcare records: stringent regulatory privacy and security requirements • In-home patient monitoring: different privacy and security needs + reliability and soft real time guarantees • Web use: no impact on core healthcare applications
  4. 4. Motivation cont. • Current approaches, combinations of: – Devices scans when new devices attach to network – Run applications on application servers with thin clients on devices – Complex network and server access control polices • Inadequate: – Device with up-to-date patch levels might still contain malware – Application servers with thin clients constrain the type of applications that can be used – Access control policies only deal with access. Provide no protection once data is accessed
  5. 5. SeaCat Approach • Combine SDN and application containment: – End-to-end application containment • Non-healthcare app: – default context • Healthcare app: – dynamic app specific context – from server, through network, into device – app and data contained in this context – protect against data leakage and malicious actors
  6. 6. Threat Model • Concerned with security and performance of health care applications used from variety of devices in a health care environment • Assume healthcare applications can be trusted – different from conventional threat model where device needs to be protected against untrusted applications • Specific concerns: – Unauthorized access • role based authentication and policies – Data leakage • end-to-end application containment – Resource guarantees • context based resource allocation with preemption – Denial of service • resource guarantees plus separation of resources
  7. 7. SeaCat Architecture • SDN to create contexts for apps • Extend contexts into endpoint: – Controller creates virtual interfaces on host switch – Bind applications to these interfaces
  8. 8. SeaCat Architecture Default context to bootstrap: 1. App uses default context -> authentication and policy entity 2. Request: create network context 3. Create context in network and host SDN 4. Application gets credentials to bind to virtual NIC (unbind from default NIC/context) 5. Traffic constrained to dedicated context
  9. 9. Challenges and status • Create secure end-to-end contexts – Network and host SDN as basis – Authentication and policy driven control framework – Host application containment – Secure binding mechanisms – Need for encryption • Status and plans – Just got started • Work in progress – Explore architecture with specific healthcare apps • Electronic health records (EHR) • Medical imaging
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×