SlideShare a Scribd company logo

Security Framework for the IPv6 Era

Download as PPT, PDF
S
Shinsuke SUZUKI

APRICOT2005 講演資料

Internet
1 of 18
Apricot2005, Feb 2005 1 Security Framework for the IPv6 Era SUZUKI, Shinsuke (Hitachi, Ltd. / KAME Project / WIDE Project Secure-6 WG) suz@crl.hitachi.co.jp / suz@kame.net HIROMI, Ruri (Intec NetCore, Inc. / WIDE Project Secure-6 WG) hiromi@inetcore.com
Apricot2005, Feb 2005 2 Outline 1. Legacy security framework 2. What is necessary in IPv6 network? 3. Quarantine Network * Backbone-network issue is out of scope in this presentation (e.g. DoS, source-spoofing, Phishing)
Apricot2005, Feb 2005 3 1.1. Various kinds of Security Frameworks • Perimeter Defense – e.g. Firewall, VPN • Legacy IPv4 operational security • to drop unnecessary traffic from inside / outside • Edge Defense – e.g. IPsec (Transparent-mode), Personal Firewall • Current IPv6 protocol-level security • to keep Confidentiality/Integrity/Authentication of communication • Object Defense – e.g. Data encryption, Access authentication, Mandatory Access Control, Anti-virus software • Recent IPv4 operational security • to drop application-level attack (e.g. spam, virus, worm, spy-ware, theft) on a PC
Apricot2005, Feb 2005 4 1.2. Assumptions in Each Framework • Each framework has some assumptions – Perimeter Defense • “all the communication MUST goes through a firewall” – “communication” = Web/Mail/FTP – A host does not physically move so frequently – A host cannot have an external connectivity by itself – Edge Defense • “A user may make any communication as he/she wants” – Object Defense • “A user must/can defend oneself by him/herself”
Apricot2005, Feb 2005 5 1.3. Advantages/Disadvantages in Each Framework • Perimeter Defense – Advantages • concentrated management – Disadvantages • uncovered security threats (e.g. insider attack) • difficulty in user-specific customization (e.g. “it’s secure, but I cannot work!”) • singular point of failure (e.g. network performance) • Edge Defense – Advantages • user-specific customization (e.g. end-to-end encrypted session) – Disadvantages • difficulty in consistent management (e.g. security policy, traffic inspection) • Object Defense – Advantages • detailed inspection • user-specific customization – Disadvantages • difficulty in consistent management (e.g. operational mistake, zero-day attack)
Apricot2005, Feb 2005 6 1.4. Current Deployment Status • Perimeter Defense is still preferred by administrators, because it fully satisfies the administrators’ requirement: – Administrators’ requirement • manageable security – Enforce a security policy to all the nodes in a centrally consistent manner – Users’ requirement • customizable and easy security – Obtain a user-specific security policy automatically
Apricot2005, Feb 2005 7 2.1. What Does Perimeter Defense Matter with IPv6? • Perimeter Defense often unnecessarily restricts communication – Non-problematic user operation is denied, because of the management difficulty... • Essentially not an IPv6-specific issue – but getting much more serious in IPv6, since it completely denies the benefit of IPv6 by nature • Plug & Play • non-PC equipment • end-to-end (encrypted) communication • new applications
Apricot2005, Feb 2005 8 2.2. What Is Necessary? • Integration of “Manageable Security” and “Customizable and Easy Security” – automatic integration is desirable – should work in IPv4 as well as in IPv6 • Integration way is different, depending on – the definition of a “security policy” – network environment • This makes the things complex...
Apricot2005, Feb 2005 9 e.g.) Security Policy Examples • ISP network – Customers may make any communication, if it does not interfere with other customer’s communication severely  Traffic management is important • Enterprise network – Customers may make any communication, if it contributes to the profit of the enterprise  Detailed contents management is important • SOHO network – Provide every service to the very limited number of customers  Customer authentication is important
Apricot2005, Feb 2005 10 2.3. How To Proceed? • There are two ways – Newly create a protocol to synchronize between a host and a network manager – Just make use of such existing mechanism • Each way has its own pros and cons – New protocol • vendor-neutral • general-purpose protocol is quite difficult – Existing Mechanism • Can be vendor-specific • easier because it is often dedicated for a single purpose solution • The latter one seems practical
Apricot2005, Feb 2005 11 3.1. Quarantine Network • Quarantine Network – Framework to provide a precise and refined network management – dynamic network separation based on the security level of a node • Equivalent to a quarantine procedure in the immigration at an international-airport
Apricot2005, Feb 2005 12 3.2 Components of the Quarantine Network • Security Level Management – by Quarantine Server • monitors the security level of a node • accomplished by a legacy auditing tool • Dynamic Network Separation – by Policy Enforcer • accommodate the node to a network segment according to the security level of the node • accomplished by several methods (Layer2, Layer3, Layer4, Layer7)
Apricot2005, Feb 2005 13 e.g.) How to Integrate Security Framework in Quarantine Network? • ISP – Security Level Measurement • Amount of traffic from a PC – Dynamic Separation • heavy-user, ordinary-user, malicious-user • Enterprise – Security Level Measurement • Installed software on a PC (e.g. Anti-virus software) – Dynamic Separation • staff, staff not installing the required software, guest • SOHO – Security Level Management • User authentication – Dynamic Separation • staff, guest
Apricot2005, Feb 2005 14 3.3. Implementation Status • Security Level Management – Legacy auditing tools seems satisfactory • Dynamic Network Separation – Layer2: IEEE802.1x (not specific to IPv6) • several vendors – Layer3: PANA/DHCPv6 • WIDE Project Secure6 WG – Layer4: Tunnel-Broker – Layer7: Distributed Firewall • Euro6IX
Apricot2005, Feb 2005 15 3.4. Issues in Dynamic Network Separation • Yet Another Management – Layer2 • Layer3 address need be managed, together with Layer2 management – Layer7 • How to describe/distribute/confirm a policy for every node? • Encrypted Communication – Layer2, Layer3, Layer4 • cannot manage encrypted communication in the middle • Protocol Independence – Layer3, Layer4, Layer7 • Need to do the same thing for IPv4, too. • Access Concentration – Layer4 • a bottle neck in performance, or a single point of failure
Apricot2005, Feb 2005 16 3.4 Remaining Issues • Analysis of a Possible Vulnerability in Quarantine Network itself • Evaluation in the Actual Operation – really IP-version independent? – tolerable delay /performance? – Comparison between installation/running-cost and the hedged risk
Apricot2005, Feb 2005 17 4. Conclusion • (Automatic) Integration of Perimeter Defense, Edge Defense, and Object Defense is necessary in the IPv6 era • Introduced Quarantine Network as an integration example
Apricot2005, Feb 2005 18 c.f.) What’s going on in standardization? • IETF v6ops WG – Trying to summarize IPv6 security overview – Based on that overview, ask Security Area people to work on specific items – slow and steady progress …. • IETF netconf WG – XML-based network configuration protocol – Originally aiming at a router/switch configuration – protocol is almost done, and working on data-model

Recommended

Chapter 8 Presentaion
Chapter 8 PresentaionChapter 8 Presentaion
Chapter 8 PresentaionAmy McMullin
 
Security 101: Controlling Access to IBM i Systems and Data
Security 101: Controlling Access to IBM i Systems and DataSecurity 101: Controlling Access to IBM i Systems and Data
Security 101: Controlling Access to IBM i Systems and DataPrecisely
 
Security 101: Controlling Access to IBM i Systems and Data
Security 101: Controlling Access to IBM i Systems and DataSecurity 101: Controlling Access to IBM i Systems and Data
Security 101: Controlling Access to IBM i Systems and DataPrecisely
 
DEF CON 27 - XIAOHUIHUI - all the 4g modules could be hacked
DEF CON 27 - XIAOHUIHUI - all the 4g modules could be hackedDEF CON 27 - XIAOHUIHUI - all the 4g modules could be hacked
DEF CON 27 - XIAOHUIHUI - all the 4g modules could be hackedFelipe Prado
 
Cybersecurity Network Security Training (Featured) - Tonex Training
Cybersecurity Network Security Training (Featured) - Tonex TrainingCybersecurity Network Security Training (Featured) - Tonex Training
Cybersecurity Network Security Training (Featured) - Tonex TrainingBryan Len
 
CNIT 123: Ch 13: Network Protection Systems
CNIT 123: Ch 13: Network Protection SystemsCNIT 123: Ch 13: Network Protection Systems
CNIT 123: Ch 13: Network Protection SystemsSam Bowne
 
CNIT 123: Ch 9: Embedded Operating Systems: The Hidden Threat
CNIT 123: Ch 9: Embedded Operating Systems: The Hidden ThreatCNIT 123: Ch 9: Embedded Operating Systems: The Hidden Threat
CNIT 123: Ch 9: Embedded Operating Systems: The Hidden ThreatSam Bowne
 
Information Security Lesson 4 - Baselines - Eric Vanderburg
Information Security Lesson 4 - Baselines - Eric VanderburgInformation Security Lesson 4 - Baselines - Eric Vanderburg
Information Security Lesson 4 - Baselines - Eric VanderburgEric Vanderburg
 

Recommended

Chapter 8 Presentaion
Chapter 8 PresentaionChapter 8 Presentaion
Chapter 8 PresentaionAmy McMullin
 
Security 101: Controlling Access to IBM i Systems and Data
Security 101: Controlling Access to IBM i Systems and DataSecurity 101: Controlling Access to IBM i Systems and Data
Security 101: Controlling Access to IBM i Systems and DataPrecisely
 
Security 101: Controlling Access to IBM i Systems and Data
Security 101: Controlling Access to IBM i Systems and DataSecurity 101: Controlling Access to IBM i Systems and Data
Security 101: Controlling Access to IBM i Systems and DataPrecisely
 
DEF CON 27 - XIAOHUIHUI - all the 4g modules could be hacked
DEF CON 27 - XIAOHUIHUI - all the 4g modules could be hackedDEF CON 27 - XIAOHUIHUI - all the 4g modules could be hacked
DEF CON 27 - XIAOHUIHUI - all the 4g modules could be hackedFelipe Prado
 
Cybersecurity Network Security Training (Featured) - Tonex Training
Cybersecurity Network Security Training (Featured) - Tonex TrainingCybersecurity Network Security Training (Featured) - Tonex Training
Cybersecurity Network Security Training (Featured) - Tonex TrainingBryan Len
 
CNIT 123: Ch 13: Network Protection Systems
CNIT 123: Ch 13: Network Protection SystemsCNIT 123: Ch 13: Network Protection Systems
CNIT 123: Ch 13: Network Protection SystemsSam Bowne
 
CNIT 123: Ch 9: Embedded Operating Systems: The Hidden Threat
CNIT 123: Ch 9: Embedded Operating Systems: The Hidden ThreatCNIT 123: Ch 9: Embedded Operating Systems: The Hidden Threat
CNIT 123: Ch 9: Embedded Operating Systems: The Hidden ThreatSam Bowne
 
Information Security Lesson 4 - Baselines - Eric Vanderburg
Information Security Lesson 4 - Baselines - Eric VanderburgInformation Security Lesson 4 - Baselines - Eric Vanderburg
Information Security Lesson 4 - Baselines - Eric VanderburgEric Vanderburg
 
Firewall in Perl by Chankey Pathak
Firewall in Perl by Chankey PathakFirewall in Perl by Chankey Pathak
Firewall in Perl by Chankey PathakChankey Pathak
 
Enterprise Security in Mainframe-Connected Environments
Enterprise Security in Mainframe-Connected EnvironmentsEnterprise Security in Mainframe-Connected Environments
Enterprise Security in Mainframe-Connected EnvironmentsPrecisely
 
Security Landscape Presentation
Security Landscape PresentationSecurity Landscape Presentation
Security Landscape PresentationDoug McTighe
 
A+ Chapter 4 Review
A+ Chapter 4 ReviewA+ Chapter 4 Review
A+ Chapter 4 ReviewAmy McMullin
 
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...Digital Bond
 
Security architecture design patterns iltam 2018 - ofer rivlin
Security architecture design patterns iltam 2018 - ofer rivlinSecurity architecture design patterns iltam 2018 - ofer rivlin
Security architecture design patterns iltam 2018 - ofer rivlinOfer Rivlin, CISSP
 
Secure remote device access
Secure remote device access Secure remote device access
Secure remote device access Nirmal Thaliyil
 
Cincinnati window shade technology overview
Cincinnati window shade technology overviewCincinnati window shade technology overview
Cincinnati window shade technology overviewrippea
 
CNIT 141 13. TLS
CNIT 141 13. TLSCNIT 141 13. TLS
CNIT 141 13. TLSSam Bowne
 
Secure your network - Segmentation and segregation
Secure your network - Segmentation and segregationSecure your network - Segmentation and segregation
Secure your network - Segmentation and segregationMagnus Jansson
 
Jakub Bartoszek (Samsung Electronics) - Hardware Security in Connected World
Jakub Bartoszek (Samsung Electronics) - Hardware Security in Connected WorldJakub Bartoszek (Samsung Electronics) - Hardware Security in Connected World
Jakub Bartoszek (Samsung Electronics) - Hardware Security in Connected WorldCodiax
 
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...Digital Bond
 
A+ Chapter 3 Review
A+ Chapter 3 ReviewA+ Chapter 3 Review
A+ Chapter 3 ReviewAmy McMullin
 
Secure nets-and-data
Secure nets-and-dataSecure nets-and-data
Secure nets-and-dataKevin Mayo
 
Managing 4,000 devices across 20+ remote sites on a single console
Managing 4,000 devices across 20+ remote sites on a single consoleManaging 4,000 devices across 20+ remote sites on a single console
Managing 4,000 devices across 20+ remote sites on a single consoleManageEngine, Zoho Corporation
 
Unidirectional Security, Andrew Ginter of Waterfall Security
Unidirectional Security, Andrew Ginter of Waterfall Security Unidirectional Security, Andrew Ginter of Waterfall Security
Unidirectional Security, Andrew Ginter of Waterfall Security Digital Bond
 
Maemo 6 Platform Security
Maemo 6 Platform SecurityMaemo 6 Platform Security
Maemo 6 Platform SecurityPeter Schneider
 
Palo alto outline course | Mostafa El Lathy
Palo alto outline course | Mostafa El LathyPalo alto outline course | Mostafa El Lathy
Palo alto outline course | Mostafa El LathyMostafa El Lathy
 
Nagios Conference 2007 | A Framework for Hardware-based Monitoring by Kevin ...
Nagios Conference 2007 | A Framework for Hardware-based Monitoring by Kevin ...Nagios Conference 2007 | A Framework for Hardware-based Monitoring by Kevin ...
Nagios Conference 2007 | A Framework for Hardware-based Monitoring by Kevin ...NETWAYS
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)NCC Group
 
OpenStack Infrastructure at any Scale - Simple is BEST!? - - OpenStack最新情報セミ...
OpenStack Infrastructure at any Scale - Simple is BEST!? - - OpenStack最新情報セミ...OpenStack Infrastructure at any Scale - Simple is BEST!? - - OpenStack最新情報セミ...
OpenStack Infrastructure at any Scale - Simple is BEST!? - - OpenStack最新情報セミ...VirtualTech Japan Inc.
 
CCNP Security-Firewall
CCNP Security-FirewallCCNP Security-Firewall
CCNP Security-Firewallmohannadalhanahnah
 

More Related Content

What's hot

Firewall in Perl by Chankey Pathak
Firewall in Perl by Chankey PathakFirewall in Perl by Chankey Pathak
Firewall in Perl by Chankey PathakChankey Pathak
 
Enterprise Security in Mainframe-Connected Environments
Enterprise Security in Mainframe-Connected EnvironmentsEnterprise Security in Mainframe-Connected Environments
Enterprise Security in Mainframe-Connected EnvironmentsPrecisely
 
Security Landscape Presentation
Security Landscape PresentationSecurity Landscape Presentation
Security Landscape PresentationDoug McTighe
 
A+ Chapter 4 Review
A+ Chapter 4 ReviewA+ Chapter 4 Review
A+ Chapter 4 ReviewAmy McMullin
 
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...Digital Bond
 
Security architecture design patterns iltam 2018 - ofer rivlin
Security architecture design patterns iltam 2018 - ofer rivlinSecurity architecture design patterns iltam 2018 - ofer rivlin
Security architecture design patterns iltam 2018 - ofer rivlinOfer Rivlin, CISSP
 
Secure remote device access
Secure remote device access Secure remote device access
Secure remote device access Nirmal Thaliyil
 
Cincinnati window shade technology overview
Cincinnati window shade technology overviewCincinnati window shade technology overview
Cincinnati window shade technology overviewrippea
 
CNIT 141 13. TLS
CNIT 141 13. TLSCNIT 141 13. TLS
CNIT 141 13. TLSSam Bowne
 
Secure your network - Segmentation and segregation
Secure your network - Segmentation and segregationSecure your network - Segmentation and segregation
Secure your network - Segmentation and segregationMagnus Jansson
 
Jakub Bartoszek (Samsung Electronics) - Hardware Security in Connected World
Jakub Bartoszek (Samsung Electronics) - Hardware Security in Connected WorldJakub Bartoszek (Samsung Electronics) - Hardware Security in Connected World
Jakub Bartoszek (Samsung Electronics) - Hardware Security in Connected WorldCodiax
 
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...Digital Bond
 
A+ Chapter 3 Review
A+ Chapter 3 ReviewA+ Chapter 3 Review
A+ Chapter 3 ReviewAmy McMullin
 
Secure nets-and-data
Secure nets-and-dataSecure nets-and-data
Secure nets-and-dataKevin Mayo
 
Managing 4,000 devices across 20+ remote sites on a single console
Managing 4,000 devices across 20+ remote sites on a single consoleManaging 4,000 devices across 20+ remote sites on a single console
Managing 4,000 devices across 20+ remote sites on a single consoleManageEngine, Zoho Corporation
 
Unidirectional Security, Andrew Ginter of Waterfall Security
Unidirectional Security, Andrew Ginter of Waterfall Security Unidirectional Security, Andrew Ginter of Waterfall Security
Unidirectional Security, Andrew Ginter of Waterfall Security Digital Bond
 
Maemo 6 Platform Security
Maemo 6 Platform SecurityMaemo 6 Platform Security
Maemo 6 Platform SecurityPeter Schneider
 
Palo alto outline course | Mostafa El Lathy
Palo alto outline course | Mostafa El LathyPalo alto outline course | Mostafa El Lathy
Palo alto outline course | Mostafa El LathyMostafa El Lathy
 
Nagios Conference 2007 | A Framework for Hardware-based Monitoring by Kevin ...
Nagios Conference 2007 | A Framework for Hardware-based Monitoring by Kevin ...Nagios Conference 2007 | A Framework for Hardware-based Monitoring by Kevin ...
Nagios Conference 2007 | A Framework for Hardware-based Monitoring by Kevin ...NETWAYS
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)NCC Group
 

What's hot (20)

Firewall in Perl by Chankey Pathak
Firewall in Perl by Chankey PathakFirewall in Perl by Chankey Pathak
Firewall in Perl by Chankey Pathak
 
Enterprise Security in Mainframe-Connected Environments
Enterprise Security in Mainframe-Connected EnvironmentsEnterprise Security in Mainframe-Connected Environments
Enterprise Security in Mainframe-Connected Environments
 
Security Landscape Presentation
Security Landscape PresentationSecurity Landscape Presentation
Security Landscape Presentation
 
A+ Chapter 4 Review
A+ Chapter 4 ReviewA+ Chapter 4 Review
A+ Chapter 4 Review
 
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
 
Security architecture design patterns iltam 2018 - ofer rivlin
Security architecture design patterns iltam 2018 - ofer rivlinSecurity architecture design patterns iltam 2018 - ofer rivlin
Security architecture design patterns iltam 2018 - ofer rivlin
 
Secure remote device access
Secure remote device access Secure remote device access
Secure remote device access
 
Cincinnati window shade technology overview
Cincinnati window shade technology overviewCincinnati window shade technology overview
Cincinnati window shade technology overview
 
CNIT 141 13. TLS
CNIT 141 13. TLSCNIT 141 13. TLS
CNIT 141 13. TLS
 
Secure your network - Segmentation and segregation
Secure your network - Segmentation and segregationSecure your network - Segmentation and segregation
Secure your network - Segmentation and segregation
 
Jakub Bartoszek (Samsung Electronics) - Hardware Security in Connected World
Jakub Bartoszek (Samsung Electronics) - Hardware Security in Connected WorldJakub Bartoszek (Samsung Electronics) - Hardware Security in Connected World
Jakub Bartoszek (Samsung Electronics) - Hardware Security in Connected World
 
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
 
A+ Chapter 3 Review
A+ Chapter 3 ReviewA+ Chapter 3 Review
A+ Chapter 3 Review
 
Secure nets-and-data
Secure nets-and-dataSecure nets-and-data
Secure nets-and-data
 
Managing 4,000 devices across 20+ remote sites on a single console
Managing 4,000 devices across 20+ remote sites on a single consoleManaging 4,000 devices across 20+ remote sites on a single console
Managing 4,000 devices across 20+ remote sites on a single console
 
Unidirectional Security, Andrew Ginter of Waterfall Security
Unidirectional Security, Andrew Ginter of Waterfall Security Unidirectional Security, Andrew Ginter of Waterfall Security
Unidirectional Security, Andrew Ginter of Waterfall Security
 
Maemo 6 Platform Security
Maemo 6 Platform SecurityMaemo 6 Platform Security
Maemo 6 Platform Security
 
Palo alto outline course | Mostafa El Lathy
Palo alto outline course | Mostafa El LathyPalo alto outline course | Mostafa El Lathy
Palo alto outline course | Mostafa El Lathy
 
Nagios Conference 2007 | A Framework for Hardware-based Monitoring by Kevin ...
Nagios Conference 2007 | A Framework for Hardware-based Monitoring by Kevin ...Nagios Conference 2007 | A Framework for Hardware-based Monitoring by Kevin ...
Nagios Conference 2007 | A Framework for Hardware-based Monitoring by Kevin ...
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)
 

Similar to Security Framework for the IPv6 Era

OpenStack Infrastructure at any Scale - Simple is BEST!? - - OpenStack最新情報セミ...
OpenStack Infrastructure at any Scale - Simple is BEST!? - - OpenStack最新情報セミ...OpenStack Infrastructure at any Scale - Simple is BEST!? - - OpenStack最新情報セミ...
OpenStack Infrastructure at any Scale - Simple is BEST!? - - OpenStack最新情報セミ...VirtualTech Japan Inc.
 
Design Like a Pro: Planning Enterprise Solutions
Design Like a Pro: Planning Enterprise SolutionsDesign Like a Pro: Planning Enterprise Solutions
Design Like a Pro: Planning Enterprise SolutionsInductive Automation
 
Design Like a Pro: Planning Enterprise Solutions
Design Like a Pro: Planning Enterprise SolutionsDesign Like a Pro: Planning Enterprise Solutions
Design Like a Pro: Planning Enterprise SolutionsInductive Automation
 
Plnog13 2014 security intelligence_pkedra_v1
Plnog13 2014 security intelligence_pkedra_v1Plnog13 2014 security intelligence_pkedra_v1
Plnog13 2014 security intelligence_pkedra_v1PROIDEA
 
Why Its time to Upgrade a Next-Generation Firewall
Why Its time to Upgrade a Next-Generation FirewallWhy Its time to Upgrade a Next-Generation Firewall
Why Its time to Upgrade a Next-Generation FirewallAli Kapucu
 
SDN_and_NFV_technologies_in_IoT_Networks
SDN_and_NFV_technologies_in_IoT_NetworksSDN_and_NFV_technologies_in_IoT_Networks
SDN_and_NFV_technologies_in_IoT_NetworksSrinivasa Addepalli
 
Palo Alto Networks y la tecnología de Next Generation Firewall
Palo Alto Networks y la tecnología de Next Generation FirewallPalo Alto Networks y la tecnología de Next Generation Firewall
Palo Alto Networks y la tecnología de Next Generation FirewallMundo Contact
 
Swisscom: Testing von IPv6 Security Devices
Swisscom: Testing von IPv6 Security DevicesSwisscom: Testing von IPv6 Security Devices
Swisscom: Testing von IPv6 Security DevicesSwiss IPv6 Council
 
Unified Threat Management
Unified Threat ManagementUnified Threat Management
Unified Threat ManagementTapas Shome
 
Automated Deployment and Management of Edge Clouds
Automated Deployment and Management of Edge CloudsAutomated Deployment and Management of Edge Clouds
Automated Deployment and Management of Edge CloudsJay Bryant
 
Firewall Design and Implementation
Firewall Design and ImplementationFirewall Design and Implementation
Firewall Design and Implementationajeet singh
 

Similar to Security Framework for the IPv6 Era (20)

OpenStack Infrastructure at any Scale - Simple is BEST!? - - OpenStack最新情報セミ...
OpenStack Infrastructure at any Scale - Simple is BEST!? - - OpenStack最新情報セミ...OpenStack Infrastructure at any Scale - Simple is BEST!? - - OpenStack最新情報セミ...
OpenStack Infrastructure at any Scale - Simple is BEST!? - - OpenStack最新情報セミ...
 
CCNP Security-Firewall
CCNP Security-FirewallCCNP Security-Firewall
CCNP Security-Firewall
 
Smart Object Architecture
Smart Object ArchitectureSmart Object Architecture
Smart Object Architecture
 
Design Like a Pro: Planning Enterprise Solutions
Design Like a Pro: Planning Enterprise SolutionsDesign Like a Pro: Planning Enterprise Solutions
Design Like a Pro: Planning Enterprise Solutions
 
Design Like a Pro: Planning Enterprise Solutions
Design Like a Pro: Planning Enterprise SolutionsDesign Like a Pro: Planning Enterprise Solutions
Design Like a Pro: Planning Enterprise Solutions
 
Plnog13 2014 security intelligence_pkedra_v1
Plnog13 2014 security intelligence_pkedra_v1Plnog13 2014 security intelligence_pkedra_v1
Plnog13 2014 security intelligence_pkedra_v1
 
Zigbee Presentation
Zigbee PresentationZigbee Presentation
Zigbee Presentation
 
Why Its time to Upgrade a Next-Generation Firewall
Why Its time to Upgrade a Next-Generation FirewallWhy Its time to Upgrade a Next-Generation Firewall
Why Its time to Upgrade a Next-Generation Firewall
 
SDN_and_NFV_technologies_in_IoT_Networks
SDN_and_NFV_technologies_in_IoT_NetworksSDN_and_NFV_technologies_in_IoT_Networks
SDN_and_NFV_technologies_in_IoT_Networks
 
Chapter08
Chapter08Chapter08
Chapter08
 
Palo Alto Networks y la tecnología de Next Generation Firewall
Palo Alto Networks y la tecnología de Next Generation FirewallPalo Alto Networks y la tecnología de Next Generation Firewall
Palo Alto Networks y la tecnología de Next Generation Firewall
 
Seminar
SeminarSeminar
Seminar
 
Vp ns
Vp nsVp ns
Vp ns
 
Firewall
FirewallFirewall
Firewall
 
Myles firewalls
Myles firewallsMyles firewalls
Myles firewalls
 
Swisscom: Testing von IPv6 Security Devices
Swisscom: Testing von IPv6 Security DevicesSwisscom: Testing von IPv6 Security Devices
Swisscom: Testing von IPv6 Security Devices
 
Unified Threat Management
Unified Threat ManagementUnified Threat Management
Unified Threat Management
 
Automated Deployment and Management of Edge Clouds
Automated Deployment and Management of Edge CloudsAutomated Deployment and Management of Edge Clouds
Automated Deployment and Management of Edge Clouds
 
Virtual Private Network
Virtual Private NetworkVirtual Private Network
Virtual Private Network
 
Firewall Design and Implementation
Firewall Design and ImplementationFirewall Design and Implementation
Firewall Design and Implementation
 

More from Shinsuke SUZUKI

IPv6技術標準化の最新動向
IPv6技術標準化の最新動向IPv6技術標準化の最新動向
IPv6技術標準化の最新動向Shinsuke SUZUKI
 
Technology Updates in IPv6
Technology Updates in IPv6Technology Updates in IPv6
Technology Updates in IPv6Shinsuke SUZUKI
 
Plug and Play Using Prefix Delegation Mechanism
Plug and Play Using Prefix Delegation MechanismPlug and Play Using Prefix Delegation Mechanism
Plug and Play Using Prefix Delegation MechanismShinsuke SUZUKI
 
BSD UnixにおいてIPv6を有効にした際に発生する課題とその対策
BSD UnixにおいてIPv6を有効にした際に発生する課題とその対策BSD UnixにおいてIPv6を有効にした際に発生する課題とその対策
BSD UnixにおいてIPv6を有効にした際に発生する課題とその対策Shinsuke SUZUKI
 
Operational Issues inIPv6 --from vendors' point of view--
Operational Issues inIPv6 --from vendors' point of view--Operational Issues inIPv6 --from vendors' point of view--
Operational Issues inIPv6 --from vendors' point of view--Shinsuke SUZUKI
 
国際DVTS転送におけるネットワーク技術の使い方 -日伊間双方向DVTS送信を通じて-
国際DVTS転送におけるネットワーク技術の使い方 -日伊間双方向DVTS送信を通じて-国際DVTS転送におけるネットワーク技術の使い方 -日伊間双方向DVTS送信を通じて-
国際DVTS転送におけるネットワーク技術の使い方 -日伊間双方向DVTS送信を通じて-Shinsuke SUZUKI
 
IPv6標準化の最新動向
IPv6標準化の最新動向IPv6標準化の最新動向
IPv6標準化の最新動向Shinsuke SUZUKI
 
IPv6によってセキュリティはどう変化するか? -LAN上の挙動の観点でー
IPv6によってセキュリティはどう変化するか? -LAN上の挙動の観点でーIPv6によってセキュリティはどう変化するか? -LAN上の挙動の観点でー
IPv6によってセキュリティはどう変化するか? -LAN上の挙動の観点でーShinsuke SUZUKI
 
IPv6 移行時に注意が必要なセキュリティ上の脅威と対策 ー実装者の観点からー
IPv6 移行時に注意が必要なセキュリティ上の脅威と対策 ー実装者の観点からーIPv6 移行時に注意が必要なセキュリティ上の脅威と対策 ー実装者の観点からー
IPv6 移行時に注意が必要なセキュリティ上の脅威と対策 ー実装者の観点からーShinsuke SUZUKI
 
不正 RAの傾向と対策
不正 RAの傾向と対策不正 RAの傾向と対策
不正 RAの傾向と対策Shinsuke SUZUKI
 

More from Shinsuke SUZUKI (14)

IPv6標準化と実装
IPv6標準化と実装IPv6標準化と実装
IPv6標準化と実装
 
IPv6技術標準化の最新動向
IPv6技術標準化の最新動向IPv6技術標準化の最新動向
IPv6技術標準化の最新動向
 
Technology Updates in IPv6
Technology Updates in IPv6Technology Updates in IPv6
Technology Updates in IPv6
 
IPv6 Update
IPv6 UpdateIPv6 Update
IPv6 Update
 
Plug and Play Using Prefix Delegation Mechanism
Plug and Play Using Prefix Delegation MechanismPlug and Play Using Prefix Delegation Mechanism
Plug and Play Using Prefix Delegation Mechanism
 
IPv6の現状
IPv6の現状IPv6の現状
IPv6の現状
 
IPv6技術動向
IPv6技術動向IPv6技術動向
IPv6技術動向
 
BSD UnixにおいてIPv6を有効にした際に発生する課題とその対策
BSD UnixにおいてIPv6を有効にした際に発生する課題とその対策BSD UnixにおいてIPv6を有効にした際に発生する課題とその対策
BSD UnixにおいてIPv6を有効にした際に発生する課題とその対策
 
Operational Issues inIPv6 --from vendors' point of view--
Operational Issues inIPv6 --from vendors' point of view--Operational Issues inIPv6 --from vendors' point of view--
Operational Issues inIPv6 --from vendors' point of view--
 
国際DVTS転送におけるネットワーク技術の使い方 -日伊間双方向DVTS送信を通じて-
国際DVTS転送におけるネットワーク技術の使い方 -日伊間双方向DVTS送信を通じて-国際DVTS転送におけるネットワーク技術の使い方 -日伊間双方向DVTS送信を通じて-
国際DVTS転送におけるネットワーク技術の使い方 -日伊間双方向DVTS送信を通じて-
 
IPv6標準化の最新動向
IPv6標準化の最新動向IPv6標準化の最新動向
IPv6標準化の最新動向
 
IPv6によってセキュリティはどう変化するか? -LAN上の挙動の観点でー
IPv6によってセキュリティはどう変化するか? -LAN上の挙動の観点でーIPv6によってセキュリティはどう変化するか? -LAN上の挙動の観点でー
IPv6によってセキュリティはどう変化するか? -LAN上の挙動の観点でー
 
IPv6 移行時に注意が必要なセキュリティ上の脅威と対策 ー実装者の観点からー
IPv6 移行時に注意が必要なセキュリティ上の脅威と対策 ー実装者の観点からーIPv6 移行時に注意が必要なセキュリティ上の脅威と対策 ー実装者の観点からー
IPv6 移行時に注意が必要なセキュリティ上の脅威と対策 ー実装者の観点からー
 
不正 RAの傾向と対策
不正 RAの傾向と対策不正 RAの傾向と対策
不正 RAの傾向と対策
 

Recently uploaded

Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsMonica Sydney
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsMonica Sydney
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.krishnachandrapal52
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...kumargunjan9515
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdfMatthew Sinclair
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"growthgrids
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...meghakumariji156
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制pxcywzqs
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理F
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge GraphsEleniIlkou
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsMonica Sydney
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasDigicorns Technologies
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdfMatthew Sinclair
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoilmeghakumariji156
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查ydyuyu
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtrahman018755
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...kajalverma014
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsPriya Reddy
 

Recently uploaded (20)

Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
 

Security Framework for the IPv6 Era

  • 1. Apricot2005, Feb 2005 1 Security Framework for the IPv6 Era SUZUKI, Shinsuke (Hitachi, Ltd. / KAME Project / WIDE Project Secure-6 WG) suz@crl.hitachi.co.jp / suz@kame.net HIROMI, Ruri (Intec NetCore, Inc. / WIDE Project Secure-6 WG) hiromi@inetcore.com
  • 2. Apricot2005, Feb 2005 2 Outline 1. Legacy security framework 2. What is necessary in IPv6 network? 3. Quarantine Network * Backbone-network issue is out of scope in this presentation (e.g. DoS, source-spoofing, Phishing)
  • 3. Apricot2005, Feb 2005 3 1.1. Various kinds of Security Frameworks • Perimeter Defense – e.g. Firewall, VPN • Legacy IPv4 operational security • to drop unnecessary traffic from inside / outside • Edge Defense – e.g. IPsec (Transparent-mode), Personal Firewall • Current IPv6 protocol-level security • to keep Confidentiality/Integrity/Authentication of communication • Object Defense – e.g. Data encryption, Access authentication, Mandatory Access Control, Anti-virus software • Recent IPv4 operational security • to drop application-level attack (e.g. spam, virus, worm, spy-ware, theft) on a PC
  • 4. Apricot2005, Feb 2005 4 1.2. Assumptions in Each Framework • Each framework has some assumptions – Perimeter Defense • “all the communication MUST goes through a firewall” – “communication” = Web/Mail/FTP – A host does not physically move so frequently – A host cannot have an external connectivity by itself – Edge Defense • “A user may make any communication as he/she wants” – Object Defense • “A user must/can defend oneself by him/herself”
  • 5. Apricot2005, Feb 2005 5 1.3. Advantages/Disadvantages in Each Framework • Perimeter Defense – Advantages • concentrated management – Disadvantages • uncovered security threats (e.g. insider attack) • difficulty in user-specific customization (e.g. “it’s secure, but I cannot work!”) • singular point of failure (e.g. network performance) • Edge Defense – Advantages • user-specific customization (e.g. end-to-end encrypted session) – Disadvantages • difficulty in consistent management (e.g. security policy, traffic inspection) • Object Defense – Advantages • detailed inspection • user-specific customization – Disadvantages • difficulty in consistent management (e.g. operational mistake, zero-day attack)
  • 6. Apricot2005, Feb 2005 6 1.4. Current Deployment Status • Perimeter Defense is still preferred by administrators, because it fully satisfies the administrators’ requirement: – Administrators’ requirement • manageable security – Enforce a security policy to all the nodes in a centrally consistent manner – Users’ requirement • customizable and easy security – Obtain a user-specific security policy automatically
  • 7. Apricot2005, Feb 2005 7 2.1. What Does Perimeter Defense Matter with IPv6? • Perimeter Defense often unnecessarily restricts communication – Non-problematic user operation is denied, because of the management difficulty... • Essentially not an IPv6-specific issue – but getting much more serious in IPv6, since it completely denies the benefit of IPv6 by nature • Plug & Play • non-PC equipment • end-to-end (encrypted) communication • new applications
  • 8. Apricot2005, Feb 2005 8 2.2. What Is Necessary? • Integration of “Manageable Security” and “Customizable and Easy Security” – automatic integration is desirable – should work in IPv4 as well as in IPv6 • Integration way is different, depending on – the definition of a “security policy” – network environment • This makes the things complex...
  • 9. Apricot2005, Feb 2005 9 e.g.) Security Policy Examples • ISP network – Customers may make any communication, if it does not interfere with other customer’s communication severely  Traffic management is important • Enterprise network – Customers may make any communication, if it contributes to the profit of the enterprise  Detailed contents management is important • SOHO network – Provide every service to the very limited number of customers  Customer authentication is important
  • 10. Apricot2005, Feb 2005 10 2.3. How To Proceed? • There are two ways – Newly create a protocol to synchronize between a host and a network manager – Just make use of such existing mechanism • Each way has its own pros and cons – New protocol • vendor-neutral • general-purpose protocol is quite difficult – Existing Mechanism • Can be vendor-specific • easier because it is often dedicated for a single purpose solution • The latter one seems practical
  • 11. Apricot2005, Feb 2005 11 3.1. Quarantine Network • Quarantine Network – Framework to provide a precise and refined network management – dynamic network separation based on the security level of a node • Equivalent to a quarantine procedure in the immigration at an international-airport
  • 12. Apricot2005, Feb 2005 12 3.2 Components of the Quarantine Network • Security Level Management – by Quarantine Server • monitors the security level of a node • accomplished by a legacy auditing tool • Dynamic Network Separation – by Policy Enforcer • accommodate the node to a network segment according to the security level of the node • accomplished by several methods (Layer2, Layer3, Layer4, Layer7)
  • 13. Apricot2005, Feb 2005 13 e.g.) How to Integrate Security Framework in Quarantine Network? • ISP – Security Level Measurement • Amount of traffic from a PC – Dynamic Separation • heavy-user, ordinary-user, malicious-user • Enterprise – Security Level Measurement • Installed software on a PC (e.g. Anti-virus software) – Dynamic Separation • staff, staff not installing the required software, guest • SOHO – Security Level Management • User authentication – Dynamic Separation • staff, guest
  • 14. Apricot2005, Feb 2005 14 3.3. Implementation Status • Security Level Management – Legacy auditing tools seems satisfactory • Dynamic Network Separation – Layer2: IEEE802.1x (not specific to IPv6) • several vendors – Layer3: PANA/DHCPv6 • WIDE Project Secure6 WG – Layer4: Tunnel-Broker – Layer7: Distributed Firewall • Euro6IX
  • 15. Apricot2005, Feb 2005 15 3.4. Issues in Dynamic Network Separation • Yet Another Management – Layer2 • Layer3 address need be managed, together with Layer2 management – Layer7 • How to describe/distribute/confirm a policy for every node? • Encrypted Communication – Layer2, Layer3, Layer4 • cannot manage encrypted communication in the middle • Protocol Independence – Layer3, Layer4, Layer7 • Need to do the same thing for IPv4, too. • Access Concentration – Layer4 • a bottle neck in performance, or a single point of failure
  • 16. Apricot2005, Feb 2005 16 3.4 Remaining Issues • Analysis of a Possible Vulnerability in Quarantine Network itself • Evaluation in the Actual Operation – really IP-version independent? – tolerable delay /performance? – Comparison between installation/running-cost and the hedged risk
  • 17. Apricot2005, Feb 2005 17 4. Conclusion • (Automatic) Integration of Perimeter Defense, Edge Defense, and Object Defense is necessary in the IPv6 era • Introduced Quarantine Network as an integration example
  • 18. Apricot2005, Feb 2005 18 c.f.) What’s going on in standardization? • IETF v6ops WG – Trying to summarize IPv6 security overview – Based on that overview, ask Security Area people to work on specific items – slow and steady progress …. • IETF netconf WG – XML-based network configuration protocol – Originally aiming at a router/switch configuration – protocol is almost done, and working on data-model