Download EE579S Computer Security - Worcester Polytechnic Institute

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

Document related concepts

Wireless security wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

Wake-on-LAN wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

Computer network wikipedia , lookup

Distributed firewall wikipedia , lookup

List of wireless community networks by region wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Network tap wikipedia , lookup

Airborne Networking wikipedia , lookup

Zero-configuration networking wikipedia , lookup

Transcript
ECE537 Advanced and High
Performance Networks
10: HAIPE, Management in High-Speed
Networks
Professor Richard A. Stanley, P.E.
Spring 2009
© 2000-2009, Richard A. Stanley
ECE537/10 #1
Overview of Tonight’s Class
• Student presentations/discussions
• Review of last time
• Overview of management issues in highspeed networks
ECE537/10 #2
Last time
• There are an increasing number of
approaches for providing minimum levels
of service over packet networks
• Many of these schemes do not fit nicely into
the n-layer protocol model (e.g. MPLS)
• Many of these schemes do not interoperate
well with one another, so decisions must be
taken about implementation
ECE537/10 #3
HAIPE
• High Assurance Internet Protocol
Encryption
• Developed to provide IPSec-like encryption
in a Type 1 cryptographic device (i.e., one
that is usable in U. S. DoD networks)
• Increasingly found in military networks,
and often misunderstood
ECE537/10 #4
Type 1 Cryptographic Product
• NSA endorsed classified or controlled
cryptographic item for classified or
sensitive U.S. government information,
including cryptographic equipment,
assembly or component classified or
certified by NSA for encrypting and
decrypting classified and sensitive national
security information when appropriately
keyed.
ECE537/10 #5
Type 2 Cryptographic Product
• NSA endorsed unclassified cryptographic
equipment, assemblies or components for
sensitive but unclassified U.S. government
information.
ECE537/10 #6
Type 3 Cryptographic Product
• Unclassified cryptographic equipment, assembly,
or component used, when appropriately keyed, for
encrypting or decrypting unclassified sensitive
U.S. Government or commercial information, and
to protect systems requiring protection
mechanisms consistent with standard commercial
practices. A Type 3 Algorithm refers to NIST
endorsed algorithms, registered and FIPS
published, for sensitive but unclassified U.S.
government and commercial information.
ECE537/10 #7
Type 4 Cryptographic Product
• A Type 4 Algorithm refers to algorithms
that are registered by the NIST but are not
FIPS published. Unevaluated commercial
cryptographic equipment, assemblies, or
components that neither NSA nor NIST
certify for any Government usage.
ECE537/10 #8
Example of HAIPE Tunnel
• Diagram of Tunnel design
ECE537/10 #9
Design of HAIPE
• Example of HAIPE Design
• Breakdown of IP Traffic
• HAIPE on both sides of connection
ECE537/10 #10
Packet Format Examples
ECE537/10 #11
Compression
• HAIPE can compress many pieces of data
• Plain Text Compression
ECE537/10 #12
HAIPE Configuration Steps
• Configure and setup Security Policy Database for
Plaintext and cipher text.
• Configure and setup the Security Association Database
• Configure and setup the Traffic Flow Security
• Configure the HAIPE Generic Discovery Client
• Understand and configure the HAIPE Internet Key
Exchange
• Configure and setup the HAIPE Peers and Transforms
• Setup a Tunnel between two HAIPE Devices
• Solicit a Transmit Address Table
ECE537/10 #13
HAIPE Configuration Options
ECE537/10 #14
HAIPE Network Basics
ECE537/10 #15
Sharing the Network Load for Efficiency and
Reliability
ECE537/10 #16
Version 1.35
• v 1.3.5
– Created to act as a Gateway similar to a Proxy
Sever (Applications-Level)
– Cannot support routing operations
– No Open Network Management (Rulesets
within Network)
– Added equipment to deal with these
shortcomings necessary in networks
ECE537/10 #17
Version 3.X
• v 3.X.X
– Able to meet the demand of an IPv6 structured
network
– Supports Routing Information Protocol (RIP)
– Preferred version for maintaining larger scaled
network
– Supports Integration of single Red/Black
HAIPE devices (less equipment = reduced
configuration complexity).
ECE537/10 #18
General Dynamics C4 Systems INEs*
• TACLANE (Tactical Local
Area Network Encryptor or
Tactical FASTLANE)
• TACLANE Micro
– KG-175D
• HAIPE IS version 1.3.5
certified
• Transmits at up to 200 Mb/s
• General Dynamics HAIPE INE
Manager is called GEM-X.
* Inline Network Encryption
Fall 2009
© 2000-2009, Richard A. Stanley
ECE537/10 #19
General Dynamics C4 Systems INEs
• TACLANE Micro
– KG-175A
• HAIPE IS version 1.3.5
certified
• Transmits at up to 2 Gb/s
• Older versions of
TACLANE such as KG175 and KG-175B (mini)
are no longer available but
are supported.
Fall 2009
© 2000-2009, Richard A. Stanley
ECE537/10 #20
L3 Communications INEs
• Red Eagle INEs
• KG-240A
• HAIPE IS version
3.0.2
• 100 Mbps
• Managed by L3s
CHM software
Fall 2009
© 2000-2009, Richard A. Stanley
ECE537/10 #21
L3 Communications INEs
• KG-245A
• HAIPE IS version
3.0.2
• 1 Gbps
• Interchangeable
modules for
fiber/copper
Fall 2009
© 2000-2009, Richard A. Stanley
ECE537/10 #22
L3 Communications INEs
• KG-245X
• HAIPE IS version
1.3.5
• 10 Gbps
• Interchangeable
Fiber Transceivers
Fall 2009
© 2000-2009, Richard A. Stanley
ECE537/10 #23
ViaSAT INEs
• AltaSEC
• KG-250
• HAIPE IS version
3.0
• 100 Mbps
• Managed by VINE
Fall 2009
© 2000-2009, Richard A. Stanley
ECE537/10 #24
ViaSAT INEs
• KG-255
• HAIPE IS version
3.0
• 1 Gbps
Fall 2009
© 2000-2009, Richard A. Stanley
ECE537/10 #25
General Dynamics INE Example Network
Fall 2009
© 2000-2009, Richard A. Stanley
ECE537/10 #26
INE Keying Material
• Operational CIKs
– CIK = Crypto Ignition Key
• Tamper Recovery Key
• PrePlaced Keys
– Symmetric Keys
– Support Multicast
• Firefly Keys
– Asymmetric Keys
Fall 2009
© 2000-2009, Richard A. Stanley
ECE537/10 #27
Fill Devices
• Used to Fill INEs with
PPK/FFV keys to allow for
transmission between
devices.
• Simple Key Loader
• Developed by Ralph
Osterhout and sold to Sierra
Nevada Corporation.
• SAIC was then hired by the
US Army to develop the
software.
Fall 2009
© 2000-2009, Richard A. Stanley
ECE537/10 #28
Fill Devices
• Secure DTD2000 System
(SDS)
• Developed by Sypris
Electronics
• Ribbon cable problems
when opening/closing lid
Fall 2009
© 2000-2009, Richard A. Stanley
ECE537/10 #29
Fill Devices
• AN-CYZ-10
• DTD (Data Transfer
Device)
• Older Version that the
SKL Replaced.
• Developed by the NSA
Fall 2009
© 2000-2009, Richard A. Stanley
ECE537/10 #30
Bottom Line
• HAIPE will likely be a major part of military
networks for a long time to come
• Commercial networks that are unable to use
HAIPE likely will seek to develop protocol
modifications to IPSec to achieve peer discovery
functionality
• Speeds will need to increase to keep pace with
network developments
– No one wants slower networking
ECE537/10 #31
Basic Network Management Tasks
• Configuration management
– Keeping track of device settings and how they function
• Fault management
– Dealing with problems and emergencies in the network
(router stops routing, server loses power, etc.)
• Performance management
– How smoothly is the network running?
– Can it handle the workload it currently has?
ECE537/10 #32
Must be…
• Interface must be
– Standardized
– Extendable
– Portable
• Management mechanism must be
– Inexpensive
– Implemented as software only
ECE537/10 #33
Functional Areas
• Configuration Management inventory, configuration, provisioning
• Fault Management - reactive and
proactive network fault management
• Performance Management - # of
packets dropped, timeouts, collisions,
CRC errors
• Security Management - SNMP doesn’t
ECE537/10 #34
SNMP
• Simple Network Management Protocol
• SNMP is a protocol that allows for remote and
local management of items on the network
including servers, workstations, routers, switches
and other managed devices.
• Comprised of agents and managers
– Agent - process running on each managed node
collecting information about the device it is running on.
– Manager - process running on a management
workstation that requests information about devices on
the network.
ECE537/10 #35
SNMP Advantages
•
•
•
•
•
•
standardized
universally supported
extendible
portable
allows distributed management access
lightweight protocol
ECE537/10 #36
Client Pull & Server Push
• The management system (client) “pulls” data from
the agent (server)
• The agent (server) “pushes” out a trap message to
a (client) management system
ECE537/10 #37
Built-In Assumption
• The management system can sense issues
and respond to them in a timely fashion
(i.e., while the action still makes sense)
• This is increasingly difficult to do in highperformance networks
ECE537/10 #38
Some Physics
• d = rt
– where:
d = distance traveled
r = rate of speed
t = elapsed time
• To keep things simple, let’s ignore for the
moment the fact that electromagnetic waves
travel more slowly in cables than in free
space
ECE537/10 #39
Example
• For EM waves, r = c = speed of light =
300 x 106 meters/second
• Therefore, in one microsecond, our signal
travels 300 meters!
ECE537/10 #40
What About Cabling?
• Velocity factor for network cabling is
typically between 0.45 and 0.75, for coaxial
cable it is about 0.66 (solid dielectric)
• This slows the signal down, but not by
much
– In a microsecond, the network signal still
travels 135 – 225 meters
ECE537/10 #41
And the Signal?
• For a 100 Mbps Ethernet, what happens in a
single microsecond?
(100 x 106 bits sent / second) x (10-6 seconds)
= 100 bits on the wire in 1 µsec
• So what?
• Let’s examine some of the implications
of this simple application of physics
ECE537/10 #42
Bottom Line
• Network management becomes an
increasingly difficult challenge as
network speeds increase
• This is further complicated by more
complex protocols requiring more
interaction to accomplish network
tasks
ECE537/10 #43
Disclaimer
• Parts of the lecture slides contain original work of
George Riveire, Jason Riddle, Rahul Parwani, and
Chris Francois, and remain copyrighted materials
by the original owner(s). The slides are intended
for the sole purpose of instruction in computer
networks at Worcester Polytechnic Institute.
Spring 2009
© 2000-2009, Richard A. Stanley
ECE537/8 #44