Secure Deployment of Network Configuration

网络配置的安全部署

• 批准号: RGPIN-2017-06659
• 负责人: Atwood, John
• 金额: $ 1.46万
• 依托单位: Concordia University
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2020
• 资助国家: 加拿大
• 起止时间: 2020-01-01 至 2021-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=712172
• 关键词: Secure; Deployment; Network; Configuration

Secure deployment of configuration information for network devices has been possible for a long time, but is relatively little used, because almost all of the management of Internet security has to be done manually. The security aspect is particularly difficult to retrofit to legacy equipment, especially in industries that use equipment with long expected lifetimes. Using a combination of novel intermediaries, careful assessment of management needs, and concepts from autonomic networks, we will investigate ways to reduce the initial and on-going costs of security enforcement, in ways that "play well" with existing operational practices. Our long-term objective is to formulate secure methods to manage the deployment of network configuration that are sufficiently automated that they will actually be deployed in operational networks, thus providing effective security for these networks. The research program will encompass four main areas of activity: 1) Development and validation of methods for managing the security of routing protocols, without requiring manual intervention by networking staff; 2) Exploration and validation of methods for managing mixed deployments of legacy devices and modern devices, while minimizing the disruption and maximizing the security during the transitioning of the control paradigm, thus encouraging the adoption of more up-to-date control and performance-assessment technologies, without requiring the de-commissioning of legacy equipment; 3) Demonstration of the utility of our security-management approach in the area of Software-Defined Networking, specifically on the control path between the controller and the switches, which will make it easier to ensure the security of the managed objects; 4) Assessment of selected application areas, such as power grids and industrial plants, as candidates for secure management of legacy devices, using our mixed-deployment solution. The lack of deployment for security solutions is based on an assessment (by network management executives) that the potential cost of security breaches is smaller than the cost of installing and maintaining the security solutions. The novelty of our work comes from the fact that we expect to be able to substantially lower the recurring costs of security management, to the point where the expected cost of maintaining (real) security is attractive (or at least acceptable). Governmental mandates will increase the desirability of these approaches, as they will increase the cost of not complying. The proposed areas of study will facilitate increased security in the Internet, which in turn responds to the statement by the Internet Engineering Task Force (the Standards Development Organization for the Internet) that "pervasive surveillance is an attack", which can only be mitigated by pervasive security.

网络设备的配置信息的安全部署已经有很长时间了，但使用相对较少，因为几乎所有的互联网安全管理都必须手动完成。 安全方面特别难以改造传统设备，特别是在使用具有长预期寿命的设备的行业中。 使用新的中介相结合，仔细评估管理需求，并从自主网络的概念，我们将研究如何降低安全执行的初始和持续成本，在“玩好”与现有的操作实践的方式。 我们的长期目标是制定安全的方法来管理网络配置的部署，这些方法可以充分自动化，以便实际部署在运营网络中，从而为这些网络提供有效的安全性。 该研究计划将包括四个主要活动领域： 1)制定和验证管理路由协议安全的方法，而不需要网络工作人员的人工干预; 2)探索和验证管理遗留设备和现代设备混合部署的方法，同时在控制模式过渡期间尽量减少干扰和最大限度地提高安全性，从而鼓励采用更先进的控制和性能评估技术，而不需要拆除遗留设备; 3)演示我们的安全管理方法在软件定义网络领域的实用性，特别是在控制器和交换机之间的控制路径上，这将更容易确保被管理对象的安全性; 4)使用我们的混合部署解决方案，评估选定的应用领域，如电网和工业工厂，作为传统设备安全管理的候选对象。 缺乏安全解决方案的部署是基于（网络管理人员）的评估，即安全漏洞的潜在成本小于安装和维护安全解决方案的成本。 我们的工作的新奇来自于这样一个事实，即我们期望能够大大降低安全管理的经常性成本，达到维持（真实的）安全的预期成本是有吸引力的（或至少是可接受的）。 政府授权将增加这些方法的可取性，因为它们将增加不遵守的成本。 拟议的研究领域将有助于加强因特网的安全，这反过来又响应了因特网工程工作队（因特网标准制定组织）的说法，即“无处不在的监视是一种攻击”，只有通过无处不在的安全才能减轻这种攻击。