Tech Trend Notes
Preview of Tomorrow's Information Technologies
Volume: 9    Edition: 4    Fall 2000

In this issue: Page 3; High-Reflectance, Dielectric Mirrors - Page 12; Real Time Intrusion Detection - Page 16; Focus - Page 22; Technology Forecasts - Page 28; Pointers - Page 32; Calendar of Events - Page 41
NetTop
                          Commercial Technology in High Assurance Applications
                          By Robert Meushaw and Donald Simard


Introduction

The decade of the nineties has been particularly challenging for the National Security Agency's Information Assurance mission. The gradual but accelerating changeover from government produced technologies to commercial products and services has seriously eroded our ability to protect information processed by the national security community. Numerous government programs intended to produce high assurance data systems and workstation platforms have been largely unsuccessful, and the buying power of the government has not commanded the attention of the IT industry. The historical flow of technology from government to industrial and home users has largely been reversed. We often find technologies that are more sophisticated in our homes earlier than in our government workspaces. The shortcomings of our information assurance technologies are further evidenced by the shift of R&D resources away from protection and into detection and response initiatives.

To address these issues, during the summer of 1999 the NSA Advisory Board (NSAAB) reviewed the Information Systems Security Organization's (ISSO) commercial-off-the-shelf (COTS) strategy. The board acknowledged the need to provide the functionality and the feel of familiar COTS technology to our users, but they believed that we would not be able to influence the security of COTS technology for high assurance applications. The board challenged the Information Assurance Research Office to initiate a project to develop architectures that would allow COTS technology to be used safely in high assurance applications.

A Tiger Team was assembled for a one-year effort to develop an architectural approach to allow the safe use of COTS in sensitive Government applications. The user should see a familiar interface, e.g., Microsoft Windows Operating System (OS) and off-the-shelf application software, but achieve the assurance needed for DoD use. The NSAAB suggested that one or more government-off-the-shelf (GOTS) components be included, preferably as plug-ins; and their removal should allow the system to be used as a normal COTS machine. The notion of a "Vault" was introduced as an Internet accessible, protected enclave that would provide high assurance services to connected user machines.

The results of the Tiger Team effort are a proof-of-concept architecture and a set of components that are referred to as NetTop. The remainder of this article will describe the concept and technical approach used in the architecture, identify several investigated applications, and suggest future capabilities.

User Requirements

The ISSO's customers have long identified shortcomings with the security technology that was available to them. One significant concern is that their workspaces are cluttered with computer equipment to support access to multiple networks of differing sensitivity. Dealing with this duplication of equipment has long been a problem, since there is no single system that can support all of their access needs. A second concern is that government developed security solutions have often been incompatible with other standards-based IT products, which has significantly complicated the interfacing and upgrading of system components. The cost and complexity of network management is also a steadily growing issue, particularly in times of declining resources and mounting security concerns over the outsourcing of support. Our customers also need the ability to move data across isolated networks in order to perform their daily tasks, and the techniques to make such transfers efficient and safe. Finally, the increased importance placed on coalition operations brings new challenges for technology to securely support these operations. The architecture of the NetTop prototype suggests a near-term approach that can provide a useful and practical set of capabilities to satisfy these needs.

Fall 2000                             Research & Advanced Technology Publication                                     1

An Initial Capability

To begin the development of the NetTop architecture, a modest, initial capability was sought. Opportunely, the ISSO's System Solutions Group identified an Internet-based version of the Remote Access Security Program (RASP) system as an excellent prospect. The RASP provides secure remote access to a host computer over a dial-up connection, and includes a laptop computer and a specially developed encrypting modem to protect the communications link. Many customers have requested a similar capability for remote network connectivity, but using Internet connections through a local Internet Service Provider (ISP), i.e., use the public data network rather than the public voice network. The ability to provide a secure, remote connection over the Internet to a secure enclave was selected as the initial NetTop goal.

An architecture that can achieve this capability has been known for some time. It typically includes an end-user workstation, an in-line encryptor, and possibly a filtering router or firewall to connect to the Internet. Commercially, such solutions are known as Virtual Private Networks (VPN). Figure 1 depicts a typical VPN client configuration. This system configuration would provide the required functionality, but it would be cumbersome and expensive for a mobile user.

Figure 1 - Typical Virtual Private Network Client Configuration

Recycling Technology

The requirement that NetTop users see a familiar COTS computer desktop environment was taken as a fundamental precept of the architecture. One consequence of this approach is that for high assurance applications, the end-user environment must be presumed to be untrustworthy, and the NetTop architecture must protect against potentially hostile behavior.

In order to place limitations upon a potentially malicious component, we explored the concept of encapsulation to constrain the behavior of the end-user operating system and application software. The method selected for encapsulating the OS was based upon a 30-year-old technology, Virtual Machine Monitors (VMM). VMM technology was designed and developed in the era of large IBM mainframe computers, and was intended to help extend the life of legacy software, when improved hardware or OS software was released. In essence, a VMM was a software system that ran directly on the computer hardware, and allowed multiple operating systems to be installed on top of it. By running older OS versions in some virtual machines, legacy software could be run, while newer application software could be executed in VMs running more current OS versions.

Commodity VMMs

During the NetTop design discussions, we identified a new commercial product, VMware, that provided a practical VMM capability. The VMware product is a spin-off of DARPA-sponsored research at Stanford University, and is generally used for providing a safe test environment for OS and networking software.

There were several novel capabilities of VMware that made it attractive for use in NetTop. First, it was designed for efficient operation on Intel x86 platforms rather than on large mainframe computers, which made it suitable for use on commonplace personal computers, workstations, and laptops. Next, VMware operates on top of an underlying host OS rather than directly on the system hardware. VMMs that run directly on hardware have been studied previously under Project Neptune for their use in securing systems. A Neptune type of VMM would face the enormous challenge of keeping pace with changes in the underlying hardware platform. VMware takes advantage of the host OS's need to track these changes.
This is a much more practical approach, and would be particularly important to produce a GOTS VMM for NetTop. Lastly, VMware provides an abstraction for "virtual Ethernet hubs." This capability allows virtual machines to be interconnected in a fashion that is well understood by network designers and administrators.

A Network on a Desktop

Using VMware, the initial NetTop system was constructed using a powerful laptop computer. The operating system chosen for the host OS was Redhat Linux Version 6.2. Three virtual machines networked by two virtual hubs were installed on top of the host OS, providing an in-line configuration of three machines comprising (1) an end-user Windows NT machine, (2) an encrypting machine using IPSec, and (3) a Filtering Router (FR) machine. Both the VPN and FR were hosted on VMs running the Linux operating system. Figure 2 displays the initial NetTop prototype configuration.

Figure 2 - Simple NetTop System Configuration

The initial NetTop configuration demonstrates a number of important capabilities. It encapsulates the unmodified, end-user Windows operating system in a VM. An important characteristic of this approach is that the encryption can be provided as an in-line function that cannot be bypassed by malicious actions of the end-user OS or application software. Rudimentary protection from network attacks is provided through a filtering router. Any of the individual virtual machines can be replaced or upgraded with standards-based components. The interconnection of the virtual machines is based upon familiar TCP/IP networking. Finally, a single platform replaces several traditional components, thereby reducing hardware and maintenance costs. An important side benefit is that the architecture makes no assumptions about the communications technology used to connect the external network. The user is free to select the desired technology, including dial-up, Ethernet, ATM, wireless, etc.

The basic NetTop configuration provides the same functionality as three separate hardware platforms. Each virtualized component should operate identically to its real-world counterpart with "bug for bug compatibility." The simple NetTop configuration was successfully connected across the Internet to a simulated, secure enclave on an unclassified NSA network, using both dial-up and cable modem connections. Such a configuration could have all of the capabilities of a locally connected machine, including the ability to connect to the Internet, if permitted within the enclave. Figure 3 illustrates a NetTop logical configuration.

Figure 3 - NetTop Logical Configuration
Multiple Security Levels

A natural extension to the first prototype was the addition of other VMs to provide increased functionality. The second version of the NetTop prototype included another Windows NT machine connected directly to the filtering router as shown in Figure 4. This machine allows a user to access the Internet directly. This extended prototype suggests a powerful feature of the NetTop architecture - the ability to replace multiple end-user workstations within a single, hardware platform. In theory, multiple user connections to networks of differing sensitivity could be provided using multiple VPNs. This environment provides Multiple (single) Security Level (MSL) capability rather than true Multi-Level Security, but still addresses an important customer need.

Figure 4 - NetTop Multiple Security Level Configuration

Another configuration for an MSL system is shown in Figure 5, where two isolated VM workstations are connected to two different networks through two network interface cards. Since the network connections are already physically isolated, encrypted communication tunnels are not needed. This type of NetTop configuration may be appropriate to replace multiple end user workstations, when separate communications infrastructures are already available.

Figure 5 - NetTop Dual Network MSL Configuration

Thin-Client VMs

While the VMs described so far have been fully configured Windows or Linux systems, there is nothing preventing a VM from being a "thin client." In fact, there may be reasons why a thin-client would be preferable. For example, if the Windows NT in Figure 4 was installed as a "display only" thin-client, all classified files could be kept on a remote server in a protected enclave. This configuration increases assurance, since the NetTop device contains minimal sensitive information.

Assurance

Despite the functional and cost advantages that the NetTop architecture described above may offer to some users, its usefulness will depend upon its ability to withstand determined attacks from the external network and from malicious end-user software. The most sensitive applications may require additional protection against compromising system failures. While NetTop attempts to deal with insecurities that may be caused by user errors, no attempt has been made to thwart malicious insiders. As a practical matter, it should only be necessary to demonstrate that a NetTop configuration provides the same degree of security as the separate network components that it replaces. If this can be achieved, then the basic architectural approach is validated.
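The isolation argument above rests first on the virtual wiring: the end-user VM must have no path to the external network except through the in-line encryptor, the Internet-only workstation of Figure 4 must share no virtual hub with the classified one, and (as noted later under Additional Capabilities for the IPSec and FR machines) the in-line VMs should not keep disk state. The following Python script is an added example, not code from the article or from VMware; it checks those invariants statically against vmx-style configuration text before the VMs are ever powered on. The key names (ethernetN.vnet, ideX:Y.mode), the hub numbering and the sample configurations are assumptions; the article does not show its VMware configuration files.

```python
"""Static check of a NetTop-style VM wiring (after Figures 2 and 4).

Added example, not code from the article. The vmx-style key names below
(ethernetN.vnet, ideX:Y.mode) and the hub numbering are assumptions; the
article does not show its VMware configuration files.
"""
import re
from collections import deque

# Constructed sample configuration, one vmx-style text per VM (assumed keys).
# vmnet0 is taken to be the hub bridged to the physical NIC.
EXTERNAL_HUB = "/dev/vmnet0"
SAMPLE = {
    # (1) end-user Windows NT: plaintext hub only
    "user_nt": 'ethernet0.vnet = "/dev/vmnet1"\n'
               'ide0:0.mode = "persistent"\n',
    # (2) IPSec encryptor: plaintext hub in, ciphertext hub out, no persistent state
    "vpn":     'ethernet0.vnet = "/dev/vmnet1"\n'
               'ethernet1.vnet = "/dev/vmnet2"\n'
               'ide0:0.mode = "independent-nonpersistent"\n',
    # (3) filtering router: ciphertext hub, external hub, and the Figure 4 Internet hub
    "fr":      'ethernet0.vnet = "/dev/vmnet2"\n'
               'ethernet1.vnet = "/dev/vmnet0"\n'
               'ethernet2.vnet = "/dev/vmnet3"\n'
               'ide0:0.mode = "independent-nonpersistent"\n',
    # Figure 4: second NT machine hung directly off the filtering router
    "inet_nt": 'ethernet0.vnet = "/dev/vmnet3"\n'
               'ide0:0.mode = "persistent"\n',
}

KEY_RE = re.compile(r'^\s*([\w:.]+)\s*=\s*"([^"]*)"\s*$')

def parse_vmx(text):
    """Parse key = "value" lines into a dict; lines of any other shape are ignored."""
    cfg = {}
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def hubs_of(cfg):
    return {v for k, v in cfg.items() if re.fullmatch(r"ethernet\d+\.vnet", k)}

def disk_modes(cfg):
    return {k: v for k, v in cfg.items() if re.fullmatch(r"(ide|scsi)\d+:\d+\.mode", k)}

def build_graph(configs):
    """Bipartite adjacency: VM <-> virtual hub."""
    adj = {}
    for vm, text in configs.items():
        for hub in hubs_of(parse_vmx(text)):
            adj.setdefault(vm, set()).add(hub)
            adj.setdefault(hub, set()).add(vm)
    return adj

def reachable(adj, start, removed=frozenset()):
    """Nodes reachable from start once the nodes in `removed` are cut out of the graph."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen and nxt not in removed:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def check_wiring(configs, user_vm, encryptor_vm, external_hub,
                 internet_only_vms=(), stateless_vms=()):
    """Return the list of violated invariants; an empty list means the wiring is sound."""
    adj = build_graph(configs)
    problems = []
    # 1. the plaintext user VM never sits directly on the external hub
    if external_hub in adj.get(user_vm, ()):
        problems.append(f"{user_vm} has an interface on {external_hub}")
    # 2. the encryptor is unavoidable: with it removed, the outside must be unreachable
    if external_hub in reachable(adj, user_vm, removed={encryptor_vm}):
        problems.append(f"{user_vm} can reach {external_hub} without passing {encryptor_vm}")
    # 3. an Internet-only workstation shares no hub with the classified one (MSL)
    for vm in internet_only_vms:
        shared = adj.get(vm, set()) & adj.get(user_vm, set())
        if shared:
            problems.append(f"{vm} shares {sorted(shared)} with {user_vm}")
    # 4. in-line machines discard disk changes on power-down
    for vm in stateless_vms:
        modes = disk_modes(parse_vmx(configs[vm]))
        bad = [k for k, v in modes.items() if v != "independent-nonpersistent"]
        if not modes or bad:
            problems.append(f"{vm} keeps persistent disk state: {bad or 'no disk mode set'}")
    return problems

def check_sample(configs=SAMPLE):
    return check_wiring(configs, "user_nt", "vpn", EXTERNAL_HUB,
                        internet_only_vms=("inet_nt",), stateless_vms=("vpn", "fr"))

def bypass_variant():
    """Constructed misconfiguration: a second NIC on the user VM skips the encryptor."""
    bad = dict(SAMPLE)
    bad["user_nt"] = SAMPLE["user_nt"] + 'ethernet1.vnet = "/dev/vmnet2"\n'
    return bad

if __name__ == "__main__":
    print("figure 2/4 wiring:", check_sample() or "OK")
    print("bypass variant:   ", check_sample(bypass_variant()))
```

The bypass variant shows the kind of one-line change (a second virtual NIC on the end-user VM) that the runtime isolation of the VMM cannot protect against, because it is the wiring itself that has been changed; a check of this sort belongs in front of any red-team exercise so that the exercise tests the VMM and host rather than the configuration.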
A number of approaches have been identified to increase the assurance of the NetTop architecture. The critical aspect of the architecture that must be validated is the ability of the VMM/Host OS combination to sufficiently isolate the various NetTop components. Our approach to dealing with security in the underlying host is to use a Trusted Linux OS prototype that has been developed under the IARO's OS Security research program. Trusted Linux incorporates flexible access control mechanisms. In order to bolster the inherent isolation provided by the VMM, a tailored security policy has been developed for the Trusted Linux host. The VMM/Trusted Linux combination will be evaluated further during an internal "red team" exercise to assess the degree of isolation it provides.

The Trusted Linux prototype is also envisioned for use as the guest OS in the VPN and Filtering Router VMs. It is likely that a substantially reduced Trusted Linux OS could be configured to support each VM. In each case, specific security policies need to be tailored to support the limited functionality of each machine. The particular encryption and filtering router products selected could be from National Information Assurance Partnership approved lists or specially developed GOTS components.

Figure 6 - NetTop Improved Assurance Configuration

Another critical component of the underlying host platform is the BIOS function that controls the initial boot-up process, and its ability to arrive at a secure initial state. Vulnerabilities in the BIOS have long been identified as the "Achilles' heel" of computer systems. Work presently underway to develop a robust, trusted BIOS should be incorporated into any high assurance NetTop system.

Failure Checking

Even a minimal NetTop configuration will be an extremely complex hardware and software system. It will not likely be amenable to the forms of failure analysis historically used for NSA high assurance systems. While it might seem that significant failures in a NetTop device would result in complete system shutdown, sensitive applications will require more rigorous assurance arguments. Lacking failure detection support in the workstation platform, an approach using a type of "dead man's switch" has been developed to limit failure effects by severing external NetTop communications.

In order to make an effective argument for the correct operation of a failure checking mechanism, hardware and software must be completely independent of the system being checked. A Dallas Semiconductor Tiny InterNet Interface (TINI) embeddable computer was networked to the in-line Network Encryptor machine, and was programmed to use a simple network "ping" to the VPN machine as a health check. If no response was received, the Internet connection was interrupted. A more robust health check could include a more complex set of tests to gain increased assurance that the NetTop device is working properly. The tests could include challenge/response exchanges with a Failure Detection Server in the protected enclave. A dead-man switch of this type may be suitable for a GOTS plug-in component for high assurance applications. The failure detection approach is shown in Figure 7.

Figure 7 - Dead-Man Switch Architecture
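The dead-man switch described above, written out as an added example (Python; not the article's TINI code): the monitor is assumed to run on hardware independent of the NetTop host, and in place of a bare ping it issues a fresh nonce that must come back as HMAC(key, nonce) from a Failure Detection Server in the enclave. The key, the message format and the probe and cut-link callbacks are assumptions. A ping-only mode is included to show why the article's "more robust" challenge/response is wanted: a compromised encryptor VM can keep a ping-style check happy with a recorded reply, but cannot answer a challenge it has never seen.

```python
"""Dead-man switch for the NetTop external link (after the Failure Checking section).

Added example, not the article's TINI code. The monitor is assumed to run on a
device independent of the NetTop host. Instead of a bare ping it sends a fresh
nonce that must return as HMAC(key, nonce) from the Failure Detection Server in
the enclave; the key, message format and callbacks are assumptions.
"""
import hashlib
import hmac
import secrets

class FailureDetectionServer:
    """Trusted responder in the protected enclave (assumed)."""
    def __init__(self, key: bytes):
        self.key = key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self.key, nonce, hashlib.sha256).digest()

class DeadManSwitch:
    """Monitor: call tick() once per health-check interval; cuts the link on failure."""
    def __init__(self, key, probe, cut_link, misses_allowed=0, require_mac=True):
        self.key = key                  # shared with the enclave server, never with the NetTop host
        self.probe = probe              # sends a nonce through the NetTop tunnel; returns reply or None on timeout
        self.cut_link = cut_link        # actuator: a relay or interface shutdown in a real deployment
        self.misses_allowed = misses_allowed
        self.require_mac = require_mac  # False reproduces the article's bare "ping" check
        self.misses = 0
        self.link_up = True

    def tick(self) -> bool:
        """Run one check. Returns True if the NetTop answered correctly this round."""
        if not self.link_up:
            return False                # once cut, stay cut until an operator intervenes
        nonce = secrets.token_bytes(16)
        reply = self.probe(nonce)
        if self.require_mac:
            expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
            ok = reply is not None and hmac.compare_digest(reply, expected)
        else:
            ok = reply is not None      # any answer at all satisfies a ping
        if ok:
            self.misses = 0
        else:
            self.misses += 1
            if self.misses > self.misses_allowed:
                self.link_up = False
                self.cut_link()
        return ok

# --- constructed probes standing in for the network path through the NetTop ---
def tunnel_probe(server: FailureDetectionServer):
    """Healthy NetTop: the encryptor relays the nonce to the enclave and back."""
    return lambda nonce: server.respond(nonce)

def dead_probe(nonce: bytes):
    """Encryptor VM hung or tunnel down: every probe times out."""
    return None

class Replayer:
    """Compromised encryptor VM that answers with a reply it recorded earlier."""
    def __init__(self, recorded: bytes):
        self.recorded = recorded

    def __call__(self, nonce: bytes) -> bytes:
        return self.recorded

def demo():
    """Four monitors over two check intervals; returns link state and the cut sequence."""
    key = secrets.token_bytes(32)
    server = FailureDetectionServer(key)
    cuts = []
    healthy = DeadManSwitch(key, tunnel_probe(server), lambda: cuts.append("healthy"))
    dead = DeadManSwitch(key, dead_probe, lambda: cuts.append("dead"), misses_allowed=1)
    stale = server.respond(b"stale nonce")   # reply captured from some earlier round
    replay = DeadManSwitch(key, Replayer(stale), lambda: cuts.append("replay"))
    pinged = DeadManSwitch(key, Replayer(stale), lambda: cuts.append("ping"), require_mac=False)
    for _ in range(2):
        for switch in (healthy, dead, replay, pinged):
            switch.tick()
    return {"healthy": healthy.link_up, "dead": dead.link_up,
            "replay": replay.link_up, "ping_mode": pinged.link_up, "cuts": cuts}

if __name__ == "__main__":
    print(demo())
```

Two design points carry over to any real implementation: the monitor fails closed (a timeout counts as a failure, and a cut link stays cut until someone with physical access restores it), and the secret that makes the check meaningful lives only in the monitor and the enclave, so nothing on the NetTop host can fake a healthy answer.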
Moving Data Safely

Many organizations require the ability to move information between networks of differing security levels. A common operation involves downgrading information from highly classified to lower classified systems, but increasingly, information is imported from the Internet into classified systems. In the first case, it is essential that classified information not be compromised, while in the second, a primary concern is the protection of the classified host from malicious content.

The VMware product includes a capability to copy and paste data between VMs via a clipboard. This feature does not include sufficient safeguards for use in a high assurance NetTop system. In order to provide a more trusted copy/paste function, a new capability, dubbed a "Regrader," was developed. This capability includes a protocol for performing the regrade operation, as well as a "Regrade Server" that provides a trusted network service. By making the regrade operation a centralized service, a number of advantages are gained. First, consistency in the regrade operation can be achieved. Second, it would be possible to develop and enforce a regrade policy that specified the conditions under which each user could perform regrade operations. The regrade operation could include "sanitization" functions to deter the transfer of covert or malicious content. Finally, an audit log could be maintained and monitored for suspicious activity. Figure 8 depicts the protocol exchange between the Regrade Server and two hosts of different security levels. A trusted user token is employed in a challenge/response exchange with the trusted server in order to safeguard against untrusted OS behavior.

Figure 8 - Regrade Server Protocol

Coalition Support

The paradigm of virtual machines creates abstractions of physical computers. Each VM is composed of a set of files that embody a hardware/software system. This set of files can be copied from one physical machine to another. Given the portability of VMs, there is no inherent reason why a VM, or set of VMs, could not be electronically transferred. It is possible for a NetTop device to become a member of a coalition by downloading an appropriately configured VM over a secured communications channel. The set of VMs in each coalition would constitute a VPN, and would not be able to communicate directly with VMs in other coalitions. Cross-coalition communication is performed using a variation of the Regrade Server previously described.
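The Regrade Server exchange under Moving Data Safely, which the coalition variant above reuses, as an added example (Python; not the article's Regrader, and Figure 8 is not reproduced here, so the message sequence, the request id, the policy table and the toy sanitizer are all assumptions). It exercises the four advantages the article lists for a centralized service: one consistent code path, a per-user regrade policy, a sanitization step, and an audit record for every decision, with a user-token challenge/response that a hostile guest OS can neither forge nor replay. Levels are abstract ("LOW"/"HIGH"); coalition names in their place would give the cross-coalition form.

```python
"""Regrade Server model (after the Moving Data Safely and Coalition Support sections).

Added example, not the article's Regrader. Figure 8 is not reproduced here, so
the message sequence, request id, policy table and toy sanitizer are assumptions.
"""
import hashlib
import hmac
import secrets
import string

class UserToken:
    """Trusted user token: holds a per-user key that the guest OS never sees."""
    def __init__(self, user: str, key: bytes):
        self.user, self.key = user, key

    def answer(self, challenge: bytes, request_id: bytes) -> bytes:
        # Bound to the server's fresh challenge and to this request, so a hostile
        # guest OS can neither replay the answer nor attach it to another transfer.
        return hmac.new(self.key, challenge + request_id, hashlib.sha256).digest()

PRINTABLE = set(string.printable) - {"\x0b", "\x0c"}

def sanitize(payload: bytes, direction: str) -> bytes:
    """Toy sanitizer: text only, control characters dropped, no active content upward."""
    text = payload.decode("utf-8")                  # binary content is refused outright
    cleaned = "".join(ch for ch in text if ch in PRINTABLE)
    if direction == "import" and "<script" in cleaned.lower():
        raise ValueError("active content refused on import")
    return cleaned.encode()

class RegradeServer:
    def __init__(self, levels, policy, token_keys):
        self.levels = levels            # level name -> rank
        self.policy = policy            # user -> set of permitted (src, dst) pairs
        self.keys = token_keys          # user -> token key, provisioned out of band
        self.pending = {}
        self.audit = []
        self.delivered = []

    def request(self, user, src, dst, payload):
        """Step 1: the source host submits; the server answers with a fresh challenge."""
        challenge = secrets.token_bytes(16)
        rid = hashlib.sha256(b"|".join([user.encode(), src.encode(), dst.encode(),
                                        payload, challenge])).digest()
        self.pending[rid] = (user, src, dst, payload, challenge)
        return rid, challenge

    def complete(self, rid, response):
        """Step 2: the token's answer arrives; verify, apply policy, sanitize, deliver, log."""
        if rid not in self.pending:
            return self._log("?", "?", "?", "DENY", "unknown or replayed request")
        user, src, dst, payload, challenge = self.pending.pop(rid)
        expected = hmac.new(self.keys[user], challenge + rid, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return self._log(user, src, dst, "DENY", "bad token response")
        if (src, dst) not in self.policy.get(user, ()):
            return self._log(user, src, dst, "DENY", "policy")
        direction = "downgrade" if self.levels[src] > self.levels[dst] else "import"
        try:
            clean = sanitize(payload, direction)
        except (UnicodeDecodeError, ValueError) as exc:
            return self._log(user, src, dst, "DENY", f"sanitizer: {exc}")
        self.delivered.append((dst, clean))
        return self._log(user, src, dst, "ALLOW", direction)

    def _log(self, user, src, dst, verdict, reason):
        self.audit.append((user, src, dst, verdict, reason))
        return verdict == "ALLOW"

def demo():
    """Five constructed exchanges; returns verdicts, deliveries and the audit trail."""
    keys = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
    server = RegradeServer({"LOW": 0, "HIGH": 1},
                           {"alice": {("HIGH", "LOW"), ("LOW", "HIGH")}, "bob": {("LOW", "HIGH")}},
                           keys)
    alice, bob = UserToken("alice", keys["alice"]), UserToken("bob", keys["bob"])
    outcomes = []
    rid, ch = server.request("alice", "HIGH", "LOW", b"weather report\x07 for Tuesday")
    outcomes.append(server.complete(rid, alice.answer(ch, rid)))      # allowed, BEL stripped
    outcomes.append(server.complete(rid, alice.answer(ch, rid)))      # same rid again: replay
    rid, ch = server.request("bob", "HIGH", "LOW", b"draft")
    outcomes.append(server.complete(rid, bob.answer(ch, rid)))        # bob may not downgrade
    rid, ch = server.request("alice", "HIGH", "LOW", b"draft")
    outcomes.append(server.complete(rid, b"\x00" * 32))               # guest OS without the token
    rid, ch = server.request("alice", "LOW", "HIGH", b"<SCRIPT>x</SCRIPT>")
    outcomes.append(server.complete(rid, alice.answer(ch, rid)))      # active content upward
    return outcomes, server.delivered, server.audit

if __name__ == "__main__":
    for line in demo()[2]:
        print(line)
```

The server is assumed to learn the source level from the tunnel a request arrives on rather than from the request itself; in the model that level is simply passed in. Note that the audit log records denials as well as allowed transfers, which is what makes the "monitored for suspicious activity" use the article describes possible.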
For some coalitions, it might be useful to distribute application specific VMs, such as a secure Voice-over-IP machine. A centralized Coalition Management Server could be used to manage the configuration and distribution of VMs to coalition members. The essence of NetTop's coalition support is its ability to distribute virtual systems electronically. Figure 9 displays a hypothetical situation in which four organizations participate in four data coalitions and two voice coalitions. A simple capability to demonstrate electronic distribution of VMs is under development.

Figure 9 - NetTop Coalition Concept

Additional Capabilities

A number of useful capabilities are included in the prototypes that were not described in the NetTop overview. The entire file system on the hard disk is encrypted in order to protect against compromise if the machine is lost or stolen. The "International Patch" for Linux was installed, which provides software encryption capabilities and services under the control of the Trusted Linux host OS. The hard disk encryption is transparent to all VMs. Additionally, this disk encryption cannot be corrupted or bypassed by a VM. A process was developed that uses a floppy disk and a user entered PIN to "bootstrap" the decryption and loading of system files from the hard disk. During normal operation, all disk files, including temporary files, are stored encrypted on the hard disk.

The hardware virtualization provided by the VMM also provides a capability to alter the operation of the hard disks seen by each VM. In one mode, all changes made to a VM's hard disk are discarded when it is powered down. This may be useful in the operation of the IPSec and FR machines by preventing permanent changes to the system if a successful attack did occur. Any changes would be lost when the VM was restarted, which would force an adversary to repeat the attack.

Performance

Real-world performance determines any technology's acceptance. NetTop's architecture includes a lot of functionality in a single hardware platform, yet the performance is quite acceptable. The laptop computer used in the prototype includes a 500 MHz Pentium III processor and 384 MB of memory. The VMware VMM is surprisingly modest in its effect upon the performance of a VM, and only a slight degradation is noticed. As more VMs are introduced, more serious performance degradation is noticed, but can be minimized with additional memory. The 384-MB configuration of the NetTop prototype shown in Figure 4 was sufficient to support the Linux host and four guest VMs - two Windows NT machines for the end-user terminals and two Linux machines for the in-line Network Encryptor and Filtering Router. Overall, the performance of the NetTop prototype is quite satisfactory, and easily keeps pace with a high-speed, cable modem connection. Continuing enhancements in hardware performance will only improve its performance.
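The floppy-plus-PIN bootstrap under Additional Capabilities, as an added example (Python; not the article's boot procedure): the disk key is derived from a random secret held only on the floppy and from the user's PIN, so a stolen laptop without its floppy cannot be attacked by guessing PINs, and a stolen floppy is useless without the PIN. The KDF, the verifier construction and the header layout are assumptions.

```python
"""Two-factor unlock of the encrypted NetTop disk (after Additional Capabilities).

Added example, not the article's boot process. The disk key is derived from a
random secret on the floppy and the user's PIN; the KDF, verifier and header
layout are assumptions.
"""
import hashlib
import hmac
import secrets

KDF_ROUNDS = 100_000                      # slows each PIN guess for an attacker who has the floppy
VERIFIER_LABEL = b"nettop-disk-key-verifier"

def derive_disk_key(floppy_secret: bytes, pin: str, salt: bytes) -> bytes:
    """Both factors feed the KDF; a guess has to supply the 256-bit floppy secret as well."""
    return hashlib.pbkdf2_hmac("sha256", floppy_secret + pin.encode(), salt, KDF_ROUNDS, dklen=32)

def enroll(pin: str):
    """Installation time: create the floppy secret and the clear-text disk header."""
    floppy_secret = secrets.token_bytes(32)           # written to the boot floppy only
    salt = secrets.token_bytes(16)                    # kept in clear in the disk header
    key = derive_disk_key(floppy_secret, pin, salt)
    # The verifier lets the loader reject a wrong PIN or wrong floppy before it
    # tries to mount anything, without storing the key or anything reversible to it.
    verifier = hmac.new(key, VERIFIER_LABEL, hashlib.sha256).digest()
    return floppy_secret, {"salt": salt, "verifier": verifier}

def unlock(floppy_secret: bytes, pin: str, header: dict):
    """Boot time: return the disk key, or None if either factor is wrong."""
    key = derive_disk_key(floppy_secret, pin, header["salt"])
    check = hmac.new(key, VERIFIER_LABEL, hashlib.sha256).digest()
    return key if hmac.compare_digest(check, header["verifier"]) else None

if __name__ == "__main__":
    floppy, header = enroll("4821")
    print("correct factors:", unlock(floppy, "4821", header) is not None)
    print("wrong PIN:      ", unlock(floppy, "4822", header) is not None)
    print("missing floppy: ", unlock(b"\x00" * 32, "4821", header) is not None)
```

The point of putting the floppy secret into the KDF input rather than, say, XORing it with the PIN afterwards is that the verifier stored on disk then gives an attacker nothing to test PIN guesses against unless the floppy is also in hand.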
Future Development

The NetTop proof-of-concept has demonstrated an architecture that appears to have significant promise for information assurance applications. In its current form, however, it is unsuitable for widespread use and requires considerable refinement. Our research has uncovered a number of shortcomings in current technology that need to be addressed. Additionally, important topics still must be investigated. Areas requiring further development are:

· Identification & Authentication Architecture
· Biometric activation technique
· Key & certificate management
· Filtering Router management
· Un-spoofable labels for MSL windows
· Trusted VM switching mechanism
· Installation & configuration wizards
· IPSec modifications for NetTop protocols
· User-friendly interfaces

The set of capabilities identified as NetTop extensions - Failure Detection Server, Regrade Server, and Coalition Management Server - suggests an expansion of the security services typically considered part of a Security Management Infrastructure. The integration of these services with traditional key and certificate management services may deserve a separate investigation to develop a concept for a more comprehensive security infrastructure.

Development of the NetTop prototype is continuing. Some of the concepts previously described, including a Regrade Server, thin clients, and coalition support, will be integrated as each is developed.

Conclusion

The Information Assurance Research Office has responded to the NSA Advisory Board's challenge with the NetTop proof-of-concept. The novel architecture builds upon COTS technology, fortifies it with GOTS components, and provides a combination with the potential to be used securely for sensitive applications. It also addresses other important concerns and provides a framework for useful extensions. NetTop depends heavily upon the isolation capabilities provided by the Trusted Linux/VMM combination. The robustness of the approach still requires a comprehensive security evaluation.

A very simple NetTop configuration with only one user Virtual Machine can provide a very useful feature - media encryption - which could not otherwise be done with a high level of confidence. Since the host operating system does not run application software, it is protected from virus attacks and other malicious software that might corrupt the user VM. With the media encryption function embedded in the host OS, all of the files on the hard disk can be encrypted transparently to the user OS. The user OS cannot bypass the cryptography that is protecting the media.

Donald Simard is the Technical Director for the System and Network Attack Center and has been with the Agency since 1979. The majority of his work has been in the Information Systems Security Organization. He is a Master in the INFOSEC Technical Track and has a Master's degree in Computer Science.

Robert Meushaw is Technical Director for the Information Assurance Research Office. He joined the Agency in 1973 with BS and MS degrees in Electrical Engineering. Mr. Meushaw had a long career in the Information Systems Security Organization prior to his current position. He is a Master in the Computer Systems Technical Track.





Weitere ähnliche Inhalte

Was ist angesagt?

Cloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. RealityCloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. RealityInternap
 
Protecting Utilities from Risk - Iain Morton, Tyco Integrated Security
Protecting Utilities from Risk - Iain Morton, Tyco Integrated SecurityProtecting Utilities from Risk - Iain Morton, Tyco Integrated Security
Protecting Utilities from Risk - Iain Morton, Tyco Integrated SecurityEnergy Network marcus evans
 
Enabling on-device learning at scale
Enabling on-device learning at scaleEnabling on-device learning at scale
Enabling on-device learning at scaleQualcomm Research
 
SMARCOS Project Brochure
SMARCOS Project Brochure SMARCOS Project Brochure
SMARCOS Project Brochure Smarcos Eu
 
Reaching For The Cloud Wp101366
Reaching For The Cloud Wp101366Reaching For The Cloud Wp101366
Reaching For The Cloud Wp101366Erik Ginalick
 
Trend Micro - Virtualization and Security Compliance
Trend Micro - Virtualization and Security Compliance Trend Micro - Virtualization and Security Compliance
Trend Micro - Virtualization and Security Compliance 1CloudRoad.com
 
Advanced Applications & Networks
Advanced Applications & NetworksAdvanced Applications & Networks
Advanced Applications & NetworksPrakash Nagpal
 
A New Trust Model for 5G Networks
A New Trust Model for 5G NetworksA New Trust Model for 5G Networks
A New Trust Model for 5G NetworksPaul Bradley
 
Asigra Product Marketing Strategy
Asigra Product Marketing StrategyAsigra Product Marketing Strategy
Asigra Product Marketing StrategyJas Mann
 
Smart, Data-Centric Security for the Post-PC Era
Smart, Data-Centric Security for the Post-PC EraSmart, Data-Centric Security for the Post-PC Era
Smart, Data-Centric Security for the Post-PC EraTrend Micro (EMEA) Limited
 
Edge computing from standard to actual infrastructure deployment and software...
Edge computing from standard to actual infrastructure deployment and software...Edge computing from standard to actual infrastructure deployment and software...
Edge computing from standard to actual infrastructure deployment and software...DESMOND YUEN
 
Hadoop World 2011: Security Considerations for Hadoop Deployments - Jeremy Gl...
Hadoop World 2011: Security Considerations for Hadoop Deployments - Jeremy Gl...Hadoop World 2011: Security Considerations for Hadoop Deployments - Jeremy Gl...
Hadoop World 2011: Security Considerations for Hadoop Deployments - Jeremy Gl...Cloudera, Inc.
 
Cloud securityperspectives cmg
Cloud securityperspectives cmgCloud securityperspectives cmg
Cloud securityperspectives cmgNeha Dhawan
 
AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...
AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...
AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...Amazon Web Services
 
Neupart Isaca April 2012
Neupart Isaca April 2012Neupart Isaca April 2012
Neupart Isaca April 2012Lars Neupart
 
Trend Micro Dec 6 Toronto VMUG
Trend Micro Dec 6 Toronto VMUGTrend Micro Dec 6 Toronto VMUG
Trend Micro Dec 6 Toronto VMUGtovmug
 
The next generation ethernet gangster (part 3)
The next generation ethernet gangster (part 3)The next generation ethernet gangster (part 3)
The next generation ethernet gangster (part 3)Jeff Green
 

Was ist angesagt? (19)

Cloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. RealityCloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. Reality
 
Protecting Utilities from Risk - Iain Morton, Tyco Integrated Security
Protecting Utilities from Risk - Iain Morton, Tyco Integrated SecurityProtecting Utilities from Risk - Iain Morton, Tyco Integrated Security
Protecting Utilities from Risk - Iain Morton, Tyco Integrated Security
 
Enabling on-device learning at scale
Enabling on-device learning at scaleEnabling on-device learning at scale
Enabling on-device learning at scale
 
SMARCOS Project Brochure
SMARCOS Project Brochure SMARCOS Project Brochure
SMARCOS Project Brochure
 
Reaching For The Cloud Wp101366
Reaching For The Cloud Wp101366Reaching For The Cloud Wp101366
Reaching For The Cloud Wp101366
 
Trend Micro - Virtualization and Security Compliance
Trend Micro - Virtualization and Security Compliance Trend Micro - Virtualization and Security Compliance
Trend Micro - Virtualization and Security Compliance
 
Ccsw
CcswCcsw
Ccsw
 
Tinysec
TinysecTinysec
Tinysec
 
Advanced Applications & Networks
Advanced Applications & NetworksAdvanced Applications & Networks
Advanced Applications & Networks
 
A New Trust Model for 5G Networks
A New Trust Model for 5G NetworksA New Trust Model for 5G Networks
A New Trust Model for 5G Networks
 
Asigra Product Marketing Strategy
Asigra Product Marketing StrategyAsigra Product Marketing Strategy
Asigra Product Marketing Strategy
 
Smart, Data-Centric Security for the Post-PC Era
Smart, Data-Centric Security for the Post-PC EraSmart, Data-Centric Security for the Post-PC Era
Smart, Data-Centric Security for the Post-PC Era
 
Edge computing from standard to actual infrastructure deployment and software...
Edge computing from standard to actual infrastructure deployment and software...Edge computing from standard to actual infrastructure deployment and software...
Edge computing from standard to actual infrastructure deployment and software...
 
Hadoop World 2011: Security Considerations for Hadoop Deployments - Jeremy Gl...
Hadoop World 2011: Security Considerations for Hadoop Deployments - Jeremy Gl...Hadoop World 2011: Security Considerations for Hadoop Deployments - Jeremy Gl...
Hadoop World 2011: Security Considerations for Hadoop Deployments - Jeremy Gl...
 
Cloud securityperspectives cmg
Cloud securityperspectives cmgCloud securityperspectives cmg
Cloud securityperspectives cmg
 
AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...
AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...
AWS Partner Presentation - TrendMicro - Securing your Journey to the Cloud, A...
 
Neupart Isaca April 2012
Neupart Isaca April 2012Neupart Isaca April 2012
Neupart Isaca April 2012
 
Trend Micro Dec 6 Toronto VMUG
Trend Micro Dec 6 Toronto VMUGTrend Micro Dec 6 Toronto VMUG
Trend Micro Dec 6 Toronto VMUG
 
The next generation ethernet gangster (part 3)
The next generation ethernet gangster (part 3)The next generation ethernet gangster (part 3)
The next generation ethernet gangster (part 3)
 

Andere mochten auch

Groth data of-cloud
Groth data of-cloudGroth data of-cloud
Groth data of-cloudStudying
 
Database consolidation onto private
Database consolidation onto privateDatabase consolidation onto private
Database consolidation onto privateStudying
 
Intro cloud-1
Intro cloud-1Intro cloud-1
Intro cloud-1Studying
 
How install-ubuntu-software
How install-ubuntu-softwareHow install-ubuntu-software
How install-ubuntu-softwareStudying
 
Smart survey
Smart surveySmart survey
Smart surveyStudying
 
Wg11 petro
Wg11 petroWg11 petro
Wg11 petroStudying
 

Andere mochten auch (6)

Groth data of-cloud
Groth data of-cloudGroth data of-cloud
Groth data of-cloud
 
Database consolidation onto private
Database consolidation onto privateDatabase consolidation onto private
Database consolidation onto private
 
Intro cloud-1
Intro cloud-1Intro cloud-1
Intro cloud-1
 
How install-ubuntu-software
How install-ubuntu-softwareHow install-ubuntu-software
How install-ubuntu-software
 
Smart survey
Smart surveySmart survey
Smart survey
 
Wg11 petro
Wg11 petroWg11 petro
Wg11 petro
 

Ähnlich wie Tech trendnotes

NXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdf
NXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdfNXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdf
NXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdfssuser57b3e5
 
10-ways-the-dissolving-perimeter-kills-IT
10-ways-the-dissolving-perimeter-kills-IT10-ways-the-dissolving-perimeter-kills-IT
10-ways-the-dissolving-perimeter-kills-ITIdan Hershkovich
 
IT Security for Oil and Gas Companies
IT Security for Oil and Gas CompaniesIT Security for Oil and Gas Companies
IT Security for Oil and Gas CompaniesRichard Cole
 
Evolution of #cloud computing
Evolution of #cloud computingEvolution of #cloud computing
Evolution of #cloud computingCirro
 
Jr genexus event2011
Jr genexus event2011Jr genexus event2011
Jr genexus event2011GeneXus
 
Jr genexus event2011
Jr genexus event2011Jr genexus event2011
Jr genexus event2011GeneXus
 
Telco Global Connect Vol3 Excerpt
Telco Global Connect Vol3 ExcerptTelco Global Connect Vol3 Excerpt
Telco Global Connect Vol3 ExcerptSadiq Malik
 
An Architecture for Providing Security to Cloud Resources
An Architecture for Providing Security to Cloud ResourcesAn Architecture for Providing Security to Cloud Resources
An Architecture for Providing Security to Cloud ResourcesNiranjana Padmanabhan
 
Securing Private 5G Networks (1).pdf
Securing Private 5G Networks (1).pdfSecuring Private 5G Networks (1).pdf
Securing Private 5G Networks (1).pdfSecurity Gen
 
Securing Private 5G Networks (1).pdf
Securing Private 5G Networks (1).pdfSecuring Private 5G Networks (1).pdf
Securing Private 5G Networks (1).pdfSecurity Gen
 
Empower Your Defense: SecurityGen's Comprehensive Approach to DDoS Attack Pre...
Empower Your Defense: SecurityGen's Comprehensive Approach to DDoS Attack Pre...Empower Your Defense: SecurityGen's Comprehensive Approach to DDoS Attack Pre...
Empower Your Defense: SecurityGen's Comprehensive Approach to DDoS Attack Pre...SecurityGen1
 
Cloud computing security- critical infrastructures
Cloud computing security- critical infrastructuresCloud computing security- critical infrastructures
Cloud computing security- critical infrastructuresMohammed Saqib
 
Tiarrah Computing: The Next Generation of Computing
Tiarrah Computing: The Next Generation of ComputingTiarrah Computing: The Next Generation of Computing
Tiarrah Computing: The Next Generation of ComputingIJECEIAES
 
Parallel and Distributed Computing: BOINC Grid Implementation Paper
Parallel and Distributed Computing: BOINC Grid Implementation PaperParallel and Distributed Computing: BOINC Grid Implementation Paper
Parallel and Distributed Computing: BOINC Grid Implementation PaperRodrigo Neves
 
NTT i3 Point of View: Network Infrastructure Elasticity
NTT i3 Point of View:  Network Infrastructure ElasticityNTT i3 Point of View:  Network Infrastructure Elasticity
NTT i3 Point of View: Network Infrastructure ElasticityNTT Innovation Institute Inc.
 
Sb securing-industrial-control-systems-with-fortinet
Sb securing-industrial-control-systems-with-fortinetSb securing-industrial-control-systems-with-fortinet
Sb securing-industrial-control-systems-with-fortinetIvan Carmona
 

Ähnlich wie Tech trendnotes (20)

NXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdf
NXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdfNXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdf
NXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdf
 
5691 computer network career
5691 computer network career5691 computer network career
5691 computer network career
 
10-ways-the-dissolving-perimeter-kills-IT
10-ways-the-dissolving-perimeter-kills-IT10-ways-the-dissolving-perimeter-kills-IT
10-ways-the-dissolving-perimeter-kills-IT
 
IT Security for Oil and Gas Companies
IT Security for Oil and Gas CompaniesIT Security for Oil and Gas Companies
IT Security for Oil and Gas Companies
 
Evolution of #cloud computing
Evolution of #cloud computingEvolution of #cloud computing
Evolution of #cloud computing
 
Presentation1.pptx
Presentation1.pptxPresentation1.pptx
Presentation1.pptx
 
Jr genexus event2011
Jr genexus event2011Jr genexus event2011
Jr genexus event2011
 
Jr genexus event2011
Jr genexus event2011Jr genexus event2011
Jr genexus event2011
 
Telco Global Connect Vol3 Excerpt
Telco Global Connect Vol3 ExcerptTelco Global Connect Vol3 Excerpt
Telco Global Connect Vol3 Excerpt
 
An Architecture for Providing Security to Cloud Resources
An Architecture for Providing Security to Cloud ResourcesAn Architecture for Providing Security to Cloud Resources
An Architecture for Providing Security to Cloud Resources
 
Securing Private 5G Networks (1).pdf
Securing Private 5G Networks (1).pdfSecuring Private 5G Networks (1).pdf
Securing Private 5G Networks (1).pdf
 
Securing Private 5G Networks (1).pdf
Securing Private 5G Networks (1).pdfSecuring Private 5G Networks (1).pdf
Securing Private 5G Networks (1).pdf
 
Empower Your Defense: SecurityGen's Comprehensive Approach to DDoS Attack Pre...
Empower Your Defense: SecurityGen's Comprehensive Approach to DDoS Attack Pre...Empower Your Defense: SecurityGen's Comprehensive Approach to DDoS Attack Pre...
Empower Your Defense: SecurityGen's Comprehensive Approach to DDoS Attack Pre...
 
Cloud computing security- critical infrastructures
Cloud computing security- critical infrastructuresCloud computing security- critical infrastructures
Cloud computing security- critical infrastructures
 
Tiarrah Computing: The Next Generation of Computing
Tiarrah Computing: The Next Generation of ComputingTiarrah Computing: The Next Generation of Computing
Tiarrah Computing: The Next Generation of Computing
 
"Parallel and Distributed Computing: BOINC Grid Implementation" por Rodrigo N...
"Parallel and Distributed Computing: BOINC Grid Implementation" por Rodrigo N..."Parallel and Distributed Computing: BOINC Grid Implementation" por Rodrigo N...
"Parallel and Distributed Computing: BOINC Grid Implementation" por Rodrigo N...
 
Parallel and Distributed Computing: BOINC Grid Implementation Paper
Parallel and Distributed Computing: BOINC Grid Implementation PaperParallel and Distributed Computing: BOINC Grid Implementation Paper
Parallel and Distributed Computing: BOINC Grid Implementation Paper
 
NTT i3 Point of View: Network Infrastructure Elasticity
NTT i3 Point of View:  Network Infrastructure ElasticityNTT i3 Point of View:  Network Infrastructure Elasticity
NTT i3 Point of View: Network Infrastructure Elasticity
 
Sb securing-industrial-control-systems-with-fortinet
Sb securing-industrial-control-systems-with-fortinetSb securing-industrial-control-systems-with-fortinet
Sb securing-industrial-control-systems-with-fortinet
 
8. 9590 1-pb
8. 9590 1-pb8. 9590 1-pb
8. 9590 1-pb
 

Kürzlich hochgeladen

Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...christianmathematics
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxheathfieldcps1
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxVishalSingh1417
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxRamakrishna Reddy Bijjam
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseAnaAcapella
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds  in the ClassroomFostering Friendships - Enhancing Social Bonds  in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomPooky Knightsmith
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxAreebaZafar22
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxEsquimalt MFRC
 
Dyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptxDyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptxcallscotland1987
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentationcamerronhm
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17Celine George
 
Understanding Accommodations and Modifications
Understanding  Accommodations and ModificationsUnderstanding  Accommodations and Modifications
Understanding Accommodations and ModificationsMJDuyan
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfSherif Taha
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701bronxfugly43
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibitjbellavia9
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxAmanpreet Kaur
 

Kürzlich hochgeladen (20)

Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds  in the ClassroomFostering Friendships - Enhancing Social Bonds  in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
Dyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptxDyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptx
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
Understanding Accommodations and Modifications
Understanding  Accommodations and ModificationsUnderstanding  Accommodations and Modifications
Understanding Accommodations and Modifications
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
 

Tech trendnotes

  • 1. Tech Trend Notes Preview of Tomorrow’s Information Technologies Volume: 9 Edition: 4 Fall 2000 Page 3 High-Reflectance, Real T ime Dielectric Mirrors Intrusion Detection Page 12 Page 16 Focus - Page 22 Pointers - Page 32 Technology Forecasts - Page 28 Calendar of Events - Page 41
  • 2. NetTop Commercial Technology in High Assurance Applications By Robert Meushaw and Donald Simard Introduction of familiar COTS technology to our identify several investigated applica- users, but they believed that we tions, and suggest future capabilities. The decade of the nineties has would not be able to influence the been particularly challenging for the security of COTS technology for User Requirements National Security Agency's high assurance applications. The Information Assurance mission. The board challenged the Information The ISSO’s customers have long gradual but accelerating changeover Assurance Research Office to initi- identified shortcomings with the from government produced tech- ate a project to develop architectures security technology that was avail- nologies to commercial products and that would allow COTS technology able to them. One significant con- services has seriously eroded our to be used safely in high assurance cern is that their workspaces are ability to protect information applications. cluttered with computer equipment processed by the national security to support access to multiple net- community. Numerous government A Tiger Team was assembled for works of differing sensitivity. programs intended to produce high a one-year effort to develop an archi- Dealing with this duplication of assurance data systems and worksta- tectural approach to allow the safe equipment has long been a problem, tion platforms have been largely use of COTS in sensitive since there is no single system that unsuccessful, and the buying power Government applications. The user can support all of their access needs. of the government has not com- should see a familiar interface, e.g., A second concern is that government manded the attention of the IT Microsoft Windows Operating developed security solutions have industry. 
The historical flow of tech- System (OS) and off-the-shelf appli- often been incompatible with other nology from government to industri- cation software, but achieve the standards-based IT products, which al and home users has largely been assurance needed for DoD use. The has significantly complicated the reversed. We often find technologies NSAAB suggested that one or more interfacing and upgrading of system that are more sophisticated in our government-off-the-shelf (GOTS) components. The cost and complexi- homes earlier than in our govern- components be included, preferably ty of network management is also a ment workspaces. The shortcomings as plug-ins; and their removal should steadily growing issue, particularly of our information assurance tech- allow the system to be used as a nor- in times of declining resources and nologies are further evidenced by the mal COTS machine. The notion of a mounting security concerns over the shift of R&D resources away from "Vault" was introduced as an outsourcing of support. Our cus- protection and into detection and Internet accessible, protected enclave tomers also need the ability to move response initiatives. that would provide high assurance data across isolated networks in services to connected user machines. order to perform their daily tasks, To address these issues, during and the techniques to make such the summer of 1999 the NSA The results of the Tiger Team transfers efficient and safe. Finally, Advisory Board (NSAAB) reviewed effort are a proof-of-concept archi- the increased importance placed on the Information Systems Security tecture and a set of components that coalition operations brings new chal- Organization's (ISSO) commercial- are referred to as NetTop. The lenges for technology to securely off-the-shelf (COTS) strategy. The remainder of this article will support these operations. 
The archi- board acknowledged the need to describe the concept and technical tecture of the NetTop prototype sug- provide the functionality and the feel approach used in the architecture, gests a near-term approach that can Fall 2000 Research & Advanced Technology Publication 1
provide a useful and practical set of capabilities to satisfy these needs.

An Initial Capability

To begin the development of the NetTop architecture, a modest, initial capability was sought. Opportunely, the ISSO's System Solutions Group identified an Internet-based version of the Remote Access Security Program (RASP) system as an excellent prospect. RASP provides secure remote access to a host computer over a dial-up connection, and includes a laptop computer and a specially developed encrypting modem to protect the communications link. Many customers have requested a similar capability for remote network connectivity, but using Internet connections through a local Internet Service Provider (ISP), i.e., using the public data network rather than the public voice network. The ability to provide a secure, remote connection over the Internet to a secure enclave was selected as the initial NetTop goal.

An architecture that can achieve this capability has been known for some time. It typically includes an end-user workstation, an in-line encryptor, and possibly a filtering router or firewall to connect to the Internet. Commercially, such solutions are known as Virtual Private Networks (VPN). Figure 1 depicts a typical VPN client configuration. This system configuration would provide the required functionality, but it would be cumbersome and expensive for a mobile user.

Figure 1 - Typical Virtual Private Network Client Configuration

Recycling Technology

The requirement that NetTop users see a familiar COTS computer desktop environment was taken as a fundamental precept of the architecture. One consequence of this approach is that, for high assurance applications, the end-user environment must be presumed to be untrustworthy, and the NetTop architecture must protect against potentially hostile behavior.

In order to place limitations upon a potentially malicious component, we explored the concept of encapsulation to constrain the behavior of the end-user operating system and application software. The method selected for encapsulating the OS was based upon a 30-year-old technology, the Virtual Machine Monitor (VMM). VMM technology was designed and developed in the era of large IBM mainframe computers, and was intended to help extend the life of legacy software when improved hardware or OS software was released. In essence, a VMM was a software system that ran directly on the computer hardware and allowed multiple operating systems to be installed on top of it. By running older OS versions in some virtual machines, legacy software could be run, while newer application software could be executed in VMs running more current OS versions.

Commodity VMMs

During the NetTop design discussions, we identified a new commercial product, VMware, that provided a practical VMM capability. The VMware product is a spin-off of DARPA-sponsored research at Stanford University, and is generally used for providing a safe test environment for OS and networking software.

There were several novel capabilities of VMware that made it attractive for use in NetTop. First, it was designed for efficient operation on Intel x86 platforms rather than on large mainframe computers, which made it suitable for use on commonplace personal computers, workstations, and laptops. Next, VMware operates on top of an underlying host OS rather than directly on the system hardware. VMMs that run directly on hardware have been studied previously under Project Neptune for their use in securing systems. A Neptune type of VMM would face the enormous challenge of keeping pace with changes in the underlying hardware platform. VMware takes advantage of the host
OS's need to track these changes. This is a much more practical approach, and would be particularly important in producing a GOTS VMM for NetTop. Lastly, VMware provides an abstraction for "virtual Ethernet hubs." This capability allows virtual machines to be interconnected in a fashion that is well understood by network designers and administrators.

A Network on a Desktop

Using VMware, the initial NetTop system was constructed using a powerful laptop computer. The operating system chosen for the host OS was Red Hat Linux Version 6.2. Three virtual machines networked by two virtual hubs were installed on top of the host OS, providing an in-line configuration of three machines comprising (1) an end-user Windows NT machine, (2) an encrypting machine using IPSec, and (3) a Filtering Router (FR) machine. Both the VPN and FR were hosted on VMs running the Linux operating system. Figure 2 displays the initial NetTop prototype configuration.

Figure 2 - Simple NetTop System Configuration

The initial NetTop configuration demonstrates a number of important capabilities. It encapsulates the unmodified, end-user Windows operating system in a VM. An important characteristic of this approach is that the encryption can be provided as an in-line function that cannot be bypassed by malicious actions of the end-user OS or application software. Rudimentary protection from network attacks is provided through a filtering router. Any of the individual virtual machines can be replaced or upgraded with standards-based components. The interconnection of the virtual machines is based upon familiar TCP/IP networking. Finally, a single platform replaces several traditional components, thereby reducing hardware and maintenance costs. An important side benefit is that the architecture makes no assumptions about the communications technology used to connect the external network. The user is free to select the desired technology, including dial-up, Ethernet, ATM, wireless, etc.

The basic NetTop configuration provides the same functionality as three separate hardware platforms. Each virtualized component should operate identically to its real-world counterpart with "bug for bug compatibility." The simple NetTop configuration was successfully connected across the Internet to a simulated, secure enclave on an unclassified NSA network, using both dial-up

Figure 3 - NetTop Logical Configuration
and cable modem connections. Such a configuration could have all of the capabilities of a locally connected machine, including the ability to connect to the Internet, if permitted within the enclave. Figure 3 illustrates a NetTop logical configuration.

Multiple Security Levels

A natural extension to the first prototype was the addition of other VMs to provide increased functionality. The second version of the NetTop prototype included another Windows NT machine connected directly to the filtering router, as shown in Figure 4. This machine allows a user to access the Internet directly. This extended prototype suggests a powerful feature of the NetTop architecture: the ability to replace multiple end-user workstations within a single hardware platform. In theory, multiple user connections to networks of differing sensitivity could be provided using multiple VPNs. This environment provides Multiple (single) Security Level (MSL) capability rather than true Multi-Level Security, but still addresses an important customer need.

Figure 4 - NetTop Multiple Security Level Configuration

Another configuration for an MSL system is shown in Figure 5, where two isolated VM workstations are connected to two different networks through two network interface cards. Since the network connections are already physically isolated, encrypted communication tunnels are not needed. This type of NetTop configuration may be appropriate to replace multiple end-user workstations when separate communications infrastructures are already available.

Figure 5 - NetTop Dual Network MSL Configuration

Thin-Client VMs

While the VMs described so far have been fully configured Windows or Linux systems, there is nothing preventing a VM from being a "thin client." In fact, there may be reasons why a thin client would be preferable. For example, if the Windows NT machine in Figure 4 were installed as a "display only" thin client, all classified files could be kept on a remote server in a protected enclave. This configuration increases assurance, since the NetTop device then contains minimal sensitive information.

Assurance

Despite the functional and cost advantages that the NetTop architecture described above may offer to some users, its usefulness will depend upon its ability to withstand determined attacks from the external network and from malicious end-user software. The most sensitive applications may require additional protection against compromising system failures. While NetTop attempts to deal with insecurities that may be caused by user errors, no attempt has been made to thwart malicious insiders. As a practical matter, it should only be necessary to demonstrate that a NetTop configuration provides the same degree of
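The in-line property claimed for Figure 2 (the user VM cannot reach the external network without traversing the encryptor and then the filtering router) and the deliberate exception in Figure 4 (a second NT machine attached directly to the filtering router) can both be stated as a check on the virtual network topology. The following Python is an added example, not NetTop code: it models VMs, virtual hubs and the external NIC as a graph and verifies that every path from a given user VM to the outside visits the encryptor before the filtering router. The node names, and the bridged-hub misconfiguration used to show a failing case, are constructed for illustration.

```python
"""Topology check: is the encryptor really in-line for a given user VM?

Added example, not NetTop code. VMs, virtual Ethernet hubs and the
external NIC are nodes of an undirected graph; node names are assumed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Sequence, Set, Tuple

Edge = Tuple[str, str]

# Figure 2 as a wire list: NT user VM -> hub1 -> IPSec VM -> hub2 -> FR VM -> eth0
FIGURE_2: List[Edge] = [
    ("nt_user", "hub1"), ("hub1", "ipsec"), ("ipsec", "hub2"),
    ("hub2", "fr"), ("fr", "eth0"),
]
# Figure 4 adds a second NT VM attached directly to the filtering router.
FIGURE_4: List[Edge] = FIGURE_2 + [("nt_internet", "hub2")]
# Constructed misconfiguration: the two virtual hubs are accidentally bridged.
BRIDGED_HUBS: List[Edge] = FIGURE_2 + [("hub1", "hub2")]


def build_graph(edges: Iterable[Edge]) -> Dict[str, Set[str]]:
    graph: Dict[str, Set[str]] = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def simple_paths(graph: Dict[str, Set[str]], src: str, dst: str) -> List[List[str]]:
    """All loop-free paths from src to dst, found depth-first."""
    found: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node == dst:
            found.append(list(path))
            return
        for nxt in sorted(graph[node]):
            if nxt not in path:
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    walk(src, [src])
    return found


def visits_in_order(path: Sequence[str], required: Sequence[str]) -> bool:
    """True if every node in `required` appears in `path`, in that order."""
    pos = 0
    for node in path:
        if pos < len(required) and node == required[pos]:
            pos += 1
    return pos == len(required)


def encryptor_in_line(edges: Iterable[Edge], user_vm: str, external: str = "eth0",
                      required: Sequence[str] = ("ipsec", "fr")) -> bool:
    """Every path from user_vm to the external NIC must pass the encryptor,
    then the filtering router. A user VM with no path at all also fails."""
    paths = simple_paths(build_graph(edges), user_vm, external)
    return bool(paths) and all(visits_in_order(p, required) for p in paths)


def bypass_paths(edges: Iterable[Edge], user_vm: str, external: str = "eth0",
                 required: Sequence[str] = ("ipsec", "fr")) -> List[List[str]]:
    """The offending paths, for an audit report."""
    paths = simple_paths(build_graph(edges), user_vm, external)
    return [p for p in paths if not visits_in_order(p, required)]


if __name__ == "__main__":
    cases = [("Figure 2", FIGURE_2, "nt_user"),
             ("Figure 4, classified VM", FIGURE_4, "nt_user"),
             ("Figure 4, Internet VM", FIGURE_4, "nt_internet"),
             ("bridged hubs", BRIDGED_HUBS, "nt_user")]
    for name, wires, vm in cases:
        print(f"{name}: in-line={encryptor_in_line(wires, vm)} "
              f"bypass={bypass_paths(wires, vm)}")
```

Run against a VMware configuration, the wire list would be generated from the VM and virtual-hub definitions rather than typed in; the check itself is the same. Note that the Figure 4 Internet VM fails the check by design, which is exactly what an operator wants flagged: it must never hold classified files.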
security as the separate network components that it replaces. If this can be achieved, then the basic architectural approach is validated.

A number of approaches have been identified to increase the assurance of the NetTop architecture. The critical aspect of the architecture that must be validated is the ability of the VMM/host OS combination to sufficiently isolate the various NetTop components. Our approach to dealing with security in the underlying host is to use a Trusted Linux OS prototype that has been developed under the IARO's OS Security research program. Trusted Linux incorporates flexible access control mechanisms. In order to bolster the inherent isolation provided by the VMM, a tailored security policy has been developed for the Trusted Linux host. The VMM/Trusted Linux combination will be evaluated further during an internal "red team" exercise to assess the degree of isolation it provides.

The Trusted Linux prototype is also envisioned for use as the guest OS in the VPN and Filtering Router VMs. It is likely that a substantially reduced Trusted Linux OS could be configured to support each VM. In each case, specific security policies need to be tailored to support the limited functionality of each machine. The particular encryption and filtering router products selected could be from National Information Assurance Partnership approved lists or specially developed GOTS components.

Figure 6 - NetTop Improved Assurance Configuration

Another critical component of the underlying host platform is the BIOS function that controls the initial boot-up process, and its ability to arrive at a secure initial state. Vulnerabilities in the BIOS have long been identified as the "Achilles' heel" of computer systems. Work presently underway to develop a robust, trusted BIOS should be incorporated into any high assurance NetTop system.

Failure Checking

Even a minimal NetTop configuration will be an extremely complex hardware and software system. It will not likely be amenable to the forms of failure analysis historically used for NSA high assurance systems. While it might seem that significant failures in a NetTop device would result in complete system shutdown, sensitive applications will require more rigorous assurance arguments. Lacking failure detection support in the workstation platform, an approach using a type of "dead man's switch" has been developed to limit failure effects by severing external NetTop communications.

In order to make an effective argument for the correct operation of a failure checking mechanism, its hardware and software must be completely independent of the system being checked. A Dallas Semiconductor Tiny InterNet Interface (TINI) embeddable computer was networked to the in-line Network Encryptor machine, and was programmed to use a simple network "ping" to the VPN machine as a health check. If no response was received, the Internet connection was interrupted. A more robust health check could include a more complex set of tests to gain increased assurance that the NetTop device is working properly. The tests could include challenge/response exchanges with a Failure Detection Server in the protected enclave. A dead-man switch of this type may be suitable for a GOTS plug-in component for high assurance applications. The
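A plain "ping" only shows that something at the encryptor's address answers; the stronger check the text suggests, a challenge/response with a party that holds a secret, shows that the right component is alive and still in control of its key. The following Python is an added example, not the TINI firmware or any NetTop component: it models the independent monitor's decision logic, issuing a fresh nonce each round, expecting an HMAC-SHA256 of that nonce under a shared key, and severing the external link after a run of failures. The key, the nonce size, the failure threshold and the responder functions are assumptions; in the real arrangement the monitor runs on separate hardware, which this code does not model.

```python
"""Dead-man switch with challenge/response health checks.

Added example, not NetTop code. `DeadManSwitch` models the independent
monitor; `health_response` is what the monitored machine (or the enclave's
Failure Detection Server) computes. Key, nonce size and threshold are
assumed values.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Optional


def health_response(key: bytes, challenge: bytes) -> bytes:
    """Reply produced by a healthy machine that holds the shared key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class DeadManSwitch:
    def __init__(self, key: bytes, max_failures: int = 3) -> None:
        self.key = key
        self.max_failures = max_failures
        self.consecutive_failures = 0
        self.link_up = True              # state of the external connection
        self._outstanding: Optional[bytes] = None

    def challenge(self) -> bytes:
        """Fresh 16-byte nonce; only the most recent one is honoured."""
        self._outstanding = secrets.token_bytes(16)
        return self._outstanding

    def verify(self, response: Optional[bytes]) -> bool:
        """Check one reply. A missing, forged or replayed reply counts as a
        failure; enough consecutive failures sever the link."""
        expected = (health_response(self.key, self._outstanding)
                    if self._outstanding is not None else None)
        self._outstanding = None         # one answer per nonce: replays fail
        ok = (response is not None and expected is not None
              and hmac.compare_digest(response, expected))
        if ok:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.max_failures:
                self.link_up = False     # sever external communications
        return ok


Responder = Callable[[bytes], Optional[bytes]]


def run_health_checks(switch: DeadManSwitch, responder: Responder, rounds: int) -> bool:
    """Drive `rounds` check cycles against `responder`; return link state."""
    for _ in range(rounds):
        if not switch.link_up:
            break
        switch.verify(responder(switch.challenge()))
    return switch.link_up


if __name__ == "__main__":
    KEY = secrets.token_bytes(32)        # assumed secret provisioned into both devices
    OTHER = secrets.token_bytes(32)      # an impostor's key
    print("healthy :", run_health_checks(DeadManSwitch(KEY), lambda c: health_response(KEY, c), 10))
    print("silent  :", run_health_checks(DeadManSwitch(KEY), lambda c: None, 10))
    print("impostor:", run_health_checks(DeadManSwitch(KEY), lambda c: health_response(OTHER, c), 10))
```

The threshold exists so that a single dropped packet does not sever the link; what it must never do is let a stale answer keep the link up, which is why each nonce is discarded after one verification.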
failure detection approach is shown in Figure 7.

Figure 7 - Dead-Man Switch Architecture

Moving Data Safely

Many organizations require the ability to move information between networks of differing security levels. A common operation involves downgrading information from highly classified to lower classified systems, but increasingly, information is imported from the Internet into classified systems. In the first case, it is essential that classified information not be compromised, while in the second, a primary concern is the protection of the classified host from malicious content.

The VMware product includes a capability to copy and paste data between VMs via a clipboard. This feature does not include sufficient safeguards for use in a high assurance NetTop system. In order to provide a more trusted copy/paste function, a new capability, dubbed a "Regrader," was developed. This capability includes a protocol for performing the regrade operation, as well as a "Regrade Server" that provides a trusted network service. By making the regrade operation a centralized service, a number of advantages are gained. First, consistency in the regrade operation can be achieved. Second, it would be possible to develop and enforce a regrade policy that specifies the conditions under which each user could perform regrade operations. The regrade operation could include "sanitization" functions to deter the transfer of covert or malicious content. Finally, an audit log could be maintained and monitored for suspicious activity. Figure 8 depicts the protocol exchange between the Regrade Server and two hosts of different security levels. A trusted user token is employed in a challenge/response exchange with the trusted server in order to safeguard against untrusted OS behavior.

Figure 8 - Regrade Server Protocol

Coalition Support

The paradigm of virtual machines creates abstractions of physical computers. Each VM is composed of a set of files that embody a hardware/software system. This set of files can be copied from one physical machine to another. Given the portability of VMs, there is no inherent reason why a VM, or set of VMs, could not be electronically transferred. It is possible for a NetTop device to become a member of a coalition by downloading an appropriately configured VM over a secured communications channel. The set of VMs in each coalition would constitute a VPN, and would not be able to communicate directly with VMs in other coalitions. Cross-coalition communication is performed using
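The Regrade Server described above has three duties the page names: authenticate the request with the user's trusted token by challenge/response, apply a per-user regrade policy, and sanitize and log every transfer. The following Python is an added example, not the NetTop Regrader or its protocol: it models those three duties for a server mediating between an UNCLASSIFIED and a SECRET host. The token is modelled as an HMAC key that only the token holds (so a compromised user OS cannot forge an authorization), and the token's signature binds the nonce to the requested direction so the OS cannot obtain a signature for an import and replay it as a downgrade. The level names, policy table, token scheme and the printable-text sanitization rule are assumptions.

```python
"""Regrade Server model: centralized, policy-checked data movement
between hosts of different security levels.

Added example, not the NetTop Regrader. Levels, policy, token scheme and
sanitization rule are assumptions chosen to show token challenge/response,
per-user regrade policy, sanitization and audit in one place.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Level = str
Transfer = Tuple[Level, Level]           # (source level, destination level)


def token_sign(token_key: bytes, nonce: bytes, src: Level, dst: Level) -> bytes:
    """Computed on the trusted user token. Binding src/dst into the MAC means
    a signature for one direction cannot be reused for another."""
    msg = nonce + b"|" + src.encode() + b">" + dst.encode()
    return hmac.new(token_key, msg, hashlib.sha256).digest()


def sanitize(data: bytes) -> Tuple[bytes, int]:
    """Constructed rule: keep printable ASCII plus tab/newline, drop all other
    bytes (a crude deterrent to embedded binary or covert content).
    Returns (clean data, number of bytes dropped)."""
    clean = bytes(b for b in data if 32 <= b < 127 or b in (9, 10))
    return clean, len(data) - len(clean)


@dataclass
class RegradeServer:
    token_keys: Dict[str, bytes]               # user -> key held by that user's token
    policy: Dict[str, Set[Transfer]]           # user -> permitted (src, dst) pairs
    audit: List[Tuple[str, ...]] = field(default_factory=list)
    _pending: Dict[str, bytes] = field(default_factory=dict)

    def challenge(self, user: str) -> bytes:
        """Step 1 of the exchange: a fresh nonce for this user's token to sign."""
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def regrade(self, user: str, response: bytes, src: Level, dst: Level,
                data: bytes) -> Optional[bytes]:
        """Step 2: verify the token's answer, check policy, sanitize, log.
        Returns the data to deliver to the destination host, or None."""
        nonce = self._pending.pop(user, None)    # each nonce is usable once
        key = self.token_keys.get(user)
        if (nonce is None or key is None
                or not hmac.compare_digest(response, token_sign(key, nonce, src, dst))):
            self.audit.append(("DENY", user, src, dst, "token check failed"))
            return None
        if (src, dst) not in self.policy.get(user, set()):
            self.audit.append(("DENY", user, src, dst, "not permitted by policy"))
            return None
        clean, dropped = sanitize(data)
        self.audit.append(("ALLOW", user, src, dst, f"{len(clean)} bytes, {dropped} dropped"))
        return clean


def regrade_via_token(server: RegradeServer, user: str, token_key: bytes,
                      src: Level, dst: Level, data: bytes) -> Optional[bytes]:
    """Client side of the exchange: fetch a nonce, have the token sign it,
    submit the request. `token_key` stands in for the hardware token."""
    nonce = server.challenge(user)
    return server.regrade(user, token_sign(token_key, nonce, src, dst), src, dst, data)


if __name__ == "__main__":
    ALICE, BOB = secrets.token_bytes(32), secrets.token_bytes(32)   # token keys (assumed)
    srv = RegradeServer(
        token_keys={"alice": ALICE, "bob": BOB},
        policy={"alice": {("UNCLASSIFIED", "SECRET")},
                "bob": {("UNCLASSIFIED", "SECRET"), ("SECRET", "UNCLASSIFIED")}},
    )
    print(regrade_via_token(srv, "alice", ALICE, "UNCLASSIFIED", "SECRET", b"report\x00\xff.txt\n"))
    print(regrade_via_token(srv, "alice", ALICE, "SECRET", "UNCLASSIFIED", b"leak"))
    for entry in srv.audit:
        print(entry)
```

Because every decision, allow or deny, lands in `audit`, the log the article calls for is a by-product of enforcement rather than a separate feature; monitoring it for repeated DENY entries from one user is the "suspicious activity" check.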
a variation of the Regrade Server previously described. For some coalitions, it might be useful to distribute application-specific VMs, such as a secure Voice-over-IP machine. A centralized Coalition Management Server could be used to manage the configuration and distribution of VMs to coalition members. The essence of NetTop's coalition support is its ability to distribute virtual systems electronically. Figure 9 displays a hypothetical situation in which four organizations participate in four data coalitions and two voice coalitions. A simple capability to demonstrate electronic distribution of VMs is under development.

Figure 9 - NetTop Coalition Concept

Additional Capabilities

A number of useful capabilities are included in the prototypes that were not described in the NetTop overview. The entire file system on the hard disk is encrypted in order to protect against compromise if the machine is lost or stolen. The "International Patch" for Linux was installed, which provides software encryption capabilities and services under the control of the Trusted Linux host OS. The hard disk encryption is transparent to all VMs. Additionally, this disk encryption cannot be corrupted or bypassed by a VM. A process was developed that uses a floppy disk and a user-entered PIN to "bootstrap" the decryption and loading of system files from the hard disk. During normal operation, all disk files, including temporary files, are stored encrypted on the hard disk.

The hardware virtualization provided by the VMM also provides a capability to alter the operation of the hard disks seen by each VM. In one mode, all changes made to a VM's hard disk are discarded when it is powered down. This may be useful in the operation of the IPSec and FR machines by preventing permanent changes to the system if a successful attack did occur. Any changes would be lost when the VM was restarted, which would force an adversary to repeat the attack.

Performance

Real-world performance determines any technology's acceptance. NetTop's architecture includes a lot of functionality in a single hardware platform, yet the performance is quite acceptable. The laptop computer used in the prototype includes a 500 MHz Pentium III processor and 384 MB of memory. The VMware VMM is surprisingly modest in its effect upon the performance of a VM, and only a slight degradation is noticed. As more VMs are introduced, more serious performance degradation is noticed, but it can be minimized with additional memory. The 384-MB configuration of the NetTop prototype shown in Figure 4 was sufficient to support the Linux host and four guest VMs: two Windows NT machines for the end-user terminals and two Linux machines for the in-line Network Encryptor and Filtering Router. Overall, the performance of the NetTop prototype is quite satisfactory, and easily keeps pace with a high-speed cable modem connection. Continuing enhancements in hardware performance will only improve its performance.
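The page says a floppy disk and a user-entered PIN together "bootstrap" decryption of the host file system, but not how the two factors are combined. The following Python is an added example, not NetTop's boot process or the Linux International Patch: it shows one sound way to bind both factors to the media key, stretching the PIN with PBKDF2 and mixing it with the secret stored on the removable medium, and a header check tag that lets the loader detect a wrong PIN or wrong floppy before touching the volume without revealing anything about the key. The iteration count, header layout and the use of an HMAC check tag (rather than the unnamed cipher the patch provided) are assumptions.

```python
"""Two-factor bootstrap of a media-encryption key from a floppy secret
and a user PIN.

Added example, not NetTop code. Iteration count, header layout and the
check-tag construction are assumed; the actual cipher used by the Linux
International Patch is not specified on the page and is not modelled.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

PBKDF2_ROUNDS = 200_000              # assumed; tune to the platform
SALT_LEN = 16
HEADER_MAGIC = b"media-key-check-v1"  # assumed domain separator for the tag


def derive_media_key(floppy_secret: bytes, pin: str, salt: bytes) -> bytes:
    """Both factors are required: the PIN alone is brute-forceable, and the
    floppy alone is useless without the PIN."""
    pin_key = hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.new(floppy_secret, pin_key, hashlib.sha256).digest()


def make_header(key: bytes, salt: bytes) -> bytes:
    """Stored on the hard disk next to the encrypted volume: the salt plus a
    key-check tag. The tag reveals nothing useful about the key but lets the
    loader confirm it derived the right one."""
    tag = hmac.new(key, HEADER_MAGIC + salt, hashlib.sha256).digest()
    return salt + tag


def unlock(floppy_secret: bytes, pin: str, header: bytes) -> Optional[bytes]:
    """Re-derive the key from the presented factors and return it only if the
    header tag matches; None means wrong PIN, wrong floppy or damaged header."""
    if len(header) != SALT_LEN + hashlib.sha256().digest_size:
        return None
    salt, tag = header[:SALT_LEN], header[SALT_LEN:]
    key = derive_media_key(floppy_secret, pin, salt)
    expected = hmac.new(key, HEADER_MAGIC + salt, hashlib.sha256).digest()
    return key if hmac.compare_digest(tag, expected) else None


def provision(pin: str) -> Tuple[bytes, bytes, bytes]:
    """Enrolment: mint the floppy secret and salt, derive the key, write the
    header. Returns (floppy_secret, header, key)."""
    floppy_secret = secrets.token_bytes(32)
    salt = secrets.token_bytes(SALT_LEN)
    key = derive_media_key(floppy_secret, pin, salt)
    return floppy_secret, make_header(key, salt), key


if __name__ == "__main__":
    floppy, header, key = provision("2468")      # constructed PIN
    print("correct factors:", unlock(floppy, "2468", header) == key)
    print("wrong PIN      :", unlock(floppy, "2469", header))
    print("wrong floppy   :", unlock(secrets.token_bytes(32), "2468", header))
```

The key never rests on the hard disk and is not derivable from the floppy alone, which is the property that matters for the lost-or-stolen laptop case the article describes; the guest VMs never see the key at all because the host performs the decryption.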
Future Development

The NetTop proof-of-concept has demonstrated an architecture that appears to have significant promise for information assurance applications. In its current form, however, it is unsuitable for widespread use and requires considerable refinement. Our research has uncovered a number of shortcomings in current technology that need to be addressed. Additionally, important topics still must be investigated. Areas requiring further development are:

· Identification & Authentication Architecture
· Biometric activation technique
· Key & certificate management
· Filtering Router management
· Un-spoofable labels for MSL windows
· Trusted VM switching mechanism
· Installation & configuration wizards
· IPSec modifications for NetTop protocols
· User friendly interfaces

The set of capabilities identified as NetTop extensions - Failure Detection Server, Regrade Server, and Coalition Management Server - suggests an expansion of the security services typically considered as part of a Security Management Infrastructure. The integration of these services with traditional key and certificate management services may deserve a separate investigation to develop a concept for a more comprehensive security infrastructure.

Development of the NetTop prototype is continuing. Some of the concepts previously described, including a Regrade Server, thin clients, and coalition support, will be integrated as each is developed.

Conclusion

The Information Assurance Research Office has responded to the NSA Advisory Board's challenge with the NetTop proof-of-concept. The novel architecture builds upon COTS technology, fortifies it with GOTS components, and provides a combination with the potential to be securely used for sensitive applications. It also addresses other important concerns, and provides a framework for useful extensions. NetTop depends heavily upon the isolation capabilities provided by the Trusted Linux/VMM combination. The robustness of the approach still requires a comprehensive security evaluation. TTN

A very simple NetTop configuration with only one user Virtual Machine can provide a very useful feature - media encryption - which could not otherwise be done with a high level of confidence. Since the host operating system does not run application software, it is protected from virus attacks and other malicious software that might corrupt the user VM. With the media encryption function embedded in the host OS, all of the files on the hard disk can be encrypted transparently to the user OS. The user OS cannot bypass the cryptography that is protecting the media.

Donald Simard is the Technical Director for the System and Network Attack Center and has been with the Agency since 1979. The majority of his work has been in the Information Systems Security Organization. He is a Master in the INFOSEC Technical Track and has a Master's Degree in Computer Science.

Robert Meushaw is Technical Director for the Information Assurance Research Office. He joined the Agency in 1973 with BS and MS degrees in Electrical Engineering. Mr. Meushaw had a long career in the Information Systems Security Organization prior to his current position. He is a Master in the Computer Systems Technical Track.