Patterns and Interactions in Network Security

Networks play a central role in cyber-security: networks deliver security attacks, suffer from them, defend against them, and sometimes even cause them. This article is a concise tutorial on the large subject of networks and security, written for all those interested in networking, whether their specialty is security or not. To achieve this goal, we derive our focus and organization from two perspectives. The first perspective is that, although mechanisms for network security are extremely diverse, they are all instances of a few patterns. Consequently, after a pragmatic classification of security attacks, the main sections of the tutorial cover the four patterns for providing network security, of which the familiar three are cryptographic protocols, packet filtering, and dynamic resource allocation. Although cryptographic protocols can hide the contents of packets, they cannot hide the packet headers that the network itself must read in order to forward them. When users need to hide packet headers from adversaries, which may include the very network from which they are receiving service, they must resort to the fourth pattern, compound sessions and overlays. The second perspective comes from the observation that security mechanisms interact in important ways, both with each other and with other aspects of networking, so the discussion of each pattern includes its interactions.
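The header-versus-payload distinction above is easy to see in code. The following is an added example, not code from the tutorial: a packet whose payload is encrypted end to end still carries its (source, destination) header in the clear on every link, whereas routing the same payload through an onion-style overlay path (the compound-sessions-and-overlays pattern) lets each relay learn only its successor, so no link and no single relay sees the true end-to-end pair. The cipher is a toy PRF-in-counter-mode stream cipher with an HMAC tag, adequate only for illustration; the relay names, the per-relay keys and the end-to-end key are constructed for the demo, and the sender is assumed to already share a key with each relay (circuit setup is omitted).

```python
"""Added example: end-to-end encryption hides contents, an overlay hides headers.
Toy encrypt-then-MAC cipher built from HMAC-SHA256; not for production use."""
import hashlib
import hmac
import os
from dataclasses import dataclass

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # separate encryption and MAC keys derived from one relay key
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting: a modified layer is rejected, not forwarded."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated layer")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


@dataclass
class Packet:
    src: str        # header fields: readable by every router on the link
    dst: str
    payload: bytes  # opaque to anyone without the layer key


def _encode_hop(name: str) -> bytes:
    b = name.encode()
    return bytes([len(b)]) + b


def _decode_hop(blob: bytes):
    n = blob[0]
    return blob[1:1 + n].decode(), blob[1 + n:]


def build_onion(path, relay_keys, final_dst, inner_payload):
    """Wrap inner_payload so that relay i can read only the identity of hop i+1."""
    hops = path + [final_dst]
    blob = inner_payload
    for i in reversed(range(len(path))):
        blob = seal(relay_keys[path[i]], _encode_hop(hops[i + 1]) + blob)
    return blob


def relay_forward(relay, key, pkt):
    """A relay peels one layer, learns its next hop and re-addresses the packet."""
    next_hop, rest = _decode_hop(unseal(key, pkt.payload))
    return Packet(src=relay, dst=next_hop, payload=rest)


def send_direct(sender, receiver, e2e_key, message):
    """Baseline: payload encrypted end to end, header in the clear."""
    return [Packet(sender, receiver, seal(e2e_key, message))]


def send_via_overlay(sender, receiver, path, relay_keys, e2e_key, message):
    """Returns the packet as it appears on each link of the overlay path."""
    onion = build_onion(path, relay_keys, receiver, seal(e2e_key, message))
    pkt = Packet(sender, path[0], onion)
    trace = [pkt]
    for relay in path:
        pkt = relay_forward(relay, relay_keys[relay], pkt)
        trace.append(pkt)
    return trace


def links_seen(trace):
    """The (src, dst) pairs an on-path observer reads from packet headers."""
    return [(p.src, p.dst) for p in trace]


def pair_exposed(trace, sender, receiver):
    return any(p.src == sender and p.dst == receiver for p in trace)


def demo():
    # constructed keys, names and message for the demonstration
    e2e_key = b"alice-bob-shared-key"
    relay_keys = {"R1": b"k-R1", "R2": b"k-R2", "R3": b"k-R3"}
    message = b"meet at noon"
    direct = send_direct("alice", "bob", e2e_key, message)
    overlay = send_via_overlay("alice", "bob", ["R1", "R2", "R3"], relay_keys, e2e_key, message)
    received = unseal(e2e_key, overlay[-1].payload)
    return direct, overlay, received


if __name__ == "__main__":
    direct, overlay, received = demo()
    print("direct  :", links_seen(direct))
    print("overlay :", links_seen(overlay))
    print("received:", received)
```

Running it shows the direct packet exposing `('alice', 'bob')` on its single link, while the overlay trace exposes only adjacent pairs (`alice`→`R1`, `R1`→`R2`, and so on); the last relay sees the destination but only an end-to-end ciphertext, and a relay whose layer fails authentication refuses to forward rather than passing a corrupted onion along. The interaction the tutorial warns about is also visible here: the overlay cannot hide the packet header on the first link, so the sender's relationship with `R1` remains observable by its own access network.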