Securing Content Based Routing Publish-Subscribe Systems - PowerPoint PPT Presentation

Slides: 31
Provided by: JohnGia6

Transcript and Presenter's Notes

1
Securing Content Based Routing Publish-Subscribe
Systems
  • (SIENA)
  • John.Giacomoni_at_colorado.edu
  • 2002.01.28

2
What is Content Based Routing?
  • Messages Routed Based on Content
  • No Fixed Address Field(s)
  • Generally Speaking Routers Need Full Access to
    Message Payload

3
What is Publish-Subscribe?
  • Event Notification System
  • Producers (Publishers)
  • Consumers (Subscribers)
  • Publications are Routed to Subscribers Based on
    Filters (Subscriptions)

4
Interesting Properties of Publish-Subscribe
  • Publishers and Subscribers can be Anonymous to
    Each Other
  • Clients Can be Linked Together to Form an Ad-Hoc
    Network Using only the Publish-Subscribe
    Interface

5
What is SIENA?
  • Scalable
  • Internet (Scale)
  • Event
  • Notification
  • Architecture

6
What/How Does SIENA Work?
  • Exports a Publish-Subscribe API
  • Employs Content Based Routing
  • Accurately Route Messages To Interested Parties
  • Bandwidth Consumption Reduction

7
Interesting Properties of SIENA
  • Notifications(Messages) Routed Based on Content
  • Unspecified Number of Clients or Servers
  • Unspecified Network Topology
  • Unspecified Communication Protocols
  • Unspecified Message Delivery Windows
  • Heterogeneous Host Authority Domains
  • Fault Permissive

8
Unspecified Network Topology
  • Single Server
  • Hierarchical
  • General Graph
  • Hybrid/Combination Topology

9
Combination Topology (with heterogeneous authority)

10
Security Goals
  • Confidentiality
  • Integrity
  • Availability

As Described in Secrets & Lies by Bruce Schneier, p. 121

11
Confidentiality Goals
  • Data (Publications)
  • Content Might Contain Sensitive Information
  • Routing Depends on Content
  • Subscriptions
  • Subscriptions May Contain Sensitive Information
  • Data Flow Analysis
  • Anonymity

12
Integrity Goals
  • Altered Messages
  • Injected Messages
  • Dropped Messages

13
Availability Goals
  • Denial of Service Protection
  • Individual Server
  • Network Congestion
  • Knowing When System is Overloaded/DoSed

14
Additional Goals
  • Billing/Accountability
  • Audit

15
Conflicting Goals
  • Scale vs. Security
  • Performance vs. Security
  • Anonymity vs. Security
  • Anonymity vs. Billing
  • Communication Network vs. User Security
  • Data Confidentiality vs. Expressiveness

16
How do we Balance These Conflicting Goals?

17
Observations
  • Single Solution Very Unlikely
  • Each Environment Will Need Its Own Setup
  • Military Always Does Its Own Thing
  • Minimization of Security in the Servers Maximizes
    Flexibility
  • Heterogeneous Solutions do Not Cover Homogeneous
    Solutions

18
Homogeneous Authority Domains
  • Communication Security
  • IPSEC
  • SSL (requires server changes)
  • Bogus Notifications (Traffic Analysis)
  • Some Faith can be Put into Software
  • Simple Authentication Tokens Can be Used
  • Multilevel/Multilateral Security Possible
  • Military Applications

19
Heterogeneous Authority Domains
  • Users Cannot Trust Network
  • Unknown Recipients
  • Unknown Servers
  • Network Cannot Trust Users OR Network
  • Publications/Subscriptions Valid?
  • Unknown 3rd Party Server Behavior

20
User Land Models
  • Accept Subscriptions and Publications as Public
    Domain
  • Subscriptions can be Obfuscated to a Certain
    Degree
  • Encrypted Messages
  • Signed Messages

21
Problems with Encrypted Notifications
  • Decreased Routing Performance
  • 100% Content Confidentiality Results in an
    Unroutable Message
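
An added illustration of this slide, not code from the presentation or from SIENA: a minimal content-based router that can only evaluate filter constraints on attributes left in cleartext. The attribute names, the subscriptions, the key and the toy `seal` cipher (a stand-in for a real authenticated cipher) are all assumptions constructed for the example.

```python
import hashlib, json, operator, os

OPS = {"=": operator.eq, "<": operator.lt, ">": operator.gt}

def seal(key, attrs):
    """Toy SHA-256 keystream XOR; stand-in for a real authenticated cipher."""
    data = json.dumps(attrs, sort_keys=True).encode()
    nonce = os.urandom(16)
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return nonce + bytes(a ^ b for a, b in zip(data, stream))

def publish(attrs, secret, key):
    """Split a notification into router-visible attributes and a sealed blob."""
    clear = {k: v for k, v in attrs.items() if k not in secret}
    hidden = {k: v for k, v in attrs.items() if k in secret}
    return {"clear": clear, "sealed": seal(key, hidden) if hidden else b""}

def matches(filt, notification):
    """A filter is a conjunction of (attribute, op, value) constraints.
    A constraint on an attribute the router cannot read never matches."""
    clear = notification["clear"]
    return all(name in clear and OPS[op](clear[name], value)
               for name, op, value in filt)

def route(subscriptions, notification):
    """Return the subscribers whose filters the router can satisfy."""
    return sorted(s for s, f in subscriptions.items() if matches(f, notification))

# Constructed sample data (not from the presentation).
KEY = b"constructed-demo-key"
EVENT = {"type": "quote", "symbol": "ACME", "price": 41.5}
SUBS = {
    "alice": [("type", "=", "quote")],
    "bob": [("type", "=", "quote"), ("symbol", "=", "ACME")],
    "carol": [("symbol", "=", "ACME"), ("price", "<", 50)],
}

if __name__ == "__main__":
    # Hide progressively more attributes and watch deliveries shrink to none.
    for secret in (set(), {"price"}, {"symbol", "price"}, set(EVENT)):
        print(sorted(secret), "->", route(SUBS, publish(EVENT, secret, KEY)))
```

Each attribute moved into the sealed blob removes every subscription that constrains it; with all attributes sealed, no filter matches and the notification cannot be routed.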

22
User Land Security Models (Client/Client)
  • Protects Data
  • Anonymity Issues
  • Key Management/Revocation Issues
  • Scaling Issues
  • Organization
  • No Additional Load on Servers

23
User Land Security Models (Client/PKI/Client)
  • Maintains Anonymity Between Publishers and
    Subscribers
  • No Additional Load on Servers
  • Multiple PKIs can be in Place
  • Billing Can be Based on Key Management
  • PKI Management Issues
  • Initial Key Distribution

Closed-PKI, (Public Key) Infrastructure

24
Server Models
  • Trusted Gateways
  • Authenticated Publications/Subscriptions
  • Loss of Anonymity
  • Foreign Networks Still a Problem
  • Audit
  • Loss of Anonymity

25
Main Problem
  • Specifying a Security Model Without a Well
    Defined Environment Will Result in Many Problems

26
Directions
  • SSL Aware Communication Layer
  • Encryption
  • Authentication
  • IPSEC Between Servers
  • Clients if System is Homogeneous
  • Trusted Gateways

27
Trusted Gateways
  • Tunnel Flagged Messages (Encrypted) to Remote
    Trusted Networks
  • Unflagged Messages Forwarded Blindly
  • Rate Limit Unflagged Messages
  • Minimize Need for Obfuscated Publications
  • Permits Large Public SIENA Backbones
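
An added sketch of the gateway policy on this slide, not code from the presentation or from SIENA: flagged messages go to the tunnel unconditionally, unflagged messages are forwarded without inspection but pass through a token bucket. The message shape (a dict with a `flagged` key), the rate and burst values and the class name are assumptions; the encrypted tunnel itself is assumed to exist and is modelled as a queue.

```python
class TrustedGateway:
    """Hypothetical gateway: tunnel flagged traffic, rate limit the rest."""

    def __init__(self, rate, burst):
        self.rate = rate          # unflagged messages refilled per second
        self.burst = burst        # bucket capacity
        self.tokens = burst       # start with a full bucket
        self.last = 0.0           # time of the last refill
        self.tunnelled = []       # queued for remote trusted networks
        self.forwarded = []       # passed on blindly to the public backbone
        self.dropped = 0          # counter a monitor can alert on

    def handle(self, msg, now):
        if msg.get("flagged"):
            # Flagged traffic bypasses the limiter and only leaves via the tunnel.
            self.tunnelled.append(msg)
            return "tunnel"
        # Refill the bucket for the time elapsed, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            self.forwarded.append(msg)   # content is not inspected
            return "forward"
        self.dropped += 1
        return "drop"

def replay(gateway, events):
    """Feed (timestamp, message) pairs through the gateway, return decisions."""
    return [gateway.handle(msg, now) for now, msg in events]

# Constructed sample traffic: a burst of unflagged messages around one flagged one.
EVENTS = [
    (0.0, {"flagged": False, "body": "public-1"}),
    (0.0, {"flagged": False, "body": "public-2"}),
    (0.0, {"flagged": False, "body": "public-3"}),
    (0.0, {"flagged": True, "body": "sensitive-1"}),
    (1.0, {"flagged": False, "body": "public-4"}),
    (1.0, {"flagged": False, "body": "public-5"}),
]

if __name__ == "__main__":
    gw = TrustedGateway(rate=1.0, burst=2)
    print(replay(gw, EVENTS), "dropped:", gw.dropped)
```

The drop counter gives the gateway a local signal for the "Knowing When System is Overloaded/DoSed" availability goal without reading any message content.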

28
Parting Comments On Securing SIENA
  • All Users are Equal in SIENA
  • Concept of Users and Permissions/Roles Needs to
    be Introduced.

29
Trusted Gateways
[Figure: labels TGW, TGW]

30
Q&A Time :)