POSTS TAGGED: burt_kaliski
Designers would like to be able to show that a system, properly implemented and operated, meets its objectives for confidentiality, integrity, availability and other attributes against the variety of threats the system may encounter.
A half century into the computing revolution, this goal remains elusive.Read more
As described by Jerome Saltzer in a July 1974 Communications of the ACM article, Protection and the Control of Information Sharing in Multics, the principle of least privilege states, “Every program and every privileged user should operate using the least amount of privilege necessary to complete the job.”
There may be tradeoffs, of course, between minimizing the amount of privilege or information given to a component in a system, and other objectives such as performance or simplicity. For instance, a component may be able to do its job more efficiently if given more than the minimum amount. And it may be easier just to share more than is needed, than to extract out just the minimum required. The minimum amounts of privilege may also be hard to determine exactly, and they might change over time as the system evolves or if it is used in new ways.Read more
A network traffic analyzer can tell you what’s happening in your network, while a Domain Name System (DNS) analyzer can provide context on the “why” and “how.”
This was the theme of the recent Verisign Labs Distinguished Speaker Series discussion led by Paul Vixie and Robert Edmonds, titled Passive DNS Collection and Analysis – The "dnstap" Approach.
Vixie, a long-time Internet and DNS innovator, current CEO of Farsight Security, and recent inductee into the Internet Hall of Fame, described recent innovations in information sharing among DNS resolvers that can help network operators detect and remediate security threats. As a result of Farsight’s efforts, DNS measurements are currently being collected at the rate of 150 Mbit/s of compressed data and being made available to the Internet security community for analysis.
The dnstap approach builds on initial work on “passive DNS” data collection by Florian Weimer, where responses received from authoritative name servers by DNS resolvers are collected to understand DNS behavior and configurations. Rather than collecting network packets, dnstap is “generated from within DNS implementations” via a new protocol. The data collection operates asynchronously, meaning that regular DNS operations within resolvers continue independently of measurements being taken, thus minimizing the impact on performance.Read more
UCLA and Washington University in St. Louis recently announced the launch of the Named Data Networking (NDN) Consortium, a new forum for collaboration among university and industry researchers, including Verisign, on one candidate next-generation information-centric architecture for the Internet.
Verisign Labs has been collaborating with UCLA Professor Lixia Zhang, one of the consortium’s co-leaders, on this future-directed design as part our university research program for some time. The consortium launch is a natural next step in facilitating this research and its eventual application.
Van Jacobson, an Internet Hall of Fame member and the other co-leader of the NDN Consortium, surveyed developments in this area in his October 2012 talk in the Verisign Labs Distinguished Speaker Series titled “The Future of the Internet? Content-Centric Networking.”
As I stated in my summary of the talk, content-centric networking and related research areas under the heading of information-centric networking and NDN bring Internet protocols up to date to match the way many of us already are using the Internet. As Van noted, when people want to access content over the Internet– for instance the recording of his talk – they typically reference a URL, for instancehttp://www.youtube.com/watch?v=3zOLrQJ5kbU.