PDL Abstract

Design and Implementation of Self-Securing Network Interface Applications

M.S. Thesis. Electrical and Computer Engineering, Carnegie Mellon University. December 2005.

Stanley M. Bielski

Electrical and Computer Engineering
Carnegie Mellon University
Pittsburgh, PA 15213

This thesis presents a novel security platform that narrows the architectural gaps between traditional network security perimeters in a highly scalable and fault-isolated manner, while providing administrators with a simple and powerful interface for configuring and coordinating security policies across multiple network components. The heart of this platform is the concept of self-securing network interfaces (SS-NIs): components that sit between a host system and the rest of the intranet, moving packets between the system's components and the network. Additionally, SS-NIs examine the packets being moved and enforce network security policies.

This thesis makes four main contributions. First, it makes a case for NI-embedded intrusion detection and containment functionality. Second, it describes the design of NI system software for supporting such functionality. Third, it discusses our implementation of the NI system software and the Castellan administrative console. Fourth, it describes several promising applications for detecting and containing network threats, enabled by the placement of self-securing NIs at the host's LAN access point.