SANE: A Protection Architecture for Enterprise Networks Offense by: Amit Mondal Bert Gonzalez.

SANE or INSANE?

Single point of failure
- The SANE design essentially reduces the whole network to a single DC. If this DC fails or is compromised, the entire network is at stake.
- Even with multiple DCs, the network is at greater risk because there is always a single point of failure.
- Compare with “Tesseract: A 4D Network Control Plane”

Performance
- Huge performance overhead! Decryption is involved at every intermediate switch.
- Compare with IPsec.
- Computation burden on the network switches? Bottleneck! Decryption per packet.

Scalability
- Is the SANE architecture scalable?
- Every sender needs to get capabilities (encrypted source routes) from the DC to communicate with any other host.
- The DC becomes a bottleneck: route computation, capability computation, etc.

Network Visibility
- Network switches are reduced to dumb entities.
- Network monitoring
- Troubleshooting: traceroute
- Failure detection: dynamic failover, convergence time? Network partitioning.

Packet Forwarding in the Dark
- Strict switch-level source routing
- Dynamic load balancing
- Traffic engineering
- Virus and worm propagation
- Prevents deployment of advanced transport protocols, e.g. XCP

Resiliency against attack
- Resource exhaustion: “… simply generates a new key; this invalidates all existing capabilities …” What about the ongoing well-behaved flows? They are just victims of a DoS attack.
- Attack against the routing infrastructure: a misbehaving switch can advertise fake paths to the DC!
- Compromised DC?
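The three objections raised so far (a decryption at every intermediate switch, capabilities that are encrypted source routes issued by the DC, and a key rotation that invalidates every outstanding capability) can be made concrete with a small simulation. This is an added example written for this page, not code from the SANE authors or from the presenters: it models a DC, three switches and a layered (onion) capability using a stdlib-only toy cipher, and the switch names, out ports and link table are constructed. Nothing here is SANE's actual packet format or key-distribution protocol; it only reproduces the behaviour the slides describe.

```python
"""Toy model of SANE-style capabilities (constructed example, not SANE's real format):
the DC issues an onion-encrypted source route, each switch peels one layer with
its own key (one decryption per hop), and rotating keys at the DC invalidates
every capability that is still in flight."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy cipher, stdlib only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one capability layer: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; a rotated, wrong or tampered key/blob fails here."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("capability rejected: bad tag")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Switch:
    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.decryptions = name, key, 0

    def forward(self, capability: bytes):
        """Peel this hop's layer: returns (out_port, capability for the next hop)."""
        self.decryptions += 1              # every hop pays one decryption per packet
        layer = unseal(self.key, capability)
        return layer[0], layer[1:]


class DomainController:
    def __init__(self):
        self.switches = {}

    def enroll(self, name: str) -> Switch:
        """Share a fresh per-switch key with the DC (key distribution is assumed)."""
        self.switches[name] = Switch(name, os.urandom(32))
        return self.switches[name]

    def rotate_all_keys(self):
        """The remedy quoted on the slide: new keys invalidate all capabilities."""
        for sw in self.switches.values():
            sw.key = os.urandom(32)

    def issue_capability(self, path):
        """path = [(switch_name, out_port), ...]; built from the last hop inward so
        each switch can open only its own layer and learns only its out port."""
        cap = b""
        for name, port in reversed(path):
            cap = seal(self.switches[name].key, bytes([port]) + cap)
        return cap


def deliver(dc: DomainController, links: dict, first_hop: str, capability: bytes):
    """Source-route one packet; returns the (switch, out_port) decision at each hop.
    links maps (switch, out_port) -> next switch (constructed topology)."""
    hops, current = [], first_hop
    while True:
        port, capability = dc.switches[current].forward(capability)
        hops.append((current, port))
        if not capability:                 # innermost layer reached: last hop
            return hops
        current = links[(current, port)]


def demo():
    dc = DomainController()
    for name in ("A", "B", "C"):
        dc.enroll(name)
    links = {("A", 1): "B", ("B", 2): "C"}          # C's port 3 faces the destination host
    path = [("A", 1), ("B", 2), ("C", 3)]
    cap = dc.issue_capability(path)
    hops = deliver(dc, links, "A", cap)
    decryptions = sum(sw.decryptions for sw in dc.switches.values())
    dc.rotate_all_keys()                             # the DoS response from the slide
    try:
        deliver(dc, links, "A", cap)                 # the ongoing flow's capability is now dead
        invalidated = False
    except ValueError:
        invalidated = True
    new_hops = deliver(dc, links, "A", dc.issue_capability(path))   # sender must go back to the DC
    return {"hops": hops, "decryptions": decryptions,
            "old_capability_invalidated": invalidated, "new_capability_hops": new_hops}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three points at once: a three-hop path costs exactly three decryptions for a single packet (the per-packet switch burden), only the DC can mint a capability because only it holds every switch key (the DC as a bottleneck), and after `rotate_all_keys()` the first switch rejects the capability of a flow that did nothing wrong, so the sender has to go back to the DC for a fresh one.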

Implementation and Evaluation
- “… interconnecting seven physical hosts on 100 Mb Ethernet …”
- “… only a few domain controllers are necessary to handle DC requests from tens of thousands of end hosts.”
- No justification, no evaluation!

Multiple DCs?
- Consistency among multiple DCs?
- If someone can configure and manage multiple DCs, then what’s the big difference from configuring and managing firewalls, NATs and ACLs?

Performance bottleneck
- Encryption/decryption overhead: “… 99% of CPU time was spent on decryption alone, leading to poor throughput performance”

Hardware Implementation
- Cisco Catalyst 6513 Switch (latest model): “Can perform MAC level encryption at 10 Gb/s”
- Misleading: the model supports 10 Gbps Ethernet, which does not mean it encrypts at that speed.
- Cisco states that with the use of a Service Module, 2 Gbps of encryption can be provided.

Security Tests
- Revocation: not tested
- DoS attacks: not tested
- Flooding attacks: not tested
- Malicious DCs: not tested (only one DC!)
- The evaluations show that SANE can fit into a network, but do not show that it makes a network more secure!

Secure Architecture for the Networked Enterprise