SANE: Addressing the Protection Problem in Enterprise Networks. Presentation transcript, Usenix Security 2006 (August 2006). Martin Casado, Tal Garfinkel, Michael Freedman, Aditya Akella and co-authors (full list on the title slide).
SANE: Addressing the Protection Problem in Enterprise Networks
Martin Casado, Tal Garfinkel, Michael Freedman, Aditya Akella, Dan Boneh, Nick McKeown, Scott Shenker
Usenix Security '06, August 2006

SANE
- A proposal for a NAC (network access control) architecture
  - Enterprise networks only
  - "Default off" design: no connectivity unless policy explicitly grants it
  - Centralized policy management, distributed policy enforcement

LAN Policy Today
- Brittle
  - Change a firewall rule, break the security policy
  - Add a switch, break the security policy
  - Many heavily trusted components (DHCP, DNS, AD/LDAP, ...)
  - Trade-off between security and diagnostics (e.g. ICMP is often turned off)
- Confusing
  - Hard to state meaningful policies

SANE (Secure Architecture for the Networked Enterprise)
Properties:
- Policy is declared centrally over high-level principals (users, hosts, services), not over addresses
- All network entities (hosts, switches, users) are authenticated
- Permissions are checked per flow at a central authority
- Access is granted in the form of routes (capability = encrypted source route)
- A capability doesn't reveal the sender, the packet path, or the topology

Provide an Isolation Layer
[Figure: protocol stack Physical / Datalink / Network / Transport / Application, with SANE inserted between Ethernet and IP]
- Introduce a "layer 2.5" isolation layer between Ethernet and IP
- It strictly defines connectivity

Action Sequence!
[Figure: martin and tal attached to switches via client ports, the DC in the middle, the "ambient streams" service on martin's client port]
1. Publish: martin registers martin.friends.ambient-streams at the DC with the policy "allow tal, sundar, aditya"
2. Authenticate: "hi, I'm martin, my password is ..."
3. Authenticate: "hi, I'm tal, my password is ..."
4. Request: tal asks the DC for martin.friends.ambient-streams and receives a capability for the route to martin's client port

Overview
Domain Controller (DC):
- Authenticates switches and end-hosts
- Establishes a secret with each switch
- Contains the network topology
- Hosts services (by name)
- Manages permission checking
- Creates and issues capabilities
Switches:
- Send link-state information to the DC
- Provide default connectivity to the DC
- Validate capabilities
- Forward packets based on the capability
- Enforce revocations
End-hosts:
- Publish services at the DC
- Specify access controls (export streams.ambient allow tal)
- Request access to services
- Use the appropriate capability for each packet

Bootstrapping
- How is connectivity to the DC provided?
  - Initial MST (minimum spanning tree) construction
- How are keys established?
  - IKEv2 establishes a symmetric key between each switch and the DC
- How does the DC get the topology?
  - The DC aggregates the topology after MST creation

Connectivity to the DC
- Switches construct a spanning tree rooted at the DC
  - A switch only advertises a new path after it has successfully authenticated
- This provides a basic datagram service to the DC (switches build up a capability hop by hop as packets are forwarded toward the DC)
- Switches don't learn the topology (just their own neighbors)

Establishing Shared Keys
- Switches authenticate with the DC and establish a symmetric key (one key per switch: K_sw1, K_sw2, K_sw3, K_sw4, ...)
- IKEv2 is used for key establishment
- All subsequent packets to the DC are protected by an ESP header

Establishing Topology
- Switches generate neighbor lists during the MST algorithm
- Each switch sends its encrypted neighbor list to the DC (under its own key K_sw)
- The DC aggregates the full topology
  - Can verify false advertisements (a link one end claims and the other does not)
  - Can detect duplicate or non-registered switches on the network
- No switch knows the full topology
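The DC's two jobs from the Overview and Action Sequence slides and from this slide, as an added example that is not the paper's or the SANE prototype's code: aggregating per-switch neighbor lists into a topology while flagging unconfirmed links and unregistered switches, and the per-flow permission check that turns a published service's allow list plus the requester's authenticated location into the route a capability would encode. Switch names, users, ports, MAC addresses and the policy are constructed for illustration; the ESP protection of the neighbor reports and the external user authentication are assumed to have already happened.

```python
"""Toy SANE domain controller: topology aggregation and per-flow permission
check. Added example, not the paper's or the prototype's code; all names,
ports and the policy are constructed for illustration."""
from collections import deque


class DomainController:
    def __init__(self, registered_switches):
        self.registered = set(registered_switches)  # switches that completed IKEv2 with the DC
        self.reports = {}       # switch -> set of neighbors it advertised
        self.links = set()      # links confirmed by both endpoints
        self.anomalies = []     # what the DC can flag from the aggregated view
        self.principals = {}    # user -> (switch, port, mac) seen at authentication
        self.services = {}      # service name -> (owner, owner's switch, allow set)

    # --- topology (neighbor lists arrive ESP-protected; assumed done here) ---
    def report_neighbors(self, switch, neighbors):
        if switch not in self.registered:
            self.anomalies.append(("unregistered-switch", switch))
            return False
        self.reports[switch] = set(neighbors)
        return True

    def aggregate_topology(self):
        """Keep a link only if both ends advertise it; flag everything else."""
        self.links = set()
        for sw, nbrs in self.reports.items():
            for n in nbrs:
                if n not in self.registered:
                    self.anomalies.append(("unregistered-neighbor", sw, n))
                elif sw not in self.reports.get(n, ()):
                    self.anomalies.append(("unconfirmed-link", sw, n))
                else:
                    self.links.add(frozenset((sw, n)))
        return sorted(tuple(sorted(link)) for link in self.links)

    def _shortest_path(self, src, dst):
        """BFS over confirmed links: the switch sequence a capability would encode."""
        adj = {}
        for link in self.links:
            a, b = tuple(link)
            adj.setdefault(a, set()).add(b)
            adj.setdefault(b, set()).add(a)
        prev, queue = {src: None}, deque([src])
        while queue and dst not in prev:
            u = queue.popleft()
            for v in adj.get(u, ()):
                if v not in prev:
                    prev[v] = u
                    queue.append(v)
        if dst not in prev:
            return None
        path, u = [], dst
        while u is not None:
            path.append(u)
            u = prev[u]
        return path[::-1]

    # --- principals and services ---
    def authenticate_user(self, user, switch, port, mac):
        """Bind the user to location + network identifier once the external
        authentication (e.g. RADIUS) the DC snooped has succeeded."""
        self.principals[user] = (switch, port, mac)

    def publish(self, owner, name, allow):
        """'export <name> allow <users>' from an authenticated end-host."""
        if owner not in self.principals:
            raise PermissionError("publisher is not authenticated")
        self.services[name] = (owner, self.principals[owner][0], frozenset(allow))

    def request(self, user, name):
        """Per-flow permission check. Default off: anything not explicitly
        granted yields None; otherwise the switch path for the capability."""
        if user not in self.principals or name not in self.services:
            return None
        owner, dst_switch, allow = self.services[name]
        if user != owner and user not in allow:
            return None
        return self._shortest_path(self.principals[user][0], dst_switch)
```

Note that `request` returns None both for an unknown service and for a user who is on the allow list but has not authenticated from anywhere: the DC has no location to route from, which is the "default off" behaviour rather than an error.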

Are you INSANE?
- Fault tolerance
  - Central control!
  - Loss of adaptive routing!
- Revocation

Adaptive Routing
- On a failure, end-hosts must refresh their capabilities
  - Timeouts are used to detect failures
- This can result in a "request storm" at the DC; mitigations:
  - Issue multiple capabilities (hand out n of the k shortest paths)
  - More switch-level redundancy (doesn't undermine security!)
  - Path load balancing (randomly choose one of the k shortest paths)

Permission Check per Flow?
- Exists today, sort of (DNS)
- The permission check is fast
- Replicate the DC
  - Computationally (multiple servers)
  - Topologically (multiple servers in multiple places)

Revocation
- A revocation request comes from the DC
- It is sent back along the incoming path
- Switches maintain small CAMs of revoked capability IDs
- If the CAMs fill, switches generate new keys (which invalidates every outstanding capability through that switch)
- Too many revocations = lose privileges
- This complexity is a result of the "stateless" DC payload

Implementation
- Prototype system built in software (currently working on the hardware)
- Ran on a 9-workstation network for a month

Capabilities
- Onion-encrypted source routes
- "Encryption" here means encrypt + MAC
- Each "layer" is encrypted using a secret key shared by the DC and one switch
- 10 hops = 164-byte header
- Each layer contains:
  - Path information (ingress port, egress port for that switch)
  - Expiration
  - Unique ID (CAP-ID)
[Figure: a two-switch example, E_sw1(E_sw2(service port, MAC)), showing the port pair for SW1 and SW2 and the CAP-ID and expiration carried in each layer]
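The capability format of this slide and the switch-side revocation of the Revocation slide, as an added example that is not the paper's code: the DC seals one layer per switch under that switch's shared key, each switch strips only its own layer and checks ingress port, expiration and its revocation CAM, and when the CAM overflows the switch rotates its key so every outstanding capability through it fails. The slides fix neither the cipher nor the byte layout; the encrypt-then-MAC here uses an HMAC-SHA256 keystream in counter mode so it runs on the Python standard library alone, and its layers are wider than the 164 bytes per 10 hops the slides report. Keys, ports, the `links` fabric map and field widths are constructed for illustration.

```python
"""SANE-style capabilities: onion-encrypted source routes peeled one layer
per switch, with the switch-side revocation CAM and key-rotation fallback.
Added example, not the paper's code; cipher, byte layout, keys and ports are
constructed stand-ins (the slides fix none of them)."""
import hashlib
import hmac
import os
import struct

MAC_LEN = 16
NONCE_LEN = 8
HOP = struct.Struct("!HHIQ")  # in_port, out_port, expiry (unix seconds), cap_id


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, n):  # counter mode over HMAC-SHA256 as the PRF
    blocks = (hmac.new(key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal(key, plaintext):
    """Encrypt-then-MAC one layer under the key the DC shares with one switch."""
    nonce = os.urandom(NONCE_LEN)
    ct = nonce + _xor(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext)))
    return ct + hmac.new(_subkey(key, b"mac"), ct, hashlib.sha256).digest()[:MAC_LEN]


def unseal(key, blob):
    ct, tag = blob[:-MAC_LEN], blob[-MAC_LEN:]
    want = hmac.new(_subkey(key, b"mac"), ct, hashlib.sha256).digest()[:MAC_LEN]
    if len(ct) < NONCE_LEN or not hmac.compare_digest(want, tag):
        raise ValueError("bad MAC")
    nonce, body = ct[:NONCE_LEN], ct[NONCE_LEN:]
    return _xor(body, _keystream(_subkey(key, b"enc"), nonce, len(body)))


def build_capability(switch_keys, path, expiry, cap_id):
    """DC side. path = [(switch, in_port, out_port), ...], first hop first.
    Built inside-out, so a switch can strip only its own layer and learns
    neither the sender, the rest of the route, nor the topology."""
    layer = b""
    for sw, in_port, out_port in reversed(path):
        layer = seal(switch_keys[sw], HOP.pack(in_port, out_port, expiry, cap_id) + layer)
    return layer


class Switch:
    def __init__(self, name, key, cam_size=2):
        self.name, self.key, self.cam_size = name, key, cam_size
        self.revoked = set()  # the small revocation CAM

    def revoke(self, cap_id):
        """Apply a DC revocation. Returns the new shared key if the CAM was full."""
        if len(self.revoked) < self.cam_size:
            self.revoked.add(cap_id)
            return None
        # CAM full: rotate the shared key instead. Every outstanding capability
        # through this switch now fails its MAC; holders must refresh at the DC.
        self.key = _subkey(self.key, b"rotate")
        self.revoked.clear()
        return self.key

    def forward(self, in_port, capability, now):
        """Validate this hop's layer; return (out_port, capability for next hop)."""
        try:
            plain = unseal(self.key, capability)
        except ValueError:
            raise PermissionError(f"{self.name}: bad layer (tampered or key rotated)")
        want_in, out_port, expiry, cap_id = HOP.unpack(plain[:HOP.size])
        if want_in != in_port:
            raise PermissionError(f"{self.name}: packet arrived on the wrong port")
        if now > expiry:
            raise PermissionError(f"{self.name}: capability expired")
        if cap_id in self.revoked:
            raise PermissionError(f"{self.name}: capability revoked")
        return out_port, plain[HOP.size:]


def traverse(switches, links, first_switch, in_port, capability, now):
    """Walk a packet through a constructed fabric. links maps
    (switch, out_port) -> (next switch, in_port). Returns the service port
    reached after the last layer, or raises PermissionError."""
    sw = first_switch
    while True:
        out_port, capability = switches[sw].forward(in_port, capability, now)
        if not capability:
            return out_port
        sw, in_port = links[(sw, out_port)]
```

The ingress-port check is what stops a capability from being replayed from a different attachment point, and the key rotation shows the trade-off the Revocation slide states: once a switch's CAM is full, revoking one more capability costs every holder of a route through that switch a refresh at the DC.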

User Authentication
[Figure: the DC placed on the route between the end-host and a Kerberos server]
- The DC creates a route from itself to the authentication server
- A third-party mechanism is used for user authentication (e.g. RADIUS, Kerberos)
- The DC places itself on-route for all authentication traffic
- It snoops the protocol to determine whether authentication succeeded
- It identifies the user by location + network identifier (e.g. MAC address)

Actually ...
- Routing and permission checking can be decoupled
- Network functionality is provided by DEs (decision elements)
- The permission check stays at the DC, which informs the DE to set up a route with optional constraints
- DEs are described in the 4D work (Albert Greenberg, Gisli Hjalmtysson, David A. Maltz, Andy Myers, Jennifer Rexford, Geoffrey Xie, Hong Yan, Jibin Zhan, Hui Zhang)

Scalability
- DCs can be physically replicated
- Test: 8,000 IP addresses for 34 hours
  - 47 million packets, 21,000 DNS requests, 150,000 TCP connections
  - Peak: only 200 requests/sec at the DC; the test DC can handle 40x this traffic
  - Link failure, worst case: only 2 requests/sec more
- A handful of DCs can handle tens of thousands of end-hosts

Conclusion
- Enterprise networks have different needs than the Internet as a whole
  - Increased security to protect resources
  - Centralized control
- SANE takes an extreme approach to security
  - Provides the minimum possible privileges to end users
  - Gives attackers the fewest possible attack vectors
- SANE is still practical
  - Can be implemented with few modifications to current networks
  - Scalable to networks with thousands of nodes