
The Protection Problem in Enterprise Networks
Martin Casado, PhD Student in Computer Science, Stanford University
EdgeNet 2006, May 2006



Presentation transcript:

Slide 1: The Protection Problem in Enterprise Networks
Martin Casado, PhD Student in Computer Science, Stanford University
casado@cs.stanford.edu
http://www.stanford.edu/~casado

Slide 2: Talk Focus
- Negative effects of protection measures on edge networks
- Motivated by anecdotes from real networks
- Introduce Ethane

Slide 3: Network Examples
- National lab, small-to-moderate size business, academic, hospital
- Security sensitive
- More LAN than large routable network

Slide 4: Problem Areas
- Inflexibility
- Loss of Redundancy
- Filtering Woes

Slide 5: Problems (section marker): Inflexibility, Loss of Redundancy, Filtering Woes

Slides 6-10: Inflexibility (one diagram, built up over five slides)
Diagram: hosts on an L2 switch behind a Firewall + Router.
Goals the operator wants:
- If one host is compromised, it can't sniff the traffic of others
- Can't enumerate how many hosts are on the network
- Can only get "out" through the proxy
- Prevent rogue connections
Measures added to the diagram, one per slide:
- Firewall rules: ACCEPT 192.168.1.20
- Turn off ARP; static ARP cache on the host (ca:fe:de:ad:be:ef 192.168.1.20) and on the router (Ca:fe:d0:d0 192.168.1.1)
- No DHCP (also insecure): might undermine firewall rules, might undermine static ARP cache
- Port security: tie MAC address to port (ca:fe:de:ad:be:ef 192.168.1.20)

Slide 11: Inflexibility
- Topology (ports, interfaces) and addresses sprinkled throughout configuration state
  - No distributed maintenance like routing tables
- Difficult to move machines
  - Moving machines can be bad
- Indirection points (e.g. ARP, DHCP) insecure (.. often removed)
- MAC addresses everywhere
  - Chew up memory
  - No aggregation
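The following is an added example, not code from the slides: it models the per-host configuration state that slides 6-11 describe (an IP-keyed firewall rule, a static ARP cache, port security pinning a MAC to a switch port, and a DHCP lease table) and runs an audit that finds the drift those slides warn about when DHCP is re-enabled beside static bindings. The Config class, the switch names, the second host and every lease value are constructed for illustration.

```python
# Added example, not from the slides: a model of the per-host configuration
# state that slides 6-11 describe (IP-keyed firewall rule, static ARP cache,
# port security pinning a MAC to a switch port, and a DHCP lease table), plus
# an audit that finds the drift those slides warn about. All values constructed.
from dataclasses import dataclass, field


@dataclass
class Config:
    firewall_accept: set = field(default_factory=set)    # IPs the firewall ACCEPTs
    static_arp: dict = field(default_factory=dict)        # ip -> mac, on router and hosts
    port_security: dict = field(default_factory=dict)     # (switch, port) -> pinned mac
    dhcp_leases: dict = field(default_factory=dict)       # ip -> mac a DHCP server handed out


def example_config():
    """Constructed state in the shape of slide 10: one host the firewall allows,
    with a static ARP entry and its MAC pinned to a switch port, plus a second
    (constructed) host that nobody pinned to a port."""
    cfg = Config()
    cfg.firewall_accept.add("192.168.1.20")
    cfg.static_arp["192.168.1.20"] = "ca:fe:de:ad:be:ef"
    cfg.static_arp["192.168.1.21"] = "00:11:22:33:44:55"
    cfg.port_security[("sw1", 3)] = "ca:fe:de:ad:be:ef"
    return cfg


def places_naming_host(cfg, ip):
    """Every configuration location that must change when the host at `ip` is
    moved or readdressed: slide 11's 'sprinkled throughout configuration
    state', with no distributed mechanism keeping the copies in step."""
    places = [("firewall", ip)] if ip in cfg.firewall_accept else []
    mac = cfg.static_arp.get(ip)
    if mac is not None:
        places.append(("static_arp", ip))
        places += [("port_security", f"{sw}/{port}")
                   for (sw, port), m in cfg.port_security.items() if m == mac]
    return places


def audit(cfg):
    """Cross-check the independent bindings against each other. A DHCP lease
    that disagrees with the static ARP cache means the firewall's ACCEPT now
    names a different machine than the operator intended (slide 9: DHCP might
    undermine firewall rules and the static ARP cache)."""
    findings = []
    for ip, mac in cfg.dhcp_leases.items():
        if cfg.static_arp.get(ip) not in (None, mac):
            findings.append(f"DHCP lease {ip}->{mac} contradicts static ARP {cfg.static_arp[ip]}")
        if ip in cfg.firewall_accept and ip not in cfg.static_arp:
            findings.append(f"firewall ACCEPT {ip} is bound only by a dynamic lease")
    pinned = set(cfg.port_security.values())
    for ip, mac in cfg.static_arp.items():
        if mac not in pinned:
            findings.append(f"static ARP {ip}->{mac} is not tied to any switch port")
    return findings


def move_host(cfg, ip, new_switch, new_port):
    """Relocate a host to another port. The firewall and ARP entries survive,
    but every port-security entry naming the MAC has to be found and rewritten
    by hand; forgetting one leaves a stale binding on the old port."""
    mac = cfg.static_arp[ip]
    for key in [k for k, m in cfg.port_security.items() if m == mac]:
        del cfg.port_security[key]
    cfg.port_security[(new_switch, new_port)] = mac
    return cfg
```

Running `audit(example_config())` reports the unpinned second host; adding a lease such as `cfg.dhcp_leases["192.168.1.20"] = "de:ad:be:ef:00:01"` (a constructed value) makes it report the contradiction between the lease and the static ARP entry, which is the failure mode slide 9 points at.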

Slide 12: Problems (section marker): Inflexibility, Loss of Redundancy, Filtering Woes

Slide 13: Loss of Redundancy

Slide 14: Loss of Redundancy
- Easier to reason about/verify
- Proxies are a catalyst
- Distributed firewalls are not the solution
- Lack of good support for L5 routing (does anyone have this turned on?)
- Existing solutions exacerbate the problem
  - "do everything" proxies
  - Single bridge NACs

Slide 15: Problems (section marker): Inflexibility, Loss of Redundancy, Filtering Woes

Slide 16: Filtering Woes
- Filtering done on the datapath today
- Generally limited filtering state (so can have large forwarding tables)
  - Common problem is running out of ACLs
- MAC addresses everywhere
  - Chew up memory
  - No aggregation
- In some networks, forwarding tables + filters doesn't make sense..

Slide 17: Ethane: Towards a Solution
- Centrally declare network policy
- Authenticated end-hosts
- Central arbiter grants permission to connect on a per-flow basis
- Central arbiter has fine-grained control of routes

Slide 18: Ethane example (diagram; the labels below are the steps shown on it)
- Global Network Policy: (allow all martin using rtp)
- Authenticate: "hi, I'm martin, my password is Ethane"
- Publish martin.friends.ambient-streams, allow tal, sundar, aditya
- Authenticate: "hi, I'm tal, my password is martin.friends.ambient-streams"
- First packet to martin.friends.ambient-streams

Slide 19: Ethane: Properties
- Flexibility
  - Dynamic bindings are secure (movement is easy)
  - Security policy independent of topology
- Redundancy
  - More switches != more configuration state
  - Fine-grained control of routes allows L5 routing
- Permission checks done on connection setup (taken off data path)
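The following is an added example, not Ethane's own code: a toy central arbiter in the style of slides 17-19, walking through the exchange on slide 18. Hosts authenticate to the controller, which binds a user to the switch port they attach on; a switch forwards on an installed flow entry and lifts the first packet of any other flow to the controller, which checks a policy written in terms of users and services and, if it permits the flow, returns the route. The user names and the published name come from slide 18; the secrets, the switch names, the extra user "bob", the service table and the reading of "allow all martin using rtp" as "anyone may reach martin over rtp" are assumptions made here.

```python
# Added example, not Ethane's own code: a toy central arbiter in the style of
# slides 17-19. Secrets, switch names, "bob" and SERVICES are constructed.
import hmac

SERVICES = {"rtp": 5004, "ssh": 22}   # constructed service-name -> port table


class Controller:
    """Central arbiter: every binding and the whole policy live here."""
    def __init__(self, credentials):
        self.credentials = credentials   # user -> shared secret (constructed)
        self.location = {}               # user -> (switch, port)
        self.user_at = {}                # (switch, port) -> user
        self.published = {}              # published name -> owning user
        self.policy = []                 # (src_user, dst_name, service); "all" = wildcard
        self.switches = []
        self.log = []

    def authenticate(self, user, secret, switch, port):
        """Slide 18's 'hi, I'm tal': bind the user to the port they attach on.
        Re-authenticating elsewhere is how a host moves; flow entries pointing
        at the old location are revoked so none keeps sending to the old port."""
        expected = self.credentials.get(user)
        if expected is None or not hmac.compare_digest(expected, secret):
            self.log.append(f"auth fail {user} at {switch}/{port}")
            return False
        old = self.location.pop(user, None)
        if old is not None:
            self.user_at.pop(old, None)
            for sw in self.switches:
                sw.flows = {k: v for k, v in sw.flows.items() if v != old}
        self.location[user] = (switch, port)
        self.user_at[(switch, port)] = user
        return True

    def allow(self, src_user, dst_name, service):
        self.policy.append((src_user, dst_name, service))

    def publish(self, owner, name, allowed_users, service):
        """Slide 18: 'Publish martin.friends.ambient-streams allow tal, sundar, aditya'."""
        self.published[name] = owner
        for user in allowed_users:
            self.allow(user, name, service)

    def permitted(self, src_user, dst_name, service):
        return any(s in ("all", src_user) and d in ("all", dst_name) and v == service
                   for s, d, v in self.policy)

    def setup(self, switch, in_port, dst_name, dst_port):
        """Permission check on the first packet of a flow (slide 19): decided
        here once, at connection setup, never on the data path."""
        src_user = self.user_at.get((switch, in_port))
        owner = self.published.get(dst_name, dst_name)
        service = next((n for n, p in SERVICES.items() if p == dst_port), None)
        if src_user is None or owner not in self.location or service is None:
            self.log.append(f"drop unbound flow {switch}/{in_port} -> {dst_name}:{dst_port}")
            return None
        if not self.permitted(src_user, dst_name, service):
            self.log.append(f"deny {src_user} -> {dst_name} ({service})")
            return None
        self.log.append(f"allow {src_user} -> {dst_name} ({service})")
        return self.location[owner]     # the route is chosen centrally, per flow


class Switch:
    """Data path: forward on an installed entry, otherwise ask the controller."""
    def __init__(self, name, ctl):
        self.name, self.ctl, self.flows, self.lifted = name, ctl, {}, 0
        ctl.switches.append(self)        # adding a switch adds no policy state

    def packet(self, in_port, dst_name, dst_port):
        key = (in_port, dst_name, dst_port)
        if key in self.flows:
            return self.flows[key]       # fast path: the controller is not involved
        self.lifted += 1                 # first packet of a flow
        out = self.ctl.setup(self.name, in_port, dst_name, dst_port)
        if out is not None:
            self.flows[key] = out        # entries exist only for permitted, active flows
        return out


def demo():
    """Constructed scenario following slide 18; returns what each step observed."""
    ctl = Controller({"martin": "m-secret", "tal": "t-secret", "bob": "b-secret"})
    ctl.allow("all", "martin", "rtp")    # slide 18's global policy, read as anyone -> martin over rtp
    sw1, sw2 = Switch("sw1", ctl), Switch("sw2", ctl)
    ctl.authenticate("martin", "m-secret", "sw1", 1)
    ctl.publish("martin", "martin.friends.ambient-streams", ["tal", "sundar", "aditya"], "rtp")
    ctl.authenticate("tal", "t-secret", "sw1", 2)
    ctl.authenticate("bob", "b-secret", "sw2", 5)        # bob is constructed, not on the allow list
    name = "martin.friends.ambient-streams"
    tal = sw1.packet(2, name, 5004)          # first packet: lifted, permitted, entry installed
    tal_again = sw1.packet(2, name, 5004)    # same flow: served from sw1's table
    bob = sw2.packet(5, name, 5004)          # not in the allow list: denied, no entry
    ssh = sw2.packet(5, "martin", 22)        # no policy covers ssh: denied
    ctl.authenticate("martin", "m-secret", "sw2", 9)     # martin moves; the policy is untouched
    after_move = sw1.packet(2, name, 5004)   # stale entry was revoked, new route returned
    return {"tal": tal, "tal_again": tal_again, "bob": bob, "ssh": ssh,
            "after_move": after_move, "lifted_sw1": sw1.lifted, "flows_sw2": len(sw2.flows)}
```

The point of `demo()` is the pairing of slide 19's properties with observable behaviour: the policy never mentions a port or an address, so martin's move needs only a re-authentication; the second switch was created without any policy state; and only two packets on sw1 ever reached the controller, because permission is checked at setup and not per packet.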

Slide 20: Thanks! ?

Slide 21: Isolation
- Networks exist today with differing levels of sensitivity
  - Casino
  - Financial
  - Medical
  - Government/Military
- Want reasonable isolation
  - No DDoS from less secure to more
  - No data exfiltration from more secure to less
- Note, VLANs generally insufficient
This is not solely a government network problem

Slide 22: Today's Solution
- (really) heavyweight application proxy (canonicalization + fuzzy timers)
- OR …

Slide 23: Isolation Cont…
- Obviously suboptimal
  - Management
  - Number of components (MTTF)
- Could use same components, separate queues, TDM
- Consolidation on the road-map for some very large networks

