Presentation is loading. Please wait.

Presentation is loading. Please wait.

June, 2006 Stanford 2006 Ethane: Addressing the Protection Problem in Enterprise Networks Martin Casado Michael Freedman Glen Gibb Lew Glendenning Dan.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "June, 2006 Stanford 2006 Ethane: Addressing the Protection Problem in Enterprise Networks Martin Casado Michael Freedman Glen Gibb Lew Glendenning Dan."— Presentation transcript:

1 June, 2006 Stanford 2006 Ethane: Addressing the Protection Problem in Enterprise Networks Martin Casado Michael Freedman Glen Gibb Lew Glendenning Dan Boneh Nick McKeown Scott Shenker Gregory Watson Presented By: Martin Casado PhD Student in Computer Science, Stanford University casado@cs.stanford.edu http://www.stanford.edu/~casado

2 June, 2006 Stanford 2006 Goal Design network where connectivity is governed by high-level, global policy “Nick can talk to Martin using IM” “marketing can use http via web proxy” “Administrator can access everything” “Traffic from secret access point cannot share infrastructure with traffic from open access point”

3 June, 2006 Stanford 2006 Two Main Challenges  Provide a secure namespace for the policy  Design mechanism to enforce policy

4 June, 2006 Stanford 2006 Goal: Provide Secure Namespace  Policy declared over network namespace (e.g. martin, machine-a, proxy, building1)  Words from namespace generally represent physical things (users, hosts, groups, access points)  Or at times, virtual things (e.g. services, protocol, QoS classes ) “Nick can talk to Martin using IM” “nity.stanford.edu can access dev-machines” “marketing can use http via web proxy” “Administrator can access everything”

5 June, 2006 Stanford 2006 Today’s Namespace  Lots of names in network namespace today  Hosts  Users  Services  Protocols  Names are generally bound to network realities (e.g. DNS names are bound to IP addresses)  Often are multiple bindings that map a name to the entity it represents (DNS -> IP -> MAC -> Physical Machine)

6 June, 2006 Stanford 2006 Problem with Bindings Today Host Name IP MAC Physical Interface Goal: map “hostname” to physical “host” But!!! What if attacker can interpose between any of the bindings? (e.g. change IP/MAC binding) What if bindings change dynamically? (e.g. DHCP lease is up) Or physical network changes? Host MAC Physical Interface Host

7 June, 2006 Stanford 2006 Examples of Problems Today are LEGION  ARP is unauthenticated (attacker can map IP to wrong MAC)  DHCP is unauthenticated (attacker can map gateway to wrong IP)  DNS caches aren’t invalidate as DHCP lease times come up (or clients leave)  Security filters aren’t often invalidated with permission changes  Many others …

8 June, 2006 Stanford 2006 Need “Secure Bindings” 1.Bindings are authenticated 2.Cached bindings are appropriately invalidated  Address reallocation  Topology change  Permissions changes/Revocation

9 June, 2006 Stanford 2006 Why Not Statically Bind?  This is very commonly done!  E.g.  Static ARP cache to/from gateway  MAC addresses tied to switch ports  Static IP allocations  Static rules for VLAN tagging  Results in crummy (inflexible) networks

10 June, 2006 Stanford 2006 Two Main Challenges  Provide a namespace for the policy  Design Mechanism to Enforce Policy

11 June, 2006 Stanford 2006 Policy Language  Declare connectivity constraints over  Users/groups  Hosts/Nodes  Access points  Protocols  Services  Connectivity constraints are …  Permit/deny  Require middlebox interposition  Isolation  Physical security

12 June, 2006 Stanford 2006 Threat Environment  Suitable for use in.mil,.gov,.com and.edu  Insider attack  Compromised machines  Targeted attacks yet …  Flexible enough for use in open environments

13 June, 2006 Stanford 2006 Our Solution: Ethane  Flow-based network  Central Domain Controller (DC)  Implements secure bindings  Authenticates users, hosts, services, …  Contains global security policy  Checks every new flow against security policy  Decides the route for each flow  Access is granted to a flow  Can enforce permit/deny  Can enforce middle-box interposition constraints  Can enforce isolation constraints

14 June, 2006 Stanford 2006 Host authenticate hi, I’m host B, my password is … Can I have an IP? Send tcp SYN packet to host A port 2525 User Authentication “ hi, I’m martin, my password is” Ethane: High-Level Operation Domain Controller Host A Host Authentication “ hi, I’m host A, my password is … can I have an IP address?” Host B User authentication hi, I’m Nick, my password is ? Permission check Route computation Secure Binding State ICQ → 2525/tcp IP 1.2.3.4 switch3 port 4 Host A IP 1.2.3.5 switch 1 port 2 HostB Network Policy “Nick can access Martin using ICQ” Host A → IP 1.2.3.4 → Martin → Host B → IP 1.2.3.5 → Nick →

15 June, 2006 Stanford 2006  Don’t have to maintain consistency of distributed access control lists  DC picks route for every flow  Can interpose middle-boxes on route  Can isolate flow to be within physical boundaries  Can isolate two sets of flows to traverse different switches  Can load balance requests over different routes  DC determines how a switch processes a flow  Different queue, priority classes, QoS, etc  Rate limit a flow  Amount of flow state is not a function of the network policy  Forwarding complexity is not a function of the network policy  Anti-mobility: can limit machines to particular physical ports  Can apply policy to network diagnostics Some Cool Consequences

16 June, 2006 Stanford 2006  How do you bootstrap securely?  How is forwarding accomplished?  What are the performance implications? Many Unanswered Questions

17 June, 2006 Stanford 2006 Component Overview Domain Controller Switches End-Hosts Authenticates users/switches/end-hosts Manages secure bindings Contains network topology Does permissions checking Computes routes Send topology information to the DC Provide default connectivity to the DC Enforce paths created by DC Handle flow revocation Specify access controls Request access to services

18 June, 2006 Stanford 2006  Finding the DC  Authentication  Generating topology at DC Bootstrapping

19 June, 2006 Stanford 2006  DC knows all switches and their public keys  All switches know DC’s public key Assumptions

20 June, 2006 Stanford 2006 Finding the DC  Switches construct spanning tree Rooted at DC  Switches don’t advertise path to DC until they’ve authenticated  Once authenticated, switches pass all traffic without flow entries to the DC (next slide) 0 0 1 1 1 2 2 2

21 June, 2006 Stanford 2006 Initial Traffic to DC 2

22 June, 2006 Stanford 2006 Initial Traffic to DC  All packets to the DC (except first hop switch) are tunneled  Tunneling includes incoming port  DC can shut off malicious packet sources

23 June, 2006 Stanford 2006 Establishing Topology  Switches generate neighbor lists during MST algorithm  Send encrypted neighbor-list to DC  DC aggregates to full topology  Note: no switch knows full topology K sw1 K sw2 K sw3 K sw4 K sw1 K sw3 K sw4 K sw2

24 June, 2006 Stanford 2006  Each switch maintains flow table  Only DC can add entry to flow table  Flow lookup is over: in port, ether proto, src ip, dst ip, src port, dst port Forwarding = Really simple out port

25 June, 2006 Stanford 2006  Switches disallow all Ethernet broadcast (and respond to ARP for all IPs)  First packet of every new flow is sent to DC for permission check  DC sets up flow at each switch  Packets of established flows are forwarded using multi-layer switching DC AliceBob ? Detailed Connection Setup

26 June, 2006 Stanford 2006  Decouple control and data path in switches  Software control path (connection setup) (slightly higher latency)  DC can handle complicated policy  Switches just forward (very simple datapath)  Simple, fast, hardware forwarding path (Gigabits)  Single exact-match lookup per packet Performance

27 June, 2006 Stanford 2006  Exists today, sort of.. (DNS)  Paths can be long lived (used by multiple transport-level flows)  Permission check is fast  Replicate DC  Computationally (multiple servers)  Topologically (multiple servers in multiple places) Permission Check per Flow?

28 June, 2006 Stanford 2006  Support multiple deployments with varying policy requirements  first deployment by Oct. 31rst  Remote deployment by Nov. 15th  Backwards compatible, no modification to end- hosts  1k - 5k requests per second  Control path in software  Data path in hardware (gigabit speeds) Implementation Goals

29 June, 2006 Stanford 2006  Switches implemented on multi-port PCs  Bootstrapping, flow-setup and software forwarding completed  Switches currently deployed and supporting traffic of 16 hosts Implementation Status

30 June, 2006 Stanford 2006  Use simple 2-port switches (bumps)  On links between Ethernet switches Prototyping Strategy

31 June, 2006 Stanford 2006 Questions?

Download ppt "June, 2006 Stanford 2006 Ethane: Addressing the Protection Problem in Enterprise Networks Martin Casado Michael Freedman Glen Gibb Lew Glendenning Dan."

Similar presentations

June 2007NSF Find Forensics and Attribution in Ethane Martin Casado Stanford University With: Michael Freedman, Justin Pettit, Jianying Luo, Natasha Gude,

June 2007NSF Find Forensics and Attribution in Ethane Martin Casado Stanford University With: Michael Freedman, Justin Pettit, Jianying Luo, Natasha Gude,
Flow-based Management Language Tim Hinrichs Natasha Gude* Martín Casado John Mitchell Scott Shenker University of Chicago Stanford University ICSI/UC Berkeley.

Flow-based Management Language Tim Hinrichs Natasha Gude* Martín Casado John Mitchell Scott Shenker University of Chicago Stanford University ICSI/UC Berkeley.
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Router Implementation Project-2

Router Implementation Project-2
Internetworking II: MPLS, Security, and Traffic Engineering

Internetworking II: MPLS, Security, and Traffic Engineering
Cs/ee 143 Communication Networks Chapter 6 Internetworking Text: Walrand & Parekh, 2010 Steven Low CMS, EE, Caltech.

Cs/ee 143 Communication Networks Chapter 6 Internetworking Text: Walrand & Parekh, 2010 Steven Low CMS, EE, Caltech.
Implementing Inter-VLAN Routing

Implementing Inter-VLAN Routing
An Overview of Software-Defined Network Presenter: Xitao Wen.

An Overview of Software-Defined Network Presenter: Xitao Wen.
Multi-Layer Switching Layers 1, 2, and 3. Cisco Hierarchical Model Access Layer –Workgroup –Access layer aggregation and L3/L4 services Distribution Layer.

Multi-Layer Switching Layers 1, 2, and 3. Cisco Hierarchical Model Access Layer –Workgroup –Access layer aggregation and L3/L4 services Distribution Layer.
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
Ethane: Taking Control of the Enterprise

Ethane: Taking Control of the Enterprise
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
May, 2006 EdgeNet 2006 The Protection Problem in Enterprise Networks Martin Casado PhD Student in Computer Science, Stanford University

May, 2006 EdgeNet 2006 The Protection Problem in Enterprise Networks Martin Casado PhD Student in Computer Science, Stanford University
Security Firewall Firewall design principle. Firewall Characteristics.

Security Firewall Firewall design principle. Firewall Characteristics.
SANE: A Protection Architecture for Enterprise Networks Authors: Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman Dan Boneh, Nick McKeown,

SANE: A Protection Architecture for Enterprise Networks Authors: Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman Dan Boneh, Nick McKeown,
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) SriramGopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) SriramGopinath( )
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
August, 2006 Usenix Security 2006 SANE: Addressing the Protection Problem in Enterprise Networks Martin Casado Tal Garfinkel Michael Freedman Aditya Akaella.

August, 2006 Usenix Security 2006 SANE: Addressing the Protection Problem in Enterprise Networks Martin Casado Tal Garfinkel Michael Freedman Aditya Akaella.
1 A Policy-aware Switching Layer for Data Centers Dilip Joseph Arsalan Tavakoli Ion Stoica University of California at Berkeley.

1 A Policy-aware Switching Layer for Data Centers Dilip Joseph Arsalan Tavakoli Ion Stoica University of California at Berkeley.

Similar presentations

Ads by Google