Author: Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman Dan Boneh, Nick McKeown, Scott Shenker

Publisher: IEEE COMMUNICATIONS SURVEYS & TUTORIALSPresenter: Ching Hsuan ShihDate: 2013/10/09

SANE: A Protection Architecture for Enterprise Networks

1. Instroduction

2. What’s Wrong with Existing Technuques?

3. System Architecture

4. Attack Resistance

5. Implementation

6. Evaluation

7. Related Work

8. Conclusion

Outline

Allow natural policies that are simple yet powerful.

- We seek an architecture that supports natural policies that are independent of the

topology and provide least privilege access to resources.

Enforcement should be at the link layer, to prevent lower layers from undermining it.

Hide information about topology and services from those without permission to see them.

Have only one trusted component.

1. Instroduction

• Complexity of Mechenism

• Proliferation of Trust

• Proliferation of Information

2. What’s Wrong with Existing Techniques?

This section describes two versions of the SANE architecture:

1. a clean –slate approach, in which every network component is modified to support SANE

2. inter-operate with unmodified end hosts running standard IP stacks

3. System Architecture

DC is the central component of a SANE network and responsible for authenticating users and hosts.

1. Authentication Service

2. Network Service Directory (NSD)

3. Protection Layer Controller Revoking Access

Figure 1: The SANE Service Model

Ethernet SANE header IP header data

Figure 2: SANE operates at the same layer as VLAN

3.1 Domain Controller (DC)

Translation ProxiesGatewaysBroadcastService Publication

3.2 Interoperability

Replicating the Domain Controller Service directory must maintain consistency among multiple DCs

Recovering from Network Failure Send periodic probes or keep-alive messages to detect failures and request

fresh capabilities

3.3 Fault Tolerance

Access-control lists The NSD uses ACLs for directories, preventing attackers from enumerating all services in the

system

Encrypted, authenticated source-routes and link-state updates These prevent an attacker from learning the topology or from enumerating hosts and performing

port scans

Authenticated network components The authentication mechanism prevents unautherticated switches from joining a SANE network,

thwarting a variety of topology attacks

4. Attack Resistance

Flooding Rate-limit requests for capabilities to the DC

Revocation state exhaustion Generate a new key to the DC

DC tracks the number of revocations issued per sender

4.1 Resource Exhaustion

Sabotaging MST Discovery

Bad Link-State Advertisement

4.2 Tolerating Malicious Switches

Figure 5: Attacker C can deny service to A by selectivelydropping A’s packets, yet letting the packets of its parent (B)through. As a result, A cannot communicate with the DC, eventhough a alternate path exists through D.

Split the DCs’ secret key across a few servers, such that two of them are needed to generate a capability.

4.3 Tolerating a Malicious DC

All development was done in C++ using the Virtual Network System (VNS) within the group LAN

- Seven physical hosts on 100 Mb Ethernet for one month

The implementation consists of a DC, switches and IP proxies

- No support for multiple DCs

- No support for tolerating malicious switches

5. Implementation

IP Proxies and SANE Switches The proxies use ARP (Address Resolution Protocol) cache

Support automatic neighbor discovery, MST construction, link-state updates and packet forwarding

Domain Controller Capability construction

Service Directory

5. Implementation (Cont.)

5 hops 10 hops 15 hops

DC 100,000 cap/s 40,000 cap/s 20,000 cap/s

Switch 762 Mb/s 480 Mb/s 250 Mb/s

6. Evalution

Table 1: Performance of a DC and switches

Figure 6: DNS requests, TCP connection establishment requests, and maximum concurrent TCP connections persecond, respectively, for the Lawrence Berkeley National Laboratory enterprise network.

Network Protection Mechanisms

Dealing with Routing Complexity

Expanding the Link-layer

Capabilities for DDOS prevention

7. Related Work

We believe that enterprise networks are different from the Internet at large and deserve special attention: Security is paramount

Centralized control is the norm

Uniform and consistent policies are important

8. Conclusion