author: martin casado, tal garfinkel, aditya akella, michael j. freedman dan boneh, nick mckeown,...
TRANSCRIPT
Author: Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman Dan Boneh, Nick McKeown, Scott Shenker
Publisher: IEEE COMMUNICATIONS SURVEYS & TUTORIALSPresenter: Ching Hsuan ShihDate: 2013/10/09
SANE: A Protection Architecture for Enterprise Networks
1. Instroduction
2. What’s Wrong with Existing Technuques?
3. System Architecture
4. Attack Resistance
5. Implementation
6. Evaluation
7. Related Work
8. Conclusion
Outline
Allow natural policies that are simple yet powerful.
- We seek an architecture that supports natural policies that are independent of the
topology and provide least privilege access to resources.
Enforcement should be at the link layer, to prevent lower layers from undermining it.
Hide information about topology and services from those without permission to see them.
Have only one trusted component.
1. Instroduction
• Complexity of Mechenism
• Proliferation of Trust
• Proliferation of Information
2. What’s Wrong with Existing Techniques?
This section describes two versions of the SANE architecture:
1. a clean –slate approach, in which every network component is modified to support SANE
2. inter-operate with unmodified end hosts running standard IP stacks
3. System Architecture
DC is the central component of a SANE network and responsible for authenticating users and hosts.
1. Authentication Service
2. Network Service Directory (NSD)
3. Protection Layer Controller Revoking Access
Figure 1: The SANE Service Model
Ethernet SANE header IP header data
Figure 2: SANE operates at the same layer as VLAN
3.1 Domain Controller (DC)
Translation ProxiesGatewaysBroadcastService Publication
3.2 Interoperability
Replicating the Domain Controller Service directory must maintain consistency among multiple DCs
Recovering from Network Failure Send periodic probes or keep-alive messages to detect failures and request
fresh capabilities
3.3 Fault Tolerance
Access-control lists The NSD uses ACLs for directories, preventing attackers from enumerating all services in the
system
Encrypted, authenticated source-routes and link-state updates These prevent an attacker from learning the topology or from enumerating hosts and performing
port scans
Authenticated network components The authentication mechanism prevents unautherticated switches from joining a SANE network,
thwarting a variety of topology attacks
4. Attack Resistance
Flooding Rate-limit requests for capabilities to the DC
Revocation state exhaustion Generate a new key to the DC
DC tracks the number of revocations issued per sender
4.1 Resource Exhaustion
Sabotaging MST Discovery
Bad Link-State Advertisement
4.2 Tolerating Malicious Switches
Figure 5: Attacker C can deny service to A by selectivelydropping A’s packets, yet letting the packets of its parent (B)through. As a result, A cannot communicate with the DC, eventhough a alternate path exists through D.
Split the DCs’ secret key across a few servers, such that two of them are needed to generate a capability.
4.3 Tolerating a Malicious DC
All development was done in C++ using the Virtual Network System (VNS) within the group LAN
- Seven physical hosts on 100 Mb Ethernet for one month
The implementation consists of a DC, switches and IP proxies
- No support for multiple DCs
- No support for tolerating malicious switches
5. Implementation
IP Proxies and SANE Switches The proxies use ARP (Address Resolution Protocol) cache
Support automatic neighbor discovery, MST construction, link-state updates and packet forwarding
Domain Controller Capability construction
Service Directory
5. Implementation (Cont.)
5 hops 10 hops 15 hops
DC 100,000 cap/s 40,000 cap/s 20,000 cap/s
Switch 762 Mb/s 480 Mb/s 250 Mb/s
6. Evalution
Table 1: Performance of a DC and switches
Figure 6: DNS requests, TCP connection establishment requests, and maximum concurrent TCP connections persecond, respectively, for the Lawrence Berkeley National Laboratory enterprise network.
Network Protection Mechanisms
Dealing with Routing Complexity
Expanding the Link-layer
Capabilities for DDOS prevention
7. Related Work
We believe that enterprise networks are different from the Internet at large and deserve special attention: Security is paramount
Centralized control is the norm
Uniform and consistent policies are important
8. Conclusion