enforcing context-aware byod policies with in-network security · 2019-12-18 · enforcer cons:...
TRANSCRIPT
![Page 1: Enforcing Context-Aware BYOD Policies with In-Network Security · 2019-12-18 · Enforcer Cons: •Requires lots of trust in client •High overhead on mobile device •Missing network-wide](https://reader035.vdocuments.us/reader035/viewer/2022070803/5f03177c7e708231d4077e68/html5/thumbnails/1.jpg)
Enforcing Context-Aware BYOD
Policies with In-Network Security
ADAM MORRISON*, LEI XUE†, ANG CHEN*, XIAPU LUO†
*RICE UNIVERSITY, †THE HONG KONG POLYTECHNIC UNIVERSITY
1
![Page 2: Enforcing Context-Aware BYOD Policies with In-Network Security · 2019-12-18 · Enforcer Cons: •Requires lots of trust in client •High overhead on mobile device •Missing network-wide](https://reader035.vdocuments.us/reader035/viewer/2022070803/5f03177c7e708231d4077e68/html5/thumbnails/2.jpg)
Background: BYOD
• BYOD: Bring Your Own Device
– Allow personal devices to access enterprise network
– Reduces cost
– Increases employee satisfaction
• BYOD is everywhere, and it’s only growing*
As of 2016:
– 59% of companies used BYOD
– 13% more planned to within a year
2
*Tech Pro Research:
http://www.techproresearch.com/article/byod-iot-and-wearables-thriving-in-the-enterprise/
![Page 3: Enforcing Context-Aware BYOD Policies with In-Network Security · 2019-12-18 · Enforcer Cons: •Requires lots of trust in client •High overhead on mobile device •Missing network-wide](https://reader035.vdocuments.us/reader035/viewer/2022070803/5f03177c7e708231d4077e68/html5/thumbnails/3.jpg)
Motivation: BYOD has Security Issues
• Used to access both external and internal resources
• Not subject to the same robust security measures found on company-only devices
• Chinese-wall style perimeter policies are becoming outdated
3
App
![Page 4: Enforcing Context-Aware BYOD Policies with In-Network Security · 2019-12-18 · Enforcer Cons: •Requires lots of trust in client •High overhead on mobile device •Missing network-wide](https://reader035.vdocuments.us/reader035/viewer/2022070803/5f03177c7e708231d4077e68/html5/thumbnails/4.jpg)
We Need Context-Aware Policies!
• Context-aware policy: Looks at the environment, not
just the individual request
• Examples:
– “Only allow access if an administrator is online”
– “Only allow access if the device is inside the office”
– “Conduct deep packet inspection if the camera is on”
4
![Page 5: Enforcing Context-Aware BYOD Policies with In-Network Security · 2019-12-18 · Enforcer Cons: •Requires lots of trust in client •High overhead on mobile device •Missing network-wide](https://reader035.vdocuments.us/reader035/viewer/2022070803/5f03177c7e708231d4077e68/html5/thumbnails/5.jpg)
Properties of Context-Aware Policies
• Access to network-wide context
– “Only allow access if an administrator is online”
• Access to device-specific context
– “Only allow access if the device is inside the office”
• Dynamically changing context
– “Conduct deep packet inspection if the camera is on”
5
![Page 6: Enforcing Context-Aware BYOD Policies with In-Network Security · 2019-12-18 · Enforcer Cons: •Requires lots of trust in client •High overhead on mobile device •Missing network-wide](https://reader035.vdocuments.us/reader035/viewer/2022070803/5f03177c7e708231d4077e68/html5/thumbnails/6.jpg)
Existing Solutions 6
App
Server-Side
Client-Side
Both have pros and cons!
![Page 7: Enforcing Context-Aware BYOD Policies with In-Network Security · 2019-12-18 · Enforcer Cons: •Requires lots of trust in client •High overhead on mobile device •Missing network-wide](https://reader035.vdocuments.us/reader035/viewer/2022070803/5f03177c7e708231d4077e68/html5/thumbnails/7.jpg)
Server Side Solutions
• Unsupported policy: Conduct deep packet inspection if camera is on
7
Example: BeyondCorp• “No-Perimeter” network
security model
• “Unprivileged” network
Cons:• Missing device-specific
context
• Don’t always control server
• Missing network-wide
context
App
Pros:• Easy to update and
manage
• Minimal client trust
![Page 8: Enforcing Context-Aware BYOD Policies with In-Network Security · 2019-12-18 · Enforcer Cons: •Requires lots of trust in client •High overhead on mobile device •Missing network-wide](https://reader035.vdocuments.us/reader035/viewer/2022070803/5f03177c7e708231d4077e68/html5/thumbnails/8.jpg)
Client Side Solutions8
App
Context
Enforcer
Cons:• Requires lots of trust in client
• High overhead on mobile
device
• Missing network-wide
context
Pros:• Has easy access to
device context
• Tighter control over
device
• Unsupported policy: Allow access only if Admin is online
Example: PBS (NDSS 2016)• Client-side enforcement
of policies defined by
the network
![Page 9: Enforcing Context-Aware BYOD Policies with In-Network Security · 2019-12-18 · Enforcer Cons: •Requires lots of trust in client •High overhead on mobile device •Missing network-wide](https://reader035.vdocuments.us/reader035/viewer/2022070803/5f03177c7e708231d4077e68/html5/thumbnails/9.jpg)
Best of Both Worlds?
• Common limitation: No access to network-wide context
• Solution: Enforce policies in the network!
• Solves many issues with client/server solutions
– Full control over network
– Minimal trust in clients
– Easy access to network context
– Can get access to device context with client-side module*
9
![Page 10: Enforcing Context-Aware BYOD Policies with In-Network Security · 2019-12-18 · Enforcer Cons: •Requires lots of trust in client •High overhead on mobile device •Missing network-wide](https://reader035.vdocuments.us/reader035/viewer/2022070803/5f03177c7e708231d4077e68/html5/thumbnails/10.jpg)
Challenge: Traditional Networks
are not ProgrammableExisting in-network solutions:
• Fixed-function switches can’t recognize application-level contexts
– Access control lists, blacklisting, ..
• Hardware middleboxes aren’t customizable
– Deep packet inspection, traffic scrubbing, ..
Neither is flexible enough to meet our needs!
10
![Page 11: Enforcing Context-Aware BYOD Policies with In-Network Security · 2019-12-18 · Enforcer Cons: •Requires lots of trust in client •High overhead on mobile device •Missing network-wide](https://reader035.vdocuments.us/reader035/viewer/2022070803/5f03177c7e708231d4077e68/html5/thumbnails/11.jpg)
Opportunity: The Network is
Becoming Programmable!• Programmable dataplanes:
– Define your own headers
– Perform richer header operations
– Ex: Barefoot Tofino, Cavium Xpliant
• Domain-specific languages for programmable switches (e.g. P4):
– Define custom headers
– Create and apply custom match/action tables
– Support for read/write registers
11
![Page 12: Enforcing Context-Aware BYOD Policies with In-Network Security · 2019-12-18 · Enforcer Cons: •Requires lots of trust in client •High overhead on mobile device •Missing network-wide](https://reader035.vdocuments.us/reader035/viewer/2022070803/5f03177c7e708231d4077e68/html5/thumbnails/12.jpg)
POISE: Programmable In-Network Security
• Policy enforcement moved inside the network
- Leverages programmable dataplanes
• Client devices only responsible for collecting context information (using client-side module)
• Best of both worlds:
- Access to fine-grained device-specific context
- Access to dynamic network state
- Minimal trust in the client
12
![Page 13: Enforcing Context-Aware BYOD Policies with In-Network Security · 2019-12-18 · Enforcer Cons: •Requires lots of trust in client •High overhead on mobile device •Missing network-wide](https://reader035.vdocuments.us/reader035/viewer/2022070803/5f03177c7e708231d4077e68/html5/thumbnails/13.jpg)
Outline
✓Motivation
✓Existing Solutions
✓POISE: Programmable In-Network Security
- POISE Architecture- System Design- Policy Language- Compiler- Context Collector Module
- Initial Results
- Future Work
- Conclusion
13
![Page 14: Enforcing Context-Aware BYOD Policies with In-Network Security · 2019-12-18 · Enforcer Cons: •Requires lots of trust in client •High overhead on mobile device •Missing network-wide](https://reader035.vdocuments.us/reader035/viewer/2022070803/5f03177c7e708231d4077e68/html5/thumbnails/14.jpg)
Threat Model
BYOD devices can be compromised by malicious apps,
but:
– Enterprise network is trustworthy
– OS kernel on BYOD device and context-collecting module
are intact
14
![Page 15: Enforcing Context-Aware BYOD Policies with In-Network Security · 2019-12-18 · Enforcer Cons: •Requires lots of trust in client •High overhead on mobile device •Missing network-wide](https://reader035.vdocuments.us/reader035/viewer/2022070803/5f03177c7e708231d4077e68/html5/thumbnails/15.jpg)
System Design 15
Switch (P4) Program
POISE Policy
Context
Collector
Config File
App
info
Sys
info
Sensor
info
CompilerPolicy
Language
Compiler
Runtime
![Page 16: Enforcing Context-Aware BYOD Policies with In-Network Security · 2019-12-18 · Enforcer Cons: •Requires lots of trust in client •High overhead on mobile device •Missing network-wide](https://reader035.vdocuments.us/reader035/viewer/2022070803/5f03177c7e708231d4077e68/html5/thumbnails/16.jpg)
POISE Policy Language
• Based on Pyretic NetCore– Match-action based control flow
• Key additions– Added support for device contexts
16
Examples:• Allow access only if admin is online
• Distance-based access control
if ((lat-x)*(lat-x)+(lon-y)*(lon-y) < D)then fwd(server)else drop
def adminlst = [“Bob”, “Alice”]c = count(match(usr in adminlst))match(c>0) >>fwd(server)
![Page 17: Enforcing Context-Aware BYOD Policies with In-Network Security · 2019-12-18 · Enforcer Cons: •Requires lots of trust in client •High overhead on mobile device •Missing network-wide](https://reader035.vdocuments.us/reader035/viewer/2022070803/5f03177c7e708231d4077e68/html5/thumbnails/17.jpg)
Compiler
Input: POISE policy programOutput: Switch programs, Context collector configuration files
Monitor → Switch read/write register
Constant list → Switch match/action table
Context variable → Customized header
→ Config file entry
17
![Page 18: Enforcing Context-Aware BYOD Policies with In-Network Security · 2019-12-18 · Enforcer Cons: •Requires lots of trust in client •High overhead on mobile device •Missing network-wide](https://reader035.vdocuments.us/reader035/viewer/2022070803/5f03177c7e708231d4077e68/html5/thumbnails/18.jpg)
Context Collector Module 18
Two strategies:• Add headers to all
outgoing packets
• Send separate context
packets– Periodically
– When an app opens a
new socket
– When an dormant
socket resumes activity
User Sub-Module
Information Collector
Kernel Sub-Module
Packet Monitor
Context TaggerCo
mm
un
icati
on
Ch
an
nel
App
info
Sys
info
Sensor
info
Network
User Layer
Kernel Layer
![Page 19: Enforcing Context-Aware BYOD Policies with In-Network Security · 2019-12-18 · Enforcer Cons: •Requires lots of trust in client •High overhead on mobile device •Missing network-wide](https://reader035.vdocuments.us/reader035/viewer/2022070803/5f03177c7e708231d4077e68/html5/thumbnails/19.jpg)
Outline
✓Motivation
✓Existing Solutions
✓POISE: Programmable In-Network Security
✓POISE Architecture✓System Design✓Policy Langauge✓Compiler✓Context Collector Module
- Initial Results
- Future Work
- Conclusion
19
![Page 20: Enforcing Context-Aware BYOD Policies with In-Network Security · 2019-12-18 · Enforcer Cons: •Requires lots of trust in client •High overhead on mobile device •Missing network-wide](https://reader035.vdocuments.us/reader035/viewer/2022070803/5f03177c7e708231d4077e68/html5/thumbnails/20.jpg)
Experimental Setup
• Compiler not implemented yet
– P4 Programs written by hand
– Context Collector hardcoded
• Mobile traces collected on Nexus 5 running client module
• Traces injected into Mininet topology with one switch and 6 end hosts
20
![Page 21: Enforcing Context-Aware BYOD Policies with In-Network Security · 2019-12-18 · Enforcer Cons: •Requires lots of trust in client •High overhead on mobile device •Missing network-wide](https://reader035.vdocuments.us/reader035/viewer/2022070803/5f03177c7e708231d4077e68/html5/thumbnails/21.jpg)
Evaluation Questions21
• How much CPU overhead does POISE place on the client device?
• How much traffic overhead does POISE add?
• How effective is POISE at expressing sophisticated policies?
![Page 22: Enforcing Context-Aware BYOD Policies with In-Network Security · 2019-12-18 · Enforcer Cons: •Requires lots of trust in client •High overhead on mobile device •Missing network-wide](https://reader035.vdocuments.us/reader035/viewer/2022070803/5f03177c7e708231d4077e68/html5/thumbnails/22.jpg)
• < 1% CPU overhead on client
• Additional traffic < 11.2 kbps
22Results: Overhead*
*Overhead measured when sending packets periodically, as opposed to tagging all outgoing packets
![Page 23: Enforcing Context-Aware BYOD Policies with In-Network Security · 2019-12-18 · Enforcer Cons: •Requires lots of trust in client •High overhead on mobile device •Missing network-wide](https://reader035.vdocuments.us/reader035/viewer/2022070803/5f03177c7e708231d4077e68/html5/thumbnails/23.jpg)
Results: Expressiveness + Effectiveness23
Policy Detected?
Block services during working hours ✓
Direct traffic from guests through a middlebox ✓
Allow access only if user is close to a location ✓
Allow access only if admin is online ✓
Block requests without user interaction ✓
Scrub traffic if UIs are overlapping ✓
Conduct DPI if the camera or recorder is on ✓
We can support both existing and new policies!
![Page 24: Enforcing Context-Aware BYOD Policies with In-Network Security · 2019-12-18 · Enforcer Cons: •Requires lots of trust in client •High overhead on mobile device •Missing network-wide](https://reader035.vdocuments.us/reader035/viewer/2022070803/5f03177c7e708231d4077e68/html5/thumbnails/24.jpg)
Ongoing Work
• Build a full prototype, including a functional compiler
• Enhance threat model
– Move information collector to kernel
– Look for ways to address malicious/compromised kernels
• Perform larger-scale experiments on real-world BYOD traces
24
![Page 25: Enforcing Context-Aware BYOD Policies with In-Network Security · 2019-12-18 · Enforcer Cons: •Requires lots of trust in client •High overhead on mobile device •Missing network-wide](https://reader035.vdocuments.us/reader035/viewer/2022070803/5f03177c7e708231d4077e68/html5/thumbnails/25.jpg)
Conclusion
• Motivation: BYOD presents new security threats
• Existing approaches have pros and cons:– Client-side solutions– Server-side solutions
• Our approach: POISE (programmable in-network security)– Decouple context collection from policy enforcement– Leverage programmable data planes– Best of both worlds: context-aware and network-aware
• Preliminary results:– < 1% overhead– Can support a wide variety of context-aware policies
25
![Page 26: Enforcing Context-Aware BYOD Policies with In-Network Security · 2019-12-18 · Enforcer Cons: •Requires lots of trust in client •High overhead on mobile device •Missing network-wide](https://reader035.vdocuments.us/reader035/viewer/2022070803/5f03177c7e708231d4077e68/html5/thumbnails/26.jpg)
Questions and Issues
• Circumvention
– What happens if a malicious app gets root access?
• Usability
– How easy is POISE for network administrators to use?
• Testing
– What kinds of testing/metrics would be important?
26
Thank you!