Author: Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman Dan Boneh, Nick McKeown,...
-
Upload
mercy-dickerson -
Category
Documents
-
view
216 -
download
2
Transcript of Author: Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman Dan Boneh, Nick McKeown,...
![Page 1: Author: Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman Dan Boneh, Nick McKeown, Scott Shenker Publisher: IEEE COMMUNICATIONS SURVEYS.](https://reader035.fdocuments.net/reader035/viewer/2022071718/56649e885503460f94b8c56d/html5/thumbnails/1.jpg)
Author: Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman Dan Boneh, Nick McKeown, Scott Shenker
Publisher: IEEE COMMUNICATIONS SURVEYS & TUTORIALSPresenter: Ching Hsuan ShihDate: 2013/10/09
SANE: A Protection Architecture for Enterprise Networks
![Page 2: Author: Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman Dan Boneh, Nick McKeown, Scott Shenker Publisher: IEEE COMMUNICATIONS SURVEYS.](https://reader035.fdocuments.net/reader035/viewer/2022071718/56649e885503460f94b8c56d/html5/thumbnails/2.jpg)
1. Instroduction
2. What’s Wrong with Existing Technuques?
3. System Architecture
4. Attack Resistance
5. Implementation
6. Evaluation
7. Related Work
8. Conclusion
Outline
![Page 3: Author: Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman Dan Boneh, Nick McKeown, Scott Shenker Publisher: IEEE COMMUNICATIONS SURVEYS.](https://reader035.fdocuments.net/reader035/viewer/2022071718/56649e885503460f94b8c56d/html5/thumbnails/3.jpg)
Allow natural policies that are simple yet powerful.
- We seek an architecture that supports natural policies that are independent of the
topology and provide least privilege access to resources.
Enforcement should be at the link layer, to prevent lower layers from undermining it.
Hide information about topology and services from those without permission to see them.
Have only one trusted component.
1. Instroduction
![Page 4: Author: Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman Dan Boneh, Nick McKeown, Scott Shenker Publisher: IEEE COMMUNICATIONS SURVEYS.](https://reader035.fdocuments.net/reader035/viewer/2022071718/56649e885503460f94b8c56d/html5/thumbnails/4.jpg)
• Complexity of Mechenism
• Proliferation of Trust
• Proliferation of Information
2. What’s Wrong with Existing Techniques?
![Page 5: Author: Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman Dan Boneh, Nick McKeown, Scott Shenker Publisher: IEEE COMMUNICATIONS SURVEYS.](https://reader035.fdocuments.net/reader035/viewer/2022071718/56649e885503460f94b8c56d/html5/thumbnails/5.jpg)
This section describes two versions of the SANE architecture:
1. a clean –slate approach, in which every network component is modified to support SANE
2. inter-operate with unmodified end hosts running standard IP stacks
3. System Architecture
![Page 6: Author: Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman Dan Boneh, Nick McKeown, Scott Shenker Publisher: IEEE COMMUNICATIONS SURVEYS.](https://reader035.fdocuments.net/reader035/viewer/2022071718/56649e885503460f94b8c56d/html5/thumbnails/6.jpg)
DC is the central component of a SANE network and responsible for authenticating users and hosts.
1. Authentication Service
2. Network Service Directory (NSD)
3. Protection Layer Controller Revoking Access
Figure 1: The SANE Service Model
Ethernet SANE header IP header data
Figure 2: SANE operates at the same layer as VLAN
3.1 Domain Controller (DC)
![Page 7: Author: Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman Dan Boneh, Nick McKeown, Scott Shenker Publisher: IEEE COMMUNICATIONS SURVEYS.](https://reader035.fdocuments.net/reader035/viewer/2022071718/56649e885503460f94b8c56d/html5/thumbnails/7.jpg)
Translation ProxiesGatewaysBroadcastService Publication
3.2 Interoperability
![Page 8: Author: Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman Dan Boneh, Nick McKeown, Scott Shenker Publisher: IEEE COMMUNICATIONS SURVEYS.](https://reader035.fdocuments.net/reader035/viewer/2022071718/56649e885503460f94b8c56d/html5/thumbnails/8.jpg)
Replicating the Domain Controller Service directory must maintain consistency among multiple DCs
Recovering from Network Failure Send periodic probes or keep-alive messages to detect failures and request
fresh capabilities
3.3 Fault Tolerance
![Page 9: Author: Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman Dan Boneh, Nick McKeown, Scott Shenker Publisher: IEEE COMMUNICATIONS SURVEYS.](https://reader035.fdocuments.net/reader035/viewer/2022071718/56649e885503460f94b8c56d/html5/thumbnails/9.jpg)
Access-control lists The NSD uses ACLs for directories, preventing attackers from enumerating all services in the
system
Encrypted, authenticated source-routes and link-state updates These prevent an attacker from learning the topology or from enumerating hosts and performing
port scans
Authenticated network components The authentication mechanism prevents unautherticated switches from joining a SANE network,
thwarting a variety of topology attacks
4. Attack Resistance
![Page 10: Author: Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman Dan Boneh, Nick McKeown, Scott Shenker Publisher: IEEE COMMUNICATIONS SURVEYS.](https://reader035.fdocuments.net/reader035/viewer/2022071718/56649e885503460f94b8c56d/html5/thumbnails/10.jpg)
Flooding Rate-limit requests for capabilities to the DC
Revocation state exhaustion Generate a new key to the DC
DC tracks the number of revocations issued per sender
4.1 Resource Exhaustion
![Page 11: Author: Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman Dan Boneh, Nick McKeown, Scott Shenker Publisher: IEEE COMMUNICATIONS SURVEYS.](https://reader035.fdocuments.net/reader035/viewer/2022071718/56649e885503460f94b8c56d/html5/thumbnails/11.jpg)
Sabotaging MST Discovery
Bad Link-State Advertisement
4.2 Tolerating Malicious Switches
Figure 5: Attacker C can deny service to A by selectivelydropping A’s packets, yet letting the packets of its parent (B)through. As a result, A cannot communicate with the DC, eventhough a alternate path exists through D.
![Page 12: Author: Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman Dan Boneh, Nick McKeown, Scott Shenker Publisher: IEEE COMMUNICATIONS SURVEYS.](https://reader035.fdocuments.net/reader035/viewer/2022071718/56649e885503460f94b8c56d/html5/thumbnails/12.jpg)
Split the DCs’ secret key across a few servers, such that two of them are needed to generate a capability.
4.3 Tolerating a Malicious DC
![Page 13: Author: Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman Dan Boneh, Nick McKeown, Scott Shenker Publisher: IEEE COMMUNICATIONS SURVEYS.](https://reader035.fdocuments.net/reader035/viewer/2022071718/56649e885503460f94b8c56d/html5/thumbnails/13.jpg)
All development was done in C++ using the Virtual Network System (VNS) within the group LAN
- Seven physical hosts on 100 Mb Ethernet for one month
The implementation consists of a DC, switches and IP proxies
- No support for multiple DCs
- No support for tolerating malicious switches
5. Implementation
![Page 14: Author: Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman Dan Boneh, Nick McKeown, Scott Shenker Publisher: IEEE COMMUNICATIONS SURVEYS.](https://reader035.fdocuments.net/reader035/viewer/2022071718/56649e885503460f94b8c56d/html5/thumbnails/14.jpg)
IP Proxies and SANE Switches The proxies use ARP (Address Resolution Protocol) cache
Support automatic neighbor discovery, MST construction, link-state updates and packet forwarding
Domain Controller Capability construction
Service Directory
5. Implementation (Cont.)
![Page 15: Author: Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman Dan Boneh, Nick McKeown, Scott Shenker Publisher: IEEE COMMUNICATIONS SURVEYS.](https://reader035.fdocuments.net/reader035/viewer/2022071718/56649e885503460f94b8c56d/html5/thumbnails/15.jpg)
5 hops 10 hops 15 hops
DC 100,000 cap/s 40,000 cap/s 20,000 cap/s
Switch 762 Mb/s 480 Mb/s 250 Mb/s
6. Evalution
Table 1: Performance of a DC and switches
Figure 6: DNS requests, TCP connection establishment requests, and maximum concurrent TCP connections persecond, respectively, for the Lawrence Berkeley National Laboratory enterprise network.
![Page 16: Author: Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman Dan Boneh, Nick McKeown, Scott Shenker Publisher: IEEE COMMUNICATIONS SURVEYS.](https://reader035.fdocuments.net/reader035/viewer/2022071718/56649e885503460f94b8c56d/html5/thumbnails/16.jpg)
Network Protection Mechanisms
Dealing with Routing Complexity
Expanding the Link-layer
Capabilities for DDOS prevention
7. Related Work
![Page 17: Author: Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman Dan Boneh, Nick McKeown, Scott Shenker Publisher: IEEE COMMUNICATIONS SURVEYS.](https://reader035.fdocuments.net/reader035/viewer/2022071718/56649e885503460f94b8c56d/html5/thumbnails/17.jpg)
We believe that enterprise networks are different from the Internet at large and deserve special attention: Security is paramount
Centralized control is the norm
Uniform and consistent policies are important
8. Conclusion