Resonance: Dynamic Access Control in Enterprise Networks
Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark
School of Computer Science, Georgia Institute of Technology

Motivation
• Enterprise and campus networks are dynamic
  – Hosts continually coming and leaving
  – Hosts may become infected
• Today, access control is static, and poorly integrated with the network layer itself
• Resonance: Dynamic access control
  – Track the state of each host on the network
  – Update the forwarding state of switches per host as these states change

State of the Art
• Today's networks have many components "bolted on" after the fact
  – Firewalls, VLANs, Web authentication portal, vulnerability scanner
• Separate (and perhaps competing) devices for performing the following functions
  – Registration (based on MAC addresses)
  – Scanning
  – Filtering and rate limiting traffic

Authentication at GT: "START"
[Diagram of the current START flow. Components: New Host, Switch, VMPS, Web Portal, Scanner. Steps:]
1. New MAC Addr
2. VQP
3. VLAN with Private IP
4. Web Authentication
5. Authentication and Scanning Result
6. VLAN with Public IP
7. REBOOT

Problems with Current Architecture
• Access control is too coarse-grained
  – Static, inflexible and prone to misconfigurations
  – Need to rely on VLANs to isolate infected machines
• Cannot dynamically remap hosts to different portions of the network
  – Needs a DHCP request, which for a Windows user would mean a reboot
• Monitoring is not continuous
Idea: Express access control to incorporate network dynamics.

Resonance Methodology
• Step 1: Associate each host with generic states and security classes
• Step 2: Specify a state machine for moving machines from one state to the other
• Step 3: Control forwarding state in switches based on the current state of each machine
  – Actions from other network elements, and distributed inference, can affect network state

Applying Resonance to START
[State-machine diagram. States: Registration, Authenticated, Operation, Quarantined. Transition labels: Successful Authentication, Failed Authentication, Clean after update, Vulnerability detected, Infection removed or manually fixed]

Resonance: Step by Step
[Diagram. Components: New Host, OpenFlow Switch, Controller, DHCP Server, Web Portal, Internet. Steps:]
1. DHCP request
2. Web Authentication
3. Scanning
4. To the Internet

Preliminary Implementation: OpenFlow
• OpenFlow: Flow-based control over the forwarding behavior of switches and routers
  – A switch, a centralized controller and end-hosts
  – Switches communicate with the controller through an open protocol over a secure channel
• Why OpenFlow?
  – Dynamically change security policies
  – Central control enables
    • Specifying a single, centralized security policy
    • Coordinating the mechanisms for switches
    • Granularity of control. VLANs don't provide that granularity

Resonance Controller: NOX
• NOX: Programmatic interface to the OpenFlow controller
  – Ability to add, remove and reuse components
• We are building the Resonance controller using NOX

Research Testbed
[Testbed diagram]

Potential Challenges
• Scale
  – How many forwarding entries per switch?
    • OF switches support ~130K flow entries and 100 wildcard entries.
  – How much traffic at the controller?
• Performance
  – Responsiveness
• Security
  – MAC address spoofing
  – Securing the controller (and control framework)

Summary
• Resonance: An architecture to secure and maintain enterprise networks.
  – Preliminary design
  – Application to Georgia Tech campus network
  – Planned evaluation
• Many challenges remain
  – Scaling
  – Performance

Questions?
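The three methodology steps (host states, a state machine, per-state forwarding control) and the step-by-step flow (DHCP, web authentication, scanning, Internet) can be shown together in one small controller-side policy engine. The following is an added example, not the Resonance authors' code and not the NOX or OpenFlow API: the state names and transition labels are taken from the slides, but the exact edge set of the state machine, the service classes (dhcp, portal, scanner, internet), the Host type and the flow-rule dictionary format are assumptions made for this illustration.

```python
"""Resonance-style host state machine driving per-host forwarding policy.

Added illustration, not the Resonance project's code. States and transition
labels come from the "Applying Resonance to START" slide; the service classes
come from the step-by-step slide. The edge set, Host/flow-rule shapes and the
service names are constructed for this example, not NOX or OpenFlow API.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class State(Enum):
    REGISTRATION = "registration"
    AUTHENTICATED = "authenticated"
    OPERATION = "operation"
    QUARANTINED = "quarantined"


class Event(Enum):
    AUTH_SUCCESS = "successful authentication"
    AUTH_FAILED = "failed authentication"
    CLEAN_AFTER_UPDATE = "clean after update"
    VULNERABILITY_DETECTED = "vulnerability detected"
    INFECTION_REMOVED = "infection removed or manually fixed"


# (current state, event) -> next state. Assumed reconstruction of the slide's
# state diagram; a transition not listed here is rejected by apply_event().
TRANSITIONS = {
    (State.REGISTRATION, Event.AUTH_SUCCESS): State.AUTHENTICATED,
    (State.REGISTRATION, Event.AUTH_FAILED): State.REGISTRATION,
    (State.AUTHENTICATED, Event.CLEAN_AFTER_UPDATE): State.OPERATION,
    (State.AUTHENTICATED, Event.VULNERABILITY_DETECTED): State.QUARANTINED,
    (State.OPERATION, Event.VULNERABILITY_DETECTED): State.QUARANTINED,
    (State.QUARANTINED, Event.INFECTION_REMOVED): State.REGISTRATION,
}

# Service classes a host may reach in each state (assumed); anything else is
# dropped. Registration reaches only DHCP and the portal, Authenticated is
# additionally exposed to the scanner, only Operation reaches the Internet,
# and Quarantine keeps the portal reachable for remediation.
ALL_SERVICES = ("dhcp", "portal", "scanner", "internet")
ALLOWED = {
    State.REGISTRATION: {"dhcp", "portal"},
    State.AUTHENTICATED: {"dhcp", "portal", "scanner"},
    State.OPERATION: set(ALL_SERVICES),
    State.QUARANTINED: {"dhcp", "portal"},
}


@dataclass
class Host:
    mac: str
    state: State = State.REGISTRATION


class ResonanceController:
    """Tracks per-host state and derives the flow rules a switch should hold."""

    def __init__(self) -> None:
        self.hosts: dict[str, Host] = {}

    def host(self, mac: str) -> Host:
        # First sight of a MAC (step 1, the DHCP request) starts it in Registration.
        return self.hosts.setdefault(mac, Host(mac))

    def decide(self, mac: str, service: str) -> str:
        """Reactive decision for one packet: 'forward' or 'drop'."""
        return "forward" if service in ALLOWED[self.host(mac).state] else "drop"

    def apply_event(self, mac: str, event: Event) -> State:
        """Move a host along the state machine; invalid transitions are refused."""
        host = self.host(mac)
        key = (host.state, event)
        if key not in TRANSITIONS:
            raise ValueError(f"{event.value!r} is not valid in state {host.state.value!r}")
        host.state = TRANSITIONS[key]
        return host.state

    def flow_rules(self, mac: str) -> list[dict]:
        """Proactive per-host rule set, recomputed whenever the host's state changes."""
        state = self.host(mac).state
        return [
            {"match": {"dl_src": mac, "service": svc},
             "action": "forward" if svc in ALLOWED[state] else "drop"}
            for svc in ALL_SERVICES
        ]


def walk_new_host(mac: str = "00:11:22:33:44:55") -> list[str]:
    """Drive one host through the step-by-step flow and record the states visited."""
    ctl = ResonanceController()
    trace = [ctl.host(mac).state.value]
    for ev in (Event.AUTH_SUCCESS, Event.CLEAN_AFTER_UPDATE, Event.VULNERABILITY_DETECTED):
        trace.append(ctl.apply_event(mac, ev).value)
    return trace


if __name__ == "__main__":
    print(walk_new_host())  # registration -> authenticated -> operation -> quarantined
```

The point the example makes is the one on the methodology slide: the switch's forwarding entries for a MAC are a pure function of that host's current state, so a scanner result or a detection event changes connectivity by updating one state variable and re-emitting `flow_rules()`, with no VLAN move and no reboot. The same state variable is also where the challenges slide bites: an attacker who spoofs the MAC of a host in Operation inherits its rules, so the host key in a real deployment needs more than the MAC alone.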