The Protection Problem in Enterprise Networks
Martin Casado, PhD Student in Computer Science, Stanford University
EdgeNet 2006, May 2006

Talk Focus
- Negative effects of protection measures on edge networks
- Motivated by anecdotes from real networks
- Introduce Ethane

Network Examples
- National lab, small to moderate size business, academic, hospital
- Security sensitive
- More LAN than large routable network

Problem Areas
- Inflexibility
- Loss of Redundancy
- Filtering woes

Problems
- Inflexibility
- Loss of Redundancy
- Filtering Woes

Inflexibility (diagram built up over several slides): hosts behind an L2 switch and a firewall + router.
Goals: if one host is compromised, it can't sniff the traffic of the others; can't enumerate how many hosts are on the network; can only get "out" through a proxy; prevent rogue connections.
Measures layered on to reach those goals:
- Firewall rules (ACCEPT)
- Turn off ARP; static ARP cache (ca:fe:de:ad:be:ef, Ca:fe:d0:d)
- No DHCP (also insecure; might undermine firewall rules; might undermine static ARP cache)
- Port security: tie MAC address to port (ca:fe:de:ad:be:ef)

May, 2006 EdgeNet 2006 Inflexibility  Topology (ports, interfaces) and addresses sprinkled throughout configuration state  No distributed maintenance like routing tables  Difficult to move machines  Moving machines can be bad  Indirection points (e.g. ARP, DHCP) insecure (.. often removed)  MAC addresses everywhere  Chew up memory  No aggregation 

Loss of Redundancy
- Easier to reason about/verify
- Proxies are a catalyst
- Distributed firewalls are not the solution
- Lack of good support for L5 routing (does anyone have this turned on?)
- Existing solutions exacerbate the problem
  - "do everything" proxies
  - Single bridge NACs

Filtering Woes
- Filtering done on the datapath today
- Generally limited filtering state (so switches can have large forwarding tables)
- Common problem is running out of ACLs
- MAC addresses everywhere
  - Chew up memory
  - No aggregation
- In some networks, forwarding tables + filters don't make sense..

May, 2006 EdgeNet 2006  Centrally declare network policy  Authenticated end-hosts  Central-arbiter grants permission to connect on a per flow basis  Central-arbiter has fine grained control of routes Ethane: Towards a Solution

Ethane: Example (diagram)
- Publish: martin.friends.ambient-streams allow tal, sundar, aditya
- Authenticate: hi, I'm tal, my password is
- First packet to martin.friends.ambient-streams
- Global Network Policy: (allow all martin using rtp)
- Authenticate: hi, I'm martin, my password is
- Ethane

May, 2006 EdgeNet 2006  Flexibility  Dynamic bindings are secure (movement is easy)  Security policy independent of topology  Redundancy  More switches != more configuration state  Fine grained control of routes allows L5 routing  Permission checks done on connection setup (taken off data path) Ethane: Properties

Thanks! ?

Isolation
- Networks exist today with differing levels of sensitivity
  - Casino
  - Financial
  - Medical
  - Government/Military
- Want reasonable isolation
  - No DDoS from less secure to more
  - No data exfiltration from more secure to less
  - Note, VLANs generally insufficient
This is not solely a government network problem

Today's Solution: (really) heavyweight application proxy (canonicalization + fuzzy timers) OR …

Isolation, cont.
- Obviously suboptimal
  - Management
  - Number of components (MTTF)
- Could use same components, separate queues, TDM
- Consolidation on the road-map for some very large networks