Resonance: Dynamic Access Control in Enterprise Networks. Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark. School of Computer Science, Georgia Institute of Technology.

Summary
Enterprise and campus networks are dynamic
–Hosts continually join and leave
–Hosts may become infected
Today, access control is static and poorly integrated with the network layer itself
Resonance: Dynamic access control
–Track the state of each host on the network
–Update the forwarding state of switches per host as these states change

State of the Art
Today's networks have many components bolted on after the fact
–Firewalls, VLANs, Web authentication portal, vulnerability scanner
Separate (and perhaps competing) devices perform the following functions
–Registration (based on MAC addresses)
–Scanning
–Filtering and rate limiting traffic

Authentication at GT: START

Problems with Current Architecture
Access control is too coarse-grained
Cannot dynamically remap hosts to different portions of the network
–Needs a new DHCP request, which for a Windows user would mean a reboot
Monitoring is not continuous
Idea: Express access control so that it incorporates network dynamics.

Problems with Current Approaches
Existing enterprise security techniques are reactive and ad hoc
A mix of security middleboxes, intrusion detection systems, etc. results in a collection of complex network configurations
Possible negative side effects
–Misconfiguration
–Security problems

Resonance: Summary
Step 1: Associate each host with generic states and security classes.
Step 2: Specify a state machine for moving machines from one state to another.
Step 3: Control forwarding state in switches based on the current state of each machine.
–Actions from other network elements, and distributed inference, can affect network state.
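The three steps above, worked through as an added example (constructed for this page, not the Resonance controller's own code): a per-host state table, a transition table driven by events such as portal login, scan results and IDS alerts, and a per-state allow list that becomes the flow entries pushed to the switch. The state names, event names, port numbers and destination roles are assumptions; the slides only speak of "generic states and security classes".

```python
# Constructed illustration of the three Resonance steps: per-host states, a
# state machine driven by network events, and per-state forwarding policy.
# State names, events and rules are assumptions for this example; the slides
# only speak of "generic states and security classes".
REGISTRATION, AUTHENTICATED, OPERATION, QUARANTINED = (
    "registration", "authenticated", "operation", "quarantined")

# Step 2: (current state, event) -> next state; other pairs are ignored.
TRANSITIONS = {
    (REGISTRATION, "portal_login"): AUTHENTICATED,
    (AUTHENTICATED, "scan_clean"): OPERATION,
    (AUTHENTICATED, "scan_vulnerable"): QUARANTINED,
    (OPERATION, "ids_alert"): QUARANTINED,  # input from another network element
    (QUARANTINED, "scan_clean"): OPERATION,
    (OPERATION, "lease_expired"): REGISTRATION,
    (QUARANTINED, "lease_expired"): REGISTRATION,
}

# Step 3: allow rules per state as (proto, dst_port, dst_role); "*" matches
# anything, and a trailing default entry drops whatever no rule allows.
POLICY = {
    REGISTRATION: [("udp", 67, "*"), ("udp", 53, "*"), ("tcp", 80, "portal")],
    AUTHENTICATED: [("udp", 53, "*"), ("*", "*", "scanner")],
    OPERATION: [("*", "*", "*")],
    QUARANTINED: [("udp", 53, "*"), ("tcp", 80, "remediation")],
}

class HostTracker:
    """Step 1: track every host (keyed by MAC address) and its current state."""
    def __init__(self):
        self.state = {}
    def current(self, mac):
        return self.state.setdefault(mac, REGISTRATION)  # new hosts start here
    def handle_event(self, mac, event):
        # Advance the host's state machine; returns the (possibly unchanged) state.
        nxt = TRANSITIONS.get((self.current(mac), event))
        if nxt is not None:
            self.state[mac] = nxt
        return self.state[mac]
    def flow_rules(self, mac):
        # Flow entries the controller would push to the switch for this host.
        allow = [(mac,) + r + ("forward",) for r in POLICY[self.current(mac)]]
        return allow + [(mac, "*", "*", "*", "drop")]
    def flow_action(self, mac, proto, dport, dst_role):
        # Decide a new flow from this host: the first matching entry wins.
        for _, p, d, role, action in self.flow_rules(mac):
            if p in ("*", proto) and d in ("*", dport) and role in ("*", dst_role):
                return action
```

Each state change replaces the host's entries wholesale, which is the "update forwarding state per host" step; an event that is not valid in the current state (a quarantined host re-authenticating, for instance) leaves the state and the rules untouched.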

Applying Resonance to START

Resonance: Step-by-Step

Preliminary Implementation: OpenFlow
OpenFlow: Flow-based control over the forwarding behavior of switches and routers
–A switch, a centralized controller and end-hosts
–Switches communicate with the controller through an open protocol over a secure channel
Why OpenFlow?
–Dynamically change security policies
–Central control enables specifying a single, centralized security policy and coordinating the mechanisms across switches

Resonance Controller: NOX
NOX: Programmatic interface to the OpenFlow controller
–Ability to add, remove and reuse components
We are building the Resonance controller using NOX

Research Testbed

Challenges
Scale
–How many forwarding entries per switch?
–How much traffic at the controller?
Performance
Responsiveness
Security
–MAC address spoofing
–Securing the controller (and control framework)

Summary
Resonance: An architecture to secure and maintain enterprise networks.
–Preliminary design
–Application to the Georgia Tech campus network
–Planned evaluation
Many challenges remain
–Scaling
–Performance
Questions?