1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.

Presentation transcript:

1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute of Technology

2 Motivation
– Enterprise and campus networks are dynamic
  – Hosts continually coming and leaving
  – Hosts may become infected
– Today, access control is static, and poorly integrated with the network layer itself
– Resonance: Dynamic access control
  – Track the state of each host on the network
  – Update the forwarding state of switches per host as these states change

3 State of the Art
– Today's networks have many components bolted on after the fact
  – Firewalls, VLANs, Web authentication portal, vulnerability scanner
– Separate (and perhaps competing) devices for performing the following functions
  – Registration (based on MAC addresses)
  – Scanning
  – Filtering and rate limiting traffic

4 Authentication at GT: START
[Figure: the START authentication flow between a new host, the switch, the VMPS (VLAN Membership Policy Server) and the Web portal; steps as labelled in the diagram]
1. New MAC address seen by the switch
2. VQP (VLAN Query Protocol) lookup at the VMPS
3. VLAN with private IP
4. Web authentication
5. Authentication result
6. VLAN with public IP
7. Reboot

5 Problems with Current Architecture
– Access control is too coarse-grained
  – Static, inflexible and prone to misconfigurations
  – Need to rely on VLANs to isolate infected machines
– Cannot dynamically remap hosts to different portions of the network
  – Needs a new DHCP request, which for a Windows user would mean a reboot
– Monitoring is not continuous
– Idea: Express access control in a way that incorporates network dynamics.

6 Resonance Approach
– Step 1: Associate each host with generic states and security classes
– Step 2: Specify a state machine for moving machines from one state to another
– Step 3: Control forwarding state in switches based on the current state of each machine
  – Actions from other network elements, and distributed inference, can affect network state

7 Applying Resonance to START
[Figure: host state machine for START; the transcript preserves the state names and transition labels but not which states each label joins]
States: Registration, Authenticated, Operation, Quarantined
Transition labels: Successful Authentication, Failed Authentication, Vulnerability detected, Clean after update, Infection removed or manually fixed, Still infected after an update

8 Resonance: Step by Step
[Figure: new host, OpenFlow switch, controller, DHCP server, Web portal, Internet; steps as labelled in the diagram]
1. DHCP request
2. Web authentication
3. Scanning
4. To the Internet

9 Preliminary Implementation: OpenFlow
– OpenFlow: Flow-based control over the forwarding behavior of switches and routers
  – A switch, a centralized controller and end-hosts
  – Switches communicate with the controller through an open protocol over a secure channel
– Why OpenFlow?
  – Dynamically change security policies
  – Central control enables
    – Specifying a single, centralized security policy
    – Coordinating the mechanisms for switches
  – Granularity of control. VLANs don't provide that granularity
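The state machine of slides 6 and 7 and the per-state forwarding of slides 8 and 9, worked through as an added example in Python. This is not code from the Resonance project and not a NOX component: each host carries a state, events reported by the portal and the scanner move it along the state machine, and the controller derives the flow entries (match fields named as in OpenFlow 1.0) that the switch should hold for that host. The transition edges, the addresses, the DNS and remediation servers and the rule set per state are assumptions made for the example; the slides give only the state names, the transition labels and the four steps.

```python
"""Host state machine plus per-state forwarding policy, modelled on the
Resonance slides. Added example; not code from the Resonance project or NOX.
Addresses, the DNS/remediation servers, the per-state rule sets and the exact
transition edges are assumptions made for this example."""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    REGISTRATION = "Registration"
    AUTHENTICATED = "Authenticated"
    OPERATION = "Operation"
    QUARANTINED = "Quarantined"


class Event(Enum):
    AUTH_OK = "Successful Authentication"
    AUTH_FAIL = "Failed Authentication"
    VULN_DETECTED = "Vulnerability detected"
    CLEAN = "Clean after update"
    FIXED = "Infection removed or manually fixed"
    STILL_INFECTED = "Still infected after an update"


# Edges as read from the slide's labels (assumed: the transcript shows the
# labels but not which states they join). Unlisted pairs are rejected.
TRANSITIONS = {
    (State.REGISTRATION, Event.AUTH_OK): State.AUTHENTICATED,
    (State.REGISTRATION, Event.AUTH_FAIL): State.REGISTRATION,
    (State.AUTHENTICATED, Event.CLEAN): State.OPERATION,
    (State.AUTHENTICATED, Event.VULN_DETECTED): State.QUARANTINED,
    (State.OPERATION, Event.VULN_DETECTED): State.QUARANTINED,
    (State.QUARANTINED, Event.FIXED): State.OPERATION,
    (State.QUARANTINED, Event.STILL_INFECTED): State.QUARANTINED,
}

# Constructed addresses for the example's infrastructure.
DNS_SERVER, WEB_PORTAL, SCANNER, REMEDIATION = "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5"
UDP, TCP = 17, 6


def peer(ip=None, proto=None, port=None):
    """One permitted conversation: the host-originated match and its reverse.
    Keys are OpenFlow 1.0 match field names; a missing key is a wildcard."""
    out, back = {}, {}
    if ip:
        out["nw_dst"], back["nw_src"] = ip, ip
    if proto:
        out["nw_proto"] = back["nw_proto"] = proto
    if port:
        out["tp_dst"], back["tp_src"] = port, port
    return out, back


BOOTSTRAP = [peer(proto=UDP, port=67), peer(DNS_SERVER, UDP, 53)]   # DHCP, DNS
POLICY = {
    State.REGISTRATION: BOOTSTRAP + [peer(WEB_PORTAL, TCP, 80), peer(WEB_PORTAL, TCP, 443)],
    State.AUTHENTICATED: BOOTSTRAP + [peer(SCANNER)],        # scanner reaches the host
    State.OPERATION: [peer()],                                # unrestricted
    State.QUARANTINED: BOOTSTRAP + [peer(SCANNER), peer(REMEDIATION, TCP, 80)],
}


@dataclass
class Host:
    mac: str
    state: State = State.REGISTRATION
    history: list = field(default_factory=list)


def transition(host, event):
    """Move the host along the state machine, rejecting undefined transitions."""
    nxt = TRANSITIONS.get((host.state, event))
    if nxt is None:
        raise ValueError(f"{event.value!r} is not valid in state {host.state.value}")
    host.history.append((host.state, event))
    host.state = nxt
    return nxt


def flow_rules(host):
    """Entries the controller (re)installs for the host's current state: an
    allow pair per permitted conversation, then a low-priority drop pair."""
    rules = []
    for out, back in POLICY[host.state]:
        rules.append({"priority": 100, "match": {"dl_src": host.mac, **out}, "actions": ["NORMAL"]})
        rules.append({"priority": 100, "match": {"dl_dst": host.mac, **back}, "actions": ["NORMAL"]})
    rules.append({"priority": 1, "match": {"dl_src": host.mac}, "actions": []})
    rules.append({"priority": 1, "match": {"dl_dst": host.mac}, "actions": []})
    return rules


def forwarded(rules, pkt):
    """Switch-side lookup: the highest-priority matching entry decides, and an
    empty action list is a drop. A packet matching no entry is not forwarded."""
    for rule in sorted(rules, key=lambda r: -r["priority"]):
        if all(pkt.get(k) == v for k, v in rule["match"].items()):
            return bool(rule["actions"])
    return False
```

Running the slide-8 sequence (`transition(h, Event.AUTH_OK)`, then `Event.CLEAN`) takes a host from Registration, where only DHCP, DNS and the portal are reachable, to Operation; a later `Event.VULN_DETECTED` swaps the host's entries for the Quarantined set, so Internet-bound packets are dropped while the remediation server stays reachable. Re-installing the host's entries on each transition is what lets the controller move a host without a new DHCP lease or a VLAN change, which is the point the slides make against the VMPS/VLAN approach. The drop entries are per host: a packet from a MAC the controller has never seen matches nothing, and under OpenFlow table-miss behaviour goes to the controller as a packet-in, which is where registration starts.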

10 Resonance Controller: NOX
– NOX: Programmatic interface to the OpenFlow controller
  – Ability to add, remove and reuse components
– We are building the Resonance controller using NOX

11 Research Testbed

12 Potential Challenges
– Scale
  – How many forwarding entries per switch? OF switches support ~130K flow entries and 100 wildcard entries.
  – How much traffic at the controller?
– Performance
  – Responsiveness
– Security
  – MAC address spoofing
  – Securing the controller (and control framework)
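On the "MAC address spoofing" challenge: because the slides register hosts by MAC address, a host that copies an authenticated neighbour's MAC inherits its forwarding state. One partial check, written here as an added example and not part of the Resonance design, is to bind each MAC to the switch and port it registered from and treat a later appearance elsewhere as a move that must re-register rather than inherit. It assumes the controller sees a packet-in for a host's first packet on each port (standard OpenFlow table-miss behaviour); the sample packet-ins are constructed.

```python
"""Attachment-point binding as a partial answer to MAC spoofing in a MAC-keyed
registration scheme. Added example; not part of Resonance. Assumes the
controller learns (switch, port) per MAC from packet-ins."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Attachment:
    dpid: int   # switch datapath id
    port: int


class Bindings:
    """MAC -> attachment point, recorded when the host is first seen."""

    def __init__(self):
        self._where = {}
        self.alerts = []

    def packet_in(self, mac, dpid, port):
        """Classify a packet-in: 'new' (first sighting, binding recorded),
        'ok' (same attachment point) or 'moved' (same MAC, different point).
        A 'moved' MAC is either a roaming host or a spoofer on another port;
        the safe reaction is to drop it back to Registration and
        re-authenticate, not to let it inherit the existing state."""
        here = Attachment(dpid, port)
        known = self._where.get(mac)
        if known is None:
            self._where[mac] = here
            return "new"
        if known == here:
            return "ok"
        self.alerts.append((mac, known, here))
        return "moved"

    def release(self, mac):
        """Forget a binding (host left, lease expired) so a later legitimate
        appearance elsewhere does not look like a move."""
        self._where.pop(mac, None)

    def attachment(self, mac):
        return self._where.get(mac)


def replay(bindings, events):
    """Feed (mac, dpid, port) packet-ins in order; return the decisions."""
    return [bindings.packet_in(*e) for e in events]


# Constructed sample: a host registers on switch 1 port 3, keeps talking
# there, then the same MAC shows up on switch 2 port 7 while the binding
# still exists.
SAMPLE = [
    ("00:11:22:33:44:55", 1, 3),
    ("00:11:22:33:44:55", 1, 3),
    ("00:11:22:33:44:55", 2, 7),
]
```

`replay(Bindings(), SAMPLE)` yields `new`, `ok`, `moved`. The check only covers a spoofer on a different port: two stations behind the same access port (a hub, or a VM bridged to a laptop's NIC) are indistinguishable at the switch, and a spoofer who waits until the victim's binding is released looks like a new host. Those cases need per-port authentication or continuous monitoring, which is the direction the Resonance state machine takes rather than a one-time registration.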

13 Summary
– Resonance: An architecture to secure and maintain enterprise networks.
  – Preliminary design
  – Application to the Georgia Tech campus network
  – Planned evaluation
– Many challenges remain
  – Scaling
  – Performance
Questions?

18 Problems with Current Approaches
– Existing enterprise security techniques are reactive and ad hoc
– A mix of security middleboxes, intrusion detection systems, etc. results in a collection of complex network configurations
– Possible negative side effects
  – Misconfiguration
  – Security problems

ppt material (prototype implementation)

21 [Figure: prototype testbed; components labelled in the diagram: host scanner, network monitors, controller, Web portal, DNS server, DHCP server, and four OpenFlow switches]