Presentation is loading. Please wait.

Presentation is loading. Please wait.

SANE: A Protection Architecture for Enterprise Networks Offense by: Amit Mondal Bert Gonzalez.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "SANE: A Protection Architecture for Enterprise Networks Offense by: Amit Mondal Bert Gonzalez."— Presentation transcript:

1 SANE: A Protection Architecture for Enterprise Networks Offense by: Amit Mondal Bert Gonzalez

2 SANE or INSANE?

3 Single-point-of-failure SANE design essentially reduces the whole network to a single DC. If this DC fails or is compromised, the entire network is at stake. Even with multiple DCs, the network is at a greater risk because there always a single point-of-failure Compare with “Tesseract: A 4D Network Control Plane”

4 Performance Huge performance overhead! Decryption is involved at every intermediate switches Compare with IPSec Computation burden on the network switches? Bottleneck! Decryption per packet

5 Scalability Is SANE architecture scalable?  Every sender needs to get capabilities (encrypted source routes) from the DC to communicate with any other hosts  DC becomes a bottleneck! Route computation, capability computation etc.

6 Network Visibility Network switches are reduced to dumb entities  Network Monitoring  Troubleshooting Traceroute  Failure detection Dynamic failover Convergence time? Network partitioning

7 Packet Forwarding in Dark Strict switch-level source routing  Dynamic load balancing  Traffic Engineering Virus, worm propagation Prevents deployment of advanced transport protocols e.g. XCP

8 Resiliency against attack Resource exhaustion  “ … simply generates a new key; this invalidates all existing capabilities …” What about the ongoing behaved flows? They are just victim of DoS attack Attack against routing infrastructure  Misbehaving switch Advertise fake paths to DC! Compromised DC?

9 Implementation and Evaluation “– interconnecting seven physical hosts on 100 Mb Ethernet … ” “ … only a few domain controller are necessary to handle DC requests from ten of thousands of end host.”  No justification, no evaluation!

10 Multiple DC? Consistency among multiple DC? If someone can configure and manage multiple DCs then what’s the big difference from configuring and managing firewalls, NATs and ACLs?

11 Performance bottleneck Encryption/Decryption overhead “ – 99% of CPU time was spent on decryption alone – leading to poor throughput performance”

12 Hardware Implementation Cisco Catalyst 6513 Switch (Latest Model)  “Can perform MAC level encryption at 10 Gb/s” Misleading: Model support 10 Gbps Ethernet, does not mean it encrypts at that speed.  Cisco states with the use of a Service Module, 2 Gbps of encryption can be provided.

13 Security Tests Revocation  Not Tested DoS Attacks  Not Tested Flooding Attacks  Not Tested Malicious DCs  Not Tested  Only one DC! Evaluations show that SANE can fit into a network but does not show that it makes a network more secure! Secure Architecture for the Networked Enterprise SANE: A Protection Architecture for Enterprise Networks

Download ppt "SANE: A Protection Architecture for Enterprise Networks Offense by: Amit Mondal Bert Gonzalez."

Similar presentations

Barracuda Link Balancer Link Reliability and Bandwidth Optimization.

Barracuda Link Balancer Link Reliability and Bandwidth Optimization.
Introducing Campus Networks

Introducing Campus Networks
Logically Centralized Control Class 2. Types of Networks ISP Networks – Entity only owns the switches – Throughput: 100GB-10TB – Heterogeneous devices:

Logically Centralized Control Class 2. Types of Networks ISP Networks – Entity only owns the switches – Throughput: 100GB-10TB – Heterogeneous devices:
Copyright © 2004 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net 1 E-VPN and Data Center R. Aggarwal

Copyright © 2004 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net 1 E-VPN and Data Center R. Aggarwal
Not to be distributed or reproduced by anyone other than Qwest entities. Copyright © 2010 Qwest. All Rights Reserved. Government Services TIC from an Industry.

Not to be distributed or reproduced by anyone other than Qwest entities. Copyright © 2010 Qwest. All Rights Reserved. Government Services TIC from an Industry.
SPORC: Group Collaboration using Untrusted Cloud Resources Ariel J. Feldman, William P. Zeller, Michael J. Freedman, Edward W. Felten Published in OSDI’2010.

SPORC: Group Collaboration using Untrusted Cloud Resources Ariel J. Feldman, William P. Zeller, Michael J. Freedman, Edward W. Felten Published in OSDI’2010.
Denial of Service in Sensor Networks Anthony D. Wood and John A. Stankovic.

Denial of Service in Sensor Networks Anthony D. Wood and John A. Stankovic.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
NETWORK LOAD BALANCING NLB.  Network Load Balancing (NLB) is a Clustering Technology.  Windows Based. (windows server).  To scale performance, Network.

NETWORK LOAD BALANCING NLB.  Network Load Balancing (NLB) is a Clustering Technology.  Windows Based. (windows server).  To scale performance, Network.
Highly Available Central Services An Intelligent Router Approach Thomas Finnern Thorsten Witt DESY/IT.

Highly Available Central Services An Intelligent Router Approach Thomas Finnern Thorsten Witt DESY/IT.
SANE: A Protection Architecture for Enterprise Networks Authors: Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman Dan Boneh, Nick McKeown,

SANE: A Protection Architecture for Enterprise Networks Authors: Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman Dan Boneh, Nick McKeown,
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L6 1 Implementing Secure Converged Wide Area Networks (ISCW)

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L6 1 Implementing Secure Converged Wide Area Networks (ISCW)
DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric (07016080)

DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric ( )
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Decongestion Control Offense by James Gross Amit Mondal.

Decongestion Control Offense by James Gross Amit Mondal.
August, 2006 Usenix Security 2006 SANE: Addressing the Protection Problem in Enterprise Networks Martin Casado Tal Garfinkel Michael Freedman Aditya Akaella.

August, 2006 Usenix Security 2006 SANE: Addressing the Protection Problem in Enterprise Networks Martin Casado Tal Garfinkel Michael Freedman Aditya Akaella.
Tesseract A 4D Network Control Plane

Tesseract A 4D Network Control Plane
Handout # 4: Scaling Controllers in SDN - HyperFlow

Handout # 4: Scaling Controllers in SDN - HyperFlow
Institute of Technology, Sligo Dept of Computing Semester 3, version 2.1.3 Semester 3 Chapter 3 VLANs.

Institute of Technology, Sligo Dept of Computing Semester 3, version Semester 3 Chapter 3 VLANs.

Similar presentations

Ads by Google