Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.

Published byChristian Skinner Modified over 10 years ago

There are copies: 1
1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.
1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.

Similar presentations

Presentation on theme: "1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute."— Presentation transcript:

1 1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute of Technology

2 2 Motivation Enterprise and campus networks are dynamic –Hosts continually coming and leaving –Hosts may become infected Today, access control is static, and poorly integrated with the network layer itself Resonance: Dynamic access control –Track state of each host on the network –Update forwarding state of switches per host as these states change

3 3 State of the Art Todays networks have many components bolted on after the fact –Firewalls, VLANs, Web authentication portal, vulnerability scanner Separate (and perhaps competing) devices for performing the following functions –Registration (based on MAC addresses) –Scanning –Filtering and rate limiting traffic

4 4 Authentication at GT : START 3. VLAN with Private IP 6. VLAN with Public IP ta.1. New MAC Addr2. VQP 7. REBOOT Web Portal 4. Web Authentication 5. Authentication Result VMPS Switch New Host

5 5 Problems with Current Architecture Access Control is too coarse-grained –Static, inflexible and prone to misconfigurations –Need to rely on VLANs to isolate infected machines Cannot dynamically remap hosts to different portions of the network –Needs a DHCP request which for a windows user would mean a reboot Monitoring is not continuous Idea: Express access control to incorporate network dynamics.

6 6 Resonance Approach Step 1: Associate each host with generic states and security classes Step 2: Specify a state machine for moving machines from one state to the other Step 3: Control forwarding state in switches based on the current state of each machine –Actions from other network elements, and distributed inference, can affect network state

7 7 Applying resonance to START Registration Authenticated Operation Quarantined Successful Authentication Vulnerability detected Clean after update Failed Authentication Infection removed or manually fixed Still Infected after an update

8 8 Resonance: Step by Step Internet 3. Scanning 1. DHCP request 4. To the Internet 2. Web Authenticai- tion Controller Openflow Switch New Host DHCP Server Web Portal

9 9 Preliminary Implementation: OpenFlow OpenFlow: Flow-based control over the forwarding behavior of switches and routers –A switch, a centralized controller and end-hosts –Switches communicate with the controller through an open protocol over a secure channel Why OpenFlow? –Dynamically change security policies –Central control enables Specifying a single, centralized security policy Coordinating the mechanisms for switches Granularity of control. VLANs dont provide that granularity

10 10 Resonance Controller: NOX NOX: Programmatic interface to the OpenFlow controller –Ability to add, remove and reuse components We are building the Resonance controller using NOX

11 11 Research Testbed

12 12 Potential Challenges Scale –How many forwarding entries per switch? OF switches support ~130K flow entries and 100 wildcard entries. –How much traffic at the controller? Performance –Responsiveness Security –MAC address spoofing –Securing the controller (and control framework)

13 13 Summary Resonance: An architecture to secure and maintain enterprise networks. –Preliminary design –Application to Georgia Tech campus network –Planned evaluation Many challenges remain –Scaling –Performance Questions?

14 14

15 15 Applying Resonance to START

16 16 Resonance: Step-by-Step

17 17 Authentication at GT: START

18 18 Problems with Current Approaches Existing enterprise security techniques are reactive and ad-hoc A mix of security middleboxes, intrusion detection systems etc. result in collection of complex network configurations Possible negative side effects –Misconfiguration –Security problems

19 19

20 20 6262 ppt material (prototype implementation)

21 21 Host Scanner Network Monitors Openflow Switch Controller Web portal DNS server Openflow Switch Openflow Switch DHCP server Openflow Switch

Download ppt "1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute."

Similar presentations

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.
New Directions in Enterprise Network Management Aditya Akella University of Wisconsin, Madison MSR Networking Summit June 2006.

New Directions in Enterprise Network Management Aditya Akella University of Wisconsin, Madison MSR Networking Summit June 2006.
Using Network Virtualization Techniques for Scalable Routing Nick Feamster, Georgia Tech Lixin Gao, UMass Amherst Jennifer Rexford, Princeton University.

Using Network Virtualization Techniques for Scalable Routing Nick Feamster, Georgia Tech Lixin Gao, UMass Amherst Jennifer Rexford, Princeton University.
Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.

Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.
11/20/09 ONR MURI Project Kick-Off 1 Network-Level Monitoring for Tracking Botnets Nick Feamster School of Computer Science Georgia Institute of Technology.

11/20/09 ONR MURI Project Kick-Off 1 Network-Level Monitoring for Tracking Botnets Nick Feamster School of Computer Science Georgia Institute of Technology.
1 OpenFlow Research on the Georgia Tech Campus Network Russ Clark Nick Feamster Students: Yogesh Mundada, Hyojoon Kim, Ankur Nayak, Anirudh Ramachandran,

1 OpenFlow Research on the Georgia Tech Campus Network Russ Clark Nick Feamster Students: Yogesh Mundada, Hyojoon Kim, Ankur Nayak, Anirudh Ramachandran,
Challenges in Making Tomography Practical

Challenges in Making Tomography Practical
Usage-Based DHCP Lease- Time Optmization Manas Khadilkar, Nick Feamster, Russ Clark, Matt Sanders Georgia Tech.

Usage-Based DHCP Lease- Time Optmization Manas Khadilkar, Nick Feamster, Russ Clark, Matt Sanders Georgia Tech.
Campus Testbed for Network Management and Operations Nick Feamster Georgia Tech Joint with Ankur Nayak, Russ Clark, Ron Hutchins, Campus OIT Also input.

Campus Testbed for Network Management and Operations Nick Feamster Georgia Tech Joint with Ankur Nayak, Russ Clark, Ron Hutchins, Campus OIT Also input.
1 Building a Fast, Virtualized Data Plane with Programmable Hardware Bilal Anwer Nick Feamster.

1 Building a Fast, Virtualized Data Plane with Programmable Hardware Bilal Anwer Nick Feamster.
Network Troubleshooting: rcc and Beyond Nick Feamster Georgia Tech (joint with Russ Clark, Yiyi Huang, Anukool Lakhina)

Network Troubleshooting: rcc and Beyond Nick Feamster Georgia Tech (joint with Russ Clark, Yiyi Huang, Anukool Lakhina)
1 Dynamics of Online Scam Hosting Infrastructure Maria Konte, Nick Feamster Georgia Tech Jaeyeon Jung Intel Research.

1 Dynamics of Online Scam Hosting Infrastructure Maria Konte, Nick Feamster Georgia Tech Jaeyeon Jung Intel Research.
Securing Enterprise Networks with Traffic Tainting Anirudh Ramachandran Nick Feamster Yogesh Mundada Mukarram bin Tariq.

Securing Enterprise Networks with Traffic Tainting Anirudh Ramachandran Nick Feamster Yogesh Mundada Mukarram bin Tariq.
Theory Lunch. 2 Problem Areas Network Virtualization for Experimentation and Architecture –Embedding problems –Economics problems (markets, etc.) Network.

Theory Lunch. 2 Problem Areas Network Virtualization for Experimentation and Architecture –Embedding problems –Economics problems (markets, etc.) Network.
1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.

1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.
1 Introducing the Specifications of the Metro Ethernet Forum.

1 Introducing the Specifications of the Metro Ethernet Forum.
0 - 0.

0 - 0.
DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

Similar presentations

Ads by Google