论文信息 - Pushing Enterprise Security Down the Network Stack

Pushing Enterprise Security Down the Network Stack

Network security is typically reactive: Networks provide connectivity and subsequently alter this connectivity according to various security policies, as implemented in middleboxes, or at higher layers. This approach gives rise to complicated interactions between protocols and systems that can cause incorrect behavior and slow response to attacks. In this paper, we propose a proactive approach to securing networks, whereby security-related actions (e.g., dropping or redirecting traffic) are embedded into the network fabric itself, leaving only a fixed set of actions to higher layers. We explore this approach in the context of network access control. Our design uses programmable switches to manipulate traffic at lower layers; these switches interact with policy and monitoring at higher layers. We apply our approach to Georgia Tech’s network access control system, show how the new design can both overcome the current shortcomings and provide new security functions, describe our proposed deployment, and discuss open research questions.

Russell J. Clark | Nick Feamster | Ankur Nayak | Alex Reimers

[1] Santosh S. Vempala,et al. Filtering spam with behavioral blacklisting , 2007, CCS '07.

[2] Martín Casado,et al. Rethinking Packet Forwarding Hardware , 2008, HotNets.

[3] Martín Casado,et al. NOX: towards an operating system for networks , 2008, CCRV.

[4] Scott Shenker,et al. Ethane: taking control of the enterprise , 2007, SIGCOMM.

[5] Luke M. Leslie,et al. The Tempest-a practical framework for network programmability , 1998, IEEE Netw..

[6] Nick Feamster,et al. Detecting BGP configuration faults with static analysis , 2005 .

[7] Hong Yan,et al. A clean slate 4D approach to network control and management , 2005, CCRV.

[8] Nick Feamster,et al. The case for separating routing from routers , 2004, FDNA '04.

[9] Greg Minshall,et al. Ip Switching: Atm under Ip * , 1998 .

[10] Guofei Gu,et al. BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection , 2008, USENIX Security Symposium.