Simplifying Access Control in Enterprise Networks

Today, access control configuration in large enterprise environments is a highly complex process that involves the manual configuration of a wide range of network devices including routers, VLANs and firewalls. Much of this complexity arises from the asynchrony between routing and access control that often requires contorted network topologies that lack redundant paths, have tight pinning of routes, and physical placement of firewalls along the data path to achieve access control. In this paper, we propose Access Control Routing (ACR), a clean-slate and flexible approach to simplify access control configuration in large-scale enterprise networks. ACR uses a single parameter, class, to couple access control and routing. It requires that each endhost specify its access control policies at the granularity of a class. On the network side, the control plane establishes logical reachability networks for every class, and the data plane explicitly labels each packet with a class based on the source. Unlike traditional access control configuration approaches, ACR can easily adapt to network topology or routing changes and is better suited to handle network failures. ACR eliminates the need for VLANs and also provides the flexibility of automatically routing traffic through arbitrary middle-boxes without physical topology manipulation. Using a software-based router implementation of ACR and access control policies gathered from four large commercial enterprise networks, we show that ACR can easily be adopted in large enterprise environments with little additional performance overhead.

[1]  John T. Kohl,et al.  The Kerberos Network Authentication Service (V5 , 2004 .

[2]  Daniel P. W. Ellis,et al.  Worms vs. perimeters: the case for hard-LANs , 2004, Proceedings. 12th Annual IEEE Symposium on High Performance Interconnects.

[3]  Eddie Kohler,et al.  The Click modular router , 1999, SOSP.

[4]  Bill Cheswick,et al.  Firewalls and internet security - repelling the wily hacker , 2003, Addison-Wesley professional computing series.

[5]  Hugo Krawczyk,et al.  A Security Architecture for the Internet Protocol , 1999, IBM Syst. J..

[6]  Angelos D. Keromytis,et al.  Implementing a distributed firewall , 2000, CCS.

[7]  Stephen T. Kent,et al.  Security Architecture for the Internet Protocol , 1998, RFC.

[8]  Allan C. Rubens,et al.  Remote Authentication Dial In User Service (RADIUS) , 2000, RFC.

[9]  Jason Lee,et al.  A first look at modern enterprise traffic , 2005, IMC '05.

[10]  Yakov Rekhter,et al.  BGP/MPLS VPNs , 1999, RFC.

[11]  Tal Garfinkel,et al.  SANE: A Protection Architecture for Enterprise Networks , 2006, USENIX Security Symposium.

[12]  Hong Yan,et al.  A clean slate 4D approach to network control and management , 2005, CCRV.

[13]  Vern Paxson,et al.  Bro: a system for detecting network intruders in real-time , 1998, Comput. Networks.

[14]  Helen J. Wang,et al.  Shield: vulnerability-driven network filters for preventing known vulnerability exploits , 2004, SIGCOMM.

[15]  Tim Dierks,et al.  The Transport Layer Security (TLS) Protocol Version 1.2 , 2008 .

[16]  Abhay Roy,et al.  Multi-Topology (MT) Routing in OSPF , 2007, RFC.

[17]  David Wetherall,et al.  Preventing Internet denial-of-service with capabilities , 2004, Comput. Commun. Rev..