Removing the Reliance on Perimeters for Security using Network Views

Traditional enterprise security relies on network perimeters to define and enforce network security policies. Emerging application-focused Zero Trust architectures attempt to address the long-standing weaknesses of perimeter-based security by moving business applications to the cloud and performing enhanced identity and access control checks within a web gateway. However, these solutions ignore the security needs of workstations, development servers, and device management interfaces. In this work, we propose Network Views (NetViews) for least-privilege network access control, in which each host has a different, limited view of the other hosts and services within a network. We present an SDN-based design and demonstrate that our implementation has network latency and throughput comparable to baseline reactive forwarding. We further provide an optimization for multi-connection flows that significantly reduces both redundant access control checks and forwarding state storage in switches. As such, NetViews provides a practical primitive for removing the reliance on security perimeters within enterprise networks.
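To make the per-host view model concrete, the following is an added, constructed simulation of a reactive SDN controller enforcing default-deny views (it is not the paper's implementation; the class and host names, and the coarse match on destination port used to serve multiple connections with one check, are assumptions for illustration):

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Constructed model of view-based access control, not the paper's code.
Service = Tuple[str, int]        # (destination host, destination port)
Rule = Tuple[str, str, int]      # (src host, dst host, dst port) installed in a switch

@dataclass
class ViewController:
    # Each host's view: the only (host, port) pairs it may reach; everything else denied.
    views: Dict[str, Set[Service]]
    flow_rules: Set[Rule] = field(default_factory=set)  # forwarding state in switches
    checks: int = 0                                      # policy evaluations performed

    def decide(self, src: str, dst: str, dport: int) -> bool:
        """Reactive path: no rule matched, so the controller consults src's view."""
        self.checks += 1
        allowed = (dst, dport) in self.views.get(src, set())
        if allowed:
            # Assumed optimization: match on (src, dst, dport) rather than the full
            # 5-tuple, so later connections from new ephemeral source ports reuse
            # this rule instead of triggering another access control check.
            self.flow_rules.add((src, dst, dport))
        return allowed

    def connect(self, src: str, sport: int, dst: str, dport: int) -> bool:
        """Switch path: forward on an installed rule, otherwise punt to decide()."""
        if (src, dst, dport) in self.flow_rules:
            return True
        return self.decide(src, dst, dport)

def demo() -> ViewController:
    # Constructed sample views: a developer workstation and an HR workstation.
    ctl = ViewController(views={
        "dev-ws": {("git", 22), ("build-srv", 443)},
        "hr-ws": {("hr-app", 443)},
    })
    # Three connections from dev-ws to git:22 using different ephemeral ports:
    # only the first reaches the controller; the rest hit the installed rule.
    for sport in (50001, 50002, 50003):
        ctl.connect("dev-ws", sport, "git", 22)
    # hr-ws has no view of git, so the same destination is denied for it
    # and no forwarding state is installed.
    ctl.connect("hr-ws", 50004, "git", 22)
    return ctl
```

After `demo()` the controller has performed two checks and holds a single rule, showing how a denied host never learns of, or consumes switch state for, services outside its view.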
