Towards Policy Enforcement Point as a Service (PEPS)

In this paper, we coin the term Policy Enforcement as a Service (PEPS), which enables the provision of innovative inter-layer and inter-domain access control. We leverage the architecture of Software-Defined Networking (SDN) to introduce a common network-level enforcement point that is made available to a range of access control systems. With our PEPS model, it is possible to have a ‘defense in depth’ protection model and to drop unsuccessful access requests before engaging the data provider (e.g. a database system). Moreover, access control is no longer confined to the ‘trusted’ perimeter of an organization, so that the potential for novel, distributed and cooperative security services can be realized. We conduct an analysis of the security requirements and technical challenges of implementing Policy Enforcement as a Service. To illustrate the benefits of our proposal in practice, we include a report on our prototype of PEPS-enabled location-based access control.
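The PEPS idea sketched in the abstract, as an added illustrative model that is not the paper's prototype: an SDN-style switch flow table acts as the network-level Policy Enforcement Point, a table miss becomes a packet-in to a controller that consults a location-based Policy Decision Point, and denied flows are dropped before the data provider sees them. All class names, the zone-based policy, the addresses and the location-change handling are constructed assumptions for this example.

```python
from collections import namedtuple

FlowKey = namedtuple("FlowKey", "src_ip dst_ip dst_port")   # match fields a switch sees

class DataProvider:                 # the protected service, e.g. a database
    def __init__(self): self.requests = []   # every request that reaches it
    def query(self, src_ip, sql):
        self.requests.append((src_ip, sql))
        return "rows"

class LocationPDP:
    """Policy Decision Point: a resource may only be reached from listed zones."""
    def __init__(self, zone_of, allowed_zones):
        self.zone_of = zone_of                # src_ip -> zone, fed by a location service
        self.allowed_zones = allowed_zones    # (dst_ip, dst_port) -> set of zones
    def decide(self, key):
        zones = self.allowed_zones.get((key.dst_ip, key.dst_port), set())
        return self.zone_of.get(key.src_ip) in zones

class SdnPep:
    """Network-level PEP: a flow table caching PDP decisions. A table miss is a packet-in
    to the controller, which asks the PDP and installs a forward or drop rule."""
    def __init__(self, pdp, provider):
        self.pdp, self.provider = pdp, provider
        self.flow_table = {}                  # FlowKey -> "forward" | "drop"
        self.packet_ins = 0                   # controller round trips
    def handle(self, key, payload):
        action = self.flow_table.get(key)
        if action is None:                    # miss: consult the PDP once, then cache
            self.packet_ins += 1
            action = "forward" if self.pdp.decide(key) else "drop"
            self.flow_table[key] = action
        return None if action == "drop" else self.provider.query(key.src_ip, payload)
    def location_changed(self, src_ip, new_zone):
        """A host moved: evict its cached rules so the next packet is re-decided."""
        self.pdp.zone_of[src_ip] = new_zone
        for k in [k for k in self.flow_table if k.src_ip == src_ip]:
            del self.flow_table[k]

def run_scenario():
    provider = DataProvider()                 # constructed sample topology and policy
    pdp = LocationPDP({"10.0.0.5": "lab", "10.0.0.9": "cafe"}, {("10.0.1.2", 5432): {"lab"}})
    pep = SdnPep(pdp, provider)
    inside, outside = FlowKey("10.0.0.5", "10.0.1.2", 5432), FlowKey("10.0.0.9", "10.0.1.2", 5432)
    results = [pep.handle(inside, "SELECT 1"), pep.handle(outside, "SELECT 1"),
               pep.handle(outside, "SELECT 2")]          # second denial hits the cached rule
    pep.location_changed("10.0.0.9", "lab")
    results.append(pep.handle(outside, "SELECT 3"))      # re-decided after the move
    return {"results": results, "provider_saw": len(provider.requests), "packet_ins": pep.packet_ins}
```

The provider only ever sees the two permitted requests, and the repeated denied request costs no controller round trip because the drop rule is cached in the flow table.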
