1
Resonance: Dynamic Access Control in Enterprise Networks
Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark
School of Computer Science, Georgia Institute of Technology
2
Motivation
• Enterprise and campus networks are dynamic
– Hosts continually coming and leaving
– Hosts may become infected
• Today, access control is static, and poorly integrated with the network layer itself
• Resonance: Dynamic access control
– Track state of each host on the network
– Update forwarding state of switches per host as these states change
3
State of the Art
• Today’s networks have many components “bolted on” after the fact
– Firewalls, VLANs, Web authentication portal, vulnerability scanner
• Separate (and perhaps competing) devices for performing the following functions
– Registration (based on MAC addresses)
– Scanning
– Filtering and rate limiting traffic
4
Authentication at GT: “START”
Figure (message flow among New Host, Switch, VMPS and Web Portal):
1. New MAC Addr
2. VQP
3. VLAN with Private IP
4. Web Authentication
5. Authentication Result
6. VLAN with Public IP
7. REBOOT
5
Problems with Current Architecture
• Access Control is too coarse-grained
– Static, inflexible and prone to misconfigurations
– Need to rely on VLANs to isolate infected machines
• Cannot dynamically remap hosts to different portions of the network
– Needs a DHCP request, which for a Windows user would mean a reboot
• Monitoring is not continuous
Idea: Express access control to incorporate network dynamics.
6
Resonance Approach
• Step 1: Associate each host with generic states and security classes
• Step 2: Specify a state machine for moving machines from one state to the other
• Step 3: Control forwarding state in switches based on the current state of each machine
– Actions from other network elements, and distributed inference, can affect network state
7
Applying resonance to START
Figure (host state machine; states and transition labels as shown on the slide):
States: Registration, Authenticated, Operation, Quarantined
Transitions: Successful Authentication; Failed Authentication; Vulnerability detected; Clean after update; Still infected after an update; Infection removed or manually fixed
8
Resonance: Step by Step
Figure (New Host, OpenFlow Switch, Controller, DHCP Server, Web Portal, Internet):
1. DHCP request
2. Web Authentication
3. Scanning
4. To the Internet
9
Preliminary Implementation: OpenFlow
• OpenFlow: Flow-based control over the forwarding behavior of switches and routers
– A switch, a centralized controller and end-hosts
– Switches communicate with the controller through an open protocol over a secure channel
• Why OpenFlow?
– Dynamically change security policies
– Central control enables
• Specifying a single, centralized security policy
• Coordinating the mechanisms for switches
• Granularity of control. VLANs don’t provide that granularity
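The host state machine of slide 7 and the per-host switch policy of slide 9, as an added example that is not the Resonance project's own code: each host is tracked by MAC address, events from the portal or scanner move it between the slide's four states, and every state change yields the flow-table delta a controller would push. State and event names come from the slides; the edge each label sits on, and the destination classes permitted per state, are this example's assumptions.

```python
from dataclasses import dataclass, field

REGISTRATION, AUTHENTICATED, OPERATION, QUARANTINED = (
    "Registration", "Authenticated", "Operation", "Quarantined")

# (current state, event) -> next state. Event names are the slide's transition
# labels; which edge each label belongs to is this example's assumption.
TRANSITIONS = {
    (REGISTRATION, "failed_authentication"): REGISTRATION,
    (REGISTRATION, "successful_authentication"): AUTHENTICATED,
    (AUTHENTICATED, "clean_after_update"): OPERATION,
    (AUTHENTICATED, "vulnerability_detected"): QUARANTINED,
    (OPERATION, "vulnerability_detected"): QUARANTINED,
    (QUARANTINED, "still_infected_after_update"): QUARANTINED,
    (QUARANTINED, "infection_removed_or_fixed"): OPERATION,
}

# Assumed per-state policy: destination classes a host in that state may reach.
# A controller would realise each set as match/action entries on the switch.
POLICY = {
    REGISTRATION: {"dhcp", "dns", "web_portal"},
    AUTHENTICATED: {"dhcp", "dns", "scanner"},
    OPERATION: {"dhcp", "dns", "scanner", "internet"},
    QUARANTINED: {"dhcp", "dns", "remediation"},
}

def flow_changes(old, new):
    """Delta to push on a state change: (classes to allow now, classes to revoke)."""
    return POLICY[new] - POLICY[old], POLICY[old] - POLICY[new]

@dataclass
class HostTracker:
    """One state per host, keyed on MAC address as in the slides' registration step."""
    state: dict = field(default_factory=dict)

    def state_of(self, mac):
        return self.state.get(mac, REGISTRATION)  # unknown MAC starts in Registration

    def on_event(self, mac, event):
        """Apply a portal/scanner event; returns (new state, allow set, revoke set)."""
        cur = self.state_of(mac)
        nxt = TRANSITIONS.get((cur, event))
        if nxt is None:  # reject events that make no sense in the current state
            raise ValueError(f"{event!r} not valid for {mac} in state {cur}")
        self.state[mac] = nxt
        return (nxt,) + flow_changes(cur, nxt)

    def allows(self, mac, dest_class):
        """Forward-or-drop decision for a flow from mac toward a destination class."""
        return dest_class in POLICY[self.state_of(mac)]
```

Because the delta is computed from the policy sets rather than hard-coded per edge, adding a state or tightening a policy changes what gets pushed without touching the transition logic.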
10
Resonance Controller: NOX
• NOX: Programmatic interface to the OpenFlow controller
– Ability to add, remove and reuse components
• We are building the Resonance controller using NOX
11
Research Testbed
12
Potential Challenges
• Scale
– How many forwarding entries per switch?
• OF switches support ~130K flow entries and 100 wildcard entries.
– How much traffic at the controller?
• Performance
– Responsiveness
• Security
– MAC address spoofing
– Securing the controller (and control framework)
13
Summary
• Resonance: An architecture to secure and maintain enterprise networks.
– Preliminary design
– Application to Georgia Tech campus network
– Planned evaluation
• Many challenges remain
– Scaling
– Performance
Questions?