The Protection Problem in Enterprise Networks

May, 2006 EdgeNet 2006

The Protection Problem in EnterpriseNetworks

Martin CasadoPhD Student in Computer Science, Stanford University

[email protected]://www.stanford.edu/~casado


Talk Focus

Negative affects of protection measures on edge networks

Motivated by anecdotes from real networks

Introduce Ethane


Network Examples

National Lab, Small-moderate size business, academic, hospital

Security sensitiveMore LAN than large routable network


Problems Areas

InflexibilityLoss of RedundancyFiltering woes


Problems

InflexibilityLoss of RedundancyFiltering Woes


Inflexibility

L2 Switch

Firewall + Router

• If one is compromised, can’t sniff traffic of others• Can’t enumerate how many hosts on network• Can only get “out” through proxy• Prevent rogue connections


Inflexibility

L2 Switch

Firewall + Router

• If one is compromised, can’t sniff traffic of others• Can’t enumerate how many hosts on network• Can only get “out” through proxy• Prevent rogue connections

Firewall rulesACCEPT 192.168.1.20


Inflexibility

L2 Switch

Firewall + Router

•Turn of ARP

•Static ARP cache

•Ca:fe:d0:d0 192.168.1.1


•Turn of ARP

•Static ARP cache ca:fe:de:ad:be:ef 192.168.1.20


Inflexibility

Firewall + Router•Turn of ARP


•Turn of ARP

•Static ARP cache

•Ca:fe:d0:d0 192.168.1.1


No DHCP

•Also insecure

•Might undermine firewall rules

•Might undermine static ARP cache


Inflexibility

L2 Switch

Firewall + Router•Turn of ARP


•Turn of ARP

•Static ARP cache

•Ca:fe:d0:d0 192.168.1.1


No DHCP

•Might undermine firewall rules

•Might undermine static ARP cache

Port Security

• Tie MAC address to Port ca:fe:de:ad:be:ef 192.168.1.20


Inflexibility

Topology (ports, interfaces) and addresses sprinkled throughout configuration stateNo distributed maintenance like routing tablesDifficult to move machines Moving machines can be bad

Indirection points (e.g. ARP, DHCP) insecure(.. often removed)

MAC addresses everywhereChew up memoryNo aggregation


Problems



Loss of Redundancy


Loss of Redundancy

Easier to reason about/verifyProxies are a catalyst

Distributed firewalls are not the solutionLack of good support for L5 routing

(does anyone have this turned on?)

Existing solutions exacerbate the problem“do everything” proxiesSingle bridge NACs


Problems



Filtering Woes

Filtering done on the datapath todayGenerally limited filtering state

(so can have large forwarding tables)

Common problem is running out of ACLs

MAC addresses everywhere Chew up memory No aggregation

In some networks, forwarding tables + filters doesn’t make sense ..


Centrally declare network policyAuthenticated end-hostsCentral-arbiter grants permission to connect

on a per flow basisCentral-arbiter has fine grained control of

routes

Ethane: Towards a Solution


Publishmartin.friends.ambient-streamsallow tal, sundar, aditya

Authenticatehi, I’m tal, my password is

martin.friends.ambient-streamsFirst packet to

martin.friends.ambient-streams

Global Network Policy:(allow all martin using rtp)

Authenticatehi, I’m martin, my password is

Ethane


FlexibilityDynamic bindings are secure

(movement is easy)

Security policy independent of topology

RedundancyMore switches != more configuration stateFine grained control of routes allows L5 routing

Permission checks done on connection setup(taken off data path)

Ethane: Properties


Thanks!

?


Isolation

Networks exist today with differing levels of sensitivityCasino FinancialMedicalGovernment/Military

Want reasonable IsolationNo DDoS from less secure to moreNo data exfiltration from more secure to lessNote, VLANs generally insufficient

This is not solely a governmentnetwork problem


Today’s Solution(really) heavyweight,

application proxy(cannonicalization + fuzzy timers)

OR …


Isolation Cont …

Obviously suboptimalManagement Number of components (MTTF)Could use same components, separate queues,

TDM

Consolidation on the road-map for some very large networks

The Protection Problem in Enterprise Networks

Documents