A Hands-On Environment for Teaching Networks
Download
Report
Transcript A Hands-On Environment for Teaching Networks
SANE: A Protection Architecture
for Enterprise Networks
Martin Casado (Stanford)
Tal Garfinkel
(Stanford)
Aditya Akella (CMU/Stanford)
Dan Boneh
(Stanford)
Nick McKeown (Stanford)
Scott Shenker (ICSI/Berkeley)
2005
Stanford and ICSI
Enterprise Security is
Important
$8.7
billion information security industry (US
alone)
Intellectual Property Protection
(Valve code leak)
Downtimes
(Disney)
are costly
User-information
leaks are bad
(California bill number: SB 1386)
Regulatory
HIPAA
Sarbanes
2005
Compliance
Oxley
Stanford and ICSI
A Quick Look at IP
Default
on: everyone can talk to everyone
Trusted
end-hosts, “stupid network”
Decentralized (trust)
Loosely
No
bound end-points
hiding of information
Communicating
end points
topology
Worms are a testimony to the success of IP!
2005
Stanford and ICSI
IP and Security
Default
ON overly permissive
(“every psychopath is your next-door neighbor” – Geer)
trusted
end-points powerful users/attackers
Stupid network no defense in depth
Proliferation of TCB 1 router is enough
weak end-points useless for discrimination
No hiding of info reconnaissance is easy
2005
Stanford and ICSI
Retrofitting Security onto IP
Designed
for Security
Firewalls,
Router ACLS
Port Security
IDS/NDS/IPS
(scan detection, anomaly
detection, signature detection)
Transport
VLANs
Pushed
Into Service
Ethernet
Switches
NATs, Proxies
2005
Application
Network
Datalink
Physical
Stanford and ICSI
Policies and Protection in Enterprises
Connectivity is difficult to reason about
Network config = sum of router and end-host
configs
Hard to express meaningful policies
Enterprise networks are brittle
Difficult to deploy new protocols, define new
policies
Easy to break existing policies
Yet, existing mechanisms don’t provide adequate security!!
2005
Stanford and ICSI
Short Recap
IP
networks
Default
on
No support in network
Decentralized trust
Loosely bound end-points
Proliferation of information
Exisiting
enterprise security technologies
Many
Complex
Can’t
2005
declare policy simply
Stanford and ICSI
Our Approach: SANE
(Security Architecture for the Networked
Enterprise)
Take an extreme point in design space…
Default
on Default off
Decentralized trust centralized
No network enforcement enforced per hop
Meaningless IPs Tightly bound end-points
Transparent information restricted
2005
Stanford and ICSI
When Does this make
sense?
Security
is paramount
Practical deployment strategy
Fork-lift
upgrades
New networks created often
Centralized
administration
Notion of principles (e.g. users)
Structured communication
2005
Stanford and ICSI
Provide Isolation Layer
Ethernet
SANE
IP ..
Transport
Network
Datalink
Physical
Introduce layer 2.5
Isolation Layer
Strictly
2005
Application
defines connectivity
Stanford and ICSI
SANE:
Action Sequence!
martin.friends.ambient-streams
Authenticate
Publish
Request
hi, I’m tal, my password is
martin.friends.ambient-streams
Authenticate
martin.friends.ambient-streams
allow
sundar,
hi, I’mtal,
martin,
myaditya
password is
1 4 3 4 4
Ambient streams
4 13 4 4
3 1 2 2 Ambient streams 4 4
Ambient streams
Client port
1 31 1 22 2
Client port 1 3 1 2 2 Client port
1
4
4
2
3
3
4 1
3 4 4
4
Ambient streams
Ambient streams
1 3 1 2 2
2005
1 3 1 2 2
Client port
Client port
Stanford and ICSI
Ambient streams
1 3 1 2 2
Client port
•Send link state information to
the DC
•Publish services at the•Provide
DC
default connectivity to
•Specify access controls
the DC
(export streams.ambient
allow tal)
•Validate
capabilities
Domain Controller
•Request access to services
•Forward packets base on
•Use appropriate capability
for each packet
capability
•Authenticates
switches/end•Enforce revocations
hosts
•Established secret with each
switch
Switches
•Contains network topology
•Hosts services (by name)
•Manages permission checking
•Creates and issues capabilities
SANE:
Overview
End-Hosts
2005
Stanford and ICSI
Security Properties (Saltzer and
Schroeder)
Default off (capabilities provide all connectivity)
(failsafe defaults, least privilege)
Single, simple mechanism
(economy of mechanism)
Capability checked at every step
(complete mediation)
Capabilities bind end-hosts to location
High level policy declaration
Fine-grained policies
(psychological acceptability)
Don’t reveal (sender, packet path, topology)
(least knowledge)
Immutable transport address allows fine grained access
controls
2005
Stanford and ICSI
SANE Details
How
is connectivity to the DC provided?
How are keys established?
How does the DC get the topology?
2005
Stanford and ICSI
Connectivity to the DC
Switches
construct spanning tree
Rooted at DC
Switches don’t learn topology
(just neighbors)
Provides basic datagram service to DC
2005
Stanford and ICSI
Establishing Shared
Keys
Switches
authenticate with DC
and establish symmetric key
Ike2 for key establishment
K
All subsequent packets to DC
have “authentication header”
Ksw4
sw1
(similar to ipsec esp header)
2005
Stanford and ICSI
Ksw1
Ksw2
Ksw3
Ksw4
Ksw3
Ksw2
Return Capabilities
Added
to all packets to DC
Each switch adds a “layer”
Look the same as DC issued
capabilities
Used by the DC to determine the
Exact location of the sender
2005
Stanford and ICSI
payload
payload
payload
Establishing
Topology
generate neighbor lists
during MST algorithm
K
Send encrypted neighbor-list
to DC
DC aggregates to full topology
No switch knows full topology
Ksw1
Ksw2
Ksw3
Ksw4
Switches
Ksw4
sw1
2005
Stanford and ICSI
Ksw3
Ksw2
Summary of mechanism
Default
connectivity to DC (via MST)
All principles authenticate (switches, users)
Users publish/request services from DC
DC returns encrypted source route
Provides
all host-to-host connectivity
Opaque
Non-composable
Include
2005
transport address (fine-grained)
Stanford and ICSI
Additional Considerations
Fault
Tolerance
“You’re not SANE you’re INSANE”
Central
control!
Loss of adaptive routing!
Attack
resistance
Data
integrity
Revocation
Wide
2005
area issues
Stanford and ICSI
Fault Tolerance:
Adaptive Routing
On
failure, end-hosts must refresh capabilities
Timeouts
Can
to detect failures
result in “request storm” at DC
Issue multiple capabilities
(hand out n of the k shortest paths)
More switch level redundancy
(doesn’t undermine security!)
Path load balancing
(randomly choose one of the k shortest paths)
2005
Stanford and ICSI
Fault Tolerance:
DC: Single Point of Failure?
Exists
today (DNS)
Capability generation is fast
(crummy implementation = 20k – 40k per second)
Replicate
DC
Computationally
(multiple servers)
Topologically (multiple servers in multiple places)
2005
Stanford and ICSI
Attack Resistance
Capabilities
Onion-encrypted source routes
Encryption means, encrypt + MAC
Each “layer” using a secret key
shared by the DC and the switch
10 hops = 164 byte header
Contain
path information
Expiration
Unique ID
MAC
1,4
MAC
3,2
SW2
2
2
1
SW1
4
Esw1
MAC
2,1
MAC Service
Esw2
2005
1
3
Stanford and ICSI
port
CAP-ID Expiration
Attack Resistance:
And More Security!
Intermediary
data integrity checks
Hiding switch IDs in authentication header
Handling growth of trusted computing base using
threshold crypto
(n of k DCs must be compromised to
generate capabilities)
2005
Stanford and ICSI
Attack Resistance:
Revocation
Request
from DC
sent back along incoming path
Switches maintain small CAMs
If CAMs fill, switches generate new keys
too many revocations = loose privileges
payload
2005
Stanford and ICSI
Wide Area Issues
IP
Is used for
Wide
area routing
Common framing (compatibility between end hosts)
In
Enterprise Doesn’t provide
Identification
Location
Local
connectivity
Internet
connectivity provided by gateway
(similar to NAT)
2005
Stanford and ICSI
Implementation
All
components implemented in software
Integrated with 9 workstations
Managed our group’s traffic for a couple of weeks
2005
Stanford and ICSI
Future Work
Research
connectivity in the enterprise
Real implementation with hardware switches
Extend to multiple domain case
Plug into existing directory services (AD, LDAP)
Use DC as a KDC (a la kerberos)
2005
Stanford and ICSI
Questions?
2005
Stanford and ICSI