[Preview: 5 pages shown, 46 pages not shown]


A Protection Architecture for Enterprise Networks
(and comments on security-centric network design)

Martin Casado (Stanford), Tal Garfinkel (Stanford), Aditya Akella (CMU/Stanford), Michael Freedman (NYU), Dan Boneh (Stanford), Nick McKeown (Stanford), Scott Shenker (ICSI/Berkeley)

What I'm Going to Talk About
• A lot about security in the Enterprise
• A little bit about security on the Internet
• Generally exploit this opportunity to pontificate
• Remember... this is Clean Slate
  • Maybe a little "out-there"
  • Maybe a little "wrong"
  • Supposed to foment ideas and discussion (so please interrupt me)

Public vs. Private Networks
• Public (google, ebay, etc.)
  • Get as wide exposure
  • (mostly) everyone welcome
  • Want some protection from evil-doers
• Private (internal commercial, financial etc.)
  • Special purpose
  • Limited user base
  • Knows what's running where
• Fundamentally different (but use same technologies)

Infrastructure Support for Public Services
• Ability to identify individual users
• Ability to revoke access to individual users (stop them from using your network resources)
• Ability to determine location of individual users (regulatory compliance) (more on this later)

Infrastructure Support for Private Networks
• identify individual users by userid
• revoke access to users
• determine location of individual users
• and strictly define connectivity between users, hosts, services, protocols and access points
• control routes at the session level
• centralized trust and control
• restrict access to information

Supported by IP
[Slide repeats the list above; the markings showing which items IP supports were lost in extraction]
• identify individual users by userid
• revoke access to users
• determine location of individual users
• and strictly define connectivity between users, hosts, services, protocols and access points
• control routes at the session level
• centralized trust and control
• restrict access to information

Motivation Punch Line
• Attempting to do all these things today but without the support of the architecture
• Result is:
  • Insecure network
  • Inflexible network
  • Hard to manage network

Defining Connectivity
• Why?
  • Attempt at limiting resources to that which is needed
  • Limit damage of internal malware, perimeter breach, or insider
• Today: use lots of filtering
  • MAC, IP, transport
  • Physical ports (VLANs)
  • Deep packet inspection (e.g. first data packet of a protocol)
  • Full proxies
  • Access control lists on services (not network aware but could be!)

Defining Connectivity (the bad)
• Network only really aware of addresses
• Firewall rules embed topology into configuration state
  • Difficult to move machines
  • Hard to read and understand (100k lines of proprietary, different configurations)
• Forwarding path unaware of filtering rules
  • Will try to circumvent if it can
  • Adding a new network component not good (hence have "choked" networks)
• Higher level filtering can be undermined by lower levels (e.g. permissive link layer)

Control Over Routing
• Why?
  • Different access points have different security requirements (e.g. wireless users must go through proxy)
  • Different protocols have different security requirements (e.g. all files sent over IM must be checked for viruses)
  • Different user groups have different security requirements (e.g. log all connections from marketing)
• Today: make all routes go through the same point (large, expensive do-it-all proxies)
  • Or use two/three/four separate networks
  • Or application protocol aware routing (Cisco's OER, application aware routing)

Centralized Trust and Control
• Why? Limited number of trusted components
  • Networks often centrally administered
  • Pretty new area, but products are starting to pop up: Consentry, Apani, Securify
• Networks by nature are distributed
  • Distributed routing computation (trust every router)
  • Many (many many) heavily trusted components (DNS, DHCP server, gateway, routers, switches, end-hosts, directory services, authentication services, proxies etc.)

Restrict Access to Information
• Why? (first resource available to attacker)
• Turn off (normally filter at host or perimeter firewall)
  • RST
  • ICMP (TTL time exceeded, echo reply, port unreachable)
• Detect
  • ARP scans
  • Automated IP scans
• Limit visibility of network resources
  • VLAN
  • NATs, proxies etc.
• Still really hard to do (e.g. topology information passed unencrypted in routing protocols)
• No "switch" for auditing (should be controlled the same as other resources)

Retrofitting Security onto IP
• Designed for Security
  • Firewalls, Router ACLs, Port Security
  • IDS/NDS/IPS (scan detection, anomaly detection, signature detection)
  • VLANs
• Pushed Into Service
  • Ethernet Switches
  • NATs, Proxies
[Figure: the above placed against the protocol stack (Physical, Datalink, Network, Transport, Application)]

Common Solutions = Crummy Networks (and mediocre security)
• Inflexible
  • Hard to move a machine (yet difficult to know if someone has moved)
  • Really difficult to deploy a new protocol
• Brittle
  • Change a firewall rule, break security policy
  • Add a switch, break security policy
• Confusing
  • Many disparate point solutions
  • State = a bunch of soft state
  • Hard to state meaningful policies
• Lose redundancy
• Introduce choke points
• Can't migrate routes b/c of all the soft state

Argument Thus Far
• Enterprise networks use IP (designed for the Internet)
• IP not designed for attack resistance
  • Permissive
  • Unauthenticated end-points
  • No knowledge of application protocols
  • Heavily distributed (proliferation of TCB)
  • No support for ubiquitous logging
• Attempts to retrofit access controls have resulted in less-than-ideal networks
  • Confusing
  • Brittle
  • Etc.

Let's Start from Scratch
• Leverage characteristics unique to Enterprise
  • Centrally managed
  • Known users
  • Structured connectivity
• Reduce number of trusted components
• Simplify policy declaration
• Retain flexibility and redundancy (decouple topology and security policy)

Instead of...
• Default on + filter → Default off + permission
• Distributed, cryptic policy → simple and centralized
• Security choke-point → fine grained control of routes
• Distributed trust → centralized
• Permissive link layer → low level enforcement

Momentary Detour
• Currently two competing approaches to securing Enterprise:
• A) Detect when things are bad behaviorally (e.g. anomaly detection)
  • Don't know network state
  • How are you going to define a new protocol?
  • What if your heuristics are bad?
• B) Strictly define what is permissible
  • Limit connectivity to what is needed to get the job done
  • Assume traffic using that is OK

SANE
• Declare policy centrally over users, protocols, services and access points
• All communications require a "capability" from a central arbiter
• Capabilities encode the route
• All switches enforce the capability (it is included and enforced at layer 2)

Capability Provides Isolation Layer
• Introduce layer 2.5: Isolation Layer (Ethernet / SANE / IP ...)
[Figure: protocol stack (Physical, Datalink, Network, Transport, Application) with the SANE layer between Ethernet and IP; the capability contains an encrypted, immutable route: CAP-ID, Expiration, one encrypted hop entry per switch (E_sw1, E_sw2, ...) giving that switch's outgoing port and MAC, then the service port; the sample route drawn is 1,43,22,1]

SANE: Action Sequence!
• Publish: martin.friends.ambient-streams, allow tal, sundar, aditya
• Authenticate: "hi, I'm martin, my password is ..."
• Authenticate: "hi, I'm tal, my password is ..."
• Request: martin.friends.ambient-streams
[Figure: animation of the resulting capability ("Ambient streams", client port 13122) crossing the network; the route 1,4,3,4,4 appears to be consumed one port per switch]

SANE: Overview
• Domain Controller
  • Authenticates users
  • Contains network topology
  • Hosts services (by name)
  • Manages permission checking
  • Creates and issues capabilities
• Switches
  • Send topology information to the DC
  • Provide default connectivity to the DC
  • Validate capabilities
  • Forward packets based on capability
  • Enforce revocations
• End-Hosts
  • Publish services at the DC
  • Specify access controls (export streams.ambient allow tal)
  • Request access to services
  • Use appropriate capability for each packet

Security Properties
• Permission check before connectivity (users only access resources they have permission to)
• Policy enforced at every switch
• Centralized, simple policy declaration (topology independent)
• Control of routes
• Information restricted to administrator
• Authenticated end hosts (bound to location)

Other Nice Properties
• Central point for connection logging (DC)
• Addition of switches (redundancy) does not undermine security policy
• Anti-mobility
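As an added illustration of the SANE action sequence and overview above (this is example code written for this page, not code from the SANE project or the slides), the following Python simulation walks through publish, authenticate, request, capability issuance by the Domain Controller, and per-switch enforcement including expiry, revocation and tampering. It assumes a constructed three-switch topology, constructed per-switch keys standing in for the IKEv2-established ones, and per-hop HMAC tags in place of the encrypted, immutable hop entries the slide describes; the names DomainController, Capability, switch_forward and deliver are this example's own.

```python
import hashlib
import hmac
import time
from collections import deque
from dataclasses import dataclass

# Constructed topology: switch -> {port: neighbour}; hosts hang off switch ports.
TOPOLOGY = {
    "sw1": {1: "tal", 2: "sw2"},
    "sw2": {1: "sw1", 2: "sw3", 3: "eve"},
    "sw3": {1: "sw2", 2: "martin"},
}
# Constructed per-switch symmetric keys; SANE establishes these with the DC via IKEv2.
SWITCH_KEYS = {"sw1": b"key-sw1", "sw2": b"key-sw2", "sw3": b"key-sw3"}

def attach_switch(host):
    """Switch a host is plugged into: authenticated end hosts are bound to a location."""
    for sw, ports in TOPOLOGY.items():
        if host in ports.values():
            return sw
    raise KeyError(host)

def hop_tag(switch, cap_id, expires, index, out_port):
    """Per-hop authenticator under that switch's key; stands in for the encrypted hop entry."""
    msg = f"{cap_id}|{expires}|{index}|{out_port}".encode()
    return hmac.new(SWITCH_KEYS[switch], msg, hashlib.sha256).digest()

@dataclass
class Capability:
    cap_id: int
    expires: float
    hops: list  # [(switch, out_port, tag)]: the route, one entry per switch on the path

class DomainController:
    def __init__(self, lifetime=60.0):
        self.lifetime = lifetime
        self.next_id = 1
        self.users = {}       # user -> host the user authenticated from
        self.services = {}    # service name -> (owner host, allowed users)
        self.revoked = set()  # CAP-IDs the DC has pushed to the switches as revoked

    def authenticate(self, user, host):
        self.users[user] = host

    def publish(self, owner, service, allow):
        """The end host's 'export <service> allow <users>' declaration."""
        self.services[service] = (self.users[owner], set(allow))

    def route(self, src_host, dst_host):
        """BFS over the switch graph the DC aggregated from the switches' neighbour lists."""
        start, goal = attach_switch(src_host), attach_switch(dst_host)
        prev, queue = {start: None}, deque([start])
        while queue:
            sw = queue.popleft()
            if sw == goal:
                break
            for nbr in TOPOLOGY[sw].values():
                if nbr in TOPOLOGY and nbr not in prev:
                    prev[nbr] = sw
                    queue.append(nbr)
        path, sw = [], goal
        while sw is not None:
            path.append(sw)
            sw = prev[sw]
        return path[::-1]

    def request(self, user, service):
        """Permission check before connectivity: no route and no capability without it."""
        owner_host, allow = self.services[service]
        if user not in allow or user not in self.users:
            return None
        path = self.route(self.users[user], owner_host)
        cap_id, expires = self.next_id, time.time() + self.lifetime
        self.next_id += 1
        hops = []
        for i, sw in enumerate(path):
            nxt = path[i + 1] if i + 1 < len(path) else owner_host
            port = next(p for p, n in TOPOLOGY[sw].items() if n == nxt)
            hops.append((sw, port, hop_tag(sw, cap_id, expires, i, port)))
        return Capability(cap_id, expires, hops)

    def revoke(self, cap_id):
        self.revoked.add(cap_id)

def switch_forward(dc, switch, cap, index, now):
    """A switch checks expiry, revocation and only its own hop's tag, then forwards on that port."""
    if switch not in SWITCH_KEYS or now > cap.expires or cap.cap_id in dc.revoked:
        return None
    sw, port, tag = cap.hops[index]
    expected = hop_tag(switch, cap.cap_id, cap.expires, index, port)
    if sw != switch or not hmac.compare_digest(tag, expected):
        return None
    return TOPOLOGY[switch][port]

def deliver(dc, src_host, cap, now=None):
    """Carry one packet hop by hop; returns the host reached, or None if any switch drops it."""
    now = time.time() if now is None else now
    node = attach_switch(src_host)
    for i in range(len(cap.hops)):
        node = switch_forward(dc, node, cap, i, now)
        if node is None:
            return None
    return node
```

Usage: after `dc.authenticate("martin", "martin")`, `dc.authenticate("tal", "tal")` and `dc.publish("martin", "martin.friends.ambient-streams", ["tal", "sundar", "aditya"])`, `dc.request("tal", ...)` yields a capability whose hops run sw1, sw2, sw3, and `deliver(dc, "tal", cap)` returns "martin". A request from eve returns None before any route is computed, and the same capability replayed from eve's port, a capability with a modified hop, an expired one, or a revoked one is dropped by the first switch that checks it, which is the property the slides call "policy enforced at every switch".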

Are you inSANE?
• But how to communicate with the DC?
• How to protect the DC?
• How to securely get topology to DC?
• Go to DC for each flow?
• This is really, really clean slate
  • Fork lift upgrade entire network
  • Change all end-hosts to work with capabilities
  • Change notion of services and naming

Connectivity to the DC
• Switches construct spanning tree rooted at DC
• Switches don't learn topology (just neighbors)
• Provides basic datagram service to DC

Switch Authentication
• Switches authenticate with DC and establish symmetric key
• IKEv2 for key establishment
• All subsequent packets to DC have "authentication header" (similar to IPsec ESP header)
[Figure: switches sw1..sw4, each holding a key Ksw1..Ksw4 shared with the DC]

Establishing Topology
• Switches generate neighbor lists during MST algorithm
• Send encrypted neighbor-list to DC
• DC aggregates to full topology
• No switch knows full topology
[Figure: the same switches sending their neighbor lists under Ksw1..Ksw4]

Centralized? (and you call yourself a network researcher)
• Exists today... sort of (DNS)
• Permission check is fast (and control path != data path)
• Replicate DC
  • Computationally (multiple servers)
  • Topologically (multiple servers in multiple places)
• Loads aren't as high as you might think

Backwards Compatibility (Ethane)
• Use first packet of flow for permission check
  • Ports, IP addresses
  • Can guess application type
• Instead of source routes use virtual circuits
• Instead of replacing switches, add "bumps"

Connection Setup
• Switches disallow all Ethernet broadcast (and respond to ARP for all IPs)
• First packet of every new flow is sent to DC for permission check
• DC sets up flow at each switch
• Packets of established flows are forwarded using multi-layer switching
[Figure: DC, Alice, Bob]

Easing Deployment
• Use trivial 2-port switches (bumps) on links between Ethernet switches
• Can be enhanced by using VLAN per port

Status
• Built software version of SANE
  • All components in software
  • Ran in group network (7 hosts) 1 month
• Currently in development of "Ethane"
  • Switches in hardware + software
  • DC using standard PC

Network Support for Public Services?
• Ability to identify individual users
• Ability to revoke access to individual users
• Ability to determine location of individual users (regulatory compliance)
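Before the deck turns to public services, here is an added example of the Ethane connection setup from the Backwards Compatibility and Connection Setup slides above (example code written for this page, not the Ethane project's own): switches answer ARP themselves instead of flooding, the first packet of a new flow goes to the DC for a permission check, the DC installs a per-switch flow entry (a virtual circuit rather than a source route) or a cached deny, and later packets of the flow are forwarded from the flow table without touching the DC. It assumes a constructed two-switch topology with constructed IP and MAC addresses, and a constructed static path table that stands in for the DC's own route computation; EthaneDC, EthaneSwitch, build_network and send are this example's names.

```python
# Constructed two-switch topology: switch -> {port: neighbour}.
TOPOLOGY = {
    "sw1": {1: "alice-pc", 2: "sw2"},
    "sw2": {1: "sw1", 2: "bob-pc", 3: "printer"},
}
IP_OF = {"alice-pc": "10.0.0.1", "bob-pc": "10.0.0.2", "printer": "10.0.0.3"}
HOST_OF = {ip: host for host, ip in IP_OF.items()}
# Constructed MAC table the switches answer ARP from, so no Ethernet broadcast is ever needed.
MAC_OF = {"10.0.0.1": "02:00:00:00:00:01", "10.0.0.2": "02:00:00:00:00:02",
          "10.0.0.3": "02:00:00:00:00:03"}
# Constructed path table standing in for the DC's route computation over its topology.
PATHS = {("sw1", "sw1"): ["sw1"], ("sw1", "sw2"): ["sw1", "sw2"],
         ("sw2", "sw2"): ["sw2"], ("sw2", "sw1"): ["sw2", "sw1"]}

def attach_switch(host):
    for sw, ports in TOPOLOGY.items():
        if host in ports.values():
            return sw
    raise KeyError(host)

def proxy_arp(ip):
    """Switches respond to ARP for all IPs themselves (no broadcast reaches the network)."""
    return MAC_OF.get(ip)

def flow_key(pkt):
    return (pkt["src"], pkt["dst"], pkt["proto"], pkt["dport"])

class EthaneDC:
    def __init__(self, policy):
        self.policy = policy  # allowed (src host, dst host, proto, dport) tuples
        self.checks = 0       # how many first packets reached the DC
        self.log = []         # every connection decision, logged at one central point

    def setup_flow(self, switches, ingress, pkt):
        """Permission check on the flow's first packet, then install the flow or a drop entry."""
        self.checks += 1
        key = flow_key(pkt)
        src, dst = HOST_OF[pkt["src"]], HOST_OF[pkt["dst"]]
        allowed = (src, dst, pkt["proto"], pkt["dport"]) in self.policy
        self.log.append((src, dst, pkt["proto"], pkt["dport"], "allow" if allowed else "deny"))
        if not allowed:
            switches[ingress].table[key] = None  # cached deny: later packets never reach the DC
            return
        path = PATHS[(ingress, attach_switch(dst))]
        for i, sw in enumerate(path):
            nxt = path[i + 1] if i + 1 < len(path) else dst
            port = next(p for p, n in TOPOLOGY[sw].items() if n == nxt)
            switches[sw].table[key] = port  # virtual circuit: one flow entry per switch on the path

class EthaneSwitch:
    def __init__(self, name, dc, switches):
        self.name, self.dc, self.switches = name, dc, switches
        self.table = {}  # flow key -> out port (None means drop)

    def receive(self, pkt):
        key = flow_key(pkt)
        if key not in self.table:
            self.dc.setup_flow(self.switches, self.name, pkt)  # first packet of a new flow
        port = self.table.get(key)
        if port is None:
            return ("dropped", self.name)
        nxt = TOPOLOGY[self.name][port]
        if nxt in self.switches:
            return self.switches[nxt].receive(pkt)  # established flow: table lookup only
        return ("delivered", nxt)

def build_network(policy):
    dc = EthaneDC(policy)
    switches = {}
    for name in TOPOLOGY:
        switches[name] = EthaneSwitch(name, dc, switches)
    return dc, switches

def send(switches, src_host, dst_ip, proto, dport):
    """Inject one packet at the sender's access switch and follow it through the network."""
    pkt = {"src": IP_OF[src_host], "dst": dst_ip, "proto": proto, "dport": dport}
    return switches[attach_switch(src_host)].receive(pkt)
```

With a policy of `{("alice-pc", "printer", "tcp", 9100), ("alice-pc", "bob-pc", "tcp", 22)}`, the first packet from alice-pc to the printer on port 9100 costs one DC check and is delivered; the second packet of that flow is delivered from the flow tables alone. A packet from alice-pc to bob-pc on port 445 is denied at sw1, and because the deny is cached at the ingress switch a repeat attempt does not reach the DC either. Policy is directional, so bob-pc to alice-pc on port 22 is dropped at sw2. The DC's log is the single connection log the "Other Nice Properties" slide mentions.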

Problem: Identity
• First level of identity is the IP address
  • Is it forged? (maybe)
  • Is half of Thailand behind it? (maybe)
• Obviously a bad discriminator
  • Allow 1 person, allow half of Thailand (e.g. IPA)
  • Ban 1 person, ban half of Thailand (e.g. AOL proxies)
• Today's solution?
  • Use high-bandwidth infrastructure for TCP handshake
  • Use separate, low-function login service
  • Only allow "blessed" sessions to use services
  • Is this sufficient?
• Tomorrow's solution? (HIP? Note IPv6 does nothing to help us here)

Problem: Protecting Downstream BW
• Lots of shared queues (cross traffic)
• Packets may not get to destination to trigger filtering
  • I manually set my TTL
  • I futz with the transport checksum so your proxy drops it
• SYN packet source may be forged (cannot filter)
• Note: overprovision by magical power of 2 not really helpful
• Today's solutions
  • Get flooded
  • Identify "aggregates" in the network
  • Hire someone else to figure out what is going on

Third Party Vetting Model
• Likely per-flow state
• And other anomaly detection voodoo
[Figure: peers connected to the vetting party over an IPsec tunnel or private circuit]
• Is this the right model? Is per-flow state at a few points rather than throughout the network OK?
• How about having a static, layer-2 circuit to protect trust relationships (sounds reasonable to me)
• Can we generalize this to offer and support as a service from the Internet?

Problem: GeoLocation
• Information isn't really stored anywhere
  • Registries aren't accurate
  • DNS LOC isn't widely used
  • People lie when filling out online accounts
  • Proxies and dial-ups further complicate things
• Today's solution?
  • A lot of bad academic tools (e.g. unDNS, netgeo)
  • A few decent commercial offerings (Quova, Akamai)
  • Offering 90-95% accuracy at country level
  • Still, may be breaking the law 5% of the time
• Tomorrow's solution?
  • Should this even be at the network level?
  • Oh no!, what about privacy?

Security and the Internet
• Does IP provide adequate security for the public networks? (no, but it's pretty close...)
• Will a future Internet look similar to IP? (maybe)
• What is the problem then? Malware, SPAM, admission control, phishing etc.

Questions?

Middlebox Integration
• Control of routes is powerful
• DC can force routes through middlebox based on policy
• E.g. signature detection for all flows from laptops and users in marketing
[Figure: flows routed through a "Signature detection" middlebox]

Performance
• Decouple control and data path in switches
• Software control path (connection setup) (slightly higher latency)
• Simple, fast, hardware forwarding path (Gigabits)

Enterprise Threat Environment
• Incidental attacks (phishing, spam, worms, viruses, kiddies)
• External, Targeted Attacks
  • Competitors (e.g. getloaded vs. truckstop)
  • Idealists (e.g. SCO)
• Insiders (29% of all attacks?)

Enterprise Threat Environment
• Incidental attacks (worms, viruses, kiddies)
• External Targeted Attacks
  • More access to resources
  • Ability to hire skilled attacker
• Insiders (29% of all attacks?)
  • Locality (access to internal network)
  • Knowledge of internal workings

Example: External Targeted Attack
• Target: Large company (Bank)
• Attacker Profile: Skill-level equivalent to a B.S. in computer science
• Rules of Engagement: No physical access; cannot limit availability of network resources
• Goals
  • Map out operations
  • Gain access to sensitive information
  • Ability to disrupt internal communications if needed

Step 1: Reconnaissance
• Netcraft search: bank (find all relevant domains)
• Google/groups: bank "*at*bank*com" "*bank*com" "at*bank*"
  • frufru at media dot bank dot com
  • lilo at sign
