May, 2006 EdgeNet 2006
The Protection Problem in Enterprise Networks
Martin Casado, PhD Student in Computer Science, Stanford University
[email protected]
http://www.stanford.edu/~casado
Talk Focus
• Negative effects of protection measures on edge networks
• Motivated by anecdotes from real networks
• Introduce Ethane
Network Examples
• National lab, small-to-moderate size business, academic, hospital
• Security sensitive
• More LAN than large routable network
Problem Areas
• Inflexibility
• Loss of Redundancy
• Filtering Woes
Inflexibility
Example: hosts on an L2 switch behind a firewall + router
Goals:
• If one host is compromised, it can't sniff the traffic of the others
• Can't enumerate how many hosts are on the network
• Can only get "out" through the proxy
• Prevent rogue connections
What has to be configured to get there:
• Firewall rules: ACCEPT 192.168.1.20
• On the host: turn off ARP, static ARP cache pointing at the router: ca:fe:d0:d0 192.168.1.1
• On the firewall/router: turn off ARP, static ARP cache for the host: ca:fe:de:ad:be:ef 192.168.1.20
• No DHCP
  • Also insecure
  • Might undermine the firewall rules
  • Might undermine the static ARP cache
• Port security: tie the MAC address to the switch port (ca:fe:de:ad:be:ef, 192.168.1.20)
Inflexibility
• Topology (ports, interfaces) and addresses are sprinkled throughout configuration state
  • No distributed maintenance, unlike routing tables
  • Difficult to move machines; moving machines can be bad
• Indirection points (e.g. ARP, DHCP) are insecure (.. often removed)
• MAC addresses everywhere
  • Chew up memory
  • No aggregation
Loss of Redundancy
• A single choke point is easier to reason about and verify
  • Proxies are a catalyst
• Distributed firewalls are not the solution
  • Lack of good support for L5 routing (does anyone have this turned on?)
• Existing solutions exacerbate the problem
  • "do everything" proxies
  • Single-bridge NACs
Filtering Woes
• Filtering is done on the data path today
  • Generally limited filtering state (so that the forwarding tables can be large)
  • A common problem is running out of ACLs
• MAC addresses everywhere
  • Chew up memory
  • No aggregation
• In some networks, forwarding tables + filters don't make sense ..
Ethane: Towards a Solution
• Centrally declare network policy
• Authenticated end-hosts
• Central arbiter grants permission to connect on a per-flow basis
• Central arbiter has fine-grained control of routes
Ethane (example exchange, from the slide figure)
Global Network Policy: (allow all martin using rtp)
• martin authenticates: "hi, I'm martin, my password is …"
• martin publishes martin.friends.ambient-streams: allow tal, sundar, aditya
• tal authenticates: "hi, I'm tal, my password is …"
• tal sends the first packet to martin.friends.ambient-streams
Ethane: Properties
• Flexibility
  • Dynamic bindings are secure (movement is easy)
  • Security policy is independent of topology
• Redundancy
  • More switches != more configuration state
  • Fine-grained control of routes allows L5 routing
• Permission checks are done on connection setup (taken off the data path)
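Added example, not code from Ethane or from Casado: a toy Python model of the arbiter the previous slides describe. The user names, service name, addresses, MACs and switch names are constructed sample data, and the class and method names are assumptions made for illustration. It replays the slide's scenario (global policy "allow all martin using rtp", martin publishing martin.friends.ambient-streams to tal, sundar and aditya, tal's first packet, a guest that is not on the list, a source address with no binding) and then moves martin's host to another switch: the binding changes, the cached flow is revoked, and neither the policy nor any per-address entry (compare the firewall rule, static ARP cache and port-security binding on the Inflexibility slides) has to be edited.

```python
"""Toy Ethane-style central arbiter (added example, not Ethane's code).
Bindings (user -> MAC -> IP -> switch port) come from authentication, and policy
is written in terms of users and published names, not addresses or ports."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

FlowKey = Tuple[str, str, str]  # (src_ip, dst_ip, proto)


@dataclass
class Binding:
    user: str
    mac: str
    ip: str
    switch: str
    port: int


@dataclass
class Switch:
    name: str
    flows: Set[FlowKey] = field(default_factory=set)  # permissions cached on the data path

    def packet(self, src_ip: str, dst_ip: str, proto: str) -> str:
        """Data path: a known flow is forwarded; anything else is punted to the arbiter."""
        return "forward" if (src_ip, dst_ip, proto) in self.flows else "punt"


class Arbiter:
    def __init__(self, switches: List[Switch]):
        self.switches = {s.name: s for s in switches}
        self.by_ip: Dict[str, Binding] = {}
        self.global_policy: Set[Tuple[str, str]] = set()     # (dst_user, proto)
        self.services: Dict[str, Tuple[str, Set[str]]] = {}  # name -> (owner, acl)
        self.checks = 0  # permission checks performed (one per connection setup)

    def authenticate(self, user: str, mac: str, ip: str, switch: str, port: int) -> None:
        """Host authenticates from a switch port; an older binding for the same MAC
        (the host moved) is torn down together with the flows that relied on it."""
        for old_ip, b in list(self.by_ip.items()):
            if b.mac == mac:
                del self.by_ip[old_ip]
                self._revoke(old_ip)
        self.by_ip[ip] = Binding(user, mac, ip, switch, port)

    def _revoke(self, ip: str) -> None:
        for sw in self.switches.values():
            sw.flows = {k for k in sw.flows if ip not in k[:2]}

    def allow(self, dst_user: str, proto: str) -> None:
        """Global rule of the form 'allow all <dst_user> using <proto>'."""
        self.global_policy.add((dst_user, proto))

    def publish(self, name: str, owner: str, acl) -> None:
        """An owner publishes a name with its own list of permitted users."""
        self.services[name] = (owner, set(acl))

    def resolve(self, name: str) -> Optional[str]:
        """Published name -> the owner's current IP, through the binding chain."""
        owner, _ = self.services[name]
        return next((b.ip for b in self.by_ip.values() if b.user == owner), None)

    def first_packet(self, src_ip: str, name: str, proto: str) -> bool:
        """Connection setup: identify the sender, evaluate policy, install the flow."""
        self.checks += 1
        src = self.by_ip.get(src_ip)
        if src is None or name not in self.services:
            return False  # unauthenticated or spoofed source, or an unknown name
        owner, acl = self.services[name]
        dst_ip = self.resolve(name)
        if dst_ip is None or (src.user not in acl and (owner, proto) not in self.global_policy):
            return False
        key = (src_ip, dst_ip, proto)
        for sw_name in (src.switch, self.by_ip[dst_ip].switch):  # path: ingress and egress
            self.switches[sw_name].flows.add(key)
        return True


def demo() -> dict:
    """Replays the slide's scenario on constructed users, addresses and switches."""
    sw1, sw2, sw3 = Switch("sw1"), Switch("sw2"), Switch("sw3")
    arb = Arbiter([sw1, sw2, sw3])
    svc = "martin.friends.ambient-streams"
    arb.authenticate("martin", "ca:fe:de:ad:be:ef", "10.0.0.20", "sw1", 3)
    arb.authenticate("tal", "00:11:22:33:44:55", "10.0.0.31", "sw2", 1)
    arb.authenticate("guest", "66:77:88:99:aa:bb", "10.0.0.40", "sw2", 2)
    arb.allow("martin", "rtp")  # (allow all martin using rtp)
    arb.publish(svc, "martin", ["tal", "sundar", "aditya"])
    r = {}
    r["tal_first"] = arb.first_packet("10.0.0.31", svc, "http")    # True: tal is on the ACL
    r["tal_second"] = sw2.packet("10.0.0.31", "10.0.0.20", "http")  # "forward": no arbiter round trip
    r["guest_http"] = arb.first_packet("10.0.0.40", svc, "http")   # False: not on the ACL, no rule
    r["guest_rtp"] = arb.first_packet("10.0.0.40", svc, "rtp")     # True: global rtp rule
    r["spoof"] = arb.first_packet("10.0.0.99", svc, "rtp")         # False: address has no binding
    # martin moves to another switch and gets a new address; policy is untouched.
    arb.authenticate("martin", "ca:fe:de:ad:be:ef", "10.0.0.21", "sw3", 7)
    r["stale"] = sw2.packet("10.0.0.31", "10.0.0.20", "http")      # "punt": old flow revoked
    r["after_move"] = arb.first_packet("10.0.0.31", svc, "http")   # True: name resolves to new IP
    r["new_dst"] = arb.resolve(svc)                                # "10.0.0.21"
    r["martin_switch"] = arb.by_ip["10.0.0.21"].switch             # "sw3"
    r["policy_rules"] = len(arb.global_policy)                     # 1: nothing had to change
    r["checks"] = arb.checks                                       # 5: one per connection setup
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point to take from running it: the only state that changes when martin's host moves is its binding, and the stale cached flow is dropped by the arbiter, not by an administrator editing ACLs, ARP caches or port-security entries on every box the address appeared in.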
Thanks!
?
Isolation
• Networks exist today with differing levels of sensitivity: casino, financial, medical, government/military
• Want reasonable isolation
  • No DDoS from less secure to more secure
  • No data exfiltration from more secure to less secure
  • Note: VLANs are generally insufficient
• This is not solely a government-network problem
Today's Solution
• (really) heavyweight application proxy (canonicalization + fuzzy timers)
• OR …
Isolation Cont …
• Obviously suboptimal
  • Management
  • Number of components (MTTF)
• Could use the same components with separate queues, TDM
• Consolidation is on the road-map for some very large networks