The Protection Problem in Enterprise Networks - PowerPoint PPT Presentation

Presented at EdgeNet 2006, May 2006. Provided by: martin326. Slides: 24.
Transcript and Presenter's Notes

1
The Protection Problem in Enterprise Networks
Martin Casado, PhD Student in Computer Science,
Stanford University, casado@cs.stanford.edu, http://www.stanford.edu/casado
2
Talk Focus
  • Negative effects of protection measures on edge
    networks
  • Motivated by anecdotes from real networks
  • Introduce Ethane

3
Network Examples
  • National lab, small to moderate-size business,
    academic, hospital
  • Security sensitive
  • More LAN than large routable network

4
Problem Areas
  • Inflexibility
  • Loss of Redundancy
  • Filtering woes

5
Problems
  • Inflexibility
  • Loss of Redundancy
  • Filtering Woes

6
Inflexibility
[Diagram: host behind a Firewall, Router and L2 Switch]
  • If one host is compromised, it can't sniff the traffic
    of others
  • Can't enumerate how many hosts are on the network
  • Can only get out through a proxy
  • Prevent rogue connections

7
Inflexibility
[Diagram: host behind a Firewall, Router and L2 Switch]
Firewall rules: ACCEPT 192.168.1.20
  • If one host is compromised, it can't sniff the traffic
    of others
  • Can't enumerate how many hosts are on the network
  • Can only get out through a proxy
  • Prevent rogue connections

8
Inflexibility
[Diagram: host behind a Firewall, Router and L2 Switch]
Firewall rules: ACCEPT 192.168.1.20
  • Turn off ARP
  • Static ARP cache: ca:fe:de:ad:be:ef 192.168.1.20
  • Turn off ARP
  • Static ARP cache: ca:fe:d0:d0 192.168.1.1

9
Inflexibility
[Diagram: host behind a Firewall, Router and L2 Switch]
Firewall rules: ACCEPT 192.168.1.20
  • No DHCP
    • Also insecure
    • Might undermine firewall rules
    • Might undermine the static ARP cache
  • Turn off ARP
  • Static ARP cache: ca:fe:de:ad:be:ef 192.168.1.20
  • Turn off ARP
  • Static ARP cache: ca:fe:d0:d0 192.168.1.1

10
Inflexibility
[Diagram: host behind a Firewall, Router and L2 Switch]
Firewall rules: ACCEPT 192.168.1.20
  • No DHCP
    • Might undermine firewall rules
    • Might undermine the static ARP cache
  • Turn off ARP
  • Static ARP cache: ca:fe:de:ad:be:ef 192.168.1.20
  • Port security: tie the MAC address to the port
    (ca:fe:de:ad:be:ef 192.168.1.20)
  • Turn off ARP
  • Static ARP cache: ca:fe:d0:d0 192.168.1.1

11
Inflexibility
  • Topology (ports, interfaces) and addresses are
    sprinkled throughout configuration state
  • No distributed maintenance, unlike routing tables
  • Difficult to move machines
  • Moving machines can be bad
  • Indirection points (e.g. ARP, DHCP) are insecure
    (so they are often removed)
  • MAC addresses everywhere
    • Chew up memory
    • No aggregation?

12
Problems
  • Inflexibility
  • Loss of Redundancy
  • Filtering Woes

13
Loss of Redundancy
14
Loss of Redundancy
  • Easier to reason about/verify
  • Proxies are a catalyst
  • Distributed firewalls are not the solution
  • Lack of good support for L5 routing (does anyone
    have this turned on?)
  • Existing solutions exacerbate the problem
    • Do-everything proxies
    • Single-bridge NACs

15
Problems
  • Inflexibility
  • Loss of Redundancy
  • Filtering Woes

16
Filtering Woes
  • Filtering is done on the datapath today
  • Generally limited filtering state (so that forwarding
    tables can be large)
  • A common problem is running out of ACLs
  • MAC addresses everywhere
    • Chew up memory
    • No aggregation?
  • In some networks, forwarding tables + filters
    doesn't make sense...

17
Ethane: Towards a Solution
  • Centrally declare network policy
  • Authenticated end-hosts
  • A central arbiter grants permission to connect on
    a per-flow basis
  • The central arbiter has fine-grained control of
    routes

18
Ethane
[Diagram: example exchange with the central arbiter]
  • Publish: martin.friends.ambient-streams, allow tal,
    sundar, aditya
  • Authenticate: "hi, I'm tal, my password is ..."
  • First packet to: martin.friends.ambient-streams
  • Authenticate: "hi, I'm martin, my password is ..."
  • Global Network Policy: (allow all martin using
    rtp)
19
Ethane Properties
  • Flexibility
    • Dynamic bindings are secure (movement is easy)
    • Security policy is independent of topology
  • Redundancy
    • More switches != more configuration state
    • Fine-grained control of routes allows L5 routing
  • Permission checks are done on connection setup (taken
    off the data path)
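An added example (not from the slides or from the Ethane project) that contrasts the per-device state of slides 7 to 11 with the name-based, centrally bound policy of slides 17 to 19: moving a host touches every device entry that names its address, while the arbiter only refreshes a binding. The Host/Arbiter types, the policy format and the address 10.0.0.7 are assumptions.

```python
from collections import namedtuple

# name: the principal Ethane keys policy on; port: the L2 switch port the host is on
Host = namedtuple("Host", "name mac ip port")
# Today's network (slides 7-10): the host's identity is copied into three devices:
# firewall_accept = {ip} (ACCEPT rules), router_arp = {ip: mac} (static ARP cache),
# port_security = {switch_port: mac} (MAC tied to a port on the L2 switch)
StaticConfig = namedtuple("StaticConfig", "firewall_accept router_arp port_security")

def entries_to_edit(cfg: StaticConfig, h: Host) -> list:
    """Device entries naming the host's IP or MAC: each is hand-edited when it moves."""
    hits = [("firewall", h.ip)] if h.ip in cfg.firewall_accept else []
    if cfg.router_arp.get(h.ip) == h.mac:
        hits.append(("router static ARP", h.ip))
    hits += [("switch port-security", p) for p, m in cfg.port_security.items() if m == h.mac]
    return hits

# Ethane (slides 17-19): bindings and name-based policy live in one central arbiter.
class Arbiter:
    def __init__(self):
        self.bindings = {}   # name -> Host, refreshed each time a host authenticates
        self.policy = {}     # published resource -> set of principal names allowed
    def authenticate(self, h: Host):            # "hi, I'm tal, ..." (password check elided)
        self.bindings[h.name] = h
    def publish(self, resource: str, allowed):  # "Publish X, allow tal, sundar, aditya"
        self.policy[resource] = set(allowed)
    def first_packet(self, src_mac: str, src_ip: str, resource: str) -> bool:
        """Flow-setup check, off the data path: addresses -> principal -> name policy."""
        who = next((n for n, b in self.bindings.items()
                    if b.mac == src_mac and b.ip == src_ip), None)
        return who is not None and who in self.policy.get(resource, set())

def demo():
    res = "martin.friends.ambient-streams"
    tal = Host("tal", "ca:fe:de:ad:be:ef", "192.168.1.20", port=3)
    cfg = StaticConfig({tal.ip}, {tal.ip: tal.mac}, {3: tal.mac})
    arb = Arbiter()
    arb.publish(res, ["tal", "sundar", "aditya"])
    arb.authenticate(tal)
    ok = arb.first_packet(tal.mac, tal.ip, res)                 # bound and allowed: True
    spoof = arb.first_packet("00:00:00:00:00:01", tal.ip, res)  # MAC never bound: False
    moved = Host("tal", tal.mac, "10.0.0.7", port=9)            # assumed move to a new port/IP
    arb.authenticate(moved)                                     # only the binding changes
    still_ok = arb.first_packet(moved.mac, moved.ip, res)       # policy untouched: True
    return len(entries_to_edit(cfg, tal)), ok, spoof, still_ok
```

The static configuration reports three entries to edit for one move; the arbiter's policy never mentions an address, so the move costs a single re-authentication.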

20
Thanks!
  • ?

21
Isolation
  • Networks exist today with differing levels of
    sensitivity
    • Casino
    • Financial
    • Medical
    • Government/Military
  • Want reasonable isolation
    • No DDoS from less secure to more secure
    • No data exfiltration from more secure to less secure
  • Note: VLANs are generally insufficient

This is not solely a government network problem
22
Today's Solution
[Diagram] (really) heavyweight application
proxy (canonicalization, fuzzy timers)
OR
23
Isolation (cont.)
  • Obviously suboptimal
    • Management
    • Number of components (MTTF)
  • Could use the same components with separate queues, TDM
  • Consolidation is on the road-map for some very large
    networks