Architectural Support for Security Management in Enterprise Networks
Total Page:16
File Type:pdf, Size:1020Kb
ARCHITECTURAL SUPPORT FOR SECURITY MANAGEMENT IN ENTERPRISE NETWORKS A DISSERTATION SUBMITTED TO THE DEPARTMENT OF COMPUTER SCIENCE AND THE COMMITTEE ON GRADUATE STUDIES OF STANFORD UNIVERSITY IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY Martin Casado August 2007 Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. UMI Number: 3281806 INFORMATION TO USERS The quality of this reproduction is dependent upon the quality of the copy submitted. Broken or indistinct print, colored or poor quality illustrations and photographs, print bleed-through, substandard margins, and improper alignment can adversely affect reproduction. In the unlikely event that the author did not send a complete manuscript and there are missing pages, these will be noted. Also, if unauthorized copyright material had to be removed, a note will indicate the deletion. ® UMI UMI Microform 3281806 Copyright 2007 by ProQuest Information and Learning Company. All rights reserved. This microform edition is protected against unauthorized copying under Title 17, United States Code. ProQuest Information and Learning Company 300 North Zeeb Road P.O. Box 1346 Ann Arbor, Ml 48106-1346 Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. (c) Copyright by Martin Casado 2007 All Rights Reserved ii Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. I certify that I have read this dissertation and that, in my opinion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy. f f- f (Nick McKeown) Principal Adviser I certify that I have read this dissertation and that, in my opinion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy. (Scott Shenker) I certify that I have read this dissertation and that, in my opinion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy. (Dan Boneh) Approved for the University Committee on Graduate Studies. iii Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. To my parents, and their power to lend dreams. And to my niece Brittani, and her power to achieve them. iv Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. Abstract Enterprise networks are often large, run a wide variety of applications and protocols, and operate under strict reliability constraints; thus, they represent a challenging environment for security management. Security policies in todays enterprise are typ ically enforced by regulating connectivity with a combination of complex routing and bridging policies along with various interdiction mechanisms such as ACLs, packet filters, and middleboxes that attempt to retrofit access control onto an otherwise permissive network architecture. This leads to networks that are inflexible, fragile, difficult to manage, and still riddled with security problems. This thesis presents a principled approach to network redesign that creates more secure and manageable networks. We propose a new network architecture in which a global security policy defines all connectivity. The policy is declared at a logically centralized Controller and then enforced directly at each switch. All communication must first obtain permission from the Controller before being forwarded by any of the network switches. The Controller manages the policy namespace and performs all routing and access control decisions, while the switches are reduced to simple forwarding engines that enforce the Controller’s decisions. We present an idealized instantiation of the network architecture called SANE. In SANE, the Controller grants permission to requesting flows by handing out ca pabilities (encrypted source routes). SANE switches will only forward a packet if it contains a valid capability between the link and network headers. SANE thus intro duces a new, low-level protection layer that defines all connectivity on the network. We present the design and prototype implementation, showing that the design can easily scale to networks of tens of thousands of nodes. v Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. SANE would require a fork-lift replacement of an enterprise’s entire networking infrastructure and changes to all the end-hosts. While this might be suitable in some cases, it is clearly a significant impediment to widespread adoption. To address this, we present Ethane a deployable instantiation of our architecture. Ethane does not require modification to end-hosts and can be incrementally deployed within an exist ing network. Instead of handing out capabilities, permission is granted by explicitly setting up flows at each switch. We have implemented Ethane in both hardware and software, supporting both wired and wireless hosts. We describe our experience managing an operational Ethane network of over 300 hosts. vi Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. Acknowledgements It is hard to overstate the impact my adviser, Nick McKeown, has had on my growth as a student, an engineer, and a researcher. His introductory networking course, which I took prior to attending graduate school, re-enforced my passion for networks, led me to apply for the Ph.D. program, and remains the best class I have ever taken. Through example, Nick has shaped my perception of what it takes to be a world class researcher: unwavering focus, comfort with risk, trend skepticism, attention to detail, and the ability to discern deep results over shallow findings. He is a model researcher, an accomplished entrepreneur, an inspiring educator, and a brilliant adviser. I am deeply honored to be a member of his group. I would also like to thank Dan Boneh and Scott Shenker for their mentorship dur ing my studies. In addition to research guidance, I am very grateful for the comments and feedback they provided while enduring positions on my reading committee. The primary focus of my thesis grew out of the SANE and Ethane projects, neither of which would have been successful without our exceptionally skilled team. I would like to thank Michael Freedman, Tal Garfinkel, Justin Pettit, Jianying Luo, Aditya Akella, Natasha Gude, Gregory Watson, Dan Boneh, Scott Shenker and Nick McKeown for their many significant contributions. Throughout my graduate studies I was fortunate enough to be a member of the high performance networking group, the best research group on the planet. Every member has had a hand in very positively shaping my graduate experience. In ad dition to those already mentioned, I thank Guido Appenzeller, Shang-Tse Chuang, Isaac Keslassy, Sundar Iyer, Neda Beheshti, Nandita Dukkipati, Glenn Gibb, Yashar vii Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. Ganjali, Jad Naous, Rui Zhang-Shen, Dan Wendlandt, Paul Tarjan, and David Er ickson. I also had the privilege to work with a number of extremely talented researchers outside of my core research group. With each new project, I learned a little more about software development, research, writing, and the vicissitudes of the peer review process. Certainly, my acquired skill-set over the last few years was largely snatched, borrowed, pilfered, and copied from my various collaborators. To this end, I would like to thank Pei Cao, Aditya Akella, Tal Garfinkel, Vern Paxson, and Michael Freedman. Finally, I would like to thank my wife Kristin - I simply could not have managed without her encouragement and support. It is widely accepted that being the spouse of a Ph.D. student requires tremendous patience and understanding. A less well-known corollary is that these requirements are doubled if the field of study is computer science, and again doubled if Nick is the research adviser. Enduring the trek with me was a monumental feat for which I will always be grateful. Above all, thanks to you, my love. viii Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. Contents iv Abstract v Acknowledgements vii 1 Introduction 1 1.1 Problems with Current Approaches ........................................................ 2 1.2 Solution Requirements .............................................................................. 4 1.2.1 Threat Environment..................................................................... 6 1.3 A Centralized, Default-Off Solution ........................................................ 6 1.4 Why Focus on the Enterprise? ................................................................. 8 1.5 Previous W orks .......................................................................................... 9 1.6 Organization of T hesis .............................................................................. 11 2 SANE: An Idealized Architecture 13 2.1 Introduction ................................................................................................ 13 2.2 System Architecture ................................................................................. 13 2.2.1 C ontroller........................................................................................ 14 2.2.2 Network Service D irectory ............................................................ 16 2.2.3 Protection L a y e