SANE: A protection architecture for enterprise networks
Authors: M. Casado, Tal Garfinkel, A. Akella, M. Freedman, D. Boneh, N. McKeown, and S. Shenker
Abstract:
Connectivity in today's enterprise networks is regulated
by a combination of complex routing and bridging policies,
along with various interdiction mechanisms such as
ACLs, packet filters, and other middleboxes that attempt
to retrofit access control onto an otherwise permissive
network architecture. This leads to enterprise networks
that are inflexible, fragile, and difficult to manage.
To address these limitations, we offer SANE, a protection
architecture for enterprise networks. SANE defines
a single protection layer that governs all connectivity
within the enterprise. All routing and access control
decisions are made by a logically-centralized server
that grants access to services by handing out capabilities
(encrypted source routes) according to declarative access
control policies (e.g., "Alice can access http server foo").
Capabilities are enforced at each switch, which are simple
and only minimally trusted. SANE offers strong attack
resistance and containment in the face of compromise,
yet is practical for everyday use. Our prototype implementation
shows that SANE could be deployed in current
networks with only a few modifications, and it can
easily scale to networks of tens of thousands of nodes.
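The following is an added example, not code from the SANE paper or its prototype. It models the abstract's mechanism: a domain controller that shares a symmetric key with each switch, checks a declarative (principal, service) policy, and hands out a capability that is an onion-encrypted source route; each switch opens only its own layer, learns the next hop, and forwards the rest, so a single compromised switch learns neither the full route nor the policy. The switch names, the policy tuple format, the caller-supplied path, and the stdlib-only authenticated encryption (an HMAC-SHA256 keystream with an HMAC tag, standing in for a real AEAD such as AES-GCM) are all assumptions made for the example.

```python
# Added example (not from the SANE paper): a toy model of capabilities as
# encrypted source routes. The cipher is a stdlib-only stand-in for an AEAD.
import hashlib
import hmac
import json
import os
from typing import Dict, List, Optional, Set, Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode (assumption: not a real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag before decrypting; None means wrong key or tampering."""
    if len(blob) < 48:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class DomainController:
    """Logically centralized: holds every switch key and the access policy."""

    def __init__(self, switch_keys: Dict[str, bytes], policy: Set[Tuple[str, str]]):
        self.switch_keys = switch_keys
        self.policy = policy  # (principal, service) pairs, e.g. ("alice", "http-foo")

    def issue_capability(self, principal: str, service: str, path: List[str]) -> Optional[bytes]:
        """Onion-encrypt the source route `path` (assumed computed elsewhere), or deny."""
        if (principal, service) not in self.policy:
            return None
        inner, next_hop = b"", service  # innermost layer tells the last switch the host
        for switch in reversed(path):
            layer = json.dumps({"next": next_hop, "inner": inner.hex()}).encode()
            inner = seal(self.switch_keys[switch], layer)
            next_hop = switch  # the previous switch's layer points at this one
        return inner


class Switch:
    """Minimally trusted: knows only its own key and peels one layer per packet."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def process(self, capability: bytes) -> Optional[Tuple[str, bytes]]:
        plaintext = unseal(self.key, capability)
        if plaintext is None:
            return None  # forged, tampered, or not sealed for this switch: drop
        layer = json.loads(plaintext)
        return layer["next"], bytes.fromhex(layer["inner"])


def forward(switches: Dict[str, Switch], first_hop: str, capability: bytes) -> Optional[str]:
    """Walk hop by hop; return the host reached, or None if some switch dropped it."""
    hop, cap = first_hop, capability
    for _ in range(len(switches) + 1):  # a valid route visits each switch at most once
        if hop not in switches:
            return hop  # left the switch fabric: delivered to a host
        result = switches[hop].process(cap)
        if result is None:
            return None
        hop, cap = result
    return None


def run_demo() -> Dict[str, Optional[str]]:
    # Constructed sample network: three switches, one policy rule.
    keys = {name: os.urandom(32) for name in ("sw1", "sw2", "sw3")}
    dc = DomainController(keys, policy={("alice", "http-foo")})
    switches = {name: Switch(name, key) for name, key in keys.items()}
    path = ["sw1", "sw2", "sw3"]
    cap = dc.issue_capability("alice", "http-foo", path)
    tampered = bytearray(cap)
    tampered[20] ^= 0x01  # flip one ciphertext byte: sw1's tag check fails
    return {
        "alice_allowed": forward(switches, path[0], cap),
        "bob_denied": dc.issue_capability("bob", "http-foo", path),  # no policy entry
        "tampered_dropped": forward(switches, path[0], bytes(tampered)),
        "wrong_entry_dropped": forward(switches, "sw2", cap),  # sw2 cannot open sw1's layer
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the block shows the four outcomes the abstract implies: a policy-permitted flow reaches `http-foo`, a principal with no policy entry never receives a capability, a modified capability is dropped at the first switch that fails its tag check, and a capability injected at the wrong switch is dropped because that switch cannot open a layer sealed for another key.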
Reference:
In Proceedings of USENIX Security '06, pp. 137-151, 2006