Architectural support for security management in enterprise networks

Posted on: 2008-10-12
Degree: Ph.D
Type: Thesis
University: Stanford University
Candidate: Casado, Martin
Full Text: PDF
GTID: 2448390005951456
Subject: Computer Science
Abstract/Summary:
Enterprise networks are often large, run a wide variety of applications and protocols, and operate under strict reliability constraints; thus, they represent a challenging environment for security management. Security policies in today's enterprise are typically enforced by regulating connectivity with a combination of complex routing and bridging policies along with various interdiction mechanisms such as ACLs, packet filters, and middleboxes that attempt to retrofit access control onto an otherwise permissive network architecture. This leads to networks that are inflexible, fragile, difficult to manage, and still riddled with security problems.

This thesis presents a principled approach to network redesign that creates more secure and manageable networks. We propose a new network architecture in which a global security policy defines all connectivity. The policy is declared at a logically centralized Controller and then enforced directly at each switch. All communication must first obtain permission from the Controller before being forwarded by any of the network switches. The Controller manages the policy namespace and performs all routing and access control decisions, while the switches are reduced to simple forwarding engines that enforce the Controller's decisions.

We present an idealized instantiation of the network architecture called SANE. In SANE, the Controller grants permission to requesting flows by handing out capabilities (encrypted source routes). SANE switches will only forward a packet if it contains a valid capability between the link and network headers. SANE thus introduces a new, low-level protection layer that defines all connectivity on the network.

SANE would require a fork-lift replacement of an enterprise's entire networking infrastructure and changes to all the end-hosts. While this might be suitable in some cases, it is clearly a significant impediment to widespread adoption.
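The capability mechanism described for SANE, as an added example that is not code from the thesis or from the SANE implementation. The model is my own simplification: the Controller shares a symmetric key with each switch, a capability is a chain of per-hop layers built from the last hop backwards, and each layer carries an HMAC-SHA256 tag under that switch's key, binding the next hop, the source/destination pair and the inner layers. A switch forwards only if its own layer verifies and matches the packet; otherwise the packet is dropped. The thesis describes capabilities as encrypted source routes that also hide the route; this example authenticates the layers rather than encrypting them, so the route is visible on the wire. The switch keys, paths and policy are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Hypothetical per-switch keys shared with the Controller (constructed for the example).
SWITCH_KEYS = {
    "s1": b"key-for-s1",
    "s2": b"key-for-s2",
    "s3": b"key-for-s3",
}

# Hypothetical paths the Controller would compute from its topology view; hard-coded here.
PATHS = {
    ("hostA", "hostB"): ["s1", "s2", "s3"],
    ("hostA", "hostC"): ["s1", "s2"],
}

# Global policy: the only (src, dst) pairs allowed to communicate. Everything else is denied.
POLICY = {("hostA", "hostB")}


def _mac(key: bytes, layer: dict) -> str:
    """HMAC-SHA256 over the canonical JSON of a layer, excluding its own 'mac' field.
    The inner layers (with their tags) are part of the body, so the chain cannot be
    re-spliced without the key of the switch whose layer is being altered."""
    body = {k: v for k, v in layer.items() if k != "mac"}
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Controller:
    """Decides policy and hands out capabilities; switches never decide on their own."""

    def grant(self, src: str, dst: str) -> Optional[dict]:
        if (src, dst) not in POLICY:
            return None  # denied: no capability, so no switch will forward the flow
        path = PATHS[(src, dst)]
        cap = None
        # Build from the last switch back to the first so each layer wraps the rest.
        for i in range(len(path) - 1, -1, -1):
            sw = path[i]
            nxt = path[i + 1] if i + 1 < len(path) else dst
            layer = {"switch": sw, "src": src, "dst": dst, "next": nxt, "inner": cap}
            layer["mac"] = _mac(SWITCH_KEYS[sw], layer)
            cap = layer
        return cap


class Switch:
    """A forwarding engine: it only checks the outermost capability layer."""

    def __init__(self, name: str):
        self.name = name
        self.key = SWITCH_KEYS[name]

    def forward(self, pkt: dict) -> Optional[str]:
        """Return the next hop, or None to drop the packet."""
        cap = pkt.get("cap")
        if not cap or cap.get("switch") != self.name:
            return None  # no capability, or a layer meant for another switch
        if not hmac.compare_digest(_mac(self.key, cap), str(cap.get("mac", ""))):
            return None  # forged or tampered layer
        if cap["src"] != pkt["src"] or cap["dst"] != pkt["dst"]:
            return None  # capability reused for a different flow
        pkt["cap"] = cap["inner"]  # peel this hop's layer for the next switch
        return cap["next"]


def deliver(pkt: dict, first_switch: str) -> Optional[list]:
    """Walk a packet through the fabric; returns the hop list, or None if it was dropped."""
    switches = {n: Switch(n) for n in SWITCH_KEYS}
    hops, nxt = [], first_switch
    while nxt in switches:
        hops.append(nxt)
        nxt = switches[nxt].forward(pkt)
        if nxt is None:
            return None
    hops.append(nxt)  # left the fabric towards a host
    return hops if nxt == pkt["dst"] else None


if __name__ == "__main__":
    ctl = Controller()
    print(deliver({"src": "hostA", "dst": "hostB", "cap": ctl.grant("hostA", "hostB")}, "s1"))
    print(ctl.grant("hostA", "hostC"))  # denied by policy
```

Note what each switch needs to know: only its own key. It does not hold the policy, the topology, or the rest of the route, which is exactly the reduction of switches to simple forwarding engines that the architecture calls for.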
To address this, we present Ethane, a deployable instantiation of our architecture. Ethane does not require modification to end-hosts and can be incrementally deployed within an existing network. Instead of handing out capabilities, permission is granted by explicitly setting up flows at each switch. We have implemented Ethane in both hardware and software, supporting both wired and wireless hosts. We describe our experience managing an operational Ethane network of over 300 hosts.
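The flow-setup mechanism described for Ethane, as an added example that is not code from the thesis or from the Ethane implementation. The model is my own: a switch with no flow entry for a packet hands it to the Controller, which checks the global policy and the registered location of the source host, then either installs forwarding entries along the path or installs a drop entry at the ingress switch so later packets of the denied flow never reach the Controller again. Flow entries are keyed on (ingress port, src, dst), which is why a packet claiming to be from a host at a switch where that host is not registered is dropped. The topology, host locations and policy are constructed for the example, and the hosts are unmodified: they only send ordinary packets.

```python
from collections import deque
from typing import Optional

# Constructed topology: switch -> neighbouring switches.
TOPOLOGY = {"s1": ["s2"], "s2": ["s1", "s3"], "s3": ["s2"]}

# Where each host is registered (the binding the Controller enforces). Constructed.
HOST_LOCATION = {"hostA": "s1", "hostB": "s3", "hostC": "s2"}

# Global policy: allowed (src, dst) pairs; everything else is denied.
POLICY = {("hostA", "hostB")}

DROP = "DROP"


def shortest_path(topology: dict, start: str, goal: str) -> Optional[list]:
    """Breadth-first search over the switch graph."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nb in topology[node]:
            if nb not in prev:
                prev[nb] = node
                queue.append(nb)
    return None


class Switch:
    """Forwards from its flow table; unknown flows are sent to the Controller."""

    def __init__(self, name: str, controller: "Controller"):
        self.name = name
        self.controller = controller
        self.flow_table = {}          # (in_port, src, dst) -> next hop or DROP
        self.controller_requests = 0  # how often this switch had to ask

    def handle(self, pkt: dict) -> Optional[str]:
        key = (pkt["in_port"], pkt["src"], pkt["dst"])
        if key not in self.flow_table:
            self.controller_requests += 1
            self.controller.packet_in(self.name, pkt)  # first packet of a flow
        action = self.flow_table.get(key, DROP)
        return None if action == DROP else action


class Controller:
    """Holds policy, topology and host bindings; makes every forwarding decision."""

    def __init__(self, topology: dict, host_location: dict, policy: set):
        self.topology = topology
        self.host_location = host_location
        self.policy = policy
        self.switches = {}

    def attach(self, switch: Switch) -> None:
        self.switches[switch.name] = switch

    def packet_in(self, switch_name: str, pkt: dict) -> None:
        src, dst, in_port = pkt["src"], pkt["dst"], pkt["in_port"]
        key = (in_port, src, dst)
        ingress_ok = in_port == src and self.host_location.get(src) == switch_name
        dst_switch = self.host_location.get(dst)
        path = shortest_path(self.topology, switch_name, dst_switch) if dst_switch else None
        if not ingress_ok or (src, dst) not in self.policy or path is None:
            # Deny: install a drop entry so the flow is blocked at the edge from now on.
            self.switches[switch_name].flow_table[key] = DROP
            return
        # Permit: set up the flow explicitly at every switch on the path.
        for i, sw in enumerate(path):
            port = path[i - 1] if i > 0 else src
            nxt = path[i + 1] if i + 1 < len(path) else dst
            self.switches[sw].flow_table[(port, src, dst)] = nxt


def build_network():
    ctl = Controller(TOPOLOGY, HOST_LOCATION, POLICY)
    switches = {name: Switch(name, ctl) for name in TOPOLOGY}
    for sw in switches.values():
        ctl.attach(sw)
    return ctl, switches


def deliver(switches: dict, pkt: dict, ingress: str) -> Optional[list]:
    """Inject a packet at a switch; returns the hop list, or None if it was dropped."""
    pkt["in_port"] = pkt["src"]  # arrives on the host's access port
    hops, nxt = [], ingress
    while nxt in switches:
        hops.append(nxt)
        out = switches[nxt].handle(pkt)
        if out is None:
            return None
        pkt["in_port"] = nxt
        nxt = out
    hops.append(nxt)  # delivered to a host
    return hops


if __name__ == "__main__":
    ctl, switches = build_network()
    print(deliver(switches, {"src": "hostA", "dst": "hostB"}, "s1"))  # set up, then forwarded
    print(deliver(switches, {"src": "hostA", "dst": "hostC"}, "s1"))  # denied by policy
```

The contrast with the capability model is where the per-flow state lives: here it is in the switches' flow tables rather than in the packet, which is what lets unmodified hosts and existing switches take part, at the cost of a round trip to the Controller for the first packet of each flow.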
Keywords/Search Tags: Network, Security, SANE, Ethane