TY - CONF
T1 - Decoupling policy from configuration in campus and enterprise networks
T2 - Local and Metropolitan Area Networks (LANMAN), 2010 17th IEEE Workshop on
Y1 - 2010
A1 - Feamster, Nick
A1 - Nayak,A.
A1 - Kim,Hyojoon
A1 - Clark,R.
A1 - Mundada,Y.
A1 - Ramachandran,A.
A1 - bin Tariq,M.
KW - Access control
KW - Business communication
KW - campus network
KW - decoupling policy
KW - enterprise network management tasks
KW - enterprise network operator
KW - information flow control
KW - software defined network
KW - software radio
KW - telecommunication network management
KW - telecommunication security
AB - This paper surveys our ongoing work on the use of software-defined networking to simplify two acute policy problems in campus and enterprise network operations: access control and information flow control. We describe how the current coupling of high-level policy with low-level configuration makes these problems challenging today. We describe the specific policy problems faced by campus and enterprise network operators; illustrate our approach, which leverages recent trends in separating the network's "control plane" from the data plane; and show how this approach can be applied to simplify these two enterprise network management tasks. We also describe our ongoing deployment efforts to build a campus network testbed where trial designs can be deployed and evaluated. We close with a summary of current and future research challenges for solving challenges within enterprise networks within the context of this new paradigm.
JA - Local and Metropolitan Area Networks (LANMAN), 2010 17th IEEE Workshop on
M3 - 10.1109/LANMAN.2010.5507162
ER -

TY - CONF
T1 - Resonance: dynamic access control for enterprise networks
T2 - Proceedings of the 1st ACM workshop on Research on enterprise networking
Y1 - 2009
A1 - Nayak,Ankur Kumar
A1 - Reimers,Alex
A1 - Feamster, Nick
A1 - Clark,Russ
KW - Access control
KW - enterprise networks
KW - programmable networks
AB - Enterprise network security is typically reactive, and it relies heavily on host security and middleboxes. This approach creates complicated interactions between protocols and systems that can cause incorrect behavior and slow response to attacks. We argue that imbuing the network layer with mechanisms for dynamic access control can remedy these ills. We propose Resonance, a system for securing enterprise networks, where the network elements themselves enforce dynamic access control policies based on both flow-level information and real-time alerts. Resonance uses programmable switches to manipulate traffic at lower layers; these switches take actions (e.g., dropping or redirecting traffic) to enforce high-level security policies based on input from both higher-level security policies and distributed monitoring and inference systems. We describe the design of Resonance, apply it to Georgia Tech's network access control system, show how it can both overcome the current shortcomings and provide new security functions, describe our proposed deployment, and discuss open research questions.
JA - Proceedings of the 1st ACM workshop on Research on enterprise networking
T3 - WREN '09
PB - ACM
CY - New York, NY, USA
SN - 978-1-60558-443-0
UR - http://doi.acm.org/10.1145/1592681.1592684
M3 - 10.1145/1592681.1592684
ER -

TY - CONF
T1 - Fable: A Language for Enforcing User-defined Security Policies
T2 - IEEE Symposium on Security and Privacy, 2008. SP 2008
Y1 - 2008
A1 - Swamy,N.
A1 - Corcoran,B.J.
A1 - Hicks, Michael W.
KW - Access control
KW - Automata
KW - Collaborative work
KW - Communication system security
KW - Computer languages
KW - computer security
KW - Data security
KW - enforcement policy
KW - FABLE
KW - Government
KW - high-level security goals
KW - information flow
KW - Information security
KW - Language-based security
KW - programming languages
KW - Programming profession
KW - provenance
KW - security automata
KW - security labels
KW - security of data
KW - user-defined security policies
KW - verified enforcement
KW - Web programming language
AB - This paper presents FABLE, a core formalism for a programming language in which programmers may specify security policies and reason that these policies are properly enforced. In FABLE, security policies can be expressed by associating security labels with the data or actions they protect. Programmers define the semantics of labels in a separate part of the program called the enforcement policy. FABLE prevents a policy from being circumvented by allowing labeled terms to be manipulated only within the enforcement policy; application code must treat labeled values abstractly. Together, these features facilitate straightforward proofs that programs implementing a particular policy achieve their high-level security goals. FABLE is flexible enough to implement a wide variety of security policies, including access control, information flow, provenance, and security automata. We have implemented FABLE as part of the LINKS web programming language; we call the resulting language SELinks. We report on our experience using SELinks to build two substantial applications, a wiki and an on-line store, equipped with a combination of access control and provenance policies. To our knowledge, no existing framework enables the enforcement of such a wide variety of security policies with an equally high level of assurance.
JA - IEEE Symposium on Security and Privacy, 2008. SP 2008
PB - IEEE
SN - 978-0-7695-3168-7
M3 - 10.1109/SP.2008.29
ER -

TY - CONF
T1 - Managing policy updates in security-typed languages
T2 - 19th IEEE Computer Security Foundations Workshop, 2006
Y1 - 2006
A1 - Swamy,N.
A1 - Hicks, Michael W.
A1 - Tse,S.
A1 - Zdancewic,S.
KW - Access control
KW - Computer languages
KW - Data security
KW - Database systems
KW - dynamic queries
KW - dynamic semantics
KW - Educational institutions
KW - high level languages
KW - Information security
KW - information-flow policy management
KW - Lattices
KW - Network servers
KW - Operating systems
KW - policy update management
KW - Robustness
KW - role-based security policies
KW - RT role-based trust-management framework
KW - Rx security-typed programming language
KW - security of data
KW - statically verified transactions
KW - transitive flows
AB - This paper presents Rx, a new security-typed programming language with features intended to make the management of information-flow policies more practical. Security labels in Rx, in contrast to prior approaches, are defined in terms of owned roles, as found in the RT role-based trust-management framework. Role-based security policies allow flexible delegation, and our language Rx provides constructs through which programs can robustly update policies and react to policy updates dynamically. Our dynamic semantics use statically verified transactions to eliminate illegal information flows across updates, which we call transitive flows. Because policy updates can be observed through dynamic queries, policy updates can potentially reveal sensitive information. As such, Rx considers policy statements themselves to be potentially confidential information and subject to information-flow metapolicies.
JA - 19th IEEE Computer Security Foundations Workshop, 2006
PB - IEEE
SN - 0-7695-2615-2
M3 - 10.1109/CSFW.2006.17
ER -

TY - JOUR
T1 - Class-based access control for distributed video-on-demand systems
JF - IEEE Transactions on Circuits and Systems for Video Technology
Y1 - 2005
A1 - Mundur, Padma
A1 - Sood,A. K
A1 - Simon,R.
KW - Access control
KW - Admission control
KW - Analytical models
KW - blocking performance
KW - class-based access control
KW - Computational modeling
KW - Computer architecture
KW - Computer science
KW - Distributed control
KW - Distributed video-on-demand (VoD) system
KW - distributed video-on-demand system
KW - multimedia systems
KW - multirate service model
KW - Performance analysis
KW - QoS
KW - quality of service
KW - request handling policy
KW - resource allocation
KW - resource capacity
KW - telecommunication congestion control
KW - threshold-based admission control
KW - video on demand
AB - The focus of this paper is the analysis of threshold-based admission control policies for distributed video-on-demand (VoD) systems. Traditionally, admission control methods control access to a resource based on the resource capacity. We have extended that concept to include the significance of an arriving request to the VoD system by enforcing additional threshold restrictions in the admission control process on request classes deemed less significant. We present an analytical model for computing blocking performance of the VoD system under threshold-based admission control. Extending the same methodology to a distributed VoD architecture we show through simulation that the threshold performance conforms to the analytical model. We also show that threshold-based analysis can work in conjunction with other request handling policies and is useful for manipulating the VoD performance since we are able to distinguish between different request classes based on their merit. Enforcing threshold restrictions with the option of downgrading blocked requests in a multirate service environment results in improved performance while at the same time providing different levels of quality of service (QoS). In fact, we show that the downgrade option combined with threshold restrictions is a powerful tool for manipulating an incoming request mix over which we have no control into a workload that the VoD system can handle.
VL - 15
SN - 1051-8215
CP - 7
M3 - 10.1109/TCSVT.2005.848351
ER -

TY - JOUR
T1 - Secure quality of service handling: SQoSH
JF - IEEE Communications Magazine
Y1 - 2000
A1 - Alexander,D. S
A1 - Arbaugh, William A.
A1 - Keromytis,A. D
A1 - Muir,S.
A1 - Smith,J. M
KW - Acceleration
KW - Access control
KW - active networks
KW - ALIEN active loader
KW - Clocks
KW - Computer network management
KW - cryptographic credentials
KW - cryptography
KW - customized networking services
KW - Data security
KW - Data structures
KW - denial-of-service attacks
KW - interfaces
KW - Kernel
KW - loaded modules
KW - network resources
KW - network traffic
KW - open signaling
KW - packet switching
KW - Piglet lightweight device kernel
KW - programmable network element
KW - programmable network infrastructures
KW - Programming profession
KW - Proposals
KW - quality of service
KW - remote invocation
KW - resource control
KW - restricted control of quality of service
KW - SANE
KW - scheduling
KW - scheduling discipline
KW - secure active network environment architecture
KW - secure quality of service handling
KW - security infrastructure
KW - security risks
KW - SQoSH
KW - SwitchWare architecture
KW - telecommunication security
KW - tuning knobs
KW - virtual clock
AB - Proposals for programmable network infrastructures, such as active networks and open signaling, provide programmers with access to network resources and data structures. The motivation for providing these interfaces is accelerated introduction of new services, but exposure of the interfaces introduces many new security risks. We describe some of the security issues raised by active networks. We then describe our secure active network environment (SANE) architecture. SANE was designed as a security infrastructure for active networks, and was implemented in the SwitchWare architecture. SANE restricts the actions that loaded modules can perform by restricting the resources that can be named; this is further extended to remote invocation by means of cryptographic credentials. SANE can be extended to support restricted control of quality of service in a programmable network element. The Piglet lightweight device kernel provides a "virtual clock" type of scheduling discipline for network traffic, and exports several tuning knobs with which the clock can be adjusted. The ALIEN active loader provides safe access to these knobs to modules that operate on the network element. Thus, the proposed SQoSH architecture is able to provide safe, secure access to network resources, while allowing these resources to be managed by end users needing customized networking services. A desirable consequence of SQoSH's integration of access control and resource control is that a large class of denial-of-service attacks, unaddressed solely with access control and cryptographic protocols, can now be prevented.
VL - 38
SN - 0163-6804
CP - 4
M3 - 10.1109/35.833566
ER -

TY - JOUR
T1 - Safety and security of programmable network infrastructures
JF - IEEE Communications Magazine
Y1 - 1998
A1 - Alexander,S.
A1 - Arbaugh, William A.
A1 - Keromytis,A. D
A1 - Smith,J. M
KW - Access control
KW - error protection
KW - IP networks
KW - Multicast protocols
KW - network architecture
KW - network operating systems
KW - network service model
KW - operating system
KW - Power system dynamics
KW - Power system modeling
KW - Power system reliability
KW - programmable languages
KW - programmable network infrastructures
KW - programming languages
KW - Proposals
KW - Protection
KW - reliability properties
KW - Safety
KW - Secure Active Network Environment
KW - Security
KW - security of data
KW - service creation
KW - service providers
KW - Switches
KW - telecommunication computing
KW - telecommunication network reliability
KW - Web and internet services
AB - Safety and security are two reliability properties of a system. A "safe" system provides protection against errors of trusted users, while a "secure" system protects against errors introduced by untrusted users. There is considerable overlap between mechanisms to support each property. Requirements for rapid service creation have stimulated the development of programmable network infrastructures, where end users or service providers can customize the properties of a network infrastructure while it continues to operate. A central concern of potential users of such systems is their reliability and, most specifically, their safety and security. In this article we explain the impact the network service model and architecture have on safety and security, and provide a model with which policies can be translated into restrictions of a general system. We illustrate these ideas with the Secure Active Network Environment (SANE) architecture, which provides a means of controlling access to the functions provided by any programmable infrastructure.
VL - 36
SN - 0163-6804
CP - 10
M3 - 10.1109/35.722141
ER -
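The Resonance abstract above describes network elements that enforce dynamic access control from flow-level information plus real-time alerts, with switches dropping or redirecting traffic as a host's security standing changes. The following is an added illustration written for this page, not code from the Resonance project: a minimal controller in which per-host state is driven by alerts from an authentication system, a scanner and an IDS, each new flow is mapped to a switch action by the host's current state, and a state change flushes the rules already pushed to the switches so stale permissions do not outlive the alert. The state names, alert names, port policy and MAC addresses are assumptions for the example only.

```python
"""Alert-driven, flow-level access control modelled on the Resonance idea.

Constructed example: host states, alert names and the per-state port policy
below are assumptions for illustration, not taken from the paper.
"""
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    REGISTRATION = "registration"    # unknown host, must authenticate first
    AUTHENTICATED = "authenticated"  # identity known, not yet scanned
    OPERATION = "operation"          # full network access
    QUARANTINED = "quarantined"      # flagged by the scanner or the IDS


class Action(Enum):
    ALLOW = "allow"
    DROP = "drop"
    REDIRECT_PORTAL = "redirect-to-portal"
    REDIRECT_REMEDIATION = "redirect-to-remediation"


@dataclass(frozen=True)
class Flow:
    src_mac: str
    proto: str      # "tcp" or "udp"
    dst_port: int


# (current state, alert) -> next state. Alerts arrive from the auth system,
# a vulnerability scanner and an IDS; anything not listed leaves the state alone.
TRANSITIONS = {
    (State.REGISTRATION, "auth_ok"): State.AUTHENTICATED,
    (State.AUTHENTICATED, "scan_clean"): State.OPERATION,
    (State.AUTHENTICATED, "scan_vulnerable"): State.QUARANTINED,
    (State.OPERATION, "ids_infection"): State.QUARANTINED,
    (State.QUARANTINED, "remediated"): State.AUTHENTICATED,
}

DNS = ("udp", 53)
WEB = {("tcp", 80), ("tcp", 443)}


class Controller:
    """Decides per-flow actions and remembers which rules the switches hold."""

    def __init__(self):
        self._state = {}      # mac -> State; absent hosts are in REGISTRATION
        self._installed = {}  # mac -> set of (Flow, Action) currently in switches

    def state_of(self, mac):
        return self._state.get(mac, State.REGISTRATION)

    def decide(self, flow):
        """Action for a new flow, as a switch would ask on a table miss."""
        s = self.state_of(flow.src_mac)
        key = (flow.proto, flow.dst_port)
        if s is State.OPERATION:
            action = Action.ALLOW
        elif key == DNS:
            action = Action.ALLOW              # name resolution in every state
        elif key in WEB and s is State.QUARANTINED:
            action = Action.REDIRECT_REMEDIATION
        elif key in WEB:                       # REGISTRATION or AUTHENTICATED
            action = Action.REDIRECT_PORTAL
        else:
            action = Action.DROP               # default deny
        self._installed.setdefault(flow.src_mac, set()).add((flow, action))
        return action

    def on_alert(self, mac, alert):
        """Apply an alert and return the rules the switches must now flush.

        The flush is what makes the control dynamic: rules that were correct
        under the old state must be withdrawn immediately rather than left to
        age out of the switch flow table.
        """
        cur = self.state_of(mac)
        nxt = TRANSITIONS.get((cur, alert))
        if nxt is None or nxt is cur:
            return set()
        self._state[mac] = nxt
        return self._installed.pop(mac, set())
```

The interesting property is visible in `on_alert`: an IDS infection alert on a host in OPERATION returns the ALLOW rules that host had accumulated, and the next `decide` call for the same host yields a redirect or drop. Unknown alerts and unknown hosts fail closed (no transition; REGISTRATION policy).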
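The Mundur, Sood and Simon abstract above describes admission control that goes beyond a raw capacity check: less significant request classes are held to a lower threshold, and in a multirate service a request that would be blocked at its requested rate may be downgraded to a lower rate instead. The following is an added example written for this page, not the paper's model or code. It implements that policy as an admission controller over a single resource pool; the interpretation that a class threshold bounds post-admission occupancy, the class names, rates and the constructed request sequence are all assumptions for the example.

```python
"""Threshold-based admission control with optional downgrade (constructed example).

A server has `capacity` bandwidth units. Each request class has a threshold:
the occupancy (after admitting the request) that the class may not exceed.
Premium classes get a threshold equal to capacity; less significant classes get
less, which keeps headroom for premium arrivals. A request lists the rates it
will accept, highest first; with downgrade enabled, a request blocked at its
preferred rate is retried at each lower rate before it is refused.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Request:
    cls: str               # request class, e.g. "premium" or "basic"
    rates: Tuple[int, ...]  # acceptable bandwidth units, highest first


@dataclass(frozen=True)
class Outcome:
    admitted: bool
    rate: Optional[int]    # bandwidth actually granted, None if blocked
    downgraded: bool       # True if granted at a lower rate than requested


class ThresholdAdmission:
    def __init__(self, capacity, thresholds, allow_downgrade=True):
        self.capacity = capacity
        self.thresholds = thresholds        # cls -> occupancy ceiling
        self.allow_downgrade = allow_downgrade
        self.in_use = 0
        self.stats = {}                     # cls -> counters

    def _count(self, cls, key):
        self.stats.setdefault(cls, {"admitted": 0, "blocked": 0, "downgraded": 0})
        self.stats[cls][key] += 1

    def admit(self, req):
        # A class with no configured threshold is refused (fail closed); no
        # threshold may exceed the physical capacity.
        limit = min(self.capacity, self.thresholds.get(req.cls, 0))
        candidates = req.rates if self.allow_downgrade else req.rates[:1]
        for i, rate in enumerate(candidates):
            if self.in_use + rate <= limit:
                self.in_use += rate
                self._count(req.cls, "admitted")
                if i > 0:
                    self._count(req.cls, "downgraded")
                return Outcome(True, rate, i > 0)
        self._count(req.cls, "blocked")
        return Outcome(False, None, False)

    def release(self, rate):
        """Session ended; hand its bandwidth back."""
        self.in_use -= rate


def run_sequence(allow_downgrade=True):
    """Constructed arrival sequence: capacity 10, basic capped at 6 units."""
    adm = ThresholdAdmission(10, {"premium": 10, "basic": 6}, allow_downgrade)
    basic = Request("basic", (2, 1))
    premium = Request("premium", (2, 1))
    outcomes = [
        adm.admit(basic),                      # in_use 2
        adm.admit(basic),                      # in_use 4
        adm.admit(Request("premium", (1,))),   # in_use 5
        adm.admit(basic),                      # 7 > 6, so downgraded to 1 -> 6
        adm.admit(basic),                      # 7 > 6 even at rate 1: blocked
        adm.admit(premium),                    # in_use 8
        adm.admit(premium),                    # in_use 10
        adm.admit(premium),                    # capacity exhausted: blocked
    ]
    adm.release(2)                             # a premium session ends -> 8
    outcomes.append(adm.admit(premium))        # in_use 10 again
    return adm, outcomes
```

Running the sequence with downgrade on and off shows the effect the abstract describes: with the threshold alone the fourth basic request is blocked, while the downgrade option turns it into an admitted lower-rate session without eating the headroom reserved for premium traffic.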