%0 Conference Paper
%B Local and Metropolitan Area Networks (LANMAN), 2010 17th IEEE Workshop on
%D 2010
%T Decoupling policy from configuration in campus and enterprise networks
%A Feamster, Nick
%A Nayak,A.
%A Kim,Hyojoon
%A Clark,R.
%A Mundada,Y.
%A Ramachandran,A.
%A bin Tariq,M.
%K Access control
%K Business communication
%K campus network
%K decoupling policy
%K enterprise network management tasks
%K enterprise network operator
%K information flow control
%K software defined network
%K software radio
%K telecommunication network management
%K telecommunication security
%X This paper surveys our ongoing work on the use of software-defined networking to simplify two acute policy problems in campus and enterprise network operations: access control and information flow control. We describe how the current coupling of high-level policy with low-level configuration makes these problems challenging today. We describe the specific policy problems faced by campus and enterprise network operators; illustrate our approach, which leverages recent trends in separating the network's “control plane” from the data plane; and show how this approach can be applied to simplify these two enterprise network management tasks. We also describe our ongoing deployment efforts to build a campus network testbed where trial designs can be deployed and evaluated. We close with a summary of current and future research challenges for solving challenges within enterprise networks within the context of this new paradigm.
%B Local and Metropolitan Area Networks (LANMAN), 2010 17th IEEE Workshop on
%P 1 - 6
%8 2010/05//
%G eng
%R 10.1109/LANMAN.2010.5507162

%0 Conference Paper
%B Proceedings of the 1st ACM workshop on Research on enterprise networking
%D 2009
%T Resonance: dynamic access control for enterprise networks
%A Nayak,Ankur Kumar
%A Reimers,Alex
%A Feamster, Nick
%A Clark,Russ
%K Access control
%K enterprise networks
%K programmable networks
%X Enterprise network security is typically reactive, and it relies heavily on host security and middleboxes. This approach creates complicated interactions between protocols and systems that can cause incorrect behavior and slow response to attacks. We argue that imbuing the network layer with mechanisms for dynamic access control can remedy these ills. We propose Resonance, a system for securing enterprise networks, where the network elements themselves enforce dynamic access control policies based on both flow-level information and real-time alerts. Resonance uses programmable switches to manipulate traffic at lower layers; these switches take actions (e.g., dropping or redirecting traffic) to enforce high-level security policies based on input from both higher-level security policies and distributed monitoring and inference systems. We describe the design of Resonance, apply it to Georgia Tech's network access control system, show how it can both overcome the current shortcomings and provide new security functions, describe our proposed deployment, and discuss open research questions.
%B Proceedings of the 1st ACM workshop on Research on enterprise networking
%S WREN '09
%I ACM
%C New York, NY, USA
%P 11 - 18
%8 2009///
%@ 978-1-60558-443-0
%G eng
%U http://doi.acm.org/10.1145/1592681.1592684
%R 10.1145/1592681.1592684

%0 Conference Paper
%B IEEE Symposium on Security and Privacy, 2008. SP 2008
%D 2008
%T Fable: A Language for Enforcing User-defined Security Policies
%A Swamy,N.
%A Corcoran,B.J.
%A Hicks, Michael W.
%K Access control
%K Automata
%K Collaborative work
%K Communication system security
%K Computer languages
%K computer security
%K Data security
%K enforcement policy
%K FABLE
%K Government
%K high-level security goals
%K information flow
%K Information security
%K Language-based security
%K programming languages
%K Programming profession
%K provenance
%K security automata
%K security labels
%K security of data
%K user-defined security policies
%K verified enforcement
%K Web programming language
%X This paper presents FABLE, a core formalism for a programming language in which programmers may specify security policies and reason that these policies are properly enforced. In FABLE, security policies can be expressed by associating security labels with the data or actions they protect. Programmers define the semantics of labels in a separate part of the program called the enforcement policy. FABLE prevents a policy from being circumvented by allowing labeled terms to be manipulated only within the enforcement policy; application code must treat labeled values abstractly. Together, these features facilitate straightforward proofs that programs implementing a particular policy achieve their high-level security goals. FABLE is flexible enough to implement a wide variety of security policies, including access control, information flow, provenance, and security automata. We have implemented FABLE as part of the LINKS web programming language; we call the resulting language SELINKS. We report on our experience using SELINKS to build two substantial applications, a wiki and an on-line store, equipped with a combination of access control and provenance policies. To our knowledge, no existing framework enables the enforcement of such a wide variety of security policies with an equally high level of assurance.
%B IEEE Symposium on Security and Privacy, 2008. SP 2008
%I IEEE
%P 369 - 383
%8 2008/05/18/22
%@ 978-0-7695-3168-7
%G eng
%R 10.1109/SP.2008.29

%0 Conference Paper
%B 19th IEEE Computer Security Foundations Workshop, 2006
%D 2006
%T Managing policy updates in security-typed languages
%A Swamy,N.
%A Hicks, Michael W.
%A Tse,S.
%A Zdancewic,S.
%K Access control
%K Computer languages
%K Data security
%K Database systems
%K dynamic queries
%K dynamic semantics
%K Educational institutions
%K high level languages
%K Information security
%K information-flow policy management
%K Lattices
%K Network servers
%K Operating systems
%K policy update management
%K Robustness
%K role-based security policies
%K RT role-based trust-management framework
%K Rx security-typed programming language
%K security of data
%K statically verified transactions
%K transitive flows
%X This paper presents Rx, a new security-typed programming language with features intended to make the management of information-flow policies more practical. Security labels in Rx, in contrast to prior approaches, are defined in terms of owned roles, as found in the RT role-based trust-management framework. Role-based security policies allow flexible delegation, and our language Rx provides constructs through which programs can robustly update policies and react to policy updates dynamically. Our dynamic semantics use statically verified transactions to eliminate illegal information flows across updates, which we call transitive flows. Because policy updates can be observed through dynamic queries, policy updates can potentially reveal sensitive information. As such, Rx considers policy statements themselves to be potentially confidential information and subject to information-flow metapolicies
%B 19th IEEE Computer Security Foundations Workshop, 2006
%I IEEE
%P 13 pp.-216 - 13 pp.-216
%8 2006///
%@ 0-7695-2615-2
%G eng
%R 10.1109/CSFW.2006.17

%0 Journal Article
%J IEEE Transactions on Circuits and Systems for Video Technology
%D 2005
%T Class-based access control for distributed video-on-demand systems
%A Mundur, Padma
%A Sood,A. K
%A Simon,R.
%K Access control
%K Admission control
%K Analytical models
%K blocking performance
%K class-based access control
%K Computational modeling
%K Computer architecture
%K Computer science
%K Distributed control
%K Distributed video-on-demand (VoD) system
%K distributed video-on-demand system
%K multimedia systems
%K multirate service model
%K Performance analysis
%K QoS
%K quality of service
%K request handling policy
%K resource allocation
%K resource capacity
%K telecommunication congestion control
%K threshold-based admission control
%K video on demand
%X The focus of this paper is the analysis of threshold-based admission control policies for distributed video-on-demand (VoD) systems. Traditionally, admission control methods control access to a resource based on the resource capacity. We have extended that concept to include the significance of an arriving request to the VoD system by enforcing additional threshold restrictions in the admission control process on request classes deemed less significant. We present an analytical model for computing blocking performance of the VoD system under threshold-based admission control. Extending the same methodology to a distributed VoD architecture we show through simulation that the threshold performance conforms to the analytical model. We also show that threshold-based analysis can work in conjunction with other request handling policies and are useful for manipulating the VoD performance since we are able to distinguish between different request classes based on their merit. Enforcing threshold restrictions with the option of downgrading blocked requests in a multirate service environment results in improved performance at the same time providing different levels of quality of service (QoS). In fact, we show that the downgrade option combined with threshold restrictions is a powerful tool for manipulating an incoming request mix over which we have no control into a workload that the VoD system can handle.
%B IEEE Transactions on Circuits and Systems for Video Technology
%V 15
%P 844 - 853
%8 2005/07//
%@ 1051-8215
%G eng
%N 7
%R 10.1109/TCSVT.2005.848351

%0 Journal Article
%J IEEE Communications Magazine
%D 2000
%T Secure quality of service handling: SQoSH
%A Alexander,D. S
%A Arbaugh, William A.
%A Keromytis,A. D
%A Muir,S.
%A Smith,J. M
%K Acceleration
%K Access control
%K active networks
%K ALIEN active loader
%K Clocks
%K Computer network management
%K cryptographic credentials
%K cryptography
%K customized networking services
%K Data security
%K Data structures
%K denial-of-service attacks
%K interfaces
%K Kernel
%K loaded modules
%K network resources
%K network traffic
%K open signaling
%K packet switching
%K Piglet lightweight device kernel
%K programmable network element
%K programmable network infrastructures
%K Programming profession
%K Proposals
%K quality of service
%K remote invocation
%K resource control
%K restricted control of quality of service
%K SANE
%K scheduling
%K scheduling discipline
%K secure active network environment architecture
%K secure quality of service handling
%K security infrastructure
%K security risks
%K SQoSH
%K SwitchWare architecture
%K telecommunication security
%K tuning knobs
%K virtual clock
%X Proposals for programmable network infrastructures, such as active networks and open signaling, provide programmers with access to network resources and data structures. The motivation for providing these interfaces is accelerated introduction of new services, but exposure of the interfaces introduces many new security risks. We describe some of the security issues raised by active networks. We then describe our secure active network environment (SANE) architecture. SANE was designed as a security infrastructure for active networks, and was implemented in the SwitchWare architecture. SANE restricts the actions that loaded modules can perform by restricting the resources that can be named; this is further extended to remote invocation by means of cryptographic credentials. SANE can be extended to support restricted control of quality of service in a programmable network element. The Piglet lightweight device kernel provides a “virtual clock” type of scheduling discipline for network traffic, and exports several tuning knobs with which the clock can be adjusted. The ALIEN active loader provides safe access to these knobs to modules that operate on the network element. Thus, the proposed SQoSH architecture is able to provide safe, secure access to network resources, while allowing these resources to be managed by end users needing customized networking services. A desirable consequence of SQoSH's integration of access control and resource control is that a large class of denial-of-service attacks, unaddressed solely with access control and cryptographic protocols, can now be prevented
%B IEEE Communications Magazine
%V 38
%P 106 - 112
%8 2000/04//
%@ 0163-6804
%G eng
%N 4
%R 10.1109/35.833566

%0 Journal Article
%J IEEE Communications Magazine
%D 1998
%T Safety and security of programmable network infrastructures
%A Alexander,S.
%A Arbaugh, William A.
%A Keromytis,A. D
%A Smith,J. M
%K Access control
%K error protection
%K IP networks
%K Multicast protocols
%K network architecture
%K network operating systems
%K network service model
%K operating system
%K Power system dynamics
%K Power system modeling
%K Power system reliability
%K programmable languages
%K programmable network infrastructures
%K programming languages
%K Proposals
%K Protection
%K reliability properties
%K Safety
%K Secure Active Network Environment
%K Security
%K security of data
%K service creation
%K service providers
%K Switches
%K telecommunication computing
%K telecommunication network reliability
%K Web and internet services
%X Safety and security are two reliability properties of a system. A “safe” system provides protection against errors of trusted users, while a “secure” system protects against errors introduced by untrusted users. There is considerable overlap between mechanisms to support each property. Requirements for rapid service creation have stimulated the development of programmable network infrastructures, where end users or service providers can customize the properties of a network infrastructure while it continues to operate. A central concern of potential users of such systems is their reliability and, most specifically, their safety and security. In this article we explain the impact the network service model and architecture have on safety and security, and provide a model with which policies can be translated into restrictions of a general system. We illustrate these ideas with the Secure Active Network Environment (SANE) architecture, which provides a means of controlling access to the functions provided by any programmable infrastructure
%B IEEE Communications Magazine
%V 36
%P 84 - 92
%8 1998/10//
%@ 0163-6804
%G eng
%N 10
%R 10.1109/35.722141