Pushing Enterprise Security Down the Network Stack
MetadataShow full item record
Network security is typically reactive: Networks provide connectivity and subsequently alter this connectivity according to various security policies, as implemented in middleboxes, or at higher layers. This approach gives rise to complicated interactions between protocols and systems that can cause incorrect behavior and slow response to attacks. In this paper, we propose a proactive approach to securing networks, whereby security-related actions (e.g., dropping or redirecting traffic) are embedded into the network fabric itself, leaving only a fixed set of actions to higher layers. We explore this approach in the context of network access control. Our design uses programmable switches to manipulate traffic at lower layers; these switches interact with policy and monitoring at higher layers. We apply our approach to Georgia Tech’s network access control system, show how the new design can both overcome the current shortcomings and provide new security functions, describe our proposed deployment, and discuss open research questions.