Delegating network security with more information

Authors:
Jad Naous;Ryan Stutsman;David Mazieres;Nick McKeown;Nickolai Zeldovich
Affiliations:
Stanford University, Stanford, CA, USA;Stanford University, Stanford, CA, USA;Stanford University, Stanford, CA, USA;Stanford University, Stanford, CA, USA;MIT CSAIL, Cambridge, MA, USA
Venue:
Proceedings of the 1st ACM workshop on Research on enterprise networking
Year:
2009

Citing 7
Cited 2

Implementing a distributed firewall

Proceedings of the 7th ACM conference on Computer and communications security
A clean slate 4D approach to network control and management

ACM SIGCOMM Computer Communication Review
SANE: a protection architecture for enterprise networks

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Ethane: taking control of the enterprise

Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications
OpenFlow: enabling innovation in campus networks

ACM SIGCOMM Computer Communication Review
Securing distributed systems with information flow control

NSDI'08 Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation
A policy-aware switching layer for data centers

Proceedings of the ACM SIGCOMM 2008 conference on Data communication

NetQuery: a knowledge plane for reasoning about network properties

Proceedings of the ACM SIGCOMM 2011 conference
Participatory networking

Hot-ICE'12 Proceedings of the 2nd USENIX conference on Hot Topics in Management of Internet, Cloud, and Enterprise Networks and Services

Quantified Score

Hi-index	0.00

Visualization

Abstract

Network security is gravitating towards more centralized control. Strong centralization places a heavy burden on the administrator who has to manage complex security policies and be able to adapt to users' requests. To be able to cope, the administrator needs to delegate some control back to end-hosts and users, a capability that is missing in today's networks. Delegation makes administrators less of a bottleneck when policy needs to be modified and allows network administration to follow organizational lines. To enable delegation, we propose ident++ - a simple protocol to request additional information from end-hosts and networks on the path of a flow. ident++ allows users and end-hosts to participate in network security enforcement by providing information that the administrator might not have or rules to be enforced on their behalf. In this paper we describe ident++ and how it provides delegation and enables flexible and powerful policies.