PRIMED: community-of-interest-based DDoS mitigation
Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense
The shunt: an FPGA-based accelerator for network intrusion prevention
Proceedings of the 2007 ACM/SIGDA 15th international symposium on Field programmable gate arrays
Ethane: taking control of the enterprise
Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications
CONMan: a step towards network manageability
Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications
On the detection and origin identification of mobile worms
Proceedings of the 2007 ACM workshop on Recurring malcode
NOX: towards an operating system for networks
ACM SIGCOMM Computer Communication Review
Securing distributed systems with information flow control
NSDI'08 Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation
NetComplex: a complexity metric for networked system designs
NSDI'08 Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation
ENAVis: enterprise network activities visualization
LISA'08 Proceedings of the 22nd conference on Large installation system administration conference
NetAuth: supporting user-based network services
SS'08 Proceedings of the 17th conference on Security symposium
Towards systematic design of enterprise networks
CoNEXT '08 Proceedings of the 2008 ACM CoNEXT Conference
Secure and policy-compliant source routing
IEEE/ACM Transactions on Networking (TON)
PLUG: flexible lookup modules for rapid deployment of new protocols in high-speed routers
Proceedings of the ACM SIGCOMM 2009 conference on Data communication
Delegating network security with more information
Proceedings of the 1st ACM workshop on Research on enterprise networking
ROFL: routing as the firewall layer
Proceedings of the 2008 workshop on New security paradigms
Rethinking enterprise network control
IEEE/ACM Transactions on Networking (TON)
Mining policies from enterprise network configuration
Proceedings of the 9th ACM SIGCOMM conference on Internet measurement conference
A systematic approach for evolving VLAN designs
INFOCOM'10 Proceedings of the 29th conference on Information communications
HotOS'09 Proceedings of the 12th conference on Hot topics in operating systems
Onix: a distributed control platform for large-scale production networks
OSDI'10 Proceedings of the 9th USENIX conference on Operating systems design and implementation
ETTM: a scalable fault tolerant network manager
Proceedings of the 8th USENIX conference on Networked systems design and implementation
Tightlip: keeping applications from spilling the beans
NSDI'07 Proceedings of the 4th USENIX conference on Networked systems design & implementation
Tesseract: a 4D network control plane
NSDI'07 Proceedings of the 4th USENIX conference on Networked systems design & implementation
Towards systematic design of enterprise networks
IEEE/ACM Transactions on Networking (TON)
The middlebox manifesto: enabling innovation in middlebox deployment
Proceedings of the 10th ACM Workshop on Hot Topics in Networks
Revisiting traffic anomaly detection using software defined networking
RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
DECOR: a distributed coordinated resource monitoring system
Proceedings of the 2012 IEEE 20th International Workshop on Quality of Service
A safe, efficient update protocol for openflow networks
Proceedings of the first workshop on Hot topics in software defined networks
Fabric: a retrospective on evolving SDN
Proceedings of the first workshop on Hot topics in software defined networks
A security enforcement kernel for OpenFlow networks
Proceedings of the first workshop on Hot topics in software defined networks
Verification of computer switching networks: an overview
ATVA'12 Proceedings of the 10th international conference on Automated Technology for Verification and Analysis
Enterprise Network Packet Filtering for Mobile Cryptographic Identities
International Journal of Handheld Computing Research
B4: experience with a globally-deployed software defined wan
Proceedings of the ACM SIGCOMM 2013 conference on SIGCOMM
AVANT-GUARD: scalable and vigilant switch flow management in software-defined networks
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Queue - Large-Scale Implementations
Strata: scalable high-performance storage on virtualized non-volatile memory
FAST'14 Proceedings of the 12th USENIX conference on File and Storage Technologies
Hi-index | 0.00 |
Connectivity in today's enterprise networks is regulated by a combination of complex routing and bridging policies, along with various interdiction mechanisms such as ACLs, packet filters, and other middleboxes that attempt to retrofit access control onto an otherwise permissive network architecture. This leads to enterprise networks that are inflexible, fragile, and difficult to manage. To address these limitations, we offer SANE, a protection architecture for enterprise networks. SANE defines a single protection layer that governs all connectivity within the enterprise. All routing and access control decisions are made by a logically-centralized server that grants access to services by handing out capabilities (encrypted source routes) according to declarative access control policies (e.g., "Alice can access http server foo"). Capabilities are enforced at each switch, which are simple and only minimally trusted. SANE offers strong attack resistance and containment in the face of compromise, yet is practical for everyday use. Our prototype implementation shows that SANE could be deployed in current networks with only a few modifications, and it can easily scale to networks of tens of thousands of nodes.