research-article

Public Access

Removing the Reliance on Perimeters for Security using Network Views

Authors:

Cristina Nita-Rotaru,

Bradley ReavesAuthors Info & Claims

SACMAT '22: Proceedings of the 27th ACM on Symposium on Access Control Models and Technologies

Pages 151 - 162

https://doi.org/10.1145/3532105.3535029

Published: 08 June 2022 Publication History

PDF eReader

Abstract

Traditional enterprise security relies on network perimeters to define and enforce network security policies. Emerging application-focused Zero Trust architectures attempt to address this long-standing challenge by moving business applications to the cloud and performing enhanced identity and access control checks within a web gateway. However, these solutions ignore the security needs of workstations, development servers, and device management interfaces. In this work, we propose Network Views (abbrev. NetViews) for least-privilege network access control where each host has a different, limited view of the other hosts and services within a network. We present an SDN-based design and demonstrate that our implementation has network latency and throughput comparable to baseline reactive forwarding. We further provide an optimization for multi-connection flows that significantly reduces both redundant access control checks and forwarding state storage in switches. As such, NetViews provides a practical primitive for removing the reliance on security perimeters within enterprise networks.

Supplementary Material

MP4 File (FinalSACMAT2022.mp4)

While application-based Zero Trust architectures help enterprises secure their business applications by moving them to the cloud, they ignore the importance of securing the on-premises network environment that remains. This paper has introduced a novel paradigm for enterprise network security called Network Views where each host has a different ?view? of what other hosts and services exist in the network. This fine-grained least-privilege approach to network access control can significantly reduce lateral movement by attackers, even if user credentials have been compromised. NetViews builds on NIST?s Next Generation Access Control to pro- vide a dynamic and scalable policy model that supports the needs of large enterprises. We propose a multi-connection optimization that eliminates unnecessary first-packet latencies and significantly reduces TCAM requirements for SDN switches.

Download
431.36 MB

MP4 File (FinalSACMAT2022.mp4)

Download
431.36 MB

References

[1]

R. A. Addad, D. L. C. Dutra, M. Bagaa, T. Taleb, H. Flinck, and M. Namane. 2018. Benchmarking the ONOS Intent Interfaces to Ease 5G Service Management. In Proceedings of the IEEE Global Communications Conference (GLOBECOM).

Abstract

Supplementary Material

References

Cited By

Index Terms

Recommendations

MSNetViews: Geographically Distributed Management of Enterprise Network Security Policy

On network operating system security

On network operating system security

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Badges

Author Tags

Qualifiers

Funding Sources

Conference

Acceptance Rates

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

PDF

eReader

Login options

Full Access

Share

Share this Publication link

Share on social media

Affiliations