Article

SANE: a protection architecture for enterprise networks

Authors:

Scott ShenkerAuthors Info & Claims

USENIX-SS'06: Proceedings of the 15th conference on USENIX Security Symposium - Volume 15

Article No.: 10

Published: 31 July 2006 Publication History

Publisher Site

Abstract

Connectivity in today's enterprise networks is regulated by a combination of complex routing and bridging policies, along with various interdiction mechanisms such as ACLs, packet filters, and other middleboxes that attempt to retrofit access control onto an otherwise permissive network architecture. This leads to enterprise networks that are inflexible, fragile, and difficult to manage.

To address these limitations, we offer SANE, a protection architecture for enterprise networks. SANE defines a single protection layer that governs all connectivity within the enterprise. All routing and access control decisions are made by a logically-centralized server that grants access to services by handing out capabilities (encrypted source routes) according to declarative access control policies (e.g., "Alice can access http server foo"). Capabilities are enforced at each switch, which are simple and only minimally trusted. SANE offers strong attack resistance and containment in the face of compromise, yet is practical for everyday use. Our prototype implementation shows that SANE could be deployed in current networks with only a few modifications, and it can easily scale to networks of tens of thousands of nodes.

Cited By

View all

Kang QXue LMorrison ATang YChen ALuo XCapkun SRoesner F(2020)Programmable in-network security for context-aware BYOD policiesProceedings of the 29th USENIX Conference on Security Symposium10.5555/3489212.3489246(595-612)Online publication date: 12-Aug-2020
https://dl.acm.org/doi/10.5555/3489212.3489246
Paillisse JPortoles MLopez ARodriguez-Natal AIacobacci DLeong JMoreno VCabellos AMaino FHooda SHan DFeldmann A(2020)SD-accessProceedings of the 16th International Conference on emerging Networking EXperiments and Technologies10.1145/3386367.3431288(496-508)Online publication date: 23-Nov-2020
https://dl.acm.org/doi/10.1145/3386367.3431288
Kreutz DYu JRamos FEsteves-Verissimo P(2019)ANCHORACM Transactions on Privacy and Security10.1145/330130522:2(1-36)Online publication date: 26-Feb-2019
https://dl.acm.org/doi/10.1145/3301305
Show More Cited By

Index Terms

SANE: a protection architecture for enterprise networks

Recommendations

PBDM: a flexible delegation model in RBAC
SACMAT '03: Proceedings of the eighth ACM symposium on Access control models and technologies

Role-based access control (RBAC) is recognized as an efficient access control model for large organizations. Most organizations have some business rules related to access control policy. Delegation of authority is among these rules. RBDM0 and RDM2000 ...
A flexible role-based delegation model using characteristics of permissions
DEXA'05: Proceedings of the 16th international conference on Database and Expert Systems Applications

Role-Based Access Control(RBAC) has recently received considerable attention as a promising alternative to traditional discretionary and mandatory access controls.[7] RBAC ensures that only authorized users are given access to protected data or ...
Session-aware rbac administration, delegation, and enforcement with xacml

Comments

Information & Contributors

Information

Published In

USENIX-SS'06: Proceedings of the 15th conference on USENIX Security Symposium - Volume 15

July 2006

33 pages

Publisher

USENIX Association

United States

Publication History

Published: 31 July 2006

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

70
Total Citations
View Citations
11
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 17 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Kang QXue LMorrison ATang YChen ALuo XCapkun SRoesner F(2020)Programmable in-network security for context-aware BYOD policiesProceedings of the 29th USENIX Conference on Security Symposium10.5555/3489212.3489246(595-612)Online publication date: 12-Aug-2020
https://dl.acm.org/doi/10.5555/3489212.3489246
Paillisse JPortoles MLopez ARodriguez-Natal AIacobacci DLeong JMoreno VCabellos AMaino FHooda SHan DFeldmann A(2020)SD-accessProceedings of the 16th International Conference on emerging Networking EXperiments and Technologies10.1145/3386367.3431288(496-508)Online publication date: 23-Nov-2020
https://dl.acm.org/doi/10.1145/3386367.3431288
Kreutz DYu JRamos FEsteves-Verissimo P(2019)ANCHORACM Transactions on Privacy and Security10.1145/330130522:2(1-36)Online publication date: 26-Feb-2019
https://dl.acm.org/doi/10.1145/3301305
Benabbou JElbaamrani KIdboufker N(2019)Security in OpenFlow-based SDN, opportunities and challengesPhotonic Network Communications10.1007/s11107-018-0803-737:1(1-23)Online publication date: 1-Feb-2019
https://dl.acm.org/doi/10.1007/s11107-018-0803-7
Jimson ENisar KHijazi M(2018)The State of the Art of Software Defined Networking SDNInternational Journal of Information Communication Technologies and Human Development10.4018/IJICTHD.201810010410:4(44-60)Online publication date: 1-Oct-2018
https://dl.acm.org/doi/10.4018/IJICTHD.2018100104
Kowohl UEngel FBond RMulvenna MHemmje M(2018)Considering ethics in model view controller architectures in human computer interaction health domainProceedings of the 32nd International BCS Human Computer Interaction Conference10.14236/ewic/HCI2018.178(1-5)Online publication date: 4-Jul-2018
https://dl.acm.org/doi/10.14236/ewic/HCI2018.178
Park YHu HYuan XLi HBarnes TGarcia DHawthorne EPérez-Quiñones M(2018)Enhancing Security Education Through Designing SDN Security Labs in CloudLabProceedings of the 49th ACM Technical Symposium on Computer Science Education10.1145/3159450.3159514(185-190)Online publication date: 21-Feb-2018
https://dl.acm.org/doi/10.1145/3159450.3159514
Shang FLi YFu QWang WFeng JHe L(2018)Distributed controllers multi-granularity security communication mechanism for software-defined networkingComputers and Electrical Engineering10.1016/j.compeleceng.2017.07.00366:C(388-406)Online publication date: 1-Feb-2018
https://dl.acm.org/doi/10.1016/j.compeleceng.2017.07.003
Kaur NSingh AKumar NSrivastava SShekhawat RGaur MElci AVaidya JMakarevich OPoet ROrgun MDhaka VBohra MSingh VBabenko LSheykhkanloo NRahnama B(2017)Performance impact of topology poisoning attack in SDN and its countermeasureProceedings of the 10th International Conference on Security of Information and Networks10.1145/3136825.3136881(179-184)Online publication date: 13-Oct-2017
https://dl.acm.org/doi/10.1145/3136825.3136881
Meier RGugelmann DVanbever L(2017)iTAPProceedings of the Symposium on SDN Research10.1145/3050220.3050232(102-114)Online publication date: 3-Apr-2017
https://dl.acm.org/doi/10.1145/3050220.3050232
Show More Cited By

Abstract

Cited By

Index Terms

Recommendations

PBDM: a flexible delegation model in RBAC

A flexible role-based delegation model using characteristics of permissions

Session-aware rbac administration, delegation, and enforcement with xacml

Comments

Information

Published In

Sponsors

Publisher

Publication History

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations