Simplifying Access Control in Enterprise Networks
Cheng Tien Ee and John Lee and Dave Maltz and Scott Shenker and Lakshminarayanan Subramanian
EECS Department, University of California, Berkeley
Technical Report No. UCB/EECS-2007-33
March 11, 2007
http://www2.eecs.berkeley.edu/Pubs/TechRpts/2007/EECS-2007-33.pdf
Today, access control configuration in large enterprise environments is a highly complex process that involves the manual configuration of a wide range of network devices including routers, VLANs and firewalls. Much of this complexity arises from the asynchrony between routing and access control that often requires contorted network topologies that lack redundant paths, have tight pinning of routes, and physical placement of firewalls along the data path to achieve access control.
In this paper, we propose Access Control Routing (ACR), a clean-slate and flexible approach to simplify access control configuration in large-scale enterprise networks. ACR uses a single parameter, class, to couple access control and routing. It requires that each end-host specify its access control policies at the granularity of a class. On the network side, the control plane establishes logical reachability networks for every class, and the data plane explicitly labels each packet with a class based on the source. Unlike traditional access control configuration approaches, ACR can easily adapt to network topology or routing changes and is better suited to handle network failures. ACR eliminates the need for VLANs and also provides the flexibility of automatically routing traffic through arbitrary middle-boxes without physical topology manipulation. Using a software-based router implementation of ACR and access control policies gathered from four large commercial enterprise networks, we show that ACR can easily be adopted in large enterprise environments with little additional performance overhead.
BibTeX citation:
@techreport{Ee:EECS-2007-33,
    Author = {Ee, Cheng Tien and Lee, John and Maltz, Dave and Shenker, Scott and Subramanian, Lakshminarayanan},
    Title = {Simplifying Access Control in Enterprise Networks},
    Year = {2007},
    Month = {Mar},
    Url = {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2007/EECS-2007-33.html},
    Number = {UCB/EECS-2007-33},
    Abstract = {Today, access control configuration in large enterprise environments is a highly complex process that involves the manual configuration of a wide range of network devices including routers, VLANs and firewalls. Much of this complexity arises from the asynchrony between routing and access control that often requires contorted network topologies that lack redundant paths, have tight pinning of routes, and physical placement of firewalls along the data path to achieve access control. In this paper, we propose Access Control Routing (ACR), a clean-slate and flexible approach to simplify access control configuration in large-scale enterprise networks. ACR uses a single parameter, class, to couple access control and routing. It requires that each end-host specify its access control policies at the granularity of a class. On the network side, the control plane establishes logical reachability networks for every class, and the data plane explicitly labels each packet with a class based on the source. Unlike traditional access control configuration approaches, ACR can easily adapt to network topology or routing changes and is better suited to handle network failures. ACR eliminates the need for VLANs and also provides the flexibility of automatically routing traffic through arbitrary middle-boxes without physical topology manipulation. Using a software-based router implementation of ACR and access control policies gathered from four large commercial enterprise networks, we show that ACR can easily be adopted in large enterprise environments with little additional performance overhead.},
}
EndNote citation:
%0 Report
%A Ee, Cheng Tien
%A Lee, John
%A Maltz, Dave
%A Shenker, Scott
%A Subramanian, Lakshminarayanan
%T Simplifying Access Control in Enterprise Networks
%I EECS Department, University of California, Berkeley
%D 2007
%8 March 11
%@ UCB/EECS-2007-33
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2007/EECS-2007-33.html
%F Ee:EECS-2007-33