I like to keep up with what’s happening in the universities, and so I have a lot of research papers crossing my desk from time to time. Most don’t linger on their way to the circular file, at best making me nostalgic for graduate school days where R&D meant “relax and dream” (a phrase indelibly linked in my mind with Dave Cutler for some reason). But I digress. Recently a paper out of Stanford from last fall’s Usenix got my attention. At first glance I put it in the “interesting-but-impractical” category, since it seemed to marry something like Radia Perlman’s rbridges with a “security plane” that supplies a policy decision for every connection. This policy server runs not distributed out on the switches, where conventional wisdom would put it, but on a central server where it can bottleneck everybody trying to use the network. Furthermore, it supplies a policy decision by giving each allowed connection a source route through the network, which can’t possibly scale, much less support broadcast. But if people I respect like Nick McKeown and Dan Boneh weren’t embarrassed to put their names on it, it had to be worth a second read.
The grandly named “Secure Architecture for the Networked Enterprise” (SANE), aka ETHANE, actually makes a lot of sense in more ways than one. First of all, it is about time for a fresh new way of looking at LAN security. As I have said before and continue to say, policy is the problem, and SANE addresses policy head on. Secondly, looking at the ETHANE presentations and reading through the papers, a lot of thorny issues have been thought through (although some of the more difficult, rhyming with “forklift,” seem to be conveniently swept aside). But they claim to have a software prototype running on PCs, which is a promising start (personally I would have used multi-threaded programmable data plane processors and more caching, but you have to start with what you have). Finally, some of the advantages pointed out (hide topology from endpoints, single point of trust instead of the proliferation of trust in today’s retrofit solutions, addresses that can’t be spoofed) really resonate to a security guy.
This research represents the first good example I have seen of how to build security right into the network infrastructure, maybe even a breakthrough. I’ve seen lots of “overlay” proposals and products that try to leverage today’s switched infrastructure investments – put everyone in their own private VLAN and bring them up to some humongous security blade, use out-of-band NAC products that dynamically reconfigure port VLANs on switches, isolate classes of users with IPsec overlays, even the in-line transparent security bridges that companies like Nevis sell, which I personally believe are the best alternative available for today’s LANs – but none represent long-term strategies that really integrate security into the infrastructure. And everyone who has just paid for their switch upgrade wants to put off acknowledging the 800 pound forklift entering the room for as long as possible.
Eventually today’s NAC will evolve into a “secure network fabric,” as some people have already pointed out. Who knows, maybe in the future, networks will look a lot more like SANE than we are ready to think, and we’ll look back on today’s LANs as insecure dinosaurs.
Joseph Tardo, Ph.D.