Summary: STANFORD HPN TECHNICAL REPORT TR05-HPNG-101700
SANE: A Protection Architecture for Enterprise Networks
Martin Casado, Tal Garfinkel, Aditya Akella
Dan Boneh, Nick McKeown, Scott Shenker
{casado,talg,dabo,nickm}@stanford.edu
aditya@cs.cmu.edu, shenker@icsi.berkeley.edu
Abstract
Connectivity in today's enterprise networks is regulated
by a combination of complex routing and bridging policies,
along with various interdiction mechanisms such as
ACLs, packet filters, and other middleboxes that attempt
to retrofit access control onto an otherwise permissive
Internet architecture. This leads to enterprise networks
that are inflexible, fragile and difficult to manage.
We offer SANE, a protection architecture for enterprise
networks that overcomes these limitations. By default,
hosts can only contact a logically centralized reference
monitor that hands out capabilities (encrypted
source routes) for services, according to declarative access
control policies (e.g. Alice can access http-proxy).