Programmable in-network security for context-aware BYOD policies

Qiao Kang, Lei Xue, Adam Morrison, Yuxin Tang, Ang Chen, Xiapu Luo

Research output: Chapter in book / Conference proceedingConference article published in proceeding or bookAcademic researchpeer-review

12 Citations (Scopus)

Abstract

Bring Your Own Device (BYOD) has become the new norm for enterprise networks, but BYOD security remains a top concern. Context-aware security, which enforces access control based on dynamic runtime context, is a promising approach. Recent work has developed SDN solutions to collect device contexts and enforce access control at a central controller. However, the central controller could become a bottleneck and attack target. Processing context signals at the remote controller is also too slow for real-time decision change. We present a new paradigm, programmable in-network security (Poise), which is enabled by the emergence of programmable switches. At the heart of Poise is a novel security primitive, which can be programmed to support a wide range of context-aware policies in hardware. Users of Poise specify concise policies, and Poise compiles them into different configurations of the primitive in P4. Compared with traditional SDN defenses, Poise is resilient to control plane saturation attacks, and it dramatically increases defense agility.

Original languageEnglish
Title of host publicationProceedings of the 29th USENIX Security Symposium
PublisherUSENIX Association
Pages595-612
Number of pages18
ISBN (Electronic)9781939133175
Publication statusPublished - 2020
Event29th USENIX Security Symposium - Virtual, Online
Duration: 12 Aug 202014 Aug 2020

Publication series

NameProceedings of the 29th USENIX Security Symposium

Conference

Conference29th USENIX Security Symposium
CityVirtual, Online
Period12/08/2014/08/20

Keywords

  • BYOD
  • Network Security

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems
  • Safety, Risk, Reliability and Quality

Cite this