TY - GEN
T1 - Programmable in-network security for context-aware BYOD policies
AU - Kang, Qiao
AU - Xue, Lei
AU - Morrison, Adam
AU - Tang, Yuxin
AU - Chen, Ang
AU - Luo, Xiapu
N1 - Funding Information:
Acknowledgments: We thank our shepherd Adwait Nadkarni, the anonymous reviewers, Vladimir Gurevich, Kuo-Feng Hsu, Dingming Wu, and Jiarong Xing for their insightful comments and suggestions. This work was supported in part by a Hong Kong RGC Project (No. PolyU 152279/16E, CityU C1008-16G) and an NSF grant CNS-1801884.
Publisher Copyright:
© 2020 by The USENIX Association. All Rights Reserved.
Copyright:
Copyright 2020 Elsevier B.V., All rights reserved.
PY - 2020
Y1 - 2020
N2 - Bring Your Own Device (BYOD) has become the new norm for enterprise networks, but BYOD security remains a top concern. Context-aware security, which enforces access control based on dynamic runtime context, is a promising approach. Recent work has developed SDN solutions to collect device contexts and enforce access control at a central controller. However, the central controller could become a bottleneck and attack target. Processing context signals at the remote controller is also too slow for real-time decision change. We present a new paradigm, programmable in-network security (Poise), which is enabled by the emergence of programmable switches. At the heart of Poise is a novel security primitive, which can be programmed to support a wide range of context-aware policies in hardware. Users of Poise specify concise policies, and Poise compiles them into different configurations of the primitive in P4. Compared with traditional SDN defenses, Poise is resilient to control plane saturation attacks, and it dramatically increases defense agility.
KW - BYOD
KW - Network Security
UR - http://www.scopus.com/inward/record.url?scp=85091915004&partnerID=8YFLogxK
M3 - Conference article published in proceeding or book
AN - SCOPUS:85091915004
T3 - Proceedings of the 29th USENIX Security Symposium
SP - 595
EP - 612
BT - Proceedings of the 29th USENIX Security Symposium
PB - USENIX Association
T2 - 29th USENIX Security Symposium
Y2 - 12 August 2020 through 14 August 2020
ER -