TY - GEN
T1 - Contextual, flow-based access control with scalable host-based SDN techniques
AU - Taylor, Curtis R.
AU - Macfarland, Douglas C.
AU - Smestad, Doran R.
AU - Shue, Craig A.
N1 - Publisher Copyright:
© 2016 IEEE.
PY - 2016/7/27
Y1 - 2016/7/27
N2 - Network operators can better understand their networks when armed with a detailed understanding of the network traffic and host activities. Software-defined networking (SDN) techniques have the potential to improve enterprise security, but the current techniques have well-known data plane scalability concerns and limited visibility into the host's operating context. In this work, we provide both detailed host-based context and fine-grained control of network flows by shifting the SDN agent functionality from the network infrastructure into the end-hosts. We allow network operators to write detailed network policy that can discriminate based on user and program information associated with network flows. In doing so, we find our approach scales far beyond the capabilities of OpenFlow switching hardware, allowing each host to create over 25 new flows per second with no practical bound on the number of established flows in the network.
AB - Network operators can better understand their networks when armed with a detailed understanding of the network traffic and host activities. Software-defined networking (SDN) techniques have the potential to improve enterprise security, but the current techniques have well-known data plane scalability concerns and limited visibility into the host's operating context. In this work, we provide both detailed host-based context and fine-grained control of network flows by shifting the SDN agent functionality from the network infrastructure into the end-hosts. We allow network operators to write detailed network policy that can discriminate based on user and program information associated with network flows. In doing so, we find our approach scales far beyond the capabilities of OpenFlow switching hardware, allowing each host to create over 25 new flows per second with no practical bound on the number of established flows in the network.
UR - http://www.scopus.com/inward/record.url?scp=84983268897&partnerID=8YFLogxK
U2 - 10.1109/INFOCOM.2016.7524498
DO - 10.1109/INFOCOM.2016.7524498
M3 - Conference contribution
AN - SCOPUS:84983268897
T3 - Proceedings - IEEE INFOCOM
BT - IEEE INFOCOM 2016 - 35th Annual IEEE International Conference on Computer Communications
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 35th Annual IEEE International Conference on Computer Communications, IEEE INFOCOM 2016
Y2 - 10 April 2016 through 14 April 2016
ER -