PDF

Description

Today, access control configuration in large enterprise environments is a highly complex process that involves the manual configuration of a wide range of network devices including routers, VLANs and firewalls. Much of this complexity arises from the asynchrony between routing and access control that often requires contorted network topologies that lack redundant paths, have tight pinning of routes, and physical placement of firewalls along the data path to achieve access control.

In this paper, we propose Access Control Routing (ACR), a clean-slate and flexible approach to simplify access control configuration in large-scale enterprise networks. ACR uses a single parameter, class, to couple access control and routing. It requires that each end-host specify its access control policies at the granularity of a class. On the network side, the control plane establishes logical reachability networks for every class, and the data plane explicitly labels each packet with a class based on the source. Unlike traditional access control configuration approaches, ACR can easily adapt to network topology or routing changes and is better suited to handle network failures. ACR eliminates the need for VLANs and also provides the flexibility of automatically routing traffic through arbitrary middle-boxes without physical topology manipulation. Using a software-based router implementation of ACR and access control policies gathered from four large commercial enterprise networks, we show that ACR can easily be adopted in large enterprise environments with little additional performance overhead.

Details

Title
Simplifying Access Control in Enterprise Networks
Creator
Subramanian, Lakshminarayanan, Author
Shenker, Scott, Author
Ee, Cheng Tien, Author
Lee, John, Author
Maltz, Dave, Author
EECS Department, University of California, Publisher
Published
2007-03-11
Full Collection Name
Electrical Engineering & Computer Sciences Technical Reports
Other Identifiers
EECS-2007-33
Type
Text
Format
technical reports
Extent
17 p
Archive
The Engineering Library
Usage Statement
Researchers may make free and open use of the UC Berkeley Library’s digitized public domain materials. However, some materials in our online collections may be protected by U.S. copyright law (Title 17, U.S.C.). Use or reproduction of materials protected by copyright beyond that allowed by fair use (Title 17, U.S.C. § 107) requires permission from the copyright owners. The use or reproduction of some materials may also be restricted by terms of University of California gift or purchase agreements, privacy and publicity rights, or trademark law. Responsibility for determining rights status and permissibility of any use or reproduction rests exclusively with the researcher. To learn more or make inquiries, please see our permissions policies (https://www.lib.berkeley.edu/about/permissions-policies).
Collection

Files

Statistics

from
to
Export
Download Full History