Programmable In-Network Security for Context-aware BYOD Policies
Bring Your Own Device (BYOD) has become the new norm in enterprise networks,
but BYOD security remains a top concern. Context-aware security, which enforces
access control based on dynamic runtime context, holds much promise. Recent
work has developed SDN solutions to collect device context for network-wide
access control in a central controller. However, the central controller is a
bottleneck that can itself become an attack target, and reacting to context
changes in remote controller software has low agility.
We present a new paradigm, programmable in-network security (Poise), which is
enabled by the emergence of programmable switches. At the heart of Poise is a
novel switch primitive, which can be programmed to support a wide range of
context-aware policies in hardware. Users of Poise specify concise policies,
and Poise compiles them into different instantiations of the security primitive
in P4. Compared to centralized SDN defenses, Poise is resilient to control
plane saturation attacks, and it dramatically increases defense agility