TY - GEN
T1 - Automatically correcting networks with NEAT
AU - Zhou, Wenxuan
AU - Croft, Jason
AU - Liu, Bingzhe
AU - Ang, Elaine
AU - Caesar, Matthew
N1 - Publisher Copyright:
© Proceedings of NSDI 2010: 7th USENIX Symposium on Networked Systems Design and Implementation. All rights reserved.
PY - 2018
Y1 - 2018
N2 - Configuring and maintaining an enterprise network is a challenging and error-prone process. Administrators often need to consider security policies from a variety of sources such as regulatory requirements, industry standards, and mitigating attack vectors. Erroneous configuration or network applications could violate crucial policies, and result in costly data breaches and intrusions. Relying on humans to discover and troubleshoot violations is slow and prone to error, considering the speed at which new attack vectors propagate and the increasing network dynamics, partly an effect of SDN. To address this problem, we present NEAt, a system analogous to a smartphone's autocorrect feature that enables on-the-fly repair of policy-violating updates. It does so by modifying the forwarding behavior of updates to automatically repair violations of policies such as reachability, service chaining, and segmentation. NEAt takes as input a set of administrator-defined high-level policies, and formulates these policies as directed graphs. Sitting between an SDN controller and the forwarding devices, NEAt intercepts updates proposed by SDN applications. If an update violates a policy, NEAt transforms the update into one that complies with the policy. Unlike domain-specific languages or synthesis platforms, NEAt allows enterprise networks to leverage the advanced functionality of SDN applications while simultaneously achieving strong, automated enforcement of general policies. Based on a prototype implementation and experimentation using Mininet and an operation trace of a large enterprise network, we demonstrate that NEAt achieves promising performance in real-time bug-fixing.
UR - http://www.scopus.com/inward/record.url?scp=85066055551&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85066055551&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85066055551
T3 - Proceedings of the 15th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2018
SP - 595
EP - 608
BT - Proceedings of the 15th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2018
PB - USENIX Association
T2 - 15th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2018
Y2 - 9 April 2018 through 11 April 2018
ER -