Pushing Enterprise Security Down the Network Stack

msra(2009)

Citations: 25 | Views: 33
Abstract
Network security is typically reactive: Networks provide connectivity and subsequently alter this connectivity according to various security policies, as implemented in middleboxes, or at higher layers. This approach gives rise to complicated interactions between protocols and systems that can cause incorrect behavior and slow response to attacks. In this paper, we propose a proactive approach to securing networks, whereby security-related actions (e.g., dropping or redirecting traffic) are embedded into the network fabric itself, leaving only a fixed set of actions to higher layers. We explore this approach in the context of network access control. Our design uses programmable switches to manipulate traffic at lower layers; these switches interact with policy and monitoring at higher layers. We apply our approach to Georgia Tech's network access control system, show how the new design can both overcome the current shortcomings and provide new security functions, describe our proposed deployment, and discuss open research questions.
Keywords
OpenFlow, network security