Russell J. Clark

Resonance: dynamic access control for enterprise networks

Enterprise network security is typically reactive, and it relies heavily on host security and middleboxes. This approach creates complicated interactions between protocols and systems that can cause incorrect behavior and slow response to attacks. We argue that imbuing the network layer with mechanisms for dynamic access control can remedy these ills. We propose Resonance, a system for securing enterprise networks, where the network elements themselves enforce dynamic access control policies based on both flow-level information and real-time alerts. Resonance uses programmable switches to manipulate traffic at lower layers; these switches take actions (e.g., dropping or redirecting traffic) to enforce high-level security policies based on input from both higherlevel security policies and distributed monitoring and inference systems. We describe the design of Resonance, apply it to Georgia Techs network access control system, show how it can both overcome the current shortcomings and provide new security functions, describe our proposed deployment, and discuss open research questions.

Learning momentum: online performance enhancement for reactive systems

The authors describe a reactive robotic control system which incorporates aspects of machine learning to improve the systems ability to navigate successfully in unfamiliar environments. This system overcomes limitations of completely reactive systems by exercising online performance enhancement without the need for high-level planning. The goal of the learning system is to give the autonomous robot the ability to adjust the scheme control parameters in an unstructured dynamic environment. The results of a successful implementation that learns to navigate out of a box canyon are presented. This system never resorts to a high-level planner, but instead learns continuously by adjusting gains based on the progress made so far. The system is successful because it is able to improve its performance in reaching a goal in a previously unfamiliar and dynamic world.<<ETX>>

Providing scalable Web service using multicast delivery

The recent growth in use of the World-Wide Web in the Internet has caused a significant increase in the demand placed on Web servers. This increased load results in noticeably longer response times for users. We propose an approach to using multicast in the delivery of Web resources that reduces the load on servers as well as the networks that connect them. We analyze the issues involved in using multicast in the Web, especially those related to routing and addressing. We also discuss the design and implementation of a system based on the existing WWW client and server architecture and the multicast support provided within IP.<<ETX>>

Security issues with the IP multimedia subsystem (IMS)

The IP Multimedia Subsystem (IMS) is the basis for a significant new architecture for mobile applications incorporating voice, video and data services. The IMS is an overlay network on top of IP that uses SIP as the primary signaling mechanism. The IMS presents several new security challenges for both network providers and network users. This paper provides an overview of the IMS architecture and the security challenges that it raises. It is intended as the basis for developing a new set of research objectives around IMS security.

Usage-based dhcp lease time optimization

The Dynamic Host Configuration Protocol (DHCP) is used to dynamically allocate address space to hosts on a local area network. Despite its widespread usage, few studies exist on DHCP usage patterns, and even less is known about the importance of setting the lease time (the time that a client retains ownership over some IP address) to an appropriate value. Lease time can greatly affect the tradeoff between address space utilization and the number of both renewal messages and client session expirations. In this paper, using a DHCP trace for 5 weekdays from the Georgia Tech campus network, we present the largest known study of DHCP utilization. We also explore how various strategies for setting lease times can dramatically reduce the number of renewals and expirations without prohibitively increasing address space utilization.

Multi-protocol architectures as a paradigm for achieving inter-operability

An inclusive approach to achieving heterogeneous system interoperability based on the use of multiprotocol architectures is considered. A detailed description of a framework and model for describing and constructing multiprotocol architectures is given. A case study based on architectures that mix protocols from the OSI and Internet suites is then described. Solutions to the problem of determining which set of protocols to use for a particular communication task are proposed.<<ETX>>

Decoupling policy from configuration in campus and enterprise networks

This paper surveys our ongoing work on the use of software-defined networking to simplify two acute policy problems in campus and enterprise network operations: access control and information flow control. We describe how the current coupling of high-level policy with low-level configuration makes these problems challenging today. We describe the specific policy problems faced by campus and enterprise network operators; illustrate our approach, which leverages recent trends in separating the networks “control plane” from the data plane; and show how this approach can be applied to simplify these two enterprise network management tasks. We also describe our ongoing deployment efforts to build a campus network testbed where trial designs can be deployed and evaluated. We close with a summary of current and future research challenges for solving challenges within enterprise networks within the context of this new paradigm.

D-book: a mobile social networking application for delay tolerant networks

We describe a mobile application for social networking that demonstrates the features of DTN#, a .Net-based implementation of the DTN bundle specification and testbed for research in challenged networks. The application, dubbed D-Book, includes the ability for users to create, modify, and share profiles much like the popular web-based social networking services.

Deploying ATM in a data network: an analysis of SVC requirements

Past and current campus data networks generally utilize connectionless network layer protocols like IP. Future networks are expected to use ATM which provides a connection-oriented service. New ATM switches are coming to market with baseline parameters such as the number of concurrent SVCs supported and the number of call setups possible per second. These parameters will determine the usefulness of this equipment in large campus networks for current applications and topologies. We present an analysis of the effect of these parameters on the ability of a circuit-based network to support the networking requirements of a college campus. We performed this analysis using IP traffic logs from three distinct networks within our campus. We consider four different ATM deployment scenarios and two circuit replacement algorithms. From our analysis we derive expected requirements for SVC setup rates and hold times necessary to support the measured traffic.

Leveraging SDN for ARP security

Insider threats are a growing concern for industry, government, and campus networks. Yet, vulnerabilities inherent in Address Resolution Protocol (ARP) are exploitable by insiders seeking to launch sophisticated attacks on local area networks (LANs). Such attacks, initialized through ARP spoofing, include denial of service, server redirect, and man-in-the-middle attacks. Unfortunately, the current state of the art technologies for detecting and preventing ARP poisoning are tediously complex, slow to detect, and difficult to maintain. However, software defined networking (SDN) enables the implementation of novel security measures that are capable of detecting and eliminating ARP spoofing before it can impact other hosts. Hence, this paper presents Network Flow Guard for ARP (NFGA), an SDN security module that augments simple, MAC-learning, protocols on OpenFlow-enabled switches. NFG works by hashing a hosts physical address with an appropriate IP: port association to deny ARP spoofing at real-time. Moreover, our frameworks key contribution is that it achieves ARP security with minimal intervention by network operators while supporting both dynamic and static port allocations, requiring no changes to the networks topology or protocols, and requiring no client software installation.