NICR, Aug 4, 2019

Programmable In-Network Security for Context-aware BYOD Policies

arXiv:1908.01405

The paper addresses security in enterprise BYOD networks by making context-aware access control more agile and more resilient to attack; it presents a new paradigm rather than an incremental improvement on controller-based designs.

The paper tackles the bottleneck and low agility of centralized SDN controllers in context-aware BYOD security by introducing Poise, a programmable in-network security paradigm built on programmable switches. Moving policy enforcement into switch hardware increases defense agility and makes the design resilient to control plane saturation attacks.

Bring Your Own Device (BYOD) has become the new norm in enterprise networks, but BYOD security remains a top concern. Context-aware security, which enforces access control based on dynamic runtime context, holds much promise. Recent work has developed SDN solutions to collect device context for network-wide access control in a central controller. However, the central controller poses a bottleneck that can become an attack target, and processing context changes at remote software has low agility. We present a new paradigm, programmable in-network security (Poise), which is enabled by the emergence of programmable switches. At the heart of Poise is a novel switch primitive, which can be programmed to support a wide range of context-aware policies in hardware. Users of Poise specify concise policies, and Poise compiles them into different instantiations of the security primitive in P4. Compared to centralized SDN defenses, Poise is resilient to control plane saturation attacks, and it dramatically increases defense agility.
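To make the compile-then-enforce flow in the abstract concrete, here is an added model written for this page; it is not Poise's compiler, its switch primitive, or its P4 code, and it is Python rather than P4 so that it runs anywhere. It assumes, hypothetically, that every packet reaches the switch with a small context header (device_type, os_patched, screen_lock, location); those field names, the sample rules and the sample packets are all constructed for the example. Concise rules are compiled into priority-ordered match-action entries, and each packet is decided by a table lookup with no controller round trip.

```python
"""Illustrative model of compiling context-aware BYOD policies into
priority-ordered match-action entries and enforcing them per packet.

Added example for this page: it is not Poise's compiler or its P4 code.
Assumption: each packet carries a context header with the device fields
below; in a real design the switch would parse them from the packet."""
from dataclasses import dataclass

# Fields a rule may match on: a subset of the packet header plus device
# context. The context field names are constructed for this example.
FIELDS = ("dst_ip", "dst_port", "device_type", "os_patched",
          "screen_lock", "location")


@dataclass(frozen=True)
class Entry:
    """One match-action entry. match has one slot per FIELDS element;
    None is a wildcard, anything else must match exactly (a restricted
    ternary match)."""
    priority: int
    match: tuple
    action: str


def compile_policy(rules):
    """Compile concise rules (dicts of field -> value plus 'action') into
    a table sorted by priority. More specific rules (more fields set)
    take precedence; among equally specific rules, earlier ones win."""
    n = len(rules)
    entries = []
    for idx, rule in enumerate(rules):
        unknown = set(rule) - set(FIELDS) - {"action"}
        if unknown:
            raise ValueError(f"rule {idx}: unsupported field(s) {sorted(unknown)}")
        if rule.get("action") not in ("allow", "deny"):
            raise ValueError(f"rule {idx}: action must be 'allow' or 'deny'")
        match = tuple(rule.get(f) for f in FIELDS)
        specificity = sum(v is not None for v in match)
        # specificity dominates; (n - idx) breaks ties in author order
        entries.append(Entry(specificity * n + (n - idx), match, rule["action"]))
    return sorted(entries, key=lambda e: e.priority, reverse=True)


def lookup(table, packet):
    """Data-plane decision for one packet: the first entry in priority
    order whose non-wildcard slots equal the packet's values. No entry
    means default deny; nothing is punted to a controller."""
    key = tuple(packet.get(f) for f in FIELDS)
    for entry in table:
        if all(m is None or m == k for m, k in zip(entry.match, key)):
            return entry.action, entry
    return "deny", None


def enforce(rules, packets):
    """Compile once, then decide every packet inside the switch model."""
    table = compile_policy(rules)
    return [lookup(table, p)[0] for p in packets]


# Constructed sample policy: nobody reaches the HR server 10.0.0.5 unless
# the device is managed, patched, screen-locked and on corporate Wi-Fi;
# HTTPS is generally allowed, but not from unpatched devices.
SAMPLE_RULES = [
    {"dst_ip": "10.0.0.5", "action": "deny"},
    {"dst_ip": "10.0.0.5", "device_type": "managed", "os_patched": True,
     "screen_lock": True, "location": "corp-wifi", "action": "allow"},
    {"dst_port": 443, "action": "allow"},
    {"dst_port": 443, "os_patched": False, "action": "deny"},
]

# Constructed sample packets, each with its device context attached.
_HEALTHY = {"device_type": "managed", "os_patched": True,
            "screen_lock": True, "location": "corp-wifi"}
SAMPLE_PACKETS = [
    {"dst_ip": "10.0.0.5", "dst_port": 22, **_HEALTHY},                        # allow
    {"dst_ip": "10.0.0.5", "dst_port": 22, **_HEALTHY, "location": "guest"},   # deny
    {"dst_ip": "10.0.0.5", "dst_port": 22, **_HEALTHY, "screen_lock": False},  # deny
    {"dst_ip": "8.8.8.8", "dst_port": 443, **_HEALTHY, "os_patched": False},   # deny
    {"dst_ip": "8.8.8.8", "dst_port": 443, **_HEALTHY},                        # allow
    {"dst_ip": "8.8.8.8", "dst_port": 80, **_HEALTHY},                         # default deny
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, enforce(SAMPLE_RULES, SAMPLE_PACKETS)):
        print(f"{pkt['dst_ip']}:{pkt['dst_port']} lock={pkt['screen_lock']} "
              f"patched={pkt['os_patched']} loc={pkt['location']} -> {verdict}")
```

Two details carry the security point. The third sample packet is the same device as the first with its screen lock turned off, and the verdict flips on that very packet because the decision is recomputed from the context it carries; a controller-based design would first have to learn of the change and push a new flow rule. The last packet matches no entry and is dropped in the switch rather than forwarded to a controller for a decision, which is the path a control plane saturation attack would flood in a centralized design.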

Code Implementations: 1 repo