Our goal is to develop and implement a clean-slate network architecture in which protection is a fundamental design goal. Specifically, decisions about whether or not to permit flows will be made by devices that can reliably determine both the origin and the intent of the traffic. In contrast to current techniques, which attempt to infer the meaning of traffic from ad hoc and error-prone packet-inspection heuristics, we propose shifting the burden to the sender to demonstrate why a given flow should be allowed. The result will improve security by enforcing far more precise policies. It will also address a growing functionality problem, that the heuristics applied by today's protection mechanisms often break legitimate applications.

Our program of research has two parts. First, we address the question of protection within a single, private network--such as a university, enterprise, or government institution. Intra-network security is a notorious weakness in today's protection mechanisms, which tend to focus on perimeter security. We propose a theoretical architecture SANE along with a practical instantiation which we call Ethane in which a logically centralized entity controls all network resources and allows the minimal set of communication paths necessary for applications to work.

The second part addresses the public setting--communications that cross administrative boundaries. We outline a similar set of principles as part of a protection architecture called InSANE. InSANE extends the principles behind SANE to settings with multiple, generally cooperative but mutually distrustful organizations.

Clean-Slate Security Architecture (SANE)

SANE is a clean-slate a protection architecture for enterprise networks. SANE defines a single protection layer that governs all connectivity within the network. All routing and access control decisions are made by a logically-centralized server that grants access to services by handing out capabilities (encrypted source routes) according to declarative access control policies (e.g., ``Alice can access http server foo''). Capabilities are enforced at each switch, which are simple and only minimally trusted. More information is available in the following paper (html) or (pdf).

Ethane is a backwards compatible NAC (Network Access Control) architecture and a practical instantiation of SANE. Like SANE, Ethane uses simple-to-define access policies maintained in one place, and implemented consistently along a network datapath. And no user, switch or end-host has more information than it absolutely needs. Ethane differs from SANE in that, rather than using encrypted source routes, all connectivity is explicitly set up as flows in the network. We are currently developing an Ethane network in both hardware and software. More information is available at the Ethane project page.

Internet Security (inSANE)

Unlike private networks, the public Internet does not have a central administrator, nor does it have a "security policy". Users accessing public servers are often not required to be authenticated, and flows on the public Internet can easily impact each other. Nevertheless, the control offered by SANE is attractive to many of the problems facing the public Internet today. We wish to extend SANE-like security features across organizational boundaries to the broader Internet.

Further details of this portion of our research will be posted shortly.

Project Members

Principle Investigators: Graduate Students:


This work si funded by NSF under a grant from the FIND program (2006), and from the Disruptive Technology Office (DTO) from the NICIAR program (2006).

SANE/inSANE: Designing Secure Networks from the Ground-Up