Securing Enterprise Networks using Traffic Tainting
Enterprise networks must control information flow to prevent data leaks, the spread of malware, and insider threats. Existing defenses focus on securing or controlling information flow on a single host; they do not track or control information flow across the network. This paper presents the design, implementation, and evaluation of Pedigree, a system for tracking and controlling information flow in a network. Pedigree relies on a small trusted component on the host to assist with tracking the provenance of network traffic and annotating that traffic with taints, but leaves enforcement to devices in the network. Pedigree has two parts: a tagger on the host annotates network traffic with information about the "taints" that the sending process has acquired, and arbiters take actions based on the traffic's taints and the enterprise network's security policy. We have implemented Pedigree's tagger as a Linux kernel module and the arbiter using OpenFlow-enabled switches. Our evaluation shows that Pedigree can defend against these threats (data leaks, malware propagation, and insider misuse) without significant overhead at the host or the filtering device.
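The two-part design above, as a toy model added here for illustration; this is not code from the Pedigree project, and the taint labels, subnets, process ids and policy table are all constructed:

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed policy: taint label -> networks that tainted traffic may reach.
# Assumption: a label missing from the table is denied everywhere.
POLICY = {
    "hr-records": [ip_network("10.1.0.0/16")],          # HR data stays in HR subnet
    "untrusted-download": [ip_network("10.9.0.0/16")],  # quarantine subnet only
}

@dataclass
class Process:
    pid: int
    taints: set = field(default_factory=set)

    def read(self, *labels):
        """Tagger side: a process inherits the taints of everything it reads."""
        self.taints.update(labels)

@dataclass(frozen=True)
class Packet:
    src_pid: int
    dst: str
    taints: frozenset

def tag(proc, dst):
    """Tagger: annotate outgoing traffic with the sender's accumulated taints."""
    return Packet(proc.pid, dst, frozenset(proc.taints))

def arbitrate(pkt):
    """Arbiter (in-network): forward only if every taint permits this destination."""
    dst = ip_address(pkt.dst)
    for label in sorted(pkt.taints):
        if not any(dst in net for net in POLICY.get(label, [])):
            return ("drop", label)
    return ("forward", None)

def demo():
    hr_app = Process(pid=101)
    hr_app.read("hr-records")
    results = {
        "internal": arbitrate(tag(hr_app, "10.1.4.2")),     # stays in HR subnet
        "external": arbitrate(tag(hr_app, "203.0.113.9")),  # would leak; dropped
    }
    browser = Process(pid=202)
    browser.read("untrusted-download")
    browser.read("hr-records")  # taints accumulate across reads
    results["mixed"] = arbitrate(tag(browser, "10.1.4.2"))  # download taint blocks it
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The host only labels traffic; the decision to drop the leaking flow is made by the arbiter, which is the point of moving enforcement into the network.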
Publications
Securing Enterprise Networks using Traffic Tainting, in submission.
People
Yogesh Mundada
Anirudh Ramachandran
Mukarram bin Tariq
Nick Feamster