In the design, known as Ethane, simple-to-define access policies are maintained in one place and enforced consistently along the network datapath, and no user, switch or end-host has more information than it needs.
Today corporate networks typically allow open communication by default, which makes implementing effective security and privacy rules an onerous task for network administrators.
A first implementation of Ethane was built and deployed in the fall of 2006. The deployment consisted of one controller and 19 switches, and it managed the traffic from more than 300 wired hosts and many more wireless ones. The switches were built on both wireless and wired platforms, as well as in hardware.
Currently, Stanford researchers are working on the second version of Ethane, which they say will have better policy language support and a more feature-rich datapath supporting more diverse techniques such as NAC, MAC hiding and end-to-end L2 isolation.
The second pilot network is being deployed and tested this summer.
Ultimately, it is Stanford's goal to make high fan-out Ethane switches and controller available to other institutions, researchers said.
The trick behind the Ethane design is that all complex features, including routing, naming, policy declaration and security checks are performed by a central controller (rather than in the switches as is done today).
Each flow on the network must first get permission from the controller, which verifies that the communication is permitted by the network policy.
If the controller allows a flow, it computes a route for the flow to take and adds an entry for that flow in each of the switches along the path, according to Stanford's Website.
With all complex functions subsumed by the controller, switches in Ethane are reduced to managed flow tables whose entries can only be populated by the controller (which it does after each successful permission check).
This allows a very simple design for Ethane switches using only SRAM (no power-hungry TCAMs) and a little bit of logic, the Website states.
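To make the controller/switch split concrete, here is an added toy model (not Stanford's code; topology, host names and the allow-list are constructed): switches hold flow tables that only the controller may write, the first packet of a flow triggers a policy check, and only an admitted flow gets entries installed on every switch along the computed route.

```python
from collections import deque

# Constructed topology: switch -> neighbouring switches; hosts attach to one switch.
LINKS = {"s1": ["s2"], "s2": ["s1", "s3"], "s3": ["s2"]}
HOST_SWITCH = {"alice-laptop": "s1", "web-srv": "s3", "guest-pc": "s2"}
# Policy over authenticated endpoint names rather than IP/MAC ACLs (constructed).
ALLOW = {("alice-laptop", "web-srv"), ("web-srv", "alice-laptop")}

class Switch:
    """A managed flow table: entries are written only by the controller."""
    def __init__(self, name):
        self.name, self.flow_table = name, {}
    def forward(self, flow):
        # Next hop for a known flow, or None on table miss (ask the controller).
        return self.flow_table.get(flow)

class Controller:
    def __init__(self):
        self.switches = {n: Switch(n) for n in LINKS}
    def route(self, src_sw, dst_sw):
        # Shortest switch path by breadth-first search over LINKS.
        seen, queue = {src_sw}, deque([[src_sw]])
        while queue:
            path = queue.popleft()
            if path[-1] == dst_sw:
                return path
            for nxt in LINKS[path[-1]]:
                if nxt not in seen:
                    seen.add(nxt); queue.append(path + [nxt])
        return None
    def admit(self, src, dst):
        # Permission check first; only then install per-flow entries on the path.
        if (src, dst) not in ALLOW:
            return False
        path = self.route(HOST_SWITCH[src], HOST_SWITCH[dst])
        for i, sw in enumerate(path):
            nxt = path[i + 1] if i + 1 < len(path) else dst  # last hop delivers
            self.switches[sw].flow_table[(src, dst)] = nxt
        return True

def send(ctrl, src, dst):
    """Trace a flow hop by hop; a miss at the ingress switch consults the controller."""
    sw = ctrl.switches[HOST_SWITCH[src]]
    if sw.forward((src, dst)) is None and not ctrl.admit(src, dst):
        return None  # denied: no switch anywhere gets an entry for this flow
    hops = [sw.name]
    while (nxt := sw.forward((src, dst))) != dst:
        sw = ctrl.switches[nxt]; hops.append(sw.name)
    return hops
```

Because a denied flow leaves every flow table untouched, the switches never learn about traffic the policy rejected, which is the least-information property the article describes.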
Tal Garfinkel, a Ph.D. student in Stanford University's computer science department, recently talked with Network World and said: "I think our work on redesigning the enterprise network with security in mind (SANE/Ethane) points to some important ideas that hopefully will gain greater traction in the coming years.
Such as implementing fine-grain, centrally managed access controls at the level of users and end-hosts, and using strongly authenticated network endpoints for doing access control, instead of the mess of IP and MAC-level ACLs that we have today."
Ethane is funded by the Stanford Clean Slate Project, an ambitious undertaking that proposes to build a new Internet from the ground up.
The point of Stanford's efforts is not that the Internet is broken, the researchers say, but that it has become ossified in the face of emerging security threats and novel applications. Cisco Systems, Deutsche Telekom and NEC are also taking part in the research.
The researchers say their work closely complements two projects under way at the National Science Foundation. The first, called GENI, for Global Environment for Network Innovations, aims to build a nationwide programmable platform for research in network architectures.
Stanford researchers will present their update at the school's Hot Chips symposium Aug. 19-21 at Stanford's Memorial Auditorium.