Access control for network management

ion will also support better automation. Current network technologies leave too much room for human error. Some tasks, such as adding a new airline or shop, may be repeated many times and should become routine; dependencies with local implementation detail must be better hidden to make this simple and dependable. The main driver in day-to-day operations is cost. The air transport industry operates on tight margins; in Heathrow’s case the operator is heavily indebted following a takeover and was forced to divest other London airports by the competition authorities. Investments in new technologies will only happen if there is an unavoidable regulatory mandate, or to save money. 4.3 Hierarchical design Our detailed threat model therefore assumes physical compromise of devices, along with associated attacks that can be done by having physical access. It follows that some devices (the ones ‘in the field’) are unsafe. Once an attacker gains physical access to a 4.3. HIERARCHICAL DESIGN 79 device, he can open, modify, remove, or replace it. It is reasonable to say a number of switches are compromised at a given time, and sometimes controllers at the bottom of the hierarchy are compromised too (since they are deployed near switches). We also assume the communication channels connecting an unsecured switch to be insecure. If an attacker can get access to a device, he also has access to its cabling. Imagine an ISP needing to change a switch at a customer’s site by ordering the equipment from a contractor. There is no guarantee of security at any of the steps from factory and shipping company to contractors and subcontractors and eventually to the customer. Even the customer may modify the equipment if there is incentive to do so. It is not just a matter of occasional access by secret policemen at points of presence in less well-governed countries; recent Edward Snowden files reveal that NSA tampered with Cisco supply chain of hardware exported to other countries. In a time of conflict, the opportunity would exist for an opponent who had taken over one of the routers to use it to cause havoc, by inserting false rules, or removing and replacing legitimate ones, and thus generally disrupting the switching fabric. If a network has a thousand routers and any one of them can disrupt it, as is the case today, then an attacker need compromise a few routers for the whole network to become vulnerable.