Defining Security Policy in Distributed Environments using Network Views

Abstract

Traditional communications technologies for enterprise and government networks rely on firewalls at gateways for network access control. As a result, hosts connected within internal networks are allowed to communicate with one another without mediation. This threat model is insufficient as computing continues to progress towards multi-tenant environments including cloud data centers and 5G networks. Simultaneously, cloud data centers have begun connecting multiple geographically distant sites with dedicated links, effectively creating large, multi-site internal networks. In the face of this multi-site, multi-tenant evolution of what was formerly the LAN setting, there is a growing need for sophisticated network access control. This proposal seeks to aid network operators in flexibly defining network access control policy in both small and geographically distributed environments through the creation of a novel primitive called "network views," which combines concepts from software-defined networking (SDN), operating systems access control, and distributed consensus protocols. The network views abstraction separates security from IP address assignment, which is often an artifact of the physical location of a host. In doing so, it provides a flexible access control specification that mediates communication within internal networks, not just at their perimeter. Furthermore, by spanning network views across multiple sites, and even across multiple network operators, the proposed work will enable new security and functional capabilities that will meet the growing demands of multi-site cloud, enterprise, and 5G environments.
We leverage software-defined networking and distributed consensus protocols to enable such flexible security and functional capabilities, while ensuring consistency of policy across multiple sites, mitigating the impact of multiple tenants sharing the same infrastructure, and preventing adversarial tenants from exploiting race conditions to circumvent policy enforcement. The network views abstraction will allow DoD organizations to define network access control policy that protects workstations, servers, and IoT devices wherever they reside, whether it be on a private government network, a public cloud, or directly connected to the cellular network.
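The abstract's central point is that policy should be keyed by which "view" a host belongs to, not by the IP address it happens to hold, and that it should mediate traffic inside the internal network rather than only at the gateway. The following is an added illustration of that idea, not code from the proposal or from its authors: a toy policy engine in which views are sets of host identities, allowed communication is expressed between views, and the identity-to-address table is maintained separately. The host names, view names, IP addresses and the simplistic version-number check standing in for multi-site consistency are all constructed for the example; a real system would use a consensus protocol, which is not implemented here.

```python
"""Toy 'network views' policy engine (constructed illustration, not the proposal's design).

Policy is expressed between views (sets of host identities); IP addresses are
only a lookup key into a separately maintained identity table, so re-addressing
a host never changes what it may talk to. A classic perimeter firewall model is
included for comparison: it allows any internal-to-internal flow.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class ViewPolicy:
    views: dict = field(default_factory=dict)        # view name -> set of host identities
    allowed: set = field(default_factory=set)        # directional (src_view, dst_view) pairs
    addresses: dict = field(default_factory=dict)    # host identity -> current IP (not policy)
    version: int = 0                                 # policy version replicated to each site

    def host_for(self, ip):
        """Resolve an address to a host identity; None if the address is unassigned."""
        for host, addr in self.addresses.items():
            if addr == ip:
                return host
        return None

    def views_of(self, host):
        return {name for name, members in self.views.items() if host in members}

    def decide(self, src_ip, dst_ip):
        """Allow only if some view of src is permitted to reach some view of dst.
        Unknown endpoints are denied (default deny), even if they are 'internal'."""
        src, dst = self.host_for(src_ip), self.host_for(dst_ip)
        if src is None or dst is None:
            return "deny"
        for sv in self.views_of(src):
            for dv in self.views_of(dst):
                if (sv, dv) in self.allowed:
                    return "allow"
        return "deny"

    def reassign(self, host, new_ip):
        """Move a host to a new address (e.g. migration to another site).
        Policy is untouched; only the identity table changes."""
        self.addresses[host] = new_ip

    def grant(self, src_view, dst_view):
        self.allowed.add((src_view, dst_view))
        self.version += 1


def perimeter_decide(src_ip, dst_ip, internal="10.0.0.0/8"):
    """Gateway-firewall model from the abstract: internal hosts talk freely."""
    net = ipaddress.ip_network(internal)
    both_internal = all(ipaddress.ip_address(a) in net for a in (src_ip, dst_ip))
    return "allow" if both_internal else "deny"


def sites_consistent(sites):
    """Simplified stand-in for the consistency guarantee: every site replica must
    hold the same policy version before enforcement is trusted."""
    return len({s.version for s in sites}) == 1


def decide_across_sites(sites, src_ip, dst_ip):
    """Refuse to enforce (fail closed) while replicas disagree, so a flow cannot
    slip through a site that has not yet applied the latest policy."""
    if not sites_consistent(sites):
        return "deny"
    return sites[0].decide(src_ip, dst_ip)


def build_example():
    """Constructed sample: two tenants share the 10.0.1.0/24 subnet."""
    p = ViewPolicy()
    p.views = {"web": {"web1", "web2"}, "db": {"db1"}, "tenant-b": {"b1"}}
    p.addresses = {"web1": "10.0.1.10", "web2": "10.0.1.11",
                   "db1": "10.0.2.10", "b1": "10.0.1.20"}
    p.grant("web", "db")    # web tier may initiate to the database tier
    p.grant("web", "web")   # web tier may talk amongst itself
    return p


if __name__ == "__main__":
    p = build_example()
    print("web1 -> db1:", p.decide("10.0.1.10", "10.0.2.10"))
    print("tenant b -> db1 (views):", p.decide("10.0.1.20", "10.0.2.10"))
    print("tenant b -> db1 (perimeter):", perimeter_decide("10.0.1.20", "10.0.2.10"))
    p.reassign("web1", "10.0.3.5")
    print("web1 after re-addressing -> db1:", p.decide("10.0.3.5", "10.0.2.10"))
```

The contrast to observe is the tenant-b flow: both endpoints sit on the same internal subnet, so the perimeter model allows it, while the view-based policy denies it because no view relationship grants it. Re-addressing web1 changes nothing in the policy, and the old address stops resolving to any identity, so it is denied rather than inheriting web1's permissions.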

Document Details

Document Type
DoD Grant Award
Publication Date
Dec 16, 2019
Source ID
N000142012696

Entities

People

  • William Enck

Organizations

  • North Carolina State University
  • Office of Naval Research
  • United States Navy

Tags

Fields of Study

  • Computer science

Readers

  • Computer Networking
  • Distributed Systems and Data Platform Development
  • Strategic Security Studies

Technology Areas

  • 5G
  • 5G - DoD 5G Program
  • 5G - Internet of Things