Funder: Office of Naval Research

Award: N00014-20-1-2696

Period: 2022-01 – 2024-12

PI: William Enck

Co-PIs: Brad Reaves, Cristina Nita-Rotaru (Northeastern University)

Defining Security Policy in Distributed Environments using Network Views

Abstract

Existing networking technologies are primarily focused on functionality, not security. Consequently, requirements of these technologies, such as fixed network topologies, lead to rigid architectures that fail to enable the network access control requirements of current and future computing environments. We propose the creation of a novel primitive called network views that allows a physical or virtual host to have a different set of accessible peers, regardless of network address or topological placement of those peers. We seek to explore and characterize the utility and practicality of network views in different network environments, ranging from traditional LANs to multi-site, multi-tenant networks such as those emerging in cloud and cellular networks. Our proposed design combines concepts from software-defined networking (SDN), operating systems access control, and distributed consensus protocols. Through these efforts, we seek to provide a new security foundation for the growing security needs of both public and private sector network operations.

Related Publications