Infrastructure-Based Access Policy Enforcement Using Software-Defined Networks
This thesis describes a method to enhance network security using software-defined networks. Standard networks rely on perimeter-based defenses to block attackers from gaining access to internal systems. A key problem with this model is that once a malicious entity has gained access to the network, it is often able to move freely throughout the network and attack internal systems with impunity. This problem can be mitigated by placing defenses such as firewalls between machines on the network, but that approach requires significant resources and constant maintenance. If instead the network infrastructure itself is leveraged as a defense, individualizing the visibility of the network for each user according to their roles and permissions, the resulting network eliminates most or all of the actions attackers would take to monitor and attack the network from the inside. This type of defense requires identifying the sources of communication, enforcing global permissions, and dynamically updating the user's view of the network.
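As an added illustration, not code from the thesis or any prototype it describes, the following Python model walks through the three requirements named above: binding a communication source to a role, deriving switch rules from a global permission policy, and re-deriving one user's view when their role changes. It assumes an OpenFlow-style match/action rule table and a MAC-to-role identity binding; the roles, services and addresses are constructed sample values.

```python
"""Toy model of infrastructure-enforced, per-user network visibility (added
example; assumes an OpenFlow-style controller that installs match/action
rules and maps a source MAC to a user role)."""
from dataclasses import dataclass, field

# Global permission policy: which services each role may reach (constructed).
POLICY = {
    "engineer": {"git", "ci"},
    "finance": {"erp"},
}
# Service name -> address (constructed sample values).
SERVICES = {"git": "10.0.0.10", "ci": "10.0.0.11", "erp": "10.0.0.20"}


@dataclass
class Controller:
    identities: dict                           # src MAC -> role (source identification)
    rules: list = field(default_factory=list)  # (src_mac, dst_ip, action), first match wins

    def compile_rules(self):
        """Rebuild the switch rule table from the identity bindings and POLICY."""
        self.rules = []
        for mac, role in self.identities.items():
            allowed = POLICY.get(role, set())
            for svc, ip in SERVICES.items():
                self.rules.append((mac, ip, "forward" if svc in allowed else "drop"))
            # Default for this source: anything not explicitly permitted is invisible.
            self.rules.append((mac, "*", "drop"))
        return self.rules

    def lookup(self, src_mac, dst_ip):
        """Simulate the switch data path: first matching rule decides the packet."""
        for mac, ip, action in self.rules:
            if mac == src_mac and ip in (dst_ip, "*"):
                return action
        return "drop"  # unidentified sources get no view of the network at all

    def visible_hosts(self, src_mac):
        """The set of destinations this source can actually reach."""
        return sorted(ip for mac, ip, act in self.rules
                      if mac == src_mac and act == "forward")

    def set_role(self, src_mac, role):
        """Dynamic update: a role change re-derives that user's view immediately."""
        self.identities[src_mac] = role
        self.compile_rules()
```

A host that is compromised while bound to the "finance" role can reach only the ERP address; the git and CI servers are dropped at the switch rather than filtered by a per-host firewall.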