A Formal Approach to Secure the Segmentation and Configuration of Dynamic Networks
| dc.contributor.advisor | Ridha, Khedri | |
| dc.contributor.author | Alabbad, Mohammed | |
| dc.contributor.department | Computing and Software | en_US |
| dc.date.accessioned | 2021-03-11T20:00:59Z | |
| dc.date.available | 2021-03-11T20:00:59Z | |
| dc.date.issued | 2021 | |
| dc.description.abstract | Network segmentation and layered protection are critical strategies used in building and designing secure networks. Although they are recommended by security practitioners and agencies, they are defined vaguely and lack precise formal treatment. Implementing these strategies might be achievable for a small network with few resources; however, it is nearly an impossible task for a large network with a large number of resources and complex policies. The challenge is even harder for dynamic networks, where resources frequently join and leave the network. This case requires an adaptive approach for maintaining the implementation of these strategies. In this thesis, we provide a formalism for the strategies of layered protection and network segmentation. The formalism is based on Product Family Algebra (PFA) and guarded commands. We use this formalism to assess whether a network satisfies these strategies. Furthermore, we articulate two implementation schemes for the layered protection strategy. Moreover, based on the introduced formalism, we propose two algorithms for structuring and configuring robust and secure networks. We then extend the formalism and the algorithms to handle networks with several entry points, where each entry point is intended to give access to a certain subnetwork. We employ the algorithms for the dynamic configuration and governance of Software Defined Networks (SDN). In addition to SDN data and control planes, we propose a plane in charge of the configuration and governance of SDN data planes. We call it the Dynamic Configuration and Governance (DCG) plane and it is intended to give agility to dynamic networks. Moreover, we propose and assess three architectures that use the DCG plane. The assessment results identify an architecture that is suitable for dynamic networks and another for networks that are more stable regarding changes to policy and network topology. The formalism presented in this thesis provides an automatic and adaptive approach for the segmentation and configuration of networks. It takes into consideration the security requirements of local resources as well as the global security situation. It constitutes a foundational framework for automated security solutions applicable to computer networks that use any type of connecting technology or topology. | en_US |
| dc.description.degree | Doctor of Philosophy (PhD) | en_US |
| dc.description.degreetype | Thesis | en_US |
| dc.identifier.uri | http://hdl.handle.net/11375/26250 | |
| dc.language.iso | en | en_US |
| dc.title | A Formal Approach to Secure the Segmentation and Configuration of Dynamic Networks | en_US |
| dc.type | Thesis | en_US |