Team for Research in
Ubiquitous Secure Technology

Expressing and Enforcing Flow-Based Network Security Policies
Tim Hinrichs, Natasha Gude, Martin Casado, John C. Mitchell, Scott Shenker

Citation
Tim Hinrichs, Natasha Gude, Martin Casado, John C. Mitchell, Scott Shenker. "Expressing and Enforcing Flow-Based Network Security Policies". Talk or presentation, 11, November, 2008.

Abstract
While traditional network security policies have been enforced by manual configuration of individual network components such as router ACLs, firewalls, NATs and VLANs, emerging enterprise network designs and products support global policies declared over high level abstractions. We further the evolution of simpler and more powerful network security mechanisms by designing, implementing, and testing a flow-based network security policy language and enforcement infrastructure. Our policy language, FSL, expresses basic network access controls, directionality in communication establishment (similar to NAT), network isolation (similar to VLANs), communication paths, and rate limits. FSL supports modular construction, distributed authorship, and efficient implementation. We have implemented FSL as the primary policy language for NOX, a network-wide control platform, and have deployed it within an operational network for over 10 months. We describe how supporting complex policy objectives and meeting the demanding performance requirements of network-wide policy enforcement have influenced the FSL language design and implementation.

Electronic downloads

Citation formats  
  • HTML
    Tim Hinrichs, Natasha Gude, Martin Casado, John C. Mitchell,
    Scott Shenker. <a
    href="http://www.truststc.org/pubs/487.html"
    ><i>Expressing and Enforcing Flow-Based Network
    Security Policies</i></a>, Talk or presentation,
    11, November, 2008.
  • Plain text
    Tim Hinrichs, Natasha Gude, Martin Casado, John C. Mitchell,
    Scott Shenker. "Expressing and Enforcing Flow-Based
    Network Security Policies". Talk or presentation, 11,
    November, 2008.
  • BibTeX
    @presentation{HinrichsGudeCasadoMitchellShenker08_ExpressingEnforcingFlowBasedNetworkSecurityPolicies,
        author = {Tim Hinrichs and Natasha Gude and Martin Casado
                  and John C. Mitchell and Scott Shenker},
        title = {Expressing and Enforcing Flow-Based Network
                  Security Policies},
        day = {11},
        month = {November},
        year = {2008},
        abstract = {While traditional network security policies have
                  been enforced by manual configuration of
                  individual network components such as router ACLs,
                  firewalls, NATs and VLANs, emerging enterprise
                  network designs and products support global
                  policies declared over high level abstractions. We
                  further the evolution of simpler and more powerful
                  network security mechanisms by designing,
                  implementing, and testing a flow-based network
                  security policy language and enforcement
                  infrastructure. Our policy language, FSL,
                  expresses basic network access controls,
                  directionality in communication establishment
                  (similar to NAT), network isolation (similar to
                  VLANs), communication paths, and rate limits. FSL
                  supports modular construction, distributed
                  authorship, and efficient implementation. We have
                  implemented FSL as the primary policy language for
                  NOX, a network-wide control platform, and have
                  deployed it within an operational network for over
                  10 months. We describe how supporting complex
                  policy objectives and meeting the demanding
                  performance requirements of network-wide policy
                  enforcement have influenced the FSL language
                  design and implementation. },
        URL = {http://www.truststc.org/pubs/487.html}
    }

Posted by Jessica Gamble on 23 Jan 2009.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.