Concepedia

Publication | Closed Access

Automatic management of network security policy

Citations: 75

References: 11

Year: 2002

Abstract

The paper describes work in our project funded by the DARPA Dynamic Coalitions program to design, develop, and demonstrate a system for automatically managing security policies in dynamic networks. Specifically, we aim to reduce human involvement in network management by building a practical network reconfiguration system so that simple security policies stated as positive and negative invariants are upheld as the network changes. The focus of this project is a practical tool to help systems administrators verifiably enforce simple multi-layer network security policies. Our key design considerations are computational cost of policy validation and the power of the enforcement primitives. The central component is a policy engine populated by models of network elements and services that validates policies and computes new configuration settings for network elements when they are violated. We instantiate our policy enforcement tool using a monitoring and instrumentation layer that reports network changes as they occur and implements configuration changes computed by the policy engine.
