Dynamic Flow Isolation

Organization: MIT Lincoln Laboratory
Year: 2018

High-profile cyberattacks in recent years have relied on unnecessary connectivity between assets on enterprise networks, which allows an attacker with a small initial foothold to escalate and expand the attack. Dynamic Flow Isolation (DFI) addresses this problem directly by enabling and enforcing policies that allow only the minimal network-level connectivity required for operations, thwarting an attacker’s attempts to move laterally. DFI provides an innovative solution to this security problem by decoupling how policies are maintained from how they are enforced. It maintains a database of current policy directives that serves both policy enforcement and auditing of who has access to what at a given time. At the same time, DFI uses the software-defined networking (SDN) switch to enforce its security policies and prioritize them over other SDN controller directives. DFI does this with a novel architecture rather than as a single controller module, which is the typical way of adding functionality to an SDN. In doing so, DFI mitigates known security limitations of commodity SDN controllers. DFI can improve the security posture of enterprise SDNs by reliably enforcing the principle of least privilege.
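The paragraph above describes two mechanisms: a policy database that records which flows operations actually need, and switch-level rules that take priority over whatever other controller modules install. The following is an added, illustrative Python model of that idea; it is not DFI's code, and the rule format, priority values, module names and the sample hosts and ports are all constructed for the example. It shows how an allow-list plus a default-deny rule at high priority prevents a lateral connection even when a lower-priority forwarding module would have carried it, and how the same policy database answers the audit question "what can this host reach?".

```python
"""Toy model of priority-based flow isolation on an SDN switch.

A switch keeps a flow table; for each packet the highest-priority matching
rule decides the action. Ordinary controller modules (here a plain L2
forwarding module) install low-priority rules. The isolation layer installs
one allow rule per entry in its policy database and a default-deny rule
beneath them, both at priorities above every other module, so connectivity
outside the policy is dropped no matter what the other modules install.
All hosts, ports and module names below are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ANY = None  # wildcard field in a flow rule

# Constructed priority bands: the isolation layer always sits above other modules.
ISOLATION_ALLOW_PRIORITY = 1000
ISOLATION_DENY_PRIORITY = 900
MAX_OTHER_MODULE_PRIORITY = 800


@dataclass(frozen=True)
class FlowRule:
    priority: int
    src: Optional[str]
    dst: Optional[str]
    dport: Optional[int]
    action: str   # "forward" or "drop"
    owner: str    # which controller module installed the rule

    def matches(self, src: str, dst: str, dport: int) -> bool:
        fields = ((self.src, src), (self.dst, dst), (self.dport, dport))
        return all(want is ANY or want == got for want, got in fields)


class FlowTable:
    def __init__(self) -> None:
        self.rules: List[FlowRule] = []

    def install(self, rule: FlowRule) -> None:
        # Non-isolation modules are capped so they can never outrank isolation rules.
        if rule.owner != "isolation" and rule.priority > MAX_OTHER_MODULE_PRIORITY:
            raise ValueError(f"{rule.owner} may not install above {MAX_OTHER_MODULE_PRIORITY}")
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.priority, reverse=True)

    def lookup(self, src: str, dst: str, dport: int) -> Optional[FlowRule]:
        for rule in self.rules:          # highest priority first
            if rule.matches(src, dst, dport):
                return rule
        return None


# Policy database: flows that operations need. Constructed sample entries.
Policy = Set[Tuple[str, str, int]]
POLICY_DB: Policy = {
    ("10.0.0.10", "10.0.0.20", 443),   # workstation -> web application
    ("10.0.0.20", "10.0.0.30", 5432),  # web application -> database
}


def build_table(policy_db: Policy) -> FlowTable:
    """Combine another module's forwarding rules with the isolation layer's rules."""
    table = FlowTable()
    # Plain L2 forwarding module: forward everything, low priority.
    table.install(FlowRule(10, ANY, ANY, ANY, "forward", "l2_forwarding"))
    # Isolation layer: one allow rule per policy entry, then default deny.
    for src, dst, dport in policy_db:
        table.install(FlowRule(ISOLATION_ALLOW_PRIORITY, src, dst, dport, "forward", "isolation"))
    table.install(FlowRule(ISOLATION_DENY_PRIORITY, ANY, ANY, ANY, "drop", "isolation"))
    return table


def decide(table: FlowTable, src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return (action, owning module) for a packet, as the switch would apply it."""
    rule = table.lookup(src, dst, dport)
    if rule is None:
        return ("drop", "table-miss")
    return (rule.action, rule.owner)


def audit_reachable(policy_db: Policy, host: str) -> List[Tuple[str, int]]:
    """Answer 'what can this host reach right now?' straight from the policy database."""
    return sorted((dst, dport) for src, dst, dport in policy_db if src == host)


if __name__ == "__main__":
    table = build_table(POLICY_DB)
    print(decide(table, "10.0.0.10", "10.0.0.20", 443))   # policy flow: forwarded
    print(decide(table, "10.0.0.10", "10.0.0.30", 5432))  # workstation -> database: dropped
    print(audit_reachable(POLICY_DB, "10.0.0.20"))
```

Revoking access is a change to the policy database followed by rebuilding the rules, which is the decoupling the description refers to: the table is derived from the database rather than being the source of truth itself, and the database stays queryable for audit independently of what is currently on the switch.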
