While traditional network security policies have been enforced by manual configuration of individual network components such as router ACLs, firewalls, NATs, and VLANs, emerging enterprise network designs and products support global policies declared over high-level abstractions. We further the evolution of simpler and more powerful network security mechanisms by designing, implementing, and testing a flow-based network security policy language and enforcement infrastructure. Our policy language, FSL, expresses basic network access controls, directionality in communication establishment (similar to NAT), network isolation (similar to VLANs), communication paths, and rate limits. FSL supports modular construction, distributed authorship, and efficient implementation. We have implemented FSL as the primary policy language for NOX, a network-wide control platform, and have deployed it within an operational network for over 10 months. We describe how supporting complex policy objectives and meeting the demanding performance requirements of network-wide policy enforcement have influenced the FSL language design and implementation.
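The constructs the abstract lists (access control over host groups rather than individual addresses, NAT-style directionality of connection establishment, VLAN-style isolation, and rate limits) can be illustrated with a small flow-based policy evaluator. The Python below is an added example written for this page; it is not FSL or NOX code, and its rule syntax, group names, sample addresses and conflict-resolution choices (deny overrides allow, reply traffic of an already-admitted flow passes without consulting the rules, default deny, the lowest matching rate limit wins) are assumptions of this illustration, not a description of FSL's actual semantics. Communication paths (waypoints) are not modelled.

```python
"""Toy flow-based policy evaluator (constructed illustration; not FSL/NOX code)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Host groups are the high-level abstraction the policy is written against.
# Addresses are constructed sample values for this example only.
GROUPS = {
    "staff": {"10.0.1.10", "10.0.1.11"},
    "guest": {"10.0.2.20"},
    "servers": {"10.0.3.30"},
    "internet": {"203.0.113.5"},
}


def group_of(host: str) -> str:
    """Map a host address to its group; unknown hosts match no group rule."""
    for name, members in GROUPS.items():
        if host in members:
            return name
    return "unknown"


@dataclass(frozen=True)
class Flow:
    """A flow keyed by endpoints, protocol and service port.

    Full 5-tuple tracking (ephemeral source ports) is omitted for brevity."""
    src: str
    dst: str
    proto: str
    port: int

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.src, self.proto, self.port)


@dataclass(frozen=True)
class Rule:
    """A policy rule over groups. action is 'allow', 'deny' or 'ratelimit'."""
    action: str
    src: str = "*"
    dst: str = "*"
    proto: str = "*"
    port: Optional[int] = None
    kbps: Optional[int] = None

    def matches(self, flow: Flow) -> bool:
        return (self.src in ("*", group_of(flow.src))
                and self.dst in ("*", group_of(flow.dst))
                and self.proto in ("*", flow.proto)
                and (self.port is None or self.port == flow.port))


# Constructed policy: staff may initiate to servers and the internet; guests
# may only reach the internet, at a limited rate, and are isolated from staff
# and servers (VLAN-like); telnet to servers is denied for everyone.
POLICY: List[Rule] = [
    Rule("allow", src="staff", dst="servers"),
    Rule("allow", src="staff", dst="internet"),
    Rule("allow", src="guest", dst="internet"),
    Rule("ratelimit", src="guest", dst="internet", kbps=512),
    Rule("deny", src="guest", dst="staff"),
    Rule("deny", src="guest", dst="servers"),
    Rule("allow", src="servers", dst="servers"),
    Rule("deny", src="*", dst="servers", proto="tcp", port=23),
]


class PolicyEngine:
    """Decides each new flow against the rule set with NAT-like directionality:
    only the initiating direction is checked against the rules, and replies
    to an admitted flow are allowed automatically (the 'established' table)."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.established: Set[Flow] = set()

    def decide(self, flow: Flow) -> Tuple[str, Optional[int]]:
        """Return ('allow', kbps_limit_or_None) or ('deny', None)."""
        if flow.reverse() in self.established:
            return ("allow", None)  # reply traffic for an admitted flow
        hits = [r for r in self.rules if r.matches(flow)]
        if any(r.action == "deny" for r in hits):
            return ("deny", None)  # deny overrides any allow (assumed resolution)
        if not any(r.action == "allow" for r in hits):
            return ("deny", None)  # default deny: no rule admits this flow
        limits = [r.kbps for r in hits if r.action == "ratelimit" and r.kbps]
        self.established.add(flow)
        return ("allow", min(limits) if limits else None)


if __name__ == "__main__":
    engine = PolicyEngine(POLICY)
    for f in (Flow("10.0.1.10", "10.0.3.30", "tcp", 443),   # staff -> server
              Flow("10.0.3.30", "10.0.1.10", "tcp", 443),   # reply, admitted
              Flow("203.0.113.5", "10.0.1.10", "tcp", 22),  # inbound, no rule
              Flow("10.0.2.20", "203.0.113.5", "tcp", 80)): # guest, rate-limited
        print(f, "->", engine.decide(f))
```

Because decisions are taken at flow setup and cached in the established table, the per-packet cost stays low, which is the same pressure the abstract describes when it mentions meeting network-wide enforcement performance requirements; the evaluator here walks every rule per new flow, whereas a real implementation would index or compile the rule set.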
Hinrichs received a B.S. in Computer Science from the University of Illinois at Urbana-Champaign in 2001 and a Ph.D. in Computer Science from Stanford University in 2007. He is currently a postdoctoral researcher at the University of Chicago focusing on Computational Logic, specifically on language design and compilation.