A Formal Approach To Network Segmentation

COMPUTERS & SECURITY(2021)

Abstract
Network segmentation or compartmentalization, and layered protection are two strategies that are critical in building a secure network. In the literature, layered protection has been formalized and termed the Defence in Depth (DD) strategy. However, network segmentation has been described vaguely and without any formal approach, which makes the secure design of large networks unwieldy. In this paper, we formally define network segmentation using a formalism based on product family algebra and guarded commands. Then we propose two algorithms that take a set of resources and their access control policies as input and output a robust network topology and the policies of its firewalls. The firewall policies are computed based on the network segmentation formalism, and the firewalls are strategically placed in the network to achieve DD. Further, we use the proposed algorithms to build Software Defined Networks (SDN) and discuss their use in dynamic networks and the Internet of Things. (c) 2021 Elsevier Ltd. All rights reserved.
Key words
Computer network security, Network architecture, Network segmentation, Layered protection, Defence in depth, Product family algebra, Guarded commands, Software defined networks