Purdue University Graduate School
End-to-end frameworks for the specification, learning and enforcement of network-wide access control in Zero-Trust Network Architectures

Thesis, posted on 2025-04-27, 00:45, authored by Charalampos Katsis

Zero-Trust Architecture (ZTA) redefines traditional network security by treating both internal and external networks as potentially compromised. Unlike perimeter-based models, ZTA enforces strict, least-privilege access controls throughout the network, permitting only essential communication flows aligned with each entity's objectives. However, ZTA adoption faces significant hurdles: unclear communication requirements among diverse network components lead to overly permissive policies, existing frameworks lack efficient mechanisms for defining granular policies, and insufficient insights into benign network behavior complicate policy abuse detection. Additionally, leveraging powerful programmable data planes to delegate expensive control plane operations, such as stateful access control, is challenging, as administrators must write programs for individual programmable switches and orchestrate control plane support at runtime.

This dissertation tackles these challenges through several key contributions. First, we present the NEUTRON policy framework, which automates the entire process of specifying, managing, testing, and deploying least-privilege access control policies. NEUTRON utilizes a flexible, graph-based method to define and share intricate, fine-grained network security policies, easing the administrative burden by enabling policy pattern sharing across organizations. The NEUTRON policy generator produces comprehensive network-wide security policies, and by treating security policies as software, it introduces novel approaches to policy verification and impact analysis. We developed the Security Policy Regression Tool (SPRT), which employs our innovative Ruleset Aggregation Algorithm to perform scalable verification of network-wide security policies and efficiently compute and visualize the impacts of policy changes.

To address the issue of unclear communication requirements from various applications or devices, we introduce ZT-SDN, an automated framework for learning and enforcing network access control within Software-Defined Networks (SDN). ZT-SDN gathers data from the underlying network and models network transactions as graphs, with nodes representing entities and directed edges representing transactions identified by different protocol stacks. Using unsupervised learning, ZT-SDN extracts transaction patterns by analyzing message distribution and data transmission behavior. It then generates accurate access control rules and infers strong associations between them, enabling proactive rule deployment in forwarding devices. We show that ZT-SDN effectively detects anomalous network accesses and abuses of permitted network flows while demonstrating performance improvements and robustness against changing network conditions.

Finally, to harness the power of data plane programmability for ZTA, we introduce ZT-XPN, a comprehensive framework for enforcing zero-trust principles in programmable networks. ZT-XPN integrates SDN with programmable data planes to enable fine-grained, per-request access control across the network. The framework consists of three key components: (1) a graph-based policy specification tool for defining precise endpoint- and protocol-level control; (2) a back-end compiler integrated with the ONOS SDN controller, automating data plane program generation and orchestrating control plane operations; and (3) a runtime management system for continuous policy enforcement and monitoring. ZT-XPN eliminates the need for manual data plane program composition and control plane orchestration, providing an automated, scalable approach to enforcing least-privilege access control in dynamic network environments. We evaluate ZT-XPN in an SDN environment with varying network scales, and we demonstrate its effectiveness in policy enforcement. We also show performance improvements over traditional packet forwarding and firewall implementations.

History

Degree Type

  • Doctor of Philosophy

Department

  • Computer Science

Campus location

  • West Lafayette

Advisor/Supervisor/Committee Chair

Elisa Bertino

Additional Committee Member 2

Ninghui Li

Additional Committee Member 3

Sonia Fahmy

Additional Committee Member 4

Christos A. Psomas
