Abstract
With an average network size approaching 8000 servers, data-center networks need scalable security-state monitoring solutions. Using Attack Graph (AG) to identify possible attack paths and network risks is a common approach. However, existing AG generation approaches suffer from the state-space explosion issue. The size of AG increases exponentially as the number of services and vulnerabilities increases. To address this issue, we propose a network segmentation-based scalable security state management framework, called S3, which applies a divide-and-conquer approach to create multiple small-scale AGs (i.e., sub-AGs) by partitioning a large network into manageable smaller segments, and then merge them to establish the entire AG for the whole system. S3 utilizes SDN-based distributed firewall (DFW) for managing service reachability among different network segments. Therefore, it avoids reconstructing the entire system-level AG due to the dependencies among vulnerabilities.
Our experimental analysis shows that S3 (i) reduces AG generation and analysis complexity by reducing AG's density compared to existing AG-based solutions; (ii) utilizes SDN-based DFW to provide a granular security management framework, by incorporating security policies at the level of individual hosts and segments. In effect, S3 helps in limiting targeted slow and low attacks involving lateral movement.