DocumentCode :
568453
Title :
Towards Safe and Optimal Network Designs Based on Network Security Requirements
Author :
Ben Youssef Ben Souayeh, Nihel ; Bouhoula, Adel
Author_Institution :
Higher Sch. of Commun. of Tunis (Sup'Com), Univ. of Carthage, Tunis, Tunisia
fYear :
2012
fDate :
25-27 June 2012
Firstpage :
573
Lastpage :
579
Abstract :
Network security requirements are generally considered only once the network topology is implemented, in particular once firewalls are in place to filter network traffic between different Local Area Networks (LANs). This common approach may lead to critical situations. First, machines that should not communicate could belong to the same LAN, where network traffic does not pass through the firewall to be filtered. Often overwhelmed by the complexity of security requirements and the growth of networks, network administrators struggle to resolve such design faults while ensuring they do not cause further vulnerabilities. Second, according to the network security policy, the required number of LANs, and therefore the number, range and thus the cost of both network and security equipment, can be much lower than originally proposed by the network administrator. In this paper, we present an automatic approach that proposes a network topology which is both safe and optimal by taking into account the network security policy, given in a high-level language. The safety property ensures that all prohibited traffic has to cross the firewall to be filtered. The optimality property makes it possible to deduce the necessary and sufficient resources (subnetworks, network switches, firewall range) to be used. To the best of our knowledge, this problem has not been explored in previous work, despite the importance of these challenges. Our method has been implemented using Graph Coloring Theory. The first results are very promising. Experiments conducted on large-scale networks demonstrate the efficiency and scalability of our approach.
Keywords :
computer network security; local area networks; LAN; Sub networks; firewalls range; high-level language; local area networks; network administrator; network administrators; network equipments; network security policy; network security requirements; network switches; network topology; optimal network designs; safe network designs; security equipments; security requirements; Color; Educational institutions; Local area networks; Network topology; Safety; Security; Servers; Firewall; Graph Theory; Network Design; Network Security Policy;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Trust, Security and Privacy in Computing and Communications (TrustCom), 2012 IEEE 11th International Conference on
Conference_Location :
Liverpool
Print_ISBN :
978-1-4673-2172-3
Type :
conf
DOI :
10.1109/TrustCom.2012.279
Filename :
6296022