S3: A DFW-based Scalable Security State Analysis Framework for Large-Scale Data Center Networks

With an average network size approaching 8000 servers, data-center networks need scalable security-state monitoring solutions. Using Attack Graph (AG) to identify possible attack paths and a network risk is a common approach. However,existing AG generation approaches suffer from the state-space explosion issue. The size of AG increases exponentially as the number of services and vulnerabilities increase. To address this issue, we propose a network segmentation-based scalable security state management framework, called S3, which applies a divide-and-conquer approach to create multiple small-scale AGs (i.e., sub-AGs) by partitioning a large net-work into manageable smaller segments, and then merge them to establish the entire AG for the whole system. S3 utilizes SDN-based distributed firewall(DFW) for managing service reachability among different network segments. Therefore, it avoids reconstructing the entire system-level AG due to the dependencies among vulnerabilities.A series of experimentations are conducted to demonstrates that S3 (i) reduces AG generation and analysis complexity by reducing AG’s density compared to existing AG-based solutions; (ii) utilizes SDN-based DFW to provide a granular security management framework, by incorporating security policies at the level of individual hosts and segments.Therefore, S3 helps in limiting targeted slow and low attacks involving lateral movement.