New Network Zoning Architecture

Network zoning has long been recognized as the cornerstone of secure network operation and management, which logically partitions network and information assets into disjoint segments depending on their security requirements and policies. Today, most enterprise networks have built a multi-layered hierarchy realized with thousands of network zones to minimize the attack surface and protect assets from unauthorized access. The sophisticated zone structure and its dynamicity make network administration tedious, time-consuming, and labor-intensive. Furthermore, transferring security-sensitive data between zones in different physical locations over the public Internet remains a great challenge; security information is lost in transit, requiring additional authentication.

Simplified zone structure with a new concept, Transit Zone.

Prof. Adrian Perrig and his research group have introduced a novel network zoning architecture, Mondrian, that secures inter-zone communication while enabling scalable cryptographic-key management and flexible network zone migration. With a new concept called Inter-domain Transit Zone, a large patch panel that allows parallel connection of multiple zones, Mondrian flattens the hierarchically-complex zone structure into a simple horizontal structure, significantly improving manageability. In conjunction with SCION, Mondrian also enables cryptographically protected packet forwarding for inter-domain zone transition thanks to Internet-scale key management empowered by DRKey.

If you are interested, the full paper and the conference video are available online.