Author: Jin, Cheng
Dates: 2018-05-10; 2018-05-10
Date issued: 2018-03
Handle: https://hdl.handle.net/11299/196518
Description: University of Minnesota Ph.D. dissertation. March 2018. Major: Computer Science. Advisor: Zhi-Li Zhang. 1 computer file (PDF); xii, 102 pages.

Abstract:

Past decades have seen ever more devices connected to the Internet and new networked services created. Demands on networks -- whether campus or enterprise networks that support most of our daily work activities, or data center networks that power today's cloud services such as web, email, social media, music or video streaming services -- have grown rapidly. Managing and securing networks of growing size and complexity has become a daunting task, as today's networks are primarily "manually" managed by network operators. The task is further compounded by the lack of effective tools for network configuration and of monitoring systems that provide visibility into what is going on inside a network. This thesis studies existing network management approaches and identifies their limitations. We develop new network management frameworks -- in particular, leveraging emerging networking technologies -- to assist network operators and users in better managing and securing networks. We specifically focus on three key management tasks: diagnosing security policy misconfigurations, enhancing routing flexibility, and gaining on-demand flow visibility for better network control.

First, we study security group configurations (security groups being the primary means by which cloud customers configure security policies to protect their virtual machine instances from attacks) and their usage by customers in a public cloud platform, based on real-world datasets. Motivated by the results and insights obtained from this measurement study, we develop a cloud security group analysis system that helps cloud customers diagnose potential misconfigurations and provides suggestions to refine security group configurations.

Second, we propose a novel framework for an incremental and graceful transition from legacy networks to Software-Defined Networking (SDN) networks in stages, gradually replacing legacy devices with SDN-enabled devices as needed and as budgets allow. Network operators can thus experiment with SDN networks to gain experience and build confidence while minimizing service disruption. More importantly, operators can enjoy the same benefits as in fully deployed SDN networks. We design and build a novel unified network management controller that exerts SDN-like, fine-grained routing control over both SDN-enabled and legacy switches in hybrid networks.

Third, with the goal of obtaining on-demand visibility to monitor "who is talking to whom", we propose clairvoyant networks, which provide visibility for any network flow at any time at low cost. Clairvoyant networks are partially programmable -- they require as few as one SDN switch -- and rely on a specialized network controller that controls paths through both the SDN and legacy networks. Our proposed clairvoyant controller allows operators to define what to see, where to see it, and how to see it, and then enables or disables the specified flows' visibility through a task scheduler, within milliseconds.

In summary, this thesis studies the management of enterprise and data center networks. The systems we developed are capable of: i) helping operators and users understand and diagnose security policy configurations; ii) providing unified routing control to enable an incremental and graceful transition from legacy networks to SDN networks; and iii) gaining on-demand flow visibility for better network control.

Language: en
Keywords: Cloud Security; Network Management; Network Visibility; Software Defined Networking
Title: Towards More Manageable and Secure Enterprise and Data-Center Networks
Type: Thesis or Dissertation