Information flow control regulates where information is allowed to travel. Flow control mechanisms, such as the network device, use security attributes to control and restrict information flow. Security attributes (a type of metadata) are information about one or more pieces of data. This information is bound to the data and may include information about the data's purpose, creator, origin, or classification.
This control applies to the flow of information within an individual network device. Internal component communication, such as between the network device, router, and IPS, is not included in this control. The network device must restrict information flow within the component to authorized communications. A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, unauthorized commands, functionality, or traffic may be allowed to infiltrate security components, causing corruption or other undesirable conditions.
Examples of flow control restrictions include preventing installed applications or functions from accessing security configurations and preventing unauthorized commands from executing on the network device.