Securing the Software Defined Network Control Layer

Software-defined networks (SDNs) pose both an opportunity and a challenge to the network security community. The opportunity lies in the ability of SDN applications to express intelligent and agile threat-mitigation logic against hostile flows, without the need for specialized inline hardware. However, the SDN community lacks a secure control layer to manage the interactions between the application layer and the switch infrastructure (the data plane). No available SDN controller provides the key security features, trust models, and policy-mediation logic necessary to deploy multiple SDN applications into a highly sensitive computing environment. We propose the design of security extensions at the control layer that provide security management and the arbitration of conflicting flow rules that arise when multiple applications are deployed within the same network. We present a prototype of our design as a Security Enhanced version of the widely used OpenFlow Floodlight controller, which we call SE-Floodlight. SE-Floodlight extends Floodlight with a security-enforcement kernel (SEK) layer whose functions are also directly applicable to other OpenFlow controllers. The SEK adds a unique set of secure application-management features, including an authentication service, role-based authorization, a permission model for mediating all configuration-change requests to the data plane, inline flow-rule conflict resolution, and a security audit service. We demonstrate the robustness and scalability of our implementation through both a comprehensive functionality assessment and a performance evaluation that illustrates its sub-linear scaling properties.
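The abstract names the services a security-enforcement kernel interposes between applications and the data plane: authentication, role-based authorization, a permission check on every configuration-change request, arbitration of conflicting flow rules, and an audit trail. The following Python model, added here as an illustration and not code from SE-Floodlight or the Floodlight project, shows how those pieces fit together on a single `flow_mod` request. The three roles and their ordering, the match-overlap test, and the "higher authority wins, ties keep the installed rule" policy are assumptions of this example, not the paper's actual arbitration logic.

```python
"""Toy mediation layer for application-to-switch flow-rule requests.

Illustrative example only: the role ranks, the overlap test and the
arbitration policy are assumptions, not SE-Floodlight's implementation.
"""
import hmac
from dataclasses import dataclass
from typing import Optional

# Assumed authority ordering: administrator > security application > ordinary app.
ROLE_RANK = {"ADMIN": 3, "SECURITY": 2, "APP": 1}
# Assumed subset of OpenFlow match fields used by this toy.
MATCH_FIELDS = ("nw_src", "nw_dst", "tp_dst")


@dataclass
class FlowRule:
    owner: str      # application that requested the rule
    role: str       # role the application authenticated as
    action: str     # "forward" or "drop"
    match: dict     # field -> value; a field absent from the dict is a wildcard


def overlaps(a: dict, b: dict) -> bool:
    """Two match patterns overlap unless some field pins them to different values."""
    for f in MATCH_FIELDS:
        if f in a and f in b and a[f] != b[f]:
            return False
    return True


class SecurityEnforcementKernel:
    """Mediates every flow_mod: authenticate, authorize, arbitrate, audit."""

    def __init__(self):
        self._creds = {}   # app -> (shared secret, role)
        self._perms = {}   # app -> set of permitted operations
        self.rules = []    # installed rules: the kernel's view of the data plane
        self.audit = []    # (event, app, detail) records

    def register(self, app: str, secret: str, role: str, perms) -> None:
        self._creds[app] = (secret, role)
        self._perms[app] = set(perms)

    def _log(self, event: str, app: str, detail: str) -> None:
        self.audit.append((event, app, detail))

    def _authenticate(self, app: str, secret: str) -> Optional[str]:
        entry = self._creds.get(app)
        if entry is None or not hmac.compare_digest(entry[0], secret):
            return None
        return entry[1]

    def flow_mod(self, app: str, secret: str, action: str, match: dict) -> tuple:
        role = self._authenticate(app, secret)
        if role is None:
            self._log("AUTH_FAIL", app, "unknown app or bad credential")
            return False, "authentication failed"
        if "flow_mod" not in self._perms[app]:
            self._log("PERM_DENIED", app, "no flow_mod permission")
            return False, "not permitted"
        new = FlowRule(app, role, action, dict(match))
        # A conflict is an overlapping match with a contradictory action.
        conflicts = [r for r in self.rules
                     if r.action != new.action and overlaps(r.match, new.match)]
        # Arbitration: any installed conflicting rule of equal or higher authority blocks the request.
        blockers = [c for c in conflicts if ROLE_RANK[c.role] >= ROLE_RANK[new.role]]
        if blockers:
            self._log("CONFLICT_REJECT", app, f"blocked by {blockers[0].owner}")
            return False, f"conflicts with rule owned by {blockers[0].owner}"
        # Otherwise the higher-authority request evicts the lower-authority rules it contradicts.
        for c in conflicts:
            self._log("CONFLICT_OVERRIDE", app, f"evicts {c.owner}'s {c.action} rule")
            self.rules.remove(c)
        self.rules.append(new)
        self._log("FLOW_MOD_OK", app, f"{action} {match}")
        return True, "installed"


def demo():
    """Constructed scenario: a security app, two ordinary apps and an admin share one switch."""
    sek = SecurityEnforcementKernel()
    sek.register("firewall", "fw-secret", "SECURITY", {"flow_mod"})
    sek.register("loadbalancer", "lb-secret", "APP", {"flow_mod"})
    sek.register("monitor", "mon-secret", "APP", set())        # read-only app
    sek.register("admin", "adm-secret", "ADMIN", {"flow_mod"})
    r1 = sek.flow_mod("firewall", "fw-secret", "drop", {"nw_dst": "10.0.0.5", "tp_dst": 23})
    r2 = sek.flow_mod("loadbalancer", "lb-secret", "forward", {"nw_dst": "10.0.0.5"})  # overlaps r1: rejected
    r3 = sek.flow_mod("loadbalancer", "lb-secret", "forward", {"nw_dst": "10.0.0.6"})  # disjoint: installed
    r4 = sek.flow_mod("monitor", "mon-secret", "drop", {"nw_src": "10.0.0.9"})          # no permission
    r5 = sek.flow_mod("loadbalancer", "wrong", "forward", {"nw_dst": "10.0.0.7"})       # bad credential
    r6 = sek.flow_mod("admin", "adm-secret", "forward", {"nw_dst": "10.0.0.5"})        # outranks r1: evicts it
    return (r1, r2, r3, r4, r5, r6), sek


if __name__ == "__main__":
    results, kernel = demo()
    for event in kernel.audit:
        print(event)
```

The point of the model is that no application talks to the switch directly: every request passes the same sequence of checks, and every decision, including the rejected ones, lands in the audit list, which is what an operator reviews when two applications disagree about the same traffic.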
