A lightweight policy enforcement system for resource protection and management in the SDN-based cloud

Abstract An SDN-based cloud adopts Software-Defined Networking (SDN) to deliver network services to the cloud, which allows more flexibility in network management. At the same time, the SDN controller exposes various APIs through which users and administrators access and manage network resources. However, unauthorized requests, whether sent by unregistered users or carrying malicious operations, cannot be fully prevented by the controller alone. Moreover, the correctness of the network configuration in the SDN-based cloud is not guaranteed. In this paper, we propose SDNKeeper, a generic and fine-grained policy enforcement system for the SDN-based cloud that blocks unauthorized requests and prevents network resource misconfiguration. In addition, we design a policy language with which administrators define policies over attributes of the requester, the resource, and the environment. These policies are evaluated whenever a request reaches the SDN controller via the Northbound Interface (NBI). Specifically, SDNKeeper blocks unauthorized network access requests outside the controller, so that the resources inside it are protected. Compared with traditional policy-based access control systems, SDNKeeper is application-transparent and lightweight, which makes it easy to implement, deploy, and reconfigure at runtime. Based on a correctness proof of the system design together with a prototype implementation and its evaluation, we conclude that SDNKeeper achieves accurate and efficient access control with negligible throughput degradation and computational overhead.
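As an added illustration of the enforcement model the abstract describes (rules over requester, resource, and environment attributes, evaluated on every NBI request, with deny-by-default and a guard against misconfigured flow entries), the following Python is example code written for this page; it is not SDNKeeper's policy language or implementation. The rule syntax, the attribute names, the tenant-based policy, and the sample requests are all assumptions constructed for the example; the only external fact used is that the OpenFlow flow priority is a 16-bit field.

```python
"""Attribute-based policy check for SDN northbound (NBI) requests.

Added illustration, not SDNKeeper's own policy language or code. The rule
format, attribute names and sample requests are assumptions made for this
example.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Optional, Tuple

Attrs = Dict[str, object]
Condition = Callable[[Attrs, Attrs, Attrs], bool]


@dataclass
class Rule:
    name: str
    effect: str  # "permit" or "deny"
    requester: Dict[str, str] = field(default_factory=dict)    # attribute -> glob pattern
    resource: Dict[str, str] = field(default_factory=dict)
    environment: Dict[str, str] = field(default_factory=dict)
    condition: Optional[Condition] = None                       # cross-attribute check

    def matches(self, req: Attrs, res: Attrs, env: Attrs) -> bool:
        for wanted, actual in ((self.requester, req), (self.resource, res), (self.environment, env)):
            for key, pattern in wanted.items():
                # A missing attribute never matches, so an unknown requester gains nothing.
                if key not in actual or not fnmatchcase(str(actual[key]), pattern):
                    return False
        return self.condition is None or self.condition(req, res, env)


class PolicyEnforcer:
    """Evaluate a request against all rules: deny overrides permit, and a
    request that no rule permits is denied (default deny)."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)

    def decide(self, req: Attrs, res: Attrs, env: Attrs) -> Tuple[str, List[str]]:
        hits = [r for r in self.rules if r.matches(req, res, env)]
        denies = [r.name for r in hits if r.effect == "deny"]
        if denies:
            return "deny", denies
        permits = [r.name for r in hits if r.effect == "permit"]
        if permits:
            return "permit", permits
        return "deny", ["default-deny"]


OPENFLOW_MAX_PRIORITY = 0xFFFF  # the OpenFlow flow priority is a 16-bit field


def flow_priority_out_of_range(req: Attrs, res: Attrs, env: Attrs) -> bool:
    prio = res.get("priority")
    return isinstance(prio, int) and not 0 <= prio <= OPENFLOW_MAX_PRIORITY


def same_tenant(req: Attrs, res: Attrs, env: Attrs) -> bool:
    return req.get("tenant") == res.get("tenant")


# Constructed policy set (hypothetical syntax, not SDNKeeper's).
POLICY = [
    # Unregistered users are rejected outright.
    Rule("reject-unregistered", "deny", requester={"registered": "false"}),
    # A tenant admin may read and write flows on its own tenant's switches.
    Rule("tenant-admin-flows", "permit",
         requester={"role": "tenant-admin"}, resource={"type": "flow"},
         condition=same_tenant),
    # Any registered user may read the topology.
    Rule("read-topology", "permit",
         requester={"registered": "true"}, resource={"type": "topology", "action": "read"}),
    # Misconfiguration guard: a flow with an out-of-range priority is refused
    # no matter who submits it.
    Rule("flow-priority-range", "deny", resource={"type": "flow"},
         condition=flow_priority_out_of_range),
    # Flow writes are accepted only from the (assumed) management network 10.0.0.0/24.
    Rule("write-from-mgmt-only", "deny",
         resource={"type": "flow", "action": "write"},
         condition=lambda req, res, env: not str(env.get("src_ip", "")).startswith("10.0.0.")),
]

ENFORCER = PolicyEnforcer(POLICY)


def check(req: Attrs, res: Attrs, env: Attrs) -> str:
    """Decision only, for callers that just need permit/deny."""
    return ENFORCER.decide(req, res, env)[0]


# Constructed sample requesters and environments.
ADMIN_A = {"registered": "true", "role": "tenant-admin", "tenant": "A"}
ADMIN_B = {"registered": "true", "role": "tenant-admin", "tenant": "B"}
GUEST = {"registered": "false"}
MGMT = {"src_ip": "10.0.0.5"}
OUTSIDE = {"src_ip": "198.51.100.7"}

if __name__ == "__main__":
    flow_a = {"type": "flow", "action": "write", "tenant": "A", "priority": 100}
    print(ENFORCER.decide(ADMIN_A, flow_a, MGMT))      # ('permit', ['tenant-admin-flows'])
    print(ENFORCER.decide(ADMIN_B, flow_a, MGMT))      # ('deny', ['default-deny'])
    print(ENFORCER.decide(GUEST, flow_a, MGMT))        # ('deny', ['reject-unregistered'])
    print(ENFORCER.decide(ADMIN_A, dict(flow_a, priority=70000), MGMT))  # ('deny', ['flow-priority-range'])
    print(ENFORCER.decide(ADMIN_A, flow_a, OUTSIDE))   # ('deny', ['write-from-mgmt-only'])
```

Two design points carry over from the abstract's model: evaluation is deny-overrides with a default deny, so a request that matches no permit rule (a tenant admin touching another tenant's switch above) is refused without any rule naming that case; and the priority guard shows how the same rule mechanism rejects a misconfigured request from an otherwise authorized requester, which is the second class of problem the paper targets beyond unauthorized access.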