Tennison: A Distributed SDN Framework for Scalable Network Security

Despite the relative maturity of the Internet, the computer networks of today are still susceptible to attack. The necessary distributed nature of networks for wide area connectivity has traditionally led to high cost and complexity in designing and implementing secure networks. With the introduction of software-defined networks (SDNs) and network functions virtualization, there are opportunities for efficient network threat detection and protection. SDN’s global view provides a means of monitoring and defense across the entire network. However, current SDN-based security systems are limited by a centralized framework that introduces significant control plane overhead, leading to the saturation of vital control links. In this paper, we introduce TENNISON, a novel distributed SDN security framework that combines the efficiency of SDN control and monitoring with the resilience and scalability of a distributed system. TENNISON offers effective and proportionate monitoring and remediation, compatibility with widely available networking hardware, support for legacy networks, and a modular and extensible distributed design. We demonstrate the effectiveness and capabilities of the TENNISON framework through the use of four attack scenarios. These highlight multiple levels of monitoring, rapid detection, and remediation, and provide a unique insight into the impact of multiple controllers on network attack detection at scale.
