SDNSOC: Object Oriented SDN Framework

The cloud networks managed by SDN can have multi-tier policy and rule conflicts. The application plane can have conflicting user-defined policies, and the infrastructure layer can have OpenFlow rules conflicting with each other. There is no scalable and automated programming framework to detect and resolve multi-tier conflicts in SDN-based cloud networks. We present an object-oriented programming framework, SDN Security Operation Center (SDNSOC), which handles policy composition at the application plane and flow rule conflict detection and resolution at the control plane. We follow the design principles of the object-oriented paradigm, such as code reuse, method abstraction and aggregation, for the implementation of SDNSOC on a multi-tenant cloud network. The key benefits obtained using this approach are: (i) the network administrator is abstracted from the complex implementation details of service function chaining (SFC); the end-to-end policy composition of different network functions is handled by the object-oriented framework in an automated fashion, and we achieve 37% lower latency in SFC composition compared to the nearest competitors, SICS and PGA; (ii) policy conflict detection between the existing traffic rules and incoming traffic is handled by SDNSOC in a scalable manner; the solution scales well on a large cloud network, with 18% faster security policy conflict detection on a cloud network with 100k OpenFlow rules compared to similar works, Brew and FlowGuard.
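The control-plane flow rule conflict check described above, as an added Python example that is not SDNSOC's code: rules are plain objects, and each incoming rule is compared pairwise against the installed table using the classic firewall anomaly taxonomy (shadowing, redundancy, correlation). The match fields, rule names and the sample table are constructed for illustration and assume IPv4 prefixes plus a destination port.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowRule:
    name: str
    priority: int   # higher priority wins, as in OpenFlow
    action: str     # "allow" or "drop"
    match: dict     # nw_src/nw_dst IPv4 prefix, tp_dst port; a missing field is a wildcard

def field_relation(a, b) -> str:  # how a's value set relates to b's
    if a == b:
        return "equal"
    if a is None or b is None:
        return "superset" if a is None else "subset"
    if "." in a:  # IPv4 prefix field; port values only compare equal or disjoint
        na, nb = ipaddress.ip_network(a, strict=False), ipaddress.ip_network(b, strict=False)
        if na.subnet_of(nb) or nb.subnet_of(na):
            return "subset" if na.subnet_of(nb) else "superset"
    return "disjoint"

def rule_relation(new: FlowRule, old: FlowRule) -> str:
    rels = {field_relation(new.match.get(f), old.match.get(f)) for f in ("nw_src", "nw_dst", "tp_dst")}
    if "disjoint" in rels:
        return "disjoint"
    rels.discard("equal")  # nesting is decided by the fields that differ
    if not rels:           # identical match: the higher-priority rule masks the other
        return "subset" if old.priority >= new.priority else "superset"
    return rels.pop() if len(rels) == 1 else "correlated"

def classify(new: FlowRule, old: FlowRule):  # anomaly name, or None if the two rules coexist
    rel = rule_relation(new, old)
    if rel == "disjoint":
        return None
    if new.action == old.action:
        return None if rel == "correlated" else "redundant"
    if rel == "subset" and old.priority >= new.priority:
        return "shadowed"          # the new rule can never match a packet
    if rel == "superset" and new.priority > old.priority:
        return "shadows_existing"  # the installed rule would be silently disabled
    return "correlation" if rel == "correlated" else None  # nested with consistent priority: an intended exception

def detect_conflicts(new: FlowRule, table: list) -> list:
    return [(r.name, c) for r in table if (c := classify(new, r))]

# Constructed sample table (not from the paper); e2 is a legitimate exception to e1.
TABLE = [FlowRule("e1", 100, "drop", {"nw_src": "10.0.0.0/8"}),
         FlowRule("e2", 200, "allow", {"nw_src": "10.0.1.0/24", "tp_dst": "443"}),
         FlowRule("e3", 150, "allow", {"nw_dst": "192.168.5.0/24"})]
# Operator intends to block SSH into 192.168.5.0/24 but picks a priority below e3: a dead rule.
SSH_DROP = FlowRule("n1", 120, "drop", {"nw_dst": "192.168.5.0/24", "tp_dst": "22"})
```

Pairwise comparison reports each anomaly against a single installed rule; whether a rule flagged as redundant is truly redundant can also depend on higher-priority rules between the pair, which a full checker over the whole table would account for.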

[1] Gail-Joon Ahn et al. Science DMZ: SDN based secured cloud testbed. 2017 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), 2017.

[2] Ying Zhang et al. PGA: Using Graphs to Express and Automatically Reconcile Network Policies. Comput. Commun. Rev., 2015.

[3] Dijiang Huang et al. Security policy checking in distributed SDN based clouds. 2016 IEEE Conference on Communications and Network Security (CNS), 2016.

[4] Brighten Godfrey et al. VeriFlow: verifying network-wide invariants in real time. HotSDN '12, 2012.

[5] Omar Santos et al. Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance. 2005.

[6] Gail-Joon Ahn et al. FLOWGUARD: building robust firewalls for software-defined networks. HotSDN, 2014.

[7] Mabry Tyson et al. A security enforcement kernel for OpenFlow networks. HotSDN '12, 2012.

[8] George Varghese et al. Header Space Analysis: Static Checking for Networks. NSDI, 2012.

[9] Mabry Tyson et al. FRESCO: Modular Composable Security Services for Software-Defined Networks. NDSS, 2013.

[10] Dijiang Huang et al. Software-Defined Networking and Security. 2018.

[11] George Varghese et al. Real Time Network Policy Checking Using Header Space Analysis. 10th USENIX Symposium on Networked Systems Design and Implementation (NSDI '13), 2013.

[12] Minlan Yu et al. FlowTags: enforcing network-wide policies in the presence of dynamic middlebox actions. HotSDN '13, 2013.

[13] Dijiang Huang et al. Brew: A Security Policy Analysis Framework for Distributed SDN-Based Cloud Environments. IEEE Transactions on Dependable and Secure Computing, 2019.

[14] David Eppstein et al. Internet packet filter management and rectangle geometry. SODA '01, 2000.

[15] Thomas D. Nadeau et al. Problem Statement for Service Function Chaining. RFC, 2015.

[16] David Walker et al. Frenetic: a network programming language. ICFP, 2011.

[17] Sylvia Ratnasamy et al. A Survey of Enterprise Middlebox Deployments. 2012.

[18] Kuang-Ching Wang et al. Poster: On the Safety and Efficiency of Virtual Firewall Elasticity Control. SACMAT, 2017.

[19] Xin Li et al. SICS: Secure In-Cloud Service Function Chaining. arXiv, 2016.