Towards Secure SDN Policy Management

Software-Defined Networking (SDN) has emerged as a novel network architectural model that facilitates the management of large-scale networks and enables efficient network virtualization and scalable network multi-tenancy. Centralized network controllers, an essential component of the SDN paradigm, deploy network policies from several independent sources onto the data-plane devices, with those policies defined on the basis of a global network view. While this approach makes it possible to manage network connectivity efficiently and to reduce the time and cost of deploying new configurations, it also increases the risk of errors, whether introduced by accident, through combination with previously deployed policies, or by a motivated adversary. In this position paper we review the state of the art in network policy verification for SDN deployments, identify open challenges, and outline a secure framework for network policy management in SDN deployments. Combined with existing work on cloud platform and storage security, this will contribute towards creating secure and trusted cloud deployments.
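As an added illustration of the risk the abstract names, errors that appear only when a new policy is combined with previously deployed ones, the following Python checker was written for this page; it is not the paper's framework nor code from any of the systems it reviews. It assumes a reduced model of controller-installed flow rules (IPv4 source and destination prefixes, an optional destination port, a priority and an allow/drop action) and reports two classic composition defects: a rule fully shadowed by a higher-priority rule, and overlapping rules whose actions contradict each other. All rule names, prefixes and ports are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: a minimal model of controller-installed flow rules and a
# checker for defects that arise when policies from independent sources are
# combined. Match fields are deliberately reduced to IPv4 prefixes plus an
# optional destination port; this is an assumption, not the paper's model.


@dataclass(frozen=True)
class FlowRule:
    name: str
    priority: int            # higher value wins, as in OpenFlow flow tables
    src: str                 # IPv4 CIDR; "0.0.0.0/0" is a wildcard
    dst: str
    dport: Optional[int]     # None is a wildcard
    action: str              # "allow" or "drop"


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def overlaps(a: FlowRule, b: FlowRule) -> bool:
    """True if at least one packet matches both rules."""
    if not _net(a.src).overlaps(_net(b.src)):
        return False
    if not _net(a.dst).overlaps(_net(b.dst)):
        return False
    if a.dport is not None and b.dport is not None and a.dport != b.dport:
        return False
    return True


def covers(outer: FlowRule, inner: FlowRule) -> bool:
    """True if every packet matching inner also matches outer."""
    if not _net(inner.src).subnet_of(_net(outer.src)):
        return False
    if not _net(inner.dst).subnet_of(_net(outer.dst)):
        return False
    if outer.dport is not None and outer.dport != inner.dport:
        return False
    return True


Finding = Tuple[str, str, str]   # (kind, higher-priority rule, lower-priority rule)


def analyze(rules: List[FlowRule]) -> List[Finding]:
    """Report composition defects in a combined rule set.

    shadowed:  the second rule can never fire because a higher-priority rule
               matches everything it matches.
    conflict:  the rules partially overlap with different actions, so the
               outcome for the shared traffic depends solely on priority.
    ambiguous: same priority, overlapping match, different actions; the
               switch's tie-break decides, which the operator cannot rely on.
    """
    ordered = sorted(rules, key=lambda r: r.priority, reverse=True)
    findings: List[Finding] = []
    for i, hi in enumerate(ordered):
        for lo in ordered[i + 1:]:
            if hi.priority == lo.priority:
                if hi.action != lo.action and overlaps(hi, lo):
                    findings.append(("ambiguous", hi.name, lo.name))
            elif covers(hi, lo):
                findings.append(("shadowed", hi.name, lo.name))
            elif hi.action != lo.action and overlaps(hi, lo):
                findings.append(("conflict", hi.name, lo.name))
    return findings


# Constructed sample: a tenant-wide allow from one policy source combined with
# an older SSH block and a management exception from another source.
SAMPLE_RULES = [
    FlowRule("allow-tenant-b", 200, "10.0.0.0/16",   "192.168.0.0/16", None, "allow"),
    FlowRule("drop-ssh",       100, "10.0.0.0/8",    "192.168.1.0/24", 22,   "drop"),
    FlowRule("allow-ssh-mgmt",  50, "10.1.0.0/16",   "192.168.1.0/24", 22,   "allow"),
    FlowRule("allow-lab",       10, "172.16.0.0/12", "0.0.0.0/0",      None, "allow"),
]

if __name__ == "__main__":
    for kind, hi, lo in analyze(SAMPLE_RULES):
        print(f"{kind:9s} {hi} (higher priority) vs {lo}")
```

On the constructed set the checker reports that the tenant-wide allow conflicts with the SSH block for the 10.0.0.0/16 sources it covers, and that the management exception is dead: the SSH block above it matches every packet it would match. A real controller-side verifier would carry the full match vocabulary and reason over the whole table, but the two predicates above (overlap and coverage) are the core of that check.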
