FRESCO: Modular Composable Security Services for Software-Defined Networks

OpenFlow is an open standard that has gained tremendous interest in the last few years within the network community. It is an embodiment of the software-defined networking paradigm, in which higher-level flow routing decisions are derived from a control layer that, unlike classic network switch implementations, is separated from the data handling layer. The central attraction to this paradigm is that by decoupling the control logic from the closed and proprietary implementations of traditional network switch infrastructure, researchers can more easily design and distribute innovative flow handling and network control algorithms. Indeed, we also believe that OpenFlow can, in time, prove to be one of the more impactful technologies to drive a variety of innovations in network security. OpenFlow could offer a dramatic simplification to the way we design and integrate complex network security applications into large networks. However, to date there remains a stark paucity of compelling OpenFlow security applications. In this paper, we introduce FRESCO, an OpenFlow security application development framework designed to facilitate the rapid design, and modular composition of OF-enabled detection and mitigation modules. FRESCO, which is itself an OpenFlow application, offers a Click-inspired [19] programming framework that enables security researchers to implement, share, and compose together, many different security detection and mitigation modules. We demonstrate the utility of FRESCO through the implementation of several well-known security defenses as OpenFlow security services, and use them to examine various performance and efficiency aspects of our proposed framework.

[1]  Martín Casado,et al.  Ethane: taking control of the enterprise , 2007, SIGCOMM '07.

[2]  Ehab Al-Shaer,et al.  Network configuration in a box: towards end-to-end verification of network reachability and security , 2009, 2009 17th IEEE International Conference on Network Protocols.

[3]  Alex X. Liu Formal Verification of Firewall Policies , 2008, 2008 IEEE International Conference on Communications.

[4]  Obi Akonjang,et al.  SANE: A Protection Architecture For Enterprise Networks , 2007 .

[5]  Martín Casado,et al.  Onix: A Distributed Control Platform for Large-scale Production Networks , 2010, OSDI.

[6]  Alan L. Cox,et al.  Maestro: A System for Scalable OpenFlow Control , 2010 .

[7]  Rob Sherwood,et al.  Can the Production Network Be the Testbed? , 2010, OSDI.

[8]  Hervé Debar,et al.  The Intrusion Detection Message Exchange Format (IDMEF) , 2007, RFC.

[9]  Hari Balakrishnan,et al.  Fast portscan detection using sequential hypothesis testing , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[10]  Marco Canini,et al.  A NICE Way to Test OpenFlow Applications , 2012, NSDI.

[11]  George Varghese,et al.  Header Space Analysis: Static Checking for Networks , 2012, NSDI.

[12]  Tal Garfinkel,et al.  SANE: A Protection Architecture for Enterprise Networks , 2006, USENIX Security Symposium.

[13]  Brighten Godfrey,et al.  VeriFlow: verifying network-wide invariants in real time , 2012, HotSDN '12.

[14]  Matthew M. Williamson,et al.  Implementing and Testing a Virus Throttle , 2003, USENIX Security Symposium.

[15]  David Walker,et al.  Frenetic: a network programming language , 2011, ICFP.

[16]  Guofei Gu,et al.  BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection , 2008, USENIX Security Symposium.

[17]  David A. Basin,et al.  Firewall Conformance Testing , 2005, TestCom.

[18]  Vinod Yegneswaran,et al.  BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation , 2007, USENIX Security Symposium.

[19]  Nick Feamster,et al.  Procera: a language for high-level reactive network control , 2012, HotSDN '12.

[20]  Ehab Al-Shaer,et al.  Openflow random host mutation: transparent moving target defense using software defined networking , 2012, HotSDN '12.

[21]  Sujata Banerjee,et al.  DevoFlow: cost-effective flow management for high performance enterprise networks , 2010, Hotnets-IX.

[22]  Vern Paxson,et al.  On the Adaptive Real-Time Detection of Fast-Propagating Network Worms , 2007, DIMVA.

[23]  Martín Casado,et al.  NOX: towards an operating system for networks , 2008, CCRV.

[24]  David Walker,et al.  Consistent updates for software-defined networks: change you can believe in! , 2011, HotNets-X.

[25]  Aditya Akella,et al.  Extensible and Scalable Network Monitoring Using OpenSAFE , 2010, INM/WREN.

[26]  Hong Yan,et al.  A clean slate 4D approach to network control and management , 2005, CCRV.

[27]  Syed Ali Khayam,et al.  Accuracy improving guidelines for network anomaly detection systems , 2011, Journal in Computer Virology.

[28]  Nick McKeown,et al.  OpenFlow: enabling innovation in campus networks , 2008, CCRV.

[29]  Russell J. Clark,et al.  Resonance: dynamic access control for enterprise networks , 2009, WREN '09.

[30]  Eddie Kohler,et al.  The Click modular router , 1999, SOSP.

[31]  Syed Ali Khayam,et al.  Revisiting Traffic Anomaly Detection Using Software Defined Networking , 2011, RAID.

[32]  Albert G. Greenberg,et al.  On static reachability analysis of IP networks , 2005, Proceedings IEEE 24th Annual Joint Conference of the IEEE Computer and Communications Societies..

[33]  Mohamed G. Gouda,et al.  Diverse Firewall Design , 2004, IEEE Transactions on Parallel and Distributed Systems.

[34]  Michael K. Reiter,et al.  Are Your Hosts Trading or Plotting? Telling P2P File-Sharing and Bots Apart , 2010, 2010 IEEE 30th International Conference on Distributed Computing Systems.

[35]  Ehab Al-Shaer,et al.  FlowChecker: configuration analysis and verification of federated openflow infrastructures , 2010, SafeConfig '10.

[36]  Mabry Tyson,et al.  A security enforcement kernel for OpenFlow networks , 2012, HotSDN '12.

[37]  Paul Hudak,et al.  Nettle: Functional Reactive Programming for OpenFlow Networks , 2010 .

[38]  Ehab Al-Shaer,et al.  An Automated Framework for Validating Firewall Policy Enforcement , 2007, Eighth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'07).

[39]  Vyas Sekar,et al.  A Multi-Resolution Approach forWorm Detection and Containment , 2006, International Conference on Dependable Systems and Networks (DSN'06).