Brew: A Security Policy Analysis Framework for Distributed SDN-Based Cloud Environments

The ease of programmability in Software-Defined Networking (SDN) makes it a great platform for implementing various initiatives that involve application deployment, dynamic topology changes, and decentralized network management in a multi-tenant data center environment. However, implementing security solutions in such an environment is fraught with policy conflicts and consistency issues, and the hardness of this problem is affected by the distribution scheme for the SDN controllers. In this paper we present Brew, a security policy analysis framework implemented on an OpenDaylight SDN controller, that has comprehensive conflict detection and resolution modules to ensure that no two flow rules in a distributed SDN-based cloud environment have conflicts at any layer, thereby assuring consistent, conflict-free security policy implementation and preventing information leakage. We present techniques for global prioritization of flow rules in a decentralized environment, extend firewall rule conflict classification from a traditional environment to SDN flow rule conflicts by recognizing and classifying conflicts stemming from cross-layer interactions, and provide strategies for unassisted resolution of these conflicts. Alternatively, if administrator input is desired to resolve conflicts, a novel visualization scheme is implemented to help administrators view the conflicts graphically. We demonstrate the correctness, feasibility and scalability of our framework through a proof-of-concept prototype.
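The flow rule conflict classification the abstract describes builds on the classic firewall anomaly classes (shadowing, generalization, redundancy, correlation). The following Python check is an added illustration, not Brew's code: it applies those classes to OpenFlow-style rules with IPv4 prefix matches ordered by a single global priority, and flags the equal-priority overlap that OpenFlow leaves undefined. Rule names and addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Optional

@dataclass(frozen=True)
class FlowRule:
    """Simplified OpenFlow-style rule: IPv4 src/dst match plus an allow/deny action."""
    name: str
    priority: int       # higher value matches first, as in OpenFlow
    src: IPv4Network
    dst: IPv4Network
    action: str         # "allow" or "deny"

def _covers(outer: FlowRule, inner: FlowRule) -> bool:
    """True when every packet matching `inner` also matches `outer`."""
    return inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)

def classify(hi: FlowRule, lo: FlowRule) -> Optional[str]:
    """Relation between higher-priority `hi` and lower-priority `lo`; None if disjoint."""
    if not (hi.src.overlaps(lo.src) and hi.dst.overlaps(lo.dst)):
        return None
    if hi.priority == lo.priority:
        # OpenFlow leaves the winner undefined for equal-priority overlapping entries
        return "undefined-order"
    if _covers(hi, lo) or _covers(lo, hi):
        if hi.action == lo.action:
            return "redundancy"      # one of the two rules never changes the outcome
        # hi covers lo: lo can never match (shadowing);
        # lo covers hi: hi is a specific exception to a broader rule (generalization)
        return "shadowing" if _covers(hi, lo) else "generalization"
    return "correlation" if hi.action != lo.action else None

def detect_conflicts(rules):
    """Pairwise check in global priority order, highest first."""
    ordered = sorted(rules, key=lambda r: r.priority, reverse=True)
    found = []
    for i, hi in enumerate(ordered):
        for lo in ordered[i + 1:]:
            kind = classify(hi, lo)
            if kind:
                found.append((hi.name, lo.name, kind))
    return found

# Constructed sample rule set for two tenants (not taken from the paper)
RULES = [
    FlowRule("a-allow-web",  200, ip_network("10.1.0.0/16"), ip_network("10.2.0.0/24"), "allow"),
    FlowRule("a-deny-host",  100, ip_network("10.1.5.0/24"), ip_network("10.2.0.0/24"), "deny"),
    FlowRule("deny-default",  50, ip_network("0.0.0.0/0"),   ip_network("0.0.0.0/0"),   "deny"),
    FlowRule("b-deny-range", 150, ip_network("10.1.0.0/17"), ip_network("10.2.0.0/23"), "deny"),
]

if __name__ == "__main__":
    for hi, lo, kind in detect_conflicts(RULES):
        print(f"{kind:15} {hi} (higher priority) vs {lo}")
```

Unassisted resolution would act on the kind: drop a redundant lower-priority rule, report a shadowed rule to its tenant, and treat correlation as the case needing administrator review.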
