Security policy checking in distributed SDN based clouds

Separating network control from the forwarding devices in a Software Defined Network (SDN) allows security policies in a cloud computing environment to be implemented and managed centrally. The ease of programmability also makes SDN a strong platform for initiatives that involve application deployment, dynamic topology changes, and decentralized network management in a multi-tenant data center. A dynamic change of network topology or a host reconfiguration in such a network may require corresponding changes to the flow rules of the SDN based cloud. Verifying that these new flow rules adhere to the organizational security policies, and that the resulting rule set is conflict free, is especially challenging. In this paper, we extend the work on rule conflicts from traditional environments to SDN environments, introducing a new classification that describes cross-layer conflicts. Our framework checks that in any SDN based cloud the flow rules have no conflicts at any layer, so that changes to the environment do not lead to unintended consequences. We demonstrate the correctness, feasibility and scalability of our framework with a proof-of-concept prototype.
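The two kinds of check the abstract describes, conflicts between flow rules within one table and conflicts between flow rules and a higher-layer organizational policy, can be illustrated with a small checker. The following is an added example, not the paper's framework or prototype: it models each OpenFlow-style match as a box over a few header fields (names follow the OpenFlow 1.0 convention: in_port, nw_src, nw_dst, tp_dst), applies the usual firewall-anomaly vocabulary (shadowing, redundancy, generalization, correlation) to pairs of rules ordered by priority, flags the SDN-specific case of overlapping rules at equal priority, and then checks a tenant-level deny policy against the table. The flow table, the policy, the rule names R1..R6 and P1..P2, and the address ranges are all constructed for illustration.

```python
"""Flow-rule conflict checker for an OpenFlow-style table (added example, not
the paper's framework). Rules are axis-aligned boxes over a few header fields."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Interval = Tuple[int, int]
Box = Dict[str, Interval]

# Full value range of each match field; an omitted field is a wildcard.
FIELD_RANGE: Box = {"in_port": (0, 65535), "nw_src": (0, 2**32 - 1),
                    "nw_dst": (0, 2**32 - 1), "tp_dst": (0, 65535)}

def _interval(name: str, value) -> Interval:
    """Wildcard, CIDR prefix or scalar -> closed integer interval."""
    if value is None:
        return FIELD_RANGE[name]
    if name in ("nw_src", "nw_dst"):
        net = ipaddress.ip_network(value, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    return int(value), int(value)

@dataclass
class Rule:
    name: str
    priority: int   # OpenFlow: the highest-priority matching entry wins
    action: str     # "ALLOW" or "DROP"
    box: Box

def rule(name: str, priority: int, action: str, **match) -> Rule:
    return Rule(name, priority, action,
                {f: _interval(f, match.get(f)) for f in FIELD_RANGE})

def intersect(a: Box, b: Box) -> Optional[Box]:
    """Per-field interval intersection; None if no packet matches both."""
    out: Box = {}
    for f in FIELD_RANGE:
        lo, hi = max(a[f][0], b[f][0]), min(a[f][1], b[f][1])
        if lo > hi:
            return None
        out[f] = (lo, hi)
    return out

def covers(outer: Box, inner: Box) -> bool:
    return all(outer[f][0] <= inner[f][0] <= inner[f][1] <= outer[f][1]
               for f in FIELD_RANGE)

def classify(table: List[Rule]) -> List[Tuple[str, str, str]]:
    """Pairwise intra-table anomalies as (kind, higher_rule, lower_rule)."""
    ordered = sorted(table, key=lambda r: -r.priority)  # stable for ties
    out = []
    for i, hi in enumerate(ordered):
        for lo in ordered[i + 1:]:
            if intersect(hi.box, lo.box) is None:
                continue
            same = hi.action == lo.action
            if hi.priority == lo.priority:
                # OpenFlow leaves the winner undefined for overlapping entries
                # of equal priority (unless OFPFF_CHECK_OVERLAP rejected them).
                out.append(("ambiguous", hi.name, lo.name))
            elif covers(hi.box, lo.box):            # lo can never fire
                out.append(("redundant" if same else "shadowed", hi.name, lo.name))
            elif covers(lo.box, hi.box):
                if not same:                        # exception above a general rule
                    out.append(("generalization", hi.name, lo.name))
            elif not same:                          # partial overlap, actions disagree
                out.append(("correlated", hi.name, lo.name))
    return out

def policy_violations(table: List[Rule], policy: List[Rule]) -> List[Tuple[str, str]]:
    """Cross-layer check: no tenant-level DENY may be reachable via an ALLOW rule.
    Conservative: an overlap counts as blocked only if one higher-priority DROP
    covers all of it, so DROPs that only cover it jointly still raise a finding."""
    out = []
    for p in policy:
        for r in table:
            overlap = intersect(p.box, r.box) if r.action == "ALLOW" else None
            if overlap is None:
                continue
            if not any(d.action == "DROP" and d.priority > r.priority
                       and covers(d.box, overlap) for d in table):
                out.append((p.name, r.name))
    return out

# Constructed table: tenant A (10.0.1.0/24) talking to tenant B (10.0.2.0/24).
TABLE = [
    rule("R1", 200, "DROP", nw_src="10.0.1.0/24", nw_dst="10.0.2.10", tp_dst=3306),
    rule("R2", 100, "ALLOW", nw_src="10.0.1.0/24", nw_dst="10.0.2.0/24"),
    rule("R3", 50, "ALLOW", nw_src="10.0.1.5", nw_dst="10.0.2.0/24", tp_dst=80),
    rule("R4", 300, "DROP", nw_src="10.0.1.0/24", tp_dst=22),
    rule("R5", 150, "ALLOW", nw_src="10.0.1.0/24", nw_dst="10.0.2.10", tp_dst=3306),
    rule("R6", 100, "DROP", nw_src="10.0.1.0/24", nw_dst="10.0.2.0/24", tp_dst=443),
]
# Constructed organizational policy: tenant A must never reach B's database ports.
POLICY = [
    rule("P1", 0, "DROP", nw_src="10.0.1.0/24", nw_dst="10.0.2.10", tp_dst=3306),
    rule("P2", 0, "DROP", nw_src="10.0.1.0/24", nw_dst="10.0.2.0/24", tp_dst=5432),
]

if __name__ == "__main__":
    for kind, a, b in classify(TABLE):
        print("%-14s %s / %s" % (kind, a, b))
    print("policy violations:", policy_violations(TABLE, POLICY))
```

On the constructed table the checker reports R5 as shadowed by R1, R3 as redundant given R2, R1 as a deliberate exception (generalization) to R2, R4 as correlated with R2, and R2/R6 as ambiguous because they overlap at the same priority. The cross-layer check finds that P1 is honoured (R1 drops the database traffic before R2 or R5 can allow it) but P2 is not, since nothing above R2 drops port 5432. A production checker would replace the single-rule coverage test with a set-difference over all higher-priority rules, as header-space style tools do, to avoid the false positives the conservative check accepts.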