Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

Boyang Zhou,Wen Gao,Chunming Wu,Bin Wang,Ming Jiang,Yansong Wang

DOI: https://doi.org/10.1007/978-3-319-13326-3_39

2014-01-01

Abstract:The Software-Defined Networking (SDN) separates the control plane from the data plane to increase the flexibility. In the data plane, the unavailability of data forwarding is a common problem preventing a switch from configuring a new arrival flow into its flow table. When the burst flows arrived at the switch, the flow table can be consumed, causing the unavailability occurred. However, the problem is more complicated than in Internet due to the limited channel bandwidth for detecting the table usage. Hence, we propose a transparent core layer in the controller. The mechanism of the layer improves the availability in such way, configuring switches adapting to arrival patterns of flows to prevent the resource of switch exceeding its limit. This paper introduces the design and mechanisms of the layer as well as their algorithms. We further use a real flow trace from a Internet core router to evaluate the performance of layer. By emulating on on miniNet-HiFi, the results demonstrate that the layer can smooth the burst flows without making the flow table exceeding its size, without the layer, the switch lost 8% ingress flows. Meanwhile, the control throughput is lowered by 25.8% than before.

Yi Shen,Chunming Wu,Qiumei Cheng,Dezhang Kong

DOI: https://doi.org/10.1109/hpcc-smartcity-dss50907.2020.00122

2020-01-01

Abstract:Software-Defined Networking (SDN) is an emerging network platform, which decouples the control and data planes. As the most popular southbound protocol and standard, OpenFlow converts network forwarding policies to rule entries and stores them in the flow table. However, the capacity of the flow table is restricted, which can lead to table-overflow if the space is inefficiently used. In this paper, we propose an adaptive flow table management scheme (AFTM) on the control plane, which combines assigning dynamic timeout and proactive eviction to manage the limited flow table resources. The timeout assignment module and the proactive eviction module are not independent parts but work collaboratively. The timeout assignment module sets suitable timeouts for rule entries according to flow characteristics, so that entries of short-lived flows are quickly removed while entries of flows with large packet intervals are retained. When the table space is insufficient, the proactive eviction module removes rule entries to protect the flow table from table-overflow. In our design, the eviction thresholds and parameters in both modules can be adaptively adjusted according to the network load. Experimental results show that AFTM can effectively manage the flow table resource and reduce the number of packet drop rates by up to 81% compared with existing schemes.

Hamidreza Almasi,Hossein Ajorloo

DOI: https://doi.org/10.48550/arXiv.1610.05062

2017-03-11

Abstract:Presence of a logically centralized controller in software-defined networks enables smart and fine-grained management of network traffic. Generally, traffic management includes measurement, analysis and control of traffic in order to improve resource utilization. This is done by inspecting corresponding performance requirements using metrics such as packet delay, jitter, loss rate and bandwidth utilization from global network view. There has been many works regarding traffic management of software-defined networks and how it could help to efficiently allocate resources. However, the vast majority of these solutions are bounded to indirect information retrieved within the border of ingress and egress switches. This means that the three stage loop of measurement, analysis and control is performed on switches in between this border while the traffic flowing in network originates from applications on end hosts. In this work, we present a framework for incorporating network applications into the task of traffic management using the concept of software-defined networking. We demonstrate how this could help applications to receive desired level of quality of service by implementing a prototype of an API for flow bandwidth reservation using OpenFlow and OVSDB protocols.

Networking and Internet Architecture

Yunfei Meng,Changbo Ke,Zhiqiu Huang

DOI: https://doi.org/10.1016/j.cose.2024.103850

IF: 5.105

2024-04-19

Computers & Security

Abstract:Software-defined networking (SDN) has been utilized to enforce the security of traditional networks. However, the existing SDN-based security enforcement mechanisms rely heavily on the security policies containing the underlying information of data plane, such as MAC address, IP address or switch ports. These security policies need to be specifically developed by network operators and loaded into the control plane manually. With increasing the scale of underlying network, the existing security policy management mechanisms confront more and more challenges. The security policy transformation for SDN networks is to research how to transform the high-level security policy without containing the underlying information into the practical flow entries used by Openflow switches automatically, thereby implementing the automatic management of security policies. To achieve this objective, we propose a model transformation based security policy automatic management framework for software-defined networking in this paper. Leveraging its functional modules, the framework can solve the problems of how to find a connected path for each access control rule of security policy model (SPM) in data plane, how to transform the connected path into the system model of flow entries, as well as how to generate the practical flow entries according to the system model of flow entries. In order to validate the effectiveness and performance of framework, we implement the framework by leveraging POX controller and Mininet emulator. The experimental results illustrate the framework can transform SPM into practical flow entries, synchronously perceive the modifications caused by cutting down one connected path or changing SPM, and continuously keep the data plane holding the security properties defined by SPM at runtime.

computer science, information systems

Luiza Nacshon,Rami Puzis,Polina Zilberman

DOI: https://doi.org/10.48550/arXiv.1608.03307

2016-12-05

Abstract:OpenFlow is a protocol implementing Software Defined Networking, a new networking paradigm, which segregates packet forwarding and accounting (performed on switches) from the routing decisions and advanced protocols (executed on a central controller). This segregation increases agility and flexibility of a networking infrastructure and reduces its operational expenses. OpenFlow controllers expose standard interfaces to facilitate variety of networking applications. In particular, a monitoring application can use these interfaces to push into the OpenFlow switches rules that collect traffic flow statistics at different aggregation levels. The aggregation level determines the monitoring accuracy and the induced network overhead. In this paper, we propose Floware an OpenFlow application that allows discovery and monitoring of active flows at any required aggregation level. Floware balances the monitoring overhead among many switches in order to reduce its negative effect on network performance. In addition, Floware integrates with monitoring systems based on legacy protocols such as NetFlow. We demonstrate the application with soft switches emulated in Mininet, the Floodlight controller, and the NetFlow Analyzer as a legacy network analysis and intrusion detection system. Evaluation results demonstrate the positive impact of balanced monitoring.

Networking and Internet Architecture

Kai Bu,Kaiwen Zhu,Yi Zheng,Yuanyuan Yang,Yutian Yang,Linfeng Cheng

DOI: https://doi.org/10.1016/j.comnet.2018.10.006

IF: 5.493

2018-01-01

Computer Networks

Abstract:Software-Defined Networking (SDN) has greatly boosted the productivity of data center networking and cloud computing. It introduces a central controller to take over most functions that otherwise reside in distributed forwarding devices. Such a centralized design, however, tends to make the control channel a bottleneck due to bandwidth fatigue. Only when this bottleneck is addressed can SDN greater benefit networking and computing infrastructures. Existing work saves control channel bandwidth at the expense of losing flow visibility. This paper designs and implements FastLane, a framework for bandwidth-efficient yet throughput-boosting SDN flow setup without sacrificing global flow visibility. FastLane informs only one on-path switch of a flow’s forwarding path while switches themselves cooperate to complete flow setup. FastLane thus keeps minimum traffic for flow setup in the control channel and leaves the rest to the data plane. We optimize the switch selection toward minimizing flow setup latency. To leverage the saved bandwidth for setting up more flows and therefore achieving higher throughput, we propose delegating certain flow setups from ingress to en-route switches. We prototype FastLane by modifying FloodLight controller and Open vSwitch. The results demonstrate FastLane’s benefits to higher SDN throughput with limited switching fabric overhead.

Guangwu Hu,Ke Xu,Jianping Wu

DOI: https://doi.org/10.1109/HPCC.and.EUC.2013.169

2013-01-01

Abstract:Enterprise networks have become increasingly important with the rising number of users accessing their services, which consequently brings challenges in various aspects. Though OpenFlow, the promising scheme for enterprise network control, can provide fine-grained and flow-level control in networks, yet it still has a few undesirable designs in security, scalability and performance. Inspired by many excellent OpenFlow-included studies, we in this paper, propose SuperFlow, a reliable, controlable and scalable architecture for large-scale enterprise networks. It not only inherits the merits of OpenFlow, but also overcomes OpenFlow's limitations by introducing many novel features, including the trustiness between hosts and users based on the compulsory authentication mechanisms, the flexible flow controling upon the well-organized control-rule designing, the scalable architecture considerations in both controller load-balancing and management scales. The prototype experiments also prove that SuperFlow possesses these features with desirable performance.

Jorge López,Charalampos Chatzinakis,Marc Cartigny,Claude Poletti

2023-07-22

Abstract:In recent years, computer networks and telecommunications in general have been shifting paradigms to adopt software-centric approaches. Software Defined Networking (SDN) is one of such paradigms that centralizes control and intelligent applications can be defined on top of this architecture. The latter enables the definition of the network behavior by means of software. In this work, we propose an approach for Flow Admission and Routing under Minimal Security Constraints (FARSec) in Software Defined Networks, where network flows must use links which are at least as secure as their required security level. We prove that FARSec can find feasible paths that respect the minimum level of security for each flow. If the latter is not possible FARSec rejects the flow in order not to compromise its security. We show that the computational complexity of the proposed approach is polynomial. Experimental results with semi-random generated graphs confirm the efficiency and correctness of the proposed approach. Finally, we implement the proposed solution using OpenFlow and ONOS -- an SDN open-source controller. We validate its functionality using an emulated network with various security levels.

Networking and Internet Architecture,Cryptography and Security

HX Duan,JP Wu,X Li

DOI: https://doi.org/10.1109/icon.2000.875800

2001-01-01

Journal of Software

Abstract:This paper focus on the issues of management and throughput of firewalls (or screening routers) applied in transit networks. On the one hand, manual configuration of a large amount of firewalls distributed in many access points can not meet the global security requirements in the open and dynamic environment. On the other hand, the ordinal lookup of filtering rules in each individual firewall results in great decrease of throughput. Aimed at a typical transit network and its security policy requirements, a policy-based access control framework (PACF) is proposed. This framework is based on three levels of abstract access control policy: organizational access control policy (OACP), global access control policy (GACP) and local access control policy (LACP). The GACP, which comes from the results of IDSes and search engines according to OACP, is automatically and dynamically distributed to firewalls as LACPs. Each LACP is then enforced by an individual firewall. Some key algorithms for distribution of GACP and enforcement of LACP are described. A hash-based algorithm is proposed, for lookup of filtering rules in LACP. Under an environment with policy requirements described in this paper the new algorithm reduces the time complexity of lookup from O(N) of the traditional sequential algorithm to O(1), which therefore increases largely the throughput of firewalls.

Xitao Wen,Bo Yang,Yan Chen,Chengchen Hu,Yi Wang,Bin Liu,Xiaolin Chen

DOI: https://doi.org/10.1109/dsn.2016.20

2016-01-01

Abstract:The OpenFlow paradigm embraces third-party development efforts, and therefore suffers from potential attacks that usurp the excessive privileges of control plane applications (apps). Such privilege abuse could lead to various attacks impacting the entire administrative domain. In this paper, we present SDNShield, a permission control system that helps network administrators to express and enforce only the minimum required privileges to individual controller apps. SDNShield achieves this goal through (i) fine-grained SDN permission abstractions that allow accurate representation of app behavior boundary, (ii) automatic security policy reconciliation that incorporates security policies specified by administrators into the requested app permissions, and (iii) a lightweight thread-based controller architecture for controller/app isolation and reliable permission enforcement. Through prototype implementation, we verify its effectiveness against proof-of-concept attacks. Performance evaluation shows that SDNShield introduces negligible runtime overhead.

Mudassar Hussain,Rashid Amin,Rahma Gantassi,Asma Hassan Alshehri,Jaroslav Frnda,Syed Mohsan Raza

DOI: https://doi.org/10.1038/s41598-024-65721-x

2024-06-28

Abstract:Software-defined networking (SDN) is a pioneering network paradigm that strategically decouples the control plane from the data and management planes, thereby streamlining network administration. SDN's centralized network management makes configuring access control list (ACL) policies easier, which is important as these policies frequently change due to network application needs and topology modifications. Consequently, this action may trigger modifications at the SDN controller. In response, the controller performs computational tasks to generate updated flow rules in accordance with modified ACL policies and installs flow rules at the data plane. Existing research has investigated reactive flow rules installation that changes in ACL policies result in packet violations and network inefficiencies. Network management becomes difficult due to deleting inconsistent flow rules and computing new flow rules per modified ACL policies. The proposed solution efficiently handles ACL policy change phenomena by automatically detecting ACL policy change and accordingly detecting and deleting inconsistent flow rules along with the caching at the controller and adding new flow rules at the data plane. A comprehensive analysis of both proactive and reactive mechanisms in SDN is carried out to achieve this. To facilitate the evaluation of these mechanisms, the ACL policies are modeled using a 5-tuple structure comprising Source, Destination, Protocol, Ports, and Action. The resulting policies are then translated into a policy implementation file and transmitted to the controller. Subsequently, the controller utilizes the network topology and the ACL policies to calculate the necessary flow rules and caches these flow rules in hash table in addition to installing them at the switches. The proposed solution is simulated in Mininet Emulator using a set of ACL policies, hosts, and switches. The results are presented by varying the ACL policy at different time instances, inter-packet delay and flow timeout value. The simulation results show that the reactive flow rule installation performs better than the proactive mechanism with respect to network throughput, packet violations, successful packet delivery, normalized overhead, policy change detection time and end-to-end delay. The proposed solution, designed to be directly used on SDN controllers that support the Pyretic language, provides a flexible and efficient approach for flow rule installation. The proposed mechanism can be employed to facilitate network administrators in implementing ACL policies. It may also be integrated with network monitoring and debugging tools to analyze the effectiveness of the policy change mechanism.

Muxi Yan,Jasson Casey,Prithviraj Shome,Alex Sprintson,Andrew Sutton

DOI: https://doi.org/10.48550/arXiv.1509.04745

2015-09-16

Abstract:Software Defined Networking (SDN) drastically changes the meaning and process of designing, building, testing, and operating networks. The current support for wireless net- working in SDN technologies has lagged behind its development and deployment for wired networks. The purpose of this work is to bring principled support for wireless access networks so that they can receive the same level of programmability as wireline interfaces. Specifically we aim to integrate wireless protocols into the general SDN framework by proposing a new set of abstractions in wireless devices and the interfaces to manipulate them. We validate our approach by implementing our design as an extension of an existing OpenFlow data plane and deploying it in an IEEE 802.11 access point. We demonstrate the viability of software-defined wireless access networks by developing and testing a wireless handoff application. The results of the exper- iment show that our framework is capable of providing new capabilities in an efficient manner.

Networking and Internet Architecture

Wenmao LIU,Xiaofeng QIU,Pengcheng CHEN,Xutao WEN,Xinxin HE,Dongsheng WANG,Jun LI

DOI: https://doi.org/10.3778/j.issn.1673-9418.1407061

2015-01-01

Abstract:Current OpenFlow specifications provide limited access to packet details, making it inefficient to deploy security applications. Moreover, current security solutions become less flexible as software defined-networking (SDN) develops. This paper proposes a distributed software-defined security architecture (SDSA), which offloads heavy security processing from SDN controller to a dedicated security controller and security APPs, providing both flow and packet level protections against various attacks in the SDN and virtual environment. This paper gives the global view and knowledge of flows, IaaS assets and devices, which can make accurate decisions and ensures devices to execute security rules instantly. The architecture simplifies security device logic greatly by separating security data and control planes, the detection and protection are automated with standardized control messages, making the secu-rity reaction fast. The experiments demonstrate that SDSA can detect DoS attack, port scan and abnormal high traffic with low cost and little overhead.

Jordi Paillisse,Marc Portoles,Albert Lopez,Alberto Rodriguez-Natal,David Iacobacci,Johnson Leong,Victor Moreno,Albert Cabellos,Fabio Maino,Sanjay Hooda

DOI: https://doi.org/10.48550/arXiv.2010.15236

2021-02-20

Abstract:Enterprise Networks, over the years, have become more and more complex trying to keep up with new requirements that challenge traditional solutions. Just to mention one out of many possible examples, technologies such as Virtual LANs (VLANs) struggle to address the scalability and operational requirements introduced by Internet of Things (IoT) use cases. To keep up with these challenges we have identified four main requirements that are common across modern enterprise networks: (i) scalable mobility, (ii) endpoint segmentation, (iii) simplified administration, and (iv) resource optimization. To address these challenges we designed SDA (Software Defined Access), a solution for modern enterprise networks that leverages Software-Defined Networking (SDN) and other state of the art techniques. In this paper we present the design, implementation and evaluation of SDA. Specifically, SDA: (i) leverages a combination of an overlay approach with an event-driven protocol (LISP) to dynamically adapt to traffic and mobility patterns while preserving resources, and (ii) enforces dynamic endpoint groups for scalable segmentation with low operational burden. We present our experience with deploying SDA in two real-life scenarios: an enterprise campus, and a large warehouse with mobile robots. Our evaluation shows that SDA, when compared with traditional enterprise networks, can (i) reduce overall data plane forwarding state up to 70% thanks to a reactive protocol using a centralized routing server, and (ii) reduce by an order of magnitude the handover delays in scenarios of massive mobility with respect to other approaches. Finally, we discuss lessons learned while deploying and operating SDA, and possible optimizations regarding the use of an event-driven protocol and group-based segmentation.

Networking and Internet Architecture

Bo Chen,Liang Liu,Huadong Ma

DOI: https://doi.org/10.1109/jiot.2020.2989361

IF: 10.6

2020-10-01

IEEE Internet of Things Journal

Abstract:Information-centric networking (ICN) is regarded as a promising architecture for Internet of Things (ICN-IoT) and access control is one of the critical problems to enable secure ICN-IoT. This article proposes high efficient access control (HAC), a high efficient access control system for ICN-IoT. Specifically, HAC enables access control via an elaborate designed hierarchical key tree (HKT) mechanism based on the hierarchical naming scheme of ICN. The proposed HKT contains the hierarchical authority information and allow users to locally derive the key according to their needs, thus greatly decreasing the overhead in IoT's many-to-many communication scenario. To ensure the security and efficiency of HKT, we further propose a level-oriented ciphertext policy attribute-based encryption (LOCP-ABE) algorithm such that users can only obtain the authority level according to their attributes, and also utilize the ICN's receiver-driven model and the in-network caching mechanism to speed up the distribution efficiency. Moreover, an attribute-based command verification mechanism is used to improve the efficiency of command verification for resource-constrained and isolated IoT edge. We evaluate the proposed HAC by theoretical security analysis and real-world experiments. The theoretical analysis proves that the proposed HAC is secure and experiment results show that HAC can greatly improve the access control efficiency in ICN-IoT compared with the state of the art.

computer science, information systems,telecommunications,engineering, electrical & electronic

Duan Haixin,Wu Jianping,Li Xing

2001-01-01

Abstract:Efforts of this paper focus on the issues about management and throughput of firewalls (or screening routers) applied in transit networks. On the one hand, manual configuration of large amount of firewalls distributed in many access points can not meet the global security requirements in the open and dynamic environment. On the other hand, the ordinal lookup of filtering rules in each individual firewall results in great decrease of throughput. Aimed at a typical transit network and its security policy requirements, a policy-based access control framework (PACF) is proposed in this paper. This framework is based on three levels of abstract access control policy: organizational access control policy (OACP), global access control policy (GACP) and local access control policy (LACP). The GACP, which comes from the results of IDSes and search engines according to OACP, is automatically and dynamically distributed to firewalls as LACPs. Each LACP is then enforced by an individual firewall. Some key algorithms for distribution of GACP and enforcement of LACP are described. A hash-based algorithm is proposed, for lookup of filtering rules in LACP. Under the environment with policy requirements described in this paper, the new algorithm reduces the time complexity of lookup from O (N) of traditional sequential algorithm to O (1), which therefore increases largely the throughput of firewalls.

Vijay Varadharajan,Kallol Karmakar,Uday Tupakula,Michael Hitchens

DOI: https://doi.org/10.48550/arXiv.1806.02053

2018-06-06

Abstract:As networks expand in size and complexity, they pose greater administrative and management challenges. Software Defined Networks (SDN) offer a promising approach to meeting some of these challenges. In this paper, we propose a policy driven security architecture for securing end to end services across multiple SDN domains. We develop a language based approach to design security policies that are relevant for securing SDN services and communications. We describe the policy language and its use in specifying security policies to control the flow of information in a multi-domain SDN. We demonstrate the specification of fine grained security policies based on a variety of attributes such as parameters associated with users and devices/switches, context information such as location and routing information, and services accessed in SDN as well as security attributes associated with the switches and Controllers in different domains. An important feature of our architecture is its ability to specify path and flow based security policies, which are significant for securing end to end services in SDNs. We describe the design and the implementation of our proposed policy based security architecture and demonstrate its use in scenarios involving both intra and inter-domain communications with multiple SDN Controllers. We analyse the performance characteristics of our architecture as well as discuss how our architecture is able to counteract various security attacks. The dynamic security policy based approach and the distribution of corresponding security capabilities intelligently as a service layer that enable flow based security enforcement and protection of multitude of network devices against attacks are important contributions of this paper.

Cryptography and Security

Kai Bu

DOI: https://doi.org/10.1109/INFCOMW.2015.7179433

2015-01-01

Abstract:Software-Defined Networking (SDN) has greatly enriched the flexibility of network management. It introduces a central controller to take over most network functions that otherwise reside in distributed forwarding devices. Such a centralized design, however, tends to make control channel a bottleneck due to bandwidth fatigue. Existing work saves control channel bandwidth at the expense of losing visibility of most or mice flows. This paper proposes FastLane, a framework for bandwidth-efficient SDN flow setup without sacrificing global flow visibility. FastLane advocates that the controller inform only a flow's ingress switch of the flow's forwarding path while switches themselves cooperate to complete flow setup. This way, FastLane keeps minimum traffic for flow setup in control channel and leaves the rest to data plane. The analytical results validate FastLane's higher bandwidth efficiency over traditional SDN, especially for relatively long forwarding paths. For a 3-switch path, FastLane can already save more than a half of bandwidth. The saved bandwidth can embrace more flow setups and thus reduces flow latency.

Benfeng Chen,Zhizhong Tan,Wenyong Wang,Yan Liu,Tai Io San,Mudi Xu,Lei Wang,Shan Chen,Sou Wang Fong,Jing Feng

DOI: https://doi.org/10.3390/app14135593

2024-06-27

Applied Sciences

Abstract:In the current context of rapid Internet of Things (IoT) and cloud computing technology development, the Single Packet Authorization (SPA) protocol faces increasing challenges, such as security threats from Distributed Denial of Service (DDoS) attacks. To address these issues, we propose the Advanced Network-Hiding Access Control (AHAC) framework, designed to enhance security by reducing network environment exposure and providing secure access methods. AHAC introduces an independent control surface as the access proxy service and combines it with a noise generation mechanism for encrypted access schemes, replacing the traditional RSA signature method used in SPA protocols. This framework significantly improves system security, reduces computational costs, and enhances key verification efficiency. The AHAC framework addresses several limitations inherent in SPA: users need to know the IP address of resources in advance, exposing the resource address to potential attacks; SPA’s one-way authentication mechanism is insufficient for multi-level authentication in dynamic environments; deploying the knocking module and protected resources on the same host can lead to resource exhaustion and service unavailability under heavy loads; and SPA often uses high-overhead encryption algorithms like RSA2048. To counter these limitations, AHAC separates the Port Knocking module from the access control module, supports mutual authentication, and implements an extensible two-way communication mechanism. It also employs ECC and ECDH algorithms, enhancing security while reducing computational costs. We conducted extensive experiments to validate AHAC’s performance, high availability, extensibility, and compatibility. The experiments compared AHAC with traditional SPA in terms of time cost and performance.

Computer Science,Engineering