Published in: Annals of Telecommunications 11-12/2016

28.03.2016

AuthFlow: authentication and access control mechanism for software defined networking

Authors: Diogo Menezes Ferrazani Mattos, Otto Carlos Muniz Bandeira Duarte


Abstract

Software-defined networking (SDN) is being widely adopted by enterprise networks, whereas providing security features in these next-generation networks remains a challenge. In this article, we present the main security threats in software-defined networking and we propose AuthFlow, an authentication and access control mechanism based on host credentials. The main contributions of our proposal are threefold: (i) a host authentication mechanism just above the MAC layer in an OpenFlow network, which guarantees a low overhead and ensures fine-grained access control; (ii) a credential-based authentication that performs access control according to the privilege level of each host, by mapping the host credentials to the set of flows that belong to the host; (iii) a new framework for control applications, enabling software-defined network controllers to use the host identity as a new flow field to define forwarding rules. A prototype of the proposed mechanism was implemented on top of the POX controller. The results show that AuthFlow denies access to hosts that either lack valid credentials or have had their authorization revoked. Finally, we show that our scheme allows, for each host, different levels of access to network resources according to its credential.
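To make the access-control idea in the abstract concrete, here is an added example (not the authors' POX prototype) that models a controller mapping each authenticated host's credential to a privilege level and admitting or dropping its flow requests accordingly, including teardown of a host's flows on revocation; the privilege levels, policy table and MAC addresses are constructed for illustration.

```python
"""Illustrative model (not the paper's code) of AuthFlow-style access control:
a host's authenticated credential is mapped to a privilege level, and every
flow request from that host is admitted or denied against that level."""
from dataclasses import dataclass, field

# Constructed privilege policy: level -> set of (protocol, dst_port) a host may open.
# ("any", None) means any protocol and port. Levels and entries are assumptions.
POLICY = {
    "guest": {("tcp", 80), ("tcp", 443), ("udp", 53)},
    "staff": {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 22), ("tcp", 3389)},
    "admin": {("any", None)},
}

@dataclass
class Credential:
    host_id: str          # identity asserted by the authenticated credential
    level: str            # privilege level bound to that identity
    revoked: bool = False

@dataclass
class AuthFlowController:
    # MAC address -> credential of the host authenticated on that attachment
    authenticated: dict = field(default_factory=dict)
    # installed flows, keyed by MAC, so revocation can tear them down
    flows: dict = field(default_factory=dict)

    def authenticate(self, mac, cred):
        """Bind a credential to a host after the authenticator accepts it."""
        self.authenticated[mac] = cred

    def revoke(self, mac):
        """Revoke the host's authorization and remove every flow it owns."""
        cred = self.authenticated.get(mac)
        if cred is not None:
            cred.revoked = True
        return self.flows.pop(mac, [])  # flows the switch must delete

    def decide(self, mac, proto, dst_port):
        """Packet-in handler: map the source host's identity to a decision."""
        cred = self.authenticated.get(mac)
        if cred is None or cred.revoked:
            return "drop"                     # unauthenticated or revoked host
        allowed = POLICY.get(cred.level, set())
        if ("any", None) in allowed or (proto, dst_port) in allowed:
            self.flows.setdefault(mac, []).append((proto, dst_port))
            return "forward"
        return "drop"
```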


Footnotes

1. Considering a three-layer SDN model, we identify three API levels: southbound API, east/westbound API, and northbound API. In this model, OpenFlow is an example of a southbound API.

2. FITS is an inter-university testbed network which was developed through a partnership between Brazilian and European institutions. More information on http://www.gta.ufrj.br/fits/.

3. The nomenclature for supplicant, authenticator, and authentication server is defined by the IEEE 802.1X standard.

4. For the sake of generality, we use the term packets for datagrams of all layers.

6. We consider that a credential is the proof of the identity of a host.

7. The POX controller used in our prototype is a development branch of the controller used in FITS, extended to support AuthFlow.

8. For the sake of simplicity, we evaluate a standard page of the NoCat captive portal. Available at http://nocat.net.
 
Metadata
Title
AuthFlow: authentication and access control mechanism for software defined networking
Authors
Diogo Menezes Ferrazani Mattos
Otto Carlos Muniz Bandeira Duarte
Publication date
28.03.2016
Publisher
Springer Paris
Published in
Annals of Telecommunications / Issue 11-12/2016
Print ISSN: 0003-4347
Electronic ISSN: 1958-9395
DOI
https://doi.org/10.1007/s12243-016-0505-z
