research-article

Free Access

A security enforcement kernel for OpenFlow networks

Authors:
Philip Porras

SRI International, Menlo Park, California, USA

SRI International, Menlo Park, California, USA
View Profile

,
Seungwon Shin

Texas A&M University, College Station, Texas, USA

Texas A&M University, College Station, Texas, USA
View Profile

,
Vinod Yegneswaran

SRI International, Menlo Park, California, USA

SRI International, Menlo Park, California, USA
View Profile

,
Martin Fong

SRI International, Menlo Park, California, USA

SRI International, Menlo Park, California, USA
View Profile

,
Mabry Tyson

SRI International, Menlo Park, California, USA

SRI International, Menlo Park, California, USA
View Profile

,
Guofei Gu

Texas A&M University, College Station, Texas, USA

Texas A&M University, College Station, Texas, USA
View Profile

HotSDN '12: Proceedings of the first workshop on Hot topics in software defined networksAugust 2012Pages 121–126https://doi.org/10.1145/2342441.2342466

Published:13 August 2012Publication History

HotSDN '12: Proceedings of the first workshop on Hot topics in software defined networks

Pages 121–126

ABSTRACT

Software-defined networks facilitate rapid and open innovation at the network control layer by providing a programmable network infrastructure for computing flow policies on demand. However, the dynamism of programmable networks also introduces new security challenges that demand innovative solutions. A critical challenge is efficient detection and reconciliation of potentially conflicting flow rules imposed by dynamic OpenFlow (OF) applications. To that end, we introduce FortNOX, a software extension that provides role-based authorization and security constraint enforcement for the NOX OpenFlow controller. FortNOX enables NOX to check flow rule contradictions in real time, and implements a novel analysis algorithm that is robust even in cases where an adversarial OF application attempts to strategically insert flow rules that would otherwise circumvent flow rules imposed by OF security applications. We demonstrate the utility of FortNOX through a prototype implementation and use it to examine performance and efficiency aspects of the proposed framework.

Supplemental Material

hotsdn-iv-03-asecurityenforcementkernelforopenflownetworks.mp4

mp4

41.8 MB

Download

References

E. Al-Shaer and S. Al-Haj. FlowChecker: Configuration Analysis and Verification of Federated Openflow Infrastructures. In Proceedings of the 3rd ACM SafeConfig Workshop, 2010. Google ScholarDigital Library
E. Al-shaer, W. Marrero, A. El-atawy, and K. Elbadawi. Network Configuration in A Box: Towards End-to-End Verification of Network Reachability and Security. In Proceedings of the IEEE International Conference on Network Protocols, 2009.Google Scholar
Z. Cai, A. L. Cox, and T. E. Ng. Maestro: A System for Scalable OpenFlow Control. In Rice University Technical Report, 2010.Google Scholar
M. Canini, D. Venzano, P. Peresini, D. Kostic, and J. Rexford. A NICE Way to Test OpenFlow Applications. In Proceedings of the Symposium on Network Systems Design and Implementation, 2012. Google ScholarDigital Library
M. Casado, M. J. Freedman, J. Pettit, J. Luo, N. McKeown, and S. Shenker. Ethane: Taking Control of the Enterprise. In Proceedings of ACM SIGCOMM, 2007. Google ScholarDigital Library
M. Casado, T. Garfinkel, M. Freedman, A. Akella, D. Boneh, N. McKeowon, and S. Shenker. SANE: A Protection Architecture for Enterprise Networks. In Proceedings of the Usenix Security Symposium, 2006. Google ScholarDigital Library
A. El-atawy, T. Samak, Z. Wali, E. Al-shaer, F. Lin, C. Pham, and S. Li. An Automated Framework for Validating Firewall Policy Enforcement. Technical report, 2007.Google Scholar
N. Feamster and H. Balakrishnan. Detecting BGP Configuration Faults with Static Analysis. In Proceedings of the Usenix Symposium on Network Systems Design and Implementation, 2005. Google ScholarDigital Library
A. Greenberg, G. Hjalmtysson, D. A. Maltz, A. Myers, J. Rexford, G. Xie, H. Yan, J. Zhan, and H. Zhang. A Clean Slate 4D Approach to Network Control and Management. In Proceedings of ACM Computer Communications Review, 2005. Google ScholarDigital Library
N. Gude, T. Koponen, J. Pettit, B. Pfaff, M. Casado, N. McKeown, and S. Shenker. NOX: Towards an Operating System for Networks. In Proceedings of ACM Computer Communications Review, July 2008. Google ScholarDigital Library
P. Kazemian, G. Varghese, and N. McKeown. Header Space Analysis: Static Checking for Networks. In Proceedings of the Symposium on Network Systems Design and Implementation, 2012. Google ScholarDigital Library
A. Khurshid, W. Zhou, M. Caesar, and P. B. Godfrey. VeriFlow: Verifying Network-Wide Invariants in Real Time. In Proceedings of ACM Sigcomm HotSDN Workshop, 2012. Google ScholarDigital Library
A. Liu. Formal Verification of Firewall Policies. In Proceedings of the International Conference on Communications (ICC), 2008.Google ScholarCross Ref
N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L. Peterson, J. Rexford, S. Shenker, and J. Turner. OpenFlow: Enabling Innovation in Campus Networks. In Proceedings of ACM Computer Communications Review, April 2008. Google ScholarDigital Library
J. C. Mogul, J. Tourrilhes, P. Yalagandula, P. Sharma, A. R. Curtis, and S. Banerjee. DevoFlow: Cost-effective Flow Management for High Performance Enterprise Networks. In Proceedings of the 10th ACM Workshop on Hot Topics in Networks (HotNets), 2010. Google ScholarDigital Library
A. Nayak, A. Reimers, N. Feamster, and R. Clark. Resonance: Dynamic Access Control for Enterprise Networks. In Proceedings of the 1st ACM SIGCOMM WREN Workshop, 2009. Google ScholarDigital Library
OpenFlow. OpenFlow 1.1.0 Specification. http://www.openflow.org/documents/openflow-spec-v1.1.0.pdf.Google Scholar
OpenFlowHub. BEACON. http//www.openflowhub.org/display/Beacon.Google Scholar
M. Reitblatt, N. Foster, J. Rexford, and D. Walker. Consistent Update for Software-Defined Networks: Change You Can Believe In! In Proceedings of the ACM Workshop on Hot Topics in Networks, 2011. Google ScholarDigital Library
S. Sanfilippo. HPing home page. http://www.hping.org.Google Scholar
D. Senn, D. Basin, and G. Caronni. Firewall Conformance Testing. In Proceedings of the IFIP TestCom, 2005. Google ScholarDigital Library
R. Sherwood, G. Gibb, K.-K. Yap, G. Appenzeller, M. Casado, N. McKeown, and G. Parulkar. Can the Production Network Be the Testbed. In Proceedings of the Usenix Symposium on Operating System Design and Implementation (OSDI), 2010. Google ScholarDigital Library
G. Xie, J. Zhan, D. Maltz, H. Zhang, A. Greenberg, G. Hjalmtysson, and J. Rexford. On Static Reachability Analysis of IP Networks. In Proceeding of IEEE INFOCOM, 2005.Google ScholarCross Ref

Index Terms

A security enforcement kernel for OpenFlow networks
1. Networks
  1. Network components
    1. Intermediate nodes
      1. Routers

Recommendations

Towards a Security-Enhanced Firewall Application for OpenFlow Networks
Cyberspace Safety and Security
Abstract
Software-Defined Networking (SDN), which offers programmers network-wide visibility and direct control over the underlying switches from a logically-centralized controller, not only has a huge impact on the development of current networks, but ...
Read More
Performance Analysis of SDN/OpenFlow Controllers: POX Versus Floodlight

Software-Defined Networking (SDN) is an emerging network architecture that is adaptable, dynamic, cost-effective, and manageable. The SDN architecture is a form of network virtualization where the network controlling functions and forwarding functions ...
Read More
Policy enforcement in traditional non-SDN networks
Abstract
Middleboxes are widely used in modern networks for a variety of network functions in cybersecurity, performance enhancement, and monitoring. Middlebox policy enforcement is however complex and tedious with unreliable manual re-...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
HotSDN '12: Proceedings of the first workshop on Hot topics in software defined networks
August 2012
142 pages
ISBN:9781450314770
DOI:10.1145/2342441
Program Chairs:
Nick Feamster
University of Maryland
,
Jennifer Rexford
Princeton University
Copyright © 2012 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 13 August 2012
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
openflow
policy enforcement
security
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate88of198submissions,44%
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 373
  Total Citations
  View Citations
- 2,982
  Total Downloads
- Downloads (Last 12 months)174
- Downloads (Last 6 weeks)29
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

A security enforcement kernel for OpenFlow networks

HotSDN '12: Proceedings of the first workshop on Hot topics in software defined networks

ABSTRACT

Supplemental Material

References

Cited By

Index Terms

Recommendations

Towards a Security-Enhanced Firewall Application for OpenFlow Networks

Performance Analysis of SDN/OpenFlow Controllers: POX Versus Floodlight

Policy enforcement in traditional non-SDN networks