ABSTRACT
Software-defined networks facilitate rapid and open innovation at the network control layer by providing a programmable network infrastructure for computing flow policies on demand. However, the dynamism of programmable networks also introduces new security challenges that demand innovative solutions. A critical challenge is efficient detection and reconciliation of potentially conflicting flow rules imposed by dynamic OpenFlow (OF) applications. To that end, we introduce FortNOX, a software extension that provides role-based authorization and security constraint enforcement for the NOX OpenFlow controller. FortNOX enables NOX to check flow rule contradictions in real time, and implements a novel analysis algorithm that is robust even in cases where an adversarial OF application attempts to strategically insert flow rules that would otherwise circumvent flow rules imposed by OF security applications. We demonstrate the utility of FortNOX through a prototype implementation and use it to examine performance and efficiency aspects of the proposed framework.
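The conflict-detection problem the abstract describes, as an added illustration that is not code from the paper, from FortNOX or from NOX: a simplified checker in which a candidate rule from a lower-ranked application is compared against higher-ranked security rules using both its own match and the headers its set-field actions can produce. A rule that matches a decoy destination, rewrites it to a blocked host and forwards is therefore caught even though its match and the security rule's match are disjoint, which is the kind of strategic insertion a plain pairwise match comparison misses. The header fields, the role ranking, the rule representation and the sample rules are assumptions made for this example; the paper's actual analysis algorithm is not reproduced here.

```python
"""
Simplified flow-rule conflict checker (added illustration; not FortNOX code).

Assumed model: a rule is a match over a few header fields (None = wildcard),
an action ("forward" or "drop") and an optional ordered list of set-field
rewrites applied before forwarding.  Each rule carries the role of the
application that installed it; security rules outrank ordinary apps.
"""
from dataclasses import dataclass

WILDCARD = None
FIELDS = ("nw_src", "nw_dst", "tp_dst")          # assumed header fields

ROLE_RANK = {"admin": 3, "security": 2, "app": 1}  # assumed role ordering


@dataclass
class FlowRule:
    role: str
    match: dict           # field -> value, or None for wildcard
    action: str           # "forward" | "drop"
    sets: tuple = ()      # ((field, value), ...) header rewrites, in order
    name: str = ""


def matches_intersect(a: dict, b: dict) -> bool:
    """Two matches overlap unless some field is bound to different values in both."""
    for f in FIELDS:
        va, vb = a.get(f), b.get(f)
        if va is not WILDCARD and vb is not WILDCARD and va != vb:
            return False
    return True


def alias_matches(rule: FlowRule) -> list:
    """
    The rule's own match plus every header it can produce through its set
    actions.  A rule that rewrites nw_dst from X to Y effectively carries
    traffic addressed to Y even though its match names X, so each rewritten
    header must be checked against higher-ranked rules as well.
    """
    aliases = [dict(rule.match)]
    for f, v in rule.sets:
        rewritten = dict(aliases[-1])   # rewrites are cumulative
        rewritten[f] = v
        aliases.append(rewritten)
    return aliases


def conflicts(candidate: FlowRule, existing: FlowRule) -> bool:
    """
    The candidate contradicts an existing rule when (1) the existing rule's
    role outranks the candidate's, (2) their actions disagree, and (3) any
    alias of the candidate overlaps the existing rule's match.
    """
    if ROLE_RANK[existing.role] <= ROLE_RANK[candidate.role]:
        return False
    if candidate.action == existing.action:
        return False
    return any(matches_intersect(alias, existing.match)
               for alias in alias_matches(candidate))


def check_insert(candidate: FlowRule, table: list) -> list:
    """Names of existing rules the candidate would contradict (empty = accept)."""
    return [r.name for r in table if conflicts(candidate, r)]


# Constructed sample table: a security app blocks 10.0.0.1 -> 10.0.0.2.
SECURITY_TABLE = [
    FlowRule("security", {"nw_src": "10.0.0.1", "nw_dst": "10.0.0.2"}, "drop",
             name="block_1_to_2"),
]

# Direct contradiction: same flow, opposite action.
DIRECT = FlowRule("app", {"nw_src": "10.0.0.1", "nw_dst": "10.0.0.2"}, "forward",
                  name="direct")

# Evasion attempt: match a decoy destination, rewrite it to the blocked host,
# then forward.  The two matches are disjoint, so a pairwise comparison of
# matches alone would accept it; the alias check rejects it.
EVASION = FlowRule("app", {"nw_src": "10.0.0.1", "nw_dst": "10.0.0.99"}, "forward",
                   sets=(("nw_dst", "10.0.0.2"),), name="evasion")

# Unrelated rule from a different source host: accepted.
BENIGN = FlowRule("app", {"nw_src": "10.0.0.5", "nw_dst": "10.0.0.2"}, "forward",
                  name="benign")

if __name__ == "__main__":
    for rule in (DIRECT, EVASION, BENIGN):
        print(rule.name, "->", check_insert(rule, SECURITY_TABLE) or "accepted")
```

The role check is what makes this an authorization decision rather than a generic consistency check: an `admin` rule with the same match as `DIRECT` is accepted, because the conflicting security rule does not outrank it. Rule priorities, reverse-direction flows and multi-switch paths are deliberately left out of this model.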
Index Terms
- A security enforcement kernel for OpenFlow networks