
A Security Policy Transition Framework for Software-Defined Networks

Chapter in: Guide to Security in SDN and NFV

Abstract

Software-defined networking (SDN) controllers are maturing quickly, offering richer abstractions and more intuitive programming interfaces to network operators who want to develop their own network applications. Likewise, security research within the SDN community is a growing field, and SDN-based security solutions are becoming increasingly common. Yet while these solutions often detect and block clients who violate network policies, they frequently fail to consider how a policy enforcement will be revoked or updated once the flagged client has remedied the violation for which it was flagged. As a result, no clear path exists for readmitting a client to the network other than having the network operator manually remove the policy enforcement or reset the SDN controller. For the network operator, such requirements are tedious and error prone, and they cost valuable time that could be better spent on more complex network tasks. Hence, this chapter discusses a security policy transition framework for reducing wait times and automating the revocation of policy enforcements in SDN environments for clients who are approved to rejoin the network.


Notes

  1. This chapter only considers a single controller, though distributed, logically centralized controllers can be used for more robust control options (e.g., fault tolerance, scalability, etc.).

  2. Hash tables (Python dictionaries) are Ryuretic’s mechanism for directing network operations.



Correspondence to Jacob H. Cox Jr.


Copyright information

© 2017 Springer International Publishing AG

About this chapter


Cite this chapter

Cox, J.H., Clark, R.J., Owen, H.L. (2017). A Security Policy Transition Framework for Software-Defined Networks. In: Zhu, S., Scott-Hayward, S., Jacquin, L., Hill, R. (eds) Guide to Security in SDN and NFV. Computer Communications and Networks. Springer, Cham. https://doi.org/10.1007/978-3-319-64653-4_6


  • DOI: https://doi.org/10.1007/978-3-319-64653-4_6


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-64652-7

  • Online ISBN: 978-3-319-64653-4

  • eBook Packages: Computer Science (R0)
