Abstract
Software-defined networking (SDN) is a promising paradigm for improving network security protections, and many SDN-based security enhancements have been proposed. However, current SDN-based security solutions rarely provide sufficient protection in a real SDN network, for several reasons: (1) they are implemented either at the centralized SDN controllers or at the decentralized network devices, which limits their performance; (2) their designs are confined by SDN network characteristics and can only provide limited security functions; (3) many solutions have deployment challenges and compatibility issues. In this paper, we propose SecControl, a practical network protection framework that combines existing security tools with SDN technologies to produce a comprehensive network security solution in an SDN environment. By drawing on the capabilities of existing security tools, SecControl perceives security events in real time and adjusts the protected network environment accordingly. It can be easily extended with various methods for different security threats. With SecControl, we construct a network security solution for software-defined networks that is friendly to traditional security tools. We implement a SecControl prototype with OpenFlow and evaluate its effectiveness and performance. Our experiments show that SecControl can cooperate with many mainstream security tools and provide effective defense responses over SDN-supported networks.
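One way to realize the bridge the abstract describes, as an added example that is not SecControl's own code: a small Python translator that parses an IDMEF alert (the RFC 4765 format emitted by several existing intrusion detection tools) and turns its severity into an Open vSwitch flow rule. The alert, the severity policy, the bridge name `br0`, the IDS mirror port and the timeout are assumptions constructed for this demo.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = "{http://iana.org/idmef}"  # IDMEF namespace from RFC 4765

# Constructed IDMEF alert for this demo; not output from any real IDS.
SAMPLE_ALERT = """<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">
  <idmef:Alert messageid="demo-0001">
    <idmef:Source><idmef:Node><idmef:Address category="ipv4-addr">
      <idmef:address>10.0.0.7</idmef:address></idmef:Address></idmef:Node></idmef:Source>
    <idmef:Target><idmef:Node><idmef:Address category="ipv4-addr">
      <idmef:address>10.0.0.20</idmef:address></idmef:Address></idmef:Node></idmef:Target>
    <idmef:Classification text="SSH brute force"/>
    <idmef:Assessment><idmef:Impact severity="high"/></idmef:Assessment>
  </idmef:Alert>
</idmef:IDMEF-Message>"""

@dataclass
class Alert:
    src: str
    dst: str
    severity: str

def parse_idmef(xml_text: str) -> Alert:
    """Pull source address, target address and severity out of an IDMEF message."""
    alert = ET.fromstring(xml_text).find(f"{NS}Alert")
    if alert is None:
        raise ValueError("not an IDMEF Alert message")
    def address(role: str) -> str:
        node = alert.find(f"{NS}{role}/{NS}Node/{NS}Address/{NS}address")
        return node.text.strip() if node is not None and node.text else ""
    impact = alert.find(f"{NS}Assessment/{NS}Impact")
    severity = impact.get("severity", "medium") if impact is not None else "medium"
    return Alert(address("Source"), address("Target"), severity)

def alert_to_flows(alert: Alert, ids_port: int = 3, ttl: int = 600) -> list:
    """Map severity to ovs-ofctl add-flow rules (a hypothetical policy):
    high -> drop all traffic from the source for ttl seconds;
    medium -> keep forwarding but mirror the flow to the IDS port;
    anything else -> no data-plane change, the alert is only logged."""
    if alert.severity == "high" and alert.src:
        return [f"priority=200,idle_timeout={ttl},ip,nw_src={alert.src},actions=drop"]
    if alert.severity == "medium" and alert.src and alert.dst:
        return [f"priority=150,idle_timeout={ttl},ip,nw_src={alert.src},"
                f"nw_dst={alert.dst},actions=output:{ids_port},normal"]
    return []

if __name__ == "__main__":
    for rule in alert_to_flows(parse_idmef(SAMPLE_ALERT)):
        print("ovs-ofctl add-flow br0", rule)
```

The idle timeout makes the response self-revoking, so a false positive from the IDS degrades the network only for a bounded time rather than until an operator removes the rule by hand.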
Acknowledgments
This work was supported in part by The Penn State Fund for Innovation.
Copyright information
© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Wang, L., Wu, D. (2018). SecControl: Bridging the Gap Between Security Tools and SDN Controllers. In: Lin, X., Ghorbani, A., Ren, K., Zhu, S., Zhang, A. (eds) Security and Privacy in Communication Networks. SecureComm 2017. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 239. Springer, Cham. https://doi.org/10.1007/978-3-319-78816-6_2
DOI: https://doi.org/10.1007/978-3-319-78816-6_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-78815-9
Online ISBN: 978-3-319-78816-6