SecControl: Bridging the Gap Between Security Tools and SDN Controllers

  • Conference paper

Abstract

Software-defined networking (SDN) is a promising paradigm for improving network security protections, and many SDN-based security enhancements have been proposed. However, current SDN-based security solutions can hardly provide sufficient protection in a real SDN network, for several reasons: (1) they are implemented either at the centralized SDN controllers or at the decentralized network devices, both of which are subject to performance limitations; (2) their designs are confined by the characteristics of SDN networks and can only provide limited security functions; (3) many solutions face deployment challenges and compatibility issues. In this paper, we propose SecControl, a practical network protection framework that combines existing security tools with SDN technologies to produce a comprehensive network security solution in an SDN environment. By employing the capabilities of existing security tools, SecControl perceives real-time security events dynamically and adjusts the protected network environment accordingly. It can easily be extended with various methods for different security threats. With SecControl, we construct a network security solution for software-defined networks that is friendly to traditional security tools. We implement a SecControl prototype with OpenFlow and evaluate its effectiveness and performance. Our experiments show that SecControl can cooperate with many mainstream security tools and provide effective defense responses over SDN-supported networks.



Acknowledgments

This work was supported in part by The Penn State Fund for Innovation.

Author information

Correspondence to Dinghao Wu.


Copyright information

© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Wang, L., Wu, D. (2018). SecControl: Bridging the Gap Between Security Tools and SDN Controllers. In: Lin, X., Ghorbani, A., Ren, K., Zhu, S., Zhang, A. (eds) Security and Privacy in Communication Networks. SecureComm 2017. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 239. Springer, Cham. https://doi.org/10.1007/978-3-319-78816-6_2

  • DOI: https://doi.org/10.1007/978-3-319-78816-6_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-78815-9

  • Online ISBN: 978-3-319-78816-6

  • eBook Packages: Computer Science, Computer Science (R0)
