Abstract
Software-defined networking (SDN) is being widely adopted by enterprise networks, but providing security features in these next-generation networks remains a challenge. In this article, we present the main security threats in software-defined networking and propose AuthFlow, an authentication and access control mechanism based on host credentials. The main contributions of our proposal are threefold: (i) a host authentication mechanism placed just above the MAC layer in an OpenFlow network, which guarantees low overhead and ensures fine-grained access control; (ii) a credential-based authentication that performs access control according to the privilege level of each host, by mapping the host credentials to the set of flows that belong to that host; (iii) a new framework for control applications, enabling software-defined network controllers to use the host identity as a new flow field when defining forwarding rules. A prototype of the proposed mechanism was implemented on top of the POX controller. The results show that AuthFlow denies access to hosts that either lack valid credentials or have had their authorization revoked. Finally, we show that our scheme allows each host a different level of access to network resources according to its credential.
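As an added illustration, not the authors' POX implementation, the following Python model shows the decision the abstract describes: on a new flow, the controller looks up the host identity from the source MAC, denies hosts with no credential or a revoked one, and otherwise compares the credential's privilege level against a per-destination policy. The class and function names, the three privilege levels and the sample policy are assumptions constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum

# Assumed privilege levels; AuthFlow's real credential format is not shown on this page.
class Level(Enum):
    GUEST = 1
    STAFF = 2
    ADMIN = 3

@dataclass
class Credential:
    host_mac: str
    level: Level
    revoked: bool = False

@dataclass(frozen=True)
class FlowKey:
    src_mac: str
    dst_ip: str
    dst_port: int

# Constructed sample policy: lowest credential level allowed to reach each (dst_ip, dst_port).
POLICY = {
    ("10.0.0.10", 80): Level.GUEST,   # web server, open to any authenticated host
    ("10.0.0.20", 445): Level.STAFF,  # file server
    ("10.0.0.30", 22): Level.ADMIN,   # management SSH
}

class AuthFlowController:
    def __init__(self):
        self.credentials = {}  # host MAC -> Credential, populated by the authenticator
        self.flow_table = {}   # FlowKey -> "allow"/"drop", the rules the controller would push

    def authenticate(self, cred):
        self.credentials[cred.host_mac] = cred

    def revoke(self, host_mac):
        # Mark the credential revoked and turn every flow of that host into a drop rule.
        if host_mac in self.credentials:
            self.credentials[host_mac].revoked = True
        for key in [k for k in self.flow_table if k.src_mac == host_mac]:
            self.flow_table[key] = "drop"

    def packet_in(self, key):
        """Decide a new flow; the host identity is derived from the source MAC."""
        cred = self.credentials.get(key.src_mac)
        if cred is None or cred.revoked:
            action = "drop"  # unauthenticated or revoked host
        else:
            required = POLICY.get((key.dst_ip, key.dst_port))
            # Default deny for destinations not covered by the policy.
            action = "allow" if required and cred.level.value >= required.value else "drop"
        self.flow_table[key] = action
        return action
```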
Notes
Considering a three-layer SDN model, we identify three API levels: the southbound API, the east/westbound API, and the northbound API. In this model, OpenFlow is an example of a southbound API.
FITS is an inter-university testbed network which was developed through a partnership between Brazilian and European institutions. More information on http://www.gta.ufrj.br/fits/.
The nomenclature for supplicant, authenticator, and authentication server is defined by the IEEE 802.1X standard.
For the sake of generality, we use the term packet for the datagrams of all layers.
We consider a credential to be the proof of the identity of a host.
The POX controller used in our prototype is a development branch of the controller used in FITS, to support AuthFlow.
For the sake of simplicity, we evaluate the standard page of the NoCat captive portal, available at http://nocat.net.
Additional information
This work was sponsored by CNPq, CAPES, and FAPERJ.
Cite this article
Ferrazani Mattos, D.M., Duarte, O.C.M.B. AuthFlow: authentication and access control mechanism for software defined networking. Ann. Telecommun. 71, 607–615 (2016). https://doi.org/10.1007/s12243-016-0505-z
DOI: https://doi.org/10.1007/s12243-016-0505-z