Brew: A Security Policy Analysis Framework for Distributed SDN-Based Cloud Environments

Sandeep Pisharody, Janakarajan Natarajan, Ankur Chowdhary, Abdullah Alshalan, Dijiang Huang

Research output: Contribution to journalArticle

5 Scopus citations

Abstract

The ease of programmability in Software-Defined Networking (SDN) makes it a great platform implementation of various initiatives that involve application deployment, dynamic topology changes, and decentralized network management in a multi-tenant data center environment. However, implementing security solutions in such an environment is fraught with policy conflicts and consistency issues with the hardness of this problem being affected by the distribution scheme for the SDN controllers. In this paper we present Brew, a security policy analysis framework implemented on an OpenDaylight SDN controller, that has comprehensive conflict detection and resolution modules to ensure that no two flow rules in a distributed SDN-based cloud environment have conflicts at any layer; thereby assuring consistent conflict-free security policy implementation and preventing information leakage. We present techniques for global prioritization of flow rules in a decentralized environment, extend firewall rule conflict classification from a traditional environment to SDN flow rule conflicts by recognizing and classifying conflicts stemming from cross-layer conflicts and provide strategies for unassisted resolution of these conflicts. Alternately, if administrator input is desired to resolve conflicts, a novel visualization scheme is implemented to help the administrators view the conflicts graphically. We demonstrate the correctness, feasibility and scalability of our framework through a proof-of-concept prototype.

Original languageEnglish (US)
Article number7976378
Pages (from-to)1011-1025
Number of pages15
JournalIEEE Transactions on Dependable and Secure Computing
Volume16
Issue number6
DOIs
StatePublished - Nov 1 2019

Keywords

  • Software-defined networks
  • data center network
  • distributed environments
  • flow rule conflicts
  • network security

ASJC Scopus subject areas

  • Electrical and Electronic Engineering

Fingerprint Dive into the research topics of 'Brew: A Security Policy Analysis Framework for Distributed SDN-Based Cloud Environments'. Together they form a unique fingerprint.

  • Cite this