Abstract

Software-Defined Network (SDN) is a novel architecture created to address the issues of traditional, vertically integrated networks. To increase cost-effectiveness and enable logical control, SDN provides high programmability and a centralized view of the network by separating network traffic delivery (the "data plane") from network configuration (the "control plane"). SDN controllers and related protocols are rapidly evolving to address the demands for scaling in complex enterprise networks. Because of this rapid evolution of SDN technologies, production networks employing SDN are prone to several security vulnerabilities; the rate at which SDN frameworks evolve continues to outpace attempts to address their security issues. According to our study, existing defense mechanisms, particularly SDN-based firewalls, face new and SDN-specific challenges in successfully enforcing security policies in the underlying network. In this paper, we identify problems associated with SDN-based firewalls, such as ambiguous flow path calculations and poor scalability in large networks. We survey existing SDN-based firewall designs and their shortcomings in protecting a dynamically scaling network such as a data center. We extend our study by evaluating one such SDN-specific security solution, FlowGuard, and identifying new attack vectors and vulnerabilities. We also present corresponding threat detection techniques and respective mitigation strategies.

Original language: English (US)
Title of host publication: SDN-NFVSec 2018 - Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks and Network Function Virtualization, Co-located with CODASPY 2018
Publisher: Association for Computing Machinery, Inc
Pages: 33-38
Number of pages: 6
Volume: 2018-January
ISBN (Electronic): 9781450356350
DOIs: 10.1145/3180465.3180468
State: Published - Mar 14 2018
Event: 2018 ACM International Workshop on Security in Software Defined Networks and Network Function Virtualization, SDN-NFVSec 2018 - Tempe, United States
Duration: Mar 21 2018 → …

Other

Other: 2018 ACM International Workshop on Security in Software Defined Networks and Network Function Virtualization, SDN-NFVSec 2018
Country: United States
City: Tempe
Period: 3/21/18 → …

Fingerprint

  • Cost effectiveness
  • Scalability
  • Controllers
  • Industry

ASJC Scopus subject areas

  • Computer Science Applications
  • Information Systems
  • Software

Cite this

Dixit, V. H., Kyung, S., Zhao, Z., Doupe, A., Shoshitaishvili, Y., & Ahn, G-J. (2018). Challenges and preparedness of SDN-based firewalls. In SDN-NFVSec 2018 - Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks and Network Function Virtualization, Co-located with CODASPY 2018 (Vol. 2018-January, pp. 33-38). Association for Computing Machinery, Inc. https://doi.org/10.1145/3180465.3180468

Challenges and preparedness of SDN-based firewalls. / Dixit, Vaibhav Hemant; Kyung, Sukwha; Zhao, Ziming; Doupe, Adam; Shoshitaishvili, Yan; Ahn, Gail-Joon.

SDN-NFVSec 2018 - Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks and Network Function Virtualization, Co-located with CODASPY 2018. Vol. 2018-January Association for Computing Machinery, Inc, 2018. p. 33-38.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Dixit, VH, Kyung, S, Zhao, Z, Doupe, A, Shoshitaishvili, Y & Ahn, G-J 2018, Challenges and preparedness of SDN-based firewalls. in SDN-NFVSec 2018 - Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks and Network Function Virtualization, Co-located with CODASPY 2018. vol. 2018-January, Association for Computing Machinery, Inc, pp. 33-38, 2018 ACM International Workshop on Security in Software Defined Networks and Network Function Virtualization, SDN-NFVSec 2018, Tempe, United States, 3/21/18. https://doi.org/10.1145/3180465.3180468

Dixit VH, Kyung S, Zhao Z, Doupe A, Shoshitaishvili Y, Ahn G-J. Challenges and preparedness of SDN-based firewalls. In SDN-NFVSec 2018 - Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks and Network Function Virtualization, Co-located with CODASPY 2018. Vol. 2018-January. Association for Computing Machinery, Inc. 2018. p. 33-38. https://doi.org/10.1145/3180465.3180468

Dixit, Vaibhav Hemant ; Kyung, Sukwha ; Zhao, Ziming ; Doupe, Adam ; Shoshitaishvili, Yan ; Ahn, Gail-Joon. / Challenges and preparedness of SDN-based firewalls. SDN-NFVSec 2018 - Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks and Network Function Virtualization, Co-located with CODASPY 2018. Vol. 2018-January Association for Computing Machinery, Inc, 2018. pp. 33-38

@inproceedings{78f2e25afc8a43ee84d18ee2fe58ed16,
title = "Challenges and preparedness of SDN-based firewalls",
abstract = "Software-Defined Network (SDN) is a novel architecture created to address the issues of traditional and vertically integrated networks. To increase cost-effectiveness and enable logical control, SDN provides high programmability and centralized view of the network through separation of network traffic delivery (the {"}data plane{"}) from network configuration (the {"}control plane{"}). SDN controllers and related protocols are rapidly evolving to address the demands for scaling in complex enterprise networks. Because of the evolution of modern SDN technologies, production networks employing SDN are prone to several security vulnerabilities. The rate at which SDN frameworks are evolving continues to overtake attempts to address their security issues. According to our study, existing defense mechanisms, particularly SDN-based firewalls, face new and SDN-specific challenges in successfully enforcing security policies in the underlying network. In this paper, we identify problems associated with SDN-based firewalls, such as ambiguous flow path calculations and poor scalability in large networks. We survey existing SDN-based firewall designs and their shortcomings in protecting a dynamically scaling network like a data center. We extend our study by evaluating one such SDN-specific security solution called FlowGuard, and identifying new attack vectors and vulnerabilities. We also present corresponding threat detection techniques and respective mitigation strategies.",
author = "Dixit, {Vaibhav Hemant} and Sukwha Kyung and Ziming Zhao and Adam Doupe and Yan Shoshitaishvili and Gail-Joon Ahn",
year = "2018",
month = "3",
day = "14",
doi = "10.1145/3180465.3180468",
language = "English (US)",
volume = "2018-January",
pages = "33--38",
booktitle = "SDN-NFVSec 2018 - Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks and Network Function Virtualization, Co-located with CODASPY 2018",
publisher = "Association for Computing Machinery, Inc",
}

TY  - GEN
T1  - Challenges and preparedness of SDN-based firewalls
AU  - Dixit, Vaibhav Hemant
AU  - Kyung, Sukwha
AU  - Zhao, Ziming
AU  - Doupe, Adam
AU  - Shoshitaishvili, Yan
AU  - Ahn, Gail-Joon
PY  - 2018/3/14
Y1  - 2018/3/14
N2  - Software-Defined Network (SDN) is a novel architecture created to address the issues of traditional and vertically integrated networks. To increase cost-effectiveness and enable logical control, SDN provides high programmability and centralized view of the network through separation of network traffic delivery (the "data plane") from network configuration (the "control plane"). SDN controllers and related protocols are rapidly evolving to address the demands for scaling in complex enterprise networks. Because of the evolution of modern SDN technologies, production networks employing SDN are prone to several security vulnerabilities. The rate at which SDN frameworks are evolving continues to overtake attempts to address their security issues. According to our study, existing defense mechanisms, particularly SDN-based firewalls, face new and SDN-specific challenges in successfully enforcing security policies in the underlying network. In this paper, we identify problems associated with SDN-based firewalls, such as ambiguous flow path calculations and poor scalability in large networks. We survey existing SDN-based firewall designs and their shortcomings in protecting a dynamically scaling network like a data center. We extend our study by evaluating one such SDN-specific security solution called FlowGuard, and identifying new attack vectors and vulnerabilities. We also present corresponding threat detection techniques and respective mitigation strategies.
AB  - Software-Defined Network (SDN) is a novel architecture created to address the issues of traditional and vertically integrated networks. To increase cost-effectiveness and enable logical control, SDN provides high programmability and centralized view of the network through separation of network traffic delivery (the "data plane") from network configuration (the "control plane"). SDN controllers and related protocols are rapidly evolving to address the demands for scaling in complex enterprise networks. Because of the evolution of modern SDN technologies, production networks employing SDN are prone to several security vulnerabilities. The rate at which SDN frameworks are evolving continues to overtake attempts to address their security issues. According to our study, existing defense mechanisms, particularly SDN-based firewalls, face new and SDN-specific challenges in successfully enforcing security policies in the underlying network. In this paper, we identify problems associated with SDN-based firewalls, such as ambiguous flow path calculations and poor scalability in large networks. We survey existing SDN-based firewall designs and their shortcomings in protecting a dynamically scaling network like a data center. We extend our study by evaluating one such SDN-specific security solution called FlowGuard, and identifying new attack vectors and vulnerabilities. We also present corresponding threat detection techniques and respective mitigation strategies.
UR  - http://www.scopus.com/inward/record.url?scp=85050403848&partnerID=8YFLogxK
UR  - http://www.scopus.com/inward/citedby.url?scp=85050403848&partnerID=8YFLogxK
U2  - 10.1145/3180465.3180468
DO  - 10.1145/3180465.3180468
M3  - Conference contribution
VL  - 2018-January
SP  - 33
EP  - 38
BT  - SDN-NFVSec 2018 - Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks and Network Function Virtualization, Co-located with CODASPY 2018
PB  - Association for Computing Machinery, Inc
ER  - 