TY - GEN
T1 - Challenges and preparedness of SDN-based firewalls
AU - Dixit, Vaibhav Hemant
AU - Kyung, Sukwha
AU - Zhao, Ziming
AU - Doupe, Adam
AU - Shoshitaishvili, Yan
AU - Ahn, Gail-Joon
N1 - Publisher Copyright:
© 2018 Association for Computing Machinery.
PY - 2018/3/14
Y1 - 2018/3/14
N2 - Software-Defined Network (SDN) is a novel architecture created to address the issues of traditional and vertically integrated networks. To increase cost-effectiveness and enable logical control, SDN provides high programmability and centralized view of the network through separation of network traffic delivery (the "data plane") from network configuration (the "control plane"). SDN controllers and related protocols are rapidly evolving to address the demands for scaling in complex enterprise networks. Because of the evolution of modern SDN technologies, production networks employing SDN are prone to several security vulnerabilities. The rate at which SDN frameworks are evolving continues to overtake attempts to address their security issues. According to our study, existing defense mechanisms, particularly SDN-based firewalls, face new and SDN-specific challenges in successfully enforcing security policies in the underlying network. In this paper, we identify problems associated with SDN-based firewalls, such as ambiguous flow path calculations and poor scalability in large networks. We survey existing SDN-based firewall designs and their shortcomings in protecting a dynamically scaling network like a data center. We extend our study by evaluating one such SDN-specific security solution called FlowGuard, and identifying new attack vectors and vulnerabilities. We also present corresponding threat detection techniques and respective mitigation strategies.
AB - Software-Defined Network (SDN) is a novel architecture created to address the issues of traditional and vertically integrated networks. To increase cost-effectiveness and enable logical control, SDN provides high programmability and centralized view of the network through separation of network traffic delivery (the "data plane") from network configuration (the "control plane"). SDN controllers and related protocols are rapidly evolving to address the demands for scaling in complex enterprise networks. Because of the evolution of modern SDN technologies, production networks employing SDN are prone to several security vulnerabilities. The rate at which SDN frameworks are evolving continues to overtake attempts to address their security issues. According to our study, existing defense mechanisms, particularly SDN-based firewalls, face new and SDN-specific challenges in successfully enforcing security policies in the underlying network. In this paper, we identify problems associated with SDN-based firewalls, such as ambiguous flow path calculations and poor scalability in large networks. We survey existing SDN-based firewall designs and their shortcomings in protecting a dynamically scaling network like a data center. We extend our study by evaluating one such SDN-specific security solution called FlowGuard, and identifying new attack vectors and vulnerabilities. We also present corresponding threat detection techniques and respective mitigation strategies.
UR - http://www.scopus.com/inward/record.url?scp=85050403848&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85050403848&partnerID=8YFLogxK
U2 - 10.1145/3180465.3180468
DO - 10.1145/3180465.3180468
M3 - Conference contribution
AN - SCOPUS:85050403848
T3 - SDN-NFVSec 2018 - Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks and Network Function Virtualization, Co-located with CODASPY 2018
SP - 33
EP - 38
BT - SDN-NFVSec 2018 - Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks and Network Function Virtualization, Co-located with CODASPY 2018
PB - Association for Computing Machinery, Inc
T2 - 2018 ACM International Workshop on Security in Software Defined Networks and Network Function Virtualization, SDN-NFVSec 2018
Y2 - 21 March 2018
ER -