Intent-Driven Security Policy Management for Software-Defined Systems

Ankur Chowdhary, Abdulhakim Sabur, Neha Vadnere, Dijiang Huang

Research output: Contribution to journalArticlepeer-review

Abstract

Different network controllers are utilized in a multi-domain software-defined systems (SDx) to manage the networking resources. However, these controllers operate using a different high-level language (intent). Thus, the admin needs to perform cross-layer translation from the user requirements to the underlying network controller format, increasing human-in-the-loop overhead. There are two primary security and management challenges involved in managing multi-domain controllers. The first challenge is how to design an SDN controller language that can effectively convert human-specified networking policies at the control plane into the network flow rules level at the data plane. The second challenge is how to reduce the complexity of network flow rules conflict checking at the data plane. To address these challenges, we present a new intent-based security policy enforcement solution called INTPOL. First, INTPOL provides a unified intent rules that abstracts the network admin from the underlying network controller’s format. Second, INTPOL develops a networking service solution to use a bounded formal model for network service compliance checking that significantly reduces the complexity of flow rules conflicts checking at the data plane level. Finally, INTPOL is expendable from a single SDN domain to multiple SDN domains and hybrid networks by applying network service function chaining (SFC) for inter-domain policy management.

Original languageEnglish (US)
Pages (from-to)1
Number of pages1
JournalIEEE Transactions on Network and Service Management
DOIs
StateAccepted/In press - 2022
Externally publishedYes

Keywords

  • Bounded Model Checking (BMC)
  • Complexity theory
  • Electronics packaging
  • Model checking
  • Network Invariant Checking
  • Routing
  • Scalability
  • Security
  • Security Policy Management
  • Service Function Chaining
  • Service function chaining
  • Software-defined Networks (SDN)

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Electrical and Electronic Engineering

Fingerprint

Dive into the research topics of 'Intent-Driven Security Policy Management for Software-Defined Systems'. Together they form a unique fingerprint.

Cite this