TY - GEN
T1 - Security policy checking in distributed SDN based clouds
AU - Pisharody, Sandeep
AU - Chowdhary, Ankur
AU - Huang, Dijiang
N1 - Publisher Copyright:
© 2016 IEEE.
Copyright:
Copyright 2017 Elsevier B.V., All rights reserved.
PY - 2017/2/21
Y1 - 2017/2/21
N2 - Separation of network control from devices in Software Defined Network (SDN) allows for centralized implementation and management of security policies in a cloud computing environment. The ease of programmability also makes SDN a great platform for the implementation of various initiatives that involve application deployment, dynamic topology changes, and decentralized network management in a multi-tenant data center environment. Dynamic change of network topology, or host reconfiguration in such networks, might require corresponding changes to the flow rules in the SDN-based cloud environment. Verifying adherence of these new flow policies in the environment to the organizational security policies and ensuring a conflict-free environment is especially challenging. In this paper, we extend the work on rule conflicts from a traditional environment to an SDN environment, introducing a new classification to describe conflicts stemming from cross-layer conflicts. Our framework ensures that in any SDN-based cloud, flow rules do not have conflicts at any layer, thereby ensuring that changes to the environment do not lead to unintended consequences. We demonstrate the correctness, feasibility and scalability of our framework through a proof-of-concept prototype.
AB - Separation of network control from devices in Software Defined Network (SDN) allows for centralized implementation and management of security policies in a cloud computing environment. The ease of programmability also makes SDN a great platform for the implementation of various initiatives that involve application deployment, dynamic topology changes, and decentralized network management in a multi-tenant data center environment. Dynamic change of network topology, or host reconfiguration in such networks, might require corresponding changes to the flow rules in the SDN-based cloud environment. Verifying adherence of these new flow policies in the environment to the organizational security policies and ensuring a conflict-free environment is especially challenging. In this paper, we extend the work on rule conflicts from a traditional environment to an SDN environment, introducing a new classification to describe conflicts stemming from cross-layer conflicts. Our framework ensures that in any SDN-based cloud, flow rules do not have conflicts at any layer, thereby ensuring that changes to the environment do not lead to unintended consequences. We demonstrate the correctness, feasibility and scalability of our framework through a proof-of-concept prototype.
UR - http://www.scopus.com/inward/record.url?scp=84998544057&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84998544057&partnerID=8YFLogxK
U2 - 10.1109/CNS.2016.7860466
DO - 10.1109/CNS.2016.7860466
M3 - Conference contribution
AN - SCOPUS:84998544057
T3 - 2016 IEEE Conference on Communications and Network Security, CNS 2016
SP - 19
EP - 27
BT - 2016 IEEE Conference on Communications and Network Security, CNS 2016
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2016 IEEE Conference on Communications and Network Security, CNS 2016
Y2 - 17 October 2016 through 19 October 2016
ER -