- Award ID(s):
- 1925550
- PAR ID:
- 10298956
- Date Published:
- Journal Name:
- GLOBECOM 2020 - 2020 IEEE Global Communications Conference
- Page Range / eLocation ID:
- 1 to 6
- Format(s):
- Medium: X
- Sponsoring Org:
- National Science Foundation
More Like this
-
null (Ed.)Software-defined networking (SDN) has emerged as a flexible network architecture for central and programmatic control. Although SDN can improve network security oversight and policy enforcement, ensuring the security of SDN from sophisticated attacks is an ongoing challenge for practitioners. Existing network forensics tools attempt to identify and track such attacks, but holistic causal reasoning across control and data planes remains challenging. We present PicoSDN, a provenance-informed causal observer for SDN attack analysis. PicoSDN leverages fine-grained data and execution partitioning techniques, as well as a unified control and data plane model, to allow practitioners to efficiently determine root causes of attacks and to make informed decisions on mitigating them. We implement PicoSDN on the popular ONOS SDN controller. Our evaluation across several attack case studies shows that PicoSDN is practical for the identification, analysis, and mitigation of SDN attacks.more » « less
-
Summary Design flaws and vulnerabilities inherent to network protocols, devices, and services make Distributed Denial of Service (DDoS) a persisting threat in the cyberspace, despite decades of research efforts in the area. The historical vertical integration of traditional IP networks limited the solution space, forcing researchers to tweak network protocols while maintaining global compatibility and proper service to legitimate flows. The advent of Software‐Defined Networking (SDN) and advances in Programmable Data Planes (PDP) changed the state of affairs and brought novel possibilities to deal with such attacks. In summary, the ability of bringing together network intelligence to a control plane, and offloading flow processing tasks to the forwarding plane, opened up interesting opportunities for network security researchers unlike ever. In this article, we dive into recent research that relies on SDN and PDP to detect, mitigate, and prevent DDoS attacks. Our literature review takes into account the SDN layered view as defined in RFC7426 and focuses on the data, control, and application planes. We follow a systematic methodology to capture related articles and organize them into a taxonomy of DDoS defense mechanisms focusing on three facets:
activity level ,deployment location , andcooperation degree . From the analysis of existing work, we also highlight key research gaps that may foster future research in the field. -
The software-defined networking (SDN) paradigm offers significant flexibility for network operators. However, the SDN community has focused on switch-based implementations, which pose several challenges. First, some may require significant hardware costs to upgrade a network. Further, fine-grained flow control in a switch-based SDN results in well-known, fundamental scalability limitations. These challenges may limit the reach of SDN technologies. In this work, we explore the extent to which host-based SDN agents can achieve feature parity with switch-based SDNs. Prior work has shown the potential of host-based SDNs for security and access control. Our study finds that with appropriate preparation, a host-based agent offers the same capabilities of switch-based SDNs in the remaining key area of traffic engineering, even in a legacy managed-switch network. We find the approach offers comparable performance to switch-based SDNs while eliminating the flow table scalability and cost concerns of switch-based SDN deployments.more » « less
-
The emergency of machine type and ultra-reliable low latency communication is imposing stringent constraints for service provisioning. Addressing such constraints is challenging for network and cloud service providers. As a trending paradigm, software-defined networking (SDN) plays a significant role in future networks and services. However, the classical implementation of the SDN controller has limitations in-terms-of latency and reliability since the controller is decoupled from the forwarding device. Several research works have tried to tackle these challenges by proposing solutions such as Devoflow, DIFANE, and hierarchical and distributed controller deployment. Nonetheless, these approaches are not fully addressing these challenges. This paper tries to address the problem of latency and reliability by proposing a dynamic controller role delegation architecture for forwarding devices. To align with the microservice or multi-agent-based service-based architecture, the role delegation function as a service is proposed. The dynamic role delegation enables to predict and (pre-)installed flow rules in the forwarding devices based on various considerations such as network state, packet type, and service's stringent requirements. The proposed architecture is implemented and evaluated for latency and resiliency performance in comparison to the centralized and distributed deployment of the SDN controller. We used ComNetsEmu, a softwarized network emulation tool, to emulate SDN and NFV (Network Function Virtualization). The result indicated a significant decrease in latency and improved resilience in case of failure, yielding better network performance.more » « less
-
Traditional hardware-based firewall appliances are placed at fixed locations with fixed capacity. Such nature makes them difficult to protect today’s prevailing virtualized environments. Two emerging networking paradigms, Network Function Virtualization (NFV) and Software-Defined Networking (SDN), offer the potential to address these limitations. NFV envisions to implement firewall function as software instance (a.k.a virtual firewall). Virtual firewalls provide great flexibility and elasticity, which are necessary to protect virtualized environments. In this paper, we propose to build an innovative virtual firewall controller, VFW Controller, to enable safe, efficient and costeffective virtual firewall elasticity control. VFW Controller addresses four key challenges with respect to semantic consistency, correct flow update, buffer overflow avoidance, and optimal scaling in virtual firewall scaling. To demonstrate the feasibility of our approach, we implement the core components of VFW Controller on top of NFV and SDN environments. Our experimental results demonstrate that VFW Controller is efficient to provide safe elasticity control of virtual firewalls.more » « less