A policy based security architecture for software-defined networks

Research output: Contribution to journal, Article, Research, peer-review

Abstract

As networks expand in size and complexity, they pose greater administrative and management challenges. Software-defined networks (SDNs) offer a promising approach to meeting some of these challenges. In this paper, we propose a policy-driven security architecture for securing end-to-end services across multiple SDN domains. We develop a language-based approach to design security policies that are relevant for securing SDN services and communications. We describe the policy language and its use in specifying security policies to control the flow of information in a multi-domain SDN. We demonstrate the specification of fine-grained security policies based on a variety of attributes, such as parameters associated with users and devices/switches, context information, such as location and routing information, and services accessed in SDN as well as security attributes associated with the switches and controllers in different domains. An important feature of our architecture is its ability to specify path- and flow-based security policies that are significant for securing end-to-end services in SDNs. We describe the design and the implementation of our proposed policy-based security architecture and demonstrate its use in scenarios involving both intra- and inter-domain communications with multiple SDN controllers. We analyze the performance characteristics of our architecture as well as discuss how our architecture is able to counteract various security attacks. The dynamic security policy-based approach and the distribution of corresponding security capabilities intelligently as a service layer that enables flow-based security enforcement and protection of a multitude of network devices against attacks are important contributions of this paper.

Language: English
Article number: 8453023
Pages: 897-912
Number of pages: 16
Journal: IEEE Transactions on Information Forensics and Security
Volume: 14
Issue number: 4
DOI: 10.1109/TIFS.2018.2868220
Publication status: Published - Apr 2019


Cite this

@article{a602d78507bb47eaa3eaee82c056d0a9,
title = "A policy based security architecture for software-defined networks",
abstract = "As networks expand in size and complexity, they pose greater administrative and management challenges. Software-defined networks (SDNs) offer a promising approach to meeting some of these challenges. In this paper, we propose a policy-driven security architecture for securing end-to-end services across multiple SDN domains. We develop a language-based approach to design security policies that are relevant for securing SDN services and communications. We describe the policy language and its use in specifying security policies to control the flow of information in a multi-domain SDN. We demonstrate the specification of fine-grained security policies based on a variety of attributes, such as parameters associated with users and devices/switches, context information, such as location and routing information, and services accessed in SDN as well as security attributes associated with the switches and controllers in different domains. An important feature of our architecture is its ability to specify path- and flow-based security policies that are significant for securing end-to-end services in SDNs. We describe the design and the implementation of our proposed policy-based security architecture and demonstrate its use in scenarios involving both intra- and inter-domain communications with multiple SDN controllers. We analyze the performance characteristics of our architecture as well as discuss how our architecture is able to counteract various security attacks. The dynamic security policy-based approach and the distribution of corresponding security capabilities intelligently as a service layer that enables flow-based security enforcement and protection of multitude of network devices against attacks are important contributions of this paper.",
keywords = "Australia, Complexity theory, Computer architecture, Control systems, Inter-domain Security, Protocols, Security, Security Architecture, Security Policies, Software, Software Defined Networking (SDN) Security, inter-domain security, security architecture, security policies, Software defined networking (SDN) security",
author = "Vijay Varadharajan and Kallol Karmakar and Uday Tupakula and Michael Hitchens",
year = "2019",
month = "4",
doi = "10.1109/TIFS.2018.2868220",
language = "English",
volume = "14",
pages = "897--912",
journal = "IEEE Transactions on Information Forensics and Security",
issn = "1556-6013",
publisher = "Institute of Electrical and Electronics Engineers (IEEE)",
number = "4"
}

A policy based security architecture for software-defined networks. / Varadharajan, Vijay; Karmakar, Kallol; Tupakula, Uday; Hitchens, Michael.

In: IEEE Transactions on Information Forensics and Security, Vol. 14, No. 4, 8453023, 04.2019, p. 897-912.


TY - JOUR

T1 - A policy based security architecture for software-defined networks

AU - Varadharajan,Vijay

AU - Karmakar,Kallol

AU - Tupakula,Uday

AU - Hitchens,Michael

PY - 2019/4

Y1 - 2019/4

N2 - As networks expand in size and complexity, they pose greater administrative and management challenges. Software-defined networks (SDNs) offer a promising approach to meeting some of these challenges. In this paper, we propose a policy-driven security architecture for securing end-to-end services across multiple SDN domains. We develop a language-based approach to design security policies that are relevant for securing SDN services and communications. We describe the policy language and its use in specifying security policies to control the flow of information in a multi-domain SDN. We demonstrate the specification of fine-grained security policies based on a variety of attributes, such as parameters associated with users and devices/switches, context information, such as location and routing information, and services accessed in SDN as well as security attributes associated with the switches and controllers in different domains. An important feature of our architecture is its ability to specify path- and flow-based security policies that are significant for securing end-to-end services in SDNs. We describe the design and the implementation of our proposed policy-based security architecture and demonstrate its use in scenarios involving both intra- and inter-domain communications with multiple SDN controllers. We analyze the performance characteristics of our architecture as well as discuss how our architecture is able to counteract various security attacks. The dynamic security policy-based approach and the distribution of corresponding security capabilities intelligently as a service layer that enables flow-based security enforcement and protection of multitude of network devices against attacks are important contributions of this paper.

AB - As networks expand in size and complexity, they pose greater administrative and management challenges. Software-defined networks (SDNs) offer a promising approach to meeting some of these challenges. In this paper, we propose a policy-driven security architecture for securing end-to-end services across multiple SDN domains. We develop a language-based approach to design security policies that are relevant for securing SDN services and communications. We describe the policy language and its use in specifying security policies to control the flow of information in a multi-domain SDN. We demonstrate the specification of fine-grained security policies based on a variety of attributes, such as parameters associated with users and devices/switches, context information, such as location and routing information, and services accessed in SDN as well as security attributes associated with the switches and controllers in different domains. An important feature of our architecture is its ability to specify path- and flow-based security policies that are significant for securing end-to-end services in SDNs. We describe the design and the implementation of our proposed policy-based security architecture and demonstrate its use in scenarios involving both intra- and inter-domain communications with multiple SDN controllers. We analyze the performance characteristics of our architecture as well as discuss how our architecture is able to counteract various security attacks. The dynamic security policy-based approach and the distribution of corresponding security capabilities intelligently as a service layer that enables flow-based security enforcement and protection of multitude of network devices against attacks are important contributions of this paper.

KW - Australia

KW - Complexity theory

KW - Computer architecture

KW - Control systems

KW - Inter-domain Security

KW - Protocols

KW - Security

KW - Security Architecture

KW - Security Policies

KW - Software

KW - Software Defined Networking (SDN) Security

KW - inter-domain security

KW - security architecture

KW - security policies

KW - Software defined networking (SDN) security

UR - http://www.scopus.com/inward/record.url?scp=85052821692&partnerID=8YFLogxK

U2 - 10.1109/TIFS.2018.2868220

DO - 10.1109/TIFS.2018.2868220

M3 - Article

VL - 14

SP - 897

EP - 912

JO - IEEE Transactions on Information Forensics and Security

T2 - IEEE Transactions on Information Forensics and Security

JF - IEEE Transactions on Information Forensics and Security

SN - 1556-6013

IS - 4

M1 - 8453023

ER -