ANCHOR: logically centralized security for software-defined networks

Diego Kreutz, Jiangshan Yu, Fernando M.V. Ramos, Paulo Esteves-Verissimo

Research output: Contribution to journal, Article, Research, peer-review

Abstract

Software-defined networking (SDN) decouples the control and data planes of traditional networks, logically centralizing the functional properties of the network in the SDN controller. While this centralization brought advantages such as a faster pace of innovation, it also disrupted some of the natural defenses of traditional architectures against different threats. The literature on SDN has mostly been concerned with the functional side, despite some specific works concerning non-functional properties such as security or dependability. Though addressing the latter in an ad-hoc, piecemeal way may work, it will most likely lead to efficiency and effectiveness problems. We claim that the enforcement of non-functional properties as a pillar of SDN robustness calls for a systemic approach. We further advocate, for its materialization, the reiteration of the successful formula behind SDN: 'logical centralization'. As a general concept, we propose anchor, a subsystem architecture that promotes the logical centralization of non-functional properties. To show the effectiveness of the concept, we focus on security in this article: we identify the current security gaps in SDNs and we populate the architecture middleware with the appropriate security mechanisms in a global and consistent manner. Essential security mechanisms provided by anchor include reliable entropy and resilient pseudo-random generators, and protocols for secure registration and association of SDN devices. We claim and justify in the article that centralizing such mechanisms is key for their effectiveness by allowing us to define and enforce global policies for those properties; reduce the complexity of controllers and forwarding devices; ensure higher levels of robustness for critical services; foster interoperability of the non-functional property enforcement mechanisms; and promote the security and resilience of the architecture itself.

We discuss design and implementation aspects, and we prove and evaluate our algorithms and mechanisms, including the formalisation of the main protocols and the verification of their core security properties using the Tamarin prover.

Original language: English
Article number: 8
Number of pages: 36
Journal: ACM Transactions on Privacy and Security
Volume: 22
Issue number: 2
DOI: 10.1145/3301305
Publication status: Published - Feb 2019
Scopus record: http://www.scopus.com/inward/record.url?scp=85062371265&partnerID=8YFLogxK

Keywords

  • Advanced security properties
  • Attack prevention
  • Communications overhead
  • Control plane
  • IDVV
  • Mininet
  • Network device registration and association
  • Non-functional properties
  • Open vSwitch (OVS)
  • OpenFlow
  • Perfect forward secrecy
  • Post-compromise recovery
  • Post-compromise security
  • Post-quantum secure
  • PRG
  • Robust pseudo-random generator
  • Ryu
  • SDN
  • Security
  • Software-defined networking
  • Source of strong entropy

Cite this

Kreutz, Diego; Yu, Jiangshan; Ramos, Fernando M.V.; Esteves-Verissimo, Paulo. ANCHOR: logically centralized security for software-defined networks. In: ACM Transactions on Privacy and Security. 2019; Vol. 22, No. 2.
@article{a1e769b28cc54e0c8d4de43a4b8901d7,
title = "ANCHOR: logically centralized security for software-defined networks",
author = "Diego Kreutz and Jiangshan Yu and Ramos, {Fernando M.V.} and Paulo Esteves-Verissimo",
year = "2019",
month = "2",
doi = "10.1145/3301305",
language = "English",
volume = "22",
journal = "ACM Transactions on Privacy and Security",
issn = "2471-2566",
number = "2",
}
