A High-level Authorization Framework for Software-Defined Networks

  • Daniel Rosendo UPE
  • Judith Kelner UFPE
  • Patrícia Endo UPE

Abstract

Enterprise network managers need to control access to their network resources and protect them from malicious users. Current Network Access Control (NAC) solutions rely on mechanisms such as firewalls, VLANs, ACLs, and LDAP that are inflexible, require per-device and vendor-specific configuration, and are error-prone. Moreover, misconfigurations may introduce vulnerabilities that compromise the overall security of the network. Managing security policies involves dealing with many access control rules, conflicting policies, rule priorities, delegation of rights, the dynamics of the network, and so on. This work presents HACFlow, a novel, autonomic, and policy-based framework for access control management in OpenFlow networks. HACFlow simplifies and automates network management by allowing network operators to govern the rights of network entities through dynamic, fine-grained, and high-level access control policies. We analyzed the performance of HACFlow and compared it against related approaches.

Published: 2018-05-06

ROSENDO, Daniel; KELNER, Judith; ENDO, Patrícia. A High-level Authorization Framework for Software-Defined Networks. In: DISSERTATION DIGEST - BRAZILIAN SYMPOSIUM ON COMPUTER NETWORKS AND DISTRIBUTED SYSTEMS (SBRC), 1., 2018, Campos do Jordão. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2018. ISSN 2177-9384. DOI: https://doi.org/10.5753/sbrc_estendido.2018.14177.