Visible to the public Challenges and Preparedness of SDN-based Firewalls

TitleChallenges and Preparedness of SDN-based Firewalls
Publication TypeConference Paper
Year of Publication2018
AuthorsDixit, Vaibhav Hemant, Kyung, Sukwha, Zhao, Ziming, Doupé, Adam, Shoshitaishvili, Yan, Ahn, Gail-Joon
Conference NameProceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization
PublisherACM
Conference LocationNew York, NY, USA
ISBN Number978-1-4503-5635-0
KeywordsAccess Control, composability, conflict detection, Conflict Resolution, control plane, data center networks, data centers, data plane, firewalls, flow control, header space analysis, Human Behavior, Metrics, network manageability, Network security, OpenFlow, OpenFlow protocol, privacy, pubcrawl, Resiliency, sdn based firewall, Security and Privacy, software defined networking, surveys and overviews, virtualization privacy, Vulnerability Management
Abstract

Software-Defined Network (SDN) is a novel architecture created to address the issues of traditional and vertically integrated networks. To increase cost-effectiveness and enable logical control, SDN provides high programmability and centralized view of the network through separation of network traffic delivery (the "data plane") from network configuration (the "control plane"). SDN controllers and related protocols are rapidly evolving to address the demands for scaling in complex enterprise networks. Because of the evolution of modern SDN technologies, production networks employing SDN are prone to several security vulnerabilities. The rate at which SDN frameworks are evolving continues to overtake attempts to address their security issues. According to our study, existing defense mechanisms, particularly SDN-based firewalls, face new and SDN-specific challenges in successfully enforcing security policies in the underlying network. In this paper, we identify problems associated with SDN-based firewalls, such as ambiguous flow path calculations and poor scalability in large networks. We survey existing SDN-based firewall designs and their shortcomings in protecting a dynamically scaling network like a data center. We extend our study by evaluating one such SDN-specific security solution called FlowGuard, and identifying new attack vectors and vulnerabilities. We also present corresponding threat detection techniques and respective mitigation strategies.

URLhttp://doi.acm.org/10.1145/3180465.3180468
DOI10.1145/3180465.3180468
Citation Keydixit_challenges_2018