Challenges and Preparedness of SDN-based Firewalls
| Field | Value |
|---|---|
| Title | Challenges and Preparedness of SDN-based Firewalls |
| Publication Type | Conference Paper |
| Year of Publication | 2018 |
| Authors | Dixit, Vaibhav Hemant; Kyung, Sukwha; Zhao, Ziming; Doupé, Adam; Shoshitaishvili, Yan; Ahn, Gail-Joon |
| Conference Name | Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization |
| Publisher | ACM |
| Conference Location | New York, NY, USA |
| ISBN Number | 978-1-4503-5635-0 |
| Keywords | Access Control, composability, conflict detection, Conflict Resolution, control plane, data center networks, data centers, data plane, firewalls, flow control, header space analysis, Human Behavior, Metrics, network manageability, Network security, OpenFlow, OpenFlow protocol, privacy, pubcrawl, Resiliency, sdn based firewall, Security and Privacy, software defined networking, surveys and overviews, virtualization privacy, Vulnerability Management |
| Abstract | Software-Defined Network (SDN) is a novel architecture created to address the issues of traditional and vertically integrated networks. To increase cost-effectiveness and enable logical control, SDN provides high programmability and a centralized view of the network through separation of network traffic delivery (the "data plane") from network configuration (the "control plane"). SDN controllers and related protocols are rapidly evolving to address the demands for scaling in complex enterprise networks. Because of the evolution of modern SDN technologies, production networks employing SDN are prone to several security vulnerabilities. The rate at which SDN frameworks are evolving continues to overtake attempts to address their security issues. According to our study, existing defense mechanisms, particularly SDN-based firewalls, face new and SDN-specific challenges in successfully enforcing security policies in the underlying network. In this paper, we identify problems associated with SDN-based firewalls, such as ambiguous flow path calculations and poor scalability in large networks. We survey existing SDN-based firewall designs and their shortcomings in protecting a dynamically scaling network like a data center. We extend our study by evaluating one such SDN-specific security solution called FlowGuard, and identifying new attack vectors and vulnerabilities. We also present corresponding threat detection techniques and respective mitigation strategies. |
| URL | http://doi.acm.org/10.1145/3180465.3180468 |
| DOI | 10.1145/3180465.3180468 |
| Citation Key | dixit_challenges_2018 |