SENAD: Securing Network Application Deployment in Software Defined Networks

Title: SENAD: Securing Network Application Deployment in Software Defined Networks
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Tseng, Yuchia; Nait-Abdesselam, Farid; Khokhar, Ashfaq
Conference Name: 2018 IEEE International Conference on Communications (ICC)
Keywords: Access Control, APC, app-to-control threats, application plane controller, authorisation, Authorization, command injection attacks, composability, Computer architecture, Computer crashes, computer network management, computer network security, data plane controller, DPC, dubbed SENAD, malicious command injection, Metrics, network application deployment, network management, network programmability, OpenFlow entries, process control, pubcrawl, Resiliency, resource exhaustion attack, resource isolation, Runtime, SDN architecture, SDN controller, Software, software defined networking, Software Defined Networks, telecommunication control, telecommunication network management
Abstract: The Software Defined Networks (SDN) paradigm, often referred to as a radical new idea in networking, promises to dramatically simplify network management by enabling innovation through network programmability. However, notable security issues, such as app-to-control threats, remain a significant concern that impedes SDN from being widely adopted. To cope with these app-to-control threats, this paper proposes a solution to securely deploy valid network applications while protecting the SDN controller against the injection of malicious applications. The problem is mitigated by proposing a novel SDN architecture, dubbed SENAD, which splits the well-known SDN controller into (1) a data plane controller (DPC) and (2) an application plane controller (APC), so that the latter is secured by design. The role of the DPC is dedicated to interpreting the network rules into OpenFlow entries and maintaining the communication with the data plane. The role of the APC, however, is to provide a secured runtime for deploying the network applications, including authentication, access control, resource isolation, control, and monitoring of applications. We show that this approach can easily shield against any denial of service, caused for instance by a resource exhaustion attack or malicious command injection, that results from the co-existence of a malicious application in the controller's runtime. The evaluation of our architecture shows that packet_in messages take less than 5 ms to be delivered from the data plane to the application plane over the long run.
DOI: 10.1109/ICC.2018.8422405
Citation Key: tseng_senad:_2018