Abstract
For a Software Defined Network (SDN), security is an important factor affecting its large-scale deployment. The existing security solutions for SDN mainly focus on the controller itself, which has to handle all the security protection tasks by using the programmability of the network. This will undoubtedly involve a heavy burden for the controller. More devastatingly, once the controller itself is attacked, the entire network will be paralyzed. Motivated by this, this paper proposes a novel security protection architecture for SDN. We design a security service orchestration center in the control plane of SDN, and this center physically decouples from the SDN controller and constructs SDN security services. We adopt virtualization technology to construct a security meta-function library, and propose a dynamic security service composition construction algorithm based on web service composition technology. The rule-combining method is used to combine security meta-functions to construct security services which meet the requirements of users. Moreover, the RETE algorithm is introduced to improve the efficiency of the rule-combining method. We evaluate our solutions in a realistic scenario based on OpenStack. Substantial experimental results demonstrate the effectiveness of our solutions that contribute to achieve the effective security protection with a small burden of the SDN controller.
Highlights
IntroductionWith the rapid development of Internet and network virtualization technology becoming widely used, the traditional network architecture is unable to handle massive network traffic data
With the rapid development of Internet and network virtualization technology becoming widely used, the traditional network architecture is unable to handle massive network traffic data.Traditional network security protection systems lack unified design and deployment, which leads to the exposure of more and more defects, such as security threats on cyberspace, wide variety of network security, and the lack of unified management interface [1].At the same time, the development of network virtualization technology urgently calls for the innovation of network architecture.Software-defined networking (SDN) is an architecture purporting to be dynamic, manageable, cost-effective, and adaptable, seeking to be suitable for the high-bandwidth, dynamic nature of today’s applications [2]
SDN security has drawn intensified concerns from researchers. Their studies have mainly focused on two aspects: (i) improving the traditional network security using SDN [4]; and (ii) improving SDN security itself [5,6]
Summary
With the rapid development of Internet and network virtualization technology becoming widely used, the traditional network architecture is unable to handle massive network traffic data. The former focuses on how SDN brings new solutions to the traditional network security The latter pays more attention to security itself in SDN architecture, which is the concern of this paper. Traditional network security threats such as malicious data flow attack, table manipulation, application software vulnerabilities, confidentiality and availability threats of data management still occur in the context of SDN. This dependence on the controller will aggravate its burden [7]. We propose a novel security protection architecture for SDN and design a security service orchestration center in the control plane of SDN.
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have