Abstract

Software-Defined Networking (SDN) provides a programmable framework for managing and orchestrating multi-tenant cloud networks. End-to-end packet processing through virtual network functions (VNFs) such as a stateless firewall, a load balancer, or an intrusion detection and prevention system (IDPS) means that traffic is matched, in turn, against the security rules of each VNF. Rules that conflict, either in the traffic they match or in the actions they take, can (a) violate security requirements, for example by enabling an authentication or authorization bypass, and (b) violate mission requirements, since redundant rules add latency and reduce throughput. We present OOPC, a new object-oriented policy conflict detection and resolution framework that analyzes the dependency relationships between the rules of heterogeneous VNFs and builds a VNF-Graph from them. Rules are compared through object-oriented dependencies between their address spaces and their actions. Because the VNF-Graph is compact, OOPC has to search fewer nodes when it analyzes a new security policy. OOPC composes policy graphs with 37 percent lower latency than previous work, and on a cloud network with 60k OpenFlow rules it detects security policy conflicts 20 percent faster than prior frameworks that serve a similar purpose.
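The rule-dependency analysis the abstract describes can be illustrated with a small pairwise checker over firewall-style rules. The following Python is an added example written for this page; it is not OOPC's code and does not reproduce the paper's object-oriented dependency model. It assumes a fixed VNF chain order (`CHAIN`), a five-tuple-like match of source prefix, destination prefix and destination-port range, two actions, and the usual firewall-anomaly classes (shadowing, redundancy, generalization, correlation) derived from whether one rule's match space equals, contains, is contained in, or partially overlaps another's. The sample rule set is constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from itertools import combinations

# Assumed processing order of the VNF chain (hypothetical, not from the paper).
CHAIN = ["fw", "ids", "lb"]


@dataclass(frozen=True)
class Rule:
    vnf: str                 # owning VNF, one of CHAIN
    rid: int                 # rule number inside that VNF (lower = evaluated first)
    src: IPv4Network         # source address space
    dst: IPv4Network         # destination address space
    dport: tuple             # inclusive destination-port range, (0, 65535) = any
    action: str              # "allow" or "deny"

    def order(self):
        # Global evaluation position: chain position first, then rule number.
        return (CHAIN.index(self.vnf), self.rid)


def rule(vnf, rid, src, dst, dport, action):
    return Rule(vnf, rid, ip_network(src), ip_network(dst), dport, action)


def range_relation(a, b):
    """Relation of inclusive integer range a to range b."""
    if a[1] < b[0] or b[1] < a[0]:
        return "disjoint"
    if a == b:
        return "equal"
    if a[0] <= b[0] and b[1] <= a[1]:
        return "superset"    # a contains b
    if b[0] <= a[0] and a[1] <= b[1]:
        return "subset"      # a lies inside b
    return "overlap"


def net_relation(a, b):
    """Relation of CIDR block a to b. Two CIDR blocks are either nested or disjoint."""
    if a == b:
        return "equal"
    if b.subnet_of(a):
        return "superset"
    if a.subnet_of(b):
        return "subset"
    return "disjoint"


def match_relation(a, b):
    """Relation of a's whole match space (src x dst x dport) to b's."""
    rels = {net_relation(a.src, b.src),
            net_relation(a.dst, b.dst),
            range_relation(a.dport, b.dport)}
    if "disjoint" in rels:
        return "disjoint"            # no packet can hit both rules
    if rels == {"equal"}:
        return "equal"
    if rels <= {"equal", "superset"}:
        return "superset"            # a covers everything b matches
    if rels <= {"equal", "subset"}:
        return "subset"              # b covers everything a matches
    return "overlap"                 # some fields wider, some narrower


def classify(earlier, later):
    """Anomaly class for a dependent pair; `earlier` is hit first by traffic."""
    rel = match_relation(earlier, later)
    if rel == "disjoint":
        return None
    same = earlier.action == later.action
    if rel in ("equal", "superset"):        # later can never match
        return "redundant" if same else "shadowed"
    if rel == "subset":                     # later generalizes earlier
        return "redundant" if same else "generalization"
    return None if same else "correlation"  # partial overlap, opposite actions


def build_vnf_graph(rules):
    """Edge (earlier, later) -> (match relation, anomaly) for every non-disjoint pair."""
    graph = {}
    for a, b in combinations(sorted(rules, key=Rule.order), 2):
        rel = match_relation(a, b)
        if rel != "disjoint":
            graph[(f"{a.vnf}:{a.rid}", f"{b.vnf}:{b.rid}")] = (rel, classify(a, b))
    return graph


def conflicts(rules):
    """Only the edges that represent a shadowing/redundancy/correlation problem."""
    return {edge: kind for edge, (_, kind) in build_vnf_graph(rules).items() if kind}


# Constructed sample: three firewall rules, one IDS drop rule, one load-balancer rule.
SAMPLE = [
    rule("fw", 1, "10.0.0.0/8", "192.168.1.0/24", (80, 80), "allow"),
    rule("fw", 2, "10.1.0.0/16", "192.168.1.0/24", (80, 80), "deny"),     # shadowed by fw:1
    rule("fw", 3, "10.2.0.0/16", "192.168.1.0/24", (80, 80), "allow"),    # redundant with fw:1
    rule("ids", 1, "10.0.0.0/16", "192.168.0.0/16", (0, 65535), "deny"),  # correlated with fw:1
    rule("lb", 1, "10.0.0.0/16", "192.168.1.0/24", (443, 443), "allow"),  # shadowed by ids:1
]

if __name__ == "__main__":
    for edge, (rel, kind) in build_vnf_graph(SAMPLE).items():
        print(edge, rel, kind)
```

The cross-VNF case is the one worth noticing: the load balancer's allow rule is well formed on its own, but the IDS rule that precedes it in the chain drops the same 10.0.0.0/16 sources to a wider destination space, so the load balancer never sees that traffic. A per-VNF check would not find it; only a graph that spans the chain does.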
