A policy-based security architecture for software defined networks

Varadharajan, Vijay; Karmakar, Kallol; Tupakula, Uday; Hitchens, Michael

Title: A policy-based security architecture for software defined networks
Creator: Varadharajan, Vijay; Karmakar, Kallol; Tupakula, Uday; Hitchens, Michael
Relation: IEEE Transactions on Information Forensics and Security Vol. 14, Issue 4, p. 897-912
Publisher Link: http://dx.doi.org/10.1109/TIFS.2018.2868220
Publisher: Institute of Electrical and Electronics Engineers (IEEE)
Resource Type: journal article
Date: 2019
Description: As networks expand in size and complexity, they pose greater administrative and management challenges. Software Defined Networks (SDN) offer a promising approach to meeting some of these challenges. In this paper, we propose a policy driven security architecture for securing end to end services across multiple SDN domains. We develop a language based approach to design security policies that are relevant for securing SDN services and communications. We describe the policy language and its use in specifying security policies to control the flow of information in a multi-domain SDN. We demonstrate the specification of fine grained security policies based on a variety of attributes such as parameters associated with users and devices/switches, context information such as location and routing information, and services accessed in SDN as well as security attributes associated with the switches and Controllers in different domains. An important feature of our architecture is its ability to specify path and flow based security policies, which are significant for securing end to end services in SDNs. We describe the design and the implementation of our proposed policy based security architecture and demonstrate its use in scenarios involving both intra and inter-domain communications with multiple SDN Controllers. We analyse the performance characteristics of our architecture as well as discuss how our architecture is able to counteract various security attacks. The dynamic security policy based approach and the distribution of corresponding security capabilities intelligently as a service layer that enable flow based security enforcement and protection of multitude of network devices against attacks are important contributions of this paper.
Subject: security; protocols; computer architecture; software; control systems; Australia; complexity theory
Identifier: http://hdl.handle.net/1959.13/1414572
Identifier: uon:36774
Identifier: ISSN:1556-6013
Rights: © 2019 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Language: eng
Full Text
Reviewed

Hits: 1635
Visitors: 1699
Downloads: 136

		Thumbnail	File	Description	Size	Format
View Details Download			ATTACHMENT02	Author final version	1000 KB	Adobe Acrobat PDF	View Details Download