1,239 research outputs found
Routing-Verification-as-a-Service (RVaaS): Trustworthy Routing Despite Insecure Providers
Computer networks today typically do not provide any mechanisms to the users
to learn, in a reliable manner, which paths have (and have not) been taken by
their packets. Rather, it seems inevitable that as soon as a packet leaves the
network card, the user is forced to trust the network provider to forward the
packets as expected or agreed upon. This can be undesirable, especially in the
light of today's trend toward more programmable networks: after a successful
cyber attack on the network management system or Software-Defined Network (SDN)
control plane, an adversary in principle has complete control over the network.
This paper presents a low-cost and efficient solution to detect misbehaviors
and ensure trustworthy routing over untrusted or insecure providers, in
particular providers whose management system or control plane has been
compromised (e.g., using a cyber attack). We propose
Routing-Verification-as-a-Service (RVaaS): RVaaS offers clients a flexible
interface to query information relevant to their traffic, while respecting the
autonomy of the network provider. RVaaS leverages key features of
OpenFlow-based SDNs to combine (passive and active) configuration monitoring,
logical data plane verification and actual in-band tests, in a novel manner
A Security Authentication Protocol for Trusted Domains in an Autonomous Decentralized System
abstract: Software Defined Network (SDN) architecture has been widely used in various application domains. Aiming at the authentication and security issues of SDN architecture in autonomous decentralized system (ADS) applications, securing the mutual trust among the autonomous controllers, we combine trusted technology and SDN architecture, and we introduce an authentication protocol based on SDN architecture without any trusted third party between trusted domains in autonomous systems. By applying BAN predicate logic and AVISPA security analysis tool of network interaction protocol, we can guarantee protocol security and provide complete safety tests. Our work fills the gap of mutual trust between different trusted domains and provides security foundation for interaction between different trusted domains.View the article as published at http://journals.sagepub.com/doi/10.1155/2016/532794
ANCHOR: logically-centralized security for Software-Defined Networks
While the centralization of SDN brought advantages such as a faster pace of
innovation, it also disrupted some of the natural defenses of traditional
architectures against different threats. The literature on SDN has mostly been
concerned with the functional side, despite some specific works concerning
non-functional properties like 'security' or 'dependability'. Though addressing
the latter in an ad-hoc, piecemeal way, may work, it will most likely lead to
efficiency and effectiveness problems. We claim that the enforcement of
non-functional properties as a pillar of SDN robustness calls for a systemic
approach. As a general concept, we propose ANCHOR, a subsystem architecture
that promotes the logical centralization of non-functional properties. To show
the effectiveness of the concept, we focus on 'security' in this paper: we
identify the current security gaps in SDNs and we populate the architecture
middleware with the appropriate security mechanisms, in a global and consistent
manner. Essential security mechanisms provided by anchor include reliable
entropy and resilient pseudo-random generators, and protocols for secure
registration and association of SDN devices. We claim and justify in the paper
that centralizing such mechanisms is key for their effectiveness, by allowing
us to: define and enforce global policies for those properties; reduce the
complexity of controllers and forwarding devices; ensure higher levels of
robustness for critical services; foster interoperability of the non-functional
property enforcement mechanisms; and promote the security and resilience of the
architecture itself. We discuss design and implementation aspects, and we prove
and evaluate our algorithms and mechanisms, including the formalisation of the
main protocols and the verification of their core security properties using the
Tamarin prover.Comment: 42 pages, 4 figures, 3 tables, 5 algorithms, 139 reference
Automatic Intent-Based Secure Service Creation Through a Multilayer SDN Network Orchestration
Growing traffic demands and increasing security awareness are driving the
need for secure services. Current solutions require manual configuration and
deployment based on the customer's requirements. In this work, we present an
architecture for an automatic intent-based provisioning of a secure service in
a multilayer - IP, Ethernet, and optical - network while choosing the
appropriate encryption layer using an open-source software-defined networking
(SDN) orchestrator. The approach is experimentally evaluated in a testbed with
commercial equipment. Results indicate that the processing impact of secure
channel creation on a controller is negligible. As the time for setting up
services over WDM varies between technologies, it needs to be taken into
account in the decision-making process.Comment: Parts of the presented work has received funding from the European
Commission within the H2020 Research and Innovation Programme, under grant
agreeement n.645127, project ACIN
- …