Securing the Software-Defined Network Control Layer
by Dr. Steven Cheung, Martin Fong, Phillip Porras, Keith Skinner and Dr. Vinod Yegneswaran.

Proceedings of the 2015 Network and Distributed System Security Symposium (NDSS).
San Diego, California.
February 8-11, 2015.

Software-defined networks (SDNs) pose both an opportunity and a challenge to the network security community. The opportunity lies in the ability of SDN applications to express intelligent and agile threat mitigation logic against hostile flows, without the need for specialized inline hardware. However, the SDN community lacks a secure control layer to manage the interactions between the application layer and the switch infrastructure (the data plane). No available SDN controller provides the key security features, trust models, and policy mediation logic necessary to deploy multiple SDN applications into a highly sensitive computing environment. We propose the design of security extensions at the control layer that provide security management and arbitration of the conflicting flow rules that arise when multiple applications are deployed within the same network. We present a prototype of our design as a security-enhanced version of the widely used OpenFlow Floodlight controller, which we call SE-Floodlight. SE-Floodlight extends Floodlight with a security-enforcement kernel (SEK) layer whose functions are also directly applicable to other OpenFlow controllers. The SEK adds a unique set of secure application management features, including an authentication service, role-based authorization, a permission model for mediating all configuration change requests to the data plane, inline flow-rule conflict resolution, and a security audit service. We demonstrate the robustness and scalability of our implementation through both a comprehensive functionality assessment and a performance evaluation that illustrates its sub-linear scaling properties.
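The abstract lists the SEK's functions (authentication, role-based authorization, a permission model over data-plane changes, inline conflict resolution, auditing) without showing how they compose on a single flow-rule request. The following toy mediator is an added illustration written for this page; it is not SE-Floodlight's code and does not reproduce its algorithms. The role names and their arbitration order (ADMIN over SECURITY over APP), the three-field rule model, the shared-secret credentials, and the application names in the scenario are all assumptions made for the example.

```python
"""Toy controller-side security-enforcement layer in the spirit of the SEK
described in the abstract.  Added example; not SE-Floodlight code.  Role
names, rank order and the rule model are assumptions made for illustration."""
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Assumed arbitration order: a higher-ranked role wins a flow-rule conflict.
ROLE_RANK = {"ADMIN": 3, "SECURITY": 2, "APP": 1}


@dataclass(frozen=True)
class FlowRule:
    owner: str                    # application that requested the rule
    action: str                   # "forward" or "drop"
    nw_src: Optional[str] = None  # IPv4 CIDR, None = wildcard
    nw_dst: Optional[str] = None
    tp_dst: Optional[int] = None  # L4 destination port, None = wildcard


@dataclass
class App:
    name: str
    role: str
    secret: bytes                 # assumed shared-secret credential
    permissions: FrozenSet[str]   # operations the app may request


def _prefixes_overlap(a: Optional[str], b: Optional[str]) -> bool:
    """Two CIDR matches overlap if either is a wildcard or one contains the other."""
    if a is None or b is None:
        return True
    na = ipaddress.ip_network(a, strict=False)
    nb = ipaddress.ip_network(b, strict=False)
    return na.subnet_of(nb) or nb.subnet_of(na)


def matches_overlap(r1: FlowRule, r2: FlowRule) -> bool:
    """True when at least one packet could match both rules."""
    return (_prefixes_overlap(r1.nw_src, r2.nw_src)
            and _prefixes_overlap(r1.nw_dst, r2.nw_dst)
            and (r1.tp_dst is None or r2.tp_dst is None or r1.tp_dst == r2.tp_dst))


def conflicts(r1: FlowRule, r2: FlowRule) -> bool:
    """Overlapping matches with different actions conflict; same action does not."""
    return r1.action != r2.action and matches_overlap(r1, r2)


class EnforcementKernel:
    def __init__(self) -> None:
        self.apps: Dict[str, App] = {}
        self.rules: List[FlowRule] = []
        self.audit: List[dict] = []   # every decision, accepted or not

    def register(self, app: App) -> None:
        self.apps[app.name] = app

    def _decide(self, app: str, outcome: str, detail: str) -> str:
        self.audit.append({"app": app, "op": "add_flow", "outcome": outcome, "detail": detail})
        return outcome

    def add_flow(self, app_name: str, secret: bytes, rule: FlowRule) -> str:
        # 1. Authentication: constant-time comparison of the presented credential.
        app = self.apps.get(app_name)
        if app is None or not hmac.compare_digest(app.secret, secret):
            return self._decide(app_name, "DENIED", "authentication failed")
        # 2. Authorization: the permission model gates every data-plane change.
        if "add_flow" not in app.permissions:
            return self._decide(app_name, "DENIED", "no add_flow permission")
        if rule.owner != app_name:
            return self._decide(app_name, "DENIED", "rule owner does not match caller")
        # 3. Inline conflict resolution against every installed rule.
        clashing = [r for r in self.rules if conflicts(rule, r)]
        for r in clashing:
            if ROLE_RANK[app.role] <= ROLE_RANK[self.apps[r.owner].role]:
                return self._decide(app_name, "REJECTED",
                                    f"conflicts with {r.owner}'s {r.action} rule")
        # Only a strictly higher role may override; its rule evicts the losers.
        for r in clashing:
            self.rules.remove(r)
        self.rules.append(rule)
        return self._decide(app_name, "INSTALLED", f"evicted {len(clashing)} rule(s)")


def demo() -> List[str]:
    """Constructed scenario: an IDS drop rule versus a load balancer and an admin."""
    k = EnforcementKernel()
    k.register(App("ids", "SECURITY", b"ids-secret", frozenset({"add_flow"})))
    k.register(App("lb", "APP", b"lb-secret", frozenset({"add_flow"})))
    k.register(App("mon", "APP", b"mon-secret", frozenset({"read_flows"})))
    k.register(App("ops", "ADMIN", b"ops-secret", frozenset({"add_flow"})))
    return [
        k.add_flow("ids", b"ids-secret", FlowRule("ids", "drop", nw_src="10.1.2.0/24")),
        k.add_flow("lb", b"lb-secret", FlowRule("lb", "forward", nw_src="10.1.2.5/32", tp_dst=80)),
        k.add_flow("lb", b"lb-secret", FlowRule("lb", "forward", nw_src="10.2.0.0/16", tp_dst=80)),
        k.add_flow("mon", b"mon-secret", FlowRule("mon", "forward")),
        k.add_flow("lb", b"wrong", FlowRule("lb", "drop")),
        k.add_flow("ops", b"ops-secret", FlowRule("ops", "forward", nw_src="10.1.2.5/32")),
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The scenario shows the failure mode the abstract is concerned with: a lower-privileged application cannot quietly punch a forwarding hole through a security application's drop rule, while an administrator-role request may override it, and in both cases the decision and its reason land in the audit trail. A real controller would additionally have to consider rule priorities, set-field actions that rewrite headers before later matching, and rule deletion and timeout, none of which this toy model attempts.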
BibTeX Entry
@inproceedings{porras2015securing,
  author    = {Phillip Porras and Steven Cheung and Martin Fong and Keith Skinner and Vinod Yegneswaran},
  title     = {{Securing the Software-Defined Network Control Layer}},
  booktitle = {Proceedings of the 2015 Network and Distributed System Security Symposium (NDSS)},
  address   = {San Diego, California},
  year      = {2015},
  month     = {February}
}
Available from NDSS.


© 2023 SRI International 333 Ravenswood Avenue, Menlo Park, CA 94025-3493
SRI International is an independent, nonprofit corporation.