A Security Enforcement Kernel for OpenFlow Networks
Phillip Porras (SRI International), Seungwon Shin (Texas A&M University), Vinod Yegneswaran (SRI International), Martin Fong (SRI International), Mabry Tyson (SRI International), Guofei Gu (Texas A&M University)

Email: porras, vinod, mwfong (SRI International); swshin, guofei (Texas A&M University); mail domains not recovered in this copy.

ABSTRACT

Software-defined networks facilitate rapid and open innovation at the network control layer by providing a programmable network infrastructure for computing flow policies on demand. However, the dynamism of programmable networks also introduces new security challenges that demand innovative solutions. A critical challenge is efficient detection and reconciliation of potentially conflicting flow rules imposed by dynamic OpenFlow (OF) applications. To that end, we introduce FortNOX, a software extension that provides role-based authorization and security constraint enforcement for the NOX OpenFlow controller. FortNOX enables NOX to check flow rule contradictions in real time and implements a novel analysis algorithm that is robust even in cases where an adversarial OF application attempts to strategically insert flow rules that would otherwise circumvent flow rules imposed by OF security applications.
We demonstrate the utility of FortNOX through a prototype implementation and use it to examine performance and efficiency aspects of the proposed framework.

Categories and Subject Descriptors: COMPUTER-COMMUNICATION NETWORKS: Internetworking

General Terms: Software-Defined Networking, Security

Keywords: OpenFlow, Security, Policy Enforcement

1. INTRODUCTION

Dynamic network orchestration, driven by the elasticity benefits of server and desktop virtualization, delivers computing resources and network services on demand, spawned and recycled in reaction to network service requests. Frameworks such as OpenFlow (OF), which embrace the paradigm of highly programmable switch infrastructures [14], compute optimal flow routing rules
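As an added illustration of the flow-rule contradiction check the abstract describes (this is example code written for this page, not code from the FortNOX paper or the NOX controller), the following Python sketch compares a candidate rule from an ordinary OF application against the rules a security application has installed. It also accounts for set-field (header rewrite) actions, so a forwarding rule that steers packets into the header space covered by a security drop rule by rewriting the destination is caught rather than slipping through. The rule representation, the two role names, the overlap test and the sample rules are all simplifications assumed here; they are not FortNOX's actual data structures or its analysis algorithm.

```python
import ipaddress
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Tuple

DROP = "drop"
FORWARD = "forward"

# Roles are an assumption of this sketch: "security" rules are authoritative,
# "app" rules come from ordinary OpenFlow applications.
SECURITY = "security"
APP = "app"


@dataclass(frozen=True)
class Match:
    """Simplified OpenFlow match: IPv4 src/dst prefixes plus an optional L4 dst port."""
    nw_src: str = "0.0.0.0/0"
    nw_dst: str = "0.0.0.0/0"
    tp_dst: Optional[int] = None  # None means wildcard


@dataclass
class FlowRule:
    match: Match
    action: str                # DROP or FORWARD
    role: str = APP
    # set-field actions applied before output, e.g. {"nw_dst": "10.0.0.5/32"}
    rewrites: Dict[str, object] = field(default_factory=dict)


def _prefixes_overlap(a: str, b: str) -> bool:
    return ipaddress.ip_network(a, strict=False).overlaps(ipaddress.ip_network(b, strict=False))


def _ports_overlap(a: Optional[int], b: Optional[int]) -> bool:
    return a is None or b is None or a == b


def matches_overlap(m1: Match, m2: Match) -> bool:
    """True if at least one packet header could satisfy both matches."""
    return (_prefixes_overlap(m1.nw_src, m2.nw_src)
            and _prefixes_overlap(m1.nw_dst, m2.nw_dst)
            and _ports_overlap(m1.tp_dst, m2.tp_dst))


def header_spaces(rule: FlowRule) -> List[Match]:
    """Header spaces a rule affects: its own match plus the headers produced by
    any set-field rewrite.  Ignoring the rewritten space is what lets a
    forwarding rule evade a security drop rule on the rewritten destination."""
    spaces = [rule.match]
    if rule.rewrites:
        spaces.append(replace(rule.match, **rule.rewrites))
    return spaces


def find_conflicts(candidate: FlowRule, installed: List[FlowRule], against_role: str) -> List[FlowRule]:
    """Installed rules of the given role whose header space overlaps the
    candidate's and whose action contradicts the candidate's."""
    conflicts = []
    for existing in installed:
        if existing.role != against_role or existing.action == candidate.action:
            continue
        if any(matches_overlap(c, e)
               for c in header_spaces(candidate)
               for e in header_spaces(existing)):
            conflicts.append(existing)
    return conflicts


def authorize(candidate: FlowRule, installed: List[FlowRule]) -> Tuple[bool, List[FlowRule]]:
    """Role-based decision.  A security-role candidate is always accepted and
    the app-role rules it contradicts are returned for eviction; an app-role
    candidate is rejected if it contradicts any installed security rule, and
    the blocking security rules are returned."""
    if candidate.role == SECURITY:
        return True, find_conflicts(candidate, installed, APP)
    conflicts = find_conflicts(candidate, installed, SECURITY)
    return (not conflicts), conflicts


# Constructed sample: a security application drops all SSH traffic into 10.0.0.0/24.
SECURITY_DROP_SSH = FlowRule(Match(nw_dst="10.0.0.0/24", tp_dst=22), DROP, role=SECURITY)
INSTALLED = [SECURITY_DROP_SSH]


def demo() -> Dict[str, bool]:
    """Three constructed app-role candidates: a direct contradiction, a harmless
    rule, and one that contradicts the drop rule only after its rewrite."""
    direct = FlowRule(Match(nw_src="192.168.1.0/24", nw_dst="10.0.0.5/32", tp_dst=22), FORWARD)
    harmless = FlowRule(Match(nw_src="192.168.1.0/24", nw_dst="10.0.0.5/32", tp_dst=80), FORWARD)
    rewriting = FlowRule(Match(nw_dst="10.0.1.7/32", tp_dst=22), FORWARD,
                         rewrites={"nw_dst": "10.0.0.5/32"})
    return {name: authorize(rule, INSTALLED)[0]
            for name, rule in (("direct", direct), ("harmless", harmless), ("rewriting", rewriting))}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'installed' if accepted else 'rejected'}")
```

The check is deliberately conservative: any overlap in header space with a contradicting action counts, so a real controller would refine it with rule priorities and a finer match model, but the two points the abstract makes survive the simplification: the decision is keyed on the role of the requesting application, and the rewritten header space has to be part of the comparison or the contradiction goes undetected.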