A Policy based Security Architecture for Software Defined Networks

by Vijay Varadharajan, et al.

As networks expand in size and complexity, they pose greater administrative and management challenges. Software Defined Networks (SDN) offer a promising approach to meeting some of these challenges. In this paper, we propose a policy-driven security architecture for securing end-to-end services across multiple SDN domains. We develop a language-based approach to designing security policies that are relevant for securing SDN services and communications. We describe the policy language and its use in specifying security policies that control the flow of information in a multi-domain SDN. We demonstrate the specification of fine-grained security policies based on a variety of attributes, such as parameters associated with users and devices/switches, context information such as location and routing information, the services accessed in the SDN, and security attributes associated with the switches and Controllers in different domains. An important feature of our architecture is its ability to specify path- and flow-based security policies, which are significant for securing end-to-end services in SDNs. We describe the design and implementation of our proposed policy-based security architecture and demonstrate its use in scenarios involving both intra- and inter-domain communications with multiple SDN Controllers. We analyse the performance characteristics of our architecture and discuss how it is able to counteract various security attacks. The dynamic security-policy-based approach, and the intelligent distribution of the corresponding security capabilities as a service layer that enables flow-based security enforcement and the protection of a multitude of network devices against attacks, are the important contributions of this paper.


