TY - JOUR
T1 - A lightweight policy enforcement system for resource protection and management in the SDN-based cloud
AU - Leng, Xue
AU - Hou, Kaiyu
AU - Chen, Yan
AU - Bu, Kai
AU - Song, Libin
AU - Li, You
PY - 2019/10/9
Y1 - 2019/10/9
N2 - The SDN-based cloud adopts Software-Defined Networking (SDN) to provide network services to the cloud, which allows more flexibility in network management. Meanwhile, the SDN controller provides users and administrators with various APIs to access and manage network resources. However, unauthorized requests, which are either sent from unregistered users or contain malicious operations, cannot be completely defended against. Moreover, the correctness of network configuration in the SDN-based cloud cannot be guaranteed. In this paper, we propose SDNKeeper, a generic and fine-grained policy enforcement system for the SDN-based cloud, which can defend against unauthorized attacks and avoid network resource misconfiguration. In addition, a policy language is designed for administrators to define policies based on the attributes of the requester, resource, and environment. These policies take effect when requests access the SDN controller via the Northbound Interface (NBI). Specifically, SDNKeeper can block unauthorized network access requests outside the controller to protect the resources inside. Compared to other traditional policy-based access control systems, SDNKeeper is application-transparent and lightweight, which makes it easy to implement, deploy, and reconfigure at runtime. Based on the correctness proof of the system design and the prototype implementation and evaluation, we conclude that SDNKeeper achieves accurate and efficient access control with insignificant throughput degradation and computational overhead.
KW - Access control
KW - Network management
KW - SDN-based cloud
KW - Software-defined networking
UR - http://www.scopus.com/inward/record.url?scp=85067429508&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85067429508&partnerID=8YFLogxK
U2 - 10.1016/j.comnet.2019.05.022
DO - 10.1016/j.comnet.2019.05.022
M3 - Article
AN - SCOPUS:85067429508
SN - 1389-1286
VL - 161
SP - 68
EP - 81
JO - Computer Networks
JF - Computer Networks
ER -