A lightweight policy enforcement system for resource protection and management in the SDN-based cloud

Xue Leng, Kaiyu Hou, Yan Chen*, Kai Bu, Libin Song, You Li

*Corresponding author for this work

Research output: Contribution to journal › Article

Abstract

An SDN-based cloud adopts Software-defined Networking (SDN) to provide network services to the cloud, which allows more flexibility in network management. Meanwhile, the SDN controller provides users and administrators with various APIs to access and manage network resources. However, unauthorized requests, which are either sent from unregistered users or contain malicious operations, cannot be completely defended against. Moreover, the correctness of network configuration in the SDN-based cloud cannot be guaranteed. In this paper, we propose SDNKeeper, a generic and fine-grained policy enforcement system for the SDN-based cloud, which can defend against unauthorized attacks and avoid network resource misconfiguration. In addition, a policy language is designed for administrators to define policies based on the attributes of the requester, resource, and environment. These policies take effect when requests access the SDN controller via the Northbound Interface (NBI). Specifically, SDNKeeper can block unauthorized network access requests outside the controller to protect the resources inside. Compared to other traditional policy-based access control systems, SDNKeeper is application-transparent and lightweight, which makes it easy to implement, deploy, and reconfigure at runtime. Based on the correctness proof of the system design and the prototype implementation and evaluation, we conclude that SDNKeeper achieves accurate and efficient access control with insignificant throughput degradation and computational overhead.

Original language: English (US)
Pages (from-to): 68-81
Number of pages: 14
Journal: Computer Networks
Volume: 161
DOI: 10.1016/j.comnet.2019.05.022
State: Published - Oct 9 2019

Fingerprint

  • Access control
  • Controllers
  • Network management
  • Application programming interfaces (API)
  • Interfaces (computer)
  • Software defined networking
  • Systems analysis
  • Throughput
  • Control systems
  • Degradation

Keywords

  • Access control
  • Network management
  • SDN-based cloud
  • Software-defined networking

ASJC Scopus subject areas

  • Computer Networks and Communications

Cite this

Leng, Xue ; Hou, Kaiyu ; Chen, Yan ; Bu, Kai ; Song, Libin ; Li, You. / A lightweight policy enforcement system for resource protection and management in the SDN-based cloud. In: Computer Networks. 2019 ; Vol. 161. pp. 68-81.
@article{5cb5c4309219468a9e3d52f658ad5ebc,
title = "A lightweight policy enforcement system for resource protection and management in the SDN-based cloud",
keywords = "Access control, Network management, SDN-based cloud, Software-defined networking",
author = "Xue Leng and Kaiyu Hou and Yan Chen and Kai Bu and Libin Song and You Li",
year = "2019",
month = "10",
day = "9",
doi = "10.1016/j.comnet.2019.05.022",
language = "English (US)",
volume = "161",
pages = "68--81",
journal = "Computer Networks",
issn = "1389-1286",
publisher = "Elsevier",
}


TY - JOUR
T1 - A lightweight policy enforcement system for resource protection and management in the SDN-based cloud
AU - Leng, Xue
AU - Hou, Kaiyu
AU - Chen, Yan
AU - Bu, Kai
AU - Song, Libin
AU - Li, You
PY - 2019/10/9
Y1 - 2019/10/9
KW - Access control
KW - Network management
KW - SDN-based cloud
KW - Software-defined networking
UR - http://www.scopus.com/inward/record.url?scp=85067429508&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85067429508&partnerID=8YFLogxK
U2 - 10.1016/j.comnet.2019.05.022
DO - 10.1016/j.comnet.2019.05.022
M3 - Article
AN - SCOPUS:85067429508
VL - 161
SP - 68
EP - 81
JO - Computer Networks
JF - Computer Networks
SN - 1389-1286
ER -