A lightweight policy enforcement system for resource protection and management in the SDN-based cloud

SDN-based cloud adopts Software-defined Networking (SDN) to provide network services to the cloud, which allows more flexibility in network management. Meanwhile, the SDN controller provides users and administrators with various APIs to access and manage network resources. However, unauthorized requests, which are either sent from unregistered users or containing malicious operations, cannot be completely defended. Moreover, the correctness of network configuration in the SDN-based cloud cannot be guaranteed. In this paper, we propose SDNKeeper, a generic and fine-grained policy enforcement system for the SDN-based cloud, which can defend against unauthorized attacks and avoid network resource misconfiguration. Besides, a policy language is designed for administrators to define policies based on the attributes of the requester, resource, and environment. These policies will take effect when there are requests accessing the SDN controller via Northbound Interface (NBI). Specifically, SDNKeeper can block unauthorized network access requests outside the controller to protect the resources inside. Compared to other traditional policy-based access control systems, SDNKeeper is application-transparent and lightweight, which makes it easy to implement, deploy, and reconfigure at runtime. Based on the correctness proof of system design and the prototype implementation and evaluation, we conclude that SDNKeeper achieves accurate and efficient access control with insignificant throughput degradation and computational overhead.