A lightweight policy enforcement system for resource protection and management in the SDN-based cloud

Xue Leng, Kaiyu Hou, Yan Chen*, Kai Bu, Libin Song, You Li

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

8 Scopus citations

Abstract

The SDN-based cloud adopts Software-defined Networking (SDN) to provide network services to the cloud, which allows more flexibility in network management. Meanwhile, the SDN controller provides users and administrators with various APIs to access and manage network resources. However, unauthorized requests, which are either sent from unregistered users or contain malicious operations, cannot be completely defended against. Moreover, the correctness of network configuration in the SDN-based cloud cannot be guaranteed. In this paper, we propose SDNKeeper, a generic and fine-grained policy enforcement system for the SDN-based cloud, which can defend against unauthorized attacks and avoid network resource misconfiguration. Besides, a policy language is designed for administrators to define policies based on the attributes of the requester, resource, and environment. These policies will take effect when there are requests accessing the SDN controller via the Northbound Interface (NBI). Specifically, SDNKeeper can block unauthorized network access requests outside the controller to protect the resources inside. Compared to other traditional policy-based access control systems, SDNKeeper is application-transparent and lightweight, which makes it easy to implement, deploy, and reconfigure at runtime. Based on the correctness proof of system design and the prototype implementation and evaluation, we conclude that SDNKeeper achieves accurate and efficient access control with insignificant throughput degradation and computational overhead.

Original language: English (US)
Pages (from-to): 68-81
Number of pages: 14
Journal: Computer Networks
Volume: 161
State: Published - Oct 9 2019

Funding

This work is supported in part by the National Key R&D Program of China (2017YFB0801703), and in part by the Key Research and Development Program of Zhejiang Province (2018C01088). A preliminary version of this manuscript has been published in 2018 IEEE/ACM 26th International Symposium on Quality of Service (IWQoS) (Banff, Alberta, Canada, June 4–6, 2018) as a regular paper [1].

Keywords

  • Access control
  • Network management
  • SDN-based cloud
  • Software-defined networking

ASJC Scopus subject areas

  • Computer Networks and Communications
