Abstract

Software Defined Networking (SDN) is a modern networking paradigm which adds programmability to traditional networks. Moreover, it reduces hardware cost by decoupling the control plane from the data plane in network devices. SDN facilitates network provisioning, manageability, service agility, and automation. In SDN networks, only one centralized control plane exists. This control plane consists of the Network Operating System (NOS), which is also called the SDN controller, and a set of network applications. Network policies are enacted by network applications and network users (network instances) through northbound Application Programming Interfaces (APIs) on top of the SDN controller. The SDN controller is responsible for translating network policies into flow rules. These flow rules are then installed in SDN network devices (the data plane) through well-defined southbound APIs. Unfortunately, previous implementations of northbound APIs in current SDN controllers are not equipped with a security layer. Moreover, flow rules can be installed with spoofed addresses in SDN network devices. Indeed, any network instance in the control plane can configure network policies and access network resources once it knows their Uniform Resource Locator (URL). Malicious rules could be inserted that conflict with existing rules. Because flow rules originate from a variety of sources in the control plane and existing SDN controllers lack a northbound interface security layer, these challenges are a security concern that can be used to exploit network policies. In this research, a northbound API security framework, called TokenGuard, along with a rule verification algorithm are proposed. TokenGuard aims to authenticate, authorize, and account network instances based on dynamic access token sequences. These sequences are generated based on the standard chaotic logistic map function to protect the SDN controller from replay attacks using stolen access tokens.
In addition, a rule verification algorithm is proposed to protect against the insertion of conflicting rules with spoofed addresses in dynamic network topologies. The proposed algorithm transforms the physical and logical addresses in flow rules into their corresponding position entries and uses a HashMap database to store them. These position entries are updated upon network topology changes based on a proposed tracking algorithm implemented at the SDN controller with the help of DHCP and link discovery services. Next, a verification process is invoked to detect rule conflicts whenever a new rule is inserted. Extensive simulations show that the proposed TokenGuard framework and rule verification algorithm add negligible overhead in SDN controllers compared with a standard security protocol (OAuth2). In addition, they protect against unauthorized instance access attempts and the insertion of conflicting rules with spoofed addresses, respectively. Moreover, the proposed work enables host mobility with correct tracking so that the corresponding security policies are applied. Security policies are implemented with different permission levels in mind to control resource accessibility.
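The following is an added toy model of the two mechanisms the abstract describes; it is example code written for this page, not code from the thesis or from any SDN controller. It assumes a token scheme in which the controller and each network instance share a logistic-map seed, every northbound request carries the next state of the map as its token, and the controller advances its own copy on each accepted request, so a replayed (stolen) token no longer matches. It also assumes a position entry is a (datapath id, port) pair learned from DHCP or link discovery, and that a rule is rejected when the position recorded for its source address disagrees with the switch and ingress port the rule is installed on. The map parameter, token encoding, permission levels and all addresses are constructed values.

```python
"""Toy TokenGuard-style token sequences plus spoofed-address rule verification.

Added example for this page; the design details below are assumptions, not the
thesis's implementation.
"""
from dataclasses import dataclass

R = 3.99  # logistic-map parameter in the chaotic regime (assumed value)


def logistic_next(x: float, r: float = R) -> float:
    """One step of the standard logistic map: x_{n+1} = r * x_n * (1 - x_n)."""
    return r * x * (1.0 - x)


def token_from_state(x: float) -> str:
    """Render a map state as a fixed-width token (assumed encoding)."""
    return f"{x:.15f}"


class TokenGuardServer:
    """Controller side: one expected token per instance, advanced on acceptance."""

    def __init__(self, instances: dict):
        # instances: instance_id -> (seed x0, permission level); constructed config
        self.state = {inst: x0 for inst, (x0, _) in instances.items()}
        self.perms = {inst: lvl for inst, (_, lvl) in instances.items()}
        self.audit = []  # accounting: (instance, verdict) records

    def authenticate(self, inst: str, token: str) -> bool:
        expected = self.state.get(inst)
        if expected is None or token != token_from_state(expected):
            self.audit.append((inst, "reject"))  # unknown instance or stale/replayed token
            return False
        self.state[inst] = logistic_next(expected)  # token is now spent
        self.audit.append((inst, "accept"))
        return True

    def authorize(self, inst: str, required_level: int) -> bool:
        """Permission-level check for resource access (assumed numeric levels)."""
        return self.perms.get(inst, 0) >= required_level


class TokenGuardClient:
    """Network-instance side: emits the same sequence from the shared seed."""

    def __init__(self, x0: float):
        self.x = x0

    def next_token(self) -> str:
        token = token_from_state(self.x)
        self.x = logistic_next(self.x)
        return token


@dataclass(frozen=True)
class Position:
    dpid: int  # datapath (switch) id
    port: int  # ingress port where the address was seen


class RuleVerifier:
    """HashMap of address -> position entry, refreshed by the tracking service."""

    def __init__(self):
        self.positions: dict[str, Position] = {}

    def learn(self, addr: str, dpid: int, port: int) -> None:
        """Called on DHCP lease / link-discovery events; overwrites on host move."""
        self.positions[addr] = Position(dpid, port)

    def verify(self, rule: dict) -> tuple[bool, str]:
        """Reject a rule whose source addresses are not where the map says they are."""
        for key in ("src_mac", "src_ip"):
            addr = rule.get(key)
            if addr is None:
                continue
            pos = self.positions.get(addr)
            if pos is None:
                return False, f"{key} {addr} has no position entry"
            if pos != Position(rule["dpid"], rule["in_port"]):
                return False, f"{key} {addr} is at {pos}, not dpid={rule['dpid']} port={rule['in_port']}"
        return True, "ok"


def run_demo() -> dict:
    """Exercise replay rejection, permission levels and host mobility; constructed data."""
    server = TokenGuardServer({"fw-app": (0.3, 2)})
    client = TokenGuardClient(0.3)
    t1 = client.next_token()
    first = server.authenticate("fw-app", t1)
    replay = server.authenticate("fw-app", t1)  # stolen token reused
    second = server.authenticate("fw-app", client.next_token())

    verifier = RuleVerifier()
    verifier.learn("10.0.0.5", dpid=1, port=3)  # host seen on switch 1 port 3
    honest = verifier.verify({"dpid": 1, "in_port": 3, "src_ip": "10.0.0.5"})[0]
    spoofed = verifier.verify({"dpid": 2, "in_port": 1, "src_ip": "10.0.0.5"})[0]
    verifier.learn("10.0.0.5", dpid=2, port=1)  # host moved; tracking updates entry
    after_move = verifier.verify({"dpid": 2, "in_port": 1, "src_ip": "10.0.0.5"})[0]
    return {
        "first_accepted": first, "replay_rejected": not replay, "second_accepted": second,
        "can_write": server.authorize("fw-app", 2), "can_admin": server.authorize("fw-app", 3),
        "honest_rule": honest, "spoofed_rule": spoofed, "rule_after_move": after_move,
    }


if __name__ == "__main__":
    print(run_demo())
```

Both sides must perform the identical floating-point iteration, so the example fixes the parameter and rounds to a fixed width when encoding; the sequence gives per-request freshness against replay, as the abstract claims, but its secrecy rests entirely on the shared seed, which would be distributed over an authenticated channel in a real deployment.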