A Framework For Integrating Security Services into Software-Defined Networks

Abstract

penflow may in time prove to be one of the more impactful technologies to drive a variety of innovations in network security. It could offer a dramatic simplification to the way we design and integrate complex network security applications into large networks. In particular, OpenFlow offers researchers with an unprecedented singular point of control over network flow routing decisions across the data planes of all OF-enabled network components. Using OpenFlow, security services can implement far more complex logic than simply halting or forwarding a flow. Such applications can incorporate stateful flow rule production logic to implement complex quarantine procedures, or dynamic connection migration functions that can redirect malicious network flows in ways not easily perceived by the attacker. Flow-based security detection algorithms can also be redesigned as OF security apps, but implemented more concisely and deployed more efficiently. However, to date there remains a stark paucity of compelling OpenFlow security applications. Our research team is actively engaged in several projects to help accelerate new research in OpenFlow-enabled network defense. Our latest research result [10] introduces FRESCO, an OpenFlow security application development framework that facilitates the rapid design and modular composition of OF-enabled detection and mitigation modules. Inspired by the Click router architecture [6] and Click’s modular scripting interface, FRESCO abstracts key data access and security directive controls, fostering a more rapid and collaborative environment for security-focused developers. FRESCO’s scripting language enables the linking of modules through data sharing and event triggering. Further, FRESCO provides an API