SDN Security Plane: An Architecture for Resilient Security Services

Title: SDN Security Plane: An Architecture for Resilient Security Services
Publication Type: Conference Paper
Year of Publication: 2016
Authors: Hussein, A., Elhajj, I. H., Chehab, A., Kayssi, A.
Conference Name: 2016 IEEE International Conference on Cloud Engineering Workshop (IC2EW)
ISBN Number: 978-1-5090-3684-4
Keywords: Agent, centralised control, centralized control, Computer architecture, Computer crime, computer network performance evaluation, computer network security, control plane, control systems, data packet forwarding, data plane, DDoS Attack Prevention, DDoS Attacks, IP networks, network communications, network performance, network security features, OpenFlow, Ports (Computers), Proposals, pubcrawl, real-time user-defined security, remotely controlled network, Resiliency, Resilient Security Architectures, resilient security services architecture, SDN, SDN controller, SDN security design, SDN security plane, SDN switches, Security plane, security-related data exchange, software defined networking, telecommunication control, telecommunication switching, third party agent, third party software module

Abstract: Software Defined Networking (SDN) is the new promise towards an easily configured and remotely controlled network. Based on centralized control, SDN technology has proved its positive impact on network communications from several aspects. Security in SDN, as in traditional networks, is an essential feature that every communication system should possess. In this paper, we propose an SDN security design approach that strikes a good balance between network performance and security features. We show how such an approach can be used to prevent DDoS attacks targeting either the controller or the different hosts in the network, and how to trace back the source of the attack. The solution lies in introducing a third plane, the security plane, in addition to the data plane, which is responsible for forwarding data packets between SDN switches, and in parallel to the control plane, which is responsible for rule and data exchange between the switches and the SDN controller. The security plane is designed to exchange security-related data between a third-party agent on the switch and a third-party software module alongside the controller. Our evaluation shows the capability of the proposed system to enforce different levels of real-time, user-defined security with low overhead and minimal configuration.

Citation Key: hussein_sdn_2016