A Survey of Securing Networks Using Software Defined Networking
Since the large number of individual devices connecting to networks brings more opportunities for attack, networks become more untrustworthy and malicious and face a "crisis of trust". To promote the development of 5G networks and cooperation between different companies and institutes, more critical and aging infrastructure, such as automation systems, factory equipment, and traffic controls, is being brought online, however without adequate security and safeguards. The potential of 5G networks and emerging intelligent individual applications cannot be released without the guarantee of network security.
In computer networks, clients interconnect hosts using network switches and routers, which provide data packet forwarding and routing functionality. Switches transfer data within the same local area network (LAN) segment, and routers function as gateways enabling the routing of packets between hosts in different networks. Because both switches and routers run proprietary operating systems and vendor-specific protocols, they need to be configured through a cumbersome process in which network operators translate high-level network policies into device-specific low-level commands. During configuration, network operators often manually input commands using command-line or graphical user interfaces. Even though scripts and tools can help network operators reduce the operational workload and the errors of the configuration process, this painstaking, error-prone process requires network administrators to reason carefully about the network. The inflexibility of network configuration is the leading cause of network faults, bugs, and security lapses, and it makes network management challenging. If we can find the right balance between the use of automation, the requirements of the situation and the changing state of the network, and have a solution providing unified network control, network innovation can escape stagnation and the Internet ossification phenomenon.
The Software Defined Networking (SDN) paradigm can address this challenge by separating the packet forwarding functionality of the forwarding devices, known as the data plane, from the control element, known as the control plane. The decoupling enables a new network architecture in which switches, containing flow tables populated with localized flow rules, are reduced to basic packet forwarding devices. To reconfigure a switch to enable a new policy, the controller only needs to modify the relevant entries in the flow tables; consequently, modifications may also be made reactively. For example, a specific packet may arrive at the switch, and the controller updates existing flow rules or specifies new ones accordingly in real time. This new architecture, which disassociates forwarding elements from control elements, allows for more flexible and effective network management solutions. Compared to a purely distributed control plane, a logically centralized controller not only enables the implementation of consistent policy in a dynamic and scalable manner, but also provides application developers with a unified programmable interface to deploy software and higher-level applications. Therefore, network operators no longer need to enforce complex policies manually on individual switches and routers; instead, they can specify high-level declarative policies for the network as a whole. When an application runs on the controller, its policy is translated and installed in switches in the form of localized flow rules. The controller periodically polls flow statistics from network devices, compiling a centralized real-time view of the network state. This state is exposed via open application programming interfaces (APIs), allowing developers to automate the control process and enabling dynamic and efficient network management. The ability to view network state in real time and to programmatically control network behaviour opens up exciting possibilities for network security.
In this manuscript, the authors categorize current SDN-based security research into two branches: research geared towards protecting the network, and research providing security as a service. The consolidation of policies at the central controller enhances the consistency of configuration and helps prevent attacks; the centralization of the network state makes it easier to detect intrusions and anomalies, to react in an agile, coherent way, and to isolate or neutralize the attacks. The development of innovative security capabilities that can be instantiated on the fly helps offer security as a service for out-tasking, reducing costs and adjusting better to network fluctuation. These security capabilities need not be always on; instead, they are selectively invoked as needed for specific traffic flows, thereby permitting an elastic cost model for the value-added services.
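As an added illustration of the two mechanisms described above, the reactive installation of localized flow rules on a table miss and the controller's polling of flow statistics to detect and neutralize a noisy flow, the following toy model is example code written for this summary, not code from the survey or from any SDN controller; the allowlist policy, the packet threshold and the IP addresses are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class FlowRule:
    match: tuple       # (src_ip, dst_ip): constructed stand-in for a match field set
    action: str        # "forward" or "drop"
    packets: int = 0   # per-rule counter the controller polls

class Switch:
    """Data plane: matches packets against localized rules, else asks the controller."""
    def __init__(self):
        self.flow_table = {}
        self.delivered = []  # packets actually forwarded

    def handle_packet(self, pkt, controller):
        rule = self.flow_table.get(pkt)
        if rule is None:  # table miss: packet-in, controller installs a rule reactively
            rule = controller.packet_in(self, pkt)
        rule.packets += 1
        if rule.action == "forward":
            self.delivered.append(pkt)
        return rule.action

class Controller:
    """Control plane: compiles an allowlist into per-flow rules; polls stats for noisy flows."""
    def __init__(self, allowed_dsts, threshold):
        self.allowed_dsts = set(allowed_dsts)
        self.threshold = threshold  # assumed packets-per-poll limit for one flow

    def packet_in(self, switch, pkt):
        action = "forward" if pkt[1] in self.allowed_dsts else "drop"
        rule = FlowRule(match=pkt, action=action)
        switch.flow_table[pkt] = rule  # high-level policy pushed down as a localized rule
        return rule

    def poll_stats(self, switch):
        # Centralized view of counters; flows over threshold are rewritten to drop in place
        blocked = []
        for pkt, rule in switch.flow_table.items():
            if rule.action == "forward" and rule.packets > self.threshold:
                rule.action = "drop"
                blocked.append(pkt)
        return blocked

def run_demo():
    sw, ctl = Switch(), Controller(allowed_dsts={"10.0.0.2"}, threshold=5)
    for _ in range(8):                               # constructed traffic burst
        sw.handle_packet(("10.0.0.1", "10.0.0.2"), ctl)
    sw.handle_packet(("10.0.0.1", "10.0.0.9"), ctl)  # destination not on the allowlist
    blocked = ctl.poll_stats(sw)
    after = sw.handle_packet(("10.0.0.1", "10.0.0.2"), ctl)
    return len(sw.flow_table), len(sw.delivered), blocked, after
```

Only the first packet of each flow reaches the controller; every later packet is handled by the switch's own table, and the stats poll changes the verdict for the burst without any further packet-in.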