Security Policy Checking for Distributed Software Defined Networking (SDN)
Separation of network control from devices in Software Defined Networking (SDN) allows for centralized implementation and management of security policies in a cloud computing environment. The ease of programmability in SDN makes it a great platform implementation of various initiatives that involve application deployment, dynamic topology changes, and decentralized network management in a multi-tenant data center environment. However, implementing security solutions in such an environment is fraught with policy conflicts and consistency issues with the hardness of this problem being affected by the distribution scheme for the SDN controllers.
Researchers at Arizona State University have developed a security policy analysis framework is implemented on an OpenDaylight SDN controller that has comprehensive conflict detection and resolution modules to ensure that no two flow rules in a distributed SDN-based cloud environment have conflicts at any layer. This assures consistent conflict-free security policy implementation and preventing information leakage. Techniques are described for global prioritization of flow rules in a decentralized environment, for extending firewall rule conflict classification from a traditional environment to SDN flow rule conflicts by recognizing and classifying conflicts stemming from cross-layer conflicts, and providing strategies for unassisted resolution of these conflicts. Alternately, if administrator input is desired to resolve conflicts, a visualization scheme is implemented to help the administrators view the conflicts graphically.