Semantic Security Methods for Software-Defined Networks

Software-defined networking is a promising technology for constructing communication networks where the network management is the software that configures network devices. This contrasts with the traditional point of view where the network behaviour is updated by manual configuration uploading to devices under control. The software controller allows dynamic routing configuration inside the net depending on the quality of service. However, there must be a proof that ensures that every network flow is secure, for example, we can define security policy as follows: confidential nodes can not send data to the public segment of the network. The paper shows how this problem can be solved by using a semantic security model. We propose a method that allows us to construct semantics that captures necessary security properties the network must follow. This involves the specification that states allowed and forbidden network flows. The specification is then modeled as a decision tree that may be reduced. We use the decision tree for semantic construction that captures security requirements. The semantic can be implemented as a module of the controller software so the correctness of the control plane of the network can be ensured on-the-fly.

1. Sabelfeld A, Myers A.C., “Language-Based Information-Flow Security”, IEEE Journal on Selected Areas in Communications, 2003, № 21, 5–19.

2. Smeliansky R.L., “SDN for Network Security”, Proc. of Int. Conf. "Modern Networking Technologies (MoNeTec), 2014, 86–95.

3. Casado M., Foster N., Guha A., “Abstractions for Software-Defined Networks”, Communications of the ACM, 57:10 (2014), 86–95.

4. Foster N., Freedman M.J., Monasanto Ch., Rexford J., Story A., Walker D., “Splendid Isolation: A Slice Abstraction for Software-Defined Networks”, CM Int. Conf. on Functional Programming, 2011, 279—291.

5. McKeown N., Anderson T., Balakrishnan H., Parulkar G., Kozen D., Peterson L., Rexford J., Shenker S., Turner J., “OpenFlow: Enabling Innovation in Campus Networks”, SIGCOMM Computer Communications Review, 38:2 (2008), 69–74.

6. Antoshina E.Ju., Nikitin E.S., Chalyy D.Ju., Sokolov V.A., “End-to-end Information Flow Security Model for Software-Defined Networks”, Modeling and Analysis of Information Systems, 22:6 (2015), 735–749.