P4Filter: A two level defensive mechanism against attacks in SDN using P4
Ananya Saxena, Ritvik Muttreja, Shivam Upadhyay, K. Shiv Kumar, Venkanna U

TL;DR
This paper introduces P4Filter, a two-level security mechanism in SDN using P4, combining a dynamic firewall and port knocking to enhance network security against unauthorized access and attacks.
Contribution
The work presents a novel two-level defense mechanism in SDN using P4, integrating dynamic firewall logic and port knocking for improved security.
Findings
Outperforms previous P4-based firewall approaches.
Successfully mitigates specific security attacks.
Effective in blocking unauthorized network access.
Abstract
The advancements in networking technologies have led to a new paradigm of controlling networks, with data plane programmability as a basis. This facility opens up many advantages, such as flexibility in packet processing and better network management, which leads to better security in the network. However, the current literature lacks network security solutions concerning authentication and preventing unauthorized access. In this work, our goal is to avoid attacks in a two-level defense mechanism (P4Filter). The first level is a dynamic firewall logic, which blocks packets generated from an unauthorized source. The second level is an authentication mechanism based on dynamic port knocking. The two security levels were tested in a virtual environment with P4-based switches. The packets arriving at the switch from unknown hosts are sent to the controller. The controller maintains an ACL…
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · Network Packet Processing and Optimization · Software-Defined Networks and 5G
