A Practical Runtime Security Policy Transformation Framework for Software Defined Networks

TL;DR

This paper presents a practical framework for automatically transforming high-level security policies into flow entries in SDN networks, addressing scalability and management challenges.

Contribution

It introduces a formal method and a runtime framework for security policy transformation in SDN, validated through experiments with POX and Mininet.

Findings

Framework effectively automates policy transformation

Validated with experimental setup showing feasibility

Addresses scalability issues in SDN security management

Abstract

Software-defined networking (SDN) has been widely utilized to enforce the security of traditional networks, thereby promoting the process of transforming traditional networks into SDN networks. However, SDN-based security enforcement mechanisms rely heavily on the security policies containing the underlying information of data plane. With increasing the scale of underlying network, the current security policy management mechanism will confront more and more challenges. The security policy transformation for SDN networks is to research how to transform the high-level security policy without containing the underlying information of data plane into the practical flow entries used by the OpenFlow switches automatically, thereby implementing the automation of security policy management. Based on this insight, a practical runtime security policy transformation framework is proposed in this paper. First of all, we specify the security policies used by SDN networks as a system model of security policy (SPM). From the theoretical level, we establish the system model for SDN network and propose a formal method to transform SPM into the system model of flow entries automatically. From the practical level, we propose a runtime security policy transformation framework to solve the problem of how to find a connected path for each relationship of SPM in the data plane, as well as how to generate the practical flow entries according to the system model of flow entries. In order to validate the feasibility and effectiveness of the framework, we set up an experimental system and implement the framework with POX controller and Mininet emulator.