DOI: 10.1145/3164541.3164569

A Framework for Managing User-defined Security Policies to Support Network Security Functions

Published: 05 January 2018

Abstract

Network Functions Virtualization (NFV) and Software Defined Networking (SDN) make it easier for security administrators to manage security policies on a network system. However, it is still challenging to map high-level security policies defined by users into low-level security policies that can be applied to network security devices. To address this problem, we introduce a framework for effectively managing user-defined security policies for network security functions based on standard interfaces that are currently being standardized in an IETF working group. To show the feasibility of the proposed framework, we implemented a prototype based on the RESTCONF protocol and showed that the proposed framework can be applied in real-world scenarios for network separation, DDoS mitigation and ransomware prevention.


Cited By

• (2022) A comprehensive survey on SDN security: threats, mitigations, and future directions. Journal of Reliable Intelligent Environments 9(2), 201-239. DOI: 10.1007/s40860-022-00171-8. Online publication date: 8 February 2022.


          Published In

          IMCOM '18: Proceedings of the 12th International Conference on Ubiquitous Information Management and Communication
          January 2018
          628 pages
          ISBN:9781450363853
          DOI:10.1145/3164541
          Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

          In-Cooperation

          • SKKU: SUNGKYUNKWAN UNIVERSITY

          Publisher

          Association for Computing Machinery

          New York, NY, United States



          Author Tags

          1. NSF
          2. Security management
          3. Security policy

          Qualifiers

          • Research-article
          • Research
          • Refereed limited

          Conference

          IMCOM '18

          Acceptance Rates

          IMCOM '18 Paper Acceptance Rate 100 of 255 submissions, 39%;
          Overall Acceptance Rate 213 of 621 submissions, 34%

          Article Metrics

          • Downloads (Last 12 months)9
          • Downloads (Last 6 weeks)1
          Reflects downloads up to 12 Aug 2024
