A Taxonomy-based Approach for Security in Software-Defined Networking

Software Defined Networking (SDN) promises to abstract hardware and hard-wired network topologies in favor of programmable dynamic infrastructures. However, especially features like multi-tenancy require for new ways to ensure that access to critical network resources are restricted to trusted applications and users. The challenge here is that these entities are not necessarily known at the time of planning and setup, but are rather added dynamically to the network at runtime. Controlling access to northbound interfaces of SDN controllers thus requires for new ways to express access control policies which are able to cope with this degree of complexity and abstraction. We thus introduce a taxonomy-based policy engine, which allows the definition of fine-grained security policies based on a first-order logic description of the network environment. We describe the taxonomy structure and show how it can be used in a Prolog-based policy engine to protect a secure SDN northbound interface developed in previous work. By evaluating the implementation in a virtual SDN environment, we found the performance overhead of our approach to be tolerable.