SDN-based Security Services using Interface to

Network Security Functions

Jinyong Kim∗, Mahdi Daghmehchi Firoozjaei∗, Jaehoon (Paul) Jeong†, Hyoungshick Kim∗, and Jung-Soo Park‡

∗ Department of Computer Science & Engineering, Sungkyunkwan University, Republic of Korea† Department of Interaction Science, Sungkyunkwan University, Republic of Korea

‡ Electronics and Telecommunications Research Institute, Republic of Korea

Email: {wlsdyd0930,mdaghmechi,pauljeong,hyoung}@skku.edu, pjs@etri.re.kr

Abstract—This paper proposes a framework for securityservices using Software-Defined Networking (SDN) and Interfaceto Network Security Functions (I2NSF). It specifies requirementsfor such a framework for security services based on networkvirtualization. It describes two representative security systems,such as (i) centralized firewall system and (ii) DDoS-attackmitigation system. For each service, this paper discusses thelimitations of existing systems and presents a possible SDN-basedsystem to protect network resources by controlling suspicious anddangerous network traffic.

I. INTRODUCTION

Software-Defined Networking (SDN) is a set of techniquesthat enables users to directly program, orchestrate, control,and manage network resources through software (e.g., SDNapplications). It relocates the control of network resources toa dedicated network element, namely SDN controller. TheSDN controller uses interfaces for the network resourcesand arbitrates the control of network resources in a log-ically centralized manner. It also manages and configuresthe distributed network resources and provides the abstractedview of the network resources for the SDN applications. TheSDN application can customize and automate the operations(including management) of the abstracted network resourcesin a programmable manner via the interfaces [1]–[5].

Due to the increase of sophisticated network attacks,the legacy security services become difficult to cope withsuch network attacks in an autonomous manner. SDN hasbeen introduced to make networks more controllable andmanageable, and this SDN technology will be promising toautonomously deal with such network attacks in a promptmanner. By this trend, this paper describes a framework,objectives, and requirements to support the protection ofnetwork resources through SDN-based security services usinga common interface to Network Security Functions (NSF) [6].It uses an interface to NSF (I2NSF) for such SDN-basedsecurity services that are performed on virtual machinesthrough network functions virtualization [7]. Also, this paperaddresses the challenges of the existing systems for securityservices. As feasible solutions to handle these challenges, thispaper proposes two use cases of the security services, suchas centralized firewall system and centralized DDoS-attackmitigation system.

For the centralized firewall system, this paper raises limita-tions in legacy firewalls in terms of flexibility and administra-tion costs. Since in many cases, access control management forfirewall is manually performed, it is difficult to add the access

control policy rules corresponding to new network attacks in aprompt and autonomous manner. Thus, this situation requiresexpensive administration costs. This paper introduces a usecase of SDN-based firewall system to overcome these lim-itations. For the centralized DDoS-attack mitigation system,this paper raises limitations in legacy DDoS-attack mitigationtechniques in terms of flexibility and administration costs.Since in many cases, network configuration for the mitigationis manually performed, it is difficult to dynamically config-ure network devices to limit and control suspicious networktraffic for DDoS attacks. This paper introduces a use caseof SDN-based DDoS-attack mitigation system to provide anautonomous and prompt configuration for suspicious networktraffic. Note that this paper is the enhanced version of ourprevious paper [5] and IETF Internet draft [8] on SDN-basedsecurity services.

The rest of this paper is organized as follows: Section IIformulates our SDN-based security services. Section III sug-gests two representative SDN-based security services. Sec-tion IV addresses challenging research issues. We finallyconclude this paper along with future work in Section V.

II. OVERVIEW

This section describes a referenced architecture to supportSDN- based security services, such as centralized firewallsystem and centralized DDoS-attack mitigation system. Also,it describes a framework for SDN-based security servicesusing I2NSF.

Fig. 1 shows a framework for SDN-based security services.As shown in the figure, applications for security services(e.g., firewall and DDoS-attack mitigator) run through theinteraction with an SDN controller [1], [2]. When an ad-ministrator enforces security policies for the security servicesthrough an application interface, the SDN controller generatesthe corresponding access control policy rules (or networkconfiguration) to meet such security policies in an autonomousand prompt manner. According to the generated access con-trol policy rules, the network resources, such as switchesand routers, take an action to mitigate network attacks, forexample, dropping packets with suspicious patterns. Fig. 2shows a framework to support SDN-based security servicesusing I2NSF [6]. As shown in Fig. 2, client and applicationgateway (AppGW) can use security services with their high-level security policies through security controller. Securitycontroller calls function-level security services via CapabilityLayer Interface, which are performed by security applications,

526978-1-4673-7116-2/15/$31.00 ©2015 IEEE ICTC 2015

Mu

lti-

La

ye

r M

an

ag

em

en

t F

un

cti

on

s Security Applications(Firewall & DDoS-Attack Mitigator)

Application Support

Orchestration

Abstraction

Control Support

Data Transport and

Processing

Application Layer

SDN Control Layer

Resource Layer

Resource-Control Interface

Application-Control Interface

Fig. 1. High-level Architecture for SDN-based Security Services

Fig. 2. A Framework for SDN-based Security Service using I2NSF

running on top of virtual machines through NFV [7]. The se-curity application asks SDN controller to perform its requiredsecurity functions on switches under the supervision of SDNcontroller. Finally, SDN controller sets up forwarding rulesfor the security services on switches via SDN SouthboundInterface. The capability interface between security controllerand security applications can be implemented by NetworkConfiguration Protocol [9] with a data modeling languagecalled YANG [10] that describes function-level security ser-vices.

A. Objectives

We have the following objectives for SDN-based securityservices:

1) Prompt reaction to new network attacks: SDN-basedsecurity services should allow private networks todefend themselves against new sophisticated networkattacks.

2) Autonomous defense from network attacks: SDN-based security services should identify the categoryof network attack (e.g., worms and DDoS attacks)and take counteraction for the defense without theintervention of network administrators.

3) Network-load-aware resource allocation: SDN-basedsecurity services should measure the overhead ofresources for security services and dynamically se-lect resources considering the load balance for themaximum network performance.

B. Requirements

SDN-based security services provide dynamic and flexiblenetwork resource management to mitigate network attacks,such as malicious traffic and DDoS attacks. In order to sup-port this capability, the requirements for SDN-based securityservices are described as follows:

1) SDN-based security services are required to supportthe programmability of network resources to mitigatenetwork attacks.

2) SDN-based security services are required to supportthe orchestration of network resources and SDNapplications to mitigate network attacks.

3) SDN-based security services are required to providean application interface allowing the management ofaccess control policies in an autonomous and promptmanner.

4) SDN-based security services are required to providea resource-control interface for control of networkresources to mitigate network attacks.

5) SDN-based security services are required to providethe logically centralized control of network resourcesto mitigate network attacks.

III. EXAMPLES OF SDN-BASED SECURITY SERVICES

This section introduces two representative security servicesbased on SDN: (i) centralized firewall system and (ii) central-ized DDoS-attack mitigation system.

Fig. 3. Procedure of firewall operation in our centralized firewall system

A. Centralized Firewall System

For the centralized firewall system, a centralized networkfirewall can manage each network resources and firewallrules can be managed flexibly by a centralized server. Thecentralized network firewall manages each switch and firewallrules can be added or deleted dynamically. Fig. 3 shows the

527

procedure of firewall operations in our centralized firewallsystem as follows:

1) The application asks for security services with high-level security policies to Security Controller viaService Layer Interface (e.g., RESTCONF).

2) Security Controller calls function-level security ser-vices via Capability Layer Interface (e.g., NET-CONF/YANG).

3) Security Applications (e.g., firewall and web filter)tells SDN Controller its required security services(i.e., security functions) via Northbound Interface(e.g., NETCONF/YANG).

4) SDN Controller installs new rules (e.g., drop packetswith the suspicious pattern) for the security servicesinto Switches via Southbound Interfae (e.g., NET-CONF/YANG).

Fig. 4. Procedure for SDN-based Firewall Filtering

For the above centralized firewall system, the existing SDNprotocols can be used through NETCONF/YANG between thefirewall application and switches [1], [2], [4], [11]. Fig. 4shows the procedure for SDN-based Firewall Filtering asfollows:

1) Client and Server make a session by using NET-CONF/YANG.

2) Client configures the firewall table of Server to blockspecific IP addresses.

3) Server (i.e., security application in the virtual ma-chine) asks firewall filtering to be set up in NetworkSwitch through SDN Controller.

4) After the configuration of the firewall table, packetsfrom an attacker are dropped down.

Legacy firewalls have some challenges such as the expen-sive cost, performance, management of access control, estab-lishment of policy, and packet-based access mechanism. Theproposed framework can resolve these challenges through theabove centralized firewall system based on SDN as follows.

• Cost: The cost of adding firewalls manually tonetwork resources such as routers, gateways, andswitches is substantial due to the reason that weneed to add firewall on each network resource. Tosolve this, each network resource can be managedcentrally such that a single firewall is manipulatedby a centralized server.

• Performance: The performance of firewalls is oftenslower than the link speed of their network interfaces.Every network resource needs to check firewall rulesaccording to network conditions. Firewalls can be

adaptively deployed, depending on network condi-tions in our framework.

• The management of access control: Since there maybe hundreds of network resources in an administerednetwork, the dynamic management of access controlfor security services like firewall is a challenge. In ourframework, firewall rules can be dynamically addedfor new network attacks by the centralized server.

• The establishment of policy: Policy should be es-tablished for each network resource. However, itis difficult to describe what flows are permitted ordenied within a specific organization network undermanagement. Thus, a centralized view is helpful todetermine security policies for such a network.

• Packet-based access mechanism: Packet-based accessmechanism is not enough in practice since the basicunit of access control is usually users or applications.Therefore, application-level rules can be defined andadded to the firewall system through the centralizedserver.

B. Centralized DDoS-attack Mitigation System

Fig. 5. Procedure of DDoS-attack mitigation operation in our centralizedDDoS-attack mitigation system

For the centralized DDoS-attack mitigation system, aDDoS-attack mitigation system can add, delete or modify therules to each switch. The centralized DDoS-attack mitigationsystem defends the servers against DDoS attacks outside theprivate network, that is, from the public network. Fig. 5 showsthe procedure of DDoS-attack mitigation operations in ourcentralized DDoS-attack mitigation system as follows:

1) Switch1 periodically reports the inter-arrival patternof incoming packets to SDN Controller.

2) SDN Controller forwards the inter-arrival pattern toan appropriate security service application, such asDDoS-Attack Mitigator.

3) DDoS-Attack Mitigator analyzes the reported patternfor the flow.

4) If DDoS-Attack Mitigator regards the pattern as aDDoS attack, it computes a packet dropping prob-

528

ability corresponding to suspiciousness level andreports this DDoS-attack flow to SDN Controller.

5) SDN Controller installs new rules into switches (e.g.,forward packets with the suspicious inter-arrival pat-tern with a dropping probability).

6) The suspicious flow’s packets are randomly droppedby switches with the dropping probability.

The servers are categorized into stateless servers (e.g.,DNS servers) and stateful servers (e.g., web servers). In aDDoS-attack mitigation system in a private network, switchesare configured in multi-levels (having a hierarchy of switches)to provide the dynamic defense lines against a variety of DDoSattacks. The centralized DDoS-attack mitigation system hasthe same challenges with the centralized firewall system, asdiscussed in Section III-A.

IV. RESEARCH ISSUES

In this section, we discuss further research issues for SDN-based security services. We have the following research issues:

• To prevent the unauthorized control of switches, asecure and authenticated channel between SDN con-troller and switches should be established. That is, weneed to consider a proper key management for securecommunication between them.

• Inherently, a centralized server (i.e., SDN controller)will suffer from a single point of failure and/or com-promise. Without the protection of SDN controller, itis not possible to deploy SDN-based security services.

• To support the SDN-based security services, we needto consider changes in the existing SDN switches andprotocols. For example, deep packet inspection shouldbe provided in SDN switches to reduce performancedegradation.

• In theory, SDN seems a reasonable architecture toprovide centralized security services. However, whenwe consider many switches and hosts, the communi-cation between SDN controller and switches becomesa potential bottleneck, so the scalability issue shouldbe addressed.

• To support security services in an autonomous andscalable fashion, switches should have some intel-ligence to perform decision-making for security at-tacks. Thus, it is an important issue that how muchintelligence switches should have in terms of perfor-mance and autonomy.

• Efficient interfaces to network security functionsshould be implemented by NETCONF/YANG innetwork virtualization environments such that SDNswitches can be fast configured according to requiredsecurity services. This is possible by the efficientinterface between Security Controller and SDN Con-troller.

V. CONCLUSION

In this paper, we proposed a framework for securityservices based on Software-Defined Networking and Interfaceto Network Security Functions. Based on this framework, we

suggested two representative security services, such as firewalland DDoS-attack mitigator. As future work, we will developour proposed framework in Mininet [12] and investigate othersecurity services, such as encryption/decryption, junk mailfiltering, and anti-spam service.

ACKNOWLEDGMENT

This research was supported by Basic Science ResearchProgram through the National Research Foundation of Korea(NRF) funded by the Ministry of Science, ICT & Future Plan-ning (2014006438). This work was also partly supported bythe ICT R&D program of MKE/KEIT [10041244, SmartTV2.0 Software Platform] and MSIP/IITP [R0166-15-1041, Stan-dard Development of Network Security based SDN]. Note thatJaehoon (Paul) Jeong is the corresponding author.

REFERENCES

[1] Recommendation ITU-T Y.3300, “Framework of Software-DefinedNetworking,” ITU-T, Jun. 2014.

[2] Open Networking Foundation, “SDN Architecture,” ONF, Jun. 2014.

[3] H. Kim and N. Feamster, “Improving Network Management with Soft-ware Defined Networking,” IEEE Communications Magazine, vol. 51,no. 2, pp. 114–119, Feb. 2013.

[4] Open Networking Foundation, “OpenFlow Switch Specification (Ver-sion 1.4.0),” ONF, Oct. 2013.

[5] J. Jeong, H. Kim, and J. Park, “A Framework for Security Servicesbased on Software-Defined Networking,” DC2, Mar. 2015.

[6] E. Lopez, D. Lopez, L. Dunbar, X. Zhuang, J. Parrott, R. Krishnan, andS. Durbha, “Framework for Interface to Network Security Functions,”IETF draft-merged-i2nsf-framework-02, Jun. 2015.

[7] ETSI-NFV, “Network Functions Virtualisation (NFV) ; ArchitecturalFramework,” ETSI, Oct. 2013.

[8] J. Jeong, H. Kim, and J. Park, “Requirements for Security Servicesbased on Software-Defined Networking,” IETF draft-jeong-i2nsf-sdn-

security-services-02, Jul. 2015.

[9] R. Enns, M. Bjorklund, J. Schoenwaelder, and A. Bierman, “NetworkConfiguration Protocol (NETCONF),” IETF RFC 6241, Jun. 2011.

[10] M. Bjorklund, “YANG - A Data Modeling Language for the NetworkConfiguration Protocol (NETCONF),” IETF RFC 6020, Oct. 2010.

[11] M. Boucadair and C. Jacquenet, “Software-Defined Networking: APerspective from within a Service Provider Environment,” RFC 7149,Mar. 2014.

[12] Mininet, “An instant virtual network on your laptop,” http://mininet.org.

529