Software-defined networks facilitate rapid and open innovation at the network control layer by providing a programmable network infrastructure for computing flow policies on demand. However, the dynamism of programmable networks also introduces new security challenges that demand innovative solutions. A critical challenge is efficient detection and reconciliation of potentially conflicting flow rules imposed by dynamic OpenFlow (OF) applications. To that end, we introduce FortNOX, a software extension that provides role-based authorization and security constraint enforcement for the NOX OpenFlow controller. FortNOX enables NOX to check flow rule contradictions in real time, and implements a novel analysis algorithm that is robust even in cases where an adversarial OF application attempts to strategically insert flow rules that would otherwise circumvent flow rules imposed by OF security applications. We demonstrate the utility of FortNOX through a prototype implementation and use it to examine performance and efficiency aspects of the proposed framework.
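The role-based conflict check described above can be illustrated with a simplified sketch. This is an added example, not FortNOX code: the role names, their ranking, the `FlowRule` fields and the equal-rank behaviour are assumptions. It covers only direct contradictions between overlapping rules, not the analysis for strategically inserted rules that the abstract mentions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed role ranking for this sketch; a higher number wins a conflict.
ROLE_RANK = {"app": 0, "security": 1, "admin": 2}

@dataclass(frozen=True)
class FlowRule:
    role: str                 # role of the application that authored the rule
    src: str                  # source CIDR
    dst: str                  # destination CIDR
    dst_port: Optional[int]   # None means wildcard
    action: str               # "forward" or "drop"

def _nets_overlap(a, b):
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))

def conflicts(r1, r2):
    """Two rules contradict if some packet matches both and the actions differ."""
    ports = r1.dst_port is None or r2.dst_port is None or r1.dst_port == r2.dst_port
    same_traffic = ports and _nets_overlap(r1.src, r2.src) and _nets_overlap(r1.dst, r2.dst)
    return same_traffic and r1.action != r2.action

class RuleTable:
    def __init__(self):
        self.rules = []

    def insert(self, cand):
        """Check a candidate before installation; return (accepted, evicted)."""
        clashing = [r for r in self.rules if conflicts(r, cand)]
        # A rule from a higher-ranked role blocks the candidate outright.
        if any(ROLE_RANK[r.role] > ROLE_RANK[cand.role] for r in clashing):
            return False, []
        # Otherwise the candidate replaces what it contradicts (sketch assumption
        # for the equal-rank case).
        self.rules = [r for r in self.rules if r not in clashing] + [cand]
        return True, clashing

def demo():
    """Constructed scenario: a security app's drop rule versus later inserts."""
    t = RuleTable()
    fw = FlowRule("security", "10.0.0.0/24", "192.168.1.10/32", 80, "drop")
    accepted = [t.insert(fw)[0]]
    accepted.append(t.insert(FlowRule("app", "10.0.0.5/32", "192.168.1.0/24", None, "forward"))[0])
    accepted.append(t.insert(FlowRule("app", "10.0.0.5/32", "192.168.1.10/32", 443, "forward"))[0])
    ok, evicted = t.insert(FlowRule("admin", "10.0.0.0/16", "192.168.1.10/32", 80, "forward"))
    return accepted, ok, evicted, t.rules
```

In `demo()`, the wildcard-port rule from the lower-ranked application is rejected because it overlaps the security application's drop rule, the port 443 rule is accepted because no packet matches both, and the administrator's rule evicts the drop rule it contradicts.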