Publication Details

AFRICAN RESEARCH NEXUS

computer science

Leveraging software-defined networking for security policy enforcement

Information Sciences, Volume 327, Year 2016

Network operators employ a variety of security policies to protect data and services. However, deploying these policies in a traditional network is complicated and prone to security vulnerabilities due to distributed network control and the lack of a standard control protocol. Software-defined networking provides an ideal paradigm to address these challenges by separating the control plane from the data plane and exploiting logically centralized control. In this paper, we focus on taking advantage of software-defined networking for security policy enforcement. We propose a two-layer OpenFlow switch topology designed to implement security policies, which considers the limited flow table size of a single switch, the complexity of configuring security policies on these switches, and load balancing among these switches. Furthermore, we introduce a safe way to update the configuration of these switches one by one for better load balancing when the traffic distribution changes. Specifically, we model the update process as a path in a graph, in which each node represents a configuration that satisfies the security policies, and each edge represents a single safe update step. Based on this model, we design a heuristic algorithm to find an optimal update path in real time. Simulations of the update scheme show that our proposed algorithm is effective and robust under an extensive range of conditions.
Statistics
Citations: 51
Authors: 7
Affiliations: 2
Research Areas
Health System And Policy