TY - JOUR
T1 - Brew
T2 - A Security Policy Analysis Framework for Distributed SDN-Based Cloud Environments
AU - Pisharody, Sandeep
AU - Natarajan, Janakarajan
AU - Chowdhary, Ankur
AU - Alshalan, Abdullah
AU - Huang, Dijiang
N1 - Funding Information:
This research is supported by US National Science Foundation Secure and Resilient Networking (SRN) Project (1528099) and NATO Science for Peace & Security Multi-Year Project (MD.SFPP 984425). Sandeep Pisharody is supported by a scholarship from the US National Science Foundation CyberCorps program (NSF-SFS-1129561).
Publisher Copyright:
© 2004-2012 IEEE.
PY - 2019/11/1
Y1 - 2019/11/1
N2 - The ease of programmability in Software-Defined Networking (SDN) makes it a great platform for the implementation of various initiatives that involve application deployment, dynamic topology changes, and decentralized network management in a multi-tenant data center environment. However, implementing security solutions in such an environment is fraught with policy conflicts and consistency issues, with the hardness of this problem being affected by the distribution scheme for the SDN controllers. In this paper we present Brew, a security policy analysis framework implemented on an OpenDaylight SDN controller, that has comprehensive conflict detection and resolution modules to ensure that no two flow rules in a distributed SDN-based cloud environment have conflicts at any layer, thereby assuring consistent conflict-free security policy implementation and preventing information leakage. We present techniques for global prioritization of flow rules in a decentralized environment, extend firewall rule conflict classification from a traditional environment to SDN flow rule conflicts by recognizing and classifying conflicts stemming from cross-layer conflicts, and provide strategies for unassisted resolution of these conflicts. Alternatively, if administrator input is desired to resolve conflicts, a novel visualization scheme is implemented to help the administrators view the conflicts graphically. We demonstrate the correctness, feasibility and scalability of our framework through a proof-of-concept prototype.
AB - The ease of programmability in Software-Defined Networking (SDN) makes it a great platform for the implementation of various initiatives that involve application deployment, dynamic topology changes, and decentralized network management in a multi-tenant data center environment. However, implementing security solutions in such an environment is fraught with policy conflicts and consistency issues, with the hardness of this problem being affected by the distribution scheme for the SDN controllers. In this paper we present Brew, a security policy analysis framework implemented on an OpenDaylight SDN controller, that has comprehensive conflict detection and resolution modules to ensure that no two flow rules in a distributed SDN-based cloud environment have conflicts at any layer, thereby assuring consistent conflict-free security policy implementation and preventing information leakage. We present techniques for global prioritization of flow rules in a decentralized environment, extend firewall rule conflict classification from a traditional environment to SDN flow rule conflicts by recognizing and classifying conflicts stemming from cross-layer conflicts, and provide strategies for unassisted resolution of these conflicts. Alternatively, if administrator input is desired to resolve conflicts, a novel visualization scheme is implemented to help the administrators view the conflicts graphically. We demonstrate the correctness, feasibility and scalability of our framework through a proof-of-concept prototype.
KW - Software-defined networks
KW - data center network
KW - distributed environments
KW - flow rule conflicts
KW - network security
UR - http://www.scopus.com/inward/record.url?scp=85023595495&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85023595495&partnerID=8YFLogxK
U2 - 10.1109/TDSC.2017.2726066
DO - 10.1109/TDSC.2017.2726066
M3 - Article
AN - SCOPUS:85023595495
SN - 1545-5971
VL - 16
SP - 1011
EP - 1025
JO - IEEE Transactions on Dependable and Secure Computing
JF - IEEE Transactions on Dependable and Secure Computing
IS - 6
M1 - 7976378
ER -