TY - JOUR
T1 - Intent-Driven Security Policy Management for Software-Defined Systems
AU - Chowdhary, Ankur
AU - Sabur, Abdulhakim
AU - Vadnere, Neha
AU - Huang, Dijiang
N1 - Funding Information:
The research work is funded by Naval Research Lab N0017319-1-G002 and the National Science Foundation U.S. DGE-1723440 and OAC-1642031.
Publisher Copyright:
© 2004-2012 IEEE.
PY - 2022/12/1
Y1 - 2022/12/1
N2 - Different network controllers are utilized in multi-domain software-defined systems (SDx) to manage networking resources. However, these controllers operate using different high-level languages (intents). Thus, the admin needs to perform cross-layer translation from the user requirements to the underlying network controller format, increasing human-in-the-loop overhead. There are two primary security and management challenges involved in managing multi-domain controllers. The first challenge is how to design an SDN controller language that can effectively convert human-specified networking policies at the control plane into network flow rules at the data plane. The second challenge is how to reduce the complexity of network flow rule conflict checking at the data plane. To address these challenges, we present a new intent-based security policy enforcement solution called INTPOL. First, INTPOL provides unified intent rules that abstract the network admin from the underlying network controller's format. Second, INTPOL develops a networking service solution that uses a bounded formal model for network service compliance checking, which significantly reduces the complexity of flow rule conflict checking at the data plane level. Finally, INTPOL is extendable from a single SDN domain to multiple SDN domains and hybrid networks by applying network service function chaining (SFC) for inter-domain policy management.
AB - Different network controllers are utilized in multi-domain software-defined systems (SDx) to manage networking resources. However, these controllers operate using different high-level languages (intents). Thus, the admin needs to perform cross-layer translation from the user requirements to the underlying network controller format, increasing human-in-the-loop overhead. There are two primary security and management challenges involved in managing multi-domain controllers. The first challenge is how to design an SDN controller language that can effectively convert human-specified networking policies at the control plane into network flow rules at the data plane. The second challenge is how to reduce the complexity of network flow rule conflict checking at the data plane. To address these challenges, we present a new intent-based security policy enforcement solution called INTPOL. First, INTPOL provides unified intent rules that abstract the network admin from the underlying network controller's format. Second, INTPOL develops a networking service solution that uses a bounded formal model for network service compliance checking, which significantly reduces the complexity of flow rule conflict checking at the data plane level. Finally, INTPOL is extendable from a single SDN domain to multiple SDN domains and hybrid networks by applying network service function chaining (SFC) for inter-domain policy management.
KW - Software-defined networks (SDN)
KW - bounded model checking (BMC)
KW - network invariant checking
KW - security policy management
KW - service function chaining
UR - http://www.scopus.com/inward/record.url?scp=85132769472&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85132769472&partnerID=8YFLogxK
U2 - 10.1109/TNSM.2022.3183591
DO - 10.1109/TNSM.2022.3183591
M3 - Article
AN - SCOPUS:85132769472
SN - 1932-4537
VL - 19
SP - 5208
EP - 5223
JO - IEEE Transactions on Network and Service Management
JF - IEEE Transactions on Network and Service Management
IS - 4
ER -