MLSNet: A Policy Complying Multilevel Security Framework for Software Defined Networking

by Stefan Achleitner, et al.

Ensuring that information flowing through a network is secure from manipulation and eavesdropping by unauthorized parties is an important task for network administrators. Many cyber attacks rely on a lack of network-level information flow controls to successfully compromise a victim network. Once an adversary exploits an initial entry point, they can eavesdrop and move laterally within the network (e.g., scan and penetrate internal nodes) to further their malicious goals. In this paper, we propose a novel multilevel security (MLS) framework to enforce a secure inter-node information flow policy within the network and thereby vastly reduce the attack surface available to an adversary who has penetrated it. In contrast to prior work on multilevel security in computer networks, which relied on enforcing the policy at network endpoints, we leverage the centralization of software-defined networks (SDNs) by moving the task to the controller and providing this service transparently to all nodes in the network. Our framework, MLSNet, formalizes the generation of a policy-compliant network configuration (i.e., the set of flow rules on the SDN switches) as network optimization problems, with the objectives of (1) maximizing the number of flows satisfying all security constraints and (2) minimizing the security cost of routing any remaining flows to guarantee availability. We demonstrate that MLSNet can securely route flows that satisfy the security constraints (e.g., >80 route the remaining flows with a minimal security cost.
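The abstract describes two objectives for the controller: admit as many flows as possible whose route satisfies every MLS constraint, and route the rest at minimal security cost. The following toy controller, added here as an illustration and not MLSNet's own code, shows both on a constructed topology. It assumes a Denning-style lattice of (level, compartments) labels on hosts and switches, treats a route as compliant when every node after the source dominates the source label (so no less-cleared device carries or receives the data), and uses an assumed security-cost metric (level shortfall plus missing compartments, summed over non-dominating nodes); the topology, labels, flows and the `flow_rules` output format are all constructed for the example.

```python
"""Toy MLS flow admission and routing for an SDN controller (added example).

Labels, topology, flows and the security-cost definition below are assumptions
made for illustration; they are not taken from the MLSNet paper.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Label:
    """Lattice label: hierarchical level plus a set of compartments."""
    level: int
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Standard lattice dominance: higher-or-equal level and a superset of compartments.
        return self.level >= other.level and self.compartments >= other.compartments


# Constructed sample network: hosts (h_*) and switches (s_*) with their labels.
LABELS: Dict[str, Label] = {
    "h_pub": Label(0),
    "h_fin": Label(2, frozenset({"fin"})),
    "h_hr": Label(2, frozenset({"hr"})),
    "h_audit": Label(3, frozenset({"fin", "hr"})),
    "s1": Label(3, frozenset({"fin", "hr"})),  # core switch cleared for everything
    "s2": Label(1),                            # low-clearance edge switch
    "s3": Label(2, frozenset({"fin"})),        # finance-segment switch
}
SWITCHES: Set[str] = {"s1", "s2", "s3"}
LINKS: List[Tuple[str, str]] = [
    ("h_pub", "s2"), ("s2", "s1"), ("s1", "s3"), ("s3", "h_fin"),
    ("s2", "s3"), ("h_hr", "s1"), ("h_audit", "s1"),
]
ADJ: Dict[str, Set[str]] = {n: set() for n in LABELS}
for a, b in LINKS:
    ADJ[a].add(b)
    ADJ[b].add(a)


def simple_paths(src: str, dst: str, path=None):
    """Enumerate loop-free paths from src to dst (DFS; fine for a toy topology)."""
    path = (path or []) + [src]
    if src == dst:
        yield path
        return
    for nxt in sorted(ADJ[src]):
        if nxt not in path:
            yield from simple_paths(nxt, dst, path)


def security_cost(path: List[str]) -> int:
    """Assumed metric: for each node after the source that fails to dominate the
    source label, add the level shortfall plus the number of missing compartments.
    A cost of 0 means the route satisfies the MLS policy end to end."""
    src = LABELS[path[0]]
    cost = 0
    for node in path[1:]:
        lab = LABELS[node]
        if not lab.dominates(src):
            cost += max(0, src.level - lab.level) + len(src.compartments - lab.compartments)
    return cost


def route_flow(src: str, dst: str) -> Tuple[List[str], int]:
    """Pick the path with minimal security cost, breaking ties by hop count."""
    best = None
    for p in simple_paths(src, dst):
        c = security_cost(p)
        if best is None or (c, len(p)) < (best[1], len(best[0])):
            best = (p, c)
    return best


def flow_rules(path: List[str]) -> List[Tuple[str, str, str, str]]:
    """Turn a path into per-switch rules: (switch, match src, match dst, next hop)."""
    src, dst = path[0], path[-1]
    return [(n, src, dst, path[i + 1]) for i, n in enumerate(path[:-1]) if n in SWITCHES]


def configure(flows: List[Tuple[str, str]]):
    """Objective (1): flows routed at cost 0; objective (2): the rest at minimal cost."""
    compliant, remaining = [], []
    for src, dst in flows:
        path, cost = route_flow(src, dst)
        (compliant if cost == 0 else remaining).append((src, dst, path, cost))
    return compliant, remaining


if __name__ == "__main__":
    ok, rest = configure([("h_pub", "h_fin"), ("h_fin", "h_audit"),
                          ("h_hr", "h_fin"), ("h_audit", "h_pub")])
    for s, d, p, c in ok + rest:
        print(f"{s}->{d}: cost={c} path={p} rules={flow_rules(p)}")
```

Running it shows the split the abstract talks about: the public-to-finance and finance-to-audit flows are routed at cost 0 (information only moves up the lattice, over cleared switches), while the HR-to-finance and audit-to-public flows cannot be made compliant by any path and are admitted only at a positive cost, which an operator would treat as the residual risk to accept, re-label, or block.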


Software defined networking flow admission and routing under minimal security constraints

In recent years, computer networks and telecommunications in general hav...

A Practical Runtime Security Policy Transformation Framework for Software Defined Networks

Software-defined networking (SDN) has been widely utilized to enforce th...

A Taxonomy for Attack Patterns on Information Flows in Component-Based Operating Systems

We present a taxonomy and an algebra for attack patterns on component-ba...

Only Connect, Securely

The lattice model proposed by Denning in her seminal work provided secur...

Secure Time-Sensitive Software-Defined Networking in Vehicles

Current designs of future In-Vehicle Networks (IVN) prepare for switched...

SUPC: SDN enabled Universal Policy Checking in Cloud Network

Multi-tenant cloud networks have various security and monitoring service...

Strategies for Integrating Controls Flows in Software-Defined In-Vehicle Networks and Their Impact on Network Security

Current In-Vehicle Networks (IVNs) connect Electronic Control Units (ECU...
