Digital | Applied Computer Science | Institut ProtectIT | Journal article
Amar Almaini, A. Al Dubai, I. Romdhani, Martin Schramm, A. Alsarhan
Lightweight edge authentication for software defined networks
Computing (Special Issue), no. 8, August 2020
2020
DOI: 10.1007/s00607-020-00835-4
Abstract:
OpenFlow is considered the best-known protocol for Software Defined Networking (SDN). The main drawback of OpenFlow is the lack of support for new header definitions, which is required by network operators to apply new packet encapsulations. While SDN's logically centralized control plane could enhance network security by providing global visibility of the network state, it still has many side effects. The intelligent controllers that orchestrate the dumb switches are overloaded and become prone to failure. Delegating some level of control logic to the edge or, to be precise, to the switches can offload the controllers from local state-based decisions that do not require global network-wide knowledge. Thus, this paper, to the best of our knowledge, is the first to propose the delegation of typical security functions from specialized middleboxes to the data plane. We leverage the opportunities offered by the Programming Protocol-independent Packet Processors (P4) language to present two authentication techniques that ensure that only legitimate nodes are able to access the network. The first technique is port knocking and the second is the One-Time Password. Our experimental results indicate that our proposed techniques improve the network's overall availability by offloading the controller as well as reducing the traffic in the network, without noticeable negative impact on switches' performance.
Digital | Applied Computer Science | Institut ProtectIT | Contribution (edited volume or conference proceedings)
Amar Almaini, A. Al Dubai, I. Romdhani, Martin Schramm
Delegation of Authentication to the Data Plane in Software Defined Networks
Proceedings of the 18th IEEE International Conference on Ubiquitous Computing and Communications (IUCC 2019) [October 21-23, 2019, Shenyang, China]
2019
DOI: 10.1109/IUCC/DSCI/SmartCNS.2019.00038
Abstract:
OpenFlow is considered the best-known protocol for Software Defined Networking (SDN). The main drawback of OpenFlow is the lack of support for new header definitions, which is required by network operators to apply new packet encapsulations. While SDN's logically centralized control plane could enhance network security by providing global visibility of the network state, it still has many side effects. The intelligent controllers that orchestrate the dumb switches are overloaded and become prone to failure. Delegating some level of control logic to the switches can offload the controllers from local state-based decisions that do not require global network-wide knowledge. Thus, this paper, to the best of our knowledge, is the first to propose the delegation of typical security functions from specialized middleboxes to the data plane. We leverage the opportunities offered by the P4 language to implement the functionality of authenticating nodes using port knocking. Our experimental results indicate that our proposed technique improves the network's overall availability by offloading the controller as well as reducing the traffic in the network, without noticeable negative impact on switches' performance.
Digital | Electrical Engineering and Media Technology | Institut ProtectIT | Contribution (edited volume or conference proceedings)
Michael Heigl, Laurin Dörr, Amar Almaini, D. Fiala, Martin Schramm
Incident Reaction Based on Intrusion Detections’ Alert Analysis
Proceedings of the 23rd International Conference on Applied Electronics (AE) 2018 (University of West Bohemia, Pilsen, Czech Republic; September 11-12, 2018)
2018
DOI: 10.23919/AE.2018.8501419
Abstract:
The protection of internetworked systems by cryptographic techniques has crystallized as a fundamental aspect of establishing secure systems. Complementarily, detection mechanisms, for instance based on Intrusion Detection Systems, have established themselves as a fundamental part of holistic security ecosystems in previous years. However, the interpretation of and reaction to detected incidents is still a challenging task. In this paper, an incident handling environment with relevant components and exemplary functionality is proposed that covers the processes from the detection of incidents through their analysis to the execution of appropriate reactions. An evaluation of a selection of implemented interacting components using technology such as OpenFlow or Snort generally proves the concept.