Paper title
P4Filter: A two level defensive mechanism against attacks in SDN using P4
Paper authors
Paper abstract
Advances in networking technologies have led to a new paradigm for controlling networks, with data plane programmability as its basis. This facility opens up many advantages, such as flexibility in packet processing and better network management, which in turn enables better security in the network. However, the current literature lacks network security solutions for authentication and for preventing unauthorized access. In this work, our goal is to prevent attacks with a two-level defense mechanism (P4Filter). The first level is a dynamic firewall logic that blocks packets generated by an unauthorized source. The second level is an authentication mechanism based on dynamic port knocking. Both security levels were tested in a virtual environment with P4-based switches. Packets arriving at the switch from unknown hosts are sent to the controller. The controller maintains an ACL, from which it derives the rules for both levels that allow or drop packets. For port knocking, a new random sequence is generated for every new host, and a host can only connect by using the sequence assigned to it. The tests conducted show that this approach performs better than previous P4-based firewall approaches because of its two security levels. Moreover, it successfully mitigates specific security attacks by blocking unauthorized access to the network.
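The control-plane logic the abstract describes (unknown host reported to the controller, an ACL that drives allow/drop rules, and a fresh random knock sequence per host) can be sketched as a small simulation. The code below is an added illustration written for this page, not the authors' P4Filter implementation: the class name `P4FilterController`, the `packet_in` verdict strings, the knock length, port range and failure threshold are all assumptions, and the rules "installed" on the switch are only recorded in a list instead of being pushed over P4Runtime. It also assumes the assigned knock sequence is delivered to the host out of band, which the abstract does not specify.

```python
"""Simulated two-level filter: dynamic ACL (level 1) plus per-host port knocking (level 2).

Hypothetical example, not the paper's code. The switch is not modelled; every packet
the switch would forward to the controller is passed to ``packet_in``.
"""
import secrets
from dataclasses import dataclass

ALLOW, DROP, PENDING = "allow", "drop", "pending"


@dataclass
class HostState:
    sequence: tuple            # knock sequence assigned to this host (assumed delivered out of band)
    status: str = PENDING      # ACL verdict: pending until the knock sequence is completed
    next_idx: int = 0          # index of the next expected knock
    failures: int = 0          # wrong knocks seen so far


class P4FilterController:
    def __init__(self, knock_len=3, max_failures=3, port_lo=10000, port_hi=60000):
        self.knock_len = knock_len          # assumed sequence length
        self.max_failures = max_failures    # assumed threshold before a host is blacklisted
        self.port_lo, self.port_hi = port_lo, port_hi  # assumed knock port range
        self.hosts = {}                     # src_ip -> HostState (the controller's ACL)
        self.rules = []                     # (src_ip, action) rules "installed" on the switch

    def _new_sequence(self):
        """Fresh random sequence of distinct ports, drawn from a CSPRNG."""
        seq = []
        while len(seq) < self.knock_len:
            port = self.port_lo + secrets.randbelow(self.port_hi - self.port_lo + 1)
            if port not in seq:             # distinct ports so one knock cannot satisfy two steps
                seq.append(port)
        return tuple(seq)

    def register_host(self, src_ip):
        """Level 1: an unknown host is added to the ACL as pending with its own sequence."""
        state = HostState(sequence=self._new_sequence())
        self.hosts[src_ip] = state
        return state.sequence

    def _install(self, src_ip, action):
        """Record the rule the controller would push to the P4 switch and update the ACL."""
        self.rules.append((src_ip, action))
        self.hosts[src_ip].status = action

    def packet_in(self, src_ip, dst_port):
        """Handle one packet the switch sent up; returns the verdict for that packet."""
        state = self.hosts.get(src_ip)
        if state is None:
            self.register_host(src_ip)      # first packet from an unknown host is not forwarded
            return "new_host"
        if state.status in (ALLOW, DROP):   # level 1: ACL decides, no knocking needed
            return state.status
        # Level 2: host is pending, so the packet is interpreted as a knock.
        if dst_port == state.sequence[state.next_idx]:
            state.next_idx += 1
            if state.next_idx == len(state.sequence):
                self._install(src_ip, ALLOW)  # full sequence seen: open the host up
                return ALLOW
            return "knock_ok"
        # Wrong knock: restart the sequence (a hit on the first port counts as a restart),
        # and blacklist the host after too many failures.
        state.next_idx = 1 if dst_port == state.sequence[0] else 0
        state.failures += 1
        if state.failures >= self.max_failures:
            self._install(src_ip, DROP)
            return DROP
        return "knock_reset"


if __name__ == "__main__":
    ctl = P4FilterController()
    ctl.packet_in("10.0.0.1", 80)                       # unknown host, gets a sequence
    seq = ctl.hosts["10.0.0.1"].sequence
    for port in seq:                                    # constructed knock traffic
        print(port, ctl.packet_in("10.0.0.1", port))
    print(ctl.rules)
```

Two design points worth noting: the sequence is drawn with `secrets` rather than `random`, since a guessable sequence would defeat the second level, and a host that exhausts its failures is written into the ACL as `drop`, so its later packets are decided at level 1 and never reach the knocking logic again.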
