ROCA: Auto‐resolving overlapping and conflicts in Access Control List policies for Software Defined Networking

Author(s): Awais Bin Asif, Muhammad Imran, Nadir Shah, Mehtab Afzal, Hasnat Khurshid

2018, Vol 79, pp. 225-234
Author(s): Joaquin Chung, Eun-Sung Jung, Rajkumar Kettimuthu, Nageswara S.V. Rao, Ian T. Foster, ...

Author(s): Amina Saadaoui

Software-defined networking (SDN) centralizes and simplifies network management and control. It brings significant flexibility and visibility to networking, but at the same time creates new security challenges. The promise of SDN is the ability to let networks keep pace with the speed of change: it allows frequent modifications to the network configuration. However, these changes may introduce misconfigurations, through inconsistent rules written for a single flow table or across multiple OpenFlow switches whose FlowTables must be maintained at the same time. Misconfigurations can also arise between firewalls and FlowTables in OpenFlow-based networks. Problems arising from these misconfigurations are common and have dramatic consequences for network operations. To avoid such scenarios, mechanisms to prevent these anomalies and inconsistencies are of paramount importance. To address these challenges, the authors present a new method that allows the automatic identification of intra- and inter-FlowTable anomalies. They also use the firewall to bring out real misconfigurations.


2020, Vol 2020, pp. 1-18
Author(s): Xianwei Zhu, ChaoWen Chang, Qin Xi, ZhiBin Zuo

Software-defined networking (SDN) decouples the control plane from the data plane, offering flexible network configuration and management. Because of this architecture, some security features are missing. On the one hand, because the data plane only has the packet forwarding function, it cannot effectively authenticate data validity. On the other hand, OpenFlow can only match on network characteristics, so it cannot achieve fine-grained access control. In this paper, we aim to develop solutions that guarantee the validity of flows in SDN and present Attribute-Guard, a fine-grained access control and authentication scheme for flows in SDN. We design an attribute-based flow authentication protocol to verify the legitimacy of a flow. The attribute identifier is used as a matching field to define forwarding control. Flow matching based on the attribute identifier and the flow authentication protocol jointly implement fine-grained access control. We conduct theoretical analysis and simulation-based evaluation of Attribute-Guard. The results show that Attribute-Guard can efficiently identify and reject fake flows.


Author(s): Kurniati Kurniati, Rahmat Novrianda Dasmen

PT. KAI Palembang is a branch of PT. Kereta Api Indonesia (KAI) Persero located in South Sumatra Province. PT. KAI Persero is an Indonesian state-owned enterprise that operates railway transportation, providing services including passenger and goods transportation. PT. KAI Palembang has a computer network connected to the PT. KAI Persero central office, which is located in Jakarta. PT. KAI Palembang is now trying to improve its computer network security, and one measure is limiting the access of users connected to the PT. KAI Palembang computer network. This can be done by implementing Access Control Lists (ACLs) and Frame Relay on the PT. KAI Palembang computer network. This research used the Network Development Life Cycle (NDLC) method, which has several stages, namely Analysis, Design, Simulation Prototyping, Implementation, Monitoring and Management. This method is used because the results of the research are displayed in the Cisco Packet Tracer simulator. In addition, the results were tested using a ping test between computers to show that the ACL design was working well.

