Information Flow Security in Mixed Software-Defined- and Legacy-Networks

The advent of virtualization of network functionality, heavily driven by Software Defined Networking (SDN) and Network Function Virtualization (NFV), calls into question traditional network security techniques, which were mostly enforced by perimeter gateway firewalls. While simple firewalling such as stateless packet filtering can often be substituted by SDN techniques, the more comprehensive security guarantees provided by stateful firewalls and application-layer filters are more challenging to achieve. Additionally, the fine-grained flow selection and manipulation abilities of SDN/NFV make it hard, and in part impossible, to obtain a solution that is based purely on good engineering practices. Without formally verified assertions about the overall network behaviour, a degree of security that satisfies the demands of high-security environments cannot be achieved. Therefore, we investigate formal verification techniques for advanced security invariants in SDN/NFV-based networks.


An additional challenge lies in the mixed operation of Software-Defined and Legacy Networks. The decentralized character of classical network equipment and protocols, such as IPv6 routers or the Spanning Tree Protocol, lacks compatibility with centralized SDN. From a security viewpoint, the distributed network state must be securely monitored, analyzed and forced into safe conditions. Existing verification techniques for SDN mostly ignore these difficulties. Thus, we intend to incorporate legacy behaviour in our models to obtain a flexible and realistic coverage of today's and future network operations.


This research is performed in close cooperation with the genua GmbH.


Publications

Anomaly Detection for Distributed IPv6 Firewalls
Claas Lorenz and Bettina Schnor
12th International Conference on Security and Cryptography (SECRYPT)
Colmar, France, July 2015

IPv6 Intrusion Detection System

The transition from the currently used Internet protocol version IPv4 to its official successor IPv6 is an important technical requirement for the ongoing development of communication and network infrastructures in the coming years. Therefore, the security of IPv6 networks is of high social relevance and importance.


The project "IPv6 Intrusion Detection System" is realized in collaboration with the "University of Potsdam", "Beuth-Hochschule für Technik", "EANTC" and "Strato AG". It is supported by the German "Federal Ministry of Education and Research".


For further information, please visit the project website: www.ipv6-ids.de