Leveraging SDN to enable short-term on-demand security exceptions

James Griffioen; Zongming Fei; Sergio Rivera; Jacob Chappell; Mami Hayashida; Pinyi Shi; Charles Carpenter; Yongwook Song; Bhushan Chitre; Hussamuddin Nasir; Kenneth L. Calvert

Leveraging SDN to enable short-term on-demand security exceptions

James Griffioen
, Zongming Fei
, Sergio Rivera
, Jacob Chappell
, Mami Hayashida
, Pinyi Shi
, Charles Carpenter
, Yongwook Song
, Bhushan Chitre
, Hussamuddin Nasir
, Kenneth L. Calvert

Producción científica: Conference contribution › revisión exhaustiva

3 Citas (Scopus)

Resumen

Network security devices intercept, analyze and act on the traffic moving through the network to enforce security policies. They can have adverse impact on the performance, functionality, and privacy provided by the network. To address this issue, we propose a new approach to network security based on the concept of short-term on-demand security exceptions. The basic idea is to bring network providers and (trusted) users together by (1) implementing coarse-grained security policies in the traditional way using conventional in-band security approaches, and (2) handling special cases policy exceptions in the control plane using user/application-supplied information. By divulging their intent to network providers, trusted users can receive better service. By allowing security exceptions, network providers can focus inspections on general (untrusted) traffic. We describe the design of an on-demand security exception mechanism and demonstrate its utility using a prototype implementation that enables high-speed big-data transfer across campus networks. Our experiments show that the security exception mechanism can improve the throughput of flows by trusted users significantly.

Idioma original	English
Título de la publicación alojada	2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019
Páginas	13-18
Número de páginas	6
ISBN (versión digital)	9783903176157
Estado	Published - may 16 2019
Evento	2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019 - Arlington, United States Duración: abr 8 2019 → abr 12 2019

Serie de la publicación

Nombre	2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019

Conference

Conference	2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019
País/Territorio	United States
Ciudad	Arlington
Período	4/8/19 → 4/12/19

Nota bibliográfica

Publisher Copyright:
© 2019 IFIP.

Financiación

ACKNOWLEDGMENT The work of Kenneth L. Calvert was supported by the National Science Foundation during his assignment there. The work of other authors was supported in part by the National Science Foundation under Grants ACI-1541380, ACI-1541426, and ACI-1642134. The work of Kenneth L. Calvert was supported by the National Science Foundation during his assignment there. The work of other authors was supported in part by the National Science Foundation under Grants ACI-1541380, ACI-1541426, and ACI-1642134.

Financiadores	Número del financiador
National Science Foundation (NSF)	ACI-1642134, ACI-1541426, ACI-1541380
National Science Foundation (NSF)

ASJC Scopus subject areas

Information Systems and Management
Management Science and Operations Research
Information Systems
Computer Networks and Communications

Otros archivos y enlaces

Citar esto

Griffioen, J., Fei, Z., Rivera, S., Chappell, J., Hayashida, M., Shi, P., Carpenter, C., Song, Y., Chitre, B., Nasir, H., & Calvert, K. L. (2019). Leveraging SDN to enable short-term on-demand security exceptions. En 2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019 (pp. 13-18). Artículo 8717817 (2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019).

@inproceedings{92e410aa1113426597f9bf20fcd06885,

title = "Leveraging SDN to enable short-term on-demand security exceptions",

abstract = "Network security devices intercept, analyze and act on the traffic moving through the network to enforce security policies. They can have adverse impact on the performance, functionality, and privacy provided by the network. To address this issue, we propose a new approach to network security based on the concept of short-term on-demand security exceptions. The basic idea is to bring network providers and (trusted) users together by (1) implementing coarse-grained security policies in the traditional way using conventional in-band security approaches, and (2) handling special cases policy exceptions in the control plane using user/application-supplied information. By divulging their intent to network providers, trusted users can receive better service. By allowing security exceptions, network providers can focus inspections on general (untrusted) traffic. We describe the design of an on-demand security exception mechanism and demonstrate its utility using a prototype implementation that enables high-speed big-data transfer across campus networks. Our experiments show that the security exception mechanism can improve the throughput of flows by trusted users significantly.",

keywords = "Middleboxes, Security appliance, Software defined networking, Trusted flows",

author = "James Griffioen and Zongming Fei and Sergio Rivera and Jacob Chappell and Mami Hayashida and Pinyi Shi and Charles Carpenter and Yongwook Song and Bhushan Chitre and Hussamuddin Nasir and Calvert, \{Kenneth L.\}",

note = "Publisher Copyright: {\textcopyright} 2019 IFIP.; 2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019 ; Conference date: 08-04-2019 Through 12-04-2019",

year = "2019",

month = may,

day = "16",

language = "English",

series = "2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019",

pages = "13--18",

booktitle = "2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019",

}

Griffioen, J , Fei, Z, Rivera, S, Chappell, J, Hayashida, M, Shi, P, Carpenter, C, Song, Y, Chitre, B, Nasir, H & Calvert, KL 2019, Leveraging SDN to enable short-term on-demand security exceptions. En 2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019., 8717817, 2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019, pp. 13-18, 2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019, Arlington, United States, 4/8/19.

Leveraging SDN to enable short-term on-demand security exceptions. / Griffioen, James ; Fei, Zongming; Rivera, Sergio et al.
2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019. 2019. p. 13-18 8717817 (2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019).

Producción científica: Conference contribution › revisión exhaustiva

TY - GEN

T1 - Leveraging SDN to enable short-term on-demand security exceptions

AU - Griffioen, James

AU - Fei, Zongming

AU - Rivera, Sergio

AU - Chappell, Jacob

AU - Hayashida, Mami

AU - Shi, Pinyi

AU - Carpenter, Charles

AU - Song, Yongwook

AU - Chitre, Bhushan

AU - Nasir, Hussamuddin

AU - Calvert, Kenneth L.

PY - 2019/5/16

Y1 - 2019/5/16

N2 - Network security devices intercept, analyze and act on the traffic moving through the network to enforce security policies. They can have adverse impact on the performance, functionality, and privacy provided by the network. To address this issue, we propose a new approach to network security based on the concept of short-term on-demand security exceptions. The basic idea is to bring network providers and (trusted) users together by (1) implementing coarse-grained security policies in the traditional way using conventional in-band security approaches, and (2) handling special cases policy exceptions in the control plane using user/application-supplied information. By divulging their intent to network providers, trusted users can receive better service. By allowing security exceptions, network providers can focus inspections on general (untrusted) traffic. We describe the design of an on-demand security exception mechanism and demonstrate its utility using a prototype implementation that enables high-speed big-data transfer across campus networks. Our experiments show that the security exception mechanism can improve the throughput of flows by trusted users significantly.

AB - Network security devices intercept, analyze and act on the traffic moving through the network to enforce security policies. They can have adverse impact on the performance, functionality, and privacy provided by the network. To address this issue, we propose a new approach to network security based on the concept of short-term on-demand security exceptions. The basic idea is to bring network providers and (trusted) users together by (1) implementing coarse-grained security policies in the traditional way using conventional in-band security approaches, and (2) handling special cases policy exceptions in the control plane using user/application-supplied information. By divulging their intent to network providers, trusted users can receive better service. By allowing security exceptions, network providers can focus inspections on general (untrusted) traffic. We describe the design of an on-demand security exception mechanism and demonstrate its utility using a prototype implementation that enables high-speed big-data transfer across campus networks. Our experiments show that the security exception mechanism can improve the throughput of flows by trusted users significantly.

KW - Middleboxes

KW - Security appliance

KW - Software defined networking

KW - Trusted flows

UR - https://www.scopus.com/pages/publications/85067076480

UR - https://www.scopus.com/pages/publications/85067076480#tab=citedBy

M3 - Conference contribution

AN - SCOPUS:85067076480

T3 - 2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019

SP - 13

EP - 18

BT - 2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019

T2 - 2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019

Y2 - 8 April 2019 through 12 April 2019

ER -

Leveraging SDN to enable short-term on-demand security exceptions

Resumen

Serie de la publicación

Conference

Nota bibliográfica

Financiación

ASJC Scopus subject areas

Otros archivos y enlaces

Huella

Citar esto