Enabling security functions with SDN: A feasibility study

Software-defined networking (SDN) is being strongly considered as the next promising networking platform, and studies regarding SDN have been actively conducted accordingly. However, the security of SDN remains undefined and unknown when considering the enhancement of network security in SDN. In this paper, we verify whether SDN can enhance network security. Specifically, the idea of enabling security functions with diverse SDN features is explored thoroughly. In order to elucidate the feasibility of SDN-based security functions, we implement four types of security functions with SDN in Floodlight applications: (i) in-line mode security functions (e.g. firewalls and IPS), (ii) passive mode security functions (e.g. IDS), (iii) network anomaly detection functions (e.g. scan and DDoS detector), and (iv) advanced security functions (e.g. stateful firewall and reflector networks). Furthermore, we focus on discovering issues that might arise throughout the implementation of SDN-based security applications and discuss how these issues can be addressed. In order to appropriately prove the feasibility of the SDN-based security applications, we evaluate our Floodlight applications in real testbeds that consist of SDN-enabled switches and a number of physical hosts.