Taking in-network security to the next level with software-defined networking

The original design of the Internet did not take network security aspects into consideration, instead it aimed to facilitate the process of information exchange between network end-hosts. Consequently, many protocols that are now part of the Internet infrastructure expose a set of vulnerabilities that can be exploited by adversaries. To reduce these vulnerabilities, several security approaches were introduced as a form of add-ons to the existing Internet architecture. However, these approaches have their drawbacks such as lack of centralized control and automation, hardware dependencies, etc. In this thesis, to address these drawbacks, Software Defined Networking (SDN) is considered as a candidate to be used for developing security applications because of the features it provides such as network-visibility, centralized management and control. Although the SDN architecture provides features that can aid in the process of network security, it has some deficiencies when it comes to be used for network security, some of which are: single controller, tightly coupled monitoring and control functions. To address these deficiencies, several architectural requirements are derived to adapt the SDN architecture for security use cases. Furthermore, an Orchestrator-based architecture that utilizes Network Monitoring and SDN Control functions is proposed and employed to develop security applications for mitigating against several attacks such as: Address Resolution Protocol (ARP) Spoong / Cache Poisoning, Denial of Service (DoS), and Domain Name System (DNS) Amplification. Moreover, to demonstrate the behavior of proposed security applications and architecture, each application is tested and validated. Finally, the performance implications of the proposed architecture are discussed.