SDS-based security service orchestration

1. Orchestration system architecture

Fig.1 the system architecture

       The entire system is divided into three layers: application layer, control layer, data layer, then the main modules in each layer will be introduced.

The application layer is presented directly to the user, including the APP Store platform and the Orchestration Engine. APP Store is mainly responsible for managing all kinds of security applications. In addition to providing technical support for downloading, storing and creating all secure applications, the APP Store can also recommend orchestration services to users and generate orchestration policies.

Orchestration Engine is responsible for orchestration policies resolution and orchestration jobs execution. The Orchestration Engine is composed of several modules including Policy Resolution Module, Security Job Scheduler Module, Orchestration Service Templates Module and Service Driver Module. In the control plane, the orchestration function is achieved within the security controller. The main function of the security controller in the orchestration processes is scheduling the orchestration tasks. It receives the information of the security job from the Orchestration Engine, and collects the information of security resources to support the security resource scheduling algorithm. Then security commands are issued to the elected devices.

The control layer is the core of the overall system architecture, mainly including the SDN controller and security controller. The security controller manages the virtualized or traditional security devices through the southbound interface and distributes security policies and commands to the security devices and obtain the relevant data, status and security logs of the security devices. The security controller interacts with all kinds of secure APPs through northbound interfaces to implement security application collaboration and defend against different types of attacks. In the westbound interface, the security controller obtains information such as the flow data and the network topology through the SDN network controller, and delivers the service function chaining policy through the SDN controller to steer network traffic. The network controller maintains the topology information of the underlying network based on the OpenFlow protocol, implements the selection of the traffic path and the delivery of the OpenFlow flow table.

The data layer is composed of network devices, virtual or physical security devices and hosts. The data layer or infrastructure layer is mainly used for data forwarding, packet analysis and traffic filtering.

2. the orchestration of IDS and Firewall

We present an orchestration scenario to illustrate and test the orchestration capability of the SC-SDS architecture. In this scenario, we chose the orchestration of IDS and Firewall. We imagine that consumers bought a security service of monitoring the target host to detect whether the target host is invaded. Once the intrusion is detected by the IDS, the consumers’ host will be protected by Firewall automatically.

We first introduce the modules in security controller used in orchestration processes.

SFC policy interface module

This module is used to resolve a SFC policy from the application layer. And it maps the SFC policy into the actual system components along with the actual network topology by installing a series of flow rules into a sequence of switches. Finally the flows are forwarded according to the SFC policy.

SFC policy checking module

In the underlying network, the flows are not always forwarded according to the SFC policies in complex SDN network environment when the flow rules installed by other applications change the expected path of SFC policies. We call these flow rules installed by these applications “conflict flow rules” and the expected path of a SFC policy “SFC path”. The following is an example.  Suppose a user defines a high level SFC policy to steer the flow to go through Firewall, Intrusion Prevention System (IPS) and Web Application Firewall (WAF) by installing a series of flow rules into the switches. The flows are not correctly forwarded according to the SFC policy when flow rules installed by the other applications which has higher priority and different action intersects with the flows that SFC policies steer.

This module is used to check the enforcement of SFC policy. If the underlying network forwarding behaviors are not compliant with the SFC policy, it will store all conflict flow rules. the network administrator can reconfigure the network policy according to the conflict flow rules.

orchestration processes

Process 1: In APP Store (a web interface), the user issues a orchestration policy of IDS and Firewall. Then the policy, a simplified playbook of orchestration, is transferred to the orchestration engine. In the orchestration engine, the orchestration policy is resolved and the security resource orchestration scenario is built in the Policy Resolution Module. According to the orchestration scenario, the security job is produced in the Security Job Driver Module, which is on the basis of orchestration service templates offered by the Orchestration Service Templates Module. Then the information of the security job is issued to the Security Controller through the Service Driver Module.

Process 2: The security controller receives the information of the security job. The security resource scheduler module elects the optimal device according to the resource scheduling algorithm and the registration information of the security devices, and then issues the command of scheduling. The service function chaining(SFC) policy interface module receives the SFC policy from orchestration engine. Then it creates flow rules according to the traffic pattern and the location of security devices and these flow rules will be installed into the switches through SDN controller.

Process 3: In security controller, the service function chaining policy checking module will check the SFC policy. If the flows are not correctly forwarded according to the SFC policy, the service function chaining policy checking module will return all conflict flow rules. Then the network administrator can reconfigure the network policy according to the conflict flow rules.