Switch-Level Network Security

University of Pennsylvania - Distributed Systems Laboratory

Software Defined Networks (SDNs) are an appealing platform for network security applications. However, existing approaches to building security applications on SDNs are not practical because of performance and deployment challenges. Network security applications often need to analyze and process traffic in more advanced ways than SDN data plane implementations, such as OpenFlow, allow. As a result, much of an application ends up running on the centralized controller, which forms an inherent bottleneck. We are researching frameworks that allow security applications to dynamically push parts of their logic down to switches, where application-dependent processing and monitoring can execute close to the data plane, at rates approaching line speed. We built a system that leverages switch CPUs (Enabling Practical Software-defined Networking Security Applications with OFX, NDSS 2016), and are now extending our work to support next-generation P4 platforms, such as the Netronome Agilio SmartNICs.

Jonathan M Smith, John Sonchack