A high-level authorization framework for software-defined networks

Bibliographic details
Main author: ROSENDO, Daniel
Publication date: 2017
Document type: Dissertation (master's thesis)
Language: eng
Source title: Repositório Institucional da UFPE
Full text: https://repositorio.ufpe.br/handle/123456789/25356
Abstract: Network Access Control (NAC) management is a critical task. Misconfigurations may result in vulnerabilities that may compromise the overall network security. Traditional access control setups rely on firewalls, IEEE 802.1x, VLANs, ACLs, and LDAP. These approaches work well for small, stable networks but are hard to integrate and configure. Besides, they are inflexible and require per-device, vendor-specific configuration, which is error-prone. The Software-Defined Networking (SDN) paradigm overcomes architectural problems of traditional networks, simplifies network design and operation, and offers new opportunities (programmability, flexibility, dynamicity, and standardization) to manage these issues. Furthermore, SDN reduces human intervention, which in turn reduces operational costs and misconfigurations. Despite this, access control management remains a challenge, since managing security policies involves handling a large set of access control rules, detecting conflicting policies, defining priorities, delegating rights, and reacting to dynamic network states and events. This dissertation explores the use of SDN to mitigate these problems. We present HACFlow, a novel SDN framework for network access control management based on the OrBAC model. HACFlow aims to simplify and automate NAC management. It allows network operators to govern the rights of network entities by defining dynamic, fine-grained, high-level access control policies. To illustrate the operation of HACFlow, we show step by step how the main management tasks are executed. Our case study is a Smart City network environment. We conducted many experiments to analyze the scalability and performance of HACFlow; the results show that it takes on the order of milliseconds to execute all the management tasks, even when managing many policies. Besides, we compare HACFlow against related approaches.
Author Lattes profile: http://lattes.cnpq.br/2535463490686959
Advisor Lattes profile: http://lattes.cnpq.br/7532050172035129
Advisor: KELNER, Judith
Co-advisor: ENDO, Patricia Takako
Subjects: Computer networks; Internet of Things
Date issued: 2017-03-14
Date accessioned and available in the repository: 2018-08-02
Type: master's thesis, published version
Rights: Attribution-NonCommercial-NoDerivs 3.0 Brazil (http://creativecommons.org/licenses/by-nc-nd/3.0/br/), open access
Publisher: Universidade Federal de Pernambuco (UFPE), Brasil
Program: Programa de Pos Graduacao em Ciencia da Computacao
PDF: https://repositorio.ufpe.br/bitstream/123456789/25356/1/DISSERTA%c3%87%c3%83O%20Daniel%20Rosendo.pdf
Repository contact: attena@ufpe.br