The advancements in networking technologies have led to a new paradigm of controlling networks, with data plane programmability as its basis. This facility opens up many advantages, such as flexibility in packet processing and better network management, which in turn leads to better security in the network. However, the current literature lacks network security solutions concerning authentication and the prevention of unauthorized access. In this work, our goal is to avoid attacks with a two-level defense mechanism (P4Filter). The first level is a dynamic firewall logic, which blocks packets generated from an unauthorized source. The second level is an authentication mechanism based on dynamic port knocking. The two security levels were tested in a virtual environment with P4-based switches. Packets arriving at the switch from unknown hosts are sent to the controller. The controller maintains an ACL, using which it assigns rules for both levels to allow or drop the packets. For port knocking, a new random sequence is generated for every new host; hosts can only connect using the correct sequence assigned to them. The tests conducted show that this approach performs better than previous P4-based firewall approaches due to its two security levels. Moreover, it is successful in mitigating specific security attacks by blocking unauthorized access to the network.
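The abstract describes the control logic only at a high level: unknown sources are punted to the controller, the controller keeps an ACL that feeds the firewall level, and each new host receives its own random knock sequence. The following is an added example, written for this page and not code from the P4Filter authors, that models that controller logic as a small state machine so the two levels can be exercised offline. In a real deployment the allow/deny decisions would be pushed into P4 tables (for instance over P4Runtime); here the `handle_packet()` method stands in for the switch pipeline. The class and method names, the return codes, the knock-port pool, the sequence length and the failure threshold are all assumptions of this example, not values taken from the paper.

```python
"""Controller-side model of a two-level P4Filter-style scheme (added example).

Level 1: an ACL kept by the controller; sources on the deny list are
         dropped by the switch without further processing.
Level 2: port knocking with a random per-host sequence; a host that
         completes its sequence gets an allow rule, a host that fails
         too often gets a deny rule.

All names, return codes and thresholds below are assumptions of this
example, not values from the paper.
"""
import random
from dataclasses import dataclass

KNOCK_PORT_RANGE = range(10000, 60000)   # assumed pool of knock ports


@dataclass
class Packet:
    src: str        # source host identifier (IP address as a string)
    dst_port: int   # TCP/UDP destination port


class P4FilterController:
    def __init__(self, knock_len=3, max_failures=3, seed=None):
        self.knock_len = knock_len
        self.max_failures = max_failures
        # A seed gives reproducible sequences for testing; production use
        # would rely on the OS CSPRNG (SystemRandom).
        self.rng = random.Random(seed) if seed is not None else random.SystemRandom()
        self.deny = set()       # level 1 ACL: sources the switch drops outright
        self.allow = set()      # level 1 ACL: sources whose packets are forwarded
        self.sequences = {}     # level 2: src -> knock sequence assigned to it
        self.progress = {}      # level 2: src -> index of the next expected knock
        self.failures = {}      # level 2: src -> wrong knocks so far

    def register_host(self, src):
        """Controller action on the first packet from an unknown host:
        assign a fresh random sequence of distinct knock ports."""
        seq = self.rng.sample(KNOCK_PORT_RANGE, self.knock_len)
        self.sequences[src] = seq
        self.progress[src] = 0
        self.failures[src] = 0
        return seq

    def knock_sequence(self, src):
        """The sequence assigned to a host (delivered out of band in practice)."""
        return list(self.sequences[src])

    def handle_packet(self, pkt):
        src = pkt.src
        # Level 1: ACL lookup, the part the data plane can do on its own.
        if src in self.deny:
            return "DROP"
        if src in self.allow:
            return "FORWARD"
        # Unknown host: punt to the controller, which assigns a sequence.
        if src not in self.sequences:
            self.register_host(src)
            return "PUNT"
        # Level 2: knock state machine for a known but unauthenticated host.
        expected = self.sequences[src][self.progress[src]]
        if pkt.dst_port == expected:
            self.progress[src] += 1
            if self.progress[src] == self.knock_len:
                self.allow.add(src)          # install allow rule
                return "AUTHENTICATED"
            return "KNOCK"
        # Wrong port: restart the sequence and count the failure.
        self.progress[src] = 0
        self.failures[src] += 1
        if self.failures[src] >= self.max_failures:
            self.deny.add(src)               # install deny rule
            return "BLOCKED"
        return "KNOCK_FAILED"


if __name__ == "__main__":
    ctl = P4FilterController(seed=7)
    host = "10.0.0.1"
    print(host, 80, ctl.handle_packet(Packet(host, 80)))   # PUNT
    for port in ctl.knock_sequence(host):
        print(host, port, ctl.handle_packet(Packet(host, port)))
    print(host, 80, ctl.handle_packet(Packet(host, 80)))   # FORWARD
```

Two points the model makes visible: a host that replays another host's sequence never authenticates, because sequences are bound to the source and generated per host, and a host that keeps guessing is moved from the knock level down into the level-1 deny list, so its later packets never reach the controller at all. The mismatch rule is deliberately strict (any wrong port resets progress); a production variant would also want sequences to expire and the per-host state to be garbage collected.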