As technology advances, the challenges grow in proportion. As network access and usage increase, the challenges of distributing the appropriate content and resources to end users increase proportionally as well. Because computing devices now span a wide range, end-user requirements span a wide range too, and this calls for a detailed evaluation of the contemporary networking approaches available today.
Software Defined Networks
Software Defined Networking is a new networking approach that lets the network administrator manage network services through higher-level functionality abstraction. This is achieved by decoupling the system that decides where traffic is sent (the control plane) from the underlying system that forwards the traffic towards its targeted destination (the data plane). SDN is most associated with the OpenFlow protocol for communicating with the elements of the network plane; however, OpenFlow has not been the single solution for many companies, because many new and different techniques have emerged.
The SDN architecture considered here is built on the OpenFlow protocol as a foundational element of the proposed solution. The architecture has the following characteristics.
Administrators are able to abstract control from forwarding and to direct network-wide traffic flow dynamically, according to changing traffic needs.
- Directly Programmable
The administrator can program the network control directly, because it is decoupled from the forwarding functions.
- Centrally Managed
Network intelligence is logically centralized in software-based SDN controllers, which maintain a global view of the network that appears to policy engines and applications as a single logical switch.
- Open Standards-based and vendor-neutral
Network operations and network design are simplified when implemented through open standards, because instructions are provided by SDN controllers instead of by multiple vendor-specific devices and protocols.
- Programmatically Configured
Network managers can configure, secure, optimize and manage network resources quickly and easily through automated, dynamic SDN programs, which they can write themselves because the programs are independent of proprietary software.
The new SDN architecture was developed to manage the traffic needs resulting from the explosion of server virtualization, the advent of cloud services, and mobile devices and their content; these trends are driving the networking industry to re-examine traditional network architectures. Current networks are built from tiers of Ethernet switches arranged hierarchically in a tree structure. This design suits client-server networks. However, it is a static architecture that is poorly suited to the dynamic computing and storage needs of today's enterprise campuses, data centres and carrier environments. Software defined networking offers the following benefits to organizations and their processes.
Managing the New Traffic Patterns
Today's traffic patterns within the enterprise data centre are compatible with software defined networking, and the changing traffic patterns of network users can be managed by the new approach. Users demand access to new applications and corporate content from a variety of mobile computing devices that connect at any time, and SDN makes meeting these demands easier. Additional traffic is also developing across the WAN (Wide Area Network) as enterprise data centre managers adopt the new utility computing model, which includes public cloud, private cloud, or a hybrid of both.
Easier Consumerization of IT
The job of information technology in meeting the demands of the growing use of mobile computing devices, such as notebooks, tablets and smartphones, for accessing corporate data, and in accommodating those devices, is now easier. Access is granted in a fine-grained manner, so intellectual property and corporate data can be well protected and compliance mandates met.
Rising Cloud Services
Enterprises embracing cloud services, both private and public, can now absorb the resulting growth in devices. Business units can obtain agile, on-demand access to infrastructure, applications and IT resources. IT planning for cloud services can now be done with increased security, auditing and compliance requirements in mind. Elastic scaling of storage, network and computing resources enables self-service provisioning in either a public or a private cloud.
More Bandwidth for Big Data
The requirements of today's mega data sets, or big data, processed in parallel across interconnected servers can be met by software defined networks, which can satisfy the demand for additional network capacity in the data centre.
Figure: software defined networking architecture high level overview
The architecture of the SDN has the following components.
SDN applications communicate their network requirements and the desired network behaviour to the SDN controller explicitly, programmatically and directly, through the NBI (Northbound Interface). An SDN application consists of SDN application logic and NBI drivers. Applications may themselves expose a further layer of abstracted control, so that higher-level NBIs are offered through NBI agents.
The SDN controller is the vital, logically centralized part of the architecture. It is in charge of
- Translating the requirements received from the SDN application layer down to the data paths
- Providing SDN applications with an abstract view of the network, including events and statistics
Every SDN controller consists of SDN control logic, NBI agents and a CDPI (Control to Data-Plane Interface) driver.
SDN Data path
The SDN data path is a vital component that acts as a logical network device, exposing visibility and control over its advertised forwarding and data-processing capabilities.
The Control to Data-Plane Interface (CDPI) is the interface between the SDN data path and the controller.
The Northbound Interface (NBI) is the interface between SDN controllers and applications.
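As an added illustration of the component split just described (not code from this page, from any SDN controller or from the OpenFlow protocol; the intent and rule formats are assumptions), here is a small Python model in which applications submit requirements over the NBI, the controller translates them into prioritized flow rules pushed over the CDPI, and the data path forwards by matching its flow table:

```python
# Model of the SDN component split: applications state requirements over
# the NBI, the controller turns them into prioritized flow rules installed
# over the CDPI, and the data path forwards by matching. Formats are assumed.
from collections import namedtuple
from dataclasses import dataclass, replace

Packet = namedtuple("Packet", "src dst proto dport")   # proto: "tcp"/"udp"


@dataclass
class FlowRule:
    match: dict       # Packet fields that must all be equal
    action: str       # "forward:<port>" or "drop"
    priority: int     # highest matching priority wins
    hits: int = 0     # statistics reported back through the CDPI


class DataPath:
    """Logical network device exposing a flow table and its statistics."""
    def __init__(self, name):
        self.name, self.flow_table = name, []

    def install(self, rule):          # CDPI: controller installs a rule
        self.flow_table.append(rule)
        self.flow_table.sort(key=lambda r: r.priority, reverse=True)

    def handle(self, pkt):
        for rule in self.flow_table:
            if all(getattr(pkt, k) == v for k, v in rule.match.items()):
                rule.hits += 1
                return rule.action
        return "drop"                 # assumed table-miss behaviour


class Controller:
    """Logically centralized control logic with NBI and CDPI sides."""
    def __init__(self):
        self.paths = {}

    def attach(self, dp):             # CDPI driver: register a data path
        self.paths[dp.name] = dp

    def nbi_request(self, intent):
        """NBI agent: translate an application intent into flow rules."""
        match = {k: intent[k] for k in ("src", "dst", "proto", "dport") if k in intent}
        if intent["kind"] == "block":
            rule = FlowRule(match, "drop", 200)
        elif intent["kind"] == "allow":
            rule = FlowRule(match, "forward:%d" % intent["out_port"], 100)
        elif intent["kind"] == "default":
            rule = FlowRule({}, "forward:%d" % intent["out_port"], 0)
        else:
            raise ValueError("unknown intent kind %r" % intent["kind"])
        for dp in self.paths.values():
            dp.install(replace(rule))  # each path gets its own copy (own stats)

    def abstract_view(self):          # network-wide view offered over the NBI
        return {name: [(r.match, r.action, r.hits) for r in dp.flow_table]
                for name, dp in self.paths.items()}


def demo():
    """Constructed scenario: one data path, three application intents."""
    ctl, sw = Controller(), DataPath("sw1")
    ctl.attach(sw)
    ctl.nbi_request({"kind": "default", "out_port": 1})
    ctl.nbi_request({"kind": "allow", "dst": "10.0.0.20", "proto": "tcp",
                     "dport": 443, "out_port": 2})
    ctl.nbi_request({"kind": "block", "proto": "tcp", "dport": 23})
    verdicts = [sw.handle(Packet("10.0.0.5", "10.0.0.20", "tcp", 443)),
                sw.handle(Packet("10.0.0.5", "10.0.0.20", "tcp", 23)),
                sw.handle(Packet("10.0.0.5", "10.0.0.30", "udp", 53))]
    return verdicts, ctl.abstract_view()
```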
Impact on IT Staff
- Lower operating and hardware costs
- Improved uptime
- Improved planning and management
- Tighter security
Policy Based Network Management
Policy Based Network Management is a new technology capable of simplifying the tedious and complex tasks of distributed system and network management. It enables the network administrator to deploy policies that manage various aspects of the network or distributed system in a simplified and flexible manner. The policies in turn govern the behaviour of the network and its processing. Policies are rules that are independent of the technology. They aim to enhance the hard-coded functionality of managed devices by introducing interpreted logic that changes dynamically, without changing the underlying implementations. This allows a degree of programmability without interrupting the operation of the managed system.
The policy based management architecture consists of the following four functional elements:
- PDP – Policy Decision Point
- PMT – Policy Management Tool
- PEP – Policy Enforcement Point
- Policy Repository
Figure: PBM Architecture and Elements
The PMT enables the administrator to define or update the policies enforced in the managed network. The resulting policies are stored in the policy repository in a form corresponding to the information model, which makes interoperability possible across products from many vendors. When existing policies in the repository are changed or new ones are added, the PMT issues the necessary notifications to the relevant PDP. The PDP interprets the policies and communicates them to the PEP. The PEP is a component that runs on a policy-aware node and executes the policies. All these components communicate with each other through a number of protocols.
Policy refinement transforms an abstract or higher-level policy specification into concrete, low-level policies that can be enforced on the managed systems.
Logical PBM Architecture
Figure: Logical PBM Architecture of PBM
The following are the distinct characteristics of policy based network and traffic management.
- Stateful traffic inspection
- Classification and categorization of network traffic, such as data, video, web, voice, audio, protocol, etc.
- User identification, for instance, through hostname, IP address, login account, etc.
- Policy enforcement
- Application identification, such as application type and well-known service
A wide range of services and controls can be deployed through policy based network management, for example:
- Scope of control, like control of the mode groups, users, etc.
- Centralized policy management, with directives and rules that can be established as network access policy
- Scalability of the end-nodes, end-users, etc.
- Distribution policy controls, such as memory and local processor resources, etc.
- Network privileges, specific to the users, with roaming policies
- Network privileges specific to the applications, like bandwidth, admission control, etc.
- Restrictions of time and delay
- Restrictions by traffic class, such as email, chat, web pages, etc.
- Restrictions by site, allowing or denying specific URLs and IP addresses
- Restrictions by content, such as keywords, PICS ratings of web documents, phrases combined with the logical operators AND and OR, email, etc.
- Dynamic bandwidth management, like reservation of bandwidth, bandwidth on demand, etc.
- Traffic recording performed based on triggers
- Prioritization of the traffic, like voice acceleration
- Network surveillance, with status monitoring
- Alert notifications
- Reporting of violation
- Network congestion management
- Traffic billing, like accounting, budget allocation, etc.
The network administrator can set up the network with example policies such as the following.
- Allow internet access only for a certain amount of time
- Allow access to only a few websites
- Allow only a specified group of people to access specific directories on the network
- Allow a specified group to access certain network services and resources
- Allocate only a certain amount of bandwidth to a particular application
- Run antivirus locally, on the server and client, every x minutes
- Virus check from a specific drive to the hard disk
- Automation of pre-defined reactions
- Translation of higher-level policies into low-level configuration specifications for the devices
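The four PBM elements introduced above and the example policies just listed, as an added Python illustration (not this page's or any product's code; the policy and flow record formats are assumptions): the PMT saves a high-level policy into the repository, the repository notifies the PDP, the PDP refines the policy into concrete rules and distributes them to the PEP, and the PEP decides each flow at the endpoint.

```python
# Model of the PBM elements: PMT saves high-level policies to the
# repository, the PDP refines them into low-level rules and pushes them to
# PEPs, which enforce them on endpoint traffic. Formats are assumptions.
from collections import namedtuple

# A refined rule: predicate over a flow record plus an action
# ("deny" or an integer kbps cap).
Rule = namedtuple("Rule", "name applies action")


class Repository:
    """Stores policies in a common model and notifies PDPs of changes."""
    def __init__(self):
        self.policies, self.pdps = [], []

    def save(self, policy):           # invoked by the PMT on define/update
        self.policies.append(policy)
        for pdp in self.pdps:
            pdp.on_policy_change(self.policies)


class PDP:
    """Interprets abstract policies and distributes concrete rules to PEPs."""
    def __init__(self, peps):
        self.peps = peps

    def refine(self, p):
        """Policy refinement: abstract specification -> low-level rule."""
        if p["type"] == "time_window":    # internet only during certain hours
            return Rule("time:" + p["group"],
                        lambda f: f["group"] == p["group"]
                        and not p["start"] <= f["hour"] < p["end"], "deny")
        if p["type"] == "allowed_sites":  # only a few websites
            return Rule("sites:" + p["group"],
                        lambda f: f["group"] == p["group"]
                        and f["host"] not in p["sites"], "deny")
        if p["type"] == "bandwidth":      # bandwidth cap per application
            return Rule("bw:" + p["app"], lambda f: f["app"] == p["app"], p["kbps"])
        raise ValueError("cannot refine policy type %r" % p["type"])

    def on_policy_change(self, policies):
        rules = [self.refine(p) for p in policies]
        for pep in self.peps:
            pep.rules = rules             # push to the policy-aware nodes


class PEP:
    """Runs on the managed node; evaluates every flow against the rules."""
    def __init__(self):
        self.rules = []

    def decide(self, flow):
        kbps = None
        for rule in self.rules:
            if not rule.applies(flow):
                continue
            if rule.action == "deny":
                return {"access": "deny", "by": rule.name, "kbps": None}
            kbps = rule.action if kbps is None else min(kbps, rule.action)
        return {"access": "allow", "by": None, "kbps": kbps}


def demo():
    """Constructed scenario: three policies defined via the PMT, three flows."""
    pep, repo = PEP(), Repository()
    repo.pdps.append(PDP([pep]))
    for policy in ({"type": "time_window", "group": "staff", "start": 9, "end": 18},
                   {"type": "allowed_sites", "group": "guest", "sites": ["intranet.example"]},
                   {"type": "bandwidth", "app": "video", "kbps": 2000}):
        repo.save(policy)             # PMT defines a policy
    flows = [{"group": "staff", "app": "web", "host": "news.example", "hour": 20},
             {"group": "guest", "app": "web", "host": "news.example", "hour": 11},
             {"group": "staff", "app": "video", "host": "intranet.example", "hour": 11}]
    return [pep.decide(f) for f in flows]
```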
Figure: An Example Deployment
Pervasive mobile computing and communication create new security challenges. These problems, as well as the network management issues, can be addressed through the PBM networking approach. However, although there are many solutions, the same concept and approach bring new challenges, and research continues in order to overcome them.
Policy Based Network Management has many benefits for organizations and their processes, as follows.
- Client Based Paradigm
A comprehensive network policy not only manages traffic at the network backbone and WAN access points, but should also manage traffic at its origin.
Network access is regulated by server-based firewalls, without direct involvement of the end-nodes, which clearly indicates that the end user or end node is treated as dumb. The new networking approach makes the proxy-based firewall, acting as a gateway, a viable control and security application. Until such a proxy becomes available, new network services are denied. A packet-inspection firewall needs application-sensitive modifications to its inspection code to provide maximum security and to allow new services to pass through it. In the client-centric approach, application-specific content inspection and access privileges for new services can be provisioned easily at the client location, without modifying the client software.
- Network Traffic Management
For the spectrum of traffic that is typical in present network environments, adaptive and dynamic mechanisms are offered by bandwidth specification in association with the traffic policy.
Typically, application traffic may be characterized by constant or variable bit rate, continuous or bursty bandwidth allocation, delay sensitivity, and continuous or loose timing relationships between endpoints. Here a combination of application-based and priority-based bandwidth allocation offers an intuitive and flexible resource management method.
- Managed Network Architecture
The new networking approach makes the policy control protocol simpler and extensible, able to support diverse client-specific information and policy directives without protocol modification.
- Distributed Architecture
The distributed architecture provided by policy.net offers modular services and a single framework for simplifying traffic engineering.
- Deployment Configuration
The policy gateway configuration supports all types of host end-nodes on the network. It comprises multiple distributed client end-nodes and a single multi-homed gateway node on the LAN. The policy.net enterprise model can be configured on a per-seat licence basis and is intended for deployment in business environments that require granular control of both end-users and end-nodes. Both configurations can operate with NAT (Network Address Translation), a proxy server, a VPN (Virtual Private Network) gateway or an IP router from any provider.
- Policy Agent
Policy is enforced by the agent through packet-, session- and application-level filters in a real-time engine.
- End Point Policy Enforcement
Rules are enforced at each layer to determine whether access is full, partial or denied, with traffic passed on to the following layers for further evaluation. After the rules are applied, traffic flows through the rate control engines, where bandwidth privileges are enforced per service or application.
- Policy Server
The policy server is a set of database servers and a manager that manage the policy agents at the network endpoints in a distributed way.
- Remote Administration
Management services are provided through graphical user interfaces: the policy administrator, remote console and policy monitor.
- Content Restriction
The continuing issues associated with content-blocking filters in cyberspace are addressed by policy.net.
- Activity Reports
Activity reports are provided, including accurate and granular connection-level information.
- Stateful Traffic Inspection
Real-time agents provide stateful traffic inspection of content and protocols in compliance with established internet standards.
- Network Congestion Management
Meaningful congestion management is facilitated by the classification and prioritization of traffic that drive the rate controls.
- Agent Traffic Recorder
The traffic recorder's non-promiscuous operating mode is non-intrusive on broadcast network traffic and provides better performance and granularity than traditional network monitors operating in promiscuous mode.
- Remote Access Management
Remote network access over the internet, through VPN connections and dialup adapters, is controlled and regulated by policy.net.
- System Security
Security is enforced by cryptographic technology and state-of-the-art encryption to ensure the integrity of user administration, supervision and authentication.
- System Resource Requirements
Effective algorithms and the use of non-paged system memory for incremental packet content analysis are key to real-time performance.
Impact on IT Staff
Policy Based Management affects IT staff in that resources are provisioned only through the defined policies distributed among them. The key to success with this approach is defining the policies and monitoring network traffic and access consistently throughout the life of the network.
Both SDN and PBM have potential for managing network traffic, each with its own strengths; their capabilities are as follows.
SOFTWARE DEFINED NETWORKING
· Provision of centralized networking
· Holistic enterprise management
· More granular security
· Lower cost for operating
· Savings of hardware and reduced expenditures of capital
· Cloud abstraction
· Guaranteed content delivery
· Networking management, physical vs. virtual
· Reduced downtime
· Isolation and traffic control
· Central networking management
POLICY BASED MANAGEMENT
· Client based paradigm
· Improved network traffic management
· Managed network architecture
· Distributed architecture
· Deployment configuration
· Better policy agent
· End point policy enforcement
· Effective policy server
· Remote administration
· Content restriction
· Activity reports
· Stateful traffic inspection
· Network congestion management
· Agent traffic recorder
· Remote access management
· System security
· Effective usage of the resource requirements
Apart from the regular network requirements, the new networking approaches need the following infrastructure.
SOFTWARE DEFINED NETWORKING
Model of automated control, centralized and provisioning
Supporting monitoring, establishment and maintenance of SLAs
Optimizing network resources
Increase service velocity
Integration of Ethernet, applying the SDN principles, and telecommunication technologies
POLICY BASED MANAGEMENT
Infrastructure majorly in definition of the policies and implementation
SDN offers potential benefits to the proposed organization, mainly in managing traffic much more easily, so that the organization can achieve today's network and internet speed requirements. However, many security issues are associated with SDN, as its infrastructure and protocols have yet to mature towards tighter and more effective security of content and of resource privileges.
The PBM architecture offers potential benefits to an organization that focuses on regulating the provision of network resources to end users. In adapting the new network architecture to the organization, end users belong to various levels of the hierarchy, and the end users at each level need a unique set of controls that can be defined with policies. PBM can satisfy the need for a unique set of controls per end user, and once the restrictions and regulations are in place, traffic would be automatically distributed to the various content and resources, at least to half the extent, with the remainder managed by other methods of enhancing network speed.
Of the two choices, SDN and PBM, policy based management can be recommended for the safety and security of intellectual property and for fair distribution of content and resources to authorized users, without the possibilities of hacking, peeping, etc.
"Interop 2014: Avaya to showcase Automated Campus part of SDN initiative". Info Tech Lead.