ABSTRACT

Security policy management can be thought of as the framework for specifying an authentication and authorization policy and translating that policy into information that devices can use to control access, manage key distribution, audit security activity and detect information leakage [254]. The authorization part usually amounts to permitting or denying access to resources or information [196]. Security management almost always also includes the actions to be taken when a violation is detected.

Given the rapid growth in the scale of deployed networks, traditional methods that rely on trained personnel to implement and manage information security have become more time-consuming and error-prone [274]. Maintaining a mandated network security scheme for large-scale data center networks and distributed environments is a formidable challenge. It is to this end that several policy-driven management techniques have been suggested [107]. By separating security policies from their low-level implementation and enforcement in the network, such methodologies simplify network management while paving the way for seamless growth of the network [177,247].

The ease of programmability in SDN makes it a strong platform for initiatives that involve application deployment, dynamic topology changes and decentralized network management in a multi-tenant data center environment. This programmability gives great flexibility in implementing applications as well as security solutions. The same flexibility, however, opens the door to policy conflicts, both intentional and unintended. The situation is further complicated when multiple SDN controllers are in use, since each may install a different policy for the same traffic. Implementing security solutions in such an environment is therefore fraught with policy conflicts and consistency issues, and the hardness of the problem depends on how the SDN controllers are distributed.

In this chapter, the implications of security policy conflicts are discussed first. Next, a formalism for flow rule conflicts in SDN environments is described. Comprehensive conflict detection and resolution models then ensure that no two flow rules in a distributed SDN-based cloud environment conflict at any layer, thereby assuring a consistent, conflict-free security policy implementation and preventing information leakage. Strategies for prioritizing these conflicts and resolving them without operator intervention are also detailed.
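As an added illustration of the kind of flow-rule conflict the chapter addresses, the following Python is example code written for this page; it is not the chapter's formalism and not any project's code. It models rules installed by two controllers as simplified OpenFlow-style matches (IPv4 source and destination prefixes, L4 protocol and destination port, with None as a wildcard), classifies every pair using the classic firewall-anomaly terminology (shadowing, generalization, correlation, redundancy), flags the pairs in which an ALLOW rule from one controller would be consulted before a DROP rule covering the same packets, and applies a deny-wins resolution. The controller names, rule names, addresses and the deny-wins strategy are all constructed assumptions for the example.

```python
"""Pairwise flow-rule conflict detection across two SDN controllers.

Example code for this page only; the taxonomy (shadowing, generalization,
correlation, redundancy) and the deny-wins resolution are assumptions,
not the chapter's formalism.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    controller: str
    name: str
    priority: int                      # higher priority is consulted first
    action: str                        # "ALLOW" or "DROP"
    src: Optional[IPv4Network] = None  # None means wildcard
    dst: Optional[IPv4Network] = None
    proto: Optional[str] = None        # "tcp", "udp", ...
    dport: Optional[int] = None


def _net_rel(a: Optional[IPv4Network], b: Optional[IPv4Network]) -> str:
    """Relation of prefix field a to b: eq, sub (a within b), sup, or disj."""
    if a is None and b is None or a == b:
        return "eq"
    if a is None:
        return "sup"
    if b is None or a.subnet_of(b):
        return "sub"
    return "sup" if b.subnet_of(a) else "disj"


def _scalar_rel(a, b) -> str:
    """Same relation for an exact-match field such as proto or dport."""
    if a == b:
        return "eq"
    if a is None:
        return "sup"
    return "sub" if b is None else "disj"


def match_relation(r1: Rule, r2: Rule) -> str:
    """Relation of r1's match set to r2's: eq, sub, sup, overlap or disjoint."""
    rels = {_net_rel(r1.src, r2.src), _net_rel(r1.dst, r2.dst),
            _scalar_rel(r1.proto, r2.proto), _scalar_rel(r1.dport, r2.dport)}
    if "disj" in rels:
        return "disjoint"
    if rels == {"eq"}:
        return "eq"
    if rels <= {"eq", "sub"}:
        return "sub"
    if rels <= {"eq", "sup"}:
        return "sup"
    return "overlap"  # some fields narrower, some wider: partial intersection


def classify(hi: Rule, lo: Rule) -> Optional[str]:
    """Anomaly class for a pair where hi is consulted before lo, or None."""
    rel = match_relation(lo, hi)
    same = hi.action == lo.action
    if rel == "disjoint":
        return None
    if rel in ("eq", "sub"):   # lo can never fire: fully covered by hi
        return "redundancy" if same else "shadowing"
    if rel == "sup":           # lo is the broader rule, hi carves an exception
        return "redundancy" if same else "generalization"
    return None if same else "correlation"


Conflict = Tuple[str, Rule, Rule]


def detect_conflicts(rules: List[Rule]) -> List[Conflict]:
    """Check every pair of the merged rule set in priority order."""
    ordered = sorted(rules, key=lambda r: -r.priority)
    return [(cls, hi, lo)
            for i, hi in enumerate(ordered) for lo in ordered[i + 1:]
            if (cls := classify(hi, lo)) is not None]


def cross_controller(conflicts: List[Conflict]) -> List[Conflict]:
    """Only the conflicts that exist because two controllers disagree."""
    return [c for c in conflicts if c[1].controller != c[2].controller]


def unsafe_conflicts(rules: List[Rule]) -> List[Conflict]:
    """Pairs where an ALLOW is consulted before a DROP for the same packets.
    Generalization (narrow ALLOW above broad DROP) is a normal exception
    pattern and is deliberately not treated as unsafe."""
    return [c for c in detect_conflicts(rules)
            if c[0] in ("shadowing", "correlation")
            and c[1].action == "ALLOW" and c[2].action == "DROP"]


def resolve_deny_wins(rules: List[Rule]) -> List[Rule]:
    """Assumed strategy: lift each losing DROP just above the ALLOW it loses
    to, one pair per round, until no unsafe pair remains (terminates because
    priorities only move up and no new ALLOW-over-DROP pair is created)."""
    rules = list(rules)
    for _ in range(len(rules) ** 2 + 1):
        unsafe = unsafe_conflicts(rules)
        if not unsafe:
            return rules
        _, hi, lo = unsafe[0]
        rules[rules.index(lo)] = replace(lo, priority=hi.priority + 1)
    raise RuntimeError("resolution did not converge")


# Constructed sample: two controllers programming the same tenant segment.
SAMPLE_RULES = [
    Rule("ctrl-A", "A-ssh-allow", 100, "ALLOW",
         IPv4Network("10.0.0.0/8"), IPv4Network("10.1.0.0/16"), "tcp", 22),
    Rule("ctrl-A", "A-ssh-allow-mgmt", 90, "ALLOW",
         IPv4Network("10.0.1.0/24"), IPv4Network("10.1.0.0/16"), "tcp", 22),
    Rule("ctrl-B", "B-quarantine-drop", 50, "DROP",
         IPv4Network("10.0.5.0/24"), IPv4Network("10.1.0.0/16")),
    Rule("ctrl-B", "B-ssh-drop", 10, "DROP",
         IPv4Network("10.0.0.0/8"), IPv4Network("10.1.0.0/16"), "tcp", 22),
]

if __name__ == "__main__":
    for cls, hi, lo in detect_conflicts(SAMPLE_RULES):
        print(f"{cls:14} {hi.name} (p{hi.priority}) over {lo.name} (p{lo.priority})")
    for r in resolve_deny_wins(SAMPLE_RULES):
        print("resolved:", r.name, r.priority, r.action)
```

In the sample, controller B's quarantine of 10.0.5.0/24 is only partially covered by A's broad SSH allow (a correlation), and B's low-priority SSH drop is shadowed outright, so quarantined hosts still reach port 22. Deny-wins removes both unsafe pairs, but at the cost of the DROP rules now shadowing A's allows entirely; the resolved list is therefore something an operator should review, and a real resolver would apply the chapter's prioritization strategy rather than this blunt rule.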