Enabling Practical Software-defined Networking Security Applications with OFX

Software Defined Networks (SDNs) are an appealing platform for network security applications. However, existing approaches to building security applications on SDNs are not practical because of performance and deployment challenges. Network security applications often need to analyze and process traffic in more advanced ways than SDN data plane implementations, such as OpenFlow, allow. Much of an application ends up running on the centralized controller, which forms an inherent bottleneck. Researchers have proposed application specific modifications to the underlying data plane to gain performance, but this results in a solution that is not deployable as it requires new switches and does not support all network security applications. In this paper, we introduce OFX (the OpenFlow Extension Framework) which harnesses the processing power of network switches to enable practical SDN security applications within an existing OpenFlow infrastructure. OFX allows applications to dynamically load software modules directly onto unmodified network switches where application-dependent processing/monitoring can execute closer to the data plane at a rate much closer to line speed. We implemented OFX modules for security applications including Silverline (ACSAC’13), BotMiner (Sec’08), and several others motivated by the custom OpenFlow extensions in Avant-Guard (CCS’13). We evaluated OFX on a Pica 8 3290 switch and found that processing traffic in an OFX module running on the switch had orders of magnitude less overhead than processing traffic at the controller. OFX increased the performance of the evaluated security application by 20-40x as compared to standard OpenFlow implementations and up to 1.25x when compared to middlebox implementations running on dedicated servers. This is all achieved without the need for additional or modified hardware.