TY - GEN
T1 - Leveraging SDN for ARP security
AU - Cox, Jacob H.
AU - Clark, Russell J.
AU - Owen, Henry L.
N1 - Publisher Copyright: © 2016 IEEE.
PY - 2016/7/7
Y1 - 2016/7/7
N2 - Insider threats are a growing concern for industry, government, and campus networks. Yet, vulnerabilities inherent in Address Resolution Protocol (ARP) are exploitable by insiders seeking to launch sophisticated attacks on local area networks (LANs). Such attacks, initialized through ARP spoofing, include denial of service, server redirect, and man-in-the-middle attacks. Unfortunately, the current state-of-the-art technologies for detecting and preventing ARP poisoning are tediously complex, slow to detect, and difficult to maintain. However, software defined networking (SDN) enables the implementation of novel security measures that are capable of detecting and eliminating ARP spoofing before it can impact other hosts. Hence, this paper presents Network Flow Guard for ARP (NFGA), an SDN security module that augments simple MAC-learning protocols on OpenFlow-enabled switches. NFG works by hashing a host's physical address with an appropriate IP:port association to deny ARP spoofing in real time. Moreover, our framework's key contribution is that it achieves ARP security with minimal intervention by network operators while supporting both dynamic and static port allocations, requiring no changes to the network's topology or protocols, and requiring no client software installation.
KW - ARP Poisoning
KW - DHCP
KW - Network Protocols
KW - Network Topology
KW - Security
KW - Software Defined Networks
UR - http://www.scopus.com/inward/record.url?scp=84979984721&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84979984721&partnerID=8YFLogxK
U2 - 10.1109/SECON.2016.7506644
DO - 10.1109/SECON.2016.7506644
M3 - Conference contribution
AN - SCOPUS:84979984721
T3 - Conference Proceedings - IEEE SOUTHEASTCON
BT - SoutheastCon 2016
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - SoutheastCon 2016
Y2 - 30 March 2016 through 3 April 2016
ER -