Performance analysis of Software-Defined Networks to mitigate Private VLAN attacks
by David Álvarez, Pelayo Nuño, Carlos T. González, Francisco G. Bulnes, Juan Carlos Granda and Dan García-Carrillo
Abstract:
The defence-in-depth (DiD) methodology is a defensive approach usually performed by network administrators to implement secure networks by layering and segmenting them. Typically, segmentation is implemented in the second layer using the standard virtual local area networks (VLANs) or private virtual local area networks (PVLANs). Although defence in depth is usually manageable in small networks, it is not easily scalable to larger environments. Software-defined networks (SDNs) are emerging technologies that can be very helpful when performing network segmentation in such environments. In this work, a corporate networking scenario using PVLANs is emulated in order to carry out a comparative performance analysis on defensive strategies regarding CPU and memory usage, communications delay, packet loss, and power consumption. To do so, a well-known PVLAN attack is executed using simulated attackers located within the corporate network. Then, two mitigation strategies are analysed and compared using the traditional approach involving access control lists (ACLs) and SDNs. The results show the operation of the two mitigation strategies under different network scenarios and demonstrate the better performance of the SDN approach in oversubscribed network designs.
Reference:
Performance analysis of Software-Defined Networks to mitigate Private VLAN attacks (David Álvarez, Pelayo Nuño, Carlos T. González, Francisco G. Bulnes, Juan Carlos Granda and Dan García-Carrillo), In Sensors, volume 23, 2023.
Bibtex Entry:
@article{alvarez2023sensors,
  author       = {David Álvarez and Pelayo Nuño and Carlos T. González and Francisco G. Bulnes and Juan Carlos Granda and Dan García-Carrillo},
  title        = {Performance analysis of Software-Defined Networks to mitigate Private VLAN attacks},
  volume       = {23},
  number       = {4},
  pages        = {1--16},
  issn         = {1424-8220},
  abstract     = {The defence-in-depth (DiD) methodology is a defensive approach usually performed by network administrators to implement secure networks by layering and segmenting them. Typically, segmentation is implemented in the second layer using the standard virtual local area networks (VLANs) or private virtual local area networks (PVLANs). Although defence in depth is usually manageable in small networks, it is not easily scalable to larger environments. Software-defined networks (SDNs) are emerging technologies that can be very helpful when performing network segmentation in such environments. In this work, a corporate networking scenario using PVLANs is emulated in order to carry out a comparative performance analysis on defensive strategies regarding CPU and memory usage, communications delay, packet loss, and power consumption. To do so, a well-known PVLAN attack is executed using simulated attackers located within the corporate network. Then, two mitigation strategies are analysed and compared using the traditional approach involving access control lists (ACLs) and SDNs. The results show the operation of the two mitigation strategies under different network scenarios and demonstrate the better performance of the SDN approach in oversubscribed network designs.},
  author+an    = {5=highlight},
  date         = {2023},
  year         = {2023},
  doi          = {10.3390/s23041747},
  journal      = {Sensors},
  keywords     = {software-defined networks (SDNs); private VLAN (PVLAN); security; segmentation},
  shortjournal = {Sens},
  jcr          = {3.9 -- Q2 [2022]},
  file         = {revistas/alvarez2023sensors.pdf}
}