BAGUETTE: Towards a Secure and Cost-effective Switch Upgrade in Hybrid Software-Defined Networks

Software-Defined Networking (SDN), providing flexible controlling and monitoring mechanisms that simplifies network management, is becoming prevalent in recent years. However, replacing all legacy network devices with SDN-capable devices is cost-prohibitive. One practical approach for the SDN deployment is to incrementally upgrade a few legacy devices to SDN devices. The network, which consists of legacy and SDN devices, is called a hybrid SDN. Existing hybrid SDN deployment schemes do not consider the security impact of device deployment. They use the same type of devices to upgrade, and upgraded devices could be compromised if an attacker controls one SDN device by leveraging its vulnerabilities.In this paper, we consider this security issue in the hybrid SDN deployment and present the Secure and Cost-effective Switch Upgrade (SCESU) problem. The SCESU problem aims to upgrade a few network devices to satisfy the security requirement by using multiple SDN switch types with a minimal upgrade cost. The complexity of the SCESU problem comes from common vulnerabilities shared among different types of SDN devices and attack propagations among network nodes. To efficiently solve the problem, we propose the BAGUETTE algorithm to judiciously choose and upgrade critical legacy switches with selected SDN devices. Simulation results show that BAGUETTE achieves up to about 92.1 security enhancement compared with legacy network and reduces to 11.1 cost of the securest deployment.