Leveraging SDN for ARP security

SoutheastCon 2016 (2016)

Abstract
Insider threats are a growing concern for industry, government, and campus networks. Yet, vulnerabilities inherent in Address Resolution Protocol (ARP) are exploitable by insiders seeking to launch sophisticated attacks on local area networks (LANs). Such attacks, initialized through ARP spoofing, include denial of service, server redirect, and man-in-the-middle attacks. Unfortunately, the current state-of-the-art technologies for detecting and preventing ARP poisoning are tediously complex, slow to detect, and difficult to maintain. However, software defined networking (SDN) enables the implementation of novel security measures that are capable of detecting and eliminating ARP spoofing before it can impact other hosts. Hence, this paper presents Network Flow Guard for ARP (NFGA), an SDN security module that augments simple MAC-learning protocols on OpenFlow-enabled switches. NFG works by hashing a host's physical address with an appropriate IP:port association to deny ARP spoofing in real time. Moreover, our framework's key contribution is that it achieves ARP security with minimal intervention by network operators while supporting both dynamic and static port allocations, requiring no changes to the network's topology or protocols, and requiring no client software installation.
Keywords
ARP Poisoning, Software Defined Networks, Security, DHCP, Network Topology, Network Protocols
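
The binding check the abstract describes (a host's physical address hashed to an IP:port association) can be sketched as follows. This is an added example, not NFGA's code: the table contents, the function names, the Ethernet/ARP source consistency check and the choice to drop unknown MACs are all assumptions made for illustration.

```python
import socket
import struct

# Constructed sample bindings: MAC -> (IP, switch port). In a deployment these
# would be learned (for example from DHCP) or configured statically.
BINDINGS = {
    "02:00:00:00:00:0a": ("10.0.0.10", 1),
    "02:00:00:00:00:0b": ("10.0.0.11", 2),
}

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def build_arp(eth_src: str, sender_mac: str, sender_ip: str, target_ip: str, oper: int = 2) -> bytes:
    """Build a constructed broadcast Ethernet + ARP frame to feed the checker."""
    eth = b"\xff" * 6 + mac_bytes(eth_src) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += b"\x00" * 6 + socket.inet_aton(target_ip)
    return eth + arp

def check_arp(frame: bytes, in_port: int, bindings=BINDINGS) -> str:
    """Return 'allow', 'skip:not-arp' or 'drop:<reason>' for a frame seen on in_port."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return "skip:not-arp"  # too short for Ethernet + ARP, or another EtherType
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (1, 2):
        return "drop:malformed"
    eth_src, sender_mac = mac_str(frame[6:12]), mac_str(frame[22:28])
    sender_ip = socket.inet_ntoa(frame[28:32])
    if eth_src != sender_mac:  # assumed extra check: headers must agree
        return "drop:eth-arp-mac-mismatch"
    bound = bindings.get(sender_mac)  # hash lookup keyed on the physical address
    if bound is None:
        return "drop:unknown-mac"  # assumed policy for hosts with no binding
    if bound[0] != sender_ip:
        return "drop:ip-mismatch"  # host claims an IP bound to someone else
    if bound[1] != in_port:
        return "drop:port-mismatch"  # known MAC arriving on the wrong port
    return "allow"
```
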