2023 Feb 4;23(4):1747. doi: 10.3390/s23041747.

Performance Analysis of Software-Defined Networks to Mitigate Private VLAN Attacks

David Álvarez et al. Sensors (Basel).

Abstract

The defence-in-depth (DiD) methodology is a defensive approach usually applied by network administrators to build secure networks by layering and segmenting them. Typically, segmentation is implemented at layer 2 (the data link layer) using standard virtual local area networks (VLANs) or private virtual local area networks (PVLANs). Although defence in depth is usually manageable in small networks, it does not scale easily to larger environments. Software-defined networks (SDNs) are emerging technologies that can be very helpful when performing network segmentation in such environments. In this work, a corporate networking scenario using PVLANs is emulated in order to carry out a comparative performance analysis of defensive strategies in terms of CPU and memory usage, communication delay, packet loss, and power consumption. To do so, a well-known PVLAN attack is executed by simulated attackers located within the corporate network. Then, two mitigation strategies are analysed and compared: the traditional approach based on access control lists (ACLs) and an SDN-based approach. The results show how the two mitigation strategies behave under different network scenarios and demonstrate the better performance of the SDN approach in oversubscribed network designs.
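The abstract names "a well-known PVLAN attack" and the traditional ACL mitigation without spelling either out. The following toy model is an added example, not code from the paper or its authors, and it assumes the attack in question is the classic PVLAN proxy attack: a host on an isolated port addresses a frame to the gateway's MAC but to a peer's IP, so the router routes it straight back through the promiscuous port and the layer-2 isolation is bypassed. It models the switch's port-role policy, the router's hairpin forwarding, and the inbound "deny traffic whose source and destination are both in the local subnet" ACL that the traditional mitigation relies on. Port numbers, MACs, IPs and the subnet are constructed; the SDN variant is not modelled because the page does not describe its flow rules.

```python
"""Toy model of the PVLAN proxy attack and the inbound same-subnet router ACL.
Added example (not from the paper). Topology, addresses and port roles are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

ISOLATED, COMMUNITY, PROMISCUOUS = "isolated", "community", "promiscuous"
LAN = ip_network("10.0.0.0/24")  # constructed primary-VLAN subnet


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class Port:
    role: str
    community: Optional[int] = None  # only meaningful for COMMUNITY ports


class PvlanSwitch:
    """Layer-2 switch that checks the private-VLAN port roles on every forwarding decision."""

    def __init__(self, ports: Dict[int, Port], mac_table: Dict[str, int]):
        self.ports = ports
        self.mac_table = mac_table  # static MAC -> port, standing in for learned entries

    def pvlan_allows(self, in_port: int, out_port: int) -> bool:
        a, b = self.ports[in_port], self.ports[out_port]
        if PROMISCUOUS in (a.role, b.role):
            return True  # promiscuous ports may talk to every port
        if a.role == b.role == COMMUNITY and a.community == b.community:
            return True  # members of the same community may talk to each other
        return False  # isolated ports, or different communities, are kept apart

    def forward(self, frame: Frame, in_port: int) -> Optional[int]:
        """Return the egress port, or None when the PVLAN policy (or MAC table) drops the frame."""
        out_port = self.mac_table.get(frame.dst_mac)
        if out_port is None or out_port == in_port:
            return None
        return out_port if self.pvlan_allows(in_port, out_port) else None


class Router:
    """Gateway on the promiscuous port. With acl_enabled it applies the traditional
    inbound ACL: deny packets whose source AND destination both lie in the LAN subnet."""

    def __init__(self, mac: str, port: int, arp: Dict[str, str], acl_enabled: bool):
        self.mac, self.port, self.arp, self.acl_enabled = mac, port, arp, acl_enabled

    def inbound_acl_permits(self, frame: Frame) -> bool:
        if not self.acl_enabled:
            return True
        both_local = ip_address(frame.src_ip) in LAN and ip_address(frame.dst_ip) in LAN
        return not both_local

    def route(self, frame: Frame) -> Tuple[str, Optional[Frame]]:
        """Return ('dropped', None), ('uplink', None) or ('hairpin', rewritten_frame)."""
        if not self.inbound_acl_permits(frame):
            return "dropped", None
        if ip_address(frame.dst_ip) not in LAN:
            return "uplink", None  # leaves the LAN via another interface
        # Directly connected destination: rewrite MACs and send it back out the same interface.
        return "hairpin", Frame(self.mac, self.arp[frame.dst_ip], frame.src_ip, frame.dst_ip)


def deliver(switch: PvlanSwitch, router: Router, frame: Frame, in_port: int) -> str:
    """Trace one frame through the switch and, if it is addressed to the gateway, the router."""
    out_port = switch.forward(frame, in_port)
    if out_port is None:
        return "blocked_by_pvlan"
    if out_port != router.port:
        return f"delivered_port_{out_port}"
    verdict, hairpin = router.route(frame)
    if verdict != "hairpin":
        return verdict  # 'dropped' by the ACL, or 'uplink'
    out2 = switch.forward(hairpin, router.port)
    return f"delivered_port_{out2}" if out2 is not None else "blocked_by_pvlan"


MAC = {"attacker": "aa:aa:aa:00:00:01", "victim": "aa:aa:aa:00:00:02",
       "c1": "aa:aa:aa:00:00:03", "c2": "aa:aa:aa:00:00:04", "rtr": "aa:aa:aa:00:00:05"}


def build(acl_enabled: bool) -> Tuple[PvlanSwitch, Router]:
    # Constructed topology: attacker and victim on isolated ports 1 and 2, two hosts of
    # community 1 on ports 3 and 4, the gateway on promiscuous port 5.
    ports = {1: Port(ISOLATED), 2: Port(ISOLATED), 3: Port(COMMUNITY, 1),
             4: Port(COMMUNITY, 1), 5: Port(PROMISCUOUS)}
    mac_table = {MAC["attacker"]: 1, MAC["victim"]: 2, MAC["c1"]: 3, MAC["c2"]: 4, MAC["rtr"]: 5}
    arp = {"10.0.0.1": MAC["attacker"], "10.0.0.2": MAC["victim"],
           "10.0.0.3": MAC["c1"], "10.0.0.4": MAC["c2"]}
    return PvlanSwitch(ports, mac_table), Router(MAC["rtr"], 5, arp, acl_enabled)


def run_scenarios(acl_enabled: bool) -> Dict[str, str]:
    switch, router = build(acl_enabled)
    atk, vic, rtr = MAC["attacker"], MAC["victim"], MAC["rtr"]
    return {
        # Direct isolated -> isolated frame: the switch itself enforces the PVLAN.
        "direct": deliver(switch, router, Frame(atk, vic, "10.0.0.1", "10.0.0.2"), 1),
        # Proxy attack: destination MAC is the gateway, destination IP is the victim.
        "proxy": deliver(switch, router, Frame(atk, rtr, "10.0.0.1", "10.0.0.2"), 1),
        # Legitimate traffic leaving the LAN must still be allowed through.
        "egress": deliver(switch, router, Frame(atk, rtr, "10.0.0.1", "203.0.113.5"), 1),
        # Same-community traffic is unaffected by either the PVLAN or the ACL.
        "community": deliver(switch, router, Frame(MAC["c1"], MAC["c2"], "10.0.0.3", "10.0.0.4"), 3),
    }


if __name__ == "__main__":
    for acl in (False, True):
        print(f"inbound ACL {'on ' if acl else 'off'}:", run_scenarios(acl))
```

Without the ACL the proxy frame reaches the victim's isolated port even though a direct frame is blocked, which is exactly why isolation at layer 2 alone is not enough; with the ACL the router drops it while off-LAN and same-community traffic are unaffected. The paper's point is that doing this filtering in the router for every hairpinned packet is what costs CPU, memory and latency under load, which is the overhead the SDN strategy is measured against.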

Keywords: private VLAN (PVLAN); security; segmentation; software-defined networks (SDNs).

Conflict of interest statement

The authors declare no conflict of interest.

Figures

Figure 1. PVLAN configuration on the switch.
Figure 2. PVLAN edge.
Figure 3. PVLAN attack.
Figure 4. PVLAN attack mitigation strategies.
Figure 5. Scenarios of the emulated corporate network with PVLAN segmentation. Switch port key: community 1 (blue), community 2 (yellow), isolated (red), promiscuous (green), and trunks (dotted).
Figure 6. CPU usage in the Multiple-LAN scenario.
Figure 7. Memory consumption in the Multiple-LAN scenario.
Figure 8. Legitimate user statistics.
Figure 9. Power consumption in the Multiple-LAN scenario.
Figure 10. CPU usage in the Single-LAN scenario.
Figure 11. Memory consumption in the Single-LAN scenario.
Figure 12. Legitimate user round-trip delay time.
Figure 13. Power consumption in the Single-LAN scenario.
Figure 14. Comparison of SDN, inbound ACL, and outbound ACL mitigation.
