Dual-layer SDN Model for Deploying and Securing Network Forensic in Distributed Data Center

Many data centers nowadays begin to switch to SDN (Software-Defined Networking), to gain the main features like predictability, centralized management, quality of service and enhanced security. Comparing with traditional networks, SDN provides the ability to separate the control plane from the data plane with variety of protocols and functionalities like OpenFlow. Therefore, SDN reveals new opportunities to build large, complex and scalable networks using various network applications and services. As for network security and forensic aspects, the centralized control plane presented by SDN enhances the process of monitoring and analysis of network traffic to find the potential threats. However, it is so difficult to diagnose the cause of malevolent behaviors in large network with various services, communications, applications and protocols, without systematic model to investigate for the attacks that could happen in the data center. In this paper, we present new insight for the current trends in the aspect of SDN attacks and faults in distributed data centers in addition to the forensic challenges that have not been addressed yet. To diagnose such issues, we proposed an SDN prototype model based on the proven Provenance Verification Point (PVP) and expanded it to work in widely distributed data centers. The proposed prototype deployed as a centralized forensic middlebox working on collecting information and logs from the control and infrastructure layer of the SDN topology to find the root cause of the malicious attacks.