Computer Scientist, Graduate Student, and Geek

OpenSAFE

OpenSAFE is a framework for easily and flexibly directing network traffic to monitoring devices for on- and off-path security monitoring. It couples the flexibility and ease of management realizable with a software-based configuration/control plane with the low latency and high throughput realizable with a hardware-based data plane.

OpenSAFE consists of three components: a set of design abstractions for codifying the flow of traffic; ALARMS, a policy language for easily specifying traffic paths; and a controller that implements the policy using OpenFlow switches. OpenSAFE's design abstractions are tailored for traffic monitoring scenarios, with support for various monitoring elements and traffic distribution mechanisms. The high-level language we introduce, ALARMS, expresses the abstractions in a simple syntax. OpenSAFE/ALARMS is designed to allow administrators to easily instantiate and update rich policies that control traffic distribution to various security monitoring devices. The abstractions and policy language are motivated by Click, but OpenSAFE's abstractions are more monitoring-specific and realized through hardware-based forwarding. A policy written in ALARMS is placed at a logically central controller, which then instantiates policy constraints in the form of forwarding entries in an OpenFlow switch's flow table. In effect, OpenSAFE couples a high-performance hardware-based monitoring data plane with a flexible software-based configuration/control plane, resulting in a highly effective, yet low-cost, framework.
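
The last step described above, a controller turning monitoring paths into flow-table entries, sketched as an added example; it is not ALARMS syntax and not OpenSAFE's controller code. The `Path` model, the port numbers and the addresses are assumptions made for illustration. It shows why overlapping paths have to be merged: a switch applies only its best-matching entry, so that entry must list every monitor the packet is owed to.

```python
# Added illustration: a hypothetical policy model, not ALARMS syntax or OpenSAFE code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Path:
    name: str
    in_port: int     # switch port where mirrored traffic arrives
    match: tuple     # (field, value) pairs, OpenFlow 1.0 field names; () = all traffic
    sinks: tuple     # switch ports of the monitoring devices on this path

    def fields(self):
        return frozenset((("in_port", self.in_port),) + self.match)

def compile_paths(paths):
    """Compile paths to flow entries: (priority, match, output ports)."""
    matches = {p.fields() for p in paths}
    changed = True
    while changed:   # add an entry for every consistent overlap of two entries
        changed = False
        for a in list(matches):
            for b in list(matches):
                u = a | b
                if len(dict(u)) == len(u) and u not in matches:
                    matches.add(u)
                    changed = True
    table = []
    for m in matches:
        # a switch applies only the best-matching entry, so each entry must
        # carry the sinks of every path whose selection it falls under
        outs = sorted({s for p in paths if p.fields() <= m for s in p.sinks})
        table.append((len(m), dict(m), outs))
    return sorted(table, key=lambda e: -e[0])

def lookup(table, pkt):
    """Single flow table semantics: the highest-priority matching entry wins."""
    for _, match, outs in table:
        if all(pkt.get(k) == v for k, v in match.items()):
            return outs
    return []        # no entry: packet reaches no monitor

# Constructed sample policy (port numbers and addresses are made up)
POLICY = [
    Path("capture", 1, (), (10,)),
    Path("web_ids", 1, (("dl_type", 0x0800), ("nw_proto", 6), ("tp_dst", 80)), (11,)),
    Path("suspect", 1, (("dl_type", 0x0800), ("nw_src", "10.0.0.5")), (13,)),
]
TABLE = compile_paths(POLICY)
```

Without the merged entry for the `web_ids`/`suspect` overlap, HTTP traffic from the suspect host would reach only one of the two sensors, depending on which entry the switch happened to prefer.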