SDN & Security Security as an App (SaaA) on SDN

Slides:



Advertisements
Similar presentations
Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.
Advertisements

1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.
1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.
OneBridge Mobile Data Suite Product Positioning. Target Plays IT-driven enterprise mobility initiatives Extensive support for integration into existing.
CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.
Virtualization and Cloud Computing. Definition Virtualization is the ability to run multiple operating systems on a single physical system and share the.
An Overview of Software-Defined Network Presenter: Xitao Wen.
Openflow App Security Chao SHI Stephen Duraski. Background Software-defined networking o Control plane abstraction o Abstract topology view o Abstraction.
Author: Seungwon Shin, Vinod Yegneswaran, Phillip Porras, Guofei Gu
Software Defined Networking COMS , Fall 2013 Instructor: Li Erran Li SDNFall2013/
SDN and Openflow.
Scalable Network Virtualization in Software-Defined Networks
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) SriramGopinath( )
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) Sriram Gopinath( )
The Architecture of Transaction Processing Systems
An Overview of Software-Defined Network
A Survey on Interfaces to Network Security
An Overview of Software-Defined Network Presenter: Xitao Wen.
EWAN Equipment Last Update Copyright 2010 Kenneth M. Chipps Ph.D. 1.
Securing Legacy Software SoBeNet User group meeting 25/06/2004.
Data Center Network Redesign using SDN
Enabling Innovation Inside the Network Jennifer Rexford Princeton University
Software-Defined Networks Jennifer Rexford Princeton University.
1 IEEE LAN/ MAN Banf 1998 Open Java-Based Intelligent Agent Architecture for Adaptive Networking Devices Tal Lavian, Bay Architecture Lab
Presented by Xiaoyu Qin Virtualized Access Control & Firewall Virtualization.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) Sriram Gopinath( )
Open networking w/ Marist College Software Defined Networks.
Software Defined Networking COMS , Fall 2014 Instructor: Li Erran Li SDNFall2014/
Middleware for FIs Apeego House 4B, Tardeo Rd. Mumbai Tel: Fax:
3 June, 2016 Toorcon Security Expo Hydra Intelligent Agent: Instrument for Security One Size Fits All Distributed Scanning Distributed IDS Distributed.
SDN AND OPENFLOW SPECIFICATION SPEAKER: HSUAN-LING WENG DATE: 2014/11/18.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) Sriram Gopinath( )
Aaron Gember, Theophilus Benson, Aditya Akella University of Wisconsin-Madison.
SDN and Openflow. Motivation Since the invention of the Internet, we find many innovative ways to use the Internet – Google, Facebook, Cloud computing,
Extending OVN Forwarding Pipeline Topology-based Service Injection
Improving Network Management with Software Defined Network Group 5 : z Xuling Wu z Haipeng Jiang z Sichen Wu z Aparna Sanil.
Slide 1 Simple, Flexible Programming of Data Movement Paths using Algorithmic Policies PIs: Y. Richard Yang, Robert Bjornson, Andrew Sherman Architect:
CSci8211: SDN Controller Design 1 Overview of SDN Controller Design  SDN Re-cap  SDN Controller Design: Case Studies  NOX Next Week:  ONIX  ONOS 
Network Virtualization Sandip Chakraborty. In routing table we keep both the next hop IP (gateway) as well as the default interface. Why do we require.
Department of Electrical and Computer Engineering Abhishek Dwaraki 1 Srini Seetharaman 2, Sriram Natarajan 3, Tilman Wolf 1 1. Department of Electrical.
Software Defined Networking BY RAVI NAMBOORI. Overview  Origins of SDN.  What is SDN ?  Original Definition of SDN.  What = Why We need SDN ?  Conclusion.
Developing an Implementation Framework for the Future Internet using the Y-Comm Architecture, SDN and NFV Glenford Mapp Associate Professor Middlesex University,
SDN and Security Security as a service in the cloud
Instructor Materials Chapter 7: Network Evolution
Xin Li, Chen Qian University of Kentucky
SDN challenges Deployment challenges
Yotam Harchol The Hebrew University of Jerusalem
Design Patterns-1 7 Hours.
University of Maryland College Park
The DPIaaS Controller Prototype
Yotam Harchol The Hebrew University of Jerusalem
Overview of SDN Controller Design
Enterprise vCPE use case requirement
Software Defined Networking (SDN)
A Novel Framework for Software Defined Wireless Body Area Network
Northbound API Dan Shmidt | January 2017
Indigo Doyoung Lee Dept. of CSE, POSTECH
The Stanford Clean Slate Program
CS 31006: Computer Networks – The Routers
Software Defined Networking (SDN)
Ebusiness Infrastructure Platform
Chapter 6 System and Application Software
Enabling Innovation Inside the Network
Service Oriented Architecture (SOA)
An Introduction to Software Architecture
Yotam Harchol The Hebrew University of Jerusalem
Chapter 6 System and Application Software
Autonomous Network Alerting Systems and Programmable Networks
OpenSec:Policy-Based Security Using Software-Defined Networking
An Introduction to Software Defined Networking and OpenFlow
Presentation transcript:

SDN & Security Security as an App (SaaA) on SDN New app development framework: FRESCO FRESCO: Modular Composable Security Services for Software-Defined Networks by Seugwon Shin, Phillip Porras, Vinod Yegneswaran, Martin Fong, Guofei Gu, Mabry Tyson, NDSS 2012 New security enforcement kernel: FortNOX A security enforcement kernel for OpenFlow networks by Philip Porras, Seungwon Shin, Vinod Yegneswaran, Martin Fong, Mabry Tyson, and Guofei Gu, ACM HotSDN, August 2012

Problems of Legacy Network Devices Too complicated Control plane is implemented with complicated S/W and ASIC Closed platform Vendor specific Hard to modify (nearly impossible) Hard to add new functionalities Source: G. Gu, et al, Texas A&M &SRI

Software Defined Networking (SDN) Three layer Application layer Application part of control layer Implement logic for flow control Control layer Kernel part of control layer Run applications to control network flows Infrastructure layer Data plane Network switch or router SDN architecture from ONF

OpenFlow Architecture application OpenFlow Switch specification OpenFlow Switch OpenFlow Protocol PC SSL Secure Channel controller sw A controller application can enforce any flow rules to network switches Flow Table hw From openflow tutorial

Unique opportunity with SDN Everything is controlled through the logically centralized network OS Can introduce security mechanism here! Think of NFV

Killer Applications of SDN? Reducing Energy in Data Center Networks (load balancing) WAN VM Migration … How about security? We are going to talk about this, more specifically: Security as an App (SaaA) Security as a Service (SaaS) Source: G. Gu, et al, Texas A&M &SRI

Software App Store Today 7

Security as an App SDN naturally has an application layer Security functions can be apps on top of SDN/ networking OS Firewall Scan detection DDoS detection Intrusion detection/prevention … Why SaaA? Cost efficiency Easy deployment/maintenance Rich, flexible network control Source: G. Gu, et al, Texas A&M &SRI

Challenges and New Contributions It is not easy to develop security apps FRESCO: a new app development framework for modular, composable security services It is not secure when running buggy/vulnerable/ multiple security apps (e.g., policy conflict/bypass) FortNOX: a new security enforcement kernel Source: G. Gu, et al, Texas A&M &SRI

FRESCO: Framework for Enabling Security Controls in OpenFlow networks

What is FRESCO? A new framework Enables to compose diverse network security functions easily (bycombining multiple modules) Enables to create own network security functions easily (without requiring additional H/Ws – openflow provides all necessary functionality) Enables to deploy network security functions easily and dynamically (without modifying the underlying network architecture) Enable to add more intelligence to current network security functions Source: G. Gu, et al, Texas A&M &SRI

11/17/14 Source: G. Gu, et al, Texas A&M &SRI

FRESCO – Overall Operation Create Modules Load Modules Run Modules Monitor OpenFlow switches Answer from NOX Notify NOX of loading FRESCO modules Source: G. Gu, et al, Texas A&M &SRI

FRESCO application layer FRESCO have a number of internal NOX python security modules. Developers use the FRESCO script language to instantiate and defined the interactions between the modules – security application. FRESCO security application is triggered by input events.

FRESCO Modular Design Module F-DB instance event parameter action input output Module key values F-DB instance Source: G. Gu, et al, Texas A&M &SRI

FRESCO development environment Script-to-module translation: Script-to-module translation – abstracting the implementation complexities of producing OF controller extension. Database management – collects network and switch state information to be shared by all security apps. Event management – notifies an instance about the occurrence of predefined events. Instance execution – authenticated to run with authority granted at registration.

FRESCO resource controller Make sure the resources (flow table entry) are available at switches Evict flow table entry if necessary Two functions Switch monitor Garbage collection – clean up flow table.

FRESCO – Script Language Goal Define interfaces, actions, and parameters Connect multiple modules Similar to C/C++ function, start with { and end with } Format Instance name (# of input) (# of output) denotes the module name and the number of input and output variables INPUT: a1,a2, denotes input items for a module an may be set of flows, packets or integer values OUTPUT: b1,b2, denotes output items for a module bn may be set of flows, packets or integer PARAMETER: c1,c2, denotes configuration values of a module cn may be real numbers or strings EVENT: d1,d2, denotes events that will be delivered to a module dn may be any predefined string ACTION : condition ; action, denotes actions that will be performed based on condition Source: G. Gu, et al, Texas A&M &SRI

An working example

Running the script

A working example Reflector net – detect an active malicious scanner, and reprogram the switch data plan to redirect the scanner’s flow into a remote honeynet.

Simple Working Example: Reflector Net do_redirect (2) (0) { TYPE: ActionHandler EVENT:PUSH INPUT:SRC_IP, scan_result OUTPUT: - PARAMETER: - ACTION: scan_result == 1? REDIRECT: FORWARD /* if scan_result equals 1, redirect; otherwise, forward */ } find_scan (1) (2) { TYPE: ScanDetector EVENT:TCP_CONNECTION_FAIL INPUT: SRC_IP OUTPUT: SRC_IP, scan_result PARAMETER: 5 ACTION: - /* no actions are defined */ } Module 1 Module 2 Source: G. Gu, et al, Texas A&M &SRI

More … Tarpits White Holes Scan detector P2P detector (P2P Plotter) Botnet detector (BotMiner) … Over 90% reduction in lines of code compared with their standard implementations Already include more than 16 commonly reusable modules (expending over time) Source: G. Gu, et al, Texas A&M &SRI

FortNOX: A Security Enforcement Kernel for OpenFlow Source: G. Gu, et al, Texas A&M &SRI

New Threat SDN apps can compete, contradict, override one another, incorporate vulnerabilities Worst case: an adversary can use a vulnerable and deterministic SDN app to control the state of all SDN switches in the network Source: G. Gu, et al, Texas A&M &SRI

SDN/OpenFlow Evasion Scenario: enforcement challenge . Dynamic Flow Tunneling Source: G. Gu, et al, Texas A&M &SRI

Prerequisites for a Secure OpenFlow Platform Must be resilient to Vulnerabilities in OF applications Malicious code in 3rd party OF apps Complex interaction that arise between OF app interactions State inconsistencies due to switch garbage collection or policy coordination across distributed switches Sophisticated OF applications that employ packet modification actions Adversaries who might directly target our security services to harm the network Source: G. Gu, et al, Texas A&M &SRI

FORNOX NOX+non-bypassable policy-based flow rule enforcement. Once a flow rule is inserted to FortNOX by a security application, no peer OF application can insert flow rules that conflict with the rule. Role-based authorization Rule conflict detection Security directive translation Source: G. Gu, et al, Texas A&M &SRI

Classic NOX Architecture PY OF Apps Python SWIG Native C OF Apps Send_OpenFlow_Command() NOX Software Defined Networking (COMS 6998-10) Source: G. Gu, et al, Texas A&M &SRI

FT_Send_OpenFlow_Command FortNOX Architecture Native C OF Apps Separate Process Security Apps PY OF Apps OF IPC Proxy Actuator Python SWIG Directive Translator IPC Interface Aggregate Flow Table FT_Send_OpenFlow_Command Operator Rules Role-based Source Auth State Table Manager OF Mod Commands Add (conflict enforced) Modify (conflict enforced) Delete (priority enforced) SECURITY Rules Conflict Analyzer Switch Callback Tracking OF App Rules FortNOX Switch Callback tracking Source: G. Gu, et al, Texas A&M &SRI

Role based source authentication Human administrator (high priority) Security applications Non-security OF applications (low) Roles implemented with a digital signature scheme.

Conflict detection/resolution Alias set rule reduction Rules are converted into an internal representation called alias reduced rules Resolution Based on the priority of the rule.

Summary of FortNOX FortNOX – A new security enforcement kernel for OF networks Role-based Authorization Rule-Authentication Conflict Detection and Resolution Security Directive Translation “A Security Enforcement Kernel for OpenFlow Networks”. HotSDN’12 Source: G. Gu, et al, Texas A&M &SRI

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.