OpenSec:Policy-Based Security Using Software-Defined Networking


OpenSec: Policy-Based Security Using Software-Defined Networking
Presenter: Hung-Yen Wang
Date: 2019/6/3
Authors: Adrian Lara and Byrav Ramamurthy
Published in: IEEE Transactions on Network and Service Management
Department of Computer Science and Information Engineering, National Cheng Kung University, Taiwan R.O.C.
CSIE Computer & Internet Architecture Lab (CIAL Lab)

Introduction
An OpenFlow-based network security framework that allows network operators to implement security policies. Its goals are:
Moving middleboxes away from the main datapath.
Reacting automatically to security events.
Creating a simple policy specification language.

The first goal of OpenSec is to move the middleboxes away from the choke points of the topology traversed by all traffic. Instead, these devices should be located outside of the main path between the LAN and the Internet and should act as security processing units that are visited only by the traffic that needs to be processed. Using a smarter OpenFlow-based control plane, OpenSec should dynamically create rules to re-route traffic.

Thus, we designed OpenSec to allow the operator to specify ahead of time what the automated reaction should be.

Components
Policy specification language
Northbound interface
Policy manager
Processing units
Security event processor
OpenFlow controller
Data repository

Policy Specification Language
The matching fields correspond to those available in OpenFlow 1.0.
The reactions can be to alert only (via email) or to block the traffic.

Northbound Interface

Policy Manager
Parsing new policies sent by the GUI and converting them to OpenSec objects.
Implementing the policy using the southbound interface component (the controller).
Periodically checking that the policy is implemented appropriately.

Processing Units
The units are customized to perform the required security scan, such as a firewall, an IPS or DPI.
When suspicious traffic is detected, the processing unit issues an alert to the OpenSec controller.
OpenSec implements a processing unit manager that collects all the registrations and creates a list of units and the locations in the network where they can be found.

Security Event Processor
The security event processor is responsible for collecting the notifications issued by the processing units and modifying forwarding rules according to the policies involved.

OpenFlow Controller
Uses the Floodlight controller.
When a request is received from the policy implementer to push a new rule, this module is responsible for sending the message to the right switches.

Data Repository
All implemented policies are stored to check for conflicts when new policies are received, and also to know how to react to security events raised by the processing units.
All the information needed to route traffic to the middleboxes (device id, switch id, input port and output port) is also stored.
OpenSec also records when hosts are blocked from accessing the network.
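To make the policy specification language, the security event processor and the data repository concrete, the following Python block is an added example, not OpenSec's or the paper's own code. It models a policy parser restricted to the twelve OpenFlow 1.0 match fields, a repository that rejects a new policy whose match duplicates a stored one with a different reaction, and an event processor that turns a processing-unit alert into either an e-mail notification or a drop rule while recording the blocked host. The policy syntax (`name: match ...; units ...; react ...`), the alert dictionary and the rule dictionary are assumptions constructed for this example; the slides do not show OpenSec's real syntax or object formats.

```python
"""Toy model of the OpenSec control loop described in the slides.
Added example, not OpenSec's own code: the policy syntax, the alert
format and the flow-rule dictionary are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# The twelve match fields of the OpenFlow 1.0 flow table, the only
# fields the slides say the policy language exposes.
OF10_FIELDS = {
    "in_port", "dl_src", "dl_dst", "dl_vlan", "dl_vlan_pcp", "dl_type",
    "nw_tos", "nw_proto", "nw_src", "nw_dst", "tp_src", "tp_dst",
}
PREFIX_FIELDS = {"nw_src", "nw_dst"}   # compared as IP prefixes
REACTIONS = {"alert", "block"}          # alert by e-mail, or block traffic

@dataclass
class Policy:
    name: str
    match: dict      # OpenFlow 1.0 field -> value (nw_* as ip_network)
    units: list      # processing units the traffic must visit
    reaction: str    # what to do when one of those units raises an alert

def parse_policy(text):
    """Parse the constructed syntax
    'name: match f=v,f=v; units u1,u2; react alert|block'."""
    name, _, body = text.partition(":")
    parts = [p.strip() for p in body.split(";")]
    if len(parts) != 3:
        raise ValueError("a policy needs match, units and react sections")
    match = {}
    for kv in parts[0].removeprefix("match").split(","):
        field, _, value = kv.strip().partition("=")
        if field not in OF10_FIELDS:
            raise ValueError(f"{field!r} is not an OpenFlow 1.0 match field")
        match[field] = (ipaddress.ip_network(value, strict=False)
                        if field in PREFIX_FIELDS else value)
    units = [u.strip() for u in parts[1].removeprefix("units").split(",")]
    reaction = parts[2].removeprefix("react").strip()
    if reaction not in REACTIONS:
        raise ValueError(f"unknown reaction {reaction!r}")
    return Policy(name.strip(), match, units, reaction)

class Repository:
    """Data repository: implemented policies, unit locations, blocked hosts."""
    def __init__(self):
        self.policies = []
        self.unit_locations = {}   # unit -> (switch id, in port, out port)
        self.blocked = set()

    def add_policy(self, policy):
        # Conflict check: an identical match with a different reaction is rejected.
        for p in self.policies:
            if p.match == policy.match and p.reaction != policy.reaction:
                raise ValueError(f"{policy.name} conflicts with {p.name}")
        self.policies.append(policy)

def flow_matches(match, flow):
    """True when every field of the policy match covers the observed flow."""
    for field, value in match.items():
        if field not in flow:
            return False
        if field in PREFIX_FIELDS:
            if ipaddress.ip_address(flow[field]) not in value:
                return False
        elif str(flow[field]) != str(value):
            return False
    return True

def process_alert(repo, alert):
    """Security event processor: alert = {'unit': name, 'flow': {field: value}}.
    Returns the reaction taken, or None when no policy covers the alert."""
    for p in repo.policies:
        if alert["unit"] in p.units and flow_matches(p.match, alert["flow"]):
            if p.reaction == "block":
                src = alert["flow"]["nw_src"]
                repo.blocked.add(src)   # record that the host is blocked
                # OpenFlow 1.0 drop rule: a match with an empty action list
                return {"type": "flow_mod", "policy": p.name,
                        "match": {"nw_src": src}, "actions": []}
            return {"type": "email", "policy": p.name, "flow": alert["flow"]}
    return None

def demo():
    """Constructed policies and alerts; returns (repo, block, email, rejected)."""
    repo = Repository()
    repo.add_policy(parse_policy(
        "web-in: match nw_dst=192.0.2.0/24,tp_dst=80; units ids,dpi; react block"))
    repo.add_policy(parse_policy("dns-watch: match tp_dst=53; units ids; react alert"))
    try:   # same match as web-in but a different reaction: conflict
        repo.add_policy(parse_policy(
            "web-in-2: match nw_dst=192.0.2.0/24,tp_dst=80; units dpi; react alert"))
        rejected = False
    except ValueError:
        rejected = True
    block = process_alert(repo, {"unit": "dpi", "flow": {
        "nw_src": "203.0.113.9", "nw_dst": "192.0.2.10", "tp_dst": "80"}})
    email = process_alert(repo, {"unit": "ids", "flow": {
        "nw_src": "203.0.113.9", "nw_dst": "192.0.2.53", "tp_dst": "53"}})
    return repo, block, email, rejected
```

The conflict check is deliberately narrow (identical match, different reaction); a production repository would also have to detect overlapping prefixes and wildcard fields, which the slides mention only as "check for conflicts" without detail.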

Policy Implementation
2. Policy manager parses the policy and processing units manager……

Reaction Implementation

Scenario 1: Multi-Switch and Multi-Unit Network
Linear topology with seven switches and two processing units connected to each switch.
The goal of this scenario is to evaluate the time needed by OpenSec to implement rules across multiple devices. Therefore, the processing units do not implement any security function.

Scenario 2: Incoming Traffic in a Campus Network
The goal of this scenario is to demonstrate how OpenSec can block malicious traffic from entering a campus network.
This scenario uses a dataset made available by the University of Twente.
Two security units were developed: one for intrusion detection and one for deep packet inspection. The IDS unit runs Bro; the DPI unit is built on top of nDPI.

Scenario 3: Deploying a Science DMZ
This scenario ensures an acceptable level of security while guaranteeing a high-speed, loss-free channel.

Evaluation: Performance of Policy Implementation

Evaluation: Performance of Reaction to Security Alerts

Evaluation: Throughput and Latency

Conclusion
OpenSec allows network operators to describe security policies using a human-readable language and to implement them across the network.
OpenSec also allows network operators to specify how to react automatically when malicious traffic is detected.
Moving the analysis of traffic away from the controller and into processing units makes the framework more scalable.