Applications of SDN in IHEP network environment
Zhihui Sun, Fazhi Qi, Tao Cui (sunzh@ihep.ac.cn)
International Symposium on Grids & Clouds 2019, 4-4-2019
2019/6/24

Agenda
- IHEP campus network
- SDN @ network access control management in IHEP
- SDN @ network security in IHEP
- Summary

IHEP campus network: network topology
- The wired network and the wireless network are independent of each other and are connected through an interconnection switch. This gives a clear physical and functional separation, so the status and traffic of each network can be managed and monitored easily.
- Both the wired and the wireless network support IPv4 and IPv6.
- The LHCONE configuration has been completed.

IHEP campus network: wireless network access control management
- We designed a solution for the wireless network based on our network access control system (http://network.ihep.ac.cn, self-developed), the AC (access controller), DHCP and FreeRADIUS.
- It works well, and users can easily access the wireless network.
- Unified access control management of the wireless network across campuses (Beijing campus, Dongguan campus) is implemented through data sharing.
- A conference QR code function was developed: users scan the code to access the IHEP wireless network.
[Figure: cross-regional wireless network access control management; labels: Beijing campus, Dongguan campus, CSNS, BEPCII, BESIII, JUNO, conference network access code]

IHEP campus network: wired network access control management (current architecture)
- We still use a static control strategy to manage wired network access, based on the device MAC, the device IP, and the corresponding switch IP, switch port and VLAN ID.
- These strategies must be written into the access switch before a user can use the IHEP wired network.
Inconveniences
- The network admin has to assign the IP address manually.
- Users have to configure the IP address on their own devices.
- Access to the wired network is inconvenient for users.
[Figure: wired network access control; labels: BESIII, JUNO, HEPS]

IHEP campus network: wired network access control management (wanted architecture)
- Automatic IP address allocation for the wired network, so users no longer need to care about IP addresses.
- Keep the control strategy of 5 key attributes (device MAC address, device IP address, corresponding switch IP, switch port and VLAN ID), so that uncontrolled access to our wired network is still prevented.
- A whitelist of users who can access the wired network from any port; this function is for network admins only.
- The final purpose is a self-service, convenient wired network access service for users.
- A new network access control architecture for the wired network needs to be designed.
[Figure labels: JUNO, HEPS]

SDN @ network access control management in IHEP

SDN @ network access control management in IHEP: new solution based on SDN architecture
- Standard SDN architecture with an application plane, a control plane and a data plane
- Northbound interface: REST API
- Southbound interface: OpenFlow / NETCONF

SDN @ network access control management in IHEP: new solution based on SDN architecture
- DHCP: provides dynamic address allocation for IPv4 and IPv6.
- SDN controller (Agile Controller, provided by HUAWEI): keeps our control strategy, the 5 key attributes of each access device (device MAC, device IP, switch IP, switch port, VLAN ID); uses RADIUS to authenticate devices; provides more automated network management.
- User access control system (self-developed): manages the user and device information.

SDN @ network access control management in IHEP: network access process
We implement wired network access control management based on the DHCP server, the user access control system and the SDN controller. Access control process:
1-2. When your device connects to the IHEP wired network, the DHCP server assigns it an IPv4 and an IPv6 address.
3. Your network access request is sent to the SDN controller for verification; if the attributes match, authentication passes.
4. If they do not match, your request is redirected to our user access control system, which asks you to register.
5. You enter your personal information.
6-7. The user access control system obtains your device MAC and the corresponding switch IP, switch port and VLAN ID from the DHCP server.
8. When registration is complete, your IP, MAC, switch IP, switch port and VLAN ID are written to the controller, and your device passes network authentication.
[Figure labels: device IP, device MAC, switch IP, switch port, VLAN ID]
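The eight-step process above, and the whitelist and 5-attribute strategy from the "wanted architecture" slide, modelled in Python as an added example. This is not IHEP's code: the DHCP server, the SDN controller and the user access control system are simulated in memory, the MAC addresses, IP addresses, switch ports and VLAN are constructed, and how the DHCP server knows the access-switch location of a lease is an assumption here (the slides only say it can report it).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """The five attributes the controller keeps for every access device."""
    device_mac: str
    device_ip: str
    switch_ip: str
    switch_port: str
    vlan_id: int


class DhcpServer:
    """Simulated DHCP server. assign() records the lease together with the
    switch IP/port/VLAN the slides say the DHCP server can report (assumption:
    learned from the access switch when the lease is granted)."""

    def __init__(self):
        self.leases = {}  # device MAC -> Binding

    def assign(self, mac, ip, switch_ip, switch_port, vlan_id):
        lease = Binding(mac, ip, switch_ip, switch_port, vlan_id)
        self.leases[mac] = lease
        return lease


class SdnController:
    """Simulated controller holding the 5-attribute control strategy."""

    def __init__(self):
        self.bindings = {}     # device MAC -> Binding
        self.whitelist = set()  # admin MACs allowed on any port

    def write_binding(self, binding):
        self.bindings[binding.device_mac] = binding

    def verify(self, observed):
        # Steps 3-4: all five observed attributes must equal the stored entry;
        # a device that is unknown, or known but seen elsewhere, is redirected.
        if observed.device_mac in self.whitelist:
            return ("pass", "whitelist")
        stored = self.bindings.get(observed.device_mac)
        if stored is None:
            return ("redirect", "unregistered")
        if stored != observed:
            return ("redirect", "mismatch")
        return ("pass", "match")


class UserAccessControlSystem:
    def __init__(self, dhcp, controller):
        self.dhcp = dhcp
        self.controller = controller
        self.users = {}  # device MAC -> registered personal information

    def register(self, mac, user_info):
        # Steps 5-8: take the user's information, read MAC/switch IP/port/VLAN
        # from the DHCP lease, and write the binding into the controller.
        lease = self.dhcp.leases.get(mac)
        if lease is None:
            raise LookupError(f"no DHCP lease for {mac}")
        self.users[mac] = user_info
        self.controller.write_binding(lease)
        return lease


def connect(dhcp, controller, mac, ip, switch_ip, port, vlan):
    """Steps 1-4: the device gets an address, then its request is verified."""
    observed = dhcp.assign(mac, ip, switch_ip, port, vlan)
    return controller.verify(observed)


def demo():
    """Walk a constructed device through the process; returns each decision."""
    dhcp, ctl = DhcpServer(), SdnController()
    uacs = UserAccessControlSystem(dhcp, ctl)
    admin_mac = "00:11:22:33:44:ad"  # constructed whitelisted admin device
    user_mac = "00:11:22:33:44:55"   # constructed user device
    ctl.whitelist.add(admin_mac)
    results = {}
    results["first_access"] = connect(dhcp, ctl, user_mac, "192.0.2.10", "192.0.2.1", "GE1/0/5", 100)
    uacs.register(user_mac, {"name": "example user"})
    results["after_registration"] = connect(dhcp, ctl, user_mac, "192.0.2.10", "192.0.2.1", "GE1/0/5", 100)
    # Same device plugged into another port: the stored strategy no longer matches.
    results["moved_port"] = connect(dhcp, ctl, user_mac, "192.0.2.10", "192.0.2.1", "GE1/0/9", 100)
    results["admin_any_port"] = connect(dhcp, ctl, admin_mac, "192.0.2.20", "192.0.2.1", "GE1/0/7", 100)
    return results


if __name__ == "__main__":
    for step, decision in demo().items():
        print(f"{step}: {decision}")
```

The "moved_port" case is the point of keeping all five attributes rather than the MAC alone: a registered device that appears on a different switch port is sent back through the registration portal instead of being admitted, while a whitelisted admin device passes from any port.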

SDN @ network access control management in IHEP: test-bed and result
- We built a test-bed last month: SDN controller (HUAWEI Agile Controller), DHCP (Infoblox).
- The access control test results are in line with our expectations.
- The whitelist test results also satisfy our requirements.
[Figure labels: REST API; device MAC, switch IP, device IP, switch port, VLAN ID]

SDN @ network access control management in IHEP: test-bed and result, northbound interface test
- Add an account to the SDN controller: added successfully
- Delete the account: deleted successfully
- Modify the binding port of an account: modified successfully
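The three northbound tests (add an account, delete it, modify its binding port) replayed against a stand-in REST service, as an added example. This is not IHEP code and not the HUAWEI Agile Controller's real northbound API, which the slides do not document: the /accounts resource, its JSON fields and the HTTP methods are hypothetical, and the account values are constructed. The server runs in a thread on a loopback port so the whole exchange runs offline.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# The five attributes of an account (hypothetical field names).
FIELDS = ("device_mac", "device_ip", "switch_ip", "switch_port", "vlan_id")
ACCOUNTS = {}  # device_mac -> dict of the five attributes (in-memory store)


class NorthboundHandler(BaseHTTPRequestHandler):
    """Hypothetical northbound REST resource: POST /accounts, PUT/DELETE /accounts/<mac>."""

    def _reply(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _body(self):
        length = int(self.headers.get("Content-Length", 0))
        return json.loads(self.rfile.read(length) or b"{}")

    def _mac(self):
        parts = self.path.strip("/").split("/")
        return parts[1] if len(parts) == 2 and parts[0] == "accounts" else None

    def do_POST(self):  # add an account
        if self.path != "/accounts":
            return self._reply(404, {"error": "not found"})
        acct = self._body()
        missing = [f for f in FIELDS if f not in acct]
        if missing:  # reject incomplete bindings rather than store a partial strategy
            return self._reply(400, {"error": "missing fields", "fields": missing})
        if acct["device_mac"] in ACCOUNTS:
            return self._reply(409, {"error": "account exists"})
        ACCOUNTS[acct["device_mac"]] = {f: acct[f] for f in FIELDS}
        self._reply(201, {"result": "added"})

    def do_PUT(self):  # modify attributes, e.g. the binding port
        mac = self._mac()
        if mac not in ACCOUNTS:
            return self._reply(404, {"error": "unknown account"})
        change = self._body()
        unknown = [k for k in change if k not in FIELDS]
        if unknown:
            return self._reply(400, {"error": "unknown fields", "fields": unknown})
        ACCOUNTS[mac].update(change)
        self._reply(200, {"result": "modified", "account": ACCOUNTS[mac]})

    def do_DELETE(self):  # delete an account
        mac = self._mac()
        if ACCOUNTS.pop(mac, None) is None:
            return self._reply(404, {"error": "unknown account"})
        self._reply(200, {"result": "deleted"})

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), NorthboundHandler)  # port 0: any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def call(base, method, path, payload=None):
    """Minimal REST client; returns (HTTP status, decoded JSON body)."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(base + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read())


def run_tests():
    """Replays the slide's add / modify / delete tests; returns every response."""
    srv = start_server()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    mac = "00:11:22:33:44:55"  # constructed
    acct = {"device_mac": mac, "device_ip": "192.0.2.10", "switch_ip": "192.0.2.1",
            "switch_port": "GE1/0/5", "vlan_id": 100}
    out = {}
    out["add"] = call(base, "POST", "/accounts", acct)
    out["add_again"] = call(base, "POST", "/accounts", acct)  # duplicate is rejected
    out["modify"] = call(base, "PUT", f"/accounts/{mac}", {"switch_port": "GE1/0/9"})
    out["delete"] = call(base, "DELETE", f"/accounts/{mac}")
    out["delete_again"] = call(base, "DELETE", f"/accounts/{mac}")
    srv.shutdown()
    srv.server_close()
    return out


if __name__ == "__main__":
    for name, (status, body) in run_tests().items():
        print(name, status, body)
```

The two "again" calls are the checks worth adding to a northbound test plan beyond the three success cases: a duplicate add must not silently overwrite an existing binding, and deleting an account twice must report that it is already gone. In production the service would also need authentication on this interface, since whoever can call it controls the access strategy.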

SDN @ network access control management in IHEP: future plan
- Develop and upgrade our user access control system using the northbound interface.
- Complete wired network access control management based on the SDN architecture within the next 3 months.
- Replace the old network equipment step by step.

SDN @ network security in IHEP

SDN @ network security in IHEP: network security challenges in the computing/data center
- Network security devices may become the bottleneck of network data exchange.
- Many network security devices have to be deployed at the network exit, such as IDP (intrusion detection and prevention system), WAF (web application firewall), VPN (virtual private network) and others, which makes the network security policies very complex.
- Service chain adjustment is also complex; most of the time the network topology has to be changed and the network reconfigured.

SDN @ network security in IHEP: thoughts and plan
Thoughts
- We want simple security policy adjustment for the network security devices, without changing the network topology often.
- We want fewer security devices connected in series; most of them should be attached to the network as a bypass.
- We want to reduce the traffic load on the network security devices.
Plan
- Minimize the impact on the existing network.
- The plan is divided into two steps.

SDN @ network security in IHEP: step 1
- We use an SDN switch as a traffic aggregation node and verify our ideas about network security on the SDN architecture.
- We set filtering rules in the controller to steer network traffic into a predefined network security node.
- We also set service chain rules in the controller to pass traffic through different network security nodes in order.
- We built a test-bed using DELL devices.
[Figure: stage 1]

SDN @ network security in IHEP: test-bed and result
- Create a rule
[Figure labels: 2 SDN switch]

SDN @ network security in IHEP: test-bed and result
- We created a rule that filters UDP traffic and defines the input port and the output port.
- The test results are in line with our expectations.
[Figure labels: UDP, input port, output port]
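The step-1 idea (filtering rules that pull one kind of traffic into a security node, and service chain rules that pass it through several nodes in order) together with the UDP input-port/output-port rule from this test, modelled in Python as an added example. This is not IHEP code and not the rule syntax of the DELL switches or the controller used in the test-bed: the flow entries are an OpenFlow-like simplification (match on ingress port and IP protocol, action "output to port"), and the port numbers, security nodes and packets are constructed. It goes a little beyond the single UDP rule on the slide by generating the whole chain.

```python
from dataclasses import dataclass

UDP, TCP = 17, 6  # IP protocol numbers


@dataclass
class FlowEntry:
    priority: int
    match: dict      # subset of {"in_port": ..., "ip_proto": ...}
    out_port: int

    def matches(self, pkt):
        return all(pkt.get(k) == v for k, v in self.match.items())


class FlowTable:
    """Highest-priority matching entry wins, as in an OpenFlow table."""

    def __init__(self):
        self.entries = []

    def add(self, entry):
        self.entries.append(entry)
        self.entries.sort(key=lambda e: -e.priority)

    def lookup(self, pkt):
        for entry in self.entries:
            if entry.matches(pkt):
                return entry.out_port
        return None  # table miss: nothing forwards the packet


def service_chain_rules(ingress, chain, egress, ip_proto):
    """Rules steering ip_proto traffic arriving on `ingress` through each
    (to_node, from_node) port pair in `chain`, in order, then out via `egress`.
    All other traffic from `ingress` goes straight to `egress` at lower priority."""
    rules = []
    hop_in = ingress
    for to_node, from_node in chain:
        # Filtering rule: selected traffic entering on hop_in is sent into the node.
        rules.append(FlowEntry(100, {"in_port": hop_in, "ip_proto": ip_proto}, to_node))
        hop_in = from_node  # what the node returns comes back on its paired port
    rules.append(FlowEntry(100, {"in_port": hop_in, "ip_proto": ip_proto}, egress))
    rules.append(FlowEntry(10, {"in_port": ingress}, egress))  # bypass for the rest
    return rules


def trace(table, pkt, nodes, egress, max_hops=10):
    """Follow one packet through the switch. `nodes` maps a node's input port to
    the port on which it hands the packet back. Returns the ports it was sent to."""
    path = []
    for _ in range(max_hops):
        out = table.lookup(pkt)
        path.append(out)
        if out is None or out == egress:
            return path
        if out not in nodes:
            raise ValueError(f"port {out} is neither a security node nor the egress")
        pkt = dict(pkt, in_port=nodes[out])  # packet re-enters from the node
    raise RuntimeError("forwarding loop")


def demo():
    """UDP goes IDP -> WAF -> exit; TCP bypasses both (constructed topology)."""
    ingress, egress = 1, 2
    idp = (3, 4)  # switch ports towards / back from the IDP node
    waf = (5, 6)  # switch ports towards / back from the WAF node
    nodes = {idp[0]: idp[1], waf[0]: waf[1]}
    table = FlowTable()
    for rule in service_chain_rules(ingress, [idp, waf], egress, UDP):
        table.add(rule)
    udp_pkt = {"in_port": ingress, "ip_proto": UDP}
    tcp_pkt = {"in_port": ingress, "ip_proto": TCP}
    return {
        "rules": len(table.entries),
        "udp_path": trace(table, udp_pkt, nodes, egress),
        "tcp_path": trace(table, tcp_pkt, nodes, egress),
    }


if __name__ == "__main__":
    print(demo())
```

Changing the order of the chain, or adding a node, only changes the rules pushed to the switch; the cabling between the switch and the security devices stays the same, which is the topology-stability goal stated on the "thoughts" slide. The model covers one direction only; the return path needs its own set of rules, and a rule for traffic coming back from a node that matches nothing falls to a table miss, which is safer than a default forward.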

SDN @ network security in IHEP: step 2
- The SDN switch acts as the gateway, and the firewalls are connected to the SDN switch as a bypass.
- Current status: the architecture has been designed.
Plan
- Deploy the second-step test-bed within roughly the next two months.
- Evaluate the function and performance of the bypass firewall solution.
[Figure: stage 2]

Summary
- Our wired and wireless networks are independent of each other and are connected by the interconnection switch.
- We implemented unified management of the wireless network across campuses, and it works well.
- We designed a wired network access control management solution based on the SDN architecture, and the test-bed results are very successful.
- The architecture of SDN @ network security in IHEP has been designed, and the test-bed results are in line with our expectations.

Thanks for your attention!