CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.

Presentation transcript:

CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon Shin and Guofei Gu SUCCESS LAB Texas A&M University

Contents: Background; Problem domain; CloudWatcher; Future work; Conclusion

Background
Cloud is large and complicated
- A lot of VMs in a cloud network: "Amazon seems to operate nearly half a million servers for a cloud network", and each server may run more than 10 VMs inside, so Amazon may operate around 5 million VMs
- A lot of tenants use cloud services, and they have different network or server configurations
Cloud is dynamic
- VMs can move to any server in a cloud network

Problem Domain
How to monitor cloud networks for security purposes
- Each tenant will want to have different network configurations
- A VM can move from host to host
- Current flow control methods do not consider security devices

Example Scenario
(Figure: routing from VM1 to VM3, and routing from VM1 to VM3 considering the NIDS; hosts H1, H2, H3 and routers R1 to R5)

Goal
Provide routing algorithms
- The algorithms guarantee that specified network security devices can monitor specific network flows
Provide a script language
- A network administrator can easily register security devices
- A network administrator can easily define security policies

SDN and OpenFlow
SDN: Software Defined Networking
- Separate the network control plane and data plane
- Intelligent control plane
- Simple (and fast) data plane
- We can program the network: control network flows (e.g., decide routing paths)
OpenFlow
- One of the popular SDN technologies

OpenFlow Overview
(Figure from the Stanford OpenFlow tutorial, OpenFlowSwitch.org / OpenFlow Switch specification: a controller PC talks to an OpenFlow switch over the OpenFlow protocol on an SSL secure channel; the switch holds a flow table in hardware and software; the channel carries add/delete flow entries, encapsulated packets, and controller discovery)

SDN and OpenFlow
People try to apply this technology to a cloud network
- Network virtualization, e.g., Nicira NVP
- Network Infrastructure as a Service, e.g., OpenFlow interface with OpenStack

CloudWatcher
A new framework
- Provides monitoring services for large and dynamic cloud networks
- Automatically detours network packets to be inspected by pre-installed network security devices, using OpenFlow
- Provides a script to operate this framework

Operating Scenario
(Figure: the administrator registers security devices and creates security policies; CloudWatcher parses the security policies, creates routing rules, translates the routing rules into OpenFlow rules, and enforces the flow rules into the routers)
Example: router (device ID = 8) with an NIDS (ID = 1) attached
- Device registration {ID, TYPE, LOCATION, MODE, Func}: {1, NIDS, 8, PASSIVE, Detect HTTP}
- Security policy {FLOW CONDITION, DEVICE SET}: { , {1}}

How to Control Flows
Four approaches
- Multipath naïve
- Shortest through
- Multipath shortest
- Shortest inline
(Sample network in the figure: S = start node, E = end node, R = router, C = security device)

Simple Shortest Path
Basic routing scheme (NOT CloudWatcher's idea)
- Find the shortest path between a start host and an end host
- Path: S → R1 → R5 → R6 → E

Multipath Naïve (algorithm 1)
Find multiple paths
- Shortest path between S and E
- Shortest path between S and C
- Paths: S → R1 → R5 → R6 → E and S → R1 → R2 → R3 → R4
OpenFlow provides a function to send packets to multiple outputs
- E.g., R1 → {R2, R5}

Shortest Through (algorithm 2)
Find the shortest path passing through R4
- Shortest path between S and R4
- Shortest path between R4 and E
- Path: (S → R1 → R2 → R4) + (R4 → R6 → E)

Multipath Shortest (algorithm 3)
Improved version of multipath naïve, in two phases
- Find the shortest path (P1): S → R1 → R5 → R6 → E
- Find the shortest path between the routers on path P1 and R4: R6 → R4, so R6 → {R4, E}

Shortest Inline (algorithm 4)
Find a path passing through (a) specific link(s), not a node
Good for delivering network packets to inline devices
- E.g., IPS (intrusion prevention system)
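The four flow-control algorithms above, worked on a small constructed topology as an added example (this is not CloudWatcher's own NOX code). The link set, the hop-count metric and BFS tie-breaking are assumptions; the NIDS is attached to R4 as in the slides, and the resulting multi-output rules (R1 → {R2, R5}, R6 → {R4, E}) match the ones the slides show.

```python
from collections import deque

# Constructed sample topology (an assumption, not the paper's figure): S and E
# are the end hosts (leaves), R1..R6 routers, and the NIDS is attached to R4.
LINKS = [("S", "R1"), ("R1", "R2"), ("R1", "R5"), ("R2", "R3"), ("R2", "R4"),
         ("R3", "R4"), ("R4", "R6"), ("R5", "R6"), ("R6", "E")]
GRAPH = {}
for a, b in LINKS:
    GRAPH.setdefault(a, []).append(b)
    GRAPH.setdefault(b, []).append(a)

def shortest_path(src, dst, graph=GRAPH):
    """Hop-count shortest path by BFS (unit link costs); None if unreachable."""
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in graph[path[-1]]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def multipath_naive(src, dst, dev):
    """Algorithm 1: shortest S->E plus shortest S->device; the last common
    router gets a multi-output rule (OpenFlow can output to several ports)."""
    to_dst, to_dev = shortest_path(src, dst), shortest_path(src, dev)
    if dev in to_dst:  # device already on the main path: no fork needed
        return to_dst, to_dst[:to_dst.index(dev) + 1], {}
    fork = 1
    while to_dst[fork] == to_dev[fork]:
        fork += 1
    return to_dst, to_dev, {to_dst[fork - 1]: sorted({to_dst[fork], to_dev[fork]})}

def shortest_through(src, dst, dev):
    """Algorithm 2: shortest S->device joined to shortest device->E."""
    return shortest_path(src, dev) + shortest_path(dev, dst)[1:]

def multipath_shortest(src, dst, dev):
    """Algorithm 3: keep the shortest S->E path (P1) and branch to the device
    from the router on P1 that is closest to it."""
    p1 = shortest_path(src, dst)
    if dev in p1:
        return p1, [dev], {}
    branch = min((shortest_path(r, dev) for r in p1[1:-1]), key=len)
    nxt = p1[p1.index(branch[0]) + 1]
    return p1, branch, {branch[0]: sorted({branch[1], nxt})}

def shortest_inline(src, dst, link):
    """Algorithm 4: force the path across link (a, b), e.g. through an inline IPS."""
    a, b = link
    return shortest_path(src, a) + shortest_path(b, dst)
```

Each function returns the path(s) plus, for the multipath variants, the per-router multi-output rule that would be translated into an OpenFlow entry.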

Summary for Flow Control Methods
Method | Pros | Cons | When to use
Multipath Naïve | Simple and fast | Redundant flows | Enough network capacity, delay is important
Shortest Through | Efficient | Computation overhead when there are multiple devices | Not enough network capacity, delay is not so important
Multipath Shortest | Efficient | Computation overhead | Not many hops (e.g., communication between inside VMs)
Shortest Inline | Guarantees passing through a specific link | Computation overhead when there are multiple devices | For an inline security device (e.g., IPS)

Implementation and Evaluation
CloudWatcher is implemented
- As an OpenFlow application running on the NOX controller
- Implemented in Python
Verify each algorithm on emulated networks
- Use Mininet to emulate networks supporting OpenFlow

Evaluation Results
(Figures: flow rule generation time, and flow rule generation time with 12 routers)
Legend: Shortest = Dijkstra algorithm to find the shortest path; Algorithm 1 = Multipath naïve; Algorithm 2 = Shortest Through; Algorithm 3 = Multipath Shortest; Algorithm 4 = Shortest Inline

Future Work
- Optimize algorithms
- Dynamic path selection
- Provide security response strategies
- Verify the proposed ideas on a large-scale system

Conclusion
CloudWatcher provides a new framework to monitor cloud networks
- With the help of SDN technology
- A cloud administrator can select algorithms based on network status
- A cloud administrator can monitor his network by writing simple scripts