Openflow App Security Chao SHI Stephen Duraski. Background Software-defined networking o Control plane abstraction o Abstract topology view o Abstraction.

Slides:



Advertisements
Similar presentations
Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.
Advertisements

1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.
1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.
SDN Controller Challenges
Frenetic: A High-Level Language for OpenFlow Networks Nate Foster, Rob Harrison, Matthew L. Meola, Michael J. Freedman, Jennifer Rexford, David Walker.
CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.
Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.
Network Innovation using OpenFlow: A Survey
Scalable Flow-Based Networking with DIFANE 1 Minlan Yu Princeton University Joint work with Mike Freedman, Jennifer Rexford and Jia Wang.
Extensible Networking Platform IWAN 2005 Extensible Network Configuration and Communication Framework Todd Sproull and John Lockwood
Systems Architecture, Fourth Edition1 Internet and Distributed Application Services Chapter 13.
Data Security in Local Networks using Distributed Firewalls
Jaehoon (Paul) Jeong, Hyoungshick Kim, and Jung-Soo Park
1 Logically Centralized? State Distribution Trade-offs in Software Defined Networks Written By Dan Levin, Andreas Wundsam, Brandon Heller, Nikhil Handigol,
A Survey on Interfaces to Network Security
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
SECURING NETWORKS USING SDN AND MACHINE LEARNING DRAGOS COMANECI –
A Policy-based Approach to Wireless LAN Security Management George Lapiotis, Byungsuk Kim, Subir Das, Farooq Anjum Speaker: George Lapiotis
Frenetic: A Programming Language for Software Defined Networks Jennifer Rexford Princeton University Joint work with Nate.
Software-Defined Networks Jennifer Rexford Princeton University.
Speaker:Chiang Hong-Ren Botnet Detection by Monitoring Group Activities in DNS Traffic.
Honeypot and Intrusion Detection System
OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Sungkyunkwan University (SKKU) Security Lab. A Framework for Security Services based on Software-Defined Networking Jaehoon (Paul) Jeong 1, Jihyeok Seo.
SDN based Network Security Monitoring in Dynamic Cloud Networks Xiuzhen CHEN School of Information Security Engineering Shanghai Jiao Tong University,
Intrusion Detection Prepared by: Mohammed Hussein Supervised by: Dr. Lo’ai Tawalbeh NYIT- winter 2007.
INTERNATIONAL NETWORKS At Indiana University Hans Addleman TransPAC Engineer, International Networks University Information Technology Services Indiana.
Distributed IDS The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services.
DR Software: Essential Foundational Elements and Platform Components UCLA Smart Grid Energy Research Center (SMERC) Industry Partners Program (IPP) Meeting.
HIPS Host-Based Intrusion Prevention System By Ali Adlavaran & Mahdi Mohamad Pour (M.A. Team) Life’s Live in Code Life.
3 June, 2016 Toorcon Security Expo Hydra Intelligent Agent: Instrument for Security One Size Fits All Distributed Scanning Distributed IDS Distributed.
SNORT Biopsy: A Forensic Analysis on Intrusion Detection System By Asif Syed Chowdhury.
1 COPYRIGHT © 2015 ALCATEL-LUCENT. ALL RIGHTS RESERVED. Cognitive Security: Security Analytics and Autonomics for Virtualized Networks Lalita Jagadeesan.
Securing the Network Infrastructure. Firewalls Typically used to filter packets Designed to prevent malicious packets from entering the network or its.
Programming Languages for Software Defined Networks Jennifer Rexford and David Walker Princeton University Joint work with the.
Aaron Gember, Theophilus Benson, Aditya Akella University of Wisconsin-Madison.
Extending OVN Forwarding Pipeline Topology-based Service Injection
Cryptography and Network Security Sixth Edition by William Stallings.
Improving Network Management with Software Defined Network Group 5 : z Xuling Wu z Haipeng Jiang z Sichen Wu z Aparna Sanil.
Selective Packet Inspection to Detect DoS Flooding Using Software Defined Networking Author : Tommy Chin Jr., Xenia Mountrouidou, Xiangyang Li and Kaiqi.
James S. Rothfuss, Computer Protection Program COMPUTING SCIENCES NETS Network Equipment Tracking System.
Speaker:Chiang Hong-Ren An Investigation and Implementation of Botnet Detection Schemes.
Presented By: Mohammed Al-Mehdhar Presentation Outline Introduction Approaches Implementation Evaluation Conclusion Q & A.
CSci8211: SDN Controller Design 1 Overview of SDN Controller Design  SDN Re-cap  SDN Controller Design: Case Studies  NOX Next Week:  ONIX  ONOS 
Microsoft Visual Basic 2015 CHAPTER ONE Introduction to Visual Basic 2015 Programming.
Towards Secure and Dependable Software-Defined Networks Fernando M. V. Ramos LaSIGE/FCUL, University of Lisbon
Department of Electrical and Computer Engineering Abhishek Dwaraki 1 Srini Seetharaman 2, Sriram Natarajan 3, Tilman Wolf 1 1. Department of Electrical.
SDN & Security Security as an App (SaaA) on SDN
SDN and Security Security as a service in the cloud
SDN challenges Deployment challenges
CompTIA Security+ Study Guide (SY0-401)
Programming SDN Newer proposals Frenetic (ICFP’11) Maple (SIGCOMM’13)
Chapter 9: The Client/Server Database Environment
University of Maryland College Park
The DPIaaS Controller Prototype
Network Anti-Spoofing with SDN Data plane Authors:Yehuda Afek et al.
Author: Daniel Guija Alcaraz
The Client/Server Database Environment
Overview of SDN Controller Design
CompTIA Security+ Study Guide (SY0-401)
2018 Real Cisco Dumps IT-Dumps
A Novel Framework for Software Defined Wireless Body Area Network
ONOS Drake Release September 2015.
Software Defined Networking (SDN)
Enabling Innovation Inside the Network
Securing Home IoT Environments with Attribute-Based Access Control
SDN + NetSec Vyas Sekar.
Autonomous Network Alerting Systems and Programmable Networks
OpenSec:Policy-Based Security Using Software-Defined Networking
Presentation transcript:

Openflow App Security Chao SHI Stephen Duraski

Background Software-defined networking o Control plane abstraction o Abstract topology view o Abstraction make things much simpler o More Innovation in control mechanisms and security products.

Motivations Information Deficiency Challenge o No key state tracking (TCP session) Security Service Composition Challenge o Software not decomposable. o DPI-based signatures does not produce flow rules Threat Response Translation Challenge o Need more complex security directives o Examples  Quarantine modules  Flow Redirection Modules  Traffic Control Modules (defend DDoS)

Basic Problem Is there a way to make the security app development faster on Openflow? Instead of implementing a new security software from scratch, can we migrate the legacy software (Snort) on Openflow directly?

What is FRESCO Framework for Enabling Security Controls in OpenFlow networks Application development framework o module composition o accelerate development cycle How it answers our question Scripting API 16 commonly reusable modules (security mitigation directives) An API to make DPI-based security software compatible on OF

What is FRESCO FRESCO is built on the foundations of work such as SANE and Ethane, however, FRESCO is much more sophisticated than the simple access control provided by those systems. FRESCO is specialized to serve the needs of security applications, prior work in languages that specify security policies include Nettle, Frenetic, Procera, and OpenSAFE. FRESCO is built on NOX, but could be extended to other architectures

Module Design a.input b.output c.parameter d.action e.event Action o Drop o Forward o Group o Set  Redirect  MIrror  Quarantine

Development Environment Script-to-Module Translation o Registration API:  Administrator give developer an ID and an asymmetric key pair  Developer embed ID in app and sign it with private key Database Management o Tracking network states Event Management Instance execution o Authorize the app ID using public key o Instance is instantiated when event happens

Event Handling

Script Language

Resource Controller Two functions o Switch Monitor o Garbage Collection  LFU Policy

Security Enforcement Kernel No flow conflict reconcile o Security enforcement flows should have higher priority and should never be overwritten by non- security flow rules SEK o Sign Your Flow ! o Detect any rule conflict and resolve it using hierarchy authority model. o Not the major focus of this paper

Case Study: Reflector Net A FRESCO application that allows OF network operators to redirect malicious scanners to a third-party remote honeypot.

Case Study: Reflector Net Two Modules o Scan Detector  Event: TCP_CONNECTION_FAIL (from DB)  Input: IP addr causing TCP_CONNECTION_FAIL  Parameter: Threshold  Output: IP addr and scan detection result  Action: Undefined o Redirector  Event: Push  Input: IP addr and Scan detection result  Output: Undefined  Parameter: Undefined  Action: True Scan? Redirect:Forward

Case Study: Cooperating with Legacy Security Applications FRESCO provides an interface for interacting with legacy security applications such as Snort and BotHunter. Alerts from these network security monitors can be integrated into the flow rule production logic of OF- enabled networks.

Case Study: Cooperating with Legacy Security Applications

System Evaluation FRESCO Scan Deflector Service o FRESCO modules and their connections can be linked together to implement a malicious scan deflector for Open-Flow environments

System Evaluation FRESCO BotMiner Service o BotMiner is an application that detects bots through network- level flow analysis, the essentials of which have been implemented through FRESCO

System Evaluation FRESCO P2P Plotter Service o A P2P malware detection algorithm has been implemented in FRESCO

System Evaluation FRESCO has shown the ability to implement similar functionality to existing anomaly detection approaches such as TRW with substantially fewer lines of code than previously possible. FRESCO application require additional setup time between 0.5 ms and 10.9 ms (would likely be improved on a more powerful host as opposed to the emulated environment the testing was done in)

FRESCO garbage collection is shown to work in the paper, and removes unused flow rules. FRESCO shows substantial potential in the ability to enhance the rapid prototyping and development of security algorithms in OpenFlow switches System Evaluation

Related Work

FortNOX SDN apps can compete, contradict, override one another, incorporate vulnerabilities Worst case: an adversary can use a vulnerable and deterministic SDN app to control the state of all SDN switches in the network

SDN/OpenFlow Evasion Scenario

Videos Video Introduction: : Inside FortNOX [Youtube! ]Youtube! Video Demo 1: : Security Constraints Enforcement [ Youtube! ] Youtube! Video Demo 2: : Reflector Nets [ Youtube! ] Youtube! Video Demo 3: : Automated Quarantine [ Youtube! ] Youtube!

Open Issues FRESCO focuses on detection of rule update conflicts and security policy violations More general APIs for managing a distributed control plane in SDNs exist (such as Onix), these techniques and strategies could be integrated into FRESCO Potential expansion could be done in increasing the number and flexibility of FRESCO modules

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.