Jaehoon (Paul) Jeong, Hyoungshick Kim, and Jung-Soo Park

Slides:

Advertisements

Similar presentations

Access Control List (ACL)

Advertisements

Slick: A control plane for middleboxes Bilal Anwer, Theophilus Benson, Dave Levin, Nick Feamster, Jennifer Rexford Supported by DARPA through the U.S.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

IUT– Network Security Course 1 Network Security Firewalls.

1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

SDN and Openflow.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Principles of Information Security, 2nd Edition1 Firewalls and VPNs.

Presented by Serge Kpan LTEC Network Systems Administration 1.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

Circuit & Application Level Gateways CS-431 Dick Steflik.

Security Issues on Distributed Systems 7 August, 1999 S 1 Prepared by : Lorrien K. Y. Lau Student I.D. : August 1999 The Chinese University.

Chapter 9 Classification And Forwarding. Outline.

Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study

Department Of Computer Engineering

Firewall Slides by John Rouda

A Survey on Interfaces to Network Security

Firewalls Marin Stamov. Introduction Technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

A Brief Taxonomy of Firewalls

Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )

Why do we need Firewalls? Internet connectivity is a must for most people and organizations  especially for me But a convenient Internet connectivity.

Part 2  Access Control 1 CAPTCHA Part 2  Access Control 2 Turing Test Proposed by Alan Turing in 1950 Human asks questions to another human and a computer,

Firewall and Internet Access Mechanism that control (1)Internet access, (2)Handle the problem of screening a particular network or an organization from.

P RESENTED B Y - Subhomita Gupta Roll no: 10 T OPICS TO BE DISCUSS ARE : Introduction to Firewalls  History Working of Firewalls Needs Advantages and.

Sungkyunkwan University (SKKU) Security Lab. A Framework for Security Services based on Software-Defined Networking Jaehoon (Paul) Jeong 1, Jihyeok Seo.

11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.

Access Control List (ACL) W.lilakiatsakun. ACL Fundamental ► Introduction to ACLs ► How ACLs work ► Creating ACLs ► The function of a wildcard mask.

INTERNATIONAL NETWORKS At Indiana University Hans Addleman TransPAC Engineer, International Networks University Information Technology Services Indiana.

Firewalls Nathan Long Computer Science 481. What is a firewall? A firewall is a system or group of systems that enforces an access control policy between.

1 © 2004, Cisco Systems, Inc. All rights reserved. Chapter 9 Intermediate TCP/IP/ Access Control Lists (ACLs)

© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.

Security Requirements for Software Defined Networks Internet Area WG IETF 85: Atlanta November 4, 2012 Margaret Wasserman

Vic Liu Liang Xia Zu Qiang Speaker: Vic Liu China Mobile Network as a Service Architecture draft-liu-nvo3-naas-arch-01.

Securing the Network Infrastructure. Firewalls Typically used to filter packets Designed to prevent malicious packets from entering the network or its.

Module 10: How Middleboxes Impact Performance

SDN AND OPENFLOW SPECIFICATION SPEAKER: HSUAN-LING WENG DATE: 2014/11/18.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

FirewallPK Security tool for centralized Access Control List Management th RoEduNet International Conference - Networking in Education and Research.

What's a Firewall? A security system that acts as a protective boundary between a network and the outside world Isolates computer from the internet using.

IP packet filtering Breno de Medeiros. Florida State University Fall 2005 Packet filtering Packet filtering is a network security mechanism that works.

Chapter 11 – Cloud Application Development. Contents Motivation. Connecting clients to instances through firewalls. Cloud Computing: Theory and Practice.

Cisco Exam Questions IMPLEMENTING CISCO IOS NETWORK SECURITY (IINS V2.0) VERSION: Presents: 1.

FIREWALLS By k.shivakumar 08k81f0025. CONTENTS Introduction. What is firewall? Hardware vs. software firewalls. Working of a software firewalls. Firewall.

Software Defined Networking BY RAVI NAMBOORI. Overview  Origins of SDN.  What is SDN ?  Original Definition of SDN.  What = Why We need SDN ?  Conclusion.

Central Management of 300 Firewalls and Access-Lists Fabian Mauchle TNC 2012 Reykjavík, 21-May-2012.

Defining Network Infrastructure and Network Security Lesson 8.

CompTIA Security+ Study Guide (SY0-401)

Multi-layer software defined networking in GÉANT

FIREWALL configuration in linux

Computer Data Security & Privacy

Prepared By : Pina Chhatrala

Introduction to Networking

CompTIA Security+ Study Guide (SY0-401)

Firewalls at UNM 11/8/2018 Chad VanPelt Sean Taylor.

Service Function Chaining-Enabled

Firewalls Routers, Switches, Hubs VPNs

Firewalls Jiang Long Spring 2002.

Chapter 11: Network Address Translation for IPv4

Autonomous Network Alerting Systems and Programmable Networks

Intelligent Network Services through Active Flow Manipulation

Chapter 4: outline 4.1 Overview of Network layer data plane

Presentation transcript:

Jaehoon (Paul) Jeong, Hyoungshick Kim, and Jung-Soo Park Requirements for Security Services based on Software-Defined Networking draft-jeong-i2nsf-sdn-security-services-00 IETF 91, Honolulu, HI, November 13, 2014 Jaehoon (Paul) Jeong, Hyoungshick Kim, and Jung-Soo Park Sungkyunkwan University & ETRI

Contents I Introduction SDN-Based Security Services II Objectives III Requirements V Use Cases VI Discussion

Standardization Status in ITU-T Working Item in Study Group 17 (SG 17), Question 6 (Q.6) in ITU-T Our proposal for“Requirements for Security Services based on Software-Defined Networking”was accepted as a working item in September Meeting in 2014. Scope of the Draft in SG 17. Classify the network resources for SDN-based security services. Define the requirements for SDN-based security services. Define the enhanced framework to support SDN-based security services. Define use cases for security services based on SDN.

Motivation Legacy Firewall Firewall inspects packets that attempt to cross a network boundary. Firewall rejects any illegal packets such as Incoming requests to open illegal TCP connections, Packets of other illegal types (e.g., UDP and ICMP), and IP datagrams with illegal IP addresses (or ports). Firewall provides security at the loss of flexibility and the cost of network administration.

Challenges in Firewall Cost The cost of adding firewalls to routers is substantial. Performance Firewalls are often slower than the link speed of their network interfaces. Management Managing access control dynamically across hundreds of network elements is a challenge. Policy It is difficult to describe what are permitted and denied flows within the specific organization. Binding Packet-based access mechanism is not enough in practice since the basic unit of access control is usually user or application. e.g., Skype connections for specific users are open.

Centralized Network Firewall based on Software-Defined Networking (SDN) Firewall rules can be managed flexibly by a centralized server. SDN protocols can be used for a standard interface between firewall applications and switches. Firewall add or delete rules <Match, Action> … Private network Public network Switches

Expectations for SDN-Based Firewall Cost Ideally, one single firewall is enough. Performance Firewalls can adaptively be deployed depending on network conditions. Management Firewall rules can dynamically be added with new attacks. Policy Centralized view might be helpful to determine security policies. Binding Application level rules can be defined by software.

SDN-Based Security Services Firewall DDoS-Attack Mitigator SDN Controller Install new rules (e.g., drop packets with suspicious patterns) Switch1 Switch2 Incoming packets Incoming packets Switch3

High-Level Architecture for SDN-Based Security Services Multi-Layer Management Functions Security Application (e.g., Firewall, DDoS-Attack Mitigation) Application Support Orchestration Abstraction Control Support Data Transport and Processing Application Layer SDN Control Layer Resource Layer Resource-Control Interface Application-Control Interface

Objectives Prompt reaction to new network attacks SDN-based security services allow private networks to defend themselves against new sophisticated network attacks. Autonomous defense from network attacks SDN-based security services identify the category of network attack (e.g., worms and DDoS attacks). They take counteraction for the defense without the intervention of network administrators. Network-load-aware resource allocation SDN-based security services measure the overhead of resources for security services. They dynamically select resources considering load balance for the maximum network performance.

Requirements The support of the programmability of network resources to mitigate network attacks. The support of an application interface allowing the management of access control policies in an autonomous and prompt manner. The support of a resource-control interface for control of network resources to mitigate network attacks. The support of logically centralized control of network resources to mitigate network attacks.

Use Cases Centralized Firewall System This is for malware packets. Centralized DDoS-Attack Mitigator This is for DDoS-attack packets.

Centralized Firewall System (1/2) SDN Controller 1. Switch1 forwards an unknown flow’s packet to Firewall via SDN Controller. 2. Firewall investigates the packet. 3. Firewall regards it as a malware packet with suspicious patterns. Switch1 Switch2 Malware packet Switch3

Centralized Firewall System (2/2) Report a malware’s packet to SDN Controller SDN Controller Install new rules (e.g., drop packets with suspicious patterns) Switch1 Switch2 Incoming packets Incoming packets The malware’s packets are dropped by switches Switch3

Centralized DDoS-Attack Mitigator (1/2) SDN Controller 1. Switch1 suspects a flow’s packets with inter-arrival patterns. 2. Switch1 reports this flow to DDoS-Attack Mitigator via SDN Controller. 3. DDoS-Attack Mitigator computes a separate path for the suspicious flow. Switch1 Switch2 DDoS-attack packets Switch3

Centralized DDoS-Attack Mitigator (2/2) Report the suspicious flow to SDN Controller SDN Controller Install new rules (e.g., forward packets with suspicious inter-arrival patterns to a separate path with random drop) Switch1 Switch2 Incoming packets Undropped Incoming packets The suspicious flow’s packets are randomly dropped by Switch3 on the separate path Switch3

Discussion Direction of This Draft Direction of our ITU-T SG 17 Draft Develop SDN-based Security Services (e.g., Firewall and DDoS-Attack Mitigator) including API. Include other Security Services, such as Preventing the leakage of internal traffic into the outside networks. Direction of our ITU-T SG 17 Draft Develop Security Scenarios and Requirements for ITU-T Y.3300 (Framework of Software-Defined Networking). Thanks for your attention. Any Comments or Questions?