© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public. Chris Shenefiel.

Presentation transcript:

Slide 1: Chris Shenefiel

Slide 2
- What is SDN
- Security considerations
- Review of SDN Security: A Survey
- Background of LXC, KVM/QEMU and Xen
- Questions

Slide 3: Control and data plane reside within the same physical device

Slide 4: In the SDN paradigm, not all processing happens inside the same device

Slide 5
- Multiple applications send updates to a controller
- Controller monitors the state of network devices and updates them
- Updates are synchronized and managed by the controller
[Diagram: Application / Controller / Data Plane]

Slide 6
- Authenticate between applications and controllers
- Recommendation: TLS mutual authentication between controller and switches
[Diagram: Application / Controller / Data Plane]

Slide 7
- Peer into flow rules on the input buffer to learn traffic routing
- Monitor packet delays through the data plane to infer the amount of processing done for a given packet
[Diagram: Application / Controller / Data Plane]

Slide 8
- Overload the switches by flooding the data communications channel
- Overload the switch flow table with too many entries
[Diagram: Application / Controller / Data Plane]
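Flow-table overload is visible from the controller side of the channel. The following is an added example, not part of the deck, of a detector that a reactive controller could run in its packet-in path: it watches table occupancy against the switch's capacity and counts new-flow requests per source within a sliding window. The switch capacity, thresholds, `FlowTableMonitor` class and traffic are all constructed for the example.

```python
from collections import Counter, deque

# Constructed parameters for the example switch and detector.
TABLE_CAPACITY = 100     # flow entries the switch can hold
HIGH_WATERMARK = 0.75    # flag when occupancy exceeds 75 %
PER_SRC_LIMIT = 50       # new flows per source per window before flagging
WINDOW = 1.0             # seconds

class FlowTableMonitor:
    """Hypothetical helper in a reactive controller's packet-in path that
    decides whether a new flow entry may be installed."""
    def __init__(self):
        self.entries = set()     # (src, dst) keys currently in the table
        self.recent = deque()    # (timestamp, src) of recent packet-ins
        self.alerts = []         # (kind, detail, timestamp), one per condition
        self.flagged = set()

    def alert(self, kind, detail, ts):
        if (kind, detail) not in self.flagged:      # report each condition once
            self.flagged.add((kind, detail))
            self.alerts.append((kind, detail, ts))

    def packet_in(self, ts, src, dst):
        """Return True if the flow is installed, False if it is dropped."""
        self.recent.append((ts, src))
        while ts - self.recent[0][0] > WINDOW:      # slide the window forward
            self.recent.popleft()
        # Many new flows from one source is the cheap signal; the occupancy
        # check below still catches a flood that spoofs its source addresses.
        if Counter(s for _, s in self.recent)[src] > PER_SRC_LIMIT:
            self.alert("src_flood", src, ts)
            return False
        self.entries.add((src, dst))
        if len(self.entries) > HIGH_WATERMARK * TABLE_CAPACITY:
            self.alert("table_high", "above watermark", ts)
        return True

def run(events):
    """Feed (ts, src, dst) events through a monitor; return (installed, alerts)."""
    mon = FlowTableMonitor()
    installed = sum(mon.packet_in(*e) for e in events)
    return installed, mon.alerts

# Constructed traffic: 30 normal flows from ten hosts, then one host opening
# 200 flows to distinct destinations within half a second.
NORMAL = [(0.01 * i, f"10.0.0.{i % 10 + 1}", f"10.1.0.{i}") for i in range(30)]
FLOOD = [(0.5 + 0.001 * i, "10.0.0.66", f"10.2.0.{i}") for i in range(200)]
```

With these parameters the occupancy alarm fires first (entry 76), then the per-source alarm at the flooding host's 51st request, after which its further requests are dropped rather than installed.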

Slide 9
- Propose inserting a flow verification stage
- Prevents bad configurations from hitting the network
- Can model the network and test updates for damaging consequences
- Limitations: most only support one controller; added overhead impacts performance
- VeriFlow / FlowChecker / FlowVisor
[Diagram: Application / Controller / Data Plane]
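A minimal flow verification stage in the spirit of the approach described above, as an added example that is not from the deck or from VeriFlow itself: a proposed rule is applied to a model of the network and every probe flow is traced through it, and the update is rejected if it creates a forwarding loop or a black hole. The topology, flow tables, probes and the `verify_update` helper are constructed for the example.

```python
import copy
from ipaddress import ip_address, ip_network

# Constructed topology: switch -> {out_port: neighbour}. Hosts h1..h3 sit at
# 10.0.0.1..3; anything not listed as a switch in LINKS is an end host.
LINKS = {
    "s1": {1: "h1", 2: "s2"},
    "s2": {1: "s1", 2: "s3", 3: "h2"},
    "s3": {1: "s2", 2: "h3"},
}
# Constructed flow tables: switch -> [(priority, dst_prefix, out_port)].
BASE_TABLES = {
    "s1": [(100, "10.0.0.0/24", 2), (200, "10.0.0.1/32", 1)],
    "s2": [(100, "10.0.0.0/24", 1), (200, "10.0.0.2/32", 3), (200, "10.0.0.3/32", 2)],
    "s3": [(100, "10.0.0.0/24", 1), (200, "10.0.0.3/32", 2)],
}
# Probes (ingress switch, destination) whose paths must stay valid.
PROBES = [("s1", "10.0.0.2"), ("s1", "10.0.0.3"), ("s3", "10.0.0.1")]

def lookup(table, dst):
    """Highest priority wins, then longest prefix; None if nothing matches."""
    best = None
    for prio, prefix, port in table:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or (prio, net.prefixlen) > best[0]):
            best = ((prio, net.prefixlen), port)
    return None if best is None else best[1]

def trace(tables, start, dst):
    """Walk dst through the model: ('ok', host), ('loop', sw) or ('blackhole', sw)."""
    node, seen = start, set()
    while node in tables:                 # stop once the packet leaves the switches
        if node in seen:
            return ("loop", node)
        seen.add(node)
        port = lookup(tables[node], dst)
        if port is None or port not in LINKS[node]:
            return ("blackhole", node)
        node = LINKS[node][port]
    return ("ok", node)

def verify_update(tables, switch, rule, probes=PROBES):
    """Apply the proposed rule to a copy of the model and return the violated
    invariants as strings; an empty list means the update may be pushed."""
    trial = copy.deepcopy(tables)
    trial.setdefault(switch, []).append(rule)
    return [f"{kind} at {where} for {dst} from {start}"
            for start, dst in probes
            for kind, where in [trace(trial, start, dst)] if kind != "ok"]
```

A real verifier groups packets into equivalence classes instead of using hand-picked probes, which is where the performance overhead the slide mentions comes from.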

Slide 10
- Policy enforcement: do configuration changes violate our information security or control policies?
- Auditing to prove that the network configuration conforms to policies and regulations
- Authentication: are you really who you say you are?
[Diagram: Application / Controller / Data Plane]

Slide 11
- Dynamically re-route traffic
  - Contain infected networks/systems
  - Send traffic to "middle boxes" for further analysis
  - Continuously reconfigure the network to confuse attackers (Moving Target Defense)
- Increase security visibility
  - Monitor or tap any traffic on demand
  - Detect DDoS, intrusions, data exfiltration

Slide 12
- Q: What benefit and liability do SDN "middle boxes" provide?
- Q: What areas did the authors highlight as needing further study?
- Q: What security issue from Table 1 would you focus on and why?
