Sungkyunkwan University (SKKU) Security Lab. A Framework for Security Services based on Software-Defined Networking Jaehoon (Paul) Jeong 1, Jihyeok Seo.
Presentation transcript:

Sungkyunkwan University (SKKU) Security Lab.
A Framework for Security Services based on Software-Defined Networking
Jaehoon (Paul) Jeong 1, Jihyeok Seo 1, Geumhwan Cho 1, Hyoungshick Kim 1, and Jung-Soo Park 2
1 Department of Computer Science and Engineering, Sungkyunkwan University, Korea (Republic of) {pauljeong, seojh43, geumhwan,
2 Electronics and Telecommunications Research Institute, Korea (Republic of)
The Second International Workshop on Device Centric Cloud (DC2-2015)

Motivation
Legacy firewall
- Inspects packets that attempt to cross a network boundary
- Rejects any illegal packets:
  - Incoming requests to open illegal TCP connections
  - Packets of other illegal types (e.g., UDP and ICMP)
  - IP datagrams with illegal IP addresses (or ports)
- Provides security at the loss of flexibility and the cost of network administration

Contributions
- Propose a framework for security services using Software-Defined Networking (SDN)
- Discuss challenge issues and requirements for SDN
- Introduce two representative security services:
  - Centralized firewall system
  - Centralized DDoS-attack mitigation system

Challenges in firewall
- Cost: the cost of adding firewalls to network resources is substantial
- Performance: firewalls are often slower than the link speed of their network interfaces
- Management: managing access control dynamically across hundreds of network elements is a challenge
- Policy: it is difficult to describe which flows are permitted and which are denied within a specific organization
- Packet-based access mechanism: a packet-based access mechanism is not enough in practice, since the basic unit of access control is usually a user or an application (e.g., Skype connections are opened for specific users)

Centralized network firewall
- Firewall rules can be managed flexibly by a centralized server
- SDN protocols can be used as a standard interface between firewall applications and switches
[Figure: a firewall sits between the public network and the private network, adding or deleting rules in a table of (src IP, dest IP, Action); matching packets are dropped]

Expectations for SDN-based firewall - Cost
- Ideally, one single firewall is enough
[Figure: a firewall application on top of the SDN controller enforces rules on each of Switch 1, Switch 2 and Switch 3]

Expectations for SDN-based firewall - Performance
- Firewalls can adaptively be deployed depending on network conditions
[Figure: incoming packets reach Switch 1, Switch 2 and Switch 3; the firewall application, via the SDN controller, applies the firewall only where needed]

Expectations for SDN-based firewall - Management
- Firewall rules can dynamically be added as new attacks appear
[Figure: the firewall application, via the SDN controller, installs new rules on Switch 1, Switch 2 and Switch 3 (e.g., drop packets with attack patterns)]

Expectations for SDN-based firewall - Packet-based access mechanism
- Application-level rules can be defined by software
[Figure: incoming packets reach Switch 1, Switch 2 and Switch 3; the firewall application, via the SDN controller, installs new rules automatically]

Objectives
- Prompt reaction to new network attacks
  - SDN-based security services allow private networks to defend themselves against new, sophisticated network attacks
- Autonomous defense from network attacks
  - SDN-based security services identify the category of network attack (e.g., worms and DDoS attacks)
  - They take counteraction for the defense without the intervention of network administrators
- Network-load-aware resource allocation
  - SDN-based security services measure the resource overhead of security services
  - They dynamically select resources considering load balance, trading off maximum network performance against security

Requirements
[Figure: layered architecture. Application Layer: Security Application (e.g., Firewall, DDoS-Attack Mitigation) and Application Support; Application-Control Interface; SDN Control Layer: Orchestration, Abstraction, Control Support; Resource-Control Interface; Resource Layer: Data Transport and Processing; Multi-Layer Management Functions span all layers]

Centralized firewall system for malware packets
[Figure: a malware packet arrives at Switch 1; the Firewall application sits above the SDN controller, which manages Switch 1, Switch 2 and Switch 3]
1. Switch 1 forwards an unknown flow's packet to the Firewall via the SDN Controller.
2. The Firewall investigates the packet.
3. The Firewall regards it as a malware packet with suspicious patterns.

Centralized firewall system for malware packets
4. The Firewall reports the dangerous packet to the SDN Controller.
5. The SDN Controller installs new rules on Switch 1, Switch 2 and Switch 3 (e.g., drop dangerous packets).
6. The dangerous packets among the incoming packets are dropped by the switches themselves.
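The packet-in / inspect / install-rule cycle of the two slides above, as an added toy model that is not the paper's code. It assumes a constructed byte pattern as the "suspicious pattern", rules keyed on (src IP, dst IP) as in the earlier rule-table slide, and a controller that pushes each verdict to every switch so that repeated packets of a known flow never leave the switch.

```python
# Added example (not the paper's code): a toy model of the centralized SDN
# firewall on the slides. An unknown flow causes a packet-in to the controller,
# the firewall application inspects it, and the resulting (src IP, dst IP, action)
# rule is pushed to every switch so later packets are handled locally.
MALWARE_PATTERN = b"EVIL-PAYLOAD"  # constructed attack pattern for the demo

class Packet:
    def __init__(self, src, dst, payload=b""):
        self.src, self.dst, self.payload = src, dst, payload

class FirewallApp:
    # Steps 2-3 on the slide: inspect a packet and classify it.
    def inspect(self, pkt):
        return "drop" if MALWARE_PATTERN in pkt.payload else "forward"

class Controller:
    def __init__(self, firewall):
        self.firewall, self.switches, self.packet_ins = firewall, [], 0

    def packet_in(self, pkt):
        # Step 1 lands here; the verdict becomes a rule on every switch,
        # not only the one that reported the packet.
        self.packet_ins += 1
        action = self.firewall.inspect(pkt)
        for sw in self.switches:
            sw.flow_table[(pkt.src, pkt.dst)] = action
        return action

class Switch:
    def __init__(self, controller):
        self.controller, self.flow_table = controller, {}  # (src, dst) -> action
        controller.switches.append(self)

    def handle(self, pkt):
        rule = self.flow_table.get((pkt.src, pkt.dst))
        # Known flows never leave the switch; only unknown ones reach the controller.
        return rule if rule is not None else self.controller.packet_in(pkt)

def demo():
    ctrl = Controller(FirewallApp())
    sw1, sw2, sw3 = Switch(ctrl), Switch(ctrl), Switch(ctrl)
    bad = Packet("203.0.113.7", "10.0.0.5", b"GET /" + MALWARE_PATTERN)  # constructed
    good = Packet("198.51.100.2", "10.0.0.5", b"GET /index.html")       # constructed
    return {"first": sw1.handle(bad),    # packet-in; drop rule pushed to all switches
            "repeat": sw3.handle(bad),   # dropped by Switch 3's own flow table
            "benign": sw2.handle(good),  # second packet-in, forward rule installed
            "packet_ins": ctrl.packet_ins,
            "rules_on_sw3": sorted(sw3.flow_table.items())}
```

Note that `packet_ins` stays at 2 even though three packets were handled on three different switches: the second malware packet is dropped by Switch 3's flow table without the controller or the firewall seeing it, which is the scalability point of the slides.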

Research Issues

To prevent the unauthorized control of switches
[Figure: a malicious controller attempts to control Switch 1, Switch 2 and Switch 3 alongside the legitimate SDN controller and its security applications]
- We should establish a secure and authenticated channel between the SDN controller and the switches
- We need to consider proper key management for secure communication between them
[Figure: the SDN controller, with its security applications, reaches Switch 1, Switch 2 and Switch 3 over a secure and authenticated channel backed by key management]

A single point of failure or compromise
- A centralized server will suffer from a single point of failure or compromise
[Figure: when the SDN controller fails, the security applications stop working and Switch 1, Switch 2 and Switch 3 are left without control]

To support the SDN-based security services
- We need to consider changes in the existing SDN switches and protocols (e.g., deep packet inspection of incoming packets)
[Figure: incoming packets reach Switch 1, Switch 2 and Switch 3, which perform deep packet inspection under the SDN controller and its security applications]

A scalable architecture
- SDN seems, in theory, a scalable architecture for providing centralized security services
[Figure: one SDN controller with its security applications manages Switch 1, Switch 2, ..., Switch n]

Intelligent switches
- We should address scalability to support security services in an autonomous and scalable fashion
[Figure: incoming packets carrying malware or DDoS-attack traffic reach Switch 1, Switch 2 and Switch 3; each switch drops such packets automatically based on its flow table, and only packets without malware or DDoS-attack traffic are passed on]

Conclusions
- Proposed a framework for security services based on SDN
- Discussed challenge issues and requirements for SDN
- As future work:
  - Develop the proposed framework in the Mininet emulator and the OMNeT++ simulator
  - Investigate other security services (e.g., encryption/decryption, junk mail filtering, and anti-spam service)

Any questions?