2016-5-26 SDN based Network Security Monitoring in Dynamic Cloud Networks. Xiuzhen CHEN, School of Information Security Engineering, Shanghai Jiao Tong University
SDN based Network Security Monitoring in Dynamic Cloud Networks
Xiuzhen CHEN, School of Information Security Engineering, Shanghai Jiao Tong University, Shanghai, China
Report at Telecom ParisTech, Paris

Content
 Background
 Characteristics of Cloud Network
 Challenges we meet
 Architecture of Cloud Security Monitor
 Analysis of concrete scenario

Background
Cloud computing has become a popular paradigm. Cloud computing is the third evolution of information technology, after the micro-computer and the Internet.

Background
Many recent new services are based on the cloud environment:
 Computing
 Storage
 Web
 Music
 Cloud hosting
 ……
More and more people are using cloud networks. Many diverse hosts and network configurations coexist in a cloud network. It is essential to protect cloud networks from threats!!

Characteristics of Cloud Network
Large-scale environment
 Consisting of many physical hosts and virtual machines.
 The Amazon EC2 cloud runs at least half a million physical hosts.
 The Amazon EC2 cloud operates almost five million virtual machines, assuming each host serves on average ten virtual machines.
Quite complicated configuration
 Large number of diverse, networked physical/virtual machines.
 Large number of diverse cloud consumers/tenants who may require very different networking configurations.

Characteristics of Cloud Network
Quite dynamic
 On-demand service.
 More VMs are started for a service that is in heavy demand.
 Virtual machines on a physical host can be dynamically created or removed, or even migrated to other physical hosts.

Challenges
Is it easy or simple to apply current network security devices (firewalls, NIDS) to a cloud network environment?
How to provide a network security monitoring service in a cloud network environment?

Challenges
Hard-to-ignore issues when deploying network security devices
 How to care about threats from both outside and inside?
[Figure: corporate site with an Internet gateway, a demilitarized zone (DMZ) holding the public servers, and the corporate/human-resources network behind it]
A security device at the gateway can't detect malware infection of internal hosts/VMs in the case of public multi-tenant cloud networks.

Challenges
Hard-to-ignore issues when deploying network security devices
 How to handle the dynamism of cloud computing resulting from virtual machine migration?
[Figure: the same corporate layout with three physical hosts A, B and C]
Suppose a NIDS is installed on the link between host A and host B to monitor the network traffic produced by a virtual machine running on host B. If the virtual machines on host B migrate to another host C, the NIDS has to be relocated to the link between host A and host C.

Architecture of Cloud Security Monitor
Idea
 Controlling network flows to guarantee that all necessary network packets are inspected by some security devices.
 Providing a simple policy script language to help people use the provided service easily.
 SDN technology is used to control network flows as we want, that is to say, to make the flows pass through the network nodes where security devices reside.
[Figure: architecture overview]

Architecture of Cloud Security Monitor
The monitor runs as an application on top of the network OS that controls the routers or switches in an SDN environment.
 Device and policy manager: managing the information of security devices and policies.
 Routing rule generator: creating a packet-handling rule for each flow.
 Flow rule enforcer: installing the generated flow rules on the switches.
[Figure: architecture overview]

Architecture of Cloud Security Monitor
Registering security devices, specified by an SLI-registration script:
 Device ID
 Device type (NIDS, FW)
 Location
 Installation mode (passive (mirroring), in-line)
 Supported functions
Example: {1 , NIDS , 8 , passive , detect HTTP attack}
Scenario: installing a NIDS in passive mode, attached to the router whose device ID is 8, which can monitor network packets related to HTTP and detect attacks on Web servers.

Architecture of Cloud Security Monitor
Creating security policies, specified by an SLI-policy script:
 Flow condition: representing the flow to be investigated. {SRC/DST IP Address, SRC/DST Port}
 Device set: listing the security devices (one or more) needed for the investigation.
Example: { : * →→ : *, {2}}
Scenario: monitoring network packets from [source address omitted] to [destination address omitted] by employing the NIDS whose device ID is 2.
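The two script forms above (registration and policy) are what the device and policy manager consumes, and the device set a flow matches is what the routing rule generator needs to know. The following is an added example, not code from the talk or its prototype: a small parser for both script forms plus a matcher that, for one flow, returns which routers the flow must be mirrored to (passive devices) and routed through (in-line devices). The slide's own policy example lost its addresses in the transcript, so every address, port and device ID here is a constructed sample; the CIDR prefix form and the "->" spelling of the arrow are assumed extensions of the slide's syntax.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample scripts in the slides' SLI style (values assumed, not from the talk).
REGISTRATION_SCRIPTS = [
    "{1 , NIDS , 8 , passive , detect HTTP attack}",
    "{2 , NIDS , 5 , passive , detect HTTP attack}",
    "{3 , FW , 5 , in-line , block port scanning}",
]
POLICY_SCRIPTS = [
    "{10.0.0.0/24:* → 10.0.1.5:80, {2}}",   # HTTP from one tenant subnet to a web server: NIDS 2
    "{*:* → 10.0.1.5:*, {1, 3}}",           # anything to that server: NIDS 1 plus in-line FW 3
]

@dataclass(frozen=True)
class Device:
    dev_id: int
    dev_type: str    # "NIDS" or "FW"
    location: int    # ID of the router the device is attached to
    mode: str        # "passive" (mirroring) or "in-line"
    function: str    # free-text description of what the device can detect

@dataclass(frozen=True)
class Policy:
    src_ip: str
    src_port: str
    dst_ip: str
    dst_port: str
    devices: frozenset  # device IDs that must see the flow

def parse_registration(script):
    """{id , type , router , mode , function} -> Device, rejecting malformed fields."""
    body = script.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError(f"registration script must be brace-delimited: {script!r}")
    fields = [f.strip() for f in body[1:-1].split(",")]
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {script!r}")
    dev_id, dev_type, location, mode, function = fields
    if dev_type not in ("NIDS", "FW") or mode not in ("passive", "in-line"):
        raise ValueError(f"unknown device type or mode: {script!r}")
    return Device(int(dev_id), dev_type, int(location), mode, function)

# {SRC_IP:SRC_PORT -> DST_IP:DST_PORT, {id, id, ...}} with "*" as a wildcard.
# IPv4 only: a bare IPv6 literal would be ambiguous with the port separator.
POLICY_RE = re.compile(
    r"^\{\s*(\S+):(\S+)\s*(?:→|->)\s*(\S+):(\S+)\s*,\s*\{([\d\s,]+)\}\s*\}$")

def parse_policy(script):
    m = POLICY_RE.match(script.strip())
    if not m:
        raise ValueError(f"malformed policy script: {script!r}")
    src_ip, src_port, dst_ip, dst_port, ids = m.groups()
    return Policy(src_ip, src_port, dst_ip, dst_port,
                  frozenset(int(i) for i in ids.split(",") if i.strip()))

def _ip_matches(pattern, ip):
    if pattern == "*":
        return True
    if "/" in pattern:   # assumed CIDR extension of the exact-address syntax
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return ipaddress.ip_address(ip) == ipaddress.ip_address(pattern)

def _port_matches(pattern, port):
    return pattern == "*" or int(pattern) == port

def required_devices(policies, registry, src_ip, src_port, dst_ip, dst_port):
    """For one flow, the routers to mirror to (passive devices) and to route through
    (in-line devices), as the union of every matching policy's device set."""
    needed = set()
    for p in policies:
        if (_ip_matches(p.src_ip, src_ip) and _port_matches(p.src_port, src_port)
                and _ip_matches(p.dst_ip, dst_ip) and _port_matches(p.dst_port, dst_port)):
            needed |= p.devices
    unknown = needed - set(registry)
    if unknown:   # a policy naming a device nobody registered is a configuration error
        raise KeyError(f"policy references unregistered device IDs {sorted(unknown)}")
    devs = [registry[i] for i in sorted(needed)]
    return {"mirror_to": sorted({d.location for d in devs if d.mode == "passive"}),
            "route_through": sorted({d.location for d in devs if d.mode == "in-line"})}

REGISTRY = {d.dev_id: d for d in map(parse_registration, REGISTRATION_SCRIPTS)}
POLICIES = [parse_policy(s) for s in POLICY_SCRIPTS]

if __name__ == "__main__":
    print(required_devices(POLICIES, REGISTRY, "10.0.0.7", 51234, "10.0.1.5", 80))
```

The distinction the matcher keeps, passive versus in-line, is exactly what the path-finding step downstream needs: a passive device can be fed by a mirrored copy of the flow, whereas an in-line device forces the delivery path itself through its router or link.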

Architecture of Cloud Security Monitor
Controlling network flows that meet a flow condition:
 Network packets should pass through the specific routers or network links to which the specified security devices are attached.
 The created paths should be optimized.
 Recent SDN technologies are utilized to control network flows as we want.
 A graph structure, consisting of nodes and arcs, is used to characterize the network.

Architecture of Cloud Security Monitor
1) Finding the shortest path (the lowest network link cost) between a start node and an end node. This problem can be formulated as a minimal cost flow problem and solved by linear programming.
[Equation: objective and constraints (s.t.) not preserved in the transcript; its terms are:]
 the available supply at a node i
 the amount sent along the link from node i to node j
 the unit cost for flow along the arc between two nodes i and j
2) Finding a path satisfying the conditions in our problem domain, including passive security devices and in-line security devices.

Analysis of concrete scenario
[Figure: network layout]
Traditional packet delivery based on shortest-path routing, without considering the need for security monitoring.

Analysis of concrete scenario
Multipath-naïve
 Visiting each security node regardless of the path between a start node and an end node.
 Finding the shortest path between the start node and the end node.
 Discovering the shortest path between the start node and each security node.
 Based on the OpenFlow function of sending network packets to multiple output ports of a router simultaneously.

Analysis of concrete scenario
Multipath-shortest
 An enhanced version of multipath-naïve, which creates multiple redundant network flows.
 Finding the node on the shortest path between the start node and the end node that is closest to a security node.
 If such a node is found, it is asked to send packets to multiple output ports.

Analysis of concrete scenario
Shortest-through
 Finding all possible connection pairs among all nodes (including the start, the end and the security nodes) by permuting all pairs.
 Investigating the shortest path of each pair.
 Checking the possible paths between the start node and the end node.
 Finding the path that has the minimum cost value and passes through each intermediate security node.

Analysis of concrete scenario
Shortest-inline
 Considering both security nodes and security links.
 A modification of multipath-naïve to make sure that the generated paths include the security links.
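The four strategies in this scenario (multipath-naïve, multipath-shortest, shortest-through, shortest-inline) and the shortest-path step they all build on are easiest to compare on one small graph. The following is an added example, not the talk's prototype or its evaluation topology: Dijkstra over link costs, then each strategy as a function returning the path(s) it would install. The topology, costs and node names are constructed; S1 and S2 stand for routers with passive NIDS attached, and link B-D is assumed to carry an in-line device. The example goes a little beyond the slides in that shortest-through and shortest-inline handle any number of security nodes or links by trying every visiting order (and, for links, both traversal directions).

```python
import heapq
from itertools import permutations, product

# Constructed sample topology (not the slides' layout): undirected links with costs.
LINKS = [
    ("A", "B", 1), ("B", "C", 1), ("C", "D", 1),   # the plain shortest path A-B-C-D, cost 3
    ("B", "D", 3),                                 # pricier direct link, assumed to carry an in-line device
    ("A", "S1", 1), ("S1", "D", 3),                # detour through security node S1 (passive NIDS)
    ("C", "S2", 1),                                # security node S2 (passive NIDS) hangs off C
]

def build_graph(links):
    g = {}
    for u, v, w in links:
        g.setdefault(u, {})[v] = w
        g.setdefault(v, {})[u] = w
    return g

G = build_graph(LINKS)

def shortest_path(g, src, dst):
    """Dijkstra over link costs: returns (cost, [nodes]) or (inf, []) when unreachable."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue                      # stale queue entry
        if u == dst:
            break
        for v, w in g[u].items():
            if d + w < dist.get(v, float("inf")):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    if dst not in dist:
        return float("inf"), []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]

def _stitch(g, hops, direct_steps=frozenset()):
    """Concatenate shortest paths between consecutive hops; step i in direct_steps must
    use the link hops[i]-hops[i+1] itself (an in-line device sits on that link)."""
    total, path = 0, [hops[0]]
    for i, (a, b) in enumerate(zip(hops, hops[1:])):
        if i in direct_steps:
            total, path = total + g[a][b], path + [b]
        else:
            c, p = shortest_path(g, a, b)
            total, path = total + c, path + p[1:]
    return total, path

def multipath_naive(g, src, dst, security_nodes):
    """Deliver on the plain shortest path; mirror the flow from the start node to each security node."""
    return shortest_path(g, src, dst)[1], {s: shortest_path(g, src, s)[1] for s in security_nodes}

def multipath_shortest(g, src, dst, security_nodes):
    """Mirror from the node on the main path that is closest to each security node, not from the start."""
    main = shortest_path(g, src, dst)[1]
    mirrors = {}
    for s in security_nodes:
        branch = min(main, key=lambda n: shortest_path(g, n, s)[0])
        mirrors[s] = shortest_path(g, branch, s)[1]
    return main, mirrors

def shortest_through(g, src, dst, security_nodes):
    """Cheapest single path visiting every security node, trying every visiting order."""
    return min((_stitch(g, [src, *order, dst]) for order in permutations(security_nodes)),
               key=lambda r: r[0])

def shortest_inline(g, src, dst, security_links):
    """Like shortest_through, but the mandatory stops are links: the path must traverse
    each (u, v) link itself, in either direction, so the in-line device on it sees the flow."""
    best = (float("inf"), [])
    for order in permutations(security_links):
        for flips in product((False, True), repeat=len(order)):
            hops, direct = [src], set()
            for (u, v), flip in zip(order, flips):
                direct.add(len(hops))          # the step from hops[len] to hops[len+1] is the link
                hops += [v, u] if flip else [u, v]
            hops.append(dst)
            best = min(best, _stitch(g, hops, direct), key=lambda r: r[0])
    return best

if __name__ == "__main__":
    print("plain     ", shortest_path(G, "A", "D"))
    print("naive     ", multipath_naive(G, "A", "D", ["S1", "S2"]))
    print("mp-short  ", multipath_shortest(G, "A", "D", ["S2"]))
    print("through   ", shortest_through(G, "A", "D", ["S1"]))
    print("inline    ", shortest_inline(G, "A", "D", [("B", "D")]))
```

On this graph the plain shortest path A-B-C-D never touches link B-D, so an in-line device there would be blind to the flow; shortest-inline pays the extra cost (4 instead of 3) to force the flow across it, while the two multipath variants leave delivery on the cheap path and only add mirrored copies, which is enough for passive devices. Shortest-through with several security nodes may revisit nodes, as its permutation-based construction allows.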