Presentation is loading. Please wait.

Presentation is loading. Please wait.

OpenSec:Policy-Based Security Using Software-Defined Networking

Published byMatthias Jacobs Modified over 5 years ago

Similar presentations

Presentation on theme: "OpenSec:Policy-Based Security Using Software-Defined Networking"— Presentation transcript:

1 OpenSec:Policy-Based Security Using Software-Defined Networking
2019/6/3 OpenSec:Policy-Based Security Using Software-Defined Networking Presenter:Hung-Yen Wang Authors:Adrian Lara and Byrav Ramamurthy Published in:IEEE Transactions on Network and Service Management Department of Computer Science and Information Engineering National Cheng Kung University, Taiwan R.O.C. CSIE CIAL Lab 1

2 2019/6/3 Introduction An openflow-based network security framework that allows network operators to implement security policies. Moving middleboxes away from the main datapath. Reacting automatically to security events Creating a simple policy specification language The first goal of OpenSec is to move the middleboxes away from the choke points of the topology traversed by all traffic. Instead, these devices should be located outside of the main path between the LAN and the Internet and should act as security processing units that are visited only by the traffic that needs to be processed Using a smarter OpenFlow-based control plane, the OpenSec should dynamically create rules to re-route traffic Thus, we designed OpenSec to allow the operator to specify ahead of time what the automated reaction should be National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

3 Components Policy specification language Northbound Interface
2019/6/3 Components Policy specification language Northbound Interface Policy manager Processing units Security event processor Openflow controller Data repository National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

4 Policy Specification Language
2019/6/3 Policy Specification Language The matching fields correspond to those available in OpenFlow1.0 The reactions can be to alert only(via ), or to block traffic. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab 4

5 2019/6/3 Northbound Interface National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

6 2019/6/3 Policy Manager Parsing new policies sent by the GUI and converting them to OpenSec objects. Implement the policy using the southbound interface component(controller) Periodically check that the policy is implemented appropriately. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

7 2019/6/3 Processing Units The units are customized to perform the required security scan, such as a firewall, an IPS or DPI. When suspicious traffic is detected, the processing unit issues an alert to the OpenSec controller OpenSec implements a processing unit manager that collects all the registrations and creates a list of units and the locations in the network where they can be found. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab 7

8 Security Event Processor
2019/6/3 Security Event Processor The security event processor is responsible for collecting the notifications issued by the processing units and modifying forwarding rules according to the policies involved National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

9 OpenFlow Controller Use Floodlight controller
2019/6/3 OpenFlow Controller Use Floodlight controller When a request is received from the policy implementer to push a new rule, this module is responsible for sending the message to the right switches National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

10 2019/6/3 Data Repository All implemented policies are stored to check for conflicts when new policies are received, and also to know how to react to security events raised by the processing units. All the information needed to route traffic to the middleboxes (device id, switch id, input port and output port) is also stored. OpenSec also records when hosts are blocked from accessing the network. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

11 Policy Implementation
2019/6/3 Policy Implementation 2.Policy manager parses the policy and Processing units manager…… National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

12 Policy Implementation
2019/6/3 Policy Implementation 2.Policy manager parses the policy and Processing units manager…… National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

13 Policy Implementation
2019/6/3 Policy Implementation 2.Policy manager parses the policy and Processing units manager…… National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

14 Reaction Implementation
2019/6/3 Reaction Implementation 2.Policy manager parses the policy and Processing units manager…… National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

15 Scenario 1:Multi-Switch and Multi-Unit Network
2019/6/3 Scenario 1:Multi-Switch and Multi-Unit Network Linear topology with seven switches and two processing units connected to each switch. The goal of this scenario is to evaluate the time needed by OpenSec to implement rules across multiple devices. Therefor, the processing units do not implement any security function. 2.Policy manager parses the policy and Processing units manager…… National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

16 Scenario 2:Incoming Traffic in a Campus Network
2019/6/3 Scenario 2:Incoming Traffic in a Campus Network The goal of this scenario is to demonstrate how OpenSec can block malicious traffic from entering a campus network. This scenario uses dataset made available by the University of Twente. Develop two security units : one for intrusion detection and one for deep packet inspection. The IDS unit runs Bro. The DPI unit is built on top of NDPI. 2.Policy manager parses the policy and Processing units manager…… National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

17 Scenario 2:Incoming Traffic in a Campus Network
2019/6/3 Scenario 2:Incoming Traffic in a Campus Network 2.Policy manager parses the policy and Processing units manager…… National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

18 Scenario 3:Deploying a Science DMZ
2019/6/3 Scenario 3:Deploying a Science DMZ This scenario ensures an acceptable level of security while guaranteeing a high-speed loss-free channel. 2.Policy manager parses the policy and Processing units manager…… National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

19 Evaluation:Performance of Policy Implementation
National Cheng Kung University CSIE Computer & Internet Architecture Lab

20 Evaluation:Performance of Reaction to Security Alerts
National Cheng Kung University CSIE Computer & Internet Architecture Lab

21 Evaluation:Throughput and Latency
National Cheng Kung University CSIE Computer & Internet Architecture Lab

22 Conclusion OpenSec allows network operators to describe security policies using human-readable language and to implement them across the network. OpenSec also allows network operators to specify how to automatically react when malicious traffic is detected. Moving the analysis of traffic away from the controller and into processing units makes the framework more scalable. National Cheng Kung University CSIE Computer & Internet Architecture Lab

Download ppt "OpenSec:Policy-Based Security Using Software-Defined Networking"

Similar presentations

Network II.5 simulator ..

Network II.5 simulator ..
Deep Packet Inspection with DFA-trees and Parametrized Language Overapproximation Author: Daniel Luchaup, Lorenzo De Carli, Somesh Jha, Eric Bach Publisher:

Deep Packet Inspection with DFA-trees and Parametrized Language Overapproximation Author: Daniel Luchaup, Lorenzo De Carli, Somesh Jha, Eric Bach Publisher:
CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.

CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.
RIP V1 W.lilakiatsakun.

RIP V1 W.lilakiatsakun.
Slick: A control plane for middleboxes Bilal Anwer, Theophilus Benson, Dave Levin, Nick Feamster, Jennifer Rexford Supported by DARPA through the U.S.

Slick: A control plane for middleboxes Bilal Anwer, Theophilus Benson, Dave Levin, Nick Feamster, Jennifer Rexford Supported by DARPA through the U.S.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Extensible Networking Platform 1 1 - IWAN 2005 Extensible Network Configuration and Communication Framework Todd Sproull and John Lockwood

Extensible Networking Platform IWAN 2005 Extensible Network Configuration and Communication Framework Todd Sproull and John Lockwood
Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.

Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.
Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study

Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study
OpenFlow-Based Server Load Balancing GoneWild Author : Richard Wang, Dana Butnariu, Jennifer Rexford Publisher : Hot-ICE'11 Proceedings of the 11th USENIX.

OpenFlow-Based Server Load Balancing GoneWild Author : Richard Wang, Dana Butnariu, Jennifer Rexford Publisher : Hot-ICE'11 Proceedings of the 11th USENIX.
Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.

Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.
Common Devices Used In Computer Networks

Common Devices Used In Computer Networks
2016-5-261 SDN based Network Security Monitoring in Dynamic Cloud Networks Xiuzhen CHEN School of Information Security Engineering Shanghai Jiao Tong University,

SDN based Network Security Monitoring in Dynamic Cloud Networks Xiuzhen CHEN School of Information Security Engineering Shanghai Jiao Tong University,
Module 4: Configuring ISA Server as a Firewall. Overview Using ISA Server as a Firewall Examining Perimeter Networks and Templates Configuring System.

Module 4: Configuring ISA Server as a Firewall. Overview Using ISA Server as a Firewall Examining Perimeter Networks and Templates Configuring System.
INTERNATIONAL NETWORKS At Indiana University Hans Addleman TransPAC Engineer, International Networks University Information Technology Services Indiana.

INTERNATIONAL NETWORKS At Indiana University Hans Addleman TransPAC Engineer, International Networks University Information Technology Services Indiana.
CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and.

CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and.
Leveraging Traffic Repetitions for High- Speed Deep Packet Inspection Author: Anat Bremler-Barr, Shimrit Tzur David, Yotam Harchol, David Hay Publisher:

Leveraging Traffic Repetitions for High- Speed Deep Packet Inspection Author: Anat Bremler-Barr, Shimrit Tzur David, Yotam Harchol, David Hay Publisher:
StriD 2 FA: Scalable Regular Expression Matching for Deep Packet Inspection Author: Xiaofei Wang, Junchen Jiang, Yi Tang, Bin Liu, and Xiaojun Wang Publisher:

StriD 2 FA: Scalable Regular Expression Matching for Deep Packet Inspection Author: Xiaofei Wang, Junchen Jiang, Yi Tang, Bin Liu, and Xiaojun Wang Publisher:
Regular Expression Matching for Reconfigurable Packet Inspection Authors: Jo˜ao Bispo, Ioannis Sourdis, Jo˜ao M.P. Cardoso and Stamatis Vassiliadis Publisher:

Regular Expression Matching for Reconfigurable Packet Inspection Authors: Jo˜ao Bispo, Ioannis Sourdis, Jo˜ao M.P. Cardoso and Stamatis Vassiliadis Publisher:
SDN AND OPENFLOW SPECIFICATION SPEAKER: HSUAN-LING WENG DATE: 2014/11/18.

SDN AND OPENFLOW SPECIFICATION SPEAKER: HSUAN-LING WENG DATE: 2014/11/18.

Similar presentations

Ads by Google