Device Centric Cloud (DC2)


The second International Workshop on Device Centric Cloud (DC2-2015)
A Framework for Security Services
based on Software-Defined Networking
Jaehoon (Paul) Jeong [1], Jihyeok Seo [1], Geumhwan Cho [1], Hyoungshick Kim [1], and Jung-Soo Park [2]
[1] Department of Computer Science and Engineering, Sungkyunkwan University, Korea (Republic of)
{pauljeong, seojh43, geumhwan, hyoung}@skku.edu
[2] Electronics and Telecommunications Research Institute, Korea (Republic of)
[email protected]
Sungkyunkwan University (SKKU) Security Lab.
Motivation
• Legacy firewall
  • Inspects packets that attempt to cross a network boundary
  • Rejects any illegal packets
     Incoming requests to open illegal TCP connections
     Packets of other illegal types (e.g., UDP and ICMP)
     IP datagrams with illegal IP addresses (or ports)
  • Provides security at the loss of flexibility and the cost of network administration
Contributions
• Propose a framework for security services using Software-Defined Networking (SDN)
• Discuss challenge issues and requirements for SDN
• Introduce two representative security services
  • Centralized firewall system
  • Centralized DDoS-attack mitigation system
Challenges in firewalls
• Cost
  • The cost of adding firewalls to network resources is substantial
• Performance
  • Firewalls are often slower than the link speed of their network interfaces
• Management
  • Managing access control dynamically across hundreds of network elements is a challenge
• Policy
  • It is difficult to describe which flows are permitted and which are denied within a specific organization
• Packet-based access mechanism
  • A packet-based access mechanism is not enough in practice, since the basic unit of access control is usually a user or an application (e.g., Skype connections for specific users are open)
Centralized network firewall
[Diagram: a Firewall placed between the public network and the private network adds or deletes rules on the switches. Example rule: src IP 115.145.171.224, dest IP 74.125.71.106, Action: Drop packets]
• Firewall rules can be managed flexibly by a centralized server
• SDN protocols can be used for a standard interface between firewall applications and switches
Expectations for SDN-based firewall - Cost
• Ideally, one single firewall is enough
[Diagram: Firewall application on the SDN Controller, which enforces rules to each switch (Switch1, Switch2, Switch3)]
Expectations for SDN-based firewall - Performance
• Firewalls can adaptively be deployed depending on network conditions
[Diagram: Firewall application on the SDN Controller; the firewall is applied at the switch where the incoming packets arrive (Switch1, Switch2, Switch3 shown)]
Expectations for SDN-based firewall - Management
[Diagram: new rules are installed on Switch1, Switch2, Switch3]
Expectations for SDN-based firewall - Management
• Firewall rules can dynamically be added with new attacks
[Diagram: Firewall application on the SDN Controller installs new rules (e.g., drop packets with attack patterns) on Switch1, Switch2, Switch3]
Expectations for SDN-based firewall - Packet-based access mechanism
• Application-level rules can be defined by software
[Diagram: Firewall application on the SDN Controller installs new rules automatically on Switch1, Switch2, Switch3 as incoming packets arrive]
Objectives
• Prompt reaction to new network attacks
  • SDN-based security services allow private networks to defend themselves against new, sophisticated network attacks
• Autonomous defense from network attacks
  • SDN-based security services identify the category of a network attack (e.g., worms and DDoS attacks)
  • They take counteraction for the defense without the intervention of network administrators
• Network-load-aware resource allocation
  • SDN-based security services measure the resource overhead of the security services
  • They dynamically select resources considering load balance, trading off between maximum network performance and security
Requirements
[Diagram: layered architecture. Application Layer: Security Application (e.g., Firewall, DDoS-Attack Mitigation), Application Support, Orchestration. Application-Control Interface. SDN Control Layer: Abstraction, Control Support. Resource-Control Interface. Resource Layer: Data Transport and Processing. Multi-Layer Management Functions span all three layers]
Centralized firewall system for malware packets
[Diagram: Firewall, SDN Controller, Switch1, Switch2, Switch3; a malware packet arrives at Switch1]
1. Switch1 forwards an unknown flow's packet to the Firewall via the SDN Controller.
2. The Firewall investigates the packet.
3. The Firewall regards it as a malware packet with suspicious patterns.
Centralized firewall system for malware packets
[Diagram: the Firewall reports a dangerous packet to the SDN Controller; the SDN Controller installs new rules (e.g., drop dangerous packets) on Switch1, Switch2, Switch3; the dangerous packets among the incoming packets are dropped by the switches]
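As an added illustration (not code from the paper), the Python simulation below walks through the packet-in / rule-install loop of slides 13 and 14: a switch with no matching flow-table entry hands the packet to the controller, the firewall application inspects it, and the controller installs a drop or forward rule on every switch, after which the same flow is decided locally by each switch's flow table with no further controller round-trip. The class names, the placeholder malware signatures and the benign 10.0.0.x addresses are assumptions; the 115.145.171.224 to 74.125.71.106 rule reuses the slide's own example.

```python
from collections import namedtuple

# Constructed, illustrative malware signatures (placeholders, not real attack patterns).
MALWARE_PATTERNS = (b"EVIL_PAYLOAD", b"WORM_SIG")

Packet = namedtuple("Packet", "src dst proto payload")

class Switch:
    """Data-plane switch: acts on its flow table, otherwise sends a packet-in to the controller."""
    def __init__(self, name, controller):
        self.name, self.controller = name, controller
        self.flow_table = {}   # (src, dst, proto) -> "drop" | "forward"
        self.packet_ins = 0    # how many times this switch had to consult the controller

    def install_rule(self, match, action):
        self.flow_table[match] = action

    def handle(self, pkt):
        match = (pkt.src, pkt.dst, pkt.proto)
        if match not in self.flow_table:           # step 1: unknown flow -> controller
            self.packet_ins += 1
            self.controller.packet_in(pkt)
        return self.flow_table[match]              # decided from the local flow table

class Controller:
    """SDN controller hosting the firewall application."""
    def __init__(self):
        self.switches = []

    def packet_in(self, pkt):
        # steps 2-3: the firewall application inspects the packet and classifies the flow
        malicious = any(sig in pkt.payload for sig in MALWARE_PATTERNS)
        action = "drop" if malicious else "forward"
        for sw in self.switches:                   # push the rule to every switch at once
            sw.install_rule((pkt.src, pkt.dst, pkt.proto), action)

def run_demo():
    ctl = Controller()
    switches = [Switch("Switch%d" % i, ctl) for i in (1, 2, 3)]
    ctl.switches.extend(switches)
    bad = Packet("115.145.171.224", "74.125.71.106", "tcp", b"GET /x EVIL_PAYLOAD")
    good = Packet("10.0.0.5", "10.0.0.9", "tcp", b"GET /index.html")
    r1 = switches[0].handle(bad)    # first sighting at Switch1: packet-in, drop rule installed everywhere
    r2 = switches[2].handle(bad)    # same flow at Switch3: dropped from its own flow table, no packet-in
    r3 = switches[1].handle(good)   # benign flow: packet-in, forward rule installed
    return r1, r2, r3, [sw.packet_ins for sw in switches]
```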
Research Issues
To prevent the unauthorized control of switches
[Diagram: a Malicious Controller, alongside the legitimate SDN Controller and its security applications, attempts to control Switch1, Switch2, Switch3]
To prevent the unauthorized control of switches
We need to establish a secure and authenticated channel between the SDN controller and the switches.
We should consider proper key management for secure communication between them.
[Diagram: Security applications, SDN Controller with Key management, a secure & authenticated channel to Switch1, Switch2, Switch3]
A single point of failure or compromise
A centralized server will suffer from a single point of failure or compromise
[Diagram: when the SDN Controller fails or is compromised, the security applications do not work; Switch1, Switch2, Switch3]
To support the SDN-based security services
We need to consider changes in the existing SDN switches and protocols
[Diagram: Security applications, SDN Controller; Switch2 performs Deep Packet Inspection on incoming packets; Switch1, Switch3]
A scalable architecture
SDN seems a scalable architecture to provide centralized security services in theory
[Diagram: Security applications, SDN Controller, Switch1, Switch2, ..., Switchn]
Intelligent switches
We should address scalability to support security services in an autonomous and scalable fashion
[Diagram: Security applications, SDN Controller; each switch (Switch1, Switch2, Switch3) drops the packet automatically based on its flow table; incoming packets with malware or DDoS-attack traffic are dropped, and packets without malware or DDoS-attack traffic are passed]
Conclusions
• Proposed a framework for security services based on SDN
• Discussed challenge issues and requirements for SDN
• As future work,
  • Develop the proposed framework in the Mininet emulator and the OMNeT++ simulator
  • Investigate other security services (e.g., encryption/decryption, junk mail filtering, and anti-spam service)
Any questions?