
A Framework for Security Services based on Software-Defined Networking

The second International Workshop on Device Centric Cloud (DC2-2015). A Framework for Security Services based on Software-Defined Networking. Jaehoon (Paul) Jeong 1 , Jihyeok Seo 1 , Geumhwan Cho 1 , Hyoungshick Kim 1 , and Jung-Soo Park 2.


Presentation Transcript


  1. The second International Workshop on Device Centric Cloud (DC2-2015). A Framework for Security Services based on Software-Defined Networking. Jaehoon (Paul) Jeong 1, Jihyeok Seo 1, Geumhwan Cho 1, Hyoungshick Kim 1, and Jung-Soo Park 2. 1 Department of Computer Science and Engineering, Sungkyunkwan University, Korea (Republic of), {pauljeong, seojh43, geumhwan, hyoung}@skku.edu; 2 Electronics and Telecommunications Research Institute, Korea (Republic of), pjs@etri.re.kr

  2. Motivation
  • Legacy firewall
  • Inspects packets that attempt to cross a network boundary
  • Rejects any illegal packet: incoming requests to open disallowed TCP connections; packets of other disallowed types (e.g., UDP and ICMP); IP datagrams with disallowed IP addresses (or ports)
  • Provides security at the loss of flexibility and at the cost of network administration

  3. Contributions
  • Propose a framework for security services using Software-Defined Networking (SDN)
  • Discuss challenging issues and requirements for SDN
  • Introduce two representative security services: a centralized firewall system and a centralized DDoS-attack mitigation system

  4. Challenges in firewalls
  • Cost: the cost of adding firewalls to network resources is substantial
  • Performance: firewalls are often slower than the link speed of their network interfaces
  • Management: managing access control dynamically across hundreds of network elements is a challenge
  • Policy: it is difficult to describe which flows are permitted and denied within a specific organization
  • Packet-based access mechanism: a packet-based access mechanism is not enough in practice, since the basic unit of access control is usually a user or an application (e.g., Skype connections are opened for specific users)

  5. Centralized network firewall
  • Firewall rules can be managed flexibly by a centralized server
  • SDN protocols can be used as a standard interface between firewall applications and switches
  (Diagram: a firewall between the public network and the private network; rules are added or deleted centrally)

  6. Expectations for SDN-based firewall - Cost
  • Ideally, one single firewall is enough
  (Diagram: a firewall application on the SDN controller enforces rules on Switch1, Switch2 and Switch3)

  7. Expectations for SDN-based firewall - Performance
  • Firewalls can adaptively be deployed depending on network conditions
  (Diagram: the firewall application on the SDN controller applies the firewall only at Switch2, where the incoming packets arrive; Switch1 and Switch3 are untouched)

  8. Expectations for SDN-based firewall - Management
  (Diagram: new rules are installed on Switch1, Switch2 and Switch3)

  9. Expectations for SDN-based firewall - Management
  • Firewall rules can dynamically be added as new attacks appear
  (Diagram: the firewall application on the SDN controller installs new rules, e.g., drop packets with attack patterns, on Switch1, Switch2 and Switch3)

  10. Expectations for SDN-based firewall - Packet-based access mechanism
  • Application-level rules can be defined in software
  (Diagram: as incoming packets arrive at Switch2, the firewall application on the SDN controller installs new rules automatically on Switch1, Switch2 and Switch3)

  11. Objectives
  • Prompt reaction to new network attacks: SDN-based security services allow private networks to defend themselves against new, sophisticated network attacks
  • Autonomous defense from network attacks: SDN-based security services identify the category of a network attack (e.g., worms and DDoS attacks) and take counteraction for the defense without the intervention of network administrators
  • Network-load-aware resource allocation: SDN-based security services measure the resource overhead of the security services and dynamically select resources with load balance in mind, trading off maximum network performance against security

  12. Requirements
  (Diagram: layered SDN architecture)
  • Application Layer: Security Application (e.g., Firewall, DDoS-Attack Mitigation); Application Support
  • Application-Control Interface
  • SDN Control Layer: Orchestration; Abstraction; Control Support; Multi-Layer Management Functions
  • Resource-Control Interface
  • Resource Layer: Data Transport and Processing

  13. Centralized firewall system for malware packets
  1. Switch1 forwards an unknown flow's packet to the Firewall via the SDN Controller.
  2. The Firewall investigates the packet.
  3. The Firewall regards it as a malware packet with suspicious patterns.
  (Diagram: a malware packet arrives at Switch1; Switch1, Switch2 and Switch3 are attached to the SDN controller, and the Firewall sits above the controller)

  14. Centralized firewall system for malware packets
  • The Firewall reports the dangerous packet to the SDN Controller
  • The SDN Controller installs new rules (e.g., drop dangerous packets) on the switches
  • The dangerous packets are then dropped by the switches
  (Diagram: incoming packets at Switch1, Switch2 and Switch3 are matched against the newly installed rules)
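The packet-in, inspect, install-rule, drop-in-data-plane sequence of slides 13 and 14, as an added, runnable model (constructed example, not the authors' code or their Mininet/OMNeT++ work). Everything here is an assumption for illustration: a packet is a 5-tuple plus payload, a switch flow table maps an exact 5-tuple to "forward" or "drop", a table miss is handed to the controller (what OpenFlow calls a packet-in), and the firewall's "signatures" are made-up byte strings.

```python
"""Toy model of the centralized SDN firewall on slides 13-14 (constructed
example, not the authors' code). Assumed: exact 5-tuple flow entries, a
packet-in on table miss, and a flow rule pushed back by the controller."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Match = Tuple[str, str, str, int, int]  # src_ip, dst_ip, proto, src_port, dst_port


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    payload: bytes

    def match(self) -> Match:
        return (self.src_ip, self.dst_ip, self.proto, self.src_port, self.dst_port)


@dataclass
class Switch:
    name: str
    controller: Optional["Controller"] = None
    flow_table: Dict[Match, str] = field(default_factory=dict)  # match -> action
    forwarded: int = 0
    dropped: int = 0

    def install(self, match: Match, action: str) -> None:
        self.flow_table[match] = action

    def receive(self, pkt: Packet) -> str:
        action = self.flow_table.get(pkt.match())
        if action is None:
            # Table miss: the data plane has no rule for this flow, ask the controller.
            action = self.controller.packet_in(self, pkt)
        if action == "drop":
            self.dropped += 1
        else:
            self.forwarded += 1
        return action


class FirewallApp:
    """Security application (slide 13, steps 2-3): inspect the packet-in payload."""

    def __init__(self, signatures: List[bytes]):
        self.signatures = signatures

    def inspect(self, pkt: Packet) -> str:
        return "malware" if any(s in pkt.payload for s in self.signatures) else "benign"


class Controller:
    def __init__(self, firewall: FirewallApp):
        self.firewall = firewall
        self.switches: List[Switch] = []
        self.packet_ins = 0

    def attach(self, sw: Switch) -> None:
        sw.controller = self
        self.switches.append(sw)

    def packet_in(self, origin: Switch, pkt: Packet) -> str:
        self.packet_ins += 1
        if self.firewall.inspect(pkt) == "malware":
            # Slide 14: push a drop rule to every switch, so the flow is dropped in
            # the data plane everywhere without further controller round-trips.
            for sw in self.switches:
                sw.install(pkt.match(), "drop")
            return "drop"
        origin.install(pkt.match(), "forward")  # benign: only the reporting switch needs it
        return "forward"


def run_demo() -> Dict[str, object]:
    firewall = FirewallApp(signatures=[b"cmd.exe /c", b"\x90\x90\x90\x90"])  # constructed
    ctl = Controller(firewall)
    switches = [Switch("Switch1"), Switch("Switch2"), Switch("Switch3")]
    for sw in switches:
        ctl.attach(sw)
    malware = Packet("203.0.113.7", "10.0.0.5", "tcp", 40000, 445, b"...cmd.exe /c whoami...")
    benign = Packet("198.51.100.2", "10.0.0.5", "tcp", 40001, 80, b"GET / HTTP/1.1\r\n")
    first = switches[0].receive(malware)   # table miss -> packet-in -> drop rule everywhere
    second = switches[2].receive(malware)  # same flow at Switch3: dropped with no packet-in
    third = switches[0].receive(benign)    # different flow: packet-in, then forwarded
    return {
        "first": first, "second": second, "third": third,
        "packet_ins": ctl.packet_ins,
        "switches_with_drop_rule": sum(
            1 for sw in switches if sw.flow_table.get(malware.match()) == "drop"),
        "dropped_total": sum(sw.dropped for sw in switches),
    }


if __name__ == "__main__":
    print(run_demo())
```

The second malware packet never reaches the controller: that is the performance argument of slides 7 and 21 in miniature, and also why a slow or failed controller (slide 18) only hurts flows that have not yet been classified.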

  15. Research Issues

  16. To prevent the unauthorized control of switches
  (Diagram: a malicious controller, alongside the legitimate SDN controller and its security applications, attempts to control Switch1, Switch2 and Switch3)

  17. To prevent the unauthorized control of switches
  • We should establish a secure and authenticated channel between the SDN controller and the switches
  • We need to consider proper key management for secure communication between them
  (Diagram: key management between the security applications / SDN controller and Switch1, Switch2 and Switch3 over a secure and authenticated channel)
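Why the authenticated channel and the key management of slide 17 stop the malicious controller of slide 16, as an added, runnable model (constructed example, not the authors' code). Assumed for illustration: each switch is provisioned out of band with its own secret key shared with the legitimate controller, and every flow-mod carries a per-switch sequence number and an HMAC-SHA256 tag over (switch id, sequence, body); a switch configured with no key stands in for a plain, unauthenticated control channel. Real OpenFlow deployments get these properties from TLS with certificates on both sides; the HMAC scheme here only makes the authentication and replay checks visible in a few lines.

```python
"""Toy authenticated controller-to-switch channel (constructed example, not the
authors' code). Assumed: per-switch shared keys from key management, a per-switch
sequence number, and an HMAC-SHA256 tag on every flow-mod. A switch with key=None
models the legacy unauthenticated channel."""
import hashlib
import hmac
import json
from typing import Dict, Optional


def tag(key: bytes, switch_id: str, seq: int, body: dict) -> str:
    data = f"{switch_id}|{seq}|".encode() + json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Switch:
    def __init__(self, switch_id: str, key: Optional[bytes]):
        self.switch_id = switch_id
        self.key = key                      # None: accept anything (no authentication)
        self.last_seq = 0
        self.flow_table: Dict[str, str] = {}
        self.rejected = 0

    def handle_flow_mod(self, msg: dict) -> bool:
        """Install the rule and return True, or reject the message and return False."""
        if self.key is not None:
            expected = tag(self.key, self.switch_id, msg["seq"], msg["body"])
            if not hmac.compare_digest(expected, msg.get("tag", "")):
                self.rejected += 1          # missing/wrong key, or body tampered in flight
                return False
            if msg["seq"] <= self.last_seq:
                self.rejected += 1          # replay of an old, validly tagged message
                return False
            self.last_seq = msg["seq"]
        self.flow_table[msg["body"]["match"]] = msg["body"]["action"]
        return True


class Controller:
    def __init__(self, keys: Dict[str, bytes]):
        self.keys = keys                    # switch_id -> shared key (from key management)
        self.seq: Dict[str, int] = {}

    def flow_mod(self, switch: Switch, match: str, action: str) -> dict:
        seq = self.seq.get(switch.switch_id, 0) + 1
        self.seq[switch.switch_id] = seq
        body = {"match": match, "action": action}
        msg = {"seq": seq, "body": body}
        key = self.keys.get(switch.switch_id)
        if key is not None:                 # a controller without the key cannot tag
            msg["tag"] = tag(key, switch.switch_id, seq, body)
        return msg


def run_demo() -> Dict[str, object]:
    k1 = b"constructed-key-for-switch1"    # would be provisioned by key management
    secured = Switch("Switch1", k1)
    legacy = Switch("Switch2", None)
    good = Controller({"Switch1": k1})
    rogue = Controller({})                  # malicious controller of slide 16: no keys
    ok1 = secured.handle_flow_mod(good.flow_mod(secured, "10.0.0.0/8->any", "forward"))
    captured = good.flow_mod(secured, "203.0.113.7->10.0.0.5:445", "drop")
    ok2 = secured.handle_flow_mod(captured)
    replay = secured.handle_flow_mod(captured)                        # resent as-is
    forged = secured.handle_flow_mod(rogue.flow_mod(secured, "any->any", "forward"))
    tampered = {"seq": captured["seq"] + 1, "tag": captured["tag"],   # body changed
                "body": {"match": captured["body"]["match"], "action": "forward"}}
    tampered_ok = secured.handle_flow_mod(tampered)
    legacy_forged = legacy.handle_flow_mod(rogue.flow_mod(legacy, "any->any", "forward"))
    return {
        "legit_accepted": ok1 and ok2, "replay_accepted": replay,
        "forged_accepted": forged, "tampered_accepted": tampered_ok,
        "legacy_forged_accepted": legacy_forged,
        "rejected_by_secured": secured.rejected,
        "rules_on_secured": len(secured.flow_table),
    }


if __name__ == "__main__":
    print(run_demo())
```

The unauthenticated Switch2 installs the rogue controller's "any->any forward" rule, which is exactly the unauthorized-control scenario the slide warns about; Switch1 rejects the forgery, the replay and the tampered message, and the per-switch key means a compromise of one switch's key does not let an attacker speak for the others.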

  18. A single point of failure or compromise
  • A centralized server will suffer from a single point of failure or compromise
  (Diagram: when the SDN controller fails, the security applications do not work and Switch1, Switch2 and Switch3 are left without control)

  19. To support the SDN-based security services
  • We need to consider changes in the existing SDN switches and protocols
  (Diagram: deep packet inspection added at the switches, e.g., at Switch2 where the incoming packets arrive)

  20. A scalable architecture
  • SDN seems, in theory, a scalable architecture for providing centralized security services
  (Diagram: security applications and the SDN controller above Switch1, Switch2, ..., Switchn)

  21. Intelligent switches
  • We should address scalability so that security services are supported in an autonomous and scalable fashion
  (Diagram: each switch drops packets automatically based on its flow table; incoming packets carrying malware or DDoS-attack traffic are dropped at Switch1, Switch2 and Switch3, and packets without malware or DDoS-attack traffic are passed)

  22. Conclusions
  • Proposed a framework for security services based on SDN
  • Discussed challenging issues and requirements for SDN
  • As future work: develop the proposed framework in the Mininet emulator and the OMNeT++ simulator; investigate other security services (e.g., encryption/decryption, junk-mail filtering, and anti-spam service)

  23. Any questions?
