Network Security through Software Defined Networking: a Survey

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Network Security through Software Defined Networking: a Survey"

Transcription

1 09/30/14 Network Security through Software Defined Networking: a Survey Jérôme François, Lautaro Dolberg, Olivier Festor, Thomas Engel

2 2 1 Introduction 2 Firewall 3 Monitoring 4 Advanced Security Tasks 5 Conclusion Outline

3 3 SDN OpenFlow Security Outline 1 Introduction SDN OpenFlow Security 2 Firewall 3 Monitoring 4 Advanced Security Tasks 5 Conclusion

4 4 SDN OpenFlow Security Routing algorithms are distributed Every switch runs a program to fill out routing tables look at its routing table to forward packets Usual routing

5 5 SDN OpenFlow Security 2 planes Control plane (routing decisions) Data plane (forward the traffic) 2 main types of entities Decoupling the planes keep switches as forwarders only introduce a dedicated controller to take decisions requires communication between these entities

6 6 SDN OpenFlow Security Application aware networking How is configured the controller? manually from applications / systems through monitoring or interactions network information (topology, link usage) can be monitored as well bidirectional links

7 7 SDN OpenFlow Security Motivations Network programmability Empower research and innovation = easy testing of new methods/protocols Need for more traffic engineering / performance in networking in particular by controlling data delivering paths limited flexibility of standard routing approaches network size and speed increases powerful (and costly) forwarding devices vs. cheap commodity computers natural decomposition planes: control planes has been software based for a long time OpenFlow supported by many actors (research, equipment vendors, operators, chipset designers) incremental deployment

8 8 SDN OpenFlow Security Outline 1 Introduction SDN OpenFlow Security 2 Firewall 3 Monitoring 4 Advanced Security Tasks 5 Conclusion

9 SDN OpenFlow Security Specification 9 A protocol: Communication switch - controller + switch specification Rules to handle packets in a flow table a set of matching fields in headers (IP/MAC addresses, ports, VLAN id, etc.) a priority to choose the rule is several can be matched a timeout counters about the flow instructions to execute (forward, drop, change some values)

10 SDN OpenFlow Security Flow table example 10 App Ingress port Mac Src Addr Mac Dst Addr Ip Src Address Ip Dst Address Protocol Src port Dst port Instructions Switching * * AB:CD:EF:00:11:22 * * * * * Forward to port 3 Routing * * * * * * * * Set Mac src addr=ab:cd:ef:00:11:33, Mac dst addr = AB:CD:EF:00:11:44, forward to port 5 Firewall 1 * * * * TCP * 22 Drop Proxy * * * * TCP * 80 Set IP addr= , forward to port 5 1 * * * TCP * 80 set dst addr = Load balancing , Forward to port 4 2 * * * TCP * 80 set dst addr = , Forward to port 6

11 SDN OpenFlow Security Rule installation 11 2 modes Proactive: rules are installed beforehand coarse grained rule (aggregated) large flow tables lower latency good for general rule like routing or switching Reactive: rules are installed when the first packet of a flow arrives (table-miss) the controller gets a copy (packet in) higher latency small flow tables specific rule (fine-grained) more specific applications like load balancing or firewall

12 12 SDN OpenFlow Security Outline 1 Introduction SDN OpenFlow Security 2 Firewall 3 Monitoring 4 Advanced Security Tasks 5 Conclusion

13 SDN OpenFlow Security What about security 13 2 main questions May SDN/OpenFlow enable or improve security? what are the potential applications? may we create new security processes? what are the benefits? what are the drawbacks? How secure is SDN/OpenFlow? Can be network programmability misused? is there existing approach to guarantee the proper functioning of a SDN enabled network and its applications?

14 14 1 Introduction 2 Firewall 3 Monitoring 4 Advanced Security Tasks 5 Conclusion Outline

15 15 We already have seen an example Easy to implement Stateless firewall static policies install corresponding rule in a proactive or reactive way

16 16 Existing proposals Building firewall over the software-defined network controller, Suh et al., ICACT 2014 command line based tool using POX Floodlight OpenFlow controller + applications REST and Java API include a firewall application which is configured through a REST API ALLOW rule for all flows between and Not specifying action implies ALLOW rule. curl -X POST -d {"src-ip": " /32", "dst-ip": " /32"} curl -X POST -d {"src-ip": " /32", "dst-ip": " /32"}

17 17 Stateful firewall 1/3 Keep track of the connections (history) More powerful in particular for connection oriented protocols to only allow traffic when the session is established from inside accept reverse traffic with a timeout

18 18 Stateful firewall 2/3 What happens when the timeout expires before the session ends? need to reinstall the rule possible with ACK-like mechanisms not really stateful only few packets are analyzed (flow-based) save resources

19 Stateful firewall 3/3 Keep track of the exact status of the connection: need for packet inspection can be done at the controller side match (dst_ip=y,src_ip=x) -> action=controller Problems a lot of overhead: each packet is forwarded to the controller and then analyzed not feasible in practice (latency!!!) Hybrid approach redirect packets which needs stateful packet inspection to a specific middlebox/firewall very similar to the current situation Add support for matching TCP flags possible with OpenFlow v1.2+ controller add a rule to match the last packet(s) (like FIN in TCP) in order to get a copy of this packet and remove the forwarding rule 19

20 20 1 Introduction 2 Firewall 3 Monitoring 4 Advanced Security Tasks 5 Conclusion Outline

21 Security Monitoring Firewall / Access control is important but cannot prevent everything need for monitoring, IDS, IPS to detect misbehaviors How to monitor misbehaviors from the network? connections to multiple suspects IP addresses / domains using blacklists creating multiple connections, traffic volume change (flood/scan/spam) network traffic compared to a profile (day/light, user or application patterns...) observations of similar connections between multiple hosts (botnet, worm propagation...) many attempts to connect to closed ports (scan) observing QoS degradation etc. 21

22 22 Main building blocks Years of research in security monitoring But network monitoring for security purposes rely on common building blocks services/hosts accessed and communicating together traffic statistics (number of bytes, packets,...) timing information to have an historic (timestamp) Retrieve such information with OpenFlow flows are characterized by headers (IP address, ports) flows are associated to counters

23 23 src: OF spec v1.4.0 Flow table counters

24 24 Getting flow information Counters get statistics about flows when a flow is considered inactive: FlowRemoved message on demand: FlowStatisticsRequest message (#bytes, #pkts, duration,...) when a flow start: PacketIn message active flows Different kind of monitoring: passive vs. active, push vs. pull

25 25 Passive Monitoring no additional traffic to inject into the network only able to observe statistics about current usage (for example, unable to infer which links are up, the bandwidth, etc.)

26 FlowSense FlowSense: monitoring network utilization with zero measurement cost, Yu et al., PAM 13 zero cost = push mode no intermediate statistics request monitor link usage sum all link usages issues long flow, maybe never ending due to keep alive messages large granularity, i.e. flow patterns may not be regular 26

27 OpenTM OpenTM: traffic matrix estimator for OpenFlow networks, Tootoonchian et al., PAM 10 Volume of traffic between each OD (origin-destination) pair Periodic polling fine grained and tunable update the matrix Switch selection (multiple switches on the path) most accurate = last swictch before reaching the destination other strategies: random uniform, higher probability for closer switches, round-robin, least load multipaths the control is aware of it and can sum over these paths 27

28 28 PayLess PayLess: A Low Cost Network Monitoring Framework for Software Defined Networks, Chowdhury et al., IM 14 Propose a REST API to define high level monitoring request (per user, per application, type of statistics...) Optimization of polling requests adaptive monitoring (periodic requests): flexible interval increase high variation in the last update, decrease otherwise batching multiple requests together

29 29 Active Monitoring inject packets in the network infer other information, even from non used links low overhead compared to traditional approaches based on ICMP src: Monitoring latency with OpenFlow, Phemius et al., CNSM 13

30 OpenNetMon OpenNetMon: Network Monitoring in OpenFlow Software-Defined Networks, Van Adrichemet al., IM 14 active + passive comparison of first and last switch packet loss active latency measurement (need to take in account delays between the controller and switches) Control plane: PacketOut + PacketIn Data plane: install a dedicated VLAN beforehand avoid scheduling in switches perform better accuracy 30

31 31 1 Introduction 2 Firewall 3 Monitoring 4 Advanced Security Tasks 5 Conclusion Outline

32 32 Packet based analysis Some packets need to be collected individually Redirect every packet matching some patterns to the controller (PacketIn) overhead select packets to redirect checking TCP flags is useful for scan/worm detection only monitor SYN, SYNACK RST... Revisiting Traffic Anomaly Detection Using Software Defined Networking, Mehdi et al., RAID 11 successful vs unsuccessful connection initiation only monitor first packets (SYN, SYNACK, RST) normal flows (successful connections) install a rule for consecutive packets suspect flows short flows + few packet

33 33 Detailed analysis require accessing upper layer and maybe payload of packet deep packet inspection How to? Redirect every packet matching some patterns to the controller (PacketIn) Example: filter TCP port 25 to analyze Same as before but no guarantee that decision can be made on first packets only high overhead Redirect/Copy traffic towards dedicated security middleboxes Let SDN Be Your Eyes: Secure Forensics in Data Center Networks, Bates et al., SENT 14

34 34 MiddleBox interception Traffic is forwarded when it is confirmed as safe many ways to do: MiddleBox could use PacketOut (through an interface), tagging as safe may just be based on addresses (everything coming from the middlebox), need for rewriting addresses/redirecting to right ports

35 35 MiddleBox mirroring Traffic is duplicated to the middlebox but not blocked less latency but higher risk need countermeasures (alert, disinfection, isolation...)

36 36 Other approaches Load Balancing of Security MiddleBoxes Middleboxes can modify packets headers difficult to track flows example: NAT traversal, proxies... add tags to track flows from end to end (FlowTags: enforcing network-wide policies in the presence of dynamic middlebox actions, Fayazbakhsh et al., HotSDN 13 Moving target defense OpenFlow Random Host Mutation: Transparent Moving Target Defense Using Software Defined Networking, Jafarian et al., HotSDN 12 Objective: change IP addresses frequently such that attackers cannot gather knowledge about hosts Each host is associated to a real IP address and mapping frequently to virtual IP addresses in a transparent way using OpenFlow

37 37 1 Introduction 2 Firewall 3 Monitoring 4 Advanced Security Tasks 5 Conclusion Outline

38 38 Some limitations and opportunities 1/3 Stateful firewall need for additional support in both swicthes and controllers... while most of them are not fully compliant Validation usual problem in our domain (having a dataset with labeled attacks) more complex with OpenFlow as it needs network traffic, topology and OF messages or rules so much information that very few operators may have hard to define what would be the rule on a production network Validation is based on (most of the time): simple topology: small tree or linear topology generation of traffic using iperf introduction of artificial delays rule fields are usually source and destination IP addresses and ports without prefix aggregation lack of real datasets or scenarios to generate synthetic but realistic datasets

39 39 Some limitations and opportunities 2/3 Monitoring main goal is to gather statistics about the tuple (IP src, IP dst, protocol, src port, src dst) fine grained and similar to flow based approaches like Netflow impossible to predict the tuples impossible to install rules beforehand install rules on fly impracticable in large networks due to latency scalability is an issue... but not only for security applications Are we going in the right direction? OpenFlow was aiming at keeping switches as specialized forwarding devices (not monitoring devices...) why achieving monitoring as we did for many years? is SDN / OpenFlow open new ways to monitor the networks? looking at OF communications and installation rules might be beneficial Automated source code extension for debugging of OpenFlow based networks, Hommes et al., CNSM 13

40 40 Some limitations and opportunities 3/3 Advanced tasks SDN is only limited to forward traffic to dedicated boxes but it brings a high flexibility to create and test new approach to allocate dynamically traffic inspection tasks SDN can be well coupled with NFV (Network Function Virtualization) NFV: allow to instantiate network function into a virtualized appliance (no need for dedicated hardware) example: a firewall can be created on fly in the cloud......but the network has to be (re)configured accordingly Acknowledgment: FNR IDSECOM project

41 09/30/14 Network Security through Software Defined Networking: a Survey Jérôme François, Lautaro Dolberg, Olivier Festor, Thomas Engel

Securing Local Area Network with OpenFlow

Securing Local Area Network with OpenFlow Securing Local Area Network with OpenFlow Master s Thesis Presentation Fahad B. H. Chowdhury Supervisor: Professor Jukka Manner Advisor: Timo Kiravuo Department of Communications and Networking Aalto University

More information

Outline. Institute of Computer and Communication Network Engineering. Institute of Computer and Communication Network Engineering

Outline. Institute of Computer and Communication Network Engineering. Institute of Computer and Communication Network Engineering Institute of Computer and Communication Network Engineering Institute of Computer and Communication Network Engineering Communication Networks Software Defined Networking (SDN) Prof. Dr. Admela Jukan Dr.

More information

OpenFlow and Software Defined Networking presented by Greg Ferro. OpenFlow Functions and Flow Tables

OpenFlow and Software Defined Networking presented by Greg Ferro. OpenFlow Functions and Flow Tables OpenFlow and Software Defined Networking presented by Greg Ferro OpenFlow Functions and Flow Tables would like to thank Greg Ferro and Ivan Pepelnjak for giving us the opportunity to sponsor to this educational

More information

PayLess: A Low Cost Network Monitoring Framework for Software Defined Networks

PayLess: A Low Cost Network Monitoring Framework for Software Defined Networks PayLess: A Low Cost Network Monitoring Framework for Software Defined Networks Shihabur R. Chowdhury, Md. Faizul Bari, Reaz Ahmed and Raouf Boutaba David R. Cheriton School of Computer Science, University

More information

SDN, OpenFlow and the ONF

SDN, OpenFlow and the ONF SDN, OpenFlow and the ONF OpenFlow/Software-Defined Networking (SDN) OpenFlow/SDN is emerging as one of the most promising and disruptive networking technologies of recent years. It has the potential to

More information

Cisco IOS Flexible NetFlow Technology

Cisco IOS Flexible NetFlow Technology Cisco IOS Flexible NetFlow Technology Last Updated: December 2008 The Challenge: The ability to characterize IP traffic and understand the origin, the traffic destination, the time of day, the application

More information

SDN AND SECURITY: Why Take Over the Hosts When You Can Take Over the Network

SDN AND SECURITY: Why Take Over the Hosts When You Can Take Over the Network SDN AND SECURITY: Why Take Over the s When You Can Take Over the Network SESSION ID: TECH0R03 Robert M. Hinden Check Point Fellow Check Point Software What are the SDN Security Challenges? Vulnerability

More information

Wedge Networks: Transparent Service Insertion in SDNs Using OpenFlow

Wedge Networks: Transparent Service Insertion in SDNs Using OpenFlow Wedge Networks: EXECUTIVE SUMMARY In this paper, we will describe a novel way to insert Wedge Network s multiple content security services (such as Anti-Virus, Anti-Spam, Web Filtering, Data Loss Prevention,

More information

Introduction to Cisco IOS Flexible NetFlow

Introduction to Cisco IOS Flexible NetFlow Introduction to Cisco IOS Flexible NetFlow Last updated: September 2008 The next-generation in flow technology allowing optimization of the network infrastructure, reducing operation costs, improving capacity

More information

Software-Defined Networking for the Data Center. Dr. Peer Hasselmeyer NEC Laboratories Europe

Software-Defined Networking for the Data Center. Dr. Peer Hasselmeyer NEC Laboratories Europe Software-Defined Networking for the Data Center Dr. Peer Hasselmeyer NEC Laboratories Europe NW Technology Can t Cope with Current Needs We still use old technology... but we just pimp it To make it suitable

More information

Flow Analysis Versus Packet Analysis. What Should You Choose?

Flow Analysis Versus Packet Analysis. What Should You Choose? Flow Analysis Versus Packet Analysis. What Should You Choose? www.netfort.com Flow analysis can help to determine traffic statistics overall, but it falls short when you need to analyse a specific conversation

More information

DEMYSTIFYING ROUTING SERVICES IN SOFTWAREDEFINED NETWORKING

DEMYSTIFYING ROUTING SERVICES IN SOFTWAREDEFINED NETWORKING DEMYSTIFYING ROUTING SERVICES IN STWAREDEFINED NETWORKING GAUTAM KHETRAPAL Engineering Project Manager, Aricent SAURABH KUMAR SHARMA Principal Systems Engineer, Technology, Aricent DEMYSTIFYING ROUTING

More information

NetFlow/IPFIX Various Thoughts

NetFlow/IPFIX Various Thoughts NetFlow/IPFIX Various Thoughts Paul Aitken & Benoit Claise 3 rd NMRG Workshop on NetFlow/IPFIX Usage in Network Management, July 2010 1 B #1 Application Visibility Business Case NetFlow (L3/L4) DPI Application

More information

Ethernet-based Software Defined Network (SDN) Cloud Computing Research Center for Mobile Applications (CCMA), ITRI 雲 端 運 算 行 動 應 用 研 究 中 心

Ethernet-based Software Defined Network (SDN) Cloud Computing Research Center for Mobile Applications (CCMA), ITRI 雲 端 運 算 行 動 應 用 研 究 中 心 Ethernet-based Software Defined Network (SDN) Cloud Computing Research Center for Mobile Applications (CCMA), ITRI 雲 端 運 算 行 動 應 用 研 究 中 心 1 SDN Introduction Decoupling of control plane from data plane

More information

SOFTWARE-DEFINED NETWORKING AND OPENFLOW

SOFTWARE-DEFINED NETWORKING AND OPENFLOW SOFTWARE-DEFINED NETWORKING AND OPENFLOW Freddie Örnebjär TREX Workshop 2012 2012 Brocade Communications Systems, Inc. 2012/09/14 Software-Defined Networking (SDN): Fundamental Control

More information

Firewalls P+S Linux Router & Firewall 2013

Firewalls P+S Linux Router & Firewall 2013 Firewalls P+S Linux Router & Firewall 2013 Firewall Techniques What is a firewall? A firewall is a hardware or software device which is configured to permit, deny, or proxy data through a computer network

More information

Software Defined Networking What is it, how does it work, and what is it good for?

Software Defined Networking What is it, how does it work, and what is it good for? Software Defined Networking What is it, how does it work, and what is it good for? slides stolen from Jennifer Rexford, Nick McKeown, Michael Schapira, Scott Shenker, Teemu Koponen, Yotam Harchol and David

More information

FlowSense: Monitoring Network Utilization with Zero Measurement Cost

FlowSense: Monitoring Network Utilization with Zero Measurement Cost FlowSense: Monitoring Network Utilization with Zero Measurement Cost Curtis Yu 1, Cristian Lumezanu 2, Yueping Zhang 2, Vishal Singh 2, Guofei Jiang 2, and Harsha V. Madhyastha 1 1 University of California,

More information

FlowSense: Monitoring Network Utilization with Zero Measurement Cost

FlowSense: Monitoring Network Utilization with Zero Measurement Cost FlowSense: Monitoring Network Utilization with Zero Measurement Cost Curtis Yu 1, Cristian Lumezanu 2, Yueping Zhang 2, Vishal Singh 2, Guofei Jiang 2, and Harsha V. Madhyastha 1 1 University of California,

More information

SOFTWARE-DEFINED NETWORKING AND OPENFLOW

SOFTWARE-DEFINED NETWORKING AND OPENFLOW SOFTWARE-DEFINED NETWORKING AND OPENFLOW Eric Choi < echoi@brocade.com> Senior Manager, Service Provider Business Unit, APJ 2012 Brocade Communications Systems, Inc. EPF 7 2012/09/17 Software-Defined Networking

More information

Software Defined Networking (SDN) OpenFlow and OpenStack. Vivek Dasgupta Principal Software Maintenance Engineer Red Hat

Software Defined Networking (SDN) OpenFlow and OpenStack. Vivek Dasgupta Principal Software Maintenance Engineer Red Hat Software Defined Networking (SDN) OpenFlow and OpenStack Vivek Dasgupta Principal Software Maintenance Engineer Red Hat CONTENTS Introduction SDN and components SDN Architecture, Components SDN Controller

More information

OpenDaylight Project Proposal Dynamic Flow Management

OpenDaylight Project Proposal Dynamic Flow Management OpenDaylight Project Proposal Dynamic Flow Management Ram (Ramki) Krishnan, Varma Bhupatiraju et al. (Brocade Communications) Sriganesh Kini et al. (Ericsson) Debo~ Dutta, Yathiraj Udupi (Cisco) 1 Table

More information

DATA COMMUNICATOIN NETWORKING

DATA COMMUNICATOIN NETWORKING DATA COMMUNICATOIN NETWORKING Instructor: Ouldooz Baghban Karimi Course Book: Computer Networking, A Top-Down Approach, Kurose, Ross Slides: - Course book Slides - Slides from Princeton University COS461

More information

Network Security: Network Flooding. Seungwon Shin GSIS, KAIST

Network Security: Network Flooding. Seungwon Shin GSIS, KAIST Network Security: Network Flooding Seungwon Shin GSIS, KAIST Detecting Network Flooding Attacks SYN-cookies Proxy based CAPCHA Ingress/Egress filtering Some examples SYN-cookies Background In a TCP 3-way

More information

Ten Things to Look for in an SDN Controller

Ten Things to Look for in an SDN Controller Ten Things to Look for in an SDN Controller Executive Summary Over the last six months there has been significant growth in the interest that IT organizations have shown in Software-Defined Networking

More information

INTRODUCTION TO FIREWALL SECURITY

INTRODUCTION TO FIREWALL SECURITY INTRODUCTION TO FIREWALL SECURITY SESSION 1 Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 2 Printed in USA. What Is a Firewall DMZ

More information

Network Monitoring and Management NetFlow Overview

Network Monitoring and Management NetFlow Overview Network Monitoring and Management NetFlow Overview These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/)

More information

Carrier/WAN SDN Brocade Flow Optimizer Making SDN Consumable

Carrier/WAN SDN Brocade Flow Optimizer Making SDN Consumable Brocade Flow Optimizer Making SDN Consumable Business And IT Are Changing Like Never Before Changes in Application Type, Delivery and Consumption Public/Hybrid Cloud SaaS/PaaS Storage Users/ Machines Device

More information

Flow processing and the rise of the middle.

Flow processing and the rise of the middle. Flow processing and the rise of the middle. Mark Handley, UCL With acknowledgments to Michio Honda, Laurent Mathy, Costin Raiciu, Olivier Bonaventure, and Felipe Huici. Part 1 Today s Internet Protocol

More information

OpenFlow and Onix. OpenFlow: Enabling Innovation in Campus Networks. The Problem. We also want. How to run experiments in campus networks?

OpenFlow and Onix. OpenFlow: Enabling Innovation in Campus Networks. The Problem. We also want. How to run experiments in campus networks? OpenFlow and Onix Bowei Xu boweixu@umich.edu [1] McKeown et al., "OpenFlow: Enabling Innovation in Campus Networks," ACM SIGCOMM CCR, 38(2):69-74, Apr. 2008. [2] Koponen et al., "Onix: a Distributed Control

More information

Tutorial: OpenFlow in GENI

Tutorial: OpenFlow in GENI Tutorial: OpenFlow in GENI GENI Project Office The current Internet is at an impasse because new architecture cannot be deployed or even adequately evaluated [PST04] [PST04]: Overcoming the Internet Impasse

More information

Software Defined Networking and OpenFlow: a Concise Review

Software Defined Networking and OpenFlow: a Concise Review Software Defined Networking and OpenFlow: a Concise Review Stefano Forti stefano.forti92@gmail.com MSc in Computer Science and Networking Scuola Superiore Sant'Anna - University of Pisa 1. Introduction

More information

Software Defined Networks

Software Defined Networks Software Defined Networks Damiano Carra Università degli Studi di Verona Dipartimento di Informatica Acknowledgements! Credits Part of the course material is based on slides provided by the following authors

More information

OpenFlow - the key standard of Software-Defined Networks. Dmitry Orekhov, Epam Systems

OpenFlow - the key standard of Software-Defined Networks. Dmitry Orekhov, Epam Systems OpenFlow - the key standard of Software-Defined Networks Dmitry Orekhov, Epam Systems Software-defined network The Need for a New Network Architecture Limitations of Current Networking Technologies Changing

More information

8. 網路流量管理 Network Traffic Management

8. 網路流量管理 Network Traffic Management 8. 網路流量管理 Network Traffic Management Measurement vs. Metrics end-to-end performance topology, configuration, routing, link properties state active measurements active routes active topology link bit error

More information

Concepts and Mechanisms for Consistent Route Transitions in Software-defined Networks

Concepts and Mechanisms for Consistent Route Transitions in Software-defined Networks Institute of Parallel and Distributed Systems Department Distributed Systems University of Stuttgart Universitätsstraße 38 D-70569 Stuttgart Studienarbeit Nr. 2408 Concepts and Mechanisms for Consistent

More information

LTE - Can SDN paradigm be applied?

LTE - Can SDN paradigm be applied? LTE - Can SDN paradigm be applied? Source of this presentation: Towards Software Defined Cellular Networks Li Erran Li (Bell Labs, Alcatel-Lucent) Morley Mao (University of Michigan) Jennifer Rexford (Princeton

More information

Introduction to Software Defined Networking (SDN) and how it will change the inside of your DataCentre

Introduction to Software Defined Networking (SDN) and how it will change the inside of your DataCentre Introduction to Software Defined Networking (SDN) and how it will change the inside of your DataCentre Wilfried van Haeren CTO Edgeworx Solutions Inc. www.edgeworx.solutions Topics Intro Edgeworx Past-Present-Future

More information

Towards Software Defined Cellular Networks

Towards Software Defined Cellular Networks Towards Software Defined Cellular Networks Li Erran Li (Bell Labs, Alcatel-Lucent) Morley Mao (University of Michigan) Jennifer Rexford (Princeton University) 1 Outline Critiques of LTE Architecture CellSDN

More information

Application Centric Infrastructure Overview: Implement a Robust Transport Network for Dynamic Workloads

Application Centric Infrastructure Overview: Implement a Robust Transport Network for Dynamic Workloads White Paper Application Centric Infrastructure Overview: Implement a Robust Transport Network for Dynamic Workloads What You Will Learn Application centric infrastructure (ACI) provides a robust transport

More information

OpenFlow Overview. Daniel Turull danieltt@kth.se

OpenFlow Overview. Daniel Turull danieltt@kth.se OpenFlow Overview Daniel Turull danieltt@kth.se Overview OpenFlow Software Defined Networks (SDN) Network Systems Lab activities Daniel Turull - Netnod spring meeting 2012 2 OpenFlow Why and where was

More information

基 於 SDN 與 可 程 式 化 硬 體 架 構 之 雲 端 網 路 系 統 交 換 器

基 於 SDN 與 可 程 式 化 硬 體 架 構 之 雲 端 網 路 系 統 交 換 器 基 於 SDN 與 可 程 式 化 硬 體 架 構 之 雲 端 網 路 系 統 交 換 器 楊 竹 星 教 授 國 立 成 功 大 學 電 機 工 程 學 系 Outline Introduction OpenFlow NetFPGA OpenFlow Switch on NetFPGA Development Cases Conclusion 2 Introduction With the proposal

More information

HP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide

HP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide HP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide Abstract This guide contains comprehensive information for network administrators, engineers, and operators working with

More information

Configuring Flexible NetFlow

Configuring Flexible NetFlow CHAPTER 62 Note Flexible NetFlow is only supported on Supervisor Engine 7-E, Supervisor Engine 7L-E, and Catalyst 4500X. Flow is defined as a unique set of key fields attributes, which might include fields

More information

Empowering Software Defined Network Controller with Packet-Level Information

Empowering Software Defined Network Controller with Packet-Level Information Empowering Software Defined Network Controller with Packet-Level Information Sajad Shirali-Shahreza, Yashar Ganjali Department of Computer Science, University of Toronto, Toronto, Canada Abstract Packet

More information

Software Defined Networking

Software Defined Networking Software Defined Networking Dr. Nick Feamster Associate Professor In this course, you will learn about software defined networking and how it is changing the way communications networks are managed, maintained,

More information

The State of OpenFlow: Advice for Those Considering SDN. Steve Wallace Executive Director, InCNTRE SDN Lab Indiana University ssw@iu.

The State of OpenFlow: Advice for Those Considering SDN. Steve Wallace Executive Director, InCNTRE SDN Lab Indiana University ssw@iu. The State of OpenFlow: Advice for Those Considering SDN Steve Wallace Executive Director, InCNTRE SDN Lab Indiana University ssw@iu.edu 2 3 4 SDN is an architecture Separation of Control and Data Planes

More information

Cloud Networking Disruption with Software Defined Network Virtualization. Ali Khayam

Cloud Networking Disruption with Software Defined Network Virtualization. Ali Khayam Cloud Networking Disruption with Software Defined Network Virtualization Ali Khayam In the next one hour Let s discuss two disruptive new paradigms in the world of networking: Network Virtualization Software

More information

CISCO IOS NETFLOW AND SECURITY

CISCO IOS NETFLOW AND SECURITY CISCO IOS NETFLOW AND SECURITY INTERNET TECHNOLOGIES DIVISION FEBRUARY 2005 1 Cisco IOS NetFlow NetFlow is a standard for acquiring IP network and operational data Benefits Understand the impact of network

More information

HP OpenFlow Protocol Overview

HP OpenFlow Protocol Overview HP OpenFlow Protocol Overview Technical Solution Guide Version: 1 September 2013 Table of Contents Introduction: Traditional Switch and Openflow... 2 Destination Address-based Switching... 2 Flow-based

More information

VLAN und MPLS, Firewall und NAT,

VLAN und MPLS, Firewall und NAT, Internet-Technologien (CS262) VLAN und MPLS, Firewall und NAT, 15.4.2015 Christian Tschudin Departement Mathematik und Informatik, Universität Basel 6-1 Wiederholung Unterschied CSMA/CD und CSMA/CA? Was

More information

J-Flow on J Series Services Routers and Branch SRX Series Services Gateways

J-Flow on J Series Services Routers and Branch SRX Series Services Gateways APPLICATION NOTE Juniper Flow Monitoring J-Flow on J Series Services Routers and Branch SRX Series Services Gateways Copyright 2011, Juniper Networks, Inc. 1 APPLICATION NOTE - Juniper Flow Monitoring

More information

Software Defined Networking and the design of OpenFlow switches

Software Defined Networking and the design of OpenFlow switches Software Defined Networking and the design of OpenFlow switches Paolo Giaccone Notes for the class on Packet Switch Architectures Politecnico di Torino December 2015 Outline 1 Introduction to SDN 2 OpenFlow

More information

Radware s Attack Mitigation Solution On-line Business Protection

Radware s Attack Mitigation Solution On-line Business Protection Radware s Attack Mitigation Solution On-line Business Protection Table of Contents Attack Mitigation Layers of Defense... 3 Network-Based DDoS Protections... 3 Application Based DoS/DDoS Protection...

More information

From Active & Programmable Networks to.. OpenFlow & Software Defined Networks. Prof. C. Tschudin, M. Sifalakis, T. Meyer, M. Monti, S.

From Active & Programmable Networks to.. OpenFlow & Software Defined Networks. Prof. C. Tschudin, M. Sifalakis, T. Meyer, M. Monti, S. From Active & Programmable Networks to.. OpenFlow & Software Defined Networks Prof. C. Tschudin, M. Sifalakis, T. Meyer, M. Monti, S. Braun University of Basel Cs321 - HS 2012 (Slides material from www.bigswitch.com)

More information

Netflow Overview. PacNOG 6 Nadi, Fiji

Netflow Overview. PacNOG 6 Nadi, Fiji Netflow Overview PacNOG 6 Nadi, Fiji Agenda Netflow What it is and how it works Uses and Applications Vendor Configurations/ Implementation Cisco and Juniper Flow-tools Architectural issues Software, tools

More information

Poisoning Network Visibility in Software-Defined Networks: New Attacks and Countermeasures Sungmin Hong, Lei Xu, Haopei Wang, Guofei Gu

Poisoning Network Visibility in Software-Defined Networks: New Attacks and Countermeasures Sungmin Hong, Lei Xu, Haopei Wang, Guofei Gu Poisoning Network Visibility in Software-Defined Networks: New Attacks and Countermeasures Sungmin Hong, Lei Xu, Haopei Wang, Guofei Gu Presented by Alaa Shublaq SDN Overview Software-Defined Networking

More information

Network performance in virtual infrastructures

Network performance in virtual infrastructures Network performance in virtual infrastructures A closer look at Amazon EC2 Alexandru-Dorin GIURGIU University of Amsterdam System and Network Engineering Master 03 February 2010 Coordinators: Paola Grosso

More information

ICND2 NetFlow. Question 1. What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring. B.

ICND2 NetFlow. Question 1. What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring. B. ICND2 NetFlow Question 1 What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring B. Network Planning C. Security Analysis D. Accounting/Billing Answer: A C D NetFlow

More information

OF-RHM: Transparent Moving Target Defense using Software Defined Networking

OF-RHM: Transparent Moving Target Defense using Software Defined Networking OF-RHM: Transparent Moving Target Defense using Software Defined Networking Haadi Jafarian, Qi Duan and Ehab Al-Shaer ACM SIGCOMM HotSDN Workshop August 2012 Helsinki, Finland Why IP Mutation Static assignment

More information

Datasheet iscsi Protocol

Datasheet iscsi Protocol Protocol with DCB PROTOCOL PACKAGE Industry s premiere validation system for SAN technologies Overview Load DynamiX offers SCSI over TCP/IP transport () support to its existing powerful suite of file,

More information

642 523 Securing Networks with PIX and ASA

642 523 Securing Networks with PIX and ASA 642 523 Securing Networks with PIX and ASA Course Number: 642 523 Length: 1 Day(s) Course Overview This course is part of the training for the Cisco Certified Security Professional and the Cisco Firewall

More information

NetStream (Integrated) Technology White Paper HUAWEI TECHNOLOGIES CO., LTD. Issue 01. Date 2012-9-6

NetStream (Integrated) Technology White Paper HUAWEI TECHNOLOGIES CO., LTD. Issue 01. Date 2012-9-6 (Integrated) Technology White Paper Issue 01 Date 2012-9-6 HUAWEI TECHNOLOGIES CO., LTD. 2012. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means

More information

Software Defined Networking (SDN) - Open Flow

Software Defined Networking (SDN) - Open Flow Software Defined Networking (SDN) - Open Flow Introduction Current Internet: egalitarian routing/delivery based on destination address, best effort. Future Internet: criteria based traffic management,

More information

Flexible Building Blocks for Software Defined Network Function Virtualization (Tenant-Programmable Virtual Networks)

Flexible Building Blocks for Software Defined Network Function Virtualization (Tenant-Programmable Virtual Networks) Flexible Building Blocks for Software Defined Network Function Virtualization (Tenant-Programmable Virtual Networks) Aryan TaheriMonfared Chunming Rong Department of Electrical Engineering and Computer

More information

COMPSCI 314: SDN: Software Defined Networking

COMPSCI 314: SDN: Software Defined Networking COMPSCI 314: SDN: Software Defined Networking Nevil Brownlee n.brownlee@auckland.ac.nz Lecture 23 Current approach to building a network Buy 802.3 (Ethernet) switches, connect hosts to them using UTP cabling

More information

IMPLEMENTATION AND EVALUATION OF THE MOBILITYFIRST PROTOCOL STACK ON SOFTWARE-DEFINED NETWORK PLATFORMS

IMPLEMENTATION AND EVALUATION OF THE MOBILITYFIRST PROTOCOL STACK ON SOFTWARE-DEFINED NETWORK PLATFORMS IMPLEMENTATION AND EVALUATION OF THE MOBILITYFIRST PROTOCOL STACK ON SOFTWARE-DEFINED NETWORK PLATFORMS BY ARAVIND KRISHNAMOORTHY A thesis submitted to the Graduate School New Brunswick Rutgers, The State

More information

Centec s SDN Switch Built from the Ground Up to Deliver an Optimal Virtual Private Cloud

Centec s SDN Switch Built from the Ground Up to Deliver an Optimal Virtual Private Cloud Centec s SDN Switch Built from the Ground Up to Deliver an Optimal Virtual Private Cloud Table of Contents Virtualization Fueling New Possibilities Virtual Private Cloud Offerings... 2 Current Approaches

More information

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, 2015. Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, 2015. Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik Network Security Chapter 3 Cornelius Diekmann Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik Version: October 21, 2015 IN2101, WS 15/16, Network Security 1 Security Policies and

More information

Software Defined Networking & Openflow

Software Defined Networking & Openflow Software Defined Networking & Openflow Autonomic Computer Systems, HS 2015 Christopher Scherb, 01.10.2015 Overview What is Software Defined Networks? Brief summary on routing and forwarding Introduction

More information

Network Management & Monitoring

Network Management & Monitoring Network Management & Monitoring NetFlow Overview These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/)

More information

Distributed monitoring of IP-availability

Distributed monitoring of IP-availability IPLU-II Seminar 08.02.2008 1 Distributed monitoring of IP-availability Jorma Kilpi, VTT February 8, 2008 IPLU-II Seminar 08.02.2008 2 Availability vs. IP-Availability In this presentation Availability

More information

Case Study: Instrumenting a Network for NetFlow Security Visualization Tools

Case Study: Instrumenting a Network for NetFlow Security Visualization Tools Case Study: Instrumenting a Network for NetFlow Security Visualization Tools William Yurcik* Yifan Li SIFT Research Group National Center for Supercomputing Applications (NCSA) University of Illinois at

More information

SDN 交 換 機 核 心 技 術 - 流 量 分 類 以 及 應 用 辨 識 技 術. 黃 能 富 教 授 國 立 清 華 大 學 特 聘 教 授, 資 工 系 教 授 E-mail: nfhuang@cs.nthu.edu.tw

SDN 交 換 機 核 心 技 術 - 流 量 分 類 以 及 應 用 辨 識 技 術. 黃 能 富 教 授 國 立 清 華 大 學 特 聘 教 授, 資 工 系 教 授 E-mail: nfhuang@cs.nthu.edu.tw SDN 交 換 機 核 心 技 術 - 流 量 分 類 以 及 應 用 辨 識 技 術 黃 能 富 教 授 國 立 清 華 大 學 特 聘 教 授, 資 工 系 教 授 E-mail: nfhuang@cs.nthu.edu.tw Contents 1 2 3 4 5 6 Introduction to SDN Networks Key Issues of SDN Switches Machine

More information

The Internet: A Remarkable Story. Inside the Net: A Different Story. Networks are Hard to Manage. Software Defined Networking Concepts

The Internet: A Remarkable Story. Inside the Net: A Different Story. Networks are Hard to Manage. Software Defined Networking Concepts The Internet: A Remarkable Story Software Defined Networking Concepts Based on the materials from Jennifer Rexford (Princeton) and Nick McKeown(Stanford) Tremendous success From research experiment to

More information

Open Source Network: Software-Defined Networking (SDN) and OpenFlow

Open Source Network: Software-Defined Networking (SDN) and OpenFlow Open Source Network: Software-Defined Networking (SDN) and OpenFlow Insop Song, Ericsson LinuxCon North America, Aug. 2012, San Diego CA Objectives Overview of OpenFlow Overview of Software Defined Networking

More information

SDN Overview for UCAR IT meeting 19-March-2014. Presenter Steven Wallace (ssw@iu.edu) Support by the GENI Program Office!

SDN Overview for UCAR IT meeting 19-March-2014. Presenter Steven Wallace (ssw@iu.edu) Support by the GENI Program Office! SDN Overview for UCAR IT meeting 19-March-2014 Presenter Steven Wallace (ssw@iu.edu) Support by the GENI Program Office! Patterns (here, there, everywhere) Patterns (here, there, everywhere) Today s Internet

More information

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief ForeScout CounterACT Device Host and Detection Methods Technology Brief Contents Introduction... 3 The ForeScout Approach... 3 Discovery Methodologies... 4 Passive Monitoring... 4 Passive Authentication...

More information

SDN. What's Software Defined Networking? Angelo Capossele

SDN. What's Software Defined Networking? Angelo Capossele SDN What's Software Defined Networking? Angelo Capossele Outline Introduction to SDN OpenFlow Network Functions Virtualization Some examples Opportunities Research problems Security Case study: LTE (Mini)Tutorial

More information

to-end Packet Loss Estimation for Grid Traffic Monitoring

to-end Packet Loss Estimation for Grid Traffic Monitoring Passive End-to to-end Packet Loss Estimation for Grid Traffic Monitoring Antonis Papadogiannakis, Alexandros Kapravelos, Michalis Polychronakis, Evangelos P. Markatos Institute of Computer Science (ICS)

More information

Comparisons of SDN OpenFlow Controllers over EstiNet: Ryu vs. NOX

Comparisons of SDN OpenFlow Controllers over EstiNet: Ryu vs. NOX Comparisons of SDN OpenFlow Controllers over EstiNet: Ryu vs. NOX Shie-Yuan Wang Hung-Wei Chiu and Chih-Liang Chou Department of Computer Science, National Chiao Tung University, Taiwan Email: shieyuan@cs.nctu.edu.tw

More information

Firewall Defaults and Some Basic Rules

Firewall Defaults and Some Basic Rules Firewall Defaults and Some Basic Rules ProSecure UTM Quick Start Guide This quick start guide provides the firewall defaults and explains how to configure some basic firewall rules for the ProSecure Unified

More information

Enhancing network security with SDN

Enhancing network security with SDN 11.4.2014 Overview Security in Traditional Networks SDN Security Solutions Ethane OpenFlow Random Host Mutation Security of SDN Potential Threats Possible Solutions Enterprise and Campus Networks Networks

More information

Multiple Service Load-Balancing with OpenFlow

Multiple Service Load-Balancing with OpenFlow 2012 IEEE 13th International Conference on High Performance Switching and Routing Multiple Service Load-Balancing with OpenFlow Marc Koerner Technische Universitaet Berlin Department of Telecommunication

More information

FIREWALL AND NAT Lecture 7a

FIREWALL AND NAT Lecture 7a FIREWALL AND NAT Lecture 7a COMPSCI 726 Network Defence and Countermeasures Muhammad Rizwan Asghar August 3, 2015 Source of most of slides: University of Twente FIREWALL An integrated collection of security

More information

Designing Virtual Network Security Architectures Dave Shackleford

Designing Virtual Network Security Architectures Dave Shackleford SESSION ID: CSV R03 Designing Virtual Network Security Architectures Dave Shackleford Sr. Faculty and Analyst SANS @daveshackleford Introduction Much has been said about virtual networking and softwaredefined

More information

Software Defined Networking A quantum leap for Devops?

Software Defined Networking A quantum leap for Devops? Software Defined Networking A quantum leap for Devops? TNG Technology Consulting GmbH, http://www.tngtech.com/ Networking is bottleneck in today s devops Agile software development and devops is increasing

More information

Network Functions Virtualization in Home Networks

Network Functions Virtualization in Home Networks Network Functions Virtualization in Home Networks Marion Dillon Timothy Winters Abstract The current model of home networking includes relatively low- cost, failure- prone devices, requiring frequent intervention

More information

Flow Analysis. Make A Right Policy for Your Network. GenieNRM

Flow Analysis. Make A Right Policy for Your Network. GenieNRM Flow Analysis Make A Right Policy for Your Network GenieNRM Why Flow Analysis? Resolve Network Managers Challenge as follow: How can I know the Detail and Real-Time situation of my network? How can I do

More information

Internet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering

Internet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering Internet Firewall CSIS 4222 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 27: Internet Routing Ch 30: Packet filtering & firewalls

More information

Technical Bulletin. Enabling Arista Advanced Monitoring. Overview

Technical Bulletin. Enabling Arista Advanced Monitoring. Overview Technical Bulletin Enabling Arista Advanced Monitoring Overview Highlights: Independent observation networks are costly and can t keep pace with the production network speed increase EOS eapi allows programmatic

More information

Introduction to Netflow

Introduction to Netflow Introduction to Netflow Mike Jager Network Startup Resource Center mike.jager@synack.co.nz These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/)

More information

MASTER THESIS. Performance Comparison Of the state of the art Openflow Controllers. Ahmed Sonba, Hassan Abdalkreim

MASTER THESIS. Performance Comparison Of the state of the art Openflow Controllers. Ahmed Sonba, Hassan Abdalkreim Master's Programme in Computer Network Engineering, 60 credits MASTER THESIS Performance Comparison Of the state of the art Openflow Controllers Ahmed Sonba, Hassan Abdalkreim Computer Network Engineering,

More information

Testing Challenges for Modern Networks Built Using SDN and OpenFlow

Testing Challenges for Modern Networks Built Using SDN and OpenFlow Using SDN and OpenFlow July 2013 Rev. A 07/13 SPIRENT 1325 Borregas Avenue Sunnyvale, CA 94089 USA Email: Web: sales@spirent.com www.spirent.com AMERICAS 1-800-SPIRENT +1-818-676-2683 sales@spirent.com

More information

Software-Defined Networking Architecture Framework for Multi-Tenant Enterprise Cloud Environments

Software-Defined Networking Architecture Framework for Multi-Tenant Enterprise Cloud Environments Software-Defined Networking Architecture Framework for Multi-Tenant Enterprise Cloud Environments Aryan TaheriMonfared Department of Electrical Engineering and Computer Science University of Stavanger

More information

Network Virtualization and Application Delivery Using Software Defined Networking

Network Virtualization and Application Delivery Using Software Defined Networking Network Virtualization and Application Delivery Using Software Defined Networking Project Leader: Subharthi Paul Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Keynote at

More information

Directory Enabled Distributed Packet Filtration System

Directory Enabled Distributed Packet Filtration System Directory Enabled Distributed Packet Filtration System A Scalable and High Performance Security Architecture Siddhartha Gavirneni sgavirne@eecs.ku.edu Electrical Engineering and Computer Science Networking

More information

Network traffic monitoring and management. Sonia Panchen sonia.panchen@inmon.com 11 th November 2010

Network traffic monitoring and management. Sonia Panchen sonia.panchen@inmon.com 11 th November 2010 Network traffic monitoring and management Sonia Panchen sonia.panchen@inmon.com 11 th November 2010 Lecture outline What is network traffic management? Traffic management applications Traffic monitoring

More information

Chapter 11 Network Address Translation

Chapter 11 Network Address Translation Chapter 11 Network Address Translation You can configure an HP routing switch to perform standard Network Address Translation (NAT). NAT enables private IP networks that use nonregistered IP addresses

More information

Cisco IOS Flexible NetFlow Command Reference

Cisco IOS Flexible NetFlow Command Reference Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION

More information