Securing Local Area Network with OpenFlow
Master's Thesis Presentation
Fahad B. H. Chowdhury
Supervisor: Professor Jukka Manner
Advisor: Timo Kiravuo
Department of Communications and Networking, Aalto University
Outline
- Background
- Methodology
- Example Test Scenario
- Results
- Shortcomings of the Firewall
- Future Work
1. Background
- Limitations of traditional network
- Software Defined Networking (SDN)
- OpenFlow
- Network Security of OpenFlow
- Firewall
Limitations of traditional network
- The dynamic character of the modern network environment is in sharp contrast to the static traditional network architecture: rapid increase of mobile devices and content, server virtualization and use of cloud services.
- In conventional network switches, the control logic for each switch is co-located with the switching logic.
- The task of operation and maintenance is tedious. The number of network devices grows to meet the requirements, and each network device needs to be configured individually using low-level, vendor-specific commands.
- To implement a network-wide policy, a large number of devices need to be configured, which is time-consuming and inefficient.
Software Defined Networking (SDN)
Traditional switches and routers:
- Both forwarding and control functions reside in the network devices (control decisions and forwarding hardware in each device)
SDN architecture:
- Decouples control decisions from the forwarding plane
- Logically centralized controller, with applications on top
- Distributed forwarding hardware (network devices)
- Standard interface between controller and devices (e.g. OpenFlow)
Software Defined Network Architecture
- The centralized controller has the network intelligence and a global view of the network
- The network devices only have to accept instructions from the controller
- The entire network can be managed by programming the controller
OpenFlow
- The first standard of the SDN architecture.
- OpenFlow is a protocol between SDN controllers and network devices, and also a specification of the logical structure of the network switch functions.
- The majority of Ethernet switches and routers have flow tables. Although different vendors have different flow tables, there is a common set of functionalities in the switches and routers which OpenFlow exploits.
- By programming the flow table, OpenFlow can add, remove or update flow entries and thus control the flow of traffic in the network.
Flow Table Entry
Matching fields:
- Switch port, MAC src, MAC dst, Eth type, VLAN ID, IP src, IP dst, IP proto, TCP src port, TCP dst port
Action:
- Forward packet to port(s)
- Encapsulate and forward to controller
- Drop packet
- Send to normal processing pipeline
- Customized action
Stats:
- Packet counters, byte counters
Each flow table entry contains a set of rules (e.g. IP src) to match and an action list (e.g. forward to port) to be executed in case of a match.
OpenFlow Switch
An OpenFlow switch consists of:
1. Flow tables and group tables:
- Packet look-up and forwarding
2. OpenFlow channel:
- Connects the switch to the controller, to facilitate exchange of packets and commands
3. OpenFlow protocol:
- Standard means of communication between the switch and the controller
Network Security with OpenFlow
Security challenge:
- The centralized OpenFlow controller is an ideal target to gain unauthorized access to the network and for exploitation.
Enhancing security:
- The programmability of the controller also provides the means to enhance security.
- Network traffic data can be analyzed to identify irregularities and security threats, and security policies can be established by the OpenFlow controller.
- Thus, a firewall or intrusion detection system (IDS) can be included in the network using OpenFlow.
Firewall
- May consist of software programs, hardware devices or a combination of both.
- A firewall prevents unauthorized network access and protects the network from the hazardous outside environment.
- It controls the flow of traffic between network segments based on predefined security rules.
2. Methodology
- Virtualized Environment
- Designed Firewall Functionality
- Flow chart of the Designed Firewall
Virtualized Environment
Mininet:
- Network emulator that mimics the properties and functionalities of an actual network
- A network with 4 hosts connected to an OpenFlow switch is created
- Possible to connect an external controller
POX controller:
- Python-based controller
- Controls and communicates with all the network devices
- Responsible for all network operations
[Figure: virtualized network]
Designed Firewall Functionality
- It installs rules in the flow table of the OpenFlow switch to allow or block traffic.
- The rules are based upon predefined port numbers, MAC addresses and IP addresses.
Example of predefined rules:

Flow table rule                              | Action             | Priority
---------------------------------------------|--------------------|---------
Src IP = 10.0.0.1                            | Drop packets       | 100
Src IP = 10.0.0.1 & Dst IP = 10.0.0.2        | Allow              | 200
Port number = 80                             | Drop packets       | 50
Src IP = 10.0.0.2 & Dst IP = 10.0.0.1        | Forward to 10.0.0.3| 250
Dst MAC = 00:00:00:00:00:04                  | Drop packets       | 100
Src IP = 10.0.0.1 & TCP port = 80            | Allow              | 500
Flow-chart of the Designed Firewall
[Figure: flow chart of the designed firewall]
3. Example Test Scenario
Firewall predefined rules (row = source host, column = destination host):

          | 10.0.0.1 | 10.0.0.2 | 10.0.0.3 | 10.0.0.4
----------|----------|----------|----------|---------
10.0.0.1  | X        | Block    | Allow    | Allow
10.0.0.2  | Block    | X        | Allow    | Allow
10.0.0.3  | Allow    | Allow    | X        | Allow
10.0.0.4  | Allow    | Allow    | Allow    | X

- Block all traffic between host-1 and host-2
- Allow the rest of the hosts to communicate
Test scenario, step 1 (hosts 1-4 connected to the OF switch, POX controller attached):
- The OF switch checks its flow table for a matching rule and sends a Packet-In message to the POX controller.
Test scenario, step 2:
- The POX controller checks the predefined firewall rules and finds out that communication between host 1 and host 2 is not allowed.
Test scenario, step 3:
- The controller sends a Flow Add message: it installs a flow rule to drop all packets between host 1 and host 2, and drops the packet.

Flow table rules                        | Action
----------------------------------------|-------------
Src IP = 10.0.0.1 & Dst IP = 10.0.0.2   | Drop packets
Src IP = 10.0.0.2 & Dst IP = 10.0.0.1   | Drop packets

Test scenario, step 4:
- Wireshark capture of the transmitted OpenFlow messages: Packet-In message, Flow Add message, Flow Add confirmation message.
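The following is an added example, not code from the thesis or from POX: a pure-Python model of the designed firewall's decision logic (the rule table with priorities from the "Designed Firewall Functionality" slide) and of the Packet-In handling in the test scenario above, where a blocked host pair gets drop entries installed in both directions. Match-field names (nw_src, nw_dst, dl_dst, tp_dst) and the reading of "Port number = 80" as a TCP destination port are assumptions.

```python
# Added example (not from the thesis): a model of the designed firewall.
# Each rule has match fields, an action and a priority; the highest-priority
# matching rule wins, as in an OpenFlow flow table. Field names follow
# POX-style naming (assumption); "port 80" is read as TCP dst port.
from dataclasses import dataclass

@dataclass
class Rule:
    match: dict      # e.g. {"nw_src": "10.0.0.1", "nw_dst": "10.0.0.2"}
    action: str      # "drop", "allow" or "forward:<ip>"
    priority: int

# Constructed rule set reproducing the deck's example table.
RULES = [
    Rule({"nw_src": "10.0.0.1"}, "drop", 100),
    Rule({"nw_src": "10.0.0.1", "nw_dst": "10.0.0.2"}, "allow", 200),
    Rule({"tp_dst": 80}, "drop", 50),
    Rule({"nw_src": "10.0.0.2", "nw_dst": "10.0.0.1"}, "forward:10.0.0.3", 250),
    Rule({"dl_dst": "00:00:00:00:00:04"}, "drop", 100),
    Rule({"nw_src": "10.0.0.1", "tp_dst": 80}, "allow", 500),
]

# Constructed rules for the test scenario: block host-1 <-> host-2 only.
SCENARIO = [
    Rule({"nw_src": "10.0.0.1", "nw_dst": "10.0.0.2"}, "drop", 100),
    Rule({"nw_src": "10.0.0.2", "nw_dst": "10.0.0.1"}, "drop", 100),
]

def matches(rule, pkt):
    """A rule matches when every field it specifies equals the packet's."""
    return all(pkt.get(k) == v for k, v in rule.match.items())

def decide(pkt, rules=RULES, default="allow"):
    """Return the action of the highest-priority matching rule."""
    hits = [r for r in rules if matches(r, pkt)]
    return max(hits, key=lambda r: r.priority).action if hits else default

def on_packet_in(pkt, rules=RULES):
    """Model the controller's Packet-In handling: return the flow entries
    to install. A drop decision installs drop entries for both directions
    of the host pair, so later packets of that pair never reach the
    controller (as in the test scenario)."""
    action = decide(pkt, rules)
    src, dst = pkt["nw_src"], pkt["nw_dst"]
    if action == "drop":
        return [{"match": {"nw_src": src, "nw_dst": dst}, "action": "drop"},
                {"match": {"nw_src": dst, "nw_dst": src}, "action": "drop"}]
    return [{"match": {"nw_src": src, "nw_dst": dst}, "action": action}]
```

In a real POX module the entries returned by on_packet_in would be turned into flow-mod messages sent to the switch; the priority ordering is what lets the specific "allow" rules override the broader "drop" rules in the table.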
4. Results
- The firewall successfully blocks traffic based on MAC addresses, IP addresses and port number.
- The measured round trip time reveals that only the first packet of a flow takes a long time, and the remaining packets are routed quickly.
- The bandwidth measurement test reveals that the active firewall offers similar bandwidth compared to the inactive firewall. However, the bandwidth reduces drastically if all the packets are routed to the controller.
- Although the firewall has been built and tested in a virtual environment, the test results illustrate the prospect of replacing a traditional firewall with an OpenFlow-based firewall.
Bandwidth Measurement Results
[Figure: bandwidth measurement results]
5. Shortcomings of the Firewall
- If the controller has to handle too many packets, it creates a bottleneck in the network.
- The controller needs to be restarted every time for changed firewall policies to come into effect.
- The firewall has been designed to control a single switch.
6. Future Work
- The firewall can be modified to provide support for multiple switches. The unique datapath identifier (dpid) can be used to distinguish switches.
- The firewall capabilities could be extended to the application layer. For example, it can be modified to block traffic from all torrent applications.
- By utilizing OpenFlow's traffic flow features, the switches can be monitored regularly to detect unusual flows, and thus prevent security attacks like denial-of-service.
- It is possible to redirect the network traffic dynamically for analysis and create an intrusion detection system (IDS).
Questions