Enabling Practical SDN Security Applications with OFX (The OpenFlow extension Framework)

Similar documents
Future of DDoS Attacks Mitigation in Software Defined Networks

Network Security: Network Flooding. Seungwon Shin GSIS, KAIST

Towards Autonomic DDoS Mitigation using Software Defined Networking

Improving Network Management with Software Defined Networking

SDN AND SECURITY: Why Take Over the Hosts When You Can Take Over the Network

OpenFlow and Onix. OpenFlow: Enabling Innovation in Campus Networks. The Problem. We also want. How to run experiments in campus networks?

OpenFlow: Load Balancing in enterprise networks using Floodlight Controller

Empowering Software Defined Network Controller with Packet-Level Information

SDN Security Design Challenges

A Survey of SDN Security Research

Open Source Network: Software-Defined Networking (SDN) and OpenFlow

Programmable Networking with Open vswitch

Data Center Network Topologies: FatTree

Intel DPDK Boosts Server Appliance Performance White Paper

SOFTWARE-DEFINED NETWORKING AND OPENFLOW

Comparisons of SDN OpenFlow Controllers over EstiNet: Ryu vs. NOX

Limitations of Current Networking Architecture OpenFlow Architecture

LineSwitch: Efficiently Managing Switch Flow in Software-Defined Networking while Effectively Tackling DoS Attacks

Managing the Home Network

Wedge Networks: Transparent Service Insertion in SDNs Using OpenFlow

On Controller Performance in Software-Defined Networks

/15/$ IEEE

Datacenter Network Large Flow Detection and Scheduling from the Edge

A Study on Software Defined Networking

Hosted cloud computing has significantly. Scalable Network Virtualization in Software- Defined Networks FPO. Virtualization

ON THE IMPLEMENTATION OF ADAPTIVE FLOW MEASUREMENT IN THE SDN-ENABLED NETWORK: A PROTOTYPE

Cisco Integrated Services Routers Performance Overview

SOFTWARE-DEFINED NETWORKING AND OPENFLOW

Multiple Service Load-Balancing with OpenFlow

Improving Network Management with Software Defined Networking

Network Security through Software Defined Networking: a Survey

Index Terms Denial-of-Service Attack, Intrusion Prevention System, Internet Service Provider. Fig.1.Single IPS System

Software Defined Networking for Telecom Operators: Architecture and Applications

AVANT-GUARD: Scalable and Vigilant Switch Flow Management in Software-Defined Networks

LPM: Layered Policy Management for Software-Defined Networks

Implementation of Address Learning/Packet Forwarding, Firewall and Load Balancing in Floodlight Controller for SDN Network Management

Open vswitch and the Intelligent Edge

High-performance vswitch of the user, by the user, for the user

Security Challenges & Opportunities in Software Defined Networks (SDN)

A Method for Load Balancing based on Software- Defined Network

Strategies to Protect Against Distributed Denial of Service (DD

Enabling Software Defined Networking using OpenFlow

Firewalls and IDS. Sumitha Bhandarkar James Esslinger

Mitigating High-Rate Application Layer DDoS Attacks in Software Defined Networks

Pushing Enterprise Security Down the Network Stack

Performance of Network Virtualization in Cloud Computing Infrastructures: The OpenStack Case.

Scalable Network Virtualization in Software-Defined Networks

High-Performance IP Service Node with Layer 4 to 7 Packet Processing Features

Technical Bulletin. Enabling Arista Advanced Monitoring. Overview

Designing Virtual Network Security Architectures Dave Shackleford

SDN/Virtualization and Cloud Computing

TCP Offload Engines. As network interconnect speeds advance to Gigabit. Introduction to

What is SDN (Software Defined Networking) and Openflow? SDN/OF Part of Kernel / SoC to provide security, steering & monitoring

SHIN, WANG AND GU: A FIRST STEP TOWARDS NETWORK SECURITY VIRTUALIZATION: FROM CONCEPT TO PROTOTYPE 1

DDoS Attack Protection in the Era of Cloud Computing and Software-Defined Networking

Software-Defined Networking Architecture Framework for Multi-Tenant Enterprise Cloud Environments

Design and Implementation of Dynamic load balancer on OpenFlow enabled SDNs

CS6204 Advanced Topics in Networking

OperationCheckpoint: SDN Application Control

Software Defined Networking

Scalability of Control Planes for Software Defined Networks:Modeling and Evaluation

FloodGuard: A DoS Attack Prevention Extension in Software-Defined Networks

Software Defined Networking

Mobility Management Framework in Software Defined Networks

Data Center Load Balancing Kristian Hartikainen

Software Defined Networking What is it, how does it work, and what is it good for?

Scaling Networking Applications to Multiple Cores

Applying SDN to Network Management Problems. Nick Feamster University of Maryland

SDN. What's Software Defined Networking? Angelo Capossele

FRESCO: Modular Composable Security Services for So;ware- Defined Networks

OpenFlow based Load Balancing for Fat-Tree Networks with Multipath Support

REMOVING THE BARRIERS FOR DATA CENTRE AUTOMATION

Poisoning Network Visibility in Software-Defined Networks: New Attacks and Countermeasures Sungmin Hong, Lei Xu, Haopei Wang, Guofei Gu

Packet-Marking Scheme for DDoS Attack Prevention

Extensible and Scalable Network Monitoring Using OpenSAFE

Where IT perceptions are reality. Test Report. OCe14000 Performance. Featuring Emulex OCe14102 Network Adapters Emulex XE100 Offload Engine

Software Datapath Acceleration for Stateless Packet Processing

libnetvirt: the network virtualization library

ORAN: OpenFlow Routers for Academic Networks

A Testbed for research and development of SDN applications using OpenFlow

SDN Software Defined Networks

IO Visor: Programmable and Flexible Data Plane for Datacenter s I/O

What is SDN? And Why Should I Care? Jim Metzler Vice President Ashton Metzler & Associates

LTE - Can SDN paradigm be applied?

Network Virtualization and Software-defined Networking. Chris Wright and Thomas Graf Red Hat June 14, 2013

Using SDN-OpenFlow for High-level Services

Multi Stage Filtering

Kandoo: A Framework for Efficient and Scalable Offloading of Control Applications

Software Defined Networking and the design of OpenFlow switches

OpenFlow & Software Defined Networking

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY

On Scalability of Software-Defined Networking

Scalable High Resolution Network Monitoring

Performance Comparison of SCTP and TCP over Linux Platform

OFCProbe: A Platform-Independent Tool for OpenFlow Controller Analysis

A Presentation at DGI 2014 Government Cloud Computing and Data Center Conference & Expo, Washington, DC. September 18, 2014.

Parallel Firewalls on General-Purpose Graphics Processing Units

Transcription:

Enabling Practical SDN Security Applications with OFX (The OpenFlow extension Framework) John Sonchack, Adam J. Aviv, Eric Keller, and Jonathan M. Smith

Outline Introduction Overview of OFX Using OFX Benchmarks 2

Basic Networking: Forwarding and Routing Packet Forwarding Route Computation? 3

SDNs: Networking in Two Planes Route computation Control Plane Packet forwarding Data Plane 4

OpenFlow: A Protocol to Manage Switches Route computation Control Plane Flow rules to implement routes Packet forwarding Data Plane 5

OpenFlow: A Protocol to Manage Switches Route computation Control Plane Flow rules to implement routes Assumption: Interactions between the control plane and data plane are infrequent. Packet forwarding Data Plane 6

SDNs for Network Security Access Control Policy Control Plane Access Control Flow rules to implement access control policy Casado, Martin, et al. "Ethane: taking control of the enterprise." ACM SIGCOMM Computer Communication Review. Vol. 37. No. 4. ACM, 2007. 7 Data Plane

SDNs for Dynamic Network Security Traffic Declassification Control Plane Advanced Processing Access Control Route for flow DDoS Defense Bot Detection Packet from new flow 8 Data Plane

SDNs for Dynamic Network Security: Flow Monitoring Control Plane Gu, Guofei, et al. "BotMiner: Clustering Analysis of Network Traffic for Protocol-and Structure- Independent Botnet Detection." USENIX Security Symposium. Vol. 5. No. 2. 2008. Collect flow records without routing through a middlebox. Install byte counting rule Bot Detection Packet from new TCP flow 9 Data Plane

SDNs for Dynamic Network Security: Traffic Declassification Traffic Declassification Control Plane Check flow tags and user permissions declassification decision (Allow Block) Enforce access control on tagged data leaving the network. Mundada, Yogesh, Anirudh Ramachandran, and Nick Feamster. "SilverLine: preventing data leaks from compromised web applications." Proceedings of the 29th Annual Computer Security Applications Conference. ACM, 2013. Can this flow leave the network? 10 Data Plane

SDNs for Dynamic Network Security Traffic Declassification Control Plane Advanced Processing Access Control Route for flow DDoS Defense Bot Detection Packet from new flow 11 Data Plane

SDNs for Dynamic Network Security Traffic Declassification Control Plane Advanced Processing Access Control Route for flow DDoS Defense Assumption: Interactions between the control plane and data plane are infrequent. Bot Detection Packet from new flow 12 Data Plane

Obstacle: Low Throughput Control Path 130 million packets/second!!!!* *can only forward 500 pps to controller. Appelman, Michiel, and Maikel de Boer. "Performance analysis of OpenFlow hardware." University of Amsterdam, Tech. Rep (2012). Curtis, Andrew R., et al. "DevoFlow: scaling flow management for high-performance networks." ACM SIGCOMM Computer Communication Review. Vol. 41. No. 4. ACM, 2011. 13

Obstacle: Centralized Control Plane New Flow New Flow New Flow New Flow New Flow New Flow New Flow New Flow 14

Our question: How Can We Make SDNs More Practical? Traffic Declassification Control Plane Access Control DDoS Defense Bot Detection Data Plane 15

The General Approach: Switch Level Security Traffic Declassification Control Plane Access Control DDoS Defense Bot Detection Data Plane 16

Previous Work: Security Functionality in the Forwarding Engine Build new switch chips that support security applications Shin, Seungwon, et al. "Avant-guard: Scalable and vigilant switch flow management in software-defined networks." Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM, 2013. 17

Our insight: Leverage Switch CPUs Run security logic on the switch CPUs 18

OFX: A Framework for Application- Specific Switch Extensions Each application can load custom functionality into switches. At runtime! Declassification Declassification 19

Outline Introduction Overview of OFX Using OFX Benchmarks 20

OFX at a High Level stack 21

OFX at a High Level OFX Controller Library OFX Switch Agents stack OFX stack 22

OFX at a High Level Controller interface OFX Extension Module OFX Switch-level Agents logic stack OFX stack 23

OFX at a High Level Permissions Database Declassifier Module Per-Flow OFX Switch Declassification Agents Logic stack OFX stack 24

OFX at the Switch Level OFX modules use filters to select packets that they need to process OFX modules process packets with custom handler OFX installs corresponding rules onto OFX tables OpenFlow Switch OFX Agent Software Hardware OFX Module Packet Handler Ingress Packets OFX Filtering Tables Controller-managed forwarding tables Egress Packets 25

Outline Introduction Overview of OFX Using OFX Benchmarks 26

Refactoring OpenFlow Applications to use OFX OFX Declassifier Module

Refactoring OpenFlow Applications to use OFX OFX Declassifier Module

Outline Introduction Overview of OFX Using OFX Benchmarks 29

Benchmarking OFX How much raw overhead is there for processing packets with OFX? How do OFX based security applications perform, compared with Middlebox and OpenFlow implementations? 30

OFX Benchmark: Packets Per Second Log 10 Scale 100,000 Packet handler in controller Packet handler in OFX module Packets per Second 10,000 1,000 100 10 1 64 128 256 512 1024 1500 Packet Size 31 100 PPS @ MTU 45,000 PPS @ MTU

Benchmarking OFX How much raw overhead is there for processing packets with OFX? How do OFX based security applications perform, compared with Middlebox and OpenFlow implementations? 32

Benchmark: Declassifier Packet Drop Rate Implementation Middlebox Proxy OpenFlow OFX Frequent arriving flows OpenFlow implementation limited by flow arrival rate Median High bandwidth flows 0.1% 0.1% 20.4% 97.5% 88.2% 0.1% 5.1% 3.2% 0.1% Proxy implementation limited by bit rate OFX implementation performed well in all workloads Workload Name Frequently arriving flows Median flows High bandwidth flows Flow Inter-arrival Period 0.0015 Seconds 0.015 Seconds 0.15 Seconds Average Transmission Bandwidth 19.75 Mbps 43.57 Mbps 970.99 Mbps. S. Kandula, S. Sengupta, A. Greenberg, P. Patel, and R. Chaiken, The nature of data center traffic: measurements & analysis, in Proceedings of the 9th ACM SIGCOMM conference on Internet measurement conference. ACM, 2009, pp. 202 208.. L. Qian and B. E. Carpenter, A flow-based performance analysis of tcp and tcp applications, in Networks (ICON), 2012 18th IEEE International Conference on. IEEE, 2012, pp. 41 45. 33

In the Paper OFX API and Implementation Details OpenFlow Controller Control Platform Application Specific Modules Enhanced Switch API Modules DDoS Defense TCP Handshake Validation OFX Library New TCP Flow Linux Kernel OpenFlow Switch OpenFlow Agent OFX Agent Push Based Alerts Bot Detection Linux Kernel Forwarding Engine Firmware OpenFlow Packet Path Condition Reached Linux Network Stack OFX Packet Path 34 More benchmarks Running on unmodified OpenFlow hardware!

Thank You OFX: The OpenFlow Extension Framework OFX Extension Module OFX lets OpenFlow security applications push parts of their control plane logic down to switch CPUs, which can greatly improve performance and scalability on existing hardware and software. 35

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information