Software-Defined Network Management



Similar documents
Managing the Home Network

Lithium: Event-Driven Network Control

Applying SDN to Network Management Problems. Nick Feamster University of Maryland

The Past, Present, and Future of Software Defined Networking

Facilitating Network Management with Software Defined Networking

Improving Network Management with Software Defined Networking

Improving Network Management with Software Defined Networking

Pushing Enterprise Security Down the Network Stack

The impact of active network devices mis-configuration in network security

Software Defined Networking

Musings on OpenFlow and SDN. David Meyer Cisco Systems OpenFlow Symposium

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

Network Virtualization Network Admission Control Deployment Guide

Robust security is a requirement for many companies deploying a wireless network. However, creating a secure wireless network has often been

COMPSCI 314: SDN: Software Defined Networking

SDN AND SECURITY: Why Take Over the Hosts When You Can Take Over the Network

A Coordinated. Enterprise Networks Software Defined. and Application Fluent Programmable Networks

Using SDN-OpenFlow for High-level Services

SDN and NFV in the WAN

Outline. Institute of Computer and Communication Network Engineering. Institute of Computer and Communication Network Engineering

OpenFlow and Onix. OpenFlow: Enabling Innovation in Campus Networks. The Problem. We also want. How to run experiments in campus networks?

An Introduction to Software-Defined Networking (SDN) Zhang Fu

A Network Design Primer

Securing Local Area Network with OpenFlow

Open Source Network: Software-Defined Networking (SDN) and OpenFlow

Limitations of Current Networking Architecture OpenFlow Architecture

VIA CONNECT PRO Deployment Guide

SOFTWARE-DEFINED NETWORKING AND OPENFLOW

Software Defined Networking

VIA COLLAGE Deployment Guide

Software Defined Networking and Network Virtualization

A Look at the New Converged Data Center

Network Segmentation

9 Simple steps to secure your Wi-Fi Network.

VMware vcloud Networking and Security

SDN/Virtualization and Cloud Computing

OpenFlow: Enabling Innovation in Campus Networks

Simplifying Data Data Center Center Network Management Leveraging SDN SDN

Best Practices for Outdoor Wireless Security

Secure Networks for Process Control

Unlock the full potential of data centre virtualisation with micro-segmentation. Making software-defined security (SDS) work for your data centre

Troubleshooting and Maintaining Cisco IP Networks Volume 1

Efficient and easy-to-use network access control and dynamic vlan management. Date: F r e e N A C. n e t Swisscom

SOFTWARE DEFINED NETWORKING: INDUSTRY INVOLVEMENT

Network Security Topologies. Chapter 11

Goals. Understanding security testing

Software Defined Networking Architecture

Using Ranch Networks for Internal LAN Security

On the Deficiencies of Active Network Discovery Systems

White Paper. SDN 101: An Introduction to Software Defined Networking. citrix.com

Software Defined Networking & Openflow

CTS2134 Introduction to Networking. Module Network Security

Software Defined Networking and Network Virtualization

The Future of Networking, and the Past of Protocols

SECURITY POLICY MANAGEMENT ACROSS THE NEXT GENERATION DATA CENTER

Software Defined Network Application in Hospital

Leveraging SDN and NFV in the WAN

Campus Network Best Practices: Core and Edge Networks

Virtualized Domain Name System and IP Addressing Environments. White Paper September 2010

WAN Optimization For Software Defined Networks

Configuring DHCP Snooping

Disaster Recovery Design Ehab Ashary University of Colorado at Colorado Springs

Cisco Discovery 3: Introducing Routing and Switching in the Enterprise hours teaching time

Recommended IP Telephony Architecture

A Systematic Approach to BGP Configuration Checking

Project 3 and Software-Defined Networking (SDN)

How the emergence of OpenFlow and SDN will change the networking landscape

Cisco Advanced Services for Network Security

White Paper. Requirements of Network Virtualization

Microsoft Windows Server System White Paper

SOFTWARE-DEFINED NETWORKING AND OPENFLOW

Computer Networking. Definitions. Introduction

Cisco OverDrive Network Hypervisor 4.0

SDN Programming Languages. Programming SDNs!

ADVANCED SECURITY MECHANISMS TO PROTECT ASSETS AND NETWORKS: SOFTWARE-DEFINED SECURITY

Lab Configuring Access Policies and DMZ Settings

Network Virtualization Solutions - A Practical Solution

Towards a Next- Generation Inter-domain Routing Protocol. L. Subramanian, M. Caesar, C.T. Ee, M. Handley, Z. Mao, S. Shenker, and I.

White Paper Copyright 2011 Nomadix, Inc. All Rights Reserved. Thursday, January 05, 2012

CSCI-1680 So ware-defined Networking

Multihoming and Multi-path Routing. CS 7260 Nick Feamster January

Information Technology Solutions

Cloud Computing Security: What Changes with Software-Defined Networking?

Data Center Network Virtualisation Standards. Matthew Bocci, Director of Technology & Standards, IP Division IETF NVO3 Co-chair

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

1 Network Service Development Trends and Challenges

Netzwerkvirtualisierung? Aber mit Sicherheit!

Application Note Secure Enterprise Guest Access August 2004

Transcription:

Software-Defined Network Management Nick Feamster Georgia Tech (with Joon Kim, Marshini Chetty, Srikanth Sundaresan)

Network Management is Hard! Manual, error-prone, complex Network configurations change continually Provisioning of new users and devices Adjustments to access control Response to incidents Changes result in errors

Software Defined Network Management Software defined networking makes it easier for network operators to evolve network capabilities Can SDN also help network operators manage their networks, once they are deployed? Campus/Enterprise networks Home networks 3

Why is network management so hard today? 4

Configuration is Complex, Low-Level A campus network may have More than one million lines of configuration Thousands of devices Hundreds of thousands of changes every year Home networks can be complex, too 5

Network State is Dynamic Enterprise and campus networks are dynamic Hosts continually coming and leaving Hosts may become infected Today, configuration is static, and poorly integrated with the network Instead: Dynamic network configuration Track state of each host on the network Update forwarding state of switches per host as these states change 6

Too Much Complexity is Exposed

Network Devices are Heterogeneous Many components bolted on after the fact Campus: Firewalls, VLANs, Web authentication portal, vulnerability scanner Home: Set-top boxes, cameras, laptops, desktops, phones Separate (and competing) devices for performing different functions Registration (based on MAC addresses) Vulnerability scanning Filtering Rate limiting 8

Retrofit: Configuration Checkers Distributed router configurations Correctness Specification Constraints Intermediate Representation Faults Downloaded and used by hundreds of ISPs Configuration faults found in every network Feamster and Balakrishnan, Detecting BGP Configuration Faults with Static Analysis. Proc NSDI, 2005. Best Paper Award

Better: Software-Defined Networking Distributed configuration is a bad idea Instead: Control the network from a logically centralized system Policies become high-level programs 2004 2005 2008 RCP Decision Dissemination Network Discovery Data Feamster et al. The Case for Separating Routing from Routers. Proc. SIGCOMM FDNA, 2004 10

Resonance: Don t Configure the Network, Program It! Today: Configuring networks with low-level, distributed, vendor-specific configuration With SDN: Writing network policies and protocols as programs More expressive More predictable More evolvable More usable 11

Resonance: Approach Challenge Approach Dynamic State Event Listener w/state Machine Low-Level Configuration High-Level Policy Language Exposed Complexity Refactoring Functions Heterogeneity Standard Control Protocols 12

Processing Dynamic Events Idea: Express network policies as event-based programs. Events Actions Policies can be expressed as centralized programs 13

State Machines Step 1: Associate each host with generic states and security classes Step 2: Specify a state machine for moving machines from one state to the other Step 3: Control forwarding state in switches based on the current state of each machine Actions from other network elements, and distributed inference, can affect network state 14

High-Level Policy Language Defines states, actions, transitions High-level, logically centralized Easier testing and analysis Less complex Design is still inprogress 15

Standard Controls Events: Heterogeneous devices generate standard events that a dynamic listener processes Actions: OpenFlow channel between controller and switches controls behavior 16

Refactoring Functions Current interfaces: Decisions only about whether to hide or display complexity Instead: Changing where function is placed in the system can make the system more usable Only expose information if it Improves situational awareness Is actionable 17

Two Case Studies Access control in enterprise networks Re-implementation of access control on the Georgia Tech campus network Today: Complicated, low-level With SDN: Simpler, more flexible Usage control in home networks Implementation of user controls (e.g., usage cap management, parental controls) in home networks Today: Not possible With SDN: Intuitive, simple 18

Case Study: Enterprise Access Control 7. REBOOT Switch 3. VLAN with Private IP 1. New MAC Addr 2. VQP New Host 6. VLAN with Public IP VMPS 4. Web Authentication 5. Authentication Result Web Portal 19

Problems with Current Architecture Access Control is too coarse-grained Static, inflexible and prone to misconfigurations Need to rely on VLANs to isolate infected machines Cannot dynamically remap hosts to different portions of the network Needs a DHCP request which for a windows user would mean a reboot Monitoring is not continuous Express policies that incorporate network dynamics. 20

Handling Dynamics: State Machine Registration Infection removed or manually fixed Failed Authentication Quarantined Successful Authentication Authenticated Clean after update Vulnerability detected Operation 21

Georgia Tech Campus Deployment 23

Case Study: Usage Controls in Home Networks Network management in homes is challenging One aspect of management: usage control Usage cap management Parental control Bandwidth management Idea: Outsource network management/control Home router runs OpenFlow switch Usage reported to off-site controller Controller adjust behavior of traffic flows 24

Usage Cap Management in Homes: Design and Implementation User monitors behavior and sets policies with UI Resonance controller (OpenFlow) manages policies and router behavior 25

Intuitive Usage and Policies Interface design: Bethany Summer 26

Conclusion: Software-Defined Network Management Many problems result from the fact that configuration is low-level and distributed Resonance: Program the network from a logically centralized control point. Higher-level configuration language Handling of dynamic events, heterogeneity Enables refactoring of function Two case studies Access control in enterprise networks Usage control in home networks 27