SDN & Security: Security as an App (SaaA) on SDN - PowerPoint Presentation
Uploaded by jainy (@jainy) on 2023-09-22




Presentation Transcript

1. SDN & Security
Security as an App (SaaA) on SDN
New app development framework: FRESCO
FRESCO: Modular Composable Security Services for Software-Defined Networks, by Seungwon Shin, Phillip Porras, Vinod Yegneswaran, Martin Fong, Guofei Gu, Mabry Tyson, NDSS 2012
New security enforcement kernel: FortNOX
A Security Enforcement Kernel for OpenFlow Networks, by Phillip Porras, Seungwon Shin, Vinod Yegneswaran, Martin Fong, Mabry Tyson, and Guofei Gu, ACM HotSDN, August 2012

2. Problems of Legacy Network Devices
- Too complicated: the control plane is implemented with complicated S/W and ASICs
- Closed platform: vendor specific; hard to modify (nearly impossible); hard to add new functionalities
Source: G. Gu, et al., Texas A&M & SRI

3. Software Defined Networking (SDN)
Three layers:
- Application layer: the application part of the control layer; implements the logic for flow control
- Control layer: the kernel part of the control layer; runs applications to control network flows
- Infrastructure layer: the data plane; network switches or routers
(Figure: SDN architecture from ONF)

4. OpenFlow Architecture
(Figure from the OpenFlow tutorial: an OpenFlow switch, with its flow table and secure channel and a hw/sw split per the OpenFlow Switch specification, speaks the OpenFlow protocol over SSL to a controller PC running an application.)
A controller application can enforce any flow rules to network switches.

5. Unique opportunity with SDN
- Everything is controlled through the logically centralized network OS
- Can introduce security mechanisms here!
- Think of NFV

6. Killer Applications of SDN?
- Reducing energy in data center networks (load balancing)
- WAN VM migration
- ...
- How about security? We are going to talk about this, more specifically:
  - Security as an App (SaaA)
  - Security as a Service (SaaS)
Source: G. Gu, et al., Texas A&M & SRI

7. Software App Store Today

8. Security as an App
- SDN naturally has an application layer
- Security functions can be apps on top of the SDN / networking OS: firewall, scan detection, DDoS detection, intrusion detection/prevention, ...
- Why SaaA? Cost efficiency; easy deployment/maintenance; rich, flexible network control
Source: G. Gu, et al., Texas A&M & SRI

9. Challenges and New Contributions
- It is not easy to develop security apps -> FRESCO: a new app development framework for modular, composable security services
- It is not secure to run buggy/vulnerable/multiple security apps (e.g., policy conflict/bypass) -> FortNOX: a new security enforcement kernel
Source: G. Gu, et al., Texas A&M & SRI

10. FRESCO: Framework for Enabling Security Controls in OpenFlow networks

11. What is FRESCO?
A new framework that:
- enables composing diverse network security functions easily (by combining multiple modules)
- enables creating your own network security functions easily (without requiring additional H/W; OpenFlow provides all the necessary functionality)
- enables deploying network security functions easily and dynamically (without modifying the underlying network architecture)
- enables adding more intelligence to current network security functions
Source: G. Gu, et al., Texas A&M & SRI

12. (Figure slide, dated 11/17/14)
Source: G. Gu, et al., Texas A&M & SRI

13. FRESCO – Overall Operation
- Create modules
- Load modules: notify NOX of loading the FRESCO modules
- Run modules: monitor OpenFlow switches; answers come from NOX
Source: G. Gu, et al., Texas A&M & SRI

14. FRESCO application layer
- FRESCO has a number of internal NOX Python security modules.
- Developers use the FRESCO script language to instantiate the modules and define the interactions between them; the result is a security application.
- A FRESCO security application is triggered by input events.

15. FRESCO Modular Design
(Figure: a module instance with input, output, parameter, event and action fields, backed by an F-DB instance that stores key/value pairs)
Source: G. Gu, et al., Texas A&M & SRI

16. FRESCO development environment
- Script-to-module translation: abstracts the implementation complexities of producing an OF controller extension.
- Database management: collects network and switch state information to be shared by all security apps.
- Event management: notifies an instance about the occurrence of predefined events.
- Instance execution: authenticated to run with the authority granted at registration.

17. FRESCO resource controller
- Makes sure resources (flow table entries) are available at the switches; evicts flow table entries if necessary
- Two functions: switch monitor; garbage collection (clean up the flow table)

18. FRESCO – Script Language
Goal: define interfaces, actions, and parameters; connect multiple modules.
Similar to a C/C++ function: starts with { and ends with }.
Format:
- Instance name (# of input) (# of output): denotes the module name and the number of input and output variables
- INPUT: a1, a2, ... denotes the input items for a module; an may be a set of flows, packets or integer values
- OUTPUT: b1, b2, ... denotes the output items for a module; bn may be a set of flows, packets or integer values
- PARAMETER: c1, c2, ... denotes the configuration values of a module; cn may be real numbers or strings
- EVENT: d1, d2, ... denotes the events that will be delivered to a module; dn may be any predefined string
- ACTION: condition ; action, ... denotes the actions that will be performed based on a condition
Source: G. Gu, et al., Texas A&M & SRI

19. A working example

20. Running the script

21. A working example
Reflector net – detect an active malicious scanner, and reprogram the switch data plane to redirect the scanner's flow into a remote honeynet.

22. Simple Working Example: Reflector Net
Module 1:
find_scan (1) (2) {
  TYPE: ScanDetector
  EVENT: TCP_CONNECTION_FAIL
  INPUT: SRC_IP
  OUTPUT: SRC_IP, scan_result
  PARAMETER: 5
  ACTION: -  /* no actions are defined */
}
Module 2:
do_redirect (2) (0) {
  TYPE: ActionHandler
  EVENT: PUSH
  INPUT: SRC_IP, scan_result
  OUTPUT: -
  PARAMETER: -
  ACTION: scan_result == 1? REDIRECT: FORWARD  /* if scan_result equals 1, redirect; otherwise, forward */
}
Source: G. Gu, et al., Texas A&M & SRI
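The script format of slide 18 and the reflector-net script of slide 22, as an added worked example that is not FRESCO's own code: a small parser for the instance/INPUT/OUTPUT/PARAMETER/EVENT/ACTION layout, plus a toy runner that replays constructed TCP_CONNECTION_FAIL events through the two modules. The indentation of the script copy, the event-tuple shape and the `run_reflector_net` helper are assumptions.

```python
import re
from collections import defaultdict
# Constructed copy of the slide's reflector-net script (whitespace assumed).
SCRIPT = """
find_scan (1) (2) {
  TYPE: ScanDetector
  EVENT: TCP_CONNECTION_FAIL
  INPUT: SRC_IP
  OUTPUT: SRC_IP, scan_result
  PARAMETER: 5
  ACTION: -  /* no actions are defined */
}
do_redirect (2) (0) {
  TYPE: ActionHandler
  EVENT: PUSH
  INPUT: SRC_IP, scan_result
  OUTPUT: -
  PARAMETER: -
  ACTION: scan_result == 1? REDIRECT: FORWARD  /* if scan_result equals 1, redirect; otherwise, forward */
}
"""
INSTANCE = re.compile(r"(\w+)\s*\((\d+)\)\s*\((\d+)\)\s*\{(.*?)\}", re.S)

def parse_script(text):
    """Map instance name -> fields ('-' = empty); (#in)(#out) is cross-checked."""
    modules = {}
    for name, n_in, n_out, body in INSTANCE.findall(re.sub(r"/\*.*?\*/", "", text, flags=re.S)):
        fields = {}
        for line in body.strip().splitlines():
            key, _, val = line.partition(":")          # split on the first ':' only
            val = val.strip()
            fields[key.strip()] = [] if val == "-" else [v.strip() for v in val.split(",")]
        if (len(fields["INPUT"]), len(fields["OUTPUT"])) != (int(n_in), int(n_out)):
            raise ValueError(f"{name}: ({n_in})({n_out}) disagrees with INPUT/OUTPUT lists")
        modules[name] = fields
    return modules

def run_reflector_net(modules, events):
    """Count TCP_CONNECTION_FAIL per source (find_scan), then apply do_redirect's ACTION."""
    threshold = int(modules["find_scan"]["PARAMETER"][0])
    cond, outcomes = modules["do_redirect"]["ACTION"][0].split("?")
    on_true, on_false = [a.strip() for a in outcomes.split(":")]
    var, _, val = cond.split()                         # e.g. scan_result == 1
    fails, decision = defaultdict(int), {}
    for event, src_ip in events:                       # constructed (event, src_ip) pairs
        if event == modules["find_scan"]["EVENT"][0]:
            fails[src_ip] += 1
            outputs = {"SRC_IP": src_ip, "scan_result": int(fails[src_ip] >= threshold)}
            decision[src_ip] = on_true if outputs[var] == int(val) else on_false
    return decision
```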

23. More ...
- Tarpits, white holes, scan detector, P2P detector (P2P Plotter), botnet detector (BotMiner), ...
- Over 90% reduction in lines of code compared with their standard implementations
- Already includes more than 16 commonly reusable modules (expanding over time)
Source: G. Gu, et al., Texas A&M & SRI

24. FortNOX: A Security Enforcement Kernel for OpenFlow
Source: G. Gu, et al., Texas A&M & SRI

25. New Threat
- SDN apps can compete, contradict, override one another, and incorporate vulnerabilities
- Worst case: an adversary can use a vulnerable and deterministic SDN app to control the state of all SDN switches in the network
Source: G. Gu, et al., Texas A&M & SRI

26. SDN/OpenFlow Evasion Scenario: enforcement challenge
Dynamic Flow Tunneling
Source: G. Gu, et al., Texas A&M & SRI

27. Prerequisites for a Secure OpenFlow Platform
Must be resilient to:
- vulnerabilities in OF applications
- malicious code in 3rd-party OF apps
- complex interactions that arise between OF apps
- state inconsistencies due to switch garbage collection or policy coordination across distributed switches
- sophisticated OF applications that employ packet modification actions
- adversaries who might directly target our security services to harm the network
Source: G. Gu, et al., Texas A&M & SRI

28. FortNOX
NOX + non-bypassable, policy-based flow rule enforcement.
Once a flow rule is inserted into FortNOX by a security application, no peer OF application can insert flow rules that conflict with that rule.
- Role-based authorization
- Rule conflict detection
- Security directive translation
Source: G. Gu, et al., Texas A&M & SRI

29. Classic NOX Architecture
(Figure: native C OF apps and Python OF apps, the latter via SWIG, sit on NOX and issue Send_OpenFlow_Command(). Slide footer: Software Defined Networking, COMS 6998-10.)
Source: G. Gu, et al., Texas A&M & SRI

30. FortNOX Architecture
(Figure: security apps, native C OF apps and Python OF apps (via SWIG) reach FortNOX through an OF IPC proxy running as a separate process; a Directive Translator and the IPC interface feed the Actuator; FT_Send_OpenFlow_Command passes through Role-based Source Auth, the State Table Manager and the Conflict Analyzer; the Aggregate Flow Table holds Operator rules, Security rules and OF app rules; OF mod commands are Add (conflict enforced), Modify (conflict enforced) and Delete (priority enforced); switch callbacks are tracked.)
Source: G. Gu, et al., Texas A&M & SRI

31. Role-based source authentication
- Human administrator (high priority)
- Security applications
- Non-security OF applications (low priority)
Roles are implemented with a digital signature scheme.

32. Conflict detection/resolution
- Alias set rule reduction: rules are converted into an internal representation called alias-reduced rules
- Resolution: based on the priority of the rule
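The role priorities of slide 31 and the alias-set reduction and priority-based resolution of slide 32, as an added illustration that is not FortNOX's own code: a candidate rule's match is expanded with every destination a set-field action could rewrite it into, so a forward rule that tunnels traffic (the dynamic flow tunneling of slide 26) is caught as conflicting with a security app's drop rule even though its literal match does not overlap. The `Rule` fields, the `set_dst` action model, the role names and all addresses are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

# Role priorities from slide 31: human operator > security app > other OF app.
ROLE_PRIORITY = {"operator": 3, "security": 2, "app": 1}

@dataclass
class Rule:
    role: str
    src: str                       # CIDR prefix or single host address
    dst: str
    action: str                    # "FORWARD" or "DROP"
    set_dst: Optional[str] = None  # packet-modification action: rewrite the destination

def _overlap(a, b):
    """True if any prefix in set a overlaps any prefix in set b."""
    return any(ip_network(x).overlaps(ip_network(y)) for x in a for y in b)

def alias_reduce(rule, installed):
    """Simplified alias-set reduction: the destination alias set is the rule's own
    match plus every address a set-field action can rewrite the flow into, followed
    transitively through installed rules that would match the rewritten flow."""
    src, dst, pending = {rule.src}, {rule.dst}, [rule]
    while pending:
        r = pending.pop()
        if r.set_dst and r.set_dst not in dst:
            dst.add(r.set_dst)
            pending += [o for o in installed
                        if _overlap(src, {o.src}) and _overlap({r.set_dst}, {o.dst})]
    return src, dst

def conflicts(new, old, installed):
    """Two alias-reduced rules conflict when their src and dst sets overlap
    but they prescribe different actions (e.g. FORWARD vs DROP)."""
    nsrc, ndst = alias_reduce(new, installed)
    osrc, odst = alias_reduce(old, installed)
    return _overlap(nsrc, osrc) and _overlap(ndst, odst) and new.action != old.action

def try_install(new, installed):
    """FortNOX-style resolution: a conflicting rule from an equal- or higher-priority
    role wins, so the new rule is rejected; otherwise it is installed."""
    for old in installed:
        if conflicts(new, old, installed) and ROLE_PRIORITY[old.role] >= ROLE_PRIORITY[new.role]:
            return False
    installed.append(new)
    return True
```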

33. FortNOX – A new security enforcement kernel for OF networks
- Role-based authorization
- Rule authentication
- Conflict detection and resolution
- Security directive translation
Summary of FortNOX: "A Security Enforcement Kernel for OpenFlow Networks", HotSDN'12
Source: G. Gu, et al., Texas A&M & SRI