Date post: 30-Dec-2015

Sungkyunkwan University (SKKU) Security Lab.

A Framework for Security Services based on Software-Defined Networking

Jaehoon (Paul) Jeong1, Jihyeok Seo1, Geumhwan Cho1,
Hyoungshick Kim1, and Jung-Soo Park2

1 Department of Computer Science and Engineering, Sungkyunkwan University, Korea (Republic of)
{pauljeong, seojh43, geumhwan, hyoung}@skku.edu
[email protected]

2 Electronics and Telecommunications Research Institute, Korea (Republic of)

The second International Workshop on Device Centric Cloud (DC2-2015)


Motivation

• Legacy firewall
  • Inspects packets that attempt to cross a network boundary
  • Rejects any illegal packets
    • Incoming requests to open illegal TCP connections
    • Packets of other illegal types (e.g., UDP and ICMP)
    • IP datagrams with illegal IP addresses (or ports)
  • Provides security at the loss of flexibility and the cost of network administration


Contributions

• Propose a framework for security services using Software-Defined Networking (SDN)
• Discuss challenge issues and requirements for SDN
• Introduce two representative security services
  • Centralized firewall system
  • Centralized DDoS-attack mitigation system


Challenges in firewall

• Cost
  • The cost of adding firewalls to network resources is substantial
• Performance
  • Firewalls are often slower than the link speed of their network interfaces
• Management
  • Managing access control dynamically across hundreds of network elements is a challenge
• Policy
  • It is difficult to describe which flows are permitted and which are denied within a specific organization
• Packet-based access mechanism
  • A packet-based access mechanism is not enough in practice, since the basic unit of access control is usually a user or an application (e.g., Skype connections are opened for specific users)


Centralized network firewall

• Firewall rules can be managed flexibly by a centralized server
• SDN protocols can be used for a standard interface between firewall applications and switches

[Figure: a Firewall sits between the public network and the private network; the centralized server adds or deletes rules in it. Example rule from the slide:]

src IP           dest IP         Action
115.145.171.224  74.125.71.106   Drop packets


Expectations for SDN-based firewall - Cost

• Ideally, one single firewall is enough

[Figure: one Firewall application on top of the SDN Controller enforces rules to each switch (Switch1, Switch2, Switch3)]


Expectations for SDN-based firewall - Performance

• Firewalls can adaptively be deployed depending on network conditions

[Figure: Firewall application and SDN Controller above Switch1, Switch2, Switch3; the firewall is applied only on the switch where the incoming packets arrive]


Expectations for SDN-based firewall - Management

• Firewall rules can dynamically be added with new attacks

[Figure: Firewall application and SDN Controller install new rules (e.g., drop packets with attack patterns) on Switch1, Switch2, Switch3]


Expectations for SDN-based firewall - Packet-based access mechanism

• Application-level rules can be defined by software

[Figure: the Firewall application, via the SDN Controller, installs new rules automatically on Switch1, Switch2, Switch3 as incoming packets arrive]


Objectives

• Prompt reaction to new network attacks
  • SDN-based security services allow private networks to defend themselves against new sophisticated network attacks
• Autonomous defense from network attacks
  • SDN-based security services identify the category of network attack (e.g., worms and DDoS attacks)
  • They take counteraction for the defense without the intervention of network administrators
• Network-load-aware resource allocation
  • SDN-based security services measure the overhead of resources for security services
  • They dynamically select resources considering load balance, trading off between the maximum network performance and security


Requirements

[Figure: layered SDN architecture for security services]

• Application Layer: Security Application (e.g., Firewall, DDoS-Attack Mitigation); Application Support
• Application-Control Interface
• SDN Control Layer: Orchestration; Abstraction; Control Support
• Resource-Control Interface
• Resource Layer: Data Transport and Processing
• Multi-Layer Management Functions (spanning all three layers)


Centralized firewall system for malware packets

[Figure: Firewall above the SDN Controller, which controls Switch1, Switch2, Switch3; a malware packet arrives at Switch1]

1. Switch1 forwards an unknown flow's packet to Firewall via SDN Controller.
2. Firewall investigates the packet.
3. Firewall regards it as a malware packet with suspicious patterns.


Centralized firewall system for malware packets (continued)

[Figure: Firewall, SDN Controller, Switch1, Switch2, Switch3; incoming packets at the switches]

4. Firewall reports the dangerous packet to SDN Controller.
5. SDN Controller installs new rules on the switches (e.g., drop dangerous packets).
6. The dangerous packets are dropped by the switches.
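The centralized firewall workflow above (slides 13 and 14) together with the (src IP, dest IP, action) rule table of slide 5, as an added simulation that is not part of the original slides: a table miss at a switch triggers a packet-in to the controller, the firewall application classifies the packet, and the controller installs the verdict on every switch so later packets of that flow are dropped in the data plane. The byte pattern, the benign addresses and the class names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed signature (not from the slides): a payload containing it is "suspicious".
SUSPICIOUS_PATTERN = b"EVIL-PAYLOAD"

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    payload: bytes = b""
@dataclass
class Switch:
    name: str
    # Flow table keyed like the slide's rule table: (src IP, dest IP) -> action.
    flow_table: dict = field(default_factory=dict)

    def handle(self, pkt, controller):
        action = self.flow_table.get((pkt.src_ip, pkt.dst_ip))
        if action is None:  # step 1: unknown flow, send it to the controller (packet-in)
            action = controller.packet_in(self, pkt)
        return action
class FirewallApp:
    def inspect(self, pkt):
        # Steps 2-3: investigate the packet and classify it.
        return "drop" if SUSPICIOUS_PATTERN in pkt.payload else "forward"
class Controller:
    def __init__(self, firewall, switches):
        self.firewall, self.switches = firewall, switches
        self.packet_in_count = 0  # how often the control plane had to be consulted

    def packet_in(self, switch, pkt):
        self.packet_in_count += 1
        action = self.firewall.inspect(pkt)
        # Steps 4-6: install the verdict on every switch; later packets of the flow never reach the controller.
        for sw in self.switches:
            sw.flow_table[(pkt.src_ip, pkt.dst_ip)] = action
        return action

def run_demo():
    switches = [Switch(f"Switch{i}") for i in (1, 2, 3)]
    ctrl = Controller(FirewallApp(), switches)
    # Constructed traffic; the IP pair is the one shown in the slide's rule table.
    malware = Packet("115.145.171.224", "74.125.71.106", b"GET / EVIL-PAYLOAD")
    benign = Packet("10.0.0.5", "10.0.0.9", b"hello")
    actions = [switches[0].handle(malware, ctrl),  # miss -> packet-in -> drop
               switches[2].handle(malware, ctrl),  # rule already installed: dropped locally
               switches[1].handle(benign, ctrl),   # miss -> packet-in -> forward
               switches[1].handle(benign, ctrl)]   # hit: forwarded without the controller
    return actions, ctrl.packet_in_count
```

Note that the rule is keyed on the address pair only, as in the slide's table, so once a flow is marked "drop" every later packet of that flow is dropped by the switch regardless of payload.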


Research Issues


To prevent the unauthorized control of switches

[Figure: security applications on the legitimate SDN Controller, which controls Switch1, Switch2, Switch3; a Malicious Controller also tries to control the switches]


To prevent the unauthorized control of switches

[Figure: security applications on the SDN Controller, connected to Switch1, Switch2, Switch3 over a secure & authenticated channel, with key management]

• We should establish a secure and authenticated channel between SDN controller and switches
• We need to consider proper key management for secure communication between them


A single point of failure or compromise

A centralized server will suffer from a single point of failure or compromise

[Figure: security applications on the SDN Controller, which controls Switch1, Switch2, Switch3; when the SDN Controller fails, the applications do not work]


To support the SDN-based security services

We need to consider changes in the existing SDN switches and protocols

[Figure: security applications on the SDN Controller, which controls Switch1, Switch2, Switch3; deep packet inspection of incoming packets at the switches]


A scalable architecture

SDN seems a scalable architecture to provide centralized security services in theory

[Figure: security applications on the SDN Controller, which controls Switch1, Switch2, ..., Switchn]


Intelligent switches

We should address scalability to support security services in an autonomous and scalable fashion

[Figure: security applications on the SDN Controller, which controls Switch1, Switch2, Switch3; incoming packets with malware or DDoS-attack traffic are dropped by each switch automatically based on its flow table, and packets without malware or DDoS-attack traffic are passed]


Conclusions

• Proposed a framework for security services based on SDN
• Discussed challenge issues and requirements for SDN
• As future work,
  • Develop the proposed framework in the Mininet emulator and the OMNeT++ simulator
  • Investigate other security services (e.g., encryption/decryption, junk mail filtering, and anti-spam service)


Any questions?

