dpx
play

DPX: Data-Plane eXtensions for SDN Security Service Instantiation - PowerPoint PPT Presentation

Sep 11, 2022 •342 likes •697 views

DPX: Data-Plane eXtensions for SDN Security Service Instantiation Taejune Park , Yeonkeun Kim , Vinod Yegneswaran , Phillip Porras , Zhaoyan Xu , KyoungSoo Park , and Seungwon Shin 1) KAIST, Korea 2) SRI

  1. DPX: 
 Data-Plane eXtensions for SDN Security Service Instantiation Taejune Park ¹ , Yeonkeun Kim ¹ , 
 Vinod Yegneswaran ² , Phillip Porras ² , 
 Zhaoyan Xu ³ , 
 KyoungSoo Park ¹ , and Seungwon Shin ¹ 1) KAIST, Korea 2) SRI International, USA 3) Palo Alto Networks, USA

  2. Software-Defined Networking • Decouple control-plane from data-plane Control-Plane (Controller) Network L4 Routing … • Centralized controller Discovery Control Interface (OpenFlow) • S DN S wit ches • Centralized operation with standard protocol (e.g., OpenFlow) Data-Plane (Switches) in_port ip_src ip_dst tcp_src tcp_dst actions • Programable net work management 1 10.0.0.1 10.0.0.2 * * output(2) * * * * 80 drop • Dynamic t raffic engineering 2 * 20.0.0.1 22 * set_ip_dst(20.0.0.2),output(1) 2 / 35

  3. Software-Defined Networking • Decouple control-plane from data-plane Control-Plane (Controller) Security is still required Network L4 Routing … • Centralized controller Discovery eung Won, et al. "Fresco: Modular composable security services for software-defined networks." • S hin, S Control Interface (OpenFlow) • S DN S wit ches • S hin, S eung Won, et al. ”Cloudwatcher: Network security monitoring using openflow in dynamic cloud networks." Braga, Rodrigo, et al. "Lightweight DDoS flooding attack detection using NOX/OpenFlow." • Centralized operation with standard • oon, Changhoon, et al. "Enabling security functions with SDN: A feasibility study." • Y protocol (e.g., OpenFlow) Data-Plane (Switches) • S . K. Fayazbakhsh, et al. “Enforcing network-wide policies in the presence of dynamic middlebox actions using flowtags” • Z. A. Qazi, et al. “SIMPLE-fying Middlebox Policy Enforcement Using SDN.” in_port ip_src ip_dst tcp_src tcp_dst actions • Programable net work management • And so on… 1 10.0.0.1 10.0.0.2 * * output(2) * * * * 80 drop • Dynamic t raffic engineering 2 * 20.0.0.1 22 * set_ip_dst(20.0.0.2),output(1) 3 / 35

  4. Security in Software-Defined Networking Control-Plane (Controller) Network Application Network Application Network Application Network Application Network Application Security Application Control Interface (OpenFlow) Middlebox (e.g., NFV) Data-Plane (Switches) 4 / 35

  5. Security in Software-Defined Networking Control-Plane (Controller) • Security applications on a control plane Network Application Network Application Network Application • Applying security service in network-widely Network Application Network Application Security Application • Cheap price Control Interface (OpenFlow) • Easy to manage Middlebox (e.g., NFV) Data-Plane (Switches) 5 / 35

  6. Security in Software-Defined Networking Control-Plane (Controller) • Security applications on a control plane Network Application Network Application Network Application • Applying security service in network-widely Network Application Network Application Security Application • Cheap price Control Interface (OpenFlow) • Easy to manage • Limitation • S imple security only available Middlebox • Controller overhead (e.g., NFV) • Low performance Data-Plane (Switches) 6 / 35

  7. Security in Software-Defined Networking Control-Plane (Controller) Network Application Network Application Network Application Network Application Network Application Security Application Control Interface (OpenFlow) • Middle-boxes (e.g., NFV) • Better performance Middlebox • Rich functions (e.g., payload inspection) (e.g., NFV) • No controller overhead Data-Plane (Switches) 7 / 35

  8. Security in Software-Defined Networking • Limitation Control-Plane (Controller) Network Application • Network overhead caused by traffic Network Application Network Application Network Application Network Application Security Application detouring (Performance loss) Control Interface (OpenFlow) • Require flow steering for NFs • Additional control channels for NFs • Middle-boxes (e.g., NFV) • Better performance Middlebox • Rich functions (e.g., payload inspection) (e.g., NFV) • No controller overhead Data-Plane (Switches) 8 / 35

  9. Service Chaining Deep Packet DoS Detector Scan Detector Insepctor Network S ource Destination / 35

  10. Service Chaining Flow_A DoS Detector 1 Scan Detector 1 DPI 1 Flow_B DoS Detector 1 DPI 1 Flow_C DoS Detector 1 Scan Detector 2 Flow_D DoS Detector 2 DPI 2 Flow_E DPI 2 10 / 35

  11. Match forward(…) forward(DPI1) Actions Flow_D Actions Match Actions Flow_B forward(…) Flow_E Flow_A forward(…) Flow_C forward(…) Actions Match Match Flow_B Flow_A forward(Scan1) Flow_C Match DPI2 Flow_E forward(DPI2) forward(DoS1) Actions forward(DoS2) forward(DoS1) forward(DoS1) Actions Flow_D Flow_C Flow_B Flow_A Match Match forward(Scan2) Actions Service Chaining Rules for Scan1 Flow_A Flow_A Rules for DoS1 Scan1 Flow_A forward(DPI1) Flow_ A/B/C DoS1 Flow_A Rules for DPI1 Flow_ Flow_B Flow_A/B A/B/C DPI1 Rules for incoming flows Flow_C Rules for DoS2 Rules for Scan2 Flow_C Flow_D Scan2 Flow_D DoS2 Flow_D forward(DPI2) forward( … ) Rules for DPI2 Flow_D Flow_E Flow_D/E 11 / 35

  12. Challenges of Security in SDN Performance Management 12 / 35

  13. Challenges of Security in SDN Performance Management Flow steering/engineering 13 / 35

  14. DPX: Data-Plane eXtensions for SDN Security Service Instantiation • Provides security services as a part of packet processing logic. ecurity services as a set of OpenFlow act ions • S • Processing packets without detouring DoS S can DPI Packet MATCH Actions Flow_A sec_dos(mbps=1000) , output:2 sec_dos(…), sec_scan(…) ,output:3 Flow_B 14 / 35

  15. Security actions • Providing security services for an incoming flow ip_src ip_dst tcp_src tcp_dst Actions 10.0.0.1 10.0.0.2 * * sec_dos(mbps=1000, policy=alert) , output:2 sec_dpi(pattern=“rule.txt”, policy=discard) ,output:3 * * * 80 Pkt: 10.0.0.1->10.0.0.2 Pkt: -> tcp_80 DPX • To deploy, set a threshold and policy to the parameters of a required security action Threshold Policy { { Security Action: sec_dos(mbps=1000, policy=alert) 15 15 / 35

  16. Security actions • High-compatibility with common OpenFlow actions MATCH Actions sec_dos(mbps=1000), set_ip_dst(10.0.0.2) , output:2 Flow_A • Fine-grained security deployment per a flow MATCH Actions sec_dos(mbps=1000) , output:2 Flow_A sec_dos(mbps=500) ,output:2 Flow_B sec_dos(mbps=750) ,output:2 Flow_C • Easy configuration for a security service chaining MATCH Actions sec_dos(…), sec_scan(…), sec_dpi(…) , output:2 Flow_A 16 / 35

  17. System Design Controller • Similar to a conventional SDN Network Application Network Application Network Application Network Application • Mat ch a flow rule in a flow t able 
 Network Application Security Application -> Perform act ions Rule deployment OpenFlow Channel Event Msg. (via Flow_mod) • Security action block DPX dataplane y s • DPX security application e t a k Common Actions t _ s w _ w o Security Actions l o F Flow l F Table Data Section Inspection Logic Policy Handler 17 / 35

  18. Security Action Block Controller • Individual processing block 
 for a security action Network Application Network Application Network Application Network Application Network Application Security Application • Data S ection Rule deployment OpenFlow Channel Event Msg. (via Flow_mod) • Inspection Logic DPX dataplane Flow_stats Flow_key • Policy Handler Common Actions Security Actions Security Actions Flow Table Data Section Data Section Inspection Logic Inspection Logic Policy Handler Policy Handler 18 / 35

  19. Security Action Block: Data Section Controller • Store required statistics data 
 of a packet by Network Application Network Application Network Application Network Application Network Application Security Application • Flow_key : Packet-level metadata 
 Rule deployment OpenFlow Channel Event Msg. (via Flow_mod) used for indexing a flow table DPX dataplane • Flow_st at s : Flow table statistics Flow_stats Flow_stats Flow_key Flow_key Common Actions Security Actions Flow Table Data Section Data Section Inspection Logic Policy Handler 19 / 35

  20. Security Action Block: Inspection Logic Controller • Perform actual inspection Network Application Network Application Network Application Network Application Network Application Security Application • Calculate statistics using the data section Rule deployment OpenFlow Channel Event Msg. • Determine a security violation with (via Flow_mod) DPX dataplane threshold values in the parameter Flow_stats Flow_key Common Actions - sec_dos(mbps=1000,… ) Security Actions Flow Table Data Section Inspection Logic Inspection Logic Policy Handler 20 / 35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

C LOS Efficiency: Instantiation Experiments C++ L ISP Structures Didier Verna Classes X-Comp

C LOS Efficiency: Instantiation Experiments C++ L ISP Structures Didier Verna Classes X-Comp

Efficiency of Instantiation Didier Verna Introduction C LOS Efficiency: Instantiation Experiments C++ L ISP Structures Didier Verna Classes X-Comp Conclusion didier@lrde.epita.fr http://www.lrde.epita.fr/didier Perspectives Thanks!

594 views • 26 slides
Complete Instantiation of Quantified Formulas in Satisfiability Modulo Theories Yeting Ge 1

Complete Instantiation of Quantified Formulas in Satisfiability Modulo Theories Yeting Ge 1

Complete Instantiation of Quantified Formulas in Satisfiability Modulo Theories Yeting Ge 1 Leonardo de Moura 2 1 New York University 2 Microsoft Research 7th International Workshop on Satisfiability Modulo Theories Aug 3, 2009 Montreal, Canada

1.33k views • 86 slides
Quantifiers Leonardo de Moura Microsoft Research Satisfiability > + 2, =

Quantifiers Leonardo de Moura Microsoft Research Satisfiability > + 2, =

Quantifiers Leonardo de Moura Microsoft Research Satisfiability > + 2, = 2 + 10, + 1000 Model SAT = 0, = 3, = 5 0 > + 2, 0 = 2 + 10, + () 1000

1.62k views • 125 slides
Labelled Unit Superposition for Instantiation-Based Reasoning Konstantin Korovin joint work with

Labelled Unit Superposition for Instantiation-Based Reasoning Konstantin Korovin joint work with

Labelled Unit Superposition for Instantiation-Based Reasoning Konstantin Korovin joint work with Christoph Sticksel 1 Instantiation, Labelled Superposition SAT/SMT vs First-Order The problem: Show that a given formula is a theorem. Ground

759 views • 60 slides
ECE 4524 Artificial Intelligence and Engineering Applications Lecture 12: Unification in FOL

ECE 4524 Artificial Intelligence and Engineering Applications Lecture 12: Unification in FOL

ECE 4524 Artificial Intelligence and Engineering Applications Lecture 12: Unification in FOL Reading: AIAMA 9.1-9.2 Todays Schedule: Inference by reducing FOL to PL FOL Inference Part I: Unification and Lifting Motivation Given an

276 views • 15 slides
Dj Q: Using Dual Systems to Revisit q-Type Assumptions Melissa Chase (MSR Redmond) Sarah

Dj Q: Using Dual Systems to Revisit q-Type Assumptions Melissa Chase (MSR Redmond) Sarah

Dj Q: Using Dual Systems to Revisit q-Type Assumptions Melissa Chase (MSR Redmond) Sarah Meiklejohn (UC San Diego University College London) 1 Pairing-based cryptography: a brief history Historically, pairings have provided great

1.46k views • 144 slides
CPSC 121: Models of Computation Determine the negation of any quantified statement. Given a

CPSC 121: Models of Computation Determine the negation of any quantified statement. Given a

Pre-Class Learning Goals By the start of class, you should be able to: CPSC 121: Models of Computation Determine the negation of any quantified statement. Given a quantified statement and an equivalence rule, apply the rule to create

267 views • 8 slides
Monotonic Inference for Underspecified Episodic Logic Mandar Juvekar University of Rochester

Monotonic Inference for Underspecified Episodic Logic Mandar Juvekar University of Rochester

Monotonic Inference for Underspecified Episodic Logic Mandar Juvekar University of Rochester Natural Logic Meets Machine Learning 17 July 2020 Gene Louis Kim Lenhart K. Schubert UR UR Snchez Valencia Lambek Derivations Tableau-style

746 views • 38 slides
A CSP Approach for Meta Model Instantiation Adel Ferdjoukh , Anne-Elisabeth Baert, Annie Chateau,

A CSP Approach for Meta Model Instantiation Adel Ferdjoukh , Anne-Elisabeth Baert, Annie Chateau,

A CSP Approach for Meta Model Instantiation Adel Ferdjoukh , Anne-Elisabeth Baert, Annie Chateau, R emi Coletta and Cl ementine Nebut Montpellier, France null A CSP Approach for Meta Model Instantiation Summary 1 Model Driven Engineering

1.18k views • 73 slides
Representing Isabelle in LF Florian Rabe Jacobs University Bremen 1 Slogans Type classes

Representing Isabelle in LF Florian Rabe Jacobs University Bremen 1 Slogans Type classes

Representing Isabelle in LF Florian Rabe Jacobs University Bremen 1 Slogans Type classes are wrong: Type classes should be theories, instances should be morphisms. The Isabelle module system is too complicated: You do not need

255 views • 24 slides
Delft Cooperation on Intelligent Systems SMDS, a top-down approach to Self-Management for Dynamic

Delft Cooperation on Intelligent Systems SMDS, a top-down approach to Self-Management for Dynamic

Delft Cooperation on Intelligent Systems SMDS, a top-down approach to Self-Management for Dynamic Collaboration Systems Bernard van Veelen bernard.vanveelen@decis.nl Delft Cooperation on Intelligent Systems Presentation Overview Context

542 views • 18 slides
Example Instantiation: Multics 11 rules affect rights: set to request, release access

Example Instantiation: Multics 11 rules affect rights: set to request, release access

Example Instantiation: Multics 11 rules affect rights: set to request, release access set to give, remove access to different subject set to create, reclassify objects set to remove objects set to change subject

1.33k views • 68 slides
Templight: A Clang Extension for Debugging and Profiling C++ Template Metaprograms Zoltn

Templight: A Clang Extension for Debugging and Profiling C++ Template Metaprograms Zoltn

Templight: A Clang Extension for Debugging and Profiling C++ Template Metaprograms Zoltn Porkolb, Zoltn Bork-Nagy Etvs Lornd University, Budapest Ericsson Hungary Agenda C++ Template Metaprogramming Possible debugging

1.26k views • 61 slides
Towards Synthetic Descriptive Set Theory: An instantiation with represented spaces Arno Pauly 1

Towards Synthetic Descriptive Set Theory: An instantiation with represented spaces Arno Pauly 1

Towards Synthetic Descriptive Set Theory: An instantiation with represented spaces Arno Pauly 1 Matthew de Brecht 2 CCA 2013, Nancy 1 University of Cambridge, United Kingdom 2 National Institute of Information and Communications Technology, Japan

269 views • 26 slides
Axiomatic Events in ACL2 ( r ) Ruben Gamboa, John Cowles, and Nadya Kuzmina University of Wyoming

Axiomatic Events in ACL2 ( r ) Ruben Gamboa, John Cowles, and Nadya Kuzmina University of Wyoming

Axiomatic Events in ACL2 ( r ) Ruben Gamboa, John Cowles, and Nadya Kuzmina University of Wyoming Introduction ACL2 ( r ) is a variant of ACL2 that supports the irrational numbers It is distributed with the ACL2 sources The foundations of ACL2

479 views • 29 slides
Network Virtualization Architecture: Proposal and Initial Prototype G.Schaffrath 1 , C.Werle 2 , P

Network Virtualization Architecture: Proposal and Initial Prototype G.Schaffrath 1 , C.Werle 2 , P

Introduction Architecture Prototype Next Steps Network Virtualization Architecture: Proposal and Initial Prototype G.Schaffrath 1 , C.Werle 2 , P .Papadimitriou 3 , A.Feldmann 1 , R.Bless 2 , A.Greenhalgh 4 , A.Wundsam 1 , M.Kind 1 , O.Maennel

704 views • 29 slides
C Programming for Engineers Object Oriented Programming ICEN 360 Spring 2017 Prof. Dola

C Programming for Engineers Object Oriented Programming ICEN 360 Spring 2017 Prof. Dola

C Programming for Engineers Object Oriented Programming ICEN 360 Spring 2017 Prof. Dola Saha 1 Evolution of computers Early computers were far less complex than todays computers Modern computers are smaller, but more complex 2

891 views • 22 slides
Program Correctness Literatuur Verification of Sequential and Concurrent Programs. Krzysztof R.

Program Correctness Literatuur Verification of Sequential and Concurrent Programs. Krzysztof R.

Program Correctness Literatuur Verification of Sequential and Concurrent Programs. Krzysztof R. Apt, Frank S. de Boer, Ernst-R udiger Olderog. Series: Texts in Computer Science. Springer. 3rd ed. 2nd Printing. ISBN: 978-1-84882-744-8. Te

1.23k views • 112 slides
The Singleton Pattern Design Patterns In Java Bob Tarr The Singleton Pattern The Singleton

The Singleton Pattern Design Patterns In Java Bob Tarr The Singleton Pattern The Singleton

The Singleton Pattern Design Patterns In Java Bob Tarr The Singleton Pattern The Singleton Pattern G Intent Ensure a class only has one instance, and provide a global point of access to it G Motivation Sometimes we want just a single

436 views • 9 slides
Machine learning for instance selection in SMT solving (W ork in Progress ) Jasmin Christian

Machine learning for instance selection in SMT solving (W ork in Progress ) Jasmin Christian

Machine learning for instance selection in SMT solving (W ork in Progress ) Jasmin Christian Blanchete 1, 2 Daniel El Ouraoui 2 Pascal Fontaine 2 Cezary Kaliszyk 3 Vrije Universiteit Amsterdam, Amsterdam, The Netherlands University of Lorraine,

703 views • 42 slides
Load Balancing for Interdependent IoT Microservices Ruozhou Yu, Vishnu Teja Kilari, Guoliang Xue

Load Balancing for Interdependent IoT Microservices Ruozhou Yu, Vishnu Teja Kilari, Guoliang Xue

Load Balancing for Interdependent IoT Microservices Ruozhou Yu, Vishnu Teja Kilari, Guoliang Xue Arizona State University Dejun Yang Colorado School of Mines Outlines Background and Motivation System Modeling Algorithm Design and Analysis

1.29k views • 30 slides
Object Flow Analysis Taking an Object-centric View on Dynamic Analysis Adrian Lienhard 1 ,

Object Flow Analysis Taking an Object-centric View on Dynamic Analysis Adrian Lienhard 1 ,

Object Flow Analysis Taking an Object-centric View on Dynamic Analysis Adrian Lienhard 1 , Stphane Ducasse 2 and T udor Grba 1 1 Software Composition Group, University of Bern, Switzerland 2 LISTIC, University of Savoie, France A missing

376 views • 21 slides
Policy-Based Instantiation of Norms in MAS Andreea Urzic and Cristian Gratie Policy-Based

Policy-Based Instantiation of Norms in MAS Andreea Urzic and Cristian Gratie Policy-Based

6th International Symposium on Intelligent Distributed Computing IDC 2012 Policy-Based Instantiation of Norms in MAS Andreea Urzic and Cristian Gratie Policy-Based Instantiation of Norms in MAS Paper outline A unified format for

378 views • 10 slides
Kimmo Rossi European Commission DG CONNECT Unit CNECT.G.3 Data Value Chain New organisation

Kimmo Rossi European Commission DG CONNECT Unit CNECT.G.3 Data Value Chain New organisation

Kimmo Rossi European Commission DG CONNECT Unit CNECT.G.3 Data Value Chain New organisation On 1/7/2012, DG INFSO becomes DG CONNECT Units E.1 (LT), E.2 (Data), E.4 (PSI) merge into one unit G.3 "Data value chain" The

2.96k views • 7 slides

More recommend