enabling practical sdn security applications with ofx the
play

Enabling Practical SDN Security Applications with OFX (The O pen F - PowerPoint PPT Presentation

Oct 27, 2022 •236 likes •604 views

Enabling Practical SDN Security Applications with OFX (The O pen F low e X tension Framework) John Sonchack, Adam J. Aviv, Eric Keller, and Jonathan M. Smith Outline Introduction Overview of OFX Using OFX Benchmarks 2 Basic Networking:

  1. Enabling Practical SDN Security Applications with OFX (The O pen F low e X tension Framework) John Sonchack, Adam J. Aviv, Eric Keller, and Jonathan M. Smith

  2. Outline Introduction Overview of OFX Using OFX Benchmarks 2

  3. Basic Networking: Forwarding and Routing Packet Forwarding Route Computation ? 3

  4. SDNs: Networking in Two Planes Control Plane Route computation Data Plane Packet forwarding 4

  5. OpenFlow: A Protocol to Manage Switches Control Plane Route computation Flow rules to implement routes Data Plane Packet forwarding 5

  6. OpenFlow: A Protocol to Manage Switches Control Plane Route computation Flow rules to implement routes Assumption: Interactions between the control plane and data plane are infrequent . Data Plane Packet forwarding 6

  7. SDNs for Network Security Access Control Control Plane Policy Access Control Flow rules to implement access control policy Data Plane Casado, Martin, et al. "Ethane: taking control of the enterprise." ACM SIGCOMM Computer Communication Review . Vol. 37. No. 4. ACM, 2007. 7

  8. SDNs for Dynamic Network Security Control Plane Traffic Declassification Traffic Declassification Advanced Processing Access Control Route for flow DDoS Defense Bot Detection Data Plane Packet from new flow 8

  9. SDNs for Dynamic Network Security: Flow Monitoring Control Plane Gu, Guofei, et al. " BotMiner: Clustering Analysis of Network Traffic for Protocol-and Structure- Independent Botnet Detection. " USENIX Security Symposium . Vol. 5. No. 2. 2008. Install byte Collect flow records counting rule without routing through a middlebox. Bot Detection Data Plane Packet from new TCP flow 9

  10. SDNs for Dynamic Network Security: Traffic Declassification Control Plane Traffic Declassification Traffic Declassification declassification Check flow decision tags and user (Allow | Block) permissions Enforce access control on tagged data leaving the network. Mundada, Yogesh, Anirudh Ramachandran, and Nick Feamster. "SilverLine: preventing data leaks Data Plane Can this flow leave from compromised web applications. " Proceedings of the the network? 29th Annual Computer Security Applications Conference . ACM, 10 2013.

  11. SDNs for Dynamic Network Security Control Plane Traffic Declassification Traffic Declassification Advanced Processing Access Control Route for flow DDoS Defense Bot Detection Data Plane Packet from new flow 11

  12. SDNs for Dynamic Network Security Control Plane Traffic Declassification Traffic Declassification Advanced Processing Access Control Route for flow Assumption: Interactions between the control plane DDoS Defense and data plane are infrequent . Bot Detection Data Plane Packet from new flow 12

  13. Obstacle: Low Throughput Control Path 130 million packets/second!!!!* *can only forward 500 pps to controller. Appelman, Michiel, and Maikel de Boer. "Performance analysis of OpenFlow hardware." University of Amsterdam, Tech. Rep (2012). Curtis, Andrew R., et al. "DevoFlow: scaling flow management for high-performance networks." ACM SIGCOMM Computer Communication Review . Vol. 41. No. 4. ACM, 2011. 13

  14. Obstacle: Centralized Control Plane New Flow New Flow New Flow New Flow New Flow New Flow New Flow New Flow 14

  15. Our question: How Can We Make SDNs More Practical? Control Plane Traffic Declassification Traffic Declassification Traffic Declassification Access Control DDoS Defense Bot Detection Data Plane 15

  16. The General Approach: Switch Level Security Control Plane Traffic Declassification Access Control DDoS Defense Bot Detection Data Plane 16

  17. Previous Work: Security Functionality in the Forwarding Engine Build new switch chips that support security applications Shin, Seungwon, et al. "Avant-guard: Scalable and vigilant switch flow management in software-defined networks." Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security . ACM, 2013. 17

  18. Our insight: Leverage Switch CPUs Run security logic on the switch CPUs 18

  19. OFX: A Framework for Application- Specific Switch Extensions Each application can load custom functionality into switches. At runtime! Declassification Declassification 19

  20. Outline Introduction Overview of OFX Using OFX Benchmarks 20

  21. OFX at a High Level stack 21

  22. OFX at a High Level OFX Controller Library OFX Switch Agents OFX Switch Agents OFX Switch Agents OFX stack stack 22

  23. OFX at a High Level Controller interface OFX Extension Module OFX Switch Agents OFX Switch Agents Switch-level logic OFX stack stack 23

  24. OFX at a High Level Permissions Database Declassifier Module Per-Flow Declassification Logic OFX Switch Agents OFX Switch Agents OFX stack stack 24

  25. OFX at the Switch Level OFX modules use filters to OFX modules process select packets that they need packets with custom to process handler OFX installs OpenFlow OFX OFX Module corresponding Switch Agent Packet Handler rules onto OFX tables Software Hardware … Ingress Egress OFX Filtering Tables Controller-managed Packets Packets forwarding tables 25

  26. Outline Introduction Overview of OFX Using OFX Benchmarks 26

  27. Refactoring OpenFlow Applications to use OFX OFX Declassifier Module

  28. Refactoring OpenFlow Applications to use OFX OFX Declassifier Module

  29. Outline Introduction Overview of OFX Using OFX Benchmarks 29

  30. Benchmarking OFX How much raw overhead is there for processing packets with OFX? How do OFX based security applications perform, compared with Middlebox and OpenFlow implementations? 30

  31. OFX Benchmark: Packets Per Second Log 10 Packet handler in controller Scale Packet handler in OFX module 100,000 10,000 Packets per Second 1,000 100 10 1 64 128 256 512 1024 1500 Packet Size 100 PPS 45,000 PPS @ MTU @ MTU 31

  32. Benchmarking OFX How much raw overhead is there for processing packets with OFX? How do OFX based security applications perform, compared with Middlebox and OpenFlow implementations? 32

  33. Benchmark: Declassifier Packet Drop Rate Frequent arriving High bandwidth Implementation Median flows flows Middlebox Proxy 0.1% 0.1% 20.4% OpenFlow 97.5% 88.2% 0.1% 5.1% 3.2% 0.1% OFX OpenFlow implementation Proxy implementation limited limited by flow arrival rate by bit rate OFX implementation performed well in all workloads Workload Name Frequently arriving flows Median flows High bandwidth flows Flow Inter-arrival Period 0.0015 Seconds 0.015 Seconds 0.15 Seconds Average Transmission Bandwidth 19.75 Mbps 43.57 Mbps 970.99 Mbps . S. Kandula, S. Sengupta, A. Greenberg, P. Patel, and R. Chaiken, “ The nature of data center traffic: measurements & analysis,” in Proceedings of the 9th ACM SIGCOMM conference on Internet measurement conference . ACM, 2009, pp. 202–208. . L. Qian and B. E. Carpenter, “A flow-based performance analysis of tcp and tcp applications,” in Networks (ICON), 2012 18th IEEE International Conference on . IEEE, 2012, pp. 41–45. 33

  34. In the Paper OFX API and Enhanced Application More Implementation Switch API Specific benchmarks Details Modules Modules OpenFlow Controller DDoS Defense TCP Handshake Validation Running on OFX Library Control unmodified New TCP Platform OpenFlow Flow Linux Kernel hardware! Push Based Alerts OpenFlow OpenFlow Switch OFX Agent Bot Detection Agent Linux Kernel Condition Forwarding Linux Network Reached Engine Firmware Stack OpenFlow Packet Path OFX Packet Path 34

  35. Thank You OFX: The OpenFlow Extension Framework OFX lets OpenFlow security OFX applications push parts of their Extension Module control plane logic down to switch CPUs , which can greatly improve performance and scalability on existing hardware and software. 35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security vulnerabilities in new web applications Ing. Pavol Luptk, CISSP, CEH Lead Security

Security vulnerabilities in new web applications Ing. Pavol Luptk, CISSP, CEH Lead Security

Security vulnerabilities in new web applications Ing. Pavol Luptk, CISSP, CEH Lead Security Consultant www.nethemba.com www.nethemba.com Introduction $whoami Pavol Luptk 10+ years of practical experience in security and seeking

594 views • 15 slides
eHealth .. How to trust a cloud? Enabling trust in distributed eHealth applications Dr. Mario

eHealth .. How to trust a cloud? Enabling trust in distributed eHealth applications Dr. Mario

eHealth .. How to trust a cloud? Enabling trust in distributed eHealth applications Dr. Mario Drobics Thematic Coordinator Safety & Security Department AIT Austrian Institute of Technology GmbH mario.drobics@ait.ac.at +43 50 550 4810

567 views • 17 slides
Practical Microservice Security Laura Bell Practical Microservice security Laura Bell Founder

Practical Microservice Security Laura Bell Practical Microservice security Laura Bell Founder

Practical Microservice Security Laura Bell Practical Microservice security Laura Bell Founder and Lead Consultant - SafeStack @lady_nerd laura@safestack.io http:/ /safestack.io caution: fast paced field ahead watch for out of date

1.06k views • 66 slides
AI Planner Applications Practical Applications of AI Planners Overview Deep Space 1

AI Planner Applications Practical Applications of AI Planners Overview Deep Space 1

AI Planner Applications Practical Applications of AI Planners Overview Deep Space 1 Other Practical Applications of AI Planners Common Themes AI Planner Applications 2 1 Literature Deep Space 1 Papers Ghallab, M., Nau,

172 views • 15 slides
Practical Security and Key Management Management University of Amsterdam Introduction SNE -

Practical Security and Key Management Management University of Amsterdam Introduction SNE -

Practical Security and Key Practical Security and Key Management Management University of Amsterdam Introduction SNE - Research Project 2 Research Question Security levels Secure elements By: Key Magiel van der Meer management PGP

778 views • 20 slides
CRA Cyber-Security Collaborative Research Alliance: MACRO: Models for Enabling Continuous

CRA Cyber-Security Collaborative Research Alliance: MACRO: Models for Enabling Continuous

CRA Cyber-Security Collaborative Research Alliance: MACRO: Models for Enabling Continuous Reconfigurability of Secure Missions Prof. Patrick McDaniel Initial Feedback Meeting ARL - Adelphi, MD October 15th, 2013 CRA: Models for Enabling

435 views • 7 slides
Enabling dynamic security policy in the Java security manager Fabien Autrel, Fr ed eric

Enabling dynamic security policy in the Java security manager Fabien Autrel, Fr ed eric

Outline Introduction JVM sandbox Modelisation Example and implementation Conclusion Enabling dynamic security policy in the Java security manager Fabien Autrel, Fr ed eric Cuppens, Nora Cuppens FPS2012 symposium October 26 th 2012

321 views • 20 slides
Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted Cryptographic Protocols Estonian Winter School in Computer Science 2016 Motivation 2 Two Areas Cryptographic Protocols Secure Hardware strong security

759 views • 52 slides
Enabling Practical Backscatter Communication for On-body Sensors Pengyu Zhang, Mohammad Rostami,

Enabling Practical Backscatter Communication for On-body Sensors Pengyu Zhang, Mohammad Rostami,

Enabling Practical Backscatter Communication for On-body Sensors Pengyu Zhang, Mohammad Rostami, Pan Hu, Deepak Ganesan UMass Amherst 1 Ubiquitous deployment of on-body sensors Fitness-band Smartphone Smart Watch Biometric clothing Sensor

409 views • 29 slides
Aurasium: Practical Policy Enforcement for Android Applications Rubin Xu Hassen Saidi Ross

Aurasium: Practical Policy Enforcement for Android Applications Rubin Xu Hassen Saidi Ross

Aurasium: Practical Policy Enforcement for Android Applications Rubin Xu Hassen Saidi Ross Anderson University of SRI International University of Cambridge Cambridge USENIX Security Symposium 2012 Goal Address the multiple threats

803 views • 33 slides
W SI S Action Lines C2 , C5 & C6 : Com m unication I nfrastructure, Security & Enabling

W SI S Action Lines C2 , C5 & C6 : Com m unication I nfrastructure, Security & Enabling

W SI S Action Lines C2 , C5 & C6 : Com m unication I nfrastructure, Security & Enabling Environm ent Presented at the Expert Group Meeting on Regional Cooperation Tow ards Building an I nform ation Society in Asia and the Pacific

498 views • 25 slides
Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J.

Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J.

Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Hands-On Network Security Module 6 Firewalls & VPNs Topics Firewall Fundamentals Case

881 views • 51 slides
2 nd Partners Meeting Security Outline of activities/floorplans Timeline and practical

2 nd Partners Meeting Security Outline of activities/floorplans Timeline and practical

2 nd Partners Meeting Security Outline of activities/floorplans Timeline and practical information EMAS: Waste reduction Se Security, ou our resp sponsib ibil ilit ity Specific security measures Ensuring safety of visitors,

282 views • 15 slides
Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J.

Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J.

Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Hands-On Network Security Module 3 Network Protocol Attacks Roadmap Network security The

502 views • 39 slides
Enabling holographic media for future applications: Missing pieces and limitations in networks

Enabling holographic media for future applications: Missing pieces and limitations in networks

nd NE 2 nd NEAT W T Worksho hop Pa Panel Enabling holographic media for future applications: Missing pieces and limitations in networks Networks for Future Applications? For the last several decades: Applications have taken advantage

652 views • 44 slides
Practical Principles for Computer Security Butler Lampson Marktoberdorf August 2006 1 Practical

Practical Principles for Computer Security Butler Lampson Marktoberdorf August 2006 1 Practical

Practical Principles for Computer Security Butler Lampson Marktoberdorf August 2006 1 Practical Principles for Computer Security B. W. Lampson 2 August 2006 Outline Introduction: what is security? Principals, the speaks for relation,

1.22k views • 94 slides
Dynamic Flow Regulation for IP Integration on Network-on-Chip Zhonghai Lu and Yi Wang Dept. of

Dynamic Flow Regulation for IP Integration on Network-on-Chip Zhonghai Lu and Yi Wang Dept. of

Dynamic Flow Regulation for IP Integration on Network-on-Chip Zhonghai Lu and Yi Wang Dept. of Electronic Systems KTH Royal Institute of Technology Stockholm, Sweden 6th Symposium on NoCS, Denmark May 9-11, 2012 Agenda The IP integration

824 views • 33 slides
Network Flow Algorithm Design Divide and Dynamic Greedy Conquer Programming Formulate

Network Flow Algorithm Design Divide and Dynamic Greedy Conquer Programming Formulate

Network Flow Algorithm Design Divide and Dynamic Greedy Conquer Programming Formulate problem ? ? ? Design algorithm less work more work more work Prove correctness more work less work less work Analyze running time less work

520 views • 18 slides
Flow Visualization Flow Visualization CS 176 Spring 2011 1 Fluid Simulation a Looking at

Flow Visualization Flow Visualization CS 176 Spring 2011 1 Fluid Simulation a Looking at

Flow Visualization Flow Visualization CS 176 Spring 2011 1 Fluid Simulation a Looking at vector fields g how? Bolz et al. Laidlaw et al. CS 176 Spring 2011 2 Field Visualization V a a Stalling et al. Cabral et al. Stalling

576 views • 18 slides
Verifying that a compiler preserves concurrent value-dependent information-flow security Robert

Verifying that a compiler preserves concurrent value-dependent information-flow security Robert

Verifying that a compiler preserves concurrent value-dependent information-flow security Robert Sison (UNSW Sydney, Data61) and Toby Murray (University of Melbourne) September 2019 THE UNIVERSITY OF NEW SOUTH WALES www.data61.csiro.au So

1.94k views • 156 slides
Toda flows, gradient flows and the generalized Flaschka map Anthony Bloch Dissipation and

Toda flows, gradient flows and the generalized Flaschka map Anthony Bloch Dissipation and

1 Toda flows, gradient flows and the generalized Flaschka map Anthony Bloch Dissipation and Radiation Induced Instability Toda and gradient flows, metric and metriplectic flows The Pukhanzky condition Generalized Flaschka Map

1.02k views • 54 slides
Inter-Data-Center Network Traffic Prediction with Elephant Flows Yi Li , Hong Liu , Wenjun

Inter-Data-Center Network Traffic Prediction with Elephant Flows Yi Li , Hong Liu , Wenjun

Inter-Data-Center Network Traffic Prediction with Elephant Flows Yi Li , Hong Liu , Wenjun Yang , Dianming Hu , Wei Xu Institute for Interdisciplinary Information Sciences, Tsinghua University Baidu Inc.

306 views • 17 slides
Remember Phase 2: Ensuring great products become great businesses

Remember Phase 2: Ensuring great products become great businesses

Remember Phase 2: Ensuring great products become great businesses Andrew Malcolm VP Product Marke3ng Commercial Mobility, HP Definitions What is the product? What is the

314 views • 18 slides
Bidirectional data flow from clinic to lab and back Lawrence Babb Genomic Medicine XI September

Bidirectional data flow from clinic to lab and back Lawrence Babb Genomic Medicine XI September

Bidirectional data flow from clinic to lab and back Lawrence Babb Genomic Medicine XI September 2018 Conflicts of interest No conflicts Objective Briefly discuss Clinic->Lab->Clinic primary data flow Identify fundamental next

303 views • 28 slides

More recommend