flowguard building robust firewalls for software defined
play

FlowGuard: Building Robust Firewalls for Software-Defined Networks - PowerPoint PPT Presentation

Sep 17, 2023 •112 likes •303 views

FlowGuard: Building Robust Firewalls for Software-Defined Networks Hongxin Hu , Wonkyu Han , Gail-Joon Ahn and Ziming Zhao HotSDN 2014 Outline Introduction Challenges for Building FW in SDN FlowGuard

  1. FlowGuard: Building Robust Firewalls for Software-Defined Networks Hongxin Hu † , Wonkyu Han ‡ , Gail-Joon Ahn ‡ and Ziming Zhao ‡ † ‡ HotSDN 2014

  2. Outline  Introduction  Challenges for Building FW in SDN  FlowGuard framework  Violation Detection Mechanism  Resolution Mechanism  Conclusion 13:01 2

  3. Traditional Firewalls Vs. SDN Firewalls  Traditional FWs : all insiders are trusted  Internal traffic is not seen and cannot be filtered by the traditional firewall  SDN FWs: monitoring all insiders Firewall Application SDN Controller 13:01 3

  4. Challenges  Examining Dynamic Network Policy Updates  A firewall in SDN is both  Packet Filter + Policy Checker – The first packet goes through the controller and is filtered by firewall – The subsequent packets of the flow directly match the flow policy  Checking Indirect Security Violations  Indirect violation caused by  Dynamic packet modification – OpenFlow allows an action, Set-Field, which can rewrite packet header  Rule dependency – Dependency relation depends on their priority – Rules may overlap partially / entirely each other (inter / intra table) 13:01 4

  5. Challenges (cont’d)  Indirect violation scenario Firewall app Firewall Rules A  C: Deny Rule 2 SDN Controller … Rule N Host C Host A B  D Switch 1 Switch 2 Host D Host B Table 1 Table 2 A  D: Rewrite A with B, Forward Rule 2.1 Rule 1.2 B  D: Rewrite D with C, Forward … … Rule 1.N Rule 2.N 13:01 5

  6. Challenges (cont’d)  Architecture Options  Centralized SDN firewall  Firewall policy is centrally defined and enforced at the controller  Limitation: cannot deal with partial policy violations  Distributed SDN firewall  Firewall policy is defined centrally, but propagated and enforced at each individual flow entry (ingress switch)  Limitation: needs a complicated revocation and repropagation mechanism to handle dynamic policy updates 13:01 6

  7. State Of The Art  SDN Firewall App  Built-in firewall application in Floodlight  Limited to check flow packet violations and unable to examine flow policy violations  Policy Conflict Detection and Resolution  VeriFlow [ Khurshid’13 ] and NetPlumber [Kazemian’13 ]  Lack of automatic, effective and real-time violation resolution  Pyretic [Monsanto’13 ]  Cannot discover and resolve indirect security violations  FortNOX [ Porras’12 ]  Only conducts pairwise conflict analysis without considering rule dependencies in flow tables and firewall policies 13:01 7

  8. Our Approach  FlowGuard : a comprehensive framework for building robust SDN firewalls 13:01 8

  9. Space Analysis  Flow Path Space Analysis  Flow tracking graph( NetPlumber [Kazemian’13] )  Dynamic packet modification  Rule dependency  Flow path space calculation  Incoming space  Outgoing space  Tracked space 13:01 9

  10. Our Approach  FlowGuard : a comprehensive framework for building robust SDN firewalls 13:01 10

  11. Space Analysis (cont’d)  Firewall Authorization Space  Decouple dependency relations between “allow” rules and “deny” rules in the firewall policy  Denied authorization space  Allowed authorization space 13:01 11

  12. Our Approach  FlowGuard : a comprehensive framework for building robust SDN firewalls 13:01 12

  13. Violation Detection  Space Comparison  Compare Tracked Flow Space against Firewall Denied Authorization Space  Entire Violation – Denied authorization space includes whole tracked space  Partial Violation – Denied authorization space partially includes tracked space 13:01 13

  14. Our Approach  FlowGuard : a comprehensive framework for building robust SDN firewalls 13:01 14

  15. Violation Resolution  Automatic Violation Resolution Mechanism Flow Tagging Flow Rerouting 13:01 15

  16. Implementation & Evaluation  Prototype of FlowGuard  Floodlight V 0.90  Evaluation Environment  Real-world network topology  Stanford backbone network [ kazemian’13 ]  Mininet 2.0  Flow Tracking, Violation Detection and Resolution Table 1: Tracking, Detection and resolution time (ms) for different resolution strategies 13:01 16

  17. Evaluation (cont’d)  Scalability and Performance Analysis 13:01 17

  18. Concluding Remarks  Identifying essential challenges for building robust firewall in SDN  Proposing a comprehensive framework, FlowGuard , to address identified challenges  Future Work  Developing Stateful SDN Firewall  Firewall virtualization using Network Function Virtualization (NFV)  Robust security enforcement kernels for SDN controllers 13:01 18

  19. Q & A This work was partially supported by the grant from Department of Energy (DE-SC0004308) 13:01 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple firewall using Netfilter Iptables firewall in Linux Stateful Firewall Application Firewall Evading Firewalls 2 Firewalls

811 views • 55 slides
Firewalls jnlin Computer Center, CS, NCTU Firewalls q Firewall hardware/software

Firewalls jnlin Computer Center, CS, NCTU Firewalls q Firewall hardware/software

Firewalls jnlin Computer Center, CS, NCTU Firewalls q Firewall hardware/software choke point between secured and unsecured network filter incoming and outgoing traffic prevent communications which are forbidden by the

1.06k views • 57 slides
Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls? Network Address Translation Types of Firewalls Linux/Windows Firewalls pfSense Blue Team Activity Brief History Firewall

348 views • 30 slides
Robust Software Defined Networks Ravi Manghirmalani Ramesh Subrahmaniam Controller Offload

Robust Software Defined Networks Ravi Manghirmalani Ramesh Subrahmaniam Controller Offload

Experiences in Realizing Large Robust Software Defined Networks Ravi Manghirmalani Ramesh Subrahmaniam Controller Offload SDN mandates a split of control and forwarding plane The control and forwarding planes communicate through a TCP

810 views • 25 slides
BUILDING A MORE ROBUST DEFINED BENEFIT SECTOR SPEAKERS RONAN O'CONNOR LESLEY WILLIAMS DEPUTY

BUILDING A MORE ROBUST DEFINED BENEFIT SECTOR SPEAKERS RONAN O'CONNOR LESLEY WILLIAMS DEPUTY

Stream sponsored by: Media partner: BUILDING A MORE ROBUST DEFINED BENEFIT SECTOR SPEAKERS RONAN O'CONNOR LESLEY WILLIAMS DEPUTY DIRECTOR, DIRECTOR OF PENSIONS PRIVATE PENSIONS POLICY WHITBREAD GROUP DWP CHAIR JOE DABROWSKI HEAD OF

432 views • 15 slides
Firewalls Computer Center, CS, NCTU Firewalls Firewall A piece of hardware and/or

Firewalls Computer Center, CS, NCTU Firewalls Firewall A piece of hardware and/or

Firewalls Computer Center, CS, NCTU Firewalls Firewall A piece of hardware and/or software which functions in a networked environment to prevent some communications forbidden by the security policy. Choke point between secured

613 views • 34 slides
Flexible Building Blocks for Software Defined Network Function Virtualization

Flexible Building Blocks for Software Defined Network Function Virtualization

Introduction Solution Evaluation Summary Flexible Building Blocks for Software Defined Network Function Virtualization (Tenant-Programmable Virtual Networks) Aryan TaheriMonfared Chunming Rong Department of Electrical Engineering and

1.76k views • 37 slides
software defined networking CS 6410 Fall 2017 Eric Campbell and Rolph Recto software defined

software defined networking CS 6410 Fall 2017 Eric Campbell and Rolph Recto software defined

software defined networking CS 6410 Fall 2017 Eric Campbell and Rolph Recto software defined networking software defined networking (OpenFlow, originally) Stanford computer scientist Nick McKeown and colleagues developed a standard called

1.13k views • 77 slides
Software Defined Radios RABC Conference Ottawa, 3 March 2004 www.crc.ca / rmsc Software Defined

Software Defined Radios RABC Conference Ottawa, 3 March 2004 www.crc.ca / rmsc Software Defined

Software Defined Radios RABC Conference Ottawa, 3 March 2004 www.crc.ca / rmsc Software Defined Radio A wireless system whose operating modes and parameters can be changed or augmented post- manufacturing, via software. Based on an

703 views • 22 slides
Networks in the Software Software Age Defined Clouds and Internet Ravinder Shergill of

Networks in the Software Software Age Defined Clouds and Internet Ravinder Shergill of

Networks in the Software Software Age Defined Clouds and Internet Ravinder Shergill of Things Principal Architect Technology Strategy, TELUS June 06, 2016 TELUS RESTRICTED Storyboard Generational changes via Software Defined

601 views • 18 slides
FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls

FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls

FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls (Categories) Implementation Best practices What are Firewalls? Internet Firewall Client/Host Network Network Security

585 views • 39 slides
Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential however

Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential however

Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential however it creates a threat Effective means of protecting LANs Inserted between the premises network and the Internet to establish a controlled

699 views • 34 slides
Software-Defined Network Exchanges (SDXs) and Software-Defined Infrastructure (SDI) Joe

Software-Defined Network Exchanges (SDXs) and Software-Defined Infrastructure (SDI) Joe

Software-Defined Network Exchanges (SDXs) and Software-Defined Infrastructure (SDI) Joe Mambretti, Director, (j-mambretti@northwestern.edu) International Center for Advanced Internet Research (www.icair.org) Northwestern University Director,

442 views • 23 slides
Firewalls Why do people want a firewall? [...] a firewalls purpose is to keep the jerks

Firewalls Why do people want a firewall? [...] a firewalls purpose is to keep the jerks

Firewalls Why do people want a firewall? [...] a firewalls purpose is to keep the jerks out of your network while still letting you get your job done. [Limiting] what kinds of connectivity is allowed between different

538 views • 30 slides
CS 5410 - Computer and Network Security: Firewalls Professor Kevin Butler Fall 2015

CS 5410 - Computer and Network Security: Firewalls Professor Kevin Butler Fall 2015

CS 5410 - Computer and Network Security: Firewalls Professor Kevin Butler Fall 2015 Southeastern Security for Enterprise and Infrastructure (SENSEI) Center Firewalls A firewall ... is a physical barrier inside a building or vehicle,

555 views • 23 slides
Intro & Updates Ben Hilburn What is Software Radio? Defined by the IEEE P1900.1

Intro & Updates Ben Hilburn What is Software Radio? Defined by the IEEE P1900.1

Intro & Updates Ben Hilburn What is Software Radio? Defined by the IEEE P1900.1 Working Group and the WINNF: A radio in which some or all of the physical layer functions are software-defined. 2 What is Software Radio? Defined

714 views • 25 slides
Forest Protection From Human Activities: The Dos And Dont Under Environmental Law In

Forest Protection From Human Activities: The Dos And Dont Under Environmental Law In

ENVIRONMENTAL LAW AWARENESS SEMINAR FOREST AT HEART . 6 DECEMBER 2017. USIM Forest Protection From Human Activities: The Dos And Dont Under Environmental Law In Malaysia By: Assoc. Prof. Dr. Maizatun Mustafa Ahmad Ibrahim

568 views • 20 slides
REVIEW OF THE SMALL-SCALE MINING POLICY AND LICENSING PRACTICES IN THE ASIA-PACIFIC COUNTRIES By

REVIEW OF THE SMALL-SCALE MINING POLICY AND LICENSING PRACTICES IN THE ASIA-PACIFIC COUNTRIES By

REVIEW OF THE SMALL-SCALE MINING POLICY AND LICENSING PRACTICES IN THE ASIA-PACIFIC COUNTRIES By EDMUND M BUGNOSEN BUGNOSEN MINERALS ENGINEERING 80A Belgrave Road London E17 8QG United Kingdom emails: edbugnosen@yahoo.co.uk <>

391 views • 15 slides
Proposed Donation of Land to Beaufort County: 32.27 Acre Site located in Belhaven, NC Location:

Proposed Donation of Land to Beaufort County: 32.27 Acre Site located in Belhaven, NC Location:

https://digital.lib.ecu.edu/137 https://digital.lib.ecu.edu/137 Proposed Donation of Land to Beaufort County: 32.27 Acre Site located in Belhaven, NC Location: Adjacent to the southern corner of the intersection of W. Main Street and NC

395 views • 22 slides
The private sector perspec.ve on developing an ASEAN organic

The private sector perspec.ve on developing an ASEAN organic

The private sector perspec.ve on developing an ASEAN organic standards and a system for recognizing conformity assessment Patrick Belisario President

458 views • 18 slides
INTRODUCING GUILD LIVING. JUNE 2020 ABOUT GUILD LIVING. WHY WERE DIFFERENT. OUR WE FILL THE

INTRODUCING GUILD LIVING. JUNE 2020 ABOUT GUILD LIVING. WHY WERE DIFFERENT. OUR WE FILL THE

INTRODUCING GUILD LIVING. JUNE 2020 ABOUT GUILD LIVING. WHY WERE DIFFERENT. OUR WE FILL THE WHO WE ARE. AUDIENCES ARE... GENERATION GAP. An intergenerational approach. WERE ROOTED IN RESEARCH. L&G HAVE GOT OUR BACKS. Backed

551 views • 40 slides
www.thewebguild.org www.thewebguild.org www.thewebguild.org www.thewebguild.org

www.thewebguild.org www.thewebguild.org www.thewebguild.org www.thewebguild.org

This document contains The Web Guilds responses to the EUs ePrivacy Directive consultation and review. Date: July 4 th 2016 www.thewebguild.org www.thewebguild.org www.thewebguild.org www.thewebguild.org www.thewebguild.org

453 views • 23 slides
Scaling out architectural decision making OReilly Software Architecture Conference Berlin

Scaling out architectural decision making OReilly Software Architecture Conference Berlin

@patkua Scaling out architectural decision making OReilly Software Architecture Conference Berlin (November 2019) The first bank youll love @patkua Banking, this beautiful @patkua Chief Scientist, former CTO #leader #coach

1.1k views • 55 slides
BC CRAFT BREWERS GUILD ORGANIZATIONAL OVERVIEW FEBRUARY 2019 ABOUT US The BC Craft Brewers

BC CRAFT BREWERS GUILD ORGANIZATIONAL OVERVIEW FEBRUARY 2019 ABOUT US The BC Craft Brewers

BC CRAFT BREWERS GUILD ORGANIZATIONAL OVERVIEW FEBRUARY 2019 ABOUT US The BC Craft Brewers Guild represents craft brewers from all over BC. Some are small and others smaller, but they all brew flavourful local beer with passion and

382 views • 13 slides

More recommend