hex switch
play

HEX Switch: Hardware-assisted security extensions of OpenFlow - PowerPoint PPT Presentation

Aug 24, 2022 •297 likes •673 views

HEX Switch: Hardware-assisted security extensions of OpenFlow Taejune Park / KAIST / taejune.park@kaist.ac.kr Zhaoyan Xu / StackRox Inc. / z@stackrox.com Seungwon Shin / KAIST / claude@kaist.ac.kr Software-Defined Networking

  1. HEX Switch: 
 Hardware-assisted security extensions of OpenFlow Taejune Park / KAIST / taejune.park@kaist.ac.kr Zhaoyan Xu / StackRox Inc. / z@stackrox.com Seungwon Shin / KAIST / claude@kaist.ac.kr

  2. Software-Defined Networking • Centralized management • Dynamic traffic engineering • Programable network operation • High-compatibility with virtualized environments 2 /36

  3. Software-Defined Networking • Centralized management • Dynamic traffic engineering • Programable network operation Security is still required • High-compatibility with virtualized environments 3 /36

  4. Security in Software-Defined Networking Control-Plane Network Control Apps. Security Apps. Layer Network Application Network Application Network Application Network Application Network Application Security Application Standard Protocol (e.g., OpenFlow) Data-Plane Layer Middle-box 4 /36

  5. Security in Software-Defined Networking •Security applications on a control plane Control-Plane Network Control Apps. Security Apps. • Applying security features network-widely Layer Network Application Network Application Network Application Network Application Network Application Security Application • Cheap price • Easy to manage Standard Protocol (e.g., OpenFlow) Data-Plane Layer Middle-box 5 /36

  6. Security in Software-Defined Networking •Security applications on a control plane Control-Plane Network Control Apps. Security Apps. • Applying security features network-widely Layer Network Application Network Application Network Application Network Application Network Application Security Application • Cheap price • Easy to manage Standard Protocol (e.g., OpenFlow) • Limitation Data-Plane Layer • Simple security only available • Slow-path for inspection Middle-box • Controller overhead 6 /36

  7. Security in Software-Defined Networking Control-Plane Network Control Apps. Security Apps. Layer Network Application Network Application Network Application Network Application Network Application Security Application Standard Protocol (e.g., OpenFlow) •Middle-boxes on a data plane Data-Plane Layer • Better performance • Rich features such as payload inspection • No controller overhead Middle-box 7 /36

  8. Security in Software-Defined Networking Control-Plane Network Control Apps. Security Apps. Layer Network Application Network Application Network Application Network Application Network Application Security Application Standard Protocol (e.g., OpenFlow) • Limitation •Middle-boxes on a data plane Data-Plane Layer • Better performance • Network overhead by traffic detouring (Taking extra hops) • Rich features such as payload inspection • Require flow steering for NFs • No controller overhead Middle-box • Additional control channels for NFs 8 /36

  9. Summary Category SDN Applications Middle-boxes Flexibility Management Deployability Performance Functionality 9 /36

  10. Related works: 
 Extending SDN architecture to support security • Mekky, Hesham, et al. "Network function virtualization enablement within SDN data plane.” IEEE INFOCOM 2017 (Also, HotSDN 2014) • Sonchack, John, et al. "Enabling Practical Software-defined Networking Security Applications with OFX." NDSS 2016. 10 /36

  11. Related works: 
 • Their security functions are not fully consolidated Extending SDN architecture to support security into a data plane • Mekky, Hesham, et al. "Network function • Application module, Tap-based interface… virtualization enablement within SDN data plane.” IEEE INFOCOM 2017 (Also, HotSDN 2014) • Sonchack, John, et al. "Enabling Practical Software-defined Networking Security Applications with OFX." NDSS 2016. 11 /36

  12. Related works: 
 Extending SDN architecture to support security • In essence, they are NOT different from the middle-box structure! • Mekky, Hesham, et al. "Network function • It's just a scale down! virtualization enablement within SDN data plane.” IEEE INFOCOM 2017 (Also, HotSDN 2014) • Sonchack, John, et al. "Enabling Practical Software-defined Networking Security Applications with OFX." NDSS 2016. 12 /36

  13. Related works: UNISAFE: A union of security actions for software switches Proceedings of the 2016 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization. ACM, 2016 • Fully integrated security functions into a data plane, not modular one •Security functions as a set of OpenFlow actions UNISAFE (based on Open vSwitch) Flow table Execute actions MATCH Actions Flow_A sec_dos(mbps=100) , output:2 Lookup Flow table Security actions sec_dos(mbps=500),sec_scan(…) ,output:3 Flow_B 13 /36

  14. Security actions of UNISAFE • High-compatibility with common OpenFlow actions - actions=sec_dos(mbps=1000),set_nw_src(…),output:2 • Fine-grained security enforcement per a flow - in_port=1,nw_src=10.0.0.1,tp_dst=80,actions=sec_dos(…),… - in_port=2,nw_dst=10.0.1.2,actions=sec_dpi(…),… • Easy configuration for a security service chaining - actions=sec_dos(…),sec_scan(…),sec_dpi(…),… 14 /36

  15. Performance in UNISAFE • Achieve line-rate latency for all security Throughput 110 forwarding dos scan1 100 scan5 dpi100 dpi500 90 dpi1000 • But, lack of throughput in some actions 80 70 •Payload Inspection (DPI) throughput Throughput(%) 60 ⁃ Throughput less than 100Mbps on 1Gbps 50 40 30 20 10 0 1 10 50 100 500 1000 Bandwidth(Mbps) 15 /36

  16. Performance in UNISAFE • Achieve line-rate latency for all security Throughput 110 forwarding dos scan1 100 scan5 dpi100 dpi500 90 dpi1000 • But, lack of throughput in some actions 80 Challenge 1: 70 •Payload Inspection (DPI) throughput Throughput(%) 60 Performance limitation ⁃ Throughput less than 100Mbps on 1Gbps 50 40 30 20 10 0 1 10 50 100 500 1000 Bandwidth(Mbps) 16 /36

  17. Security operation in UNISAFE • Manual operation for security violations by an administrator ? Controller Manual Operation 17 /36

  18. Security operation in UNISAFE • Manual operation for security violations by an administrator ? Challenge 2: Security operation Controller Manual Operation 18 /36

  19. HEX Switch: 
 Hardware-assisted security extensions of OpenFlow • Hardware-based approach for UNISAFE • Using NetFPGA • Providing line-rate performance with configurability Controller 
 Security Actions Security Policy communication 19 /36

  20. Intf. 2 Buffering (BRAM) Input Arbiter + Output queue Action processor Host Intf. Intf. 3 Intf. 1 Intf. 0 Inspection Data Storage Update Data Storage Read (Input selection) < HEX Security Processor > Intf. 1 (Forwarding) Policy Decision Intf. 0 Packet preprocessor Intf. 2 Intf. 3 Host Intf. Flow Table Controller Data Storage Design • Security Processor between the packet processing sequence. • Six-stages pipeline: Mainly consist of data storage and inspection logic • Flow table controller forwards flow keys, stats and action key after matching g s M t r e l Input output A s t a y Stage 1 Stage 2 Stage 3 Stage 4-5 Stage 6 t s e k , y y n e e o k k i t w w c o A o l l F F & Packet Packet bu ff er 20 /36

  21. Flow Table Controller (Input selection) Input Arbiter + Output queue Action processor Host Intf. Intf. 3 Intf. 2 Intf. 1 Intf. 0 Inspection Data Storage Data Storage Data Storage Read Update Buffering Intf. 0 < HEX Security Processor > (Forwarding) Policy Decision Packet preprocessor (BRAM) Intf. 1 Intf. 2 Intf. 3 Host Intf. Flow Table Controller Design • Security Processor between the packet processing sequence. • Six-stages pipeline: Mainly consist of data storage and inspection logic • Flow table controller forwards flow keys, stats and action key after matching g s M t r e l Input output A s t a y Stage 1 Stage 2 Stage 3 Stage 4-5 Stage 6 t s e k , y y n e e o k k i t w w c o A o l l F F & Packet Packet bu ff er 21 /36

  22. (BRAM) Host Intf. Data Storage Inspection Intf. 0 Intf. 1 Intf. 2 Intf. 3 Action processor Data Storage Update Data Storage Read (Forwarding) Policy Decision Input Arbiter + Output queue Update Data Storage Read Intf. 1 Data Storage (Input selection) Packet preprocessor Intf. 0 Data Storage Intf. 2 Intf. 3 Host Intf. Flow Table Controller < HEX Security Processor > Buffering (BRAM) Design • Security Processor between the packet processing sequence. • Six-stages pipeline: Mainly consist of data storage and inspection logic • Flow table controller forwards flow keys, stats and action key after matching g s M t r e l Input output A s t a y Stage 1 Stage 2 Stage 3 Stage 4-5 Stage 6 t s e k , y y n e e o k k i t w w c o A o l l F F & Packet Packet bu ff er 22 /36

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ETRA-SWITCH STUDY Switch to Etravirine from PI-Based Regimen ETRA-SWITCH: Design Study Design:

ETRA-SWITCH STUDY Switch to Etravirine from PI-Based Regimen ETRA-SWITCH: Design Study Design:

Switch to Etravirine from PI-Based Regimen ETRA-SWITCH STUDY Switch to Etravirine from PI-Based Regimen ETRA-SWITCH: Design Study Design: ETRA-SWITCH Background : Open label, randomized phase 3b trial that enrolled patients with suppressed

188 views • 7 slides
CHAPTER II SWITCH NETWORKS AND SWITCH DESIGN R.M. Dansereau; v.1.0 SWITCH NETWORKS SWITCH

CHAPTER II SWITCH NETWORKS AND SWITCH DESIGN R.M. Dansereau; v.1.0 SWITCH NETWORKS SWITCH

SWITCH DESIGN CHAPTER II CHAPTER II-1 SWITCH DESIGN CHAPTER II SWITCH NETWORKS AND SWITCH DESIGN R.M. Dansereau; v.1.0 SWITCH NETWORKS SWITCH DESIGN SWITCH NETWORKS CHAPTER II-2 BASIC IDEAL SWITCH SWITCH DESIGN Simplest

348 views • 24 slides
SDG 12.1 Reporting for SWITCH-Asia Countries Connecting the dots between actions and

SDG 12.1 Reporting for SWITCH-Asia Countries Connecting the dots between actions and

SDG 12.1 Reporting for SWITCH-Asia Countries Connecting the dots between actions and reporting Luz Fernandez, PhD luz.fernandezgarcia@un.org Programme Officer, RPAC SWITCH Asia What is SWITCH-Asia? SWITCH Asia I - 2007-2014 SWITCH Asia II

125 views • 10 slides
A Genetic Toggle Switch Using DNA Recombinases Michigan Synthetic Biology Team 2012 Switch

A Genetic Toggle Switch Using DNA Recombinases Michigan Synthetic Biology Team 2012 Switch

A Genetic Toggle Switch Using DNA Recombinases Michigan Synthetic Biology Team 2012 Switch Design and Modeling Mike Contemporary Bistable Switch Disadvantages The state is actively maintained Sensitive Complexity Lou et al.,

792 views • 52 slides
Switch-a-roo: engineering a photoresponsive E.colight switch Team Macquarie University

Switch-a-roo: engineering a photoresponsive E.colight switch Team Macquarie University

Switch-a-roo: engineering a photoresponsive E.colight switch Team Macquarie University Sydney, Australia What are the elements of switch -a- roo? Phytochrome Protein that binds chromophore Chromophore PDB 1ZTU

422 views • 18 slides
So Trendy, So Smart, So Switch ON ! WHO ARE WE ? S ince 1995, Switch Vibration

So Trendy, So Smart, So Switch ON ! WHO ARE WE ? S ince 1995, Switch Vibration

So Trendy, So Smart, So Switch ON ! WHO ARE WE ? S ince 1995, Switch Vibration accompanies you in the organization and animation of your events. With these many years of experience, the company, in constant evolution, has developed

504 views • 12 slides
Switch of Anti-Platelets: for whom and how? Switch des AAP: pour qui et comment ? Prof. Emanuele

Switch of Anti-Platelets: for whom and how? Switch des AAP: pour qui et comment ? Prof. Emanuele

Switch of Anti-Platelets: for whom and how? Switch des AAP: pour qui et comment ? Prof. Emanuele Barbato, MD, PhD, FESC University Federico II, Italy 30-31 Janvier 1 er Fvrier 2019 CONFLICT OF INTERESTS Speakers fee from BSCI and Abbott

776 views • 25 slides
The recent switch lowering improvements Hans Wennborg hwennborg@google.com A Switch C: switch

The recent switch lowering improvements Hans Wennborg hwennborg@google.com A Switch C: switch

The recent switch lowering improvements Hans Wennborg hwennborg@google.com A Switch C: switch (x) { LLVM IR: case 0: // foo switch i32 %x, label %baz [ case 1: i32 0, label %foo // bar i32 1, label %bar ... ... default: ] // baz

248 views • 22 slides
Switch Energy Alliance A 501(c)(3) dedicated to inspiring an energy-educated future that is

Switch Energy Alliance A 501(c)(3) dedicated to inspiring an energy-educated future that is

Switch Energy Alliance A 501(c)(3) dedicated to inspiring an energy-educated future that is objective, nonpartisan, and sensible. Films: Switch and Switch On Videos : 300+ short energy videos Switch Classroom: Online energy education platform

178 views • 5 slides
Generic External Memory for Switch Data Planes Daehyeok Kim Yibo Zhu, Changhoon Kim, Jeongkeun

Generic External Memory for Switch Data Planes Daehyeok Kim Yibo Zhu, Changhoon Kim, Jeongkeun

Generic External Memory for Switch Data Planes Daehyeok Kim Yibo Zhu, Changhoon Kim, Jeongkeun Lee, Srinivasan Seshan Enabling Virtual Switching on ToR Switch Move virtual switch (Tenant, VM IP) Host IP Multi-million to ToR switch (1,

246 views • 20 slides
Chapter 4. Switch Realization 4.1. Switch applications Single-, two-, and four-quadrant switches.

Chapter 4. Switch Realization 4.1. Switch applications Single-, two-, and four-quadrant switches.

Chapter 4. Switch Realization 4.1. Switch applications Single-, two-, and four-quadrant switches. Synchronous rectifiers 4.2. A brief survey of power semiconductor devices Power diodes, MOSFETs, BJTs, IGBTs, and thyristors 4.3. Switching loss

783 views • 77 slides
Switch-mode converters as feedback systems A B m e v o v d

Switch-mode converters as feedback systems A B m e v o v d

Mor M. Peretz, Switch-Mode Power Supplies [8-1] Control of switch-mode converters [8-2] Mor M. Peretz, Switch-Mode Power Supplies Control objectives Produce control command to Regulate the output voltage Obtain zero or small

600 views • 17 slides
CPSC 213 Switch Statements, Understanding Pointers - 2nd ed: 3.6.7, 3.10 - 1st ed: 3.6.6,

CPSC 213 Switch Statements, Understanding Pointers - 2nd ed: 3.6.7, 3.10 - 1st ed: 3.6.6,

Readings for Next Two Lectures Text CPSC 213 Switch Statements, Understanding Pointers - 2nd ed: 3.6.7, 3.10 - 1st ed: 3.6.6, 3.11 Introduction to Computer Systems Unit 1f Dynamic Control Flow Polymorphism and Switch Statements 1 2

266 views • 7 slides
875450 4K Presentation switch 7/2 User Manual 875450 4K Presentation switch 7/2 User Manual Thank

875450 4K Presentation switch 7/2 User Manual 875450 4K Presentation switch 7/2 User Manual Thank

875450 4K Presentation switch 7/2 User Manual 875450 4K Presentation switch 7/2 User Manual Thank you for purchasing this product. For optimum performance and safety, please read these instructions carefully before connecting, operating or

363 views • 20 slides
875450 4K Presentation switch 7/2 User Manual 875450 4K Presentation switch 7/2 User Manual Thank

875450 4K Presentation switch 7/2 User Manual 875450 4K Presentation switch 7/2 User Manual Thank

875450 4K Presentation switch 7/2 User Manual 875450 4K Presentation switch 7/2 User Manual Thank you for purchasing this product. For optimum performance and safety, please read these instructions carefully before connecting, operating or

699 views • 18 slides
CS 457 Lecture 9 ATM and Switch Implementations Fall 2011 Recall: Introduced Switches

CS 457 Lecture 9 ATM and Switch Implementations Fall 2011 Recall: Introduced Switches

CS 457 Lecture 9 ATM and Switch Implementations Fall 2011 Recall: Introduced Switches Switch breaks subnet into LAN segments Switch filters packets Frame only forwarded to the necessary segments Segments become separate

783 views • 30 slides
Bertrand Meyer Lecture 6: More patterns: Visitor, Strategy, Chain, State, Command 1 Command 2

Bertrand Meyer Lecture 6: More patterns: Visitor, Strategy, Chain, State, Command 1 Command 2

Software Architecture Software Architecture Bertrand Meyer Lecture 6: More patterns: Visitor, Strategy, Chain, State, Command 1 Command 2 2 Command pattern - Intent Purpose Way to implement an undo-redo mechanism, e.g. in text y p g

1.11k views • 82 slides
Downtown Pensacola Perception Study September 2017 Contents Purpose and Methodology 3 Key

Downtown Pensacola Perception Study September 2017 Contents Purpose and Methodology 3 Key

Downtown Pensacola Perception Study September 2017 Contents Purpose and Methodology 3 Key Findings 4 5 Downtown Patron Profile Net Promoter Score 6 Downtown Perceptions 9 Delivery vs Expectations 10 Missing from Downtown 13

571 views • 16 slides
Fermilab Measurement of Muon g-2 Dave Kawall, University of Massachusetts Amherst, on behalf of the

Fermilab Measurement of Muon g-2 Dave Kawall, University of Massachusetts Amherst, on behalf of the

Fermilab Measurement of Muon g-2 Dave Kawall, University of Massachusetts Amherst, on behalf of the Muon g -2 Collaboration Goal: Measure the muon anomalous magnetic moment a to 140 ppb, a fourfold improvement over the 540 ppb precision of

740 views • 39 slides
CSC 2515 Lecture 11: Differential Privacy Roger Grosse University of Toronto UofT CSC 2515:

CSC 2515 Lecture 11: Differential Privacy Roger Grosse University of Toronto UofT CSC 2515:

CSC 2515 Lecture 11: Differential Privacy Roger Grosse University of Toronto UofT CSC 2515: 11-Differential Privacy 1 / 53 Overview So far, this class has been about getting algorithms to perform well according to some metric (e.g.

970 views • 53 slides
KMyMoney The BEST Personal Finance Manager for the LINUX User Thomas Baumgart KDE Akademy 2008

KMyMoney The BEST Personal Finance Manager for the LINUX User Thomas Baumgart KDE Akademy 2008

KMyMoney The BEST Personal Finance Manager for the LINUX User Thomas Baumgart KDE Akademy 2008 10.08.2008, Sint-Katelijne-Waver, Belgium KMyMoney - the BEST Personal Finance Manager for the LINUX user Overview History Project

448 views • 21 slides
Semantics and Verification 2005 Lecture 7 bisimulation as a fixed point Hennessy-Milner logic

Semantics and Verification 2005 Lecture 7 bisimulation as a fixed point Hennessy-Milner logic

Bisimulation as a Fixed Point Hennessy-Milner Logic with One Recursive Definition Selection of Temporal Properties Semantics and Verification 2005 Lecture 7 bisimulation as a fixed point Hennessy-Milner logic with recursively defined variables

487 views • 12 slides
RPL: IPv6 Routing Protocol for Low Power and Lossy Networks (draft-ietf-roll-rpl-04) RPL Design

RPL: IPv6 Routing Protocol for Low Power and Lossy Networks (draft-ietf-roll-rpl-04) RPL Design

RPL: IPv6 Routing Protocol for Low Power and Lossy Networks (draft-ietf-roll-rpl-04) RPL Design Team ROLL WG Meeting 76th IETF Meeting Hiroshima, Japan 11/10/2009 76th IETF Meeting - ROLL WG 1 Outline Basic Approach Mechanism

758 views • 39 slides
Homogeneous Systems of Linear Differential Equations with Constant Coefficients and Complex

Homogeneous Systems of Linear Differential Equations with Constant Coefficients and Complex

Overview Complex Eigenvalues An Example Homogeneous Systems of Linear Differential Equations with Constant Coefficients and Complex Eigenvalues Bernd Schr oder logo1 Bernd Schr oder Louisiana Tech University, College of Engineering

1.13k views • 59 slides

More recommend