multi multi multi multi layer access control layer access
play

Multi Multi Multi- Multi - - -Layer Access Control Layer - PowerPoint PPT Presentation

May 01, 2023 •514 likes •722 views

Multi Multi Multi- Multi - - -Layer Access Control Layer Access Control Layer Access Control Layer Access Control for SDN for SDN- for SDN for SDN for SDN- for SDN for SDN for SDN - -based Telco Clouds -based Telco Clouds - -

  1. Multi Multi Multi- Multi - - -Layer Access Control Layer Access Control Layer Access Control Layer Access Control for SDN for SDN- for SDN for SDN for SDN- for SDN for SDN for SDN - -based Telco Clouds -based Telco Clouds - - - based Telco Clouds based Telco Clouds based Telco Clouds based Telco Clouds based Telco Clouds based Telco Clouds (result of a joint CELTIC research project called SASER (result of a joint CELTIC research project called SASER (result of a joint CELTIC research project called SASER (result of a joint CELTIC research project called SASER – – – – SAve and SEcure Routing) SAve and SEcure Routing) SAve and SEcure Routing) SAve and SEcure Routing) Bernd Jaeger 1 , Christian Röpke 2 , Iris Adam 1 , Thorsten Holz 2 1: Nokia Networks 2: Ruhr-University Bochum

  2. SDN Security SDN Security SDN Security SDN Security Often postulated: two different flavors of SDN security Security of the SDN Architecture SDN-based Security Functions SDN-based Security Functions � The analysis combines both aspects at the example of a SIP signaling SDN network with focus on the security of the SDN architecture � Assumed are multiple applications on top of a single SDN controller, controlling a number of (partly) chained security functions in a SDN switch � The applications and the SDN controller are assumed to run in a telco cloud with the worst- case threat that an application gets compromised and then acts maliciously 2 Nokia Networks; Ruhr-University Bochum Multi-Layer Access Control for SDN-based Telco Clouds 10/21/2015

  3. Split of Physical Network Elements into VNFs and Split of Physical Network Elements into VNFs and Split of Physical Network Elements into VNFs and Split of Physical Network Elements into VNFs and Simplified SIP SDN Network SDN SDN- SDN SDN - - -based Security Functions based Security Functions based Security Functions based Security Functions Physical Network Elements VNFs in a Telco Cloud CSCF CSCF PCRF PCRF DoS Detection DoS Detection SIP SIP SIP Blacklist SIP Blacklist Blacklist PGW Security Functions PCEF in a SDN Switch SIP PCEF SIP Blacklist Blacklist 3 Nokia Networks; Ruhr-University Bochum Multi-Layer Access Control for SDN-based Telco Clouds 10/21/2015

  4. Simplified Example: Mobile Simplified Example: Mobile Simplified Example: Mobile Simplified Example: Mobile- - -Internet Conference - Internet Conference Internet Conference Internet Conference SIP SDN Protection Telco Cloud eNBi UE Attacker Model Conf. App X PCRF CSCF CSCF UE Service Management System • Malicious end user systems exploit vulnerabilities in cloud Northbound Interface applications eNBj EXT EXT EXT EXT UE • Attackers exploit SDN controller Controller Services SDN vulnerabilities by sending UE Ctr Southbound Interface specially crafted packets to an SDN switch triggering it to SDN switch triggering it to SDN Switch delegate these packets to the Sig Data SDN controller SDN PCEF • Cloud applications respectively Blackl. SDN controller extensions – Internet intentionally or unintentionally – attack and infect other cloud AppX AppX App X traffic traffic applications or SDN controller components UE - User Equipment PCRF – Policy & Charging Rules Function SDN Ctr – SDN Controller eNB – eNodeB (base station) PCEF – Policy & Charging Enforcement Function EXT - Extension Sig – Signaling CSCF – Call Session Control Function Blackl. - Blacklist 4 Nokia Networks; Ruhr-University Bochum Multi-Layer Access Control for SDN-based Telco Clouds 10/21/2015

  5. Simplified Example: Mobile- Simplified Example: Mobile Simplified Example: Mobile Simplified Example: Mobile -Internet Conference - - Internet Conference Internet Conference Internet Conference SIP SDN Protection Telco Cloud eNBi UE Attacker Model Conf. App X PCRF CSCF UE Service Management System • Malicious end user systems exploit vulnerabilities in cloud Northbound Interface applications eNBj EXT EXT EXT EXT EXT UE • Attackers exploit SDN controller Controller Services Controller Services SDN vulnerabilities by sending UE Ctr Southbound Interface specially crafted packets to an SDN switch triggering it to SDN switch triggering it to SDN Switch delegate these packets to the Sig Data SDN controller SDN PCEF • Cloud applications respectively Blackl. SDN controller extensions – Internet intentionally or unintentionally – attack and infect other cloud AppX AppX App X traffic traffic applications or SDN controller components UE - User Equipment PCRF – Policy & Charging Rules Function SDN Ctr – SDN Controller eNB – eNodeB (base station) PCEF – Policy & Charging Enforcement Function EXT - Extension Sig – Signaling CSCF – Call Session Control Function Blackl. - Blacklist 5 Nokia Networks; Ruhr-University Bochum Multi-Layer Access Control for SDN-based Telco Clouds 10/21/2015

  6. Simplified Example: Mobile- Simplified Example: Mobile Simplified Example: Mobile Simplified Example: Mobile - -Internet Conference - Internet Conference Internet Conference Internet Conference SIP SDN Protection Telco Cloud eNBi UE Attacker Model Conf. PCRF App X App X PCRF CSCF UE Service Management System • Malicious end user systems exploit vulnerabilities in cloud Northbound Interface applications eNBj EXT EXT EXT EXT EXT UE • Attackers exploit SDN controller Controller Services SDN vulnerabilities by sending UE Ctr Southbound Interface specially crafted packets to an SDN switch triggering it to SDN switch triggering it to SDN Switch delegate these packets to the Sig Data SDN controller SDN PCEF • Cloud applications respectively Blackl. SDN controller extensions – Internet intentionally or unintentionally – attack and infect other cloud AppX AppX App X traffic traffic applications or SDN controller components UE - User Equipment PCRF – Policy & Charging Rules Function SDN Ctr – SDN Controller eNB – eNodeB (base station) PCEF – Policy & Charging Enforcement Function EXT - Extension Sig – Signaling CSCF – Call Session Control Function Blackl. - Blacklist 6 Nokia Networks; Ruhr-University Bochum Multi-Layer Access Control for SDN-based Telco Clouds 10/21/2015

  7. Multi Multi- Multi Multi -Layer Access Control - - Layer Access Control Layer Access Control Layer Access Control SIP SDN Protection • A Policy Enforcement (PE) unit provides Telco Cloud protection against malicious behavior of northbound applications and SDN controller CSCF App X PCRF Application extensions, provided by means of a descriptor Layer from an independent management system agement System • On Application Layer the Policy Enforcement Northbound Interface unit restricts the allowed instruction set EXT EXT EXT EXT according to an application profile criptor Managem Control Control Descript • On Control Layer the allowed instruction set of • On Control Layer the allowed instruction set of SDN-specific EXT Interface SDN-specific EXT Interface PE PE Layer Layer SDN controller extensions is reduced by high- Controller-specific EXT Service level permissions in an SDN controller Controller Services independent fashion SDN Ctr Southbound Interface • SDN controller independence can be achieved by providing an additional layer that adapts the high-level permissions to the respective SDN Switch SDN controller specifics 7 Nokia Networks; Ruhr-University Bochum Multi-Layer Access Control for SDN-based Telco Clouds 10/21/2015

  8. Assigning Applications to Forwarding Tables Assigning Applications to Forwarding Tables Assigning Applications to Forwarding Tables Assigning Applications to Forwarding Tables SIP SDN Protection Telco Cloud • A first step to increase security is to separate the flow App X App X PCRF PCRF CSCF CSCF rules of the respective applications into separate Management System Forwarding Tables (FT) Northbound Interface • With that Forwarding Tables are decoupled unless they work on the same traffic stream. If so, they are still EXT EXT EXT EXT Descriptor able to affect each other. PE SDN-specific EXT Interface • But even if the Forwarding Tables are completely De Controller-specific EXT Service Controller-specific EXT Service decoupled from each other, they are still not protected decoupled from each other, they are still not protected Ma against attacks because each of the applications in the Controller Services SDN Telco Cloud can be potentially compromised and then Ctr Southbound Interface send malicious instructions to the SDN controller • This may e.g. result in DoS attacks (drop *.*), in FT1 illegitimate service consumption attacks, in PCEF PCEF manipulation of traffic integrity or in eavesdropping Blackl. Blackl. attacks by copying the traffic to an unauthorized FT2 destination FT3 AppX App X App X traffic SDN Switch 8 Nokia Networks; Ruhr-University Bochum Multi-Layer Access Control for SDN-based Telco Clouds 10/21/2015

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A multi- -layer layer A multi A multi-layer research and training platform research and

A multi- -layer layer A multi A multi-layer research and training platform research and

Final Workshop of CDC 2002-2007 Tallinn, Brotherhood of the Blackheads, 21 22 January 2008 A multi- -layer layer A multi A multi-layer research and training platform research and training platform research and training platform for

769 views • 35 slides
Routing in Multi- -Layer Layer Routing in Multi Transport Networks Transport Networks

Routing in Multi- -Layer Layer Routing in Multi Transport Networks Transport Networks

I nternational Telecom m unication Union ITU-T Routing in Multi- -Layer Layer Routing in Multi Transport Networks Transport Networks Jonathan S adler Office of the CTO Technology S trategy, Tellabs Chair, OIF Architecture & S

483 views • 29 slides
Overview Multi-layer networks: Cognitive Modeling limits of single layer networks; Lecture

Overview Multi-layer networks: Cognitive Modeling limits of single layer networks; Lecture

Overview Multi-layer networks: Cognitive Modeling limits of single layer networks; Lecture 12: Connectionist Networks: multi-layer networks: solution to XOR; Multi-layer Networks; Backpropagation properties of multi-layer networks;

581 views • 4 slides
Multi Layer Performance Based PCE Enhancements to ONOS Controller for SD WAN Packet Optical

Multi Layer Performance Based PCE Enhancements to ONOS Controller for SD WAN Packet Optical

Multi Layer Performance Based PCE Enhancements to ONOS Controller for SD WAN Packet Optical Integration David Altstaetter , CALIENT Technologies Raghu Gangi , ADARA Networks What is Multi-Layer Convergence? Bringing the physical Layer into the

504 views • 13 slides
Influence of Array Storage and Access Methods on Performance of Multi-Dimensional Arrays Used in

Influence of Array Storage and Access Methods on Performance of Multi-Dimensional Arrays Used in

Influence of Array Storage and Access Methods on Performance of Multi-Dimensional Arrays Used in Programs with High Cache Reuse Tian Jin and David Wonnacott Multi-dimensional Array Access Pattern 1). Array of Pointers A layer of pointers

197 views • 3 slides
Minimizing resource protection in IP over WDM networks: Multi- layer Shared Backup Router A.

Minimizing resource protection in IP over WDM networks: Multi- layer Shared Backup Router A.

Minimizing resource protection in IP over WDM networks: Multi- layer Shared Backup Router A. Mayoral, V. Lpez, Ori Gerstel, Eleni Palkopoulou, O. Gonzalez de Dios, J.P. Fernndez-Palacios Index Introduction 01 Multi-layer Restoration

452 views • 18 slides
COMMON: Coordinated Multi layer Multi domain Optical Network Framework for Large scale

COMMON: Coordinated Multi layer Multi domain Optical Network Framework for Large scale

COMMON: Coordinated Multi layer Multi domain Optical Network Framework for Large scale Science Applications (2010 2013) PI: Dr. Vinod Vokkarane Associate Professor, University of Massachusetts at Dartmouth (Currently on Sabbatical:

749 views • 48 slides
Multi-rate Medium Access Control David Holmer dholmer@jhu.edu What is Multi-Rate? Ability

Multi-rate Medium Access Control David Holmer dholmer@jhu.edu What is Multi-Rate? Ability

Multi-rate Medium Access Control David Holmer dholmer@jhu.edu What is Multi-Rate? Ability of a wireless card to automatically operate at several different bit-rates (e.g. 1, 2, 5.5, and 11 Mbps for 802.11b) Part of many existing

603 views • 18 slides
COMMON: Coordinated Multi-layer Multi-domain Optical Network Framework for Large-scale Science

COMMON: Coordinated Multi-layer Multi-domain Optical Network Framework for Large-scale Science

COMMON: Coordinated Multi-layer Multi-domain Optical Network Framework for Large-scale Science Applications Vinod Vokkarane (University of Massachusetts at Dartmouth) Addendum - Updated list of Project Tasks and Deliverables We intend to

562 views • 3 slides
COMMON: Coordinated Multi-layer Multi-domain Optical Network Framework for Large-scale Science

COMMON: Coordinated Multi-layer Multi-domain Optical Network Framework for Large-scale Science

COMMON: Coordinated Multi-layer Multi-domain Optical Network Framework for Large-scale Science Applications (2010-2013) PI: Dr. Vinod Vokkarane Associate Professor, University of Massachusetts at Dartmouth (Sabbatical: Visiting Scientist, MIT)

589 views • 29 slides
Spiking row-by-row FPGA Multi-kernel and Multi-layer Convolution Processor. Ricardo Tapiador

Spiking row-by-row FPGA Multi-kernel and Multi-layer Convolution Processor. Ricardo Tapiador

Spiking row-by-row FPGA Multi-kernel and Multi-layer Convolution Processor. Ricardo Tapiador Morales Robotic & Tech of Computers Lab, University of Seville ricardo@atc.us.es Convolutional neural networks ricardo@atc.us.es 2

370 views • 12 slides
AGENDA Multi-access Edge Computing(MEC) use cases K8s/Openshift as candidate for Edge PaaS

AGENDA Multi-access Edge Computing(MEC) use cases K8s/Openshift as candidate for Edge PaaS

K8s(Kubernetes) and SDN for Multi-access Edge Computing deployment Open Source Summit | 2017.06.02 | Red Hat Hyde SUGIYAMA Senior Principal Technologist NFV | SDN | ICT Red Hat APAC Office of Technology AGENDA Multi-access Edge

762 views • 28 slides
Multi-Source Adjustment of Multi-Layer Annotation: the Bits of Wisdom Approach Kilian Evang 20

Multi-Source Adjustment of Multi-Layer Annotation: the Bits of Wisdom Approach Kilian Evang 20

Multi-Source Adjustment of Multi-Layer Annotation: the Bits of Wisdom Approach Multi-Source Adjustment of Multi-Layer Annotation: the Bits of Wisdom Approach Kilian Evang 20 January 2012 http://gmb.let.rug.nl 1/1 Multi-Source Adjustment of

611 views • 14 slides
OFC/NFOEC 2012 Review on Multi-Layer Networks, Network Virtualization, and Survivability Ferhat

OFC/NFOEC 2012 Review on Multi-Layer Networks, Network Virtualization, and Survivability Ferhat

OFC/NFOEC 2012 Review on Multi-Layer Networks, Network Virtualization, and Survivability Ferhat Dikbiyik April 6, 2012 Group Meeting Presentation, Davis, CA Page 1 Sessions Reviewed Multi-Layer Awareness and Management (NFOEC)

670 views • 48 slides
Multi-Layer vs. Single-Layer Networks Single-layer networks based on a linear combination of

Multi-Layer vs. Single-Layer Networks Single-layer networks based on a linear combination of

Multi-Layer vs. Single-Layer Networks Single-layer networks based on a linear combination of the input variables which is transformed by linear/non-linear activation function are limited in terms of the range of functions they can

1.69k views • 22 slides
CompSci 356: Computer Network Architectures Lecture 5: Reliable Transmission and Multi-access

CompSci 356: Computer Network Architectures Lecture 5: Reliable Transmission and Multi-access

CompSci 356: Computer Network Architectures Lecture 5: Reliable Transmission and Multi-access links Chapter 2.4, 2.5, 2.6 Xiaowei Yang xwy@cs.duke.edu Overview Link layer functions Encoding NRZ, NRZI, Manchester, 4B/5B Framing

897 views • 87 slides
Santander EC European Future Internet Science Projects & Industrial Based

Santander EC European Future Internet Science Projects & Industrial Based

Future Internet Cluster 9 June 2009 Santander EC European Future Internet Science Projects & Industrial Based Scientific & Approach Approach Commercial Relevance FI Cluster EIFFEL FIA ETPs (with links to FIRE,

119 views • 7 slides
Meanings of Violence Cohen and Vandello What will article be about? Empirically: a

Meanings of Violence Cohen and Vandello What will article be about? Empirically: a

Meanings of Violence Cohen and Vandello What will article be about? Empirically: a "culture of violence" in the American South "In the South, insults have very serious meanings, and they must occasionally be

439 views • 21 slides
Prizes and Awards Ceremony 2020 Thursday, 8 October the ceremony will commence at 5pm AEST

Prizes and Awards Ceremony 2020 Thursday, 8 October the ceremony will commence at 5pm AEST

School of Literature, Art and Media Prizes and Awards Ceremony 2020 Thursday, 8 October the ceremony will commence at 5pm AEST The University of Sydney Page 1 We acknowledge the tradition of custodianship and law of the Country on

1.2k views • 76 slides
Welsh ICL UNI HEIDELBERG HS LOW RESOURCE LANGUAGES KATHARINA ALLGAIER 18.04.2016

Welsh ICL UNI HEIDELBERG HS LOW RESOURCE LANGUAGES KATHARINA ALLGAIER 18.04.2016

Language Resource Assessment Welsh ICL UNI HEIDELBERG HS LOW RESOURCE LANGUAGES KATHARINA ALLGAIER 18.04.2016 Cymraeg Celtic language can be traced back to 600 AD was spoken widely all over GB Spoken in Wales

317 views • 10 slides
Digital Humanities, Medieval History, and Lexicography: Dictionary of Medieval Names from European

Digital Humanities, Medieval History, and Lexicography: Dictionary of Medieval Names from European

Digital Humanities, Medieval History, and Lexicography: Dictionary of Medieval Names from European Sources Dr. Sara L. Uckelman Dept. of Philosophy / Institute for Medieval and Early Modern Studies Durham University @SaraLUckelman , @theDMNES

352 views • 20 slides
A quick review The clustering problem: partition genes into distinct sets with high

A quick review The clustering problem: partition genes into distinct sets with high

A quick review The clustering problem: partition genes into distinct sets with high homogeneity and high separation Hierarchical clustering algorithm: 1. Assign each object to a separate cluster. 2. Regroup the pair of clusters

488 views • 28 slides
Inves&ga&on of surface homogeneity of mirrors for the

Inves&ga&on of surface homogeneity of mirrors for the

Inves&ga&on of surface homogeneity of mirrors for the CBM-RICH detector and low-mass di-electron feasibility studies Elena Lebedeva

381 views • 35 slides
Take two minutes to get your Packet, Folder, and Signals before we begin today's lesson. Aim 2.4:

Take two minutes to get your Packet, Folder, and Signals before we begin today's lesson. Aim 2.4:

AIM(2.4): How do we create a linear function from a situation? Take two minutes to get your Packet, Folder, and Signals before we begin today's lesson. Aim 2.4: How do we create a linear function from a situation? HW: Worksheet 2.4 DoNow

319 views • 12 slides

More recommend