security assessment on a vxlan based network
play

Security assessment on a VXLAN-based network Guido Pineda Reyes - PowerPoint PPT Presentation

Jan 09, 2023 •104 likes •430 views

Introduction VXLAN prototype Security assessment Q&A Security assessment on a VXLAN-based network Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam February 5, 2014 Guido Pineda Reyes Security

  1. Introduction VXLAN prototype Security assessment Q&A Security assessment on a VXLAN-based network Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam February 5, 2014 Guido Pineda Reyes Security assessment on a VXLAN-based network

  2. Introduction VXLAN prototype Security assessment Q&A Outline 1 Introduction Virtual eXtensible LAN Research question Approach 2 VXLAN prototype 3 Security assessment MAC Flood Attack Double-Encapsulated 802.1Q/Nested VLAN Attack ARP Attack UDP Flood Attack Future research Conclusions 4 Q&A Guido Pineda Reyes Security assessment on a VXLAN-based network

  3. Introduction Virtual eXtensible LAN VXLAN prototype Research question Security assessment Approach Q&A Outline 1 Introduction Virtual eXtensible LAN Research question Approach 2 VXLAN prototype 3 Security assessment MAC Flood Attack Double-Encapsulated 802.1Q/Nested VLAN Attack ARP Attack UDP Flood Attack Future research Conclusions 4 Q&A Guido Pineda Reyes Security assessment on a VXLAN-based network

  4. Introduction Virtual eXtensible LAN VXLAN prototype Research question Security assessment Approach Q&A Virtual eXtensible LAN Introduction Still an Internet Draft, current revision: 7th Allows to extend logical networks Encapsulates layer MAC-based Layer 2 frames within a UDP packet Up to 16 million logical networks Security measurements have not been performed yet Guido Pineda Reyes Security assessment on a VXLAN-based network

  5. Introduction Virtual eXtensible LAN VXLAN prototype Research question Security assessment Approach Q&A Virtual eXtensible LAN Typical use case Guido Pineda Reyes Security assessment on a VXLAN-based network

  6. Introduction Virtual eXtensible LAN VXLAN prototype Research question Security assessment Approach Q&A Outline 1 Introduction Virtual eXtensible LAN Research question Approach 2 VXLAN prototype 3 Security assessment MAC Flood Attack Double-Encapsulated 802.1Q/Nested VLAN Attack ARP Attack UDP Flood Attack Future research Conclusions 4 Q&A Guido Pineda Reyes Security assessment on a VXLAN-based network

  7. Introduction Virtual eXtensible LAN VXLAN prototype Research question Security assessment Approach Q&A Research questions Main question: How feasible are the known VLAN attacks in a VXLAN environment? Subquestions: Which attacks were successful? What is the difference between these attacks in a VLAN and a VXLAN environment? Is there anyway to prevent them or mitigate them? Guido Pineda Reyes Security assessment on a VXLAN-based network

  8. Introduction Virtual eXtensible LAN VXLAN prototype Research question Security assessment Approach Q&A Outline 1 Introduction Virtual eXtensible LAN Research question Approach 2 VXLAN prototype 3 Security assessment MAC Flood Attack Double-Encapsulated 802.1Q/Nested VLAN Attack ARP Attack UDP Flood Attack Future research Conclusions 4 Q&A Guido Pineda Reyes Security assessment on a VXLAN-based network

  9. Introduction Virtual eXtensible LAN VXLAN prototype Research question Security assessment Approach Q&A Approach Build the VXLAN prototype. Deploy the security assessment on the prototype. Focus on successful attacks. Understand how this attacks work to give a solution on how to mitigate or prevent them. Guido Pineda Reyes Security assessment on a VXLAN-based network

  10. Introduction VXLAN prototype Security assessment Q&A VXLAN prototype Design Guido Pineda Reyes Security assessment on a VXLAN-based network

  11. Introduction VXLAN prototype Security assessment Q&A VXLAN prototype Options VMware vSphere products VMware vSphere + Cisco Nexus 1000v VXLAN Linux implementation (needs kernel modification) Guido Pineda Reyes Security assessment on a VXLAN-based network

  12. Introduction VXLAN prototype Security assessment Q&A VXLAN prototype Connectivity tests: UDP encapsulated traffic Guido Pineda Reyes Security assessment on a VXLAN-based network

  13. Introduction VXLAN prototype Security assessment Q&A VXLAN prototype Connectivity tests: VXLAN encapsulation Guido Pineda Reyes Security assessment on a VXLAN-based network

  14. MAC Flood Attack Introduction Double-Encapsulated 802.1Q/Nested VLAN Attack VXLAN prototype ARP Attack Security assessment UDP Flood Attack Q&A Future research Conclusions Security Assessment MAC Flood Attack Double-Encapsulated 802.1Q/Nested VLAN Attack ARP Attack UDP Flood Attack Evaluation Guido Pineda Reyes Security assessment on a VXLAN-based network

  15. MAC Flood Attack Introduction Double-Encapsulated 802.1Q/Nested VLAN Attack VXLAN prototype ARP Attack Security assessment UDP Flood Attack Q&A Future research Conclusions Outline 1 Introduction Virtual eXtensible LAN Research question Approach 2 VXLAN prototype 3 Security assessment MAC Flood Attack Double-Encapsulated 802.1Q/Nested VLAN Attack ARP Attack UDP Flood Attack Future research Conclusions 4 Q&A Guido Pineda Reyes Security assessment on a VXLAN-based network

  16. MAC Flood Attack Introduction Double-Encapsulated 802.1Q/Nested VLAN Attack VXLAN prototype ARP Attack Security assessment UDP Flood Attack Q&A Future research Conclusions MAC Flood Attack Scenarios Guido Pineda Reyes Security assessment on a VXLAN-based network

  17. MAC Flood Attack Introduction Double-Encapsulated 802.1Q/Nested VLAN Attack VXLAN prototype ARP Attack Security assessment UDP Flood Attack Q&A Future research Conclusions MAC Flood Attack Tool: macof Results: Attacker on physical net: Successful Attacker on logical net: Failed Mitigation/Prevention: Restrict the number of MAC addresses to one port Specify static MAC address association IDS Guido Pineda Reyes Security assessment on a VXLAN-based network

  18. MAC Flood Attack Introduction Double-Encapsulated 802.1Q/Nested VLAN Attack VXLAN prototype ARP Attack Security assessment UDP Flood Attack Q&A Future research Conclusions Outline 1 Introduction Virtual eXtensible LAN Research question Approach 2 VXLAN prototype 3 Security assessment MAC Flood Attack Double-Encapsulated 802.1Q/Nested VLAN Attack ARP Attack UDP Flood Attack Future research Conclusions 4 Q&A Guido Pineda Reyes Security assessment on a VXLAN-based network

  19. MAC Flood Attack Introduction Double-Encapsulated 802.1Q/Nested VLAN Attack VXLAN prototype ARP Attack Security assessment UDP Flood Attack Q&A Future research Conclusions Double-Encapsulated 802.1Q/Nested VLAN Attack Scenario Guido Pineda Reyes Security assessment on a VXLAN-based network

  20. MAC Flood Attack Introduction Double-Encapsulated 802.1Q/Nested VLAN Attack VXLAN prototype ARP Attack Security assessment UDP Flood Attack Q&A Future research Conclusions Double-Encapsulated 802.1Q/Nested VLAN Attack Concept Guido Pineda Reyes Security assessment on a VXLAN-based network

  21. MAC Flood Attack Introduction Double-Encapsulated 802.1Q/Nested VLAN Attack VXLAN prototype ARP Attack Security assessment UDP Flood Attack Q&A Future research Conclusions Double-Encapsulated 802.1Q/Nested VLAN Attack Tool: scapy Results: Attacker on logical net: Failed Guido Pineda Reyes Security assessment on a VXLAN-based network

  22. MAC Flood Attack Introduction Double-Encapsulated 802.1Q/Nested VLAN Attack VXLAN prototype ARP Attack Security assessment UDP Flood Attack Q&A Future research Conclusions Outline 1 Introduction Virtual eXtensible LAN Research question Approach 2 VXLAN prototype 3 Security assessment MAC Flood Attack Double-Encapsulated 802.1Q/Nested VLAN Attack ARP Attack UDP Flood Attack Future research Conclusions 4 Q&A Guido Pineda Reyes Security assessment on a VXLAN-based network

  23. MAC Flood Attack Introduction Double-Encapsulated 802.1Q/Nested VLAN Attack VXLAN prototype ARP Attack Security assessment UDP Flood Attack Q&A Future research Conclusions ARP Attack Scenarios Guido Pineda Reyes Security assessment on a VXLAN-based network

  24. MAC Flood Attack Introduction Double-Encapsulated 802.1Q/Nested VLAN Attack VXLAN prototype ARP Attack Security assessment UDP Flood Attack Q&A Future research Conclusions ARP Attack Summary Tool: arpspoof Configuring private communication between the Results: hosts at the service provider Attacker on physical net: level. Successful Attacker on logical net: Successful Mitigation/Prevention: Blocking direct communication between the attacker and the victim. Guido Pineda Reyes Security assessment on a VXLAN-based network

  25. MAC Flood Attack Introduction Double-Encapsulated 802.1Q/Nested VLAN Attack VXLAN prototype ARP Attack Security assessment UDP Flood Attack Q&A Future research Conclusions ARP Attack Scenarios Guido Pineda Reyes Security assessment on a VXLAN-based network

  26. MAC Flood Attack Introduction Double-Encapsulated 802.1Q/Nested VLAN Attack VXLAN prototype ARP Attack Security assessment UDP Flood Attack Q&A Future research Conclusions Outline 1 Introduction Virtual eXtensible LAN Research question Approach 2 VXLAN prototype 3 Security assessment MAC Flood Attack Double-Encapsulated 802.1Q/Nested VLAN Attack ARP Attack UDP Flood Attack Future research Conclusions 4 Q&A Guido Pineda Reyes Security assessment on a VXLAN-based network

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Running OpenStack over a VXLAN Fabric Andre Pech Arista

Running OpenStack over a VXLAN Fabric Andre Pech Arista

Running OpenStack over a VXLAN Fabric Andre Pech Arista Networks Overview VXLAN Refresher Why VXLAN? Network Design Requirements Key

315 views • 19 slides
Fix VxLAN Issue in SFC Integration by Using Eth+NSH and VxLAN-gpe+NSH Hybrid Mode Yi Yang, Intel

Fix VxLAN Issue in SFC Integration by Using Eth+NSH and VxLAN-gpe+NSH Hybrid Mode Yi Yang, Intel

Fix VxLAN Issue in SFC Integration by Using Eth+NSH and VxLAN-gpe+NSH Hybrid Mode Yi Yang, Intel (yi.y.yang@intel.com) Agenda VxLAN Issue in OVSDB+SFC How to Fix Current VxLAN issue by Eth+NSH Demo Introduction Demo Next

191 views • 18 slides
What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug

Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug

Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics Network Security Model Header attacks Protocol Attacks

597 views • 25 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 7 Intrusion Detection Topics Fundamentals Network IDS Snort Host-based IDS

1.03k views • 72 slides
Economics of network security Harald Vranken 1 Economics of network security Note that

Economics of network security Harald Vranken 1 Economics of network security Note that

Advanced Network Security (2019-2020) Economics of network security Harald Vranken 1 Economics of network security Note that network in this lecture means Physical communication network (eg. Internet, telephony, fax, telegraph)

769 views • 49 slides
TCP/IP: TCP Network Security Lecture 6 TCP Based on IP Provides connection-oriented ,

TCP/IP: TCP Network Security Lecture 6 TCP Based on IP Provides connection-oriented ,

TCP/IP: TCP Network Security Lecture 6 TCP Based on IP Provides connection-oriented , reliable stream delivery service (handles loss, duplication, transmission errors, reordering) Provides port abstraction (like UDP) Establishes

559 views • 30 slides
Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able to Skills identify design and Ability to analyze the implementation security of networked vulnerabilities in network systems protocols

564 views • 33 slides
Technology Assessment & Recommendations Structured Cabling Network Electronics

Technology Assessment & Recommendations Structured Cabling Network Electronics

7/12/2017 Technology Assessment & Recommendations Structured Cabling Network Electronics Wireless Network Classroom Systems Teacher Tools Electronic Security Public Address Staff and Student feedback 1

334 views • 10 slides
Risk-based Security BARRY KOUNS CEO AT RISK BASED SECURITY Session Overview Warm-up Quiz

Risk-based Security BARRY KOUNS CEO AT RISK BASED SECURITY Session Overview Warm-up Quiz

Risk Assessment the Heart of Risk-based Security BARRY KOUNS CEO AT RISK BASED SECURITY Session Overview Warm-up Quiz Introduction to our security challenge What is Risk-based Security? The language of risk some

787 views • 53 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J CSCI 6268/TLEN 5831, Fall 2004 Introduction UC Davis PhD in 2000 Cryptography Interested in broader security as well

492 views • 12 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

932 views • 55 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

374 views • 13 slides
Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

1.12k views • 92 slides
MulVAL: A logic-based network security analyzer Xinming Ou, Sudhakar Govindavajhala, and Andrew

MulVAL: A logic-based network security analyzer Xinming Ou, Sudhakar Govindavajhala, and Andrew

14th USENIX Security Symposium, August 2005 MulVAL: A logic-based network security analyzer Xinming Ou, Sudhakar Govindavajhala, and Andrew W. Appel Princeton University Outline Introduction Representation Vulnerability

268 views • 23 slides
Biological Products Micro-encapsulation November & December 2017 Introduction Eden is an

Biological Products Micro-encapsulation November & December 2017 Introduction Eden is an

Biological Products Micro-encapsulation November & December 2017 Introduction Eden is an industrial biotechnology company that delivers Natural Solutions to challenges in plant protection, consumer products and animal health .

859 views • 18 slides
MEXICO BIENVENIDO - WELCOME WE HOPE YOUVE BEEN HAVING A GREAT TIME OUR GOAL BE THE BEST

MEXICO BIENVENIDO - WELCOME WE HOPE YOUVE BEEN HAVING A GREAT TIME OUR GOAL BE THE BEST

MEXICO BIENVENIDO - WELCOME WE HOPE YOUVE BEEN HAVING A GREAT TIME OUR GOAL BE THE BEST AND HELP YOU GROW YOU ARE ARE YOU TAKING FULL ADVANTAGE? Training Business Development Tech Support Tribal Knowledge & Resources IDI

671 views • 49 slides
ERSPAN in Linux A short history and review. Presenters: William Tu and Greg Rose 1 What is

ERSPAN in Linux A short history and review. Presenters: William Tu and Greg Rose 1 What is

ERSPAN in Linux A short history and review. Presenters: William Tu and Greg Rose 1 What is Port Mirroring? Port mirroring is one of the most common network troubleshooting techniques. SPAN - Switch Port Analyzer - sends a copy of the

608 views • 23 slides
PPP Protocol Overview 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301)

PPP Protocol Overview 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301)

PPP Protocol Overview 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301) 670-4784 Fax: (301) 670-9187 Email: info@gl.com 1 1 1 Website: http://www.gl.com Point-to-Point Protocol (PPP) Point to Point (PPP) networks

759 views • 46 slides
Handling Large Formats On a Small Budget Tuesday, November 15, 11 What We Do at

Handling Large Formats On a Small Budget Tuesday, November 15, 11 What We Do at

Handling Large Formats On a Small Budget Tuesday, November 15, 11 What We Do at the CHL Anything up to 36x48 is stored in folders and boxes Anything above that is encapsulated and

622 views • 39 slides
secuBT Hacking the Hackers with User-Space Virtualization Mathias Payer

secuBT Hacking the Hackers with User-Space Virtualization Mathias Payer

secuBT Hacking the Hackers with User-Space Virtualization Mathias Payer <mathias.payer@inf.ethz.ch> 1 Mathias Payer: secuBT - User-Space Virtualization Motivation Virtualizing and encapsulating running programs is important:

693 views • 40 slides
Secret-free DRM and efficient delivery method Prepared for CPTWG. Jan 11 2007 Presented by Yves

Secret-free DRM and efficient delivery method Prepared for CPTWG. Jan 11 2007 Presented by Yves

c o n t e n t , u n p l u g g e d Secret-free DRM and efficient delivery method Prepared for CPTWG. Jan 11 2007 Presented by Yves Legris (yves@zotus.com) Contact: Vladan Djakovic, CEO 415.934.0373 voice, 415.934.1276 fx, vladan@zotus.com

126 views • 12 slides
Newbury BO 1447(32) Alternatives Presentation Meeting Town Highway 3, Bridge 15 over Wells River

Newbury BO 1447(32) Alternatives Presentation Meeting Town Highway 3, Bridge 15 over Wells River

Newbury BO 1447(32) Alternatives Presentation Meeting Town Highway 3, Bridge 15 over Wells River June 26, 2019 Introductions Laura Stone, P.E. VTrans Scoping Engineer Todd Sumner, P.E. VTrans Project Manager Purpose of Meeting Provide

796 views • 52 slides

More recommend