validating security and resiliency in software defined
play

Validating Security and Resiliency in Software Defined Networks for - PowerPoint PPT Presentation

Apr 25, 2023 •110 likes •349 views

Validating Security and Resiliency in Software Defined Networks for Smart Grids Rakesh Kumar DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING UNIVERSITY OF ILLINOIS, URBANA-CHAMPAIGN Motivation 2 Security: Access Control In United

  1. Validating Security and Resiliency in Software Defined Networks for Smart Grids Rakesh Kumar DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING UNIVERSITY OF ILLINOIS, URBANA-CHAMPAIGN

  2. Motivation 2

  3. Security: Access Control • In United States, power utilities are required to follow NERC CIP Standards. – Utilities are periodically audited to secure their Electronic Security Perimeter (ESP) 3

  4. Resiliency: Link/Device failure • Upon failure, ask the SDN controller for flow rules – Applications may not tolerate the delays incurred • Flow rules that anticipate failures and take corrective actions to provide seamless resilience – Fast Failover Mechanism: Designed for small, predictable latency 4

  5. Resiliency: Illustration SCADA Ethernet Controller Relay

  6. Software Defined Networking (SDN) • Logically centralized Control Plane State at Controller • Standardized Data Plane in Switches and Switch- Controller communication protocol. • Controller’s Northbound API enables exhaustive validation. 6

  7. Validation using the SDN Architecture Control Plane State Static Validation Policy Violations Network-wide Policy 7

  8. Rest of the talk: • Life of a packet • Resilient Routing Policy (RRP) Specification • Model • Design • Evaluation • Conclusion and Future Work 8

  9. Life of a Packet in an OpenFlow 1.x switch … • Flow Table Pipeline • Flow Rule – Match – Instructions • Single port output, packet header modifications • Fast Failover Output: {p 1 , p 2 , p 3 … } 9

  10. Resilient Routing Policy (RRP) Specification • Zones: Set of ports • Traffic Set: Packet header field values • Failure Events: Specific set of link/switch failures • Constraints: Desired properties, such as: – Connectivity – Isolation – Path Length – Link Avoidance 10

  11. RRP Example The policy specifies that: • ESR and IED are connected to the RTAC even when any single link fails by a path that traverses no more than three switches in the topology. • The path of HTTPS traffic from the internet to the RTAC must not cross the link between Switch:3 and Switch:4. 11

  12. Model • Efficiency: Emphasis on having the capability to perform incremental computation as events occur in the network Composition: Model for the structure of the • network on different levels of abstraction (i.e. switch and network-level) Explicit Representation: Model for the traffic • (set of packet headers) that flows on the network 12

  13. Port Graph • The state (topology + configuration) of the SDN is modeled as a directed graph. • Nodes model places of interest, e.g. Ingress, Egress nodes for physical ports • • Nodes representing each table • Each edge (p, s) models the transfer of traffic, it has: • Edge Filter: EF(p, s) • Modifications 13

  14. Admitted Traffic Set (ATS) • ATS (p, d) is the set of packet headers that an SDN is able to carry from node p to node d . • T (p, d, s) is the set of packets that are carried from port p to destination d , via its successor s , thus: • Incremental analysis made possible by comparing ATS before and after an event: 14

  15. Design • First, construction of port graphs • Computation of ATS (p, d) for all p, d using a reverse DFS on the port graphs. • Each edge in the port graph has a flag that represents whether the edge is active based on the current state of the network. 15

  16. Constructing Switch Port Graphs 16

  17. Constructing Network Port Graph 17

  18. Initializing ATS (p, d) Destination MAC: 2 Other Fields: Wildcards Source MAC: 1 Destination MAC: 2 Destination MAC: 2 Other Fields: Wildcards Other Fields: Wildcards Destination MAC: 2 Other Fields: Wildcards Destination MAC: 2 Other Fields: Wildcards 18

  19. Evaluation Setup • Experiments performed on a machine running mininet and Ryu : – Two processor cores at 3.3 GHz – 16 GB RAM. • Ten iterations of each analysis 19

  20. Microbenchmark • Flow rules that fast-failover synthesized to sustain failure of a single link • Policy requires that the path lengths be less than the diameter of the network 20

  21. Resilience in a substation network • Same policy as described previously, except the zone sizes keep increasing now 21

  22. Security for interconnected microgrids • Six microgrids connecting to a control center • Network divided in 19 enclaves and a single functional domain • Policy: Communication only possible within an enclave or functional domain 22

  23. Conclusion • A framework for validating resiliency requirements for an SDN by performing exhaustive packet flow analysis • Model, design of data structures • Incremental Computation technique provides computational gains • Scales for larger topology sizes 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Software Defined Security Reloaded Open Infrastructure Summit, Shanghai Nov 4, 2019 Ash

Software Defined Security Reloaded Open Infrastructure Summit, Shanghai Nov 4, 2019 Ash

Software Defined Security Reloaded Open Infrastructure Summit, Shanghai Nov 4, 2019 Ash Bhalgat (Sr. Director, Cloud Marketing, Mellanox Technologies) Yossef Efraim (Director, Software Development, Mellanox Technologies) Zhike Wang (JD

487 views • 38 slides
software defined networking CS 6410 Fall 2017 Eric Campbell and Rolph Recto software defined

software defined networking CS 6410 Fall 2017 Eric Campbell and Rolph Recto software defined

software defined networking CS 6410 Fall 2017 Eric Campbell and Rolph Recto software defined networking software defined networking (OpenFlow, originally) Stanford computer scientist Nick McKeown and colleagues developed a standard called

1.13k views • 77 slides
Software Defined Radios RABC Conference Ottawa, 3 March 2004 www.crc.ca / rmsc Software Defined

Software Defined Radios RABC Conference Ottawa, 3 March 2004 www.crc.ca / rmsc Software Defined

Software Defined Radios RABC Conference Ottawa, 3 March 2004 www.crc.ca / rmsc Software Defined Radio A wireless system whose operating modes and parameters can be changed or augmented post- manufacturing, via software. Based on an

703 views • 22 slides
A tool for specifying and validating software liability VERIMAG, Grenoble, France - Eduardo

A tool for specifying and validating software liability VERIMAG, Grenoble, France - Eduardo

A tool for specifying and validating software liability VERIMAG, Grenoble, France - Eduardo Mazza - Marie-Laure Potet Outline Context Approach Study Case Specifications Entities Logs Properties Responsibility

364 views • 20 slides
Software Defined Networking : A Security Perspective Dr. Sarker Tanveer Ahmed Rumee Dept. of

Software Defined Networking : A Security Perspective Dr. Sarker Tanveer Ahmed Rumee Dept. of

Software Defined Networking : A Security Perspective Dr. Sarker Tanveer Ahmed Rumee Dept. of CSE, University of Dhaka Traditional Network Infrastructure Two Main Tasks Control of information flow (control plane) Calculation of routing

539 views • 26 slides
The Dover Architecture Hardware Enforcement of Software-Defined Security Policies Team: Greg

The Dover Architecture Hardware Enforcement of Software-Defined Security Policies Team: Greg

This Document Does Not Contain Controlled Technology or Technical Data Draper Proprietary The Dover Architecture Hardware Enforcement of Software-Defined Security Policies Team: Greg Sullivan (Draper) (presenting), Andr DeHon (UPenn), Eli

432 views • 19 slides
Networks in the Software Software Age Defined Clouds and Internet Ravinder Shergill of

Networks in the Software Software Age Defined Clouds and Internet Ravinder Shergill of

Networks in the Software Software Age Defined Clouds and Internet Ravinder Shergill of Things Principal Architect Technology Strategy, TELUS June 06, 2016 TELUS RESTRICTED Storyboard Generational changes via Software Defined

601 views • 18 slides
Validating CDI Data for Report Integrity Fran Jurcak, MSN, RN, CCDS Clinical Documentation

Validating CDI Data for Report Integrity Fran Jurcak, MSN, RN, CCDS Clinical Documentation

Validating CDI Data for Report Integrity Fran Jurcak, MSN, RN, CCDS Clinical Documentation Program Manager Iodine Software Objectives The learner will be able to: Articulate the role of validating data in a CDI departments ongoing

453 views • 31 slides
-Service Resiliency With Circuit Breakers Lance Ball - Red Hat - @lanceball FullStack 2018

-Service Resiliency With Circuit Breakers Lance Ball - Red Hat - @lanceball FullStack 2018

-Service Resiliency With Circuit Breakers Lance Ball - Red Hat - @lanceball FullStack 2018 Resilience Resiliency is defined as the capability of a system to maintain its functions and structure in the face of internal and external change

512 views • 38 slides
Software Defined Networks (SDN) SEC2 2015 15 Premier atelier sur la scurit dans les Clouds

Software Defined Networks (SDN) SEC2 2015 15 Premier atelier sur la scurit dans les Clouds

Security Challenges & Opportunities in June 30 th , 2015 Software Defined Networks (SDN) SEC2 2015 15 Premier atelier sur la scurit dans les Clouds Nizar KHEIR Cyber Security Researcher Orange Labs Products and Services 1 Orange

385 views • 15 slides
deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
Software-Defined Network Exchanges (SDXs) and Software-Defined Infrastructure (SDI) Joe

Software-Defined Network Exchanges (SDXs) and Software-Defined Infrastructure (SDI) Joe

Software-Defined Network Exchanges (SDXs) and Software-Defined Infrastructure (SDI) Joe Mambretti, Director, (j-mambretti@northwestern.edu) International Center for Advanced Internet Research (www.icair.org) Northwestern University Director,

442 views • 23 slides
T3E Resiliency Enhancements Dean Elling Software Engineer SGI 41st Cray User Group Conference

T3E Resiliency Enhancements Dean Elling Software Engineer SGI 41st Cray User Group Conference

T3E Resiliency Enhancements Dean Elling Software Engineer SGI 41st Cray User Group Conference Minneapolis, Minnesota A Brief History PE Resiliency Initial releases of UNICOS/mk system panicked processes hung system would

732 views • 21 slides
Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
Intro & Updates Ben Hilburn What is Software Radio? Defined by the IEEE P1900.1

Intro & Updates Ben Hilburn What is Software Radio? Defined by the IEEE P1900.1

Intro & Updates Ben Hilburn What is Software Radio? Defined by the IEEE P1900.1 Working Group and the WINNF: A radio in which some or all of the physical layer functions are software-defined. 2 What is Software Radio? Defined

714 views • 25 slides
Worldwide Security and Resiliency of Cyber Infrastructures: the Role of the Domain Name System

Worldwide Security and Resiliency of Cyber Infrastructures: the Role of the Domain Name System

Worldwide Security and Resiliency of Cyber Infrastructures: the Role of the Domain Name System Dr. Igor Nai Fovino Head of the Research Department Global Cyber Security Center The Global Cyber Security Center, is an International not-for-profit

615 views • 33 slides
Using Z-Ray for Lightning Fast Security Analysis Martin Bednorz ZendCon Las Vegas 2018 1

Using Z-Ray for Lightning Fast Security Analysis Martin Bednorz ZendCon Las Vegas 2018 1

Using Z-Ray for Lightning Fast Security Analysis Martin Bednorz ZendCon Las Vegas 2018 1 Introduction 10+ years of web development experience IT security background Web application security Incremental static code analysis

881 views • 73 slides
Computational Geometry Lecture 6: Smallest enclosing circles and more Computational Geometry

Computational Geometry Lecture 6: Smallest enclosing circles and more Computational Geometry

Introduction Smallest enclosing circle algorithm Randomized incremental construction Smallest enclosing circles and more Computational Geometry Lecture 6: Smallest enclosing circles and more Computational Geometry Lecture 6: Smallest

706 views • 53 slides
NetBrain Technologies, Inc. Phone: +1 781 221 7199 Email: info@netbraintech.com

NetBrain Technologies, Inc. Phone: +1 781 221 7199 Email: info@netbraintech.com

NetBrain Technologies, Inc. Phone: +1 781 221 7199 Email: info@netbraintech.com 15 Network Drive Website: www.netbraintech.com Burlington, MA 01803 Featured Speakers 2 NetBrain Technologies, Inc. New Feature

677 views • 50 slides
for Real-time NLP Applications Mahsa Yarmohammadi Streaming NLP for Big Data Class SBU

for Real-time NLP Applications Mahsa Yarmohammadi Streaming NLP for Big Data Class SBU

Incremental Input Stream Segmentation for Real-time NLP Applications Mahsa Yarmohammadi Streaming NLP for Big Data Class SBU Computer Science Department 9/29/2016 Outline Introduction Simultaneous speech-to-speech translation (SST)

591 views • 29 slides
IC3 and Beyond: Incremental, Inductive Verification Aaron R. Bradley ECEE, CU Boulder &

IC3 and Beyond: Incremental, Inductive Verification Aaron R. Bradley ECEE, CU Boulder &

IC3 and Beyond: Incremental, Inductive Verification Aaron R. Bradley ECEE, CU Boulder & Summit Middle School IC3 and Beyond: Incremental, Inductive Verification 1/62 Induction Foundation of verification for 40+ years (Floyd, Hoare) To

1.16k views • 62 slides
Incremental Coverage of Legacy Software Languages V. Zaytsev @ PX/17.2 @ SPLASH 2017 The

Incremental Coverage of Legacy Software Languages V. Zaytsev @ PX/17.2 @ SPLASH 2017 The

Incremental Coverage of Legacy Software Languages V. Zaytsev @ PX/17.2 @ SPLASH 2017 The Generation Gap 4GL . 3GL . 2GL 1GL The Generation Gap MAP STD_PARM_V OF ACC_XXX_I TO CASH_ACT_UPD 4GL . MOVE INPUT-PARM OF

625 views • 13 slides
Computational Geometry Linear programming Exercise session #8: Incremental construction &

Computational Geometry Linear programming Exercise session #8: Incremental construction &

Computational Geometry Linear programming Exercise session #8: Incremental construction & Problem : maximize c T x s.t. Ax b Arrangements c = ( c 1 ,, c d ) T Linear Programming x = ( x 1 ,, x d ) T

521 views • 4 slides
Derisking Renewable Energy Investment Finance Case Study [Insert Event] [Insert Location, Date]

Derisking Renewable Energy Investment Finance Case Study [Insert Event] [Insert Location, Date]

Derisking Renewable Energy Investment Finance Case Study [Insert Event] [Insert Location, Date] 1 Aims and Agenda Aims Design two alternative RE policy frameworks that both have the objective to attract private investment into 500MW of

392 views • 18 slides

More recommend