
1 Sungkyunkwan University (SKKU) Security Lab.
A Framework for Security Services based on Software-Defined Networking
Jaehoon (Paul) Jeong 1, Jihyeok Seo 1, Geumhwan Cho 1, Hyoungshick Kim 1, and Jung-Soo Park 2
1 Department of Computer Science and Engineering, Sungkyunkwan University, Korea (Republic of)
{pauljeong, seojh43, geumhwan, hyoung}@skku.edu
2 Electronics and Telecommunications Research Institute, Korea (Republic of)
pjs@etri.re.kr
The Second International Workshop on Device Centric Cloud (DC2-2015)

2 Motivation
Legacy firewall
- Inspects packets that attempt to cross a network boundary
- Rejects any illegal packets:
  - Incoming requests to open illegal TCP connections
  - Packets of other illegal types (e.g., UDP and ICMP)
  - IP datagrams with illegal IP addresses (or ports)
- Provides security at the loss of flexibility and the cost of network administration

3 Contributions
- Propose a framework for security services using Software-Defined Networking (SDN)
- Discuss challenge issues and requirements for SDN
- Introduce two representative security services:
  - Centralized firewall system
  - Centralized DDoS-attack mitigation system

4 Challenges in firewall
- Cost: the cost of adding firewalls to network resources is substantial
- Performance: firewalls are often slower than the link speed of their network interfaces
- Management: managing access control dynamically across hundreds of network elements is a challenge
- Policy: it is difficult to describe which flows are permitted and which are denied within a specific organization
- Packet-based access mechanism: a packet-based access mechanism is not enough in practice, since the basic unit of access control is usually a user or an application (e.g., Skype connections are opened for specific users)

5 Centralized network firewall
- Firewall rules can be managed flexibly by a centralized server
- SDN protocols can be used as a standard interface between firewall applications and switches
(Figure: a firewall sits between the public network and the private network and adds or deletes rules such as the following)
src IP           dest IP        Action
115.145.171.224  74.125.71.106  Drop packets

6 Expectations for SDN-based firewall - Cost
- Ideally, one single firewall is enough
(Figure: a firewall application on the SDN Controller enforces rules to each of Switch 1, Switch 2 and Switch 3)

7 Expectations for SDN-based firewall - Performance
- Firewalls can be deployed adaptively depending on network conditions
(Figure: incoming packets at Switch 1, Switch 2 and Switch 3; the firewall application on the SDN Controller applies the firewall at a selected switch)

8 Expectations for SDN-based firewall - Management
(Figure: new rules are installed on Switch 1, Switch 2 and Switch 3)

9 Expectations for SDN-based firewall - Management
- Firewall rules can be added dynamically as new attacks appear
(Figure: the firewall application on the SDN Controller installs new rules on Switch 1, Switch 2 and Switch 3, e.g., drop packets with attack patterns)

10 Expectations for SDN-based firewall - Packet-based access mechanism
- Application-level rules can be defined by software
(Figure: incoming packets reach the switches; the firewall application on the SDN Controller installs new rules automatically on Switch 1, Switch 2 and Switch 3)

11 Objectives
- Prompt reaction to new network attacks: SDN-based security services allow private networks to defend themselves against new, sophisticated network attacks
- Autonomous defense from network attacks: SDN-based security services identify the category of a network attack (e.g., worms and DDoS attacks) and take counteraction for the defense without the intervention of network administrators
- Network-load-aware resource allocation: SDN-based security services measure the resource overhead of security services and dynamically select resources with load balance in mind, trading off maximum network performance against security

12 Requirements
(Figure: layered SDN architecture. Application Layer: Security Application (e.g., Firewall, DDoS-Attack Mitigation). SDN Control Layer: Application Support, Orchestration, Abstraction. Resource Layer: Control Support, Data Transport and Processing. Multi-Layer Management Functions span all layers; the Application-Control Interface and the Resource-Control Interface connect adjacent layers.)

13 Centralized firewall system for malware packets
(Figure: Switch 1, Switch 2 and Switch 3 under an SDN Controller running the Firewall; a malware packet arrives at Switch 1)
1. Switch 1 forwards an unknown flow's packet to Firewall via SDN Controller.
2. Firewall investigates the packet.
3. Firewall regards it as a malware packet with suspicious patterns.

14 Centralized firewall system for malware packets
(Figure: incoming packets at Switch 1, Switch 2 and Switch 3)
- Firewall reports the dangerous packet to SDN Controller
- SDN Controller installs new rules on the switches (e.g., drop dangerous packets)
- The dangerous packets are dropped by the switches
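The packet-in and rule-installation sequence of slides 13 and 14, as an added Python model that is not part of the presentation or the authors' framework. The flow key (src IP, dst IP, protocol), the malware byte patterns, the sample traffic and the class names are all assumptions made for this example.

```python
from dataclasses import dataclass, field

# Hypothetical byte patterns the firewall application treats as malware (constructed for this example).
MALWARE_PATTERNS = (b"\x90\x90\x90\x90", b"cmd.exe /c")

class FirewallApp:
    """Security application: inspects a packet handed up by the controller and returns a verdict."""
    def inspect(self, flow, payload):
        return "drop" if any(p in payload for p in MALWARE_PATTERNS) else "forward"

class Controller:
    """SDN controller: relays unknown-flow packets to the firewall and pushes flow rules to switches."""
    def __init__(self, firewall):
        self.firewall, self.switches = firewall, []

    def packet_in(self, switch, flow, payload):
        verdict = self.firewall.inspect(flow, payload)              # steps 2-3: firewall investigates
        targets = self.switches if verdict == "drop" else [switch]  # drop rules go to every switch
        for sw in targets:
            sw.flow_table[flow] = verdict                           # install new rule
        return verdict

@dataclass
class Switch:
    """Data-plane switch: matches on its flow table and asks the controller only for unknown flows."""
    name: str
    controller: Controller
    flow_table: dict = field(default_factory=dict)
    stats: dict = field(default_factory=lambda: {"packet_in": 0, "forward": 0, "drop": 0})

    def __post_init__(self):
        self.controller.switches.append(self)

    def receive(self, flow, payload):
        action = self.flow_table.get(flow)
        if action is None:                      # step 1: unknown flow -> controller -> firewall
            self.stats["packet_in"] += 1
            action = self.controller.packet_in(self, flow, payload)
        self.stats[action] += 1                 # known flow: handled locally, no controller round trip
        return action

def simulate():
    """Constructed traffic: one benign flow and one flow carrying a malware pattern."""
    ctrl = Controller(FirewallApp())
    s1, s2, s3 = (Switch(f"Switch {i}", ctrl) for i in (1, 2, 3))
    benign = (("10.0.0.5", "10.0.0.9", "tcp"), b"GET / HTTP/1.1")
    malware = (("203.0.113.7", "10.0.0.9", "tcp"), b"\x90\x90\x90\x90 payload")
    trace = [s1.receive(*benign), s1.receive(*malware),   # two packet-ins at Switch 1
             s2.receive(*malware), s3.receive(*malware),  # already dropped by local flow tables
             s2.receive(*benign)]                         # forward rule was installed on Switch 1 only
    return trace, {sw.name: sw.stats for sw in (s1, s2, s3)}

if __name__ == "__main__":
    print(simulate())
```

After the first malware packet-in, Switch 2 and Switch 3 drop the same flow from their own flow tables without contacting the controller, which is the behaviour the later scalability slide relies on.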

15 Research Issues

16 To prevent the unauthorized control of switches
(Figure: Switch 1, Switch 2 and Switch 3 are connected to the legitimate SDN Controller running the security applications, and also to a Malicious Controller)

17 To prevent the unauthorized control of switches
- We should establish a secure and authenticated channel between the SDN controller and the switches
- We need to consider proper key management for secure communication between them
(Figure: a secure and authenticated channel, with key management, between the SDN Controller running the security applications and Switch 1, Switch 2 and Switch 3)

18 A single point of failure or compromise
- A centralized server will suffer from a single point of failure or compromise
(Figure: when the SDN Controller fails, the security applications do not work for Switch 1, Switch 2 and Switch 3)

19 To support the SDN-based security services
- We need to consider changes in the existing SDN switches and protocols
(Figure: incoming packets at Switch 1, Switch 2 and Switch 3; Deep Packet Inspection alongside the SDN Controller running the security applications)

20 A scalable architecture
- In theory, SDN seems a scalable architecture for providing centralized security services
(Figure: the SDN Controller running the security applications above Switch 1, Switch 2, ..., Switch n)

21 Intelligent switches
- We should address scalability to support security services in an autonomous and scalable fashion
(Figure: incoming packets with malware or DDoS-attack traffic arrive at Switch 1, Switch 2 and Switch 3; each switch drops such packets automatically based on its flow table, and packets without malware or DDoS-attack traffic are passed)

22 Conclusions
- Proposed a framework for security services based on SDN
- Discussed challenge issues and requirements for SDN
- As future work:
  - Develop the proposed framework in the Mininet emulator and the OMNeT++ simulator
  - Investigate other security services (e.g., encryption/decryption, junk mail filtering, and anti-spam service)

23 Any questions?

