OpenFlow Research on the Georgia Tech Campus Network. Russ Clark, Nick Feamster. Students: Yogesh Mundada, Hyojoon Kim, Ankur Nayak, Anirudh Ramachandran, Umayr Hassan

1 OpenFlow Research on the Georgia Tech Campus Network
Russ Clark, Nick Feamster
Students: Yogesh Mundada, Hyojoon Kim, Ankur Nayak, Anirudh Ramachandran, Umayr Hassan

2 Summary of Research Projects
Campus Network Deployment
– Resonance: Dynamic Access Control for Campus Networks
– Pedigree: Traffic Tainting for Securing Enterprise Networks
Home Network Deployments
– User-Proof Networking (with Prof. Keith Edwards)
Class Projects: Network Management/Network Security
– OpenFlow Traffic Classification
– SNMP MIB for OpenFlow
– Home-Network Management using OpenFlow
– OpenFlow for High Availability/Service Migration
– OpenFlow and Virtualization
– Access Control for Home Networks
– Automated Intrusion Detection with OpenFlow

3 Dynamic Access Control
Enterprise and campus networks are dynamic
– Hosts continually coming and leaving
– Hosts may become infected
Today, access control is static and poorly integrated with the network layer itself.
Resonance: Dynamic access control
– Track the state of each host on the network
– Update the forwarding state of switches per host as these states change

4 Authentication at GT: START
[Diagram with four parties: New Host, Switch, VMPS, Web Portal. Numbered steps recovered from the figure:]
1. New MAC Addr
2. VQP
3. VLAN with Private IP
4. Web Authentication
5. Authentication Result
6. VLAN with Public IP
7. REBOOT

5 Problems with Current Approach
Access control is too coarse-grained
– Static, inflexible and prone to misconfigurations
– Need to rely on VLANs to isolate infected machines
Cannot dynamically remap hosts to different portions of the network
– Needs a DHCP request, which for a Windows user would mean a reboot
Monitoring is not continuous
Idea: Access control policies should reflect network dynamics.

6 Resonance Approach
Step 1: Controller associates each host with generic states and security classes.
Step 2: Specify a state machine for moving machines from one state to another.
Step 3: Control forwarding state in switches based on the current state of each host.

7 Applying Resonance to START
[State diagram. States: Registration, Authenticated, Operation, Quarantined. Transition labels: Successful Authentication, Failed Authentication, Vulnerability detected, Clean after update, Infection removed or manually fixed, Still infected after an update.]
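The controller logic of slides 6 and 7, as an added example that is not code from the slides or from the Resonance project: hosts are keyed by MAC address, events move a host between the four states, and the host's forwarding entries are replaced whenever its state changes. The edge endpoints, event names and per-state destination sets are assumptions inferred from the slide labels.

```python
from dataclasses import dataclass, field

# Step 3: per-state forwarding policy (constructed; destination names are
# placeholders for what the first-hop switch lets the host reach).
POLICY = {
    "Registration": {"web_portal", "dhcp"},                   # captive portal only
    "Authenticated": {"web_portal", "dhcp", "update_server"},  # scan/patch before use
    "Operation": {"any"},                                      # full access
    "Quarantined": {"update_server"},                          # remediation only
}

# Step 2: (state, event) -> next state; endpoints inferred from slide 7 labels.
TRANSITIONS = {
    ("Registration", "successful_authentication"): "Authenticated",
    ("Registration", "failed_authentication"): "Registration",
    ("Authenticated", "clean_after_update"): "Operation",
    ("Authenticated", "vulnerability_detected"): "Quarantined",
    ("Operation", "vulnerability_detected"): "Quarantined",
    ("Quarantined", "infection_removed"): "Operation",
    ("Quarantined", "still_infected_after_update"): "Quarantined",
}

@dataclass
class Controller:
    hosts: dict = field(default_factory=dict)        # mac -> current state
    flow_tables: dict = field(default_factory=dict)  # mac -> allowed destinations

    def new_host(self, mac):
        """Step 1: a host seen for the first time starts in Registration."""
        self.hosts[mac] = "Registration"
        self._reprogram(mac)

    def event(self, mac, ev):
        """Apply the state machine. A (state, event) pair with no edge is
        ignored, so a stray or replayed event can never widen access."""
        cur = self.hosts[mac]
        nxt = TRANSITIONS.get((cur, ev), cur)
        if nxt != cur:
            self.hosts[mac] = nxt
            self._reprogram(mac)
        return nxt

    def _reprogram(self, mac):
        """Replace the switch's forwarding entries for this host."""
        self.flow_tables[mac] = set(POLICY[self.hosts[mac]])

    def allowed(self, mac, dest):
        dests = self.flow_tables.get(mac, set())
        return "any" in dests or dest in dests
```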

8 Challenges
Scale
– How many forwarding entries per switch?
– How much traffic at the controller?
Performance
– Responsiveness
Security
– MAC address spoofing
– Securing the controller (and control framework)

9

10 Enterprise Information Flow Control
Goal: Control how information flows between different hosts in the network
– Control the spread of malware
– Prevent data leaks
Challenges
– Heterogeneous devices
– Hosts may not be trusted
Solution: Pedigree
– Classify traffic based on what process generated the traffic and where that process has taken its inputs
– Implement control policies in the network

11 Pedigree Design
Trusted tagging component resides on the host.
Traffic carries taints that reflect the provenance of network traffic.
Switch one hop from hosts makes access control decisions.

12 Current Function
1. Host sends a request over the control channel to open a flow with a taint set.
2. Traffic is diverted to the controller, which checks policy.
3. Controller inserts a flow table entry if the request is policy compliant.
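The flow-open check of slide 12 together with the host-side tainting of slide 11, as an added example that is not code from the slides or from Pedigree: the tagger accumulates a process's taint set as the union of the taints of everything it read or received, and the controller installs a flow entry only when the policy accepts that taint set for the destination. The label names, the ".internal" destination convention and the policy rules are assumptions.

```python
from dataclasses import dataclass, field

# Constructed label vocabulary; Pedigree's real labels are not on the slides.
SENSITIVE = {"confidential", "malware_origin"}

@dataclass
class Tagger:
    """Trusted tagging component on the host: a process's taint set is the
    union of the taints of every file it read and every flow it received."""
    process_taints: dict = field(default_factory=dict)  # pid -> set of labels
    file_taints: dict = field(default_factory=dict)     # path -> set of labels

    def read_file(self, pid, path):
        self.process_taints.setdefault(pid, set()).update(
            self.file_taints.get(path, set()))

    def receive(self, pid, taints):
        """Inbound traffic carries its own taint set, which propagates."""
        self.process_taints.setdefault(pid, set()).update(taints)

    def taints_of(self, pid):
        return frozenset(self.process_taints.get(pid, set()))

def policy_allows(taints, dst_host):
    """Controller policy (step 2): traffic tainted by malware is dropped
    everywhere; confidential data may only flow to internal hosts."""
    if "malware_origin" in taints:
        return False
    if dst_host.endswith(".internal"):
        return True
    return not (taints & SENSITIVE)

@dataclass
class Controller:
    flow_table: list = field(default_factory=list)  # entries pushed to the switch

    def open_flow(self, src_host, dst_host, taints):
        """Steps 2-3: evaluate the control-channel request and install a
        flow table entry only when the policy is satisfied."""
        ok = policy_allows(frozenset(taints), dst_host)
        if ok:
            self.flow_table.append((src_host, dst_host, frozenset(taints)))
        return ok
```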