Leveraging SDN to Improve the Security of DHCP Presented By Jacob H. Cox Jr. For SDN NFV Security Workshop 2016 On 10 March 2016.

1 Leveraging SDN to Improve the Security of DHCP Presented By Jacob H. Cox Jr. For SDN NFV Security Workshop 2016 On 10 March 2016

2 Outline
Problem (rogue DHCP servers)
Traditional mitigation methods
Related work
Network Flow Guard (NFG) for DHCP (NFGD)
Future work
Conclusion

3 Problem Statement
The tight coupling of the control and data planes within traditional network devices makes edge-device security solutions tediously complex, time consuming, expensive, and prone to error. SDN separates the control plane from the network's data plane and offers a simple, programmable means of dynamically controlling OpenFlow switches, which in principle enables new approaches to edge-device security.
Objective: apply Network Flow Guard, a modular, SDN-based solution, to mitigate or eliminate network security attack vectors in edge devices.

4 How DHCP is Compromised
DHCP packets (RFC 2131): EtherType 2048 (0x0800, IPv4), IP protocol 17 (UDP), UDP ports 67 (server) and 68 (client).
Normal exchange: the client broadcasts a DHCP Discover from port 68 to port 67; the DHCP server answers with a DHCP Offer from port 67 to port 68; the client broadcasts a DHCP Request (port 68) accepting the offer.
Rogue server (a personal router, an attacker's host, etc.): it receives the same broadcast Discover and answers with its own DHCP Offer (port 67), racing the legitimate server.
Resulting network attacks: blackhole (common), man-in-the-middle.

5 Rogue DHCP Mitigation/Detection Techniques
Traditional DHCP detection/mitigation
Related SDN security measures

6 Rogue DHCP Server Detection Methods
Even once a rogue DHCP server is suspected, network operators must still employ a variety of methods to locate it. The diagnosis procedure is:
1. Disable the main DHCP server.
2. Record the IP address of the false default gateway.
3. Ping the default gateway to populate the host's ARP table.
4. View the ARP table to obtain the IP:MAC association.
5. Run a continual ping to confirm when the device is taken down.
6. Review the MAC address table of each switch until the MAC is found.
7. Identify the port hosting the offending MAC (if that port carries multiple MACs, it is an uplink: return to step 6 and repeat on the next switch).
8. Shut down the port.
O'Connor, T., "How to find a rogue DHCP server on your network." http://tomoconnor.eu/blogish/how-to-find-rogue-dhcp-server-your-network/, 2013.
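Steps 4 through 7 of the procedure above are the part that is error prone by hand: an IP is mapped to a MAC through the host's ARP table, and that MAC is then chased from switch to switch until it is learned on a non-uplink port. The following is an added example of that correlation, not code from the presentation or from Network Flow Guard; the ARP listing, the two switch MAC tables, the switch names and the uplink port set are all constructed for the example and labelled as such in the code.

```python
import re

# Constructed sample outputs, not captured from a real network: a Linux
# `ip neigh show` listing taken on the affected host (step 4) and Cisco-style
# `show mac address-table` output from two hypothetical switches (step 6).
ARP_TABLE = """\
10.0.0.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
10.0.0.99 dev eth0 lladdr 0a:0b:0c:0d:0e:99 STALE
10.0.0.50 dev eth0 lladdr 0a:0b:0c:0d:0e:01 REACHABLE
"""
MAC_TABLES = {
    "sw-core": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0a0b.0c0d.0e99    DYNAMIC     Gi1/0/24
  10    0011.2233.4401    DYNAMIC     Gi1/0/1
""",
    "sw-access-3": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0a0b.0c0d.0e99    DYNAMIC     Gi1/0/7
  10    0a0b.0c0d.0e01    DYNAMIC     Gi1/0/8
""",
}
# Ports that lead to another switch (assumed topology). A MAC learned on one of
# these is not local, so the search continues on the next switch: this is the
# "return to step 6 and repeat" branch of the manual procedure.
UPLINKS = {"sw-core": {"Gi1/0/24"}, "sw-access-3": {"Gi1/0/1"}}


def normalize_mac(text):
    """Canonicalise 'aa:bb:cc:dd:ee:ff', 'aabb.ccdd.eeff' or 'aa-bb-cc-dd-ee-ff'
    to 12 lowercase hex digits so tables from different vendors compare equal."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % text)
    return hexdigits


def arp_lookup(ip, arp_output):
    """Step 4: map the false default gateway's IP to a MAC via the host ARP table."""
    for line in arp_output.splitlines():
        m = re.match(r"(\S+)\s+dev\s+\S+\s+lladdr\s+(\S+)", line)
        if m and m.group(1) == ip:
            return normalize_mac(m.group(2))
    return None


def locate_mac(mac, mac_tables, uplinks):
    """Steps 6-7: return (switch, port) where MAC is learned on a non-uplink port,
    or None if every sighting is on an uplink (or the MAC is absent)."""
    wanted = normalize_mac(mac)
    for switch, output in mac_tables.items():
        for line in output.splitlines():
            m = re.match(r"\s*\d+\s+([0-9a-fA-F.]+)\s+\S+\s+(\S+)", line)
            if not m:
                continue  # header / separator lines
            try:
                learned = normalize_mac(m.group(1))
            except ValueError:
                continue
            if learned == wanted and m.group(2) not in uplinks.get(switch, set()):
                return switch, m.group(2)
    return None


def find_rogue_port(gateway_ip, arp_output=ARP_TABLE,
                    mac_tables=MAC_TABLES, uplinks=UPLINKS):
    """Chain steps 4-7: false gateway IP -> MAC -> the edge port to shut down."""
    mac = arp_lookup(gateway_ip, arp_output)
    if mac is None:
        return None
    return locate_mac(mac, mac_tables, uplinks)


if __name__ == "__main__":
    # 10.0.0.99 is the false gateway handed out by the rogue server in this sample.
    print(find_rogue_port("10.0.0.99"))  # ('sw-access-3', 'Gi1/0/7')
```

The uplink set is what makes the search terminate on an edge port rather than on the first switch that has merely learned the MAC through its trunk; in a real network it would come from the switch configuration (or LLDP/CDP neighbor tables) rather than a hard-coded dictionary.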

7 Mitigation Techniques
Other techniques:
Enable DHCP snooping [1] (if available) on network switches; configure trust relationships for all switch ports individually.
Use Simple Network Management Protocol (SNMP) to pull MAC address and ARP tables from the switch fabric to find the rogue server's MAC address [3].
Use a multi-vendor tool, like Really Awesome New Cisco Config Differ (RANCID) [2], to deploy DHCP snooping across affected LANs.
Sniffing options like Wireshark and tcpdump.
Problems: error prone; requires vendor familiarity; middleboxes; additional network operator requirements.
[1] D. O'Connor. DHCP snooping: filter those broadcasts! https://mellowd.co.uk/ccie/?p=5796, Dec 2014.
[2] RANCID. http://www.shrubbery.net/rancid/
[3] T. O'Connor. How to find a rogue DHCP server on your network. http://tomoconnor.eu/blogish/how-to-find-rogue-dhcp-server-your-network/, 2013.

8 Rogue DHCP Server Mitigation with SDN
Rietz et al. developed an OpenFlow controller on the Ryu framework that handles all DHCP requests in the controller itself:
Manages all DHCP offers
Generates IP addresses and other network information
Hosts are unable to see other hosts' DHCP requests or offers
Prevents rogue DHCP attacks
Issues: extensibility; added burden on the controller
[Figure: controller module layout, with the switch and DHCP functions (Switch Mod, DHCP Module) alongside other modules.]
Rietz, R., Brinner, A., and Cwalinsky, R., "Improving network security in virtualized environments with OpenFlow," in Proceedings of the International Conference on Networked Systems (NETSYS), 2015.

9 Network Flow Guard DHCP (NFGD)
[Figure: test topology. A POX controller running Pyretic hosts the NFGC, NFGD and SimpleSwitch modules (northbound interface) and controls one OpenFlow switch (southbound interface). Attached to the switch: hosts H1, H2 and H3, the legitimate DHCP server, a rogue server, and a NAT to the WWW. The NFGD whitelist lists the legitimate server. Numbered arrows show 1) DHCP Discover (68), 2) DHCP Offer (67), 3) DHCP Request (68) for the legitimate server, and 4) DHCP Discover (68), 5) DHCP Offer (67) for the rogue server. Note: order for DHCP DISCOVER, OFFER and REQUEST shown for the DHCP server, H1 and H2 only.]
Implementation:
Mininet environment
Pyretic framework with POX controller
Ubuntu 14.04 OS
ISC DHCP server (legitimate server)
udhcpd (rogue server)

10 Network Flow Guard DHCP (NFGD)
Once SDN is chosen, the solution is quite simple:
The network operator records the legitimate DHCP servers in a designated whitelist.
NFG monitors all DHCP Offers and blocks those that do not come from a whitelisted server.
All protocols operate unchanged.
No changes are required to the switch application.
Security is handled at the switch, with no middleboxes.

11 Network Flow Guard DHCP (NFGD)
Utilized the Pyretic framework and a POX controller.
Key snippets of the NFG DHCP module:
[Fig. 1. Set Policy]
[Fig. 2. Snippet from dhcp_resolver(self, pkt)]

12 Future Work
Expand NFG to address additional edge-based security threats (e.g., ARP poisoning, rogue NAT devices, etc.)
Develop a framework on top of Ryu to allow for modular security concepts like NFG

13 Conclusion
NFG offers the following advantages for edge-device security:
Automated prevention of rogue DHCP servers
Minimal network operator involvement
No change to existing network architectures or protocols
Easily updated to include additional security features

14 Leveraging SDN to Improve the Security of DHCP
Questions?

15 Objective
To investigate how software-defined networking (SDN) can mitigate or eliminate network security attack vectors in network edge devices. We propose Network Flow Guard (NFG) as a novel, modular, SDN-based solution to counter known security vulnerabilities. Specifically, this project seeks to detect and remove rogue DHCP servers from the network.

16 Network Flow Guard
[Figure: the NFGD topology from slide 9, here with hosts H1 through H4: POX controller with Pyretic, NFGC, NFGD and SimpleSwitch; OpenFlow switch; DHCP server; rogue server; NAT to the WWW; whitelist. Numbered arrows show 1) DHCP Discover (68), 2) DHCP Offer (67), 3) DHCP Request (68) for the legitimate server and 4) DHCP Discover (68), 5) DHCP Offer (67) for the rogue server. Note: order for DHCP DISCOVER, OFFER and REQUEST shown for the DHCP server, H1 and H2 only.]
How DHCP works (RFC 2131*)
How DHCP is compromised
Implications of compromise
How NFG prevents rogue DHCP behavior
*RFC 2131, Dynamic Host Configuration Protocol. http://www.ietf.org/rfc/rfc2131.txt

Speaker notes:
1) In accordance with RFC 2131, a host submits a DHCP Discover packet for broadcast to the network. The switch receives this packet and broadcasts it. Ideally, only the DHCP server responds, providing its DHCP Offer. Receiving the offer, the host responds with a DHCP Request to signal its acceptance of the IP address, gateway, and mask. Other hosts can update their ARP tables.
2) How is DHCP compromised? A rogue DHCP server can also listen for such Discovers and make its own DHCP Offer. It now becomes a race: whose offer reaches the host first. If the rogue server wins, the host accepts the rogue's IP address, gateway, and mask.
3) The implications are that the affected host may now be subjected to a man-in-the-middle attack, redirected to a malicious web site, or have its traffic black-holed (packets dropped).
4) NFG prevents this by monitoring all port 67 traffic (the server port mandated by RFC 2131, from which DHCP Offers are sent) and verifying, via the whitelist provided by the network operator, that the DHCP Offer is coming from an authorized server. If it is not, the flow rules in the switch are set to drop the packet, so that the host only receives the offer from the known-good server.
5) NFG uses a coupler module (NFGC) to couple our DHCP module (NFGD) with an already deployed simple switch application. It requires no change to the existing infrastructure and places minimal burden on the POX controller.
So, that's the high-level view of what Network Flow Guard is doing. Let's take a closer look at the Pyretic implementation and how NFG handles incoming packets from the switch.
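The Pyretic snippets on slide 11 are not reproduced on this page, so the following is an added example, written for this transcript and not the NFGD source, of the decision that slide 10 and note 4) above describe: parse the RFC 2131 message as laid out on slide 4 (fixed header, magic cookie, TLV options), let client-port (68) traffic through, and forward server-port (67) replies only when they come from a whitelisted server. The whitelist is keyed on the server's IP address and cross-checked against the Server Identifier option (54), which is this example's choice, not necessarily NFGD's; the addresses, MACs and the four datagrams are constructed for the example. It goes slightly beyond the slides by filtering every BOOTREPLY (Offer, ACK, NAK), since a rogue ACK is as damaging as a rogue Offer.

```python
import socket
import struct

# RFC 2131 constants
BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 53, 54, 255
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK = 1, 2, 3, 5
_FIXED = "!BBBBIHH4s4s4s4s16s64s128s"  # the 236-byte fixed header


def build_dhcp(op, xid, chaddr, yiaddr="0.0.0.0", options=()):
    """Serialise a DHCP message: fixed header, magic cookie, TLV options, END."""
    hdr = struct.pack(_FIXED, op, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    tlv = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC_COOKIE + tlv + bytes([OPT_END])


def parse_dhcp(payload):
    """Parse the UDP payload of a DHCP message; raise ValueError if malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    f = struct.unpack(_FIXED, payload[:236])
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option %d" % code)
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "yiaddr": socket.inet_ntoa(f[8]),
            "chaddr": f[11][:f[2]], "options": opts}


def nfg_decision(src_ip, sport, payload, whitelist):
    """Whitelist verdict ('forward' or 'drop') for one UDP datagram at the switch.

    Client-to-server traffic (source port 68) is never filtered. Anything sent
    from the server port (67) must be a well-formed BOOTREPLY whose IP source
    and Server Identifier (option 54, mandatory in Offer/ACK/NAK) both name a
    whitelisted server.
    """
    if sport != DHCP_SERVER_PORT:
        return "forward"
    try:
        msg = parse_dhcp(payload)
    except ValueError:
        return "drop"  # malformed data on the server port is not worth delivering
    if msg["op"] != BOOTREPLY or src_ip not in whitelist:
        return "drop"
    server_id = msg["options"].get(OPT_SERVER_ID)
    if server_id is None or socket.inet_ntoa(server_id) != src_ip:
        return "drop"  # claims to be a server other than the one it was sent from
    return "forward"


# Constructed sample data (assumed addresses, not from the presentation).
WHITELIST = {"10.0.0.1"}  # the operator's single legitimate (ISC) DHCP server
CLIENT_MAC = bytes.fromhex("0a0b0c0d0e01")


def _offer(server_ip, server_id=None):
    return build_dhcp(BOOTREPLY, 0x1234, CLIENT_MAC, "10.0.0.50", [
        (OPT_MSG_TYPE, bytes([DHCPOFFER])),
        (OPT_SERVER_ID, socket.inet_aton(server_id or server_ip)),
        (OPT_ROUTER, socket.inet_aton(server_ip)),  # rogue hands out itself as gateway
    ])


DISCOVER = build_dhcp(BOOTREQUEST, 0x1234, CLIENT_MAC,
                      options=[(OPT_MSG_TYPE, bytes([DHCPDISCOVER]))])
LEGIT_OFFER = _offer("10.0.0.1")                  # from the whitelisted server
ROGUE_OFFER = _offer("10.0.0.99")                 # from a personal router / attacker
SPOOFED_OFFER = _offer("10.0.0.1", "10.0.0.99")   # IP source whitelisted, option 54 not


def demo():
    """Run the constructed datagrams through the whitelist check."""
    return {
        "discover": nfg_decision("0.0.0.0", DHCP_CLIENT_PORT, DISCOVER, WHITELIST),
        "legit_offer": nfg_decision("10.0.0.1", DHCP_SERVER_PORT, LEGIT_OFFER, WHITELIST),
        "rogue_offer": nfg_decision("10.0.0.99", DHCP_SERVER_PORT, ROGUE_OFFER, WHITELIST),
        "spoofed_offer": nfg_decision("10.0.0.1", DHCP_SERVER_PORT, SPOOFED_OFFER, WHITELIST),
        "garbage": nfg_decision("10.0.0.1", DHCP_SERVER_PORT, b"\x02" * 10, WHITELIST),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} -> {verdict}")
```

One caveat a practitioner should carry over into any real deployment: a whitelist keyed only on IP addresses is defeated by a rogue that spoofs the legitimate server's source address and Server Identifier. The OpenFlow match that installs the drop rule can also include the ingress port and source MAC, so binding the whitelist entry to the switch port the real server is attached to closes that gap; the slides do not say whether NFGD does this.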

