Presentation on theme: "1 OpenFlow Research on the Georgia Tech Campus Network Russ Clark Nick Feamster Students: Yogesh Mundada, Hyojoon Kim, Ankur Nayak, Anirudh Ramachandran,"— Presentation transcript:
1 OpenFlow Research on the Georgia Tech Campus Network Russ Clark Nick Feamster Students: Yogesh Mundada, Hyojoon Kim, Ankur Nayak, Anirudh Ramachandran, Umayr Hassan
2 Summary of Research Projects Campus Network Deployment –Resonance: Dynamic Access Control for Campus Networks –Pedigree: Traffic Tainting for Securing Enterprise Networks Home Network Deployments –User-Proof Networking (with Prof. Keith Edwards) Class Projects: Network Management/Network Security –OpenFlow Traffic Classification –SNMP MIB for OpenFlow –Home-Network Management using OpenFlow –OpenFlow for High Availability/Service Migration –OpenFlow and Virtualization –Access Control for Home Networks –Automated Intrusion Detection with OpenFlow
3 Dynamic Access Control Enterprise and campus networks are dynamic –Hosts continually coming and leaving –Hosts may become infected Today, access control is static, and poorly integrated with the network layer itself Resonance: Dynamic access control –Track state of each host on the network –Update forwarding state of switches per host as these states change
4 Authentication at GT: START 3. VLAN with Private IP 6. VLAN with Public IP ta.1. New MAC Addr2. VQP 7. REBOOT Web Portal 4. Web Authentication 5. Authentication Result VMPS Switch New Host
5 Problems with Current Approach Access Control is too coarse-grained –Static, inflexible and prone to misconfigurations –Need to rely on VLANs to isolate infected machines Cannot dynamically remap hosts to different portions of the network –Needs a DHCP request which for a windows user would mean a reboot Monitoring is not continuous Idea: Access control policies should reflect network dynamics.
6 Resonance Approach Step 1: Controller associates each host with generic states and security classes. Step 2: Specify a state machine for moving machines from one state to the other. Step 3: Control forwarding state in switches based on the current state of each host.
7 Applying resonance to START Registration Authenticated Operation Quarantined Successful Authentication Vulnerability detected Clean after update Failed Authentication Infection removed or manually fixed Still Infected after an update
8 Challenges Scale –How many forwarding entries per switch? –How much traffic at the controller? Performance –Responsiveness Security –MAC address spoofing –Securing the controller (and control framework)
10 Enterprise Information Flow Control Goal: Control how information flows between different hosts in the network –Control the spread of malware –Prevent data leaks Challenges –Heterogeneous devices –Hosts may not be trusted Solution: Pedigree –Classify traffic based on What process generated the traffic Where that process has taken inputs –Implement control policies in the network
11 Pedigree Design Trusted tagging component resides on host. Traffic carries taints that reflect provenance of network traffic. Switch one hop from hosts makes access control decisions.
12 Current Function Internet 1.Host sends request over control channel to open with flow with taint set. 2. Traffic diverted to controller, which checks policy. 3. Controller inserts flow table entry, if policy compliant.