
DPX: Data-Plane eXtensions for SDN Security Service Instantiation - PowerPoint PPT Presentation

DPX: Data-Plane eXtensions for SDN Security Service Instantiation Taejune Park , Yeonkeun Kim , Vinod Yegneswaran , Phillip Porras , Zhaoyan Xu , KyoungSoo Park , and Seungwon Shin 1) KAIST, Korea 2) SRI


  1. DPX: Data-Plane eXtensions for SDN Security Service Instantiation
 Taejune Park ¹, Yeonkeun Kim ¹, Vinod Yegneswaran ², Phillip Porras ², Zhaoyan Xu ³, KyoungSoo Park ¹, and Seungwon Shin ¹
 1) KAIST, Korea 2) SRI International, USA 3) Palo Alto Networks, USA

  2. Software-Defined Networking
 • Decouple control-plane from data-plane
 • Centralized controller
 • SDN switches
 • Centralized operation with standard protocol (e.g., OpenFlow)
 • Programmable network management
 • Dynamic traffic engineering
 [Figure: Control-Plane (Controller) running network applications (Routing, L4, Discovery, …), connected over the Control Interface (OpenFlow) to the Data-Plane (Switches) holding a flow table:]
   in_port  ip_src    ip_dst    tcp_src  tcp_dst  actions
   1        10.0.0.1  10.0.0.2  *        *        output(2)
   *        *         *         *        80       drop
   2        *         20.0.0.1  22       *        set_ip_dst(20.0.0.2),output(1)
 2 / 35

  3. Software-Defined Networking
 • Decouple control-plane from data-plane
 • Centralized controller
 • SDN switches
 • Centralized operation with standard protocol (e.g., OpenFlow)
 • Programmable network management
 • Dynamic traffic engineering
 Security is still required:
 • Shin, Seung Won, et al. "Fresco: Modular composable security services for software-defined networks."
 • Shin, Seung Won, et al. "Cloudwatcher: Network security monitoring using openflow in dynamic cloud networks."
 • Braga, Rodrigo, et al. "Lightweight DDoS flooding attack detection using NOX/OpenFlow."
 • Yoon, Changhoon, et al. "Enabling security functions with SDN: A feasibility study."
 • S. K. Fayazbakhsh, et al. "Enforcing network-wide policies in the presence of dynamic middlebox actions using flowtags"
 • Z. A. Qazi, et al. "SIMPLE-fying Middlebox Policy Enforcement Using SDN."
 • And so on…
 [Figure: same controller / OpenFlow / switch flow-table diagram as slide 2.]
 3 / 35

  4. Security in Software-Defined Networking
 [Figure: Control-Plane (Controller) hosting several Network Applications and a Security Application; Control Interface (OpenFlow); a Middlebox (e.g., NFV) attached to the Data-Plane (Switches).]
 4 / 35

  5. Security in Software-Defined Networking
 • Security applications on a control plane
 • Applying a security service network-wide
 • Cheap price
 • Easy to manage
 [Figure: as slide 4, highlighting the Security Application on the controller.]
 5 / 35

  6. Security in Software-Defined Networking
 • Security applications on a control plane
 • Applying a security service network-wide
 • Cheap price
 • Easy to manage
 • Limitation
   • Simple security only available
   • Controller overhead
   • Low performance
 [Figure: as slide 4, highlighting the Security Application on the controller.]
 6 / 35

  7. Security in Software-Defined Networking
 • Middle-boxes (e.g., NFV)
 • Better performance
 • Rich functions (e.g., payload inspection)
 • No controller overhead
 [Figure: as slide 4, highlighting the Middlebox (e.g., NFV) next to the data plane.]
 7 / 35

  8. Security in Software-Defined Networking
 • Middle-boxes (e.g., NFV)
 • Better performance
 • Rich functions (e.g., payload inspection)
 • No controller overhead
 • Limitation
   • Network overhead caused by traffic detouring (performance loss)
   • Require flow steering for NFs
   • Additional control channels for NFs
 [Figure: as slide 4, highlighting the Middlebox (e.g., NFV) next to the data plane.]
 8 / 35

  9. Service Chaining
 [Figure: Source -> DoS Detector -> Scan Detector -> Deep Packet Inspector -> Destination, with the flow detoured through each network function in turn.]
 9 / 35

  10. Service Chaining
 [Figure: per-flow chains of network functions]
   Flow_A: DoS Detector 1 -> Scan Detector 1 -> DPI 1
   Flow_B: DoS Detector 1 -> DPI 1
   Flow_C: DoS Detector 1 -> Scan Detector 2
   Flow_D: DoS Detector 2 -> DPI 2
   Flow_E: DPI 2
 10 / 35

  11. Service Chaining
 [Figure: the flow rules (Match -> Actions) the controller must install to realize the chains on slide 10, one rule table at the ingress and one after each network function]
   Rules for incoming flows: Flow_A/B/C -> forward(DoS1); Flow_D -> forward(DoS2); Flow_E -> forward(DPI2)
   Rules for DoS1:  Flow_A -> forward(Scan1); Flow_B -> forward(DPI1); Flow_C -> forward(Scan2)
   Rules for Scan1: Flow_A -> forward(DPI1)
   Rules for DPI1:  Flow_A/B -> forward(…)
   Rules for DoS2:  Flow_D -> forward(DPI2)
   Rules for Scan2: Flow_C -> forward(…)
   Rules for DPI2:  Flow_D/E -> forward(…)
 11 / 35
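The rule layout on slides 10 and 11 can be derived mechanically from the per-flow chains, which is a useful way to see how the steering-rule count grows with the chain length. The following is an added example and not code from the DPX authors; the flow and network-function names are taken from slide 10, while the function names and the `forward(dst)` placeholder for the slide's `forward(…)` are my own.

```python
# Added example (not from the DPX slides): derive the steering rules a
# controller must install so that each flow traverses its middlebox chain.
from collections import OrderedDict

# Constructed input, copied from slide 10: each flow and the ordered list of
# network functions (NFs) it must pass through before reaching its destination.
CHAINS = OrderedDict([
    ("Flow_A", ["DoS1", "Scan1", "DPI1"]),
    ("Flow_B", ["DoS1", "DPI1"]),
    ("Flow_C", ["DoS1", "Scan2"]),
    ("Flow_D", ["DoS2", "DPI2"]),
    ("Flow_E", ["DPI2"]),
])


def derive_steering_rules(chains):
    """Return an ordered dict {rule_table: [(match_flow, action), ...]}.

    "incoming" is the rule table for traffic entering the network; every other
    key is the rule table applied to packets coming back out of that NF.  Each
    hop of a chain needs one rule in the table of the hop before it, and the
    last NF needs a rule that sends the flow on to its real destination
    ("forward(dst)" stands in for the slide's "forward(...)").
    """
    tables = OrderedDict([("incoming", [])])
    for flow, chain in chains.items():
        prev = "incoming"
        for nf in chain:
            tables.setdefault(prev, []).append((flow, "forward(%s)" % nf))
            prev = nf
        tables.setdefault(prev, []).append((flow, "forward(dst)"))
    return tables


def count_rules(tables):
    """Total number of steering rules across all rule tables."""
    return sum(len(rules) for rules in tables.values())


if __name__ == "__main__":
    rules = derive_steering_rules(CHAINS)
    for table, entries in rules.items():
        print("Rules for %s:" % table)
        for flow, action in entries:
            print("  %-7s -> %s" % (flow, action))
    print("total steering rules:", count_rules(rules))
```

Every flow costs one rule per chain hop plus one for the final forward, so the five flows on slide 10 already need fifteen rules spread over seven rule tables, and every added NF or flow adds more; that is the flow-steering burden slides 12 and 13 list under management.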

  12. Challenges of Security in SDN
 • Performance
 • Management
 12 / 35

  13. Challenges of Security in SDN
 • Performance
 • Management
 • Flow steering/engineering
 13 / 35

  14. DPX: Data-Plane eXtensions for SDN Security Service Instantiation
 • Provides security services as a part of packet processing logic.
 • Security services as a set of OpenFlow actions
 • Processing packets without detouring
 [Figure: a packet passing DoS, Scan and DPI checks inside the switch pipeline, with the flow table:]
   MATCH   Actions
   Flow_A  sec_dos(mbps=1000), output:2
   Flow_B  sec_dos(…), sec_scan(…), output:3
 14 / 35

  15. Security actions
 • Providing security services for an incoming flow
   ip_src    ip_dst    tcp_src  tcp_dst  Actions
   10.0.0.1  10.0.0.2  *        *        sec_dos(mbps=1000, policy=alert), output:2
   *         *         *        80       sec_dpi(pattern="rule.txt", policy=discard), output:3
   [Figure: Pkt 10.0.0.1->10.0.0.2 matches the first entry, Pkt -> tcp_80 matches the second; both are handled inside DPX.]
 • To deploy, set a threshold and policy as the parameters of the required security action
   Security Action: sec_dos(mbps=1000, policy=alert)
     Threshold: mbps=1000
     Policy:    policy=alert
 15 / 35

  16. Security actions
 • High compatibility with common OpenFlow actions
   MATCH   Actions
   Flow_A  sec_dos(mbps=1000), set_ip_dst(10.0.0.2), output:2
 • Fine-grained security deployment per flow
   MATCH   Actions
   Flow_A  sec_dos(mbps=1000), output:2
   Flow_B  sec_dos(mbps=500), output:2
   Flow_C  sec_dos(mbps=750), output:2
 • Easy configuration for security service chaining
   MATCH   Actions
   Flow_A  sec_dos(…), sec_scan(…), sec_dpi(…), output:2
 16 / 35

  17. System Design
 • Similar to a conventional SDN
 • Match a flow rule in a flow table -> perform actions
 • Security action block
 • DPX security application
 [Figure: Controller hosting Network Applications and a Security Application; OpenFlow Channel carrying rule deployment (via Flow_mod) down and event messages up; DPX dataplane containing the Flow Table, Common Actions, and Security Actions (Data Section, Inspection Logic, Policy Handler), with Flow_key and Flow_stats passed from the flow table into the security actions.]
 17 / 35

  18. Security Action Block
 • Individual processing block for a security action
   • Data Section
   • Inspection Logic
   • Policy Handler
 [Figure: as slide 17, with several Security Action blocks side by side, each receiving Flow_stats and Flow_key.]
 18 / 35

  19. Security Action Block: Data Section
 • Store required statistics data of a packet by
   • Flow_key: packet-level metadata used for indexing a flow table
   • Flow_stats: flow table statistics
 [Figure: as slide 17, highlighting the Data Section and the Flow_key / Flow_stats inputs.]
 19 / 35

  20. Security Action Block: Inspection Logic
 • Perform actual inspection
 • Calculate statistics using the data section
 • Determine a security violation with threshold values in the parameter
   - sec_dos(mbps=1000, …)
 [Figure: as slide 17, highlighting the Inspection Logic.]
 20 / 35
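Slides 14 to 20 describe a security action as a flow-table action with a data section keyed by flow, inspection logic that compares a computed statistic against the action's threshold parameter, and a policy handler that applies the configured policy. The following is an added model of that pipeline, written here for illustration and not DPX's own code: it implements a `sec_dos(mbps=…, policy=…)` action inline in a tiny flow-table switch, evaluates security actions ahead of the common actions, and is fed a constructed burst of packets. Class and function names, the 1-second rate window, and the `"drop"` / `"table-miss"` result strings are my assumptions.

```python
# Added example (not DPX's own code): a software model of a DPX security action
# block (data section, inspection logic, policy handler) attached to a flow
# entry, following slides 15-20.  Names and the 1 s window are assumptions.
from dataclasses import dataclass


class SecDos:
    """Model of sec_dos(mbps=..., policy=...): per-flow volumetric threshold.

    data_section     : flow_key -> bytes seen in the current 1 s window and its start
    inspect()        : inspection logic, compares the window's bit rate to the threshold
    policy_handler() : applies the policy; "alert" only records, "discard" drops
    """

    def __init__(self, mbps, policy="alert"):
        self.threshold_bits = mbps * 1_000_000   # mbps parameter -> bits per second
        self.policy = policy
        self.data_section = {}
        self.alerts = []                         # (flow_key, observed bit rate)

    def inspect(self, flow_key, pkt_len, now):
        st = self.data_section.setdefault(flow_key, {"bytes": 0, "t0": now})
        if now - st["t0"] >= 1.0:                # start a fresh 1 s window
            st["bytes"], st["t0"] = 0, now
        st["bytes"] += pkt_len
        # The window has been open for at most 1 s, so bytes*8 is a lower
        # bound on the bit rate; exceeding the threshold within it is a violation.
        bits_per_s = st["bytes"] * 8
        if bits_per_s > self.threshold_bits:
            return self.policy_handler(flow_key, bits_per_s)
        return "pass"

    def policy_handler(self, flow_key, rate):
        self.alerts.append((flow_key, rate))
        return "discard" if self.policy == "discard" else "pass"


@dataclass
class FlowEntry:
    match: dict            # header field -> value, or "*" for a wildcard (slide 15)
    sec_actions: list      # DPX security actions, evaluated before the common actions
    common_actions: list   # ordinary OpenFlow actions, e.g. ["output:2"]


def matches(match, pkt):
    return all(v == "*" or pkt.get(k) == v for k, v in match.items())


class DpxSwitch:
    """First-match flow table whose entries may carry security actions."""

    def __init__(self, entries):
        self.entries = entries

    def process(self, pkt, now):
        for e in self.entries:
            if not matches(e.match, pkt):
                continue
            # Flow_key: packet-level metadata used to index the data section.
            flow_key = (pkt["ip_src"], pkt["ip_dst"], pkt.get("tcp_src"), pkt.get("tcp_dst"))
            for sa in e.sec_actions:             # a chain like sec_dos, sec_scan, ...
                if sa.inspect(flow_key, pkt["len"], now) == "discard":
                    return ["drop"]
            return e.common_actions              # no detour: same pipeline, same entry
        return ["table-miss"]


def replay(switch, timed_pkts):
    """Run (pkt, timestamp) pairs through the switch; return (forwarded, dropped, misses)."""
    fwd = drop = miss = 0
    for pkt, t in timed_pkts:
        out = switch.process(pkt, t)
        if out == ["drop"]:
            drop += 1
        elif out == ["table-miss"]:
            miss += 1
        else:
            fwd += 1
    return fwd, drop, miss


def build_demo_switch():
    # Entries modelled on slide 15, with a 1 Mbps threshold so a small constructed
    # burst trips it and policy=discard so the violation shows up as drops.
    return DpxSwitch([
        FlowEntry({"ip_src": "10.0.0.1", "ip_dst": "10.0.0.2"},
                  [SecDos(mbps=1, policy="discard")], ["output:2"]),
        FlowEntry({"tcp_dst": 80}, [], ["output:3"]),
    ])


def demo_burst():
    """Constructed traffic: 100 x 1500 B packets in 0.1 s, then one packet 2 s later."""
    sw = build_demo_switch()
    pkt = {"ip_src": "10.0.0.1", "ip_dst": "10.0.0.2",
           "tcp_src": 40000, "tcp_dst": 22, "len": 1500}
    burst = [(pkt, i * 0.001) for i in range(100)]
    later = [(pkt, 2.0)]
    return replay(sw, burst), replay(sw, later)


if __name__ == "__main__":
    print(demo_burst())   # first tuple: 83 forwarded, 17 dropped; then window reset
```

With a 1 Mbps threshold, 1500-byte packets contribute 12,000 bits each, so the 84th packet inside the same one-second window is the first to exceed the threshold and be discarded; after the window expires the flow is forwarded again. Swapping `policy="alert"` keeps every packet flowing and only fills `alerts`, which matches the threshold/policy split on slide 15.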
