NetControl. Johanna Amann, johanna@icir.org. PowerPoint presentation (slide text).



  1. NetControl. Johanna Amann, johanna@icir.org

  2. NetControl
      - Push rules to networking hardware and software
      - Based on traffic observed by Bro
      - Simple to use but flexible API

  3. Uses for NetControl
      - Traffic shunting
      - Block attacks at the network boundary
      - Redirecting high-volume flows to different interfaces
      - Quarantine hosts

  6. Architecture (diagram): network traffic feeds the Bro event engine; Bro scripts drive the NetControl framework through high-level calls or low-level primitives, and the framework turns them into rules for its backends (Backend 1: switch, Backend 2: switch, Backend 3: router, Backend 4: firewall). The backends handle the device communication and report back Success, Failure or Timeout.

  7. Architecture, current backends (same diagram): OpenFlow, command line applications, Acld, Bro packet filter.

  8. Bro PacketFilter

  9. High level API
      - drop_connection(connection, timeout)
      - drop_address(host, timeout)
      - drop_address_catch_release(host)
      - shunt_flow(flow, timeout)
      - quarantine(infected host, dns host, quarantine server, timeout)
      - whitelist(prefix, timeout)

  10. API Examples

      # Shunt bulk GridFTP data channels for an hour. The flow record's
      # destination port field is $dst_p (the slide had $resp_p, which does
      # not exist in flow_id).
      event GridFTP::data_channel_detected(c: connection)
          {
          NetControl::shunt_flow([$src_h=c$id$orig_h, $src_p=c$id$orig_p,
                                  $dst_h=c$id$resp_h, $dst_p=c$id$resp_p], 1hr);
          }

      # Block scanners for ten minutes once the notice is logged. n$src is
      # an optional field, so check it before use; the notice types live in
      # the Scan module.
      event Notice::log_notice(n: Notice::Info)
          {
          if ( n?$src && ( n$note == Scan::Address_Scan || n$note == Scan::Port_Scan ) )
              NetControl::drop_address(n$src, 10min);
          }

  11. What do Rules look like?
      - Type: Drop, Modify, Redirect, Whitelist
      - Target: Forward, Monitor
      - Timeout
      - Entity: Address, Mac, Connection, Flow
      - Priority
      - Location

  12. Example: Rule(Type=Drop, Entity=Flow([5-tuple]), Target=Monitor)

      # Inside module NetControl, so Flow, Entity, Rule and add_rule resolve
      # unqualified. The flow's addresses become /32 or /128 subnets.
      function shunt_flow(f: flow_id, t: interval) : string
          {
          local flow = Flow($src_h=addr_to_subnet(f$src_h), $src_p=f$src_p,
                            $dst_h=addr_to_subnet(f$dst_h), $dst_p=f$dst_p);
          local e: Entity = [$ty=FLOW, $flow=flow];
          local r: Rule = [$ty=DROP, $target=MONITOR, $entity=e, $expire=t];
          # add_rule hands the rule to the backends and returns its id.
          return add_rule(r);
          }
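Slides 10 and 12 show the two ends of the API: the high-level helpers and the Rule record they build underneath. The script below is an added example, not code from the slides or from the Bro/Zeek project; it runs the whole rule flow against the debug backend, which accepts and prints every rule, so no switch or controller is required. The subnet 192.0.2.0/24, the "lab-edge" location tag and the 30-minute lab window are constructed sample values.

```zeek
# Added example (not part of the slides): runs the NetControl rule flow end to
# end against the debug backend, which accepts and prints every rule, so no
# switch or controller is needed. The subnet 192.0.2.0/24 and the "lab-edge"
# location tag are constructed sample values.
@load base/frameworks/netcontrol
@load protocols/ftp/gridftp
@load misc/scan

# Backend setup happens in NetControl::init. Priority 0 is the lowest.
event NetControl::init()
	{
	local debug = NetControl::create_debug(T);
	NetControl::activate(debug, 0);
	}

# High-level API, as on slide 10. Bulk GridFTP data channels are shunted
# for an hour so Bro stops spending cycles on them; the flow record's
# destination port field is $dst_p.
event GridFTP::data_channel_detected(c: connection)
	{
	NetControl::shunt_flow([$src_h=c$id$orig_h, $src_p=c$id$orig_p,
	                        $dst_h=c$id$resp_h, $dst_p=c$id$resp_p], 1hr);
	}

# Scanners are blocked for ten minutes. Notice::policy runs for every notice
# before it is logged; n$src is optional, so test for it first.
hook Notice::policy(n: Notice::Info)
	{
	if ( n?$src && ( n$note == Scan::Address_Scan || n$note == Scan::Port_Scan ) )
		NetControl::drop_address(n$src, 10min);
	}

# Low-level primitives, as on slide 12: build Entity and Rule by hand when
# the helpers do not fit. Here a lab subnet is whitelisted for two hours at
# a priority above the default, so it takes precedence over drops, and is
# tagged with a location string for the operator.
global whitelist_rule_id = "";
global lab_finished: event();

event NetControl::init_done()
	{
	local e: NetControl::Entity = [$ty=NetControl::ADDRESS, $ip=192.0.2.0/24];
	local r: NetControl::Rule = [$ty=NetControl::WHITELIST, $target=NetControl::FORWARD,
	                            $entity=e, $expire=2hr, $priority=+100,
	                            $location="lab-edge"];
	# add_rule returns the rule id, which is all remove_rule needs later.
	whitelist_rule_id = NetControl::add_rule(r);
	schedule 30min { lab_finished() };
	}

# Remove the whitelist before its timeout once the lab window is over.
event lab_finished()
	{
	NetControl::remove_rule(whitelist_rule_id);
	}

# The three outcomes a backend can report (Success, Failure, Timeout in the
# architecture diagram) arrive as events.
event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
	{
	print fmt("installed %s rule %s on %s", r$ty, r$id, p$plugin$name(p));
	}

event NetControl::rule_error(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
	{
	Reporter::error(fmt("backend %s rejected rule %s: %s", p$plugin$name(p), r$id, msg));
	}

event NetControl::rule_timeout(r: NetControl::Rule, i: NetControl::FlowInfo, p: NetControl::PluginState)
	{
	print fmt("rule %s expired after %s on %s", r$id, r$expire, p$plugin$name(p));
	}
```

Run it with `zeek -r some.pcap netcontrol-demo.zeek` (or `bro -r` on the version the slides use); every rule also lands in netcontrol.log, which is the place to audit what the framework pushed and which backend took it.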

  13. Choosing Backends (repeats the architecture diagram of slide 6 as the section opener)

  14. Choosing Backends (diagram): the NetControl framework drives three OpenFlow backends with different priorities: Backend 1 for Network A (priority 5), Backend 2 for Network B (priority 2), Backend 3 for the tap switch (priority 0).

  24. Adding Backends

      # Foo stands for a concrete backend constructor (create_openflow,
      # create_debug, ...); the second argument to activate is the priority.
      local backend = NetControl::create_backend_Foo([...]);
      NetControl::activate(backend, 10);
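Slides 14 and 24 together describe how a rule finds its backend: each backend is activated with a priority, and NetControl offers a rule to the backends from highest to lowest priority until one accepts it. The script below is an added example, not from the slides or the Bro/Zeek project: it activates three OpenFlow backends with priorities 5, 2 and 0 and scopes the first two to one network each through the OpenFlow plugin's check_pred option, so a rule about a host in Network A lands on its edge switch and everything else falls through to the tap switch. Network ranges, datapath ids and the sample addresses are constructed; OpenFlow::log_new stands in for a real controller, where OpenFlow::ryu_new(host, port, dpid) would be used.

```zeek
# Added example (not from the slides): three OpenFlow backends scoped to
# different networks, chosen by priority and a check predicate. Network
# ranges, datapath ids and sample addresses are constructed; the log
# controller stands in for a real one.
@load base/frameworks/netcontrol
@load base/frameworks/openflow

module BackendDemo;

export {
	## Constructed sample values: the two monitored networks.
	const network_a: subnet = 10.1.0.0/16 &redef;
	const network_b: subnet = 10.2.0.0/16 &redef;
}

# True when any address the rule names lies inside net. Covers every entity
# type the framework knows; MAC entities carry no address and fall through.
function rule_in_network(r: NetControl::Rule, net: subnet): bool
	{
	local e = r$entity;
	switch ( e$ty )
		{
		case NetControl::ADDRESS:
			return subnet_to_addr(e$ip) in net;
		case NetControl::CONNECTION:
			return e$conn$orig_h in net || e$conn$resp_h in net;
		case NetControl::FLOW:
			return ( e$flow?$src_h && subnet_to_addr(e$flow$src_h) in net )
			    || ( e$flow?$dst_h && subnet_to_addr(e$flow$dst_h) in net );
		default:
			return F;
		}
	}

# Predicates handed to the OpenFlow plugin: returning F makes that backend
# decline the rule, so NetControl offers it to the next lower priority.
function only_network_a(p: NetControl::PluginState, r: NetControl::Rule): bool
	{ return rule_in_network(r, network_a); }

function only_network_b(p: NetControl::PluginState, r: NetControl::Rule): bool
	{ return rule_in_network(r, network_b); }

event NetControl::init()
	{
	# Backend 1: edge switch of Network A, priority 5 (tried first).
	local of_a = NetControl::create_openflow(OpenFlow::log_new(1),
	                                         [$check_pred=only_network_a]);
	NetControl::activate(of_a, 5);

	# Backend 2: edge switch of Network B, priority 2.
	local of_b = NetControl::create_openflow(OpenFlow::log_new(2),
	                                         [$check_pred=only_network_b]);
	NetControl::activate(of_b, 2);

	# Backend 3: tap switch, priority 0. No predicate, so it takes whatever
	# the edge switches declined.
	local of_tap = NetControl::create_openflow(OpenFlow::log_new(3));
	NetControl::activate(of_tap, 0);
	}

# Once all backends are up, push one rule per network and one outside both.
event NetControl::init_done()
	{
	NetControl::drop_address(10.1.0.7, 10min);      # accepted by backend 1
	NetControl::drop_address(10.2.0.9, 10min);      # declined by 1, accepted by 2
	NetControl::drop_address(198.51.100.4, 10min);  # declined by 1 and 2, tap switch takes it
	}

# Show which backend ended up owning each rule.
event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
	{
	print fmt("%s -> %s", r$entity$ip, p$plugin$name(p));
	}
```

The same assignment is visible in netcontrol.log, whose plugin column records the backend that took each rule; a rule that no backend accepts shows up there as a failure rather than silently disappearing, which is the check to run after adding or re-prioritising a backend.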

  25. State management
      - Rules are often only needed for a limited time
      - NetControl supports timeouts
      - ...but respects hardware/software that does not need them

  26. OpenFlow
      - Open specification
      - Allows software to insert rules into switch flow tables
      - Match (and change) characteristics like IPv4/IPv6 addresses, ports, VLANs, etc.

  27. NetControl & OpenFlow (diagram): decisions such as Block and Shunt flow from Bro's NetControl framework to the NetControl OpenFlow backend and the OpenFlow module, over the Broker protocol to a Ryu OpenFlow controller, and from there over the OpenFlow protocol to the OpenFlow switch.

  28. Demonstration
