security assessment on a vxlan based network
play

Security assessment on a VXLAN-based network Guido Pineda Reyes - PowerPoint PPT Presentation

Jan 09, 2023 •104 likes •430 views

Introduction VXLAN prototype Security assessment Q&A Security assessment on a VXLAN-based network Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam February 5, 2014 Guido Pineda Reyes Security

  1. Introduction VXLAN prototype Security assessment Q&A Security assessment on a VXLAN-based network Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam February 5, 2014 Guido Pineda Reyes Security assessment on a VXLAN-based network

  2. Introduction VXLAN prototype Security assessment Q&A Outline 1 Introduction Virtual eXtensible LAN Research question Approach 2 VXLAN prototype 3 Security assessment MAC Flood Attack Double-Encapsulated 802.1Q/Nested VLAN Attack ARP Attack UDP Flood Attack Future research Conclusions 4 Q&A Guido Pineda Reyes Security assessment on a VXLAN-based network

  3. Introduction Virtual eXtensible LAN VXLAN prototype Research question Security assessment Approach Q&A Outline 1 Introduction Virtual eXtensible LAN Research question Approach 2 VXLAN prototype 3 Security assessment MAC Flood Attack Double-Encapsulated 802.1Q/Nested VLAN Attack ARP Attack UDP Flood Attack Future research Conclusions 4 Q&A Guido Pineda Reyes Security assessment on a VXLAN-based network

  4. Introduction Virtual eXtensible LAN VXLAN prototype Research question Security assessment Approach Q&A Virtual eXtensible LAN Introduction Still an Internet Draft, current revision: 7th Allows to extend logical networks Encapsulates layer MAC-based Layer 2 frames within a UDP packet Up to 16 million logical networks Security measurements have not been performed yet Guido Pineda Reyes Security assessment on a VXLAN-based network

  5. Introduction Virtual eXtensible LAN VXLAN prototype Research question Security assessment Approach Q&A Virtual eXtensible LAN Typical use case Guido Pineda Reyes Security assessment on a VXLAN-based network

  6. Introduction Virtual eXtensible LAN VXLAN prototype Research question Security assessment Approach Q&A Outline 1 Introduction Virtual eXtensible LAN Research question Approach 2 VXLAN prototype 3 Security assessment MAC Flood Attack Double-Encapsulated 802.1Q/Nested VLAN Attack ARP Attack UDP Flood Attack Future research Conclusions 4 Q&A Guido Pineda Reyes Security assessment on a VXLAN-based network

  7. Introduction Virtual eXtensible LAN VXLAN prototype Research question Security assessment Approach Q&A Research questions Main question: How feasible are the known VLAN attacks in a VXLAN environment? Subquestions: Which attacks were successful? What is the difference between these attacks in a VLAN and a VXLAN environment? Is there anyway to prevent them or mitigate them? Guido Pineda Reyes Security assessment on a VXLAN-based network

  8. Introduction Virtual eXtensible LAN VXLAN prototype Research question Security assessment Approach Q&A Outline 1 Introduction Virtual eXtensible LAN Research question Approach 2 VXLAN prototype 3 Security assessment MAC Flood Attack Double-Encapsulated 802.1Q/Nested VLAN Attack ARP Attack UDP Flood Attack Future research Conclusions 4 Q&A Guido Pineda Reyes Security assessment on a VXLAN-based network

  9. Introduction Virtual eXtensible LAN VXLAN prototype Research question Security assessment Approach Q&A Approach Build the VXLAN prototype. Deploy the security assessment on the prototype. Focus on successful attacks. Understand how this attacks work to give a solution on how to mitigate or prevent them. Guido Pineda Reyes Security assessment on a VXLAN-based network

  10. Introduction VXLAN prototype Security assessment Q&A VXLAN prototype Design Guido Pineda Reyes Security assessment on a VXLAN-based network

  11. Introduction VXLAN prototype Security assessment Q&A VXLAN prototype Options VMware vSphere products VMware vSphere + Cisco Nexus 1000v VXLAN Linux implementation (needs kernel modification) Guido Pineda Reyes Security assessment on a VXLAN-based network

  12. Introduction VXLAN prototype Security assessment Q&A VXLAN prototype Connectivity tests: UDP encapsulated traffic Guido Pineda Reyes Security assessment on a VXLAN-based network

  13. Introduction VXLAN prototype Security assessment Q&A VXLAN prototype Connectivity tests: VXLAN encapsulation Guido Pineda Reyes Security assessment on a VXLAN-based network

  14. MAC Flood Attack Introduction Double-Encapsulated 802.1Q/Nested VLAN Attack VXLAN prototype ARP Attack Security assessment UDP Flood Attack Q&A Future research Conclusions Security Assessment MAC Flood Attack Double-Encapsulated 802.1Q/Nested VLAN Attack ARP Attack UDP Flood Attack Evaluation Guido Pineda Reyes Security assessment on a VXLAN-based network

  15. MAC Flood Attack Introduction Double-Encapsulated 802.1Q/Nested VLAN Attack VXLAN prototype ARP Attack Security assessment UDP Flood Attack Q&A Future research Conclusions Outline 1 Introduction Virtual eXtensible LAN Research question Approach 2 VXLAN prototype 3 Security assessment MAC Flood Attack Double-Encapsulated 802.1Q/Nested VLAN Attack ARP Attack UDP Flood Attack Future research Conclusions 4 Q&A Guido Pineda Reyes Security assessment on a VXLAN-based network

  16. MAC Flood Attack Introduction Double-Encapsulated 802.1Q/Nested VLAN Attack VXLAN prototype ARP Attack Security assessment UDP Flood Attack Q&A Future research Conclusions MAC Flood Attack Scenarios Guido Pineda Reyes Security assessment on a VXLAN-based network

  17. MAC Flood Attack Introduction Double-Encapsulated 802.1Q/Nested VLAN Attack VXLAN prototype ARP Attack Security assessment UDP Flood Attack Q&A Future research Conclusions MAC Flood Attack Tool: macof Results: Attacker on physical net: Successful Attacker on logical net: Failed Mitigation/Prevention: Restrict the number of MAC addresses to one port Specify static MAC address association IDS Guido Pineda Reyes Security assessment on a VXLAN-based network

  18. MAC Flood Attack Introduction Double-Encapsulated 802.1Q/Nested VLAN Attack VXLAN prototype ARP Attack Security assessment UDP Flood Attack Q&A Future research Conclusions Outline 1 Introduction Virtual eXtensible LAN Research question Approach 2 VXLAN prototype 3 Security assessment MAC Flood Attack Double-Encapsulated 802.1Q/Nested VLAN Attack ARP Attack UDP Flood Attack Future research Conclusions 4 Q&A Guido Pineda Reyes Security assessment on a VXLAN-based network

  19. MAC Flood Attack Introduction Double-Encapsulated 802.1Q/Nested VLAN Attack VXLAN prototype ARP Attack Security assessment UDP Flood Attack Q&A Future research Conclusions Double-Encapsulated 802.1Q/Nested VLAN Attack Scenario Guido Pineda Reyes Security assessment on a VXLAN-based network

  20. MAC Flood Attack Introduction Double-Encapsulated 802.1Q/Nested VLAN Attack VXLAN prototype ARP Attack Security assessment UDP Flood Attack Q&A Future research Conclusions Double-Encapsulated 802.1Q/Nested VLAN Attack Concept Guido Pineda Reyes Security assessment on a VXLAN-based network

  21. MAC Flood Attack Introduction Double-Encapsulated 802.1Q/Nested VLAN Attack VXLAN prototype ARP Attack Security assessment UDP Flood Attack Q&A Future research Conclusions Double-Encapsulated 802.1Q/Nested VLAN Attack Tool: scapy Results: Attacker on logical net: Failed Guido Pineda Reyes Security assessment on a VXLAN-based network

  22. MAC Flood Attack Introduction Double-Encapsulated 802.1Q/Nested VLAN Attack VXLAN prototype ARP Attack Security assessment UDP Flood Attack Q&A Future research Conclusions Outline 1 Introduction Virtual eXtensible LAN Research question Approach 2 VXLAN prototype 3 Security assessment MAC Flood Attack Double-Encapsulated 802.1Q/Nested VLAN Attack ARP Attack UDP Flood Attack Future research Conclusions 4 Q&A Guido Pineda Reyes Security assessment on a VXLAN-based network

  23. MAC Flood Attack Introduction Double-Encapsulated 802.1Q/Nested VLAN Attack VXLAN prototype ARP Attack Security assessment UDP Flood Attack Q&A Future research Conclusions ARP Attack Scenarios Guido Pineda Reyes Security assessment on a VXLAN-based network

  24. MAC Flood Attack Introduction Double-Encapsulated 802.1Q/Nested VLAN Attack VXLAN prototype ARP Attack Security assessment UDP Flood Attack Q&A Future research Conclusions ARP Attack Summary Tool: arpspoof Configuring private communication between the Results: hosts at the service provider Attacker on physical net: level. Successful Attacker on logical net: Successful Mitigation/Prevention: Blocking direct communication between the attacker and the victim. Guido Pineda Reyes Security assessment on a VXLAN-based network

  25. MAC Flood Attack Introduction Double-Encapsulated 802.1Q/Nested VLAN Attack VXLAN prototype ARP Attack Security assessment UDP Flood Attack Q&A Future research Conclusions ARP Attack Scenarios Guido Pineda Reyes Security assessment on a VXLAN-based network

  26. MAC Flood Attack Introduction Double-Encapsulated 802.1Q/Nested VLAN Attack VXLAN prototype ARP Attack Security assessment UDP Flood Attack Q&A Future research Conclusions Outline 1 Introduction Virtual eXtensible LAN Research question Approach 2 VXLAN prototype 3 Security assessment MAC Flood Attack Double-Encapsulated 802.1Q/Nested VLAN Attack ARP Attack UDP Flood Attack Future research Conclusions 4 Q&A Guido Pineda Reyes Security assessment on a VXLAN-based network

Recommend

Running OpenStack over a VXLAN Fabric Andre Pech Arista

Running OpenStack over a VXLAN Fabric Andre Pech Arista

Running OpenStack over a VXLAN Fabric Andre Pech Arista Networks Overview VXLAN Refresher Why VXLAN? Network Design Requirements Key

315 views • 19 slides
Fix VxLAN Issue in SFC Integration by Using Eth+NSH and VxLAN-gpe+NSH Hybrid Mode Yi Yang, Intel

Fix VxLAN Issue in SFC Integration by Using Eth+NSH and VxLAN-gpe+NSH Hybrid Mode Yi Yang, Intel

Fix VxLAN Issue in SFC Integration by Using Eth+NSH and VxLAN-gpe+NSH Hybrid Mode Yi Yang, Intel (yi.y.yang@intel.com) Agenda VxLAN Issue in OVSDB+SFC How to Fix Current VxLAN issue by Eth+NSH Demo Introduction Demo Next

191 views • 18 slides
What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug

Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug

Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics Network Security Model Header attacks Protocol Attacks

597 views • 25 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 7 Intrusion Detection Topics Fundamentals Network IDS Snort Host-based IDS

1.03k views • 72 slides
Economics of network security Harald Vranken 1 Economics of network security Note that

Economics of network security Harald Vranken 1 Economics of network security Note that

Advanced Network Security (2019-2020) Economics of network security Harald Vranken 1 Economics of network security Note that network in this lecture means Physical communication network (eg. Internet, telephony, fax, telegraph)

769 views • 49 slides
TCP/IP: TCP Network Security Lecture 6 TCP Based on IP Provides connection-oriented ,

TCP/IP: TCP Network Security Lecture 6 TCP Based on IP Provides connection-oriented ,

TCP/IP: TCP Network Security Lecture 6 TCP Based on IP Provides connection-oriented , reliable stream delivery service (handles loss, duplication, transmission errors, reordering) Provides port abstraction (like UDP) Establishes

559 views • 30 slides
Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able to Skills identify design and Ability to analyze the implementation security of networked vulnerabilities in network systems protocols

564 views • 33 slides
Technology Assessment & Recommendations Structured Cabling Network Electronics

Technology Assessment & Recommendations Structured Cabling Network Electronics

7/12/2017 Technology Assessment & Recommendations Structured Cabling Network Electronics Wireless Network Classroom Systems Teacher Tools Electronic Security Public Address Staff and Student feedback 1

334 views • 10 slides
Risk-based Security BARRY KOUNS CEO AT RISK BASED SECURITY Session Overview Warm-up Quiz

Risk-based Security BARRY KOUNS CEO AT RISK BASED SECURITY Session Overview Warm-up Quiz

Risk Assessment the Heart of Risk-based Security BARRY KOUNS CEO AT RISK BASED SECURITY Session Overview Warm-up Quiz Introduction to our security challenge What is Risk-based Security? The language of risk some

787 views • 53 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J CSCI 6268/TLEN 5831, Fall 2004 Introduction UC Davis PhD in 2000 Cryptography Interested in broader security as well

492 views • 12 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

932 views • 55 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

374 views • 13 slides
Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

1.12k views • 92 slides
MulVAL: A logic-based network security analyzer Xinming Ou, Sudhakar Govindavajhala, and Andrew

MulVAL: A logic-based network security analyzer Xinming Ou, Sudhakar Govindavajhala, and Andrew

14th USENIX Security Symposium, August 2005 MulVAL: A logic-based network security analyzer Xinming Ou, Sudhakar Govindavajhala, and Andrew W. Appel Princeton University Outline Introduction Representation Vulnerability

268 views • 23 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 3 Network Protocol Attacks Roadmap Network security The basic objectives: CIA

1.68k views • 39 slides
Feedback in workplace-based assessment Introduction to workplace-based assessment What is

Feedback in workplace-based assessment Introduction to workplace-based assessment What is

Multisource Feedback in workplace-based assessment Introduction to workplace-based assessment What is workplace-based assessment? Workplace-based assessment (WBA) is assessment conducted in the context of a doctors everyday work.

535 views • 38 slides
CyPSA: Cyber-Physical Security Assessment Project Information Team members Based on

CyPSA: Cyber-Physical Security Assessment Project Information Team members Based on

CyPSA: Cyber-Physical Security Assessment Project Information Team members Based on two papers under TCIPG UIUC : David Nicol, Pete Sauer, Kate Davis, Edmond Rogers, Robin Berthier, Olivier Soubigou, Gabe Weaver. Zonouz,

572 views • 18 slides
Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J.

Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J.

Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Hands-On Network Security Module 3 Network Protocol Attacks Roadmap Network security The

502 views • 39 slides
Experimentation with network-based security mechanisms GENI Security Workshop UC Davis G.

Experimentation with network-based security mechanisms GENI Security Workshop UC Davis G.

Experimentation with network-based security mechanisms GENI Security Workshop UC Davis G. Kesidis January 22-23, 2009 EE and CSE Depts Penn State kesidis@engr.psu.edu . George Kesidis, Penn State University GENI Security Workshop 01/22/09

277 views • 12 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J Lecture #2 Aug 25 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Economist Survey Please read it Main points Security is a MUCH

600 views • 27 slides
TCP/IP: ICMP, UDP Network Security Lecture 5 Recap and overview Looking at security of

TCP/IP: ICMP, UDP Network Security Lecture 5 Recap and overview Looking at security of

TCP/IP: ICMP, UDP Network Security Lecture 5 Recap and overview Looking at security of TCP/IP IP, Ethernet, ARP Sniffing the network and forging packets tcpdump, wireshark Today: ICMP and UDP Eike Ritter Network Security -

881 views • 38 slides
Security Assessment Technique for SDN greenkim@konkuk.ac.kr Contents 1.

Security Assessment Technique for SDN greenkim@konkuk.ac.kr Contents 1.

Security Assessment Technique for SDN greenkim@konkuk.ac.kr Contents 1. Introduction 2. Security Analyses of SDN 3. Security Assessment Technique for SDN 3.1 Taxonomy of issues 3.2 Assessment technique 4. Case study of IMECA

223 views • 19 slides

More recommend