210 likes | 947 Views
OpenFlow based firewall with embedded IDS. Team Phoenix Savitha Raghunathan, Suraj Rao and Krishan Sharma. Group project Description. SNORT integration with Floodlight controller SNORT attack generation (ICMP rules with a given source ip as Anomaly) Integration with OVS switch in Mininet
E N D
OpenFlow based firewall with embedded IDS Team Phoenix Savitha Raghunathan, Suraj Rao and Krishan Sharma
Group project Description • SNORT integration with Floodlight controller • SNORT attack generation (ICMP rules with a given source ip as Anomaly) • Integration with OVS switch in Mininet • Automated intrusion prevention using OpenFlow network reconfiguration (Block port functionality)
Group project Description • Web GUI for the firewall administration • Viewing Network Topology • Network Reconfiguration / Firewall Rules functionality • Block Port • Redirect traffic • Model View Controller (MVC) framework for the application • Controller and Application Integration • Callback notification on successful updates
Group project Description • Decision Module Development • Heart of the application • Parses snort alert files • Makes connection with controller and updates firewall rules • Provides data interchange between controller and the application • Creates new flows and pushes to the floodlight controller using the REST api
Technical Details • Softwares & API Used • Mininet for the network Emulation • Jackson for Java to JSON interchange and vice versa • Putty for SSH to virtual machine • Xming server • Oracle VirtualBox • WinSCP • Snort for IDS
Technical Details • Softwares & API Used • Floodlight controller • Floodlight REST API • Eclipse IDE • Adobe Dreamweaver • Apache Tomcat application server • Microsoft Office- for reporting and presentation purposes
Technical Details • Network Topology • Requirements - SNORT IDS, Mininet
Technical Details • Open vSwitch (OVS) is the software version of the OpenFlow switch. In our scenario, OVS is implemented in the Mininet. • Snort agent is integrated with the OVS and is used to sniff at the dummy port dummy0. • This agent validates all the packets according to the snort rules database.
Technical Details contd. • The kind of attack generation used in our application is based on validating the IP as specified in the ICMP rules file for snort. • Snort Daemon writes to the log file on which the a watcher listener is listening. (Developed code). • This watcher service makes a call to the parsing function for decision module and snort alert file is passed to the decision module.
Technical Details contd. • Snort Alert message is parsed for the source IP address and a corresponding flow rule is generated by the decision module. • Decision module writes this flow rule into the controller using the REST API. • Controller then sends a packet to switch and the respective flow is pushed to the switch.
Technical Details contd. • Web application module is used to install firewall rules in the OpenFlow switch through controller. • User/Admin can view the network topology using interactive network visualization which also displays information like port, IP and MAC etc. • User/Admin can change network topology dynamically by blocking port in the switch or redirecting traffic.
Risks and Benefits • Novel aspects of this project: • Seamless integration of Snort and the OpenFlow controller • Snort in always on mode provides security • Network reconfigurations to provide security protection • Risks/challenges: • Customized attack generation –Averted using simple IP based rules files • Java web application deployment on GENI • Potential applications & benefits: • Good performance because of locality of snort • Providing security to SDN related research projects
Tasks Accomplished • Snort Integration with OpenFlow • Snort and controller communication module • Port mirroring using Switch Port Analyzer (SPAN) • Attack Generation (dummy attacks) • Operational on Mininet • Web User Interface
Tasks Accomplished • Interactive Network Visualization • Decision Module • Flow Rules update functionality • Decision Module to controller communication • Final Report
Conclusion & Future Scope • This project inherits the intrusion detection capability from Snort and flexible network reconfiguration from OpenFlow. • During implementation, we also discovered a scenario where we might need to add hosts and switches to the existing topology. • Developed a way to serialize Mininet object and partially solved the above issue.(Future)