
OpenFlow Research on the Georgia Tech Campus Network

Russ Clark, Nick Feamster. Students: Yogesh Mundada, Hyojoon Kim, Ankur Nayak, Anirudh Ramachandran, Umayr Hassan.



  1. OpenFlow Research on the Georgia Tech Campus Network
  Russ Clark, Nick Feamster
  Students: Yogesh Mundada, Hyojoon Kim, Ankur Nayak, Anirudh Ramachandran, Umayr Hassan

  2. Summary of Research Projects
  • Campus Network Deployment
  • Resonance: Dynamic Access Control for Campus Networks
  • Pedigree: Traffic Tainting for Securing Enterprise Networks
  • Home Network Deployments
  • User-Proof Networking (with Prof. Keith Edwards)
  • Class Projects: Network Management/Network Security
    • OpenFlow Traffic Classification
    • SNMP MIB for OpenFlow
    • Home-Network Management using OpenFlow
    • OpenFlow for High Availability/Service Migration
    • OpenFlow and Virtualization
    • Access Control for Home Networks
    • Automated Intrusion Detection with OpenFlow

  3. Dynamic Access Control
  • Enterprise and campus networks are dynamic
    • Hosts continually coming and leaving
    • Hosts may become infected
  • Today, access control is static, and poorly integrated with the network layer itself
  • Resonance: Dynamic access control
    • Track state of each host on the network
    • Update forwarding state of switches per host as these states change

  4. Authentication at GT: “START”
  (Figure: New Host, Switch, VMPS and Web Portal; steps as numbered on the slide)
  1. New MAC Addr (seen at the switch)
  2. VQP (switch queries the VMPS)
  3. VLAN with Private IP
  4. Web Authentication (Web Portal)
  5. Authentication Result
  6. VLAN with Public IP
  7. REBOOT

  5. Problems with Current Approach
  • Access control is too coarse-grained
  • Static, inflexible and prone to misconfigurations
  • Need to rely on VLANs to isolate infected machines
  • Cannot dynamically remap hosts to different portions of the network
    • Needs a DHCP request, which for a Windows user would mean a reboot
  • Monitoring is not continuous
  Idea: Access control policies should reflect network dynamics.

  6. Resonance Approach
  • Step 1: Controller associates each host with generic states and security classes.
  • Step 2: Specify a state machine for moving machines from one state to the other.
  • Step 3: Control forwarding state in switches based on the current state of each host.

  7. Applying Resonance to START
  (Figure: host state machine) States: Registration, Authenticated, Operation, Quarantined. Transition labels: Successful Authentication, Failed Authentication, Clean after update, Still Infected after an update, Vulnerability detected, Infection removed or manually fixed.
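The three steps of slide 6 and the state machine of slide 7, as an added example in Python (not code from the slides or from the Resonance project). The controller keeps one security state per host, advances it with the slide's event labels, and derives per-host forwarding entries from that state. The edges in TRANSITIONS (the slide shows only state and event names), the per-state destination policy, the event names being delivered by some external monitor, and the in-memory flow table standing in for an OpenFlow switch are all assumptions of this example.

```python
# Added example (not from the slides or the Resonance project): Resonance-style
# dynamic access control, one security state per host, forwarding derived from it.
# Assumptions: the state-machine edges, the per-state POLICY, and a dict as switch.
from dataclasses import dataclass, field

REGISTRATION = "Registration"
AUTHENTICATED = "Authenticated"
OPERATION = "Operation"
QUARANTINED = "Quarantined"

# (current state, event) -> next state. Edges are an assumption drawn from the
# labels on slide 7; the slide itself does not spell out which state each joins.
TRANSITIONS = {
    (REGISTRATION, "Successful Authentication"): AUTHENTICATED,
    (REGISTRATION, "Failed Authentication"): REGISTRATION,
    (AUTHENTICATED, "Clean after update"): OPERATION,
    (AUTHENTICATED, "Still Infected after an update"): QUARANTINED,
    (OPERATION, "Vulnerability detected"): QUARANTINED,
    (QUARANTINED, "Infection removed or manually fixed"): REGISTRATION,
}

# Destinations a host may reach in each state ("any" = unrestricted). Illustrative.
POLICY = {
    REGISTRATION: {"dhcp", "dns", "web-portal"},
    AUTHENTICATED: {"dhcp", "dns", "web-portal", "update-server"},
    OPERATION: {"any"},
    QUARANTINED: {"dns", "web-portal", "remediation-server"},
}


@dataclass
class FlowEntry:
    src_mac: str
    dst: str
    action: str  # "forward" or "drop"


@dataclass
class ResonanceController:
    host_state: dict = field(default_factory=dict)  # src MAC -> state
    flow_table: dict = field(default_factory=dict)  # (src MAC, dst) -> FlowEntry

    def state_of(self, mac):
        # Step 1: a MAC seen for the first time is bound to the Registration state
        return self.host_state.setdefault(mac, REGISTRATION)

    def packet_in(self, mac, dst):
        # Step 3: the first packet of a flow reaches the controller; install a
        # per-host entry whose action follows the host's current state
        allowed = POLICY[self.state_of(mac)]
        action = "forward" if ("any" in allowed or dst in allowed) else "drop"
        self.flow_table[(mac, dst)] = FlowEntry(mac, dst, action)
        return action

    def event(self, mac, name):
        # Step 2: advance the host's state; a (state, event) pair with no edge is ignored
        state = self.state_of(mac)
        nxt = TRANSITIONS.get((state, name))
        if nxt is None:
            return state
        self.host_state[mac] = nxt
        # Forwarding state must track host state: evict this host's entries so its
        # next packet is re-evaluated under the new policy. No VLAN move, DHCP
        # request or reboot is needed on the host side.
        for key in [k for k in self.flow_table if k[0] == mac]:
            del self.flow_table[key]
        return nxt


def walkthrough():
    """Constructed trace: one host joins, authenticates, operates, is quarantined."""
    ctl = ResonanceController()
    mac = "00:16:3e:aa:bb:01"  # constructed MAC address
    trace = [ctl.packet_in(mac, "internet")]                 # Registration: drop
    ctl.event(mac, "Successful Authentication")
    ctl.event(mac, "Clean after update")
    trace.append(ctl.packet_in(mac, "internet"))             # Operation: forward
    ctl.event(mac, "Vulnerability detected")
    trace.append(ctl.packet_in(mac, "internet"))             # Quarantined: drop
    trace.append(ctl.packet_in(mac, "remediation-server"))   # Quarantined: forward
    return trace, ctl.host_state[mac]


if __name__ == "__main__":
    print(walkthrough())
```

Two points worth noticing in the walkthrough: the quarantine takes effect on the very next packet because the state change evicts the host's flow entries, which is what makes the "Cannot dynamically remap hosts" problem of slide 5 go away; and every decision is keyed on the source MAC, which is exactly the MAC address spoofing exposure slide 8 lists among the security challenges.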

  8. Challenges
  • Scale
    • How many forwarding entries per switch?
    • How much traffic at the controller?
  • Performance
    • Responsiveness
  • Security
    • MAC address spoofing
    • Securing the controller (and control framework)

  9. Enterprise Information Flow Control
  • Goal: Control how information flows between different hosts in the network
    • Control the spread of malware
    • Prevent data leaks
  • Challenges
    • Heterogeneous devices
    • Hosts may not be trusted
  • Solution: Pedigree
    • Classify traffic based on
      • What process generated the traffic
      • Where that process has taken inputs
    • Implement control policies in the network

  10. Pedigree Design
  • Trusted tagging component resides on host.
  • Traffic carries taints that reflect provenance of network traffic.
  • Switch one hop from hosts makes access control decisions.

  11. Current Function
  (Figure: host, first-hop switch, controller, Internet)
  1. Host sends a request over the control channel to open a flow, carrying its taint set.
  2. Traffic is diverted to the controller, which checks policy.
  3. Controller inserts a flowtable entry, if policy compliant.
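The Pedigree pipeline of slides 9 to 11 (host-side tainting by provenance, policy check at the first hop, flow entry inserted only if compliant), as an added example in Python that is not code from the slides or from the Pedigree project. The taint labels, the DENY rules, the request fields, the classification of destinations into "internal" and "internet", and the file-to-taint table standing in for the host's trusted tagging component are all assumptions of this example; the slides do not show Pedigree's tag format or policy language.

```python
# Added example (not from the slides or the Pedigree project): taint-based flow
# admission at a first-hop controller. Assumptions: labels, DENY rules, request
# fields, destination classes and the INPUT_TAINTS table standing in for the host tagger.
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRequest:
    src_mac: str
    dst: str            # destination host, or "internet" for off-site traffic
    process: str        # process that generated the traffic (reported by the host tagger)
    taints: frozenset   # provenance labels the process inherited from its inputs


# What the host-side tagger knows about each input a process may read (constructed).
INPUT_TAINTS = {
    "/srv/hr/payroll.csv": {"confidential"},
    "/home/alice/Downloads/invoice.exe": {"untrusted-download"},
    "/usr/share/doc/README": set(),
}

# (taint, destination class) pairs a single flow must never combine.
DENY = {
    ("confidential", "internet"),        # prevent data leaks
    ("untrusted-download", "internal"),  # contain malware spread
}


def taint_process(inputs):
    """Provenance rule: a process carries the union of the taints of what it has read.
    An input the tagger cannot classify is labelled rather than silently trusted."""
    taints = set()
    for path in inputs:
        taints |= INPUT_TAINTS.get(path, {"unknown-source"})
    return frozenset(taints)


def dest_class(dst):
    return "internet" if dst == "internet" else "internal"


def violations(req):
    cls = dest_class(req.dst)
    return sorted(t for t in req.taints if (t, cls) in DENY)


class FirstHopController:
    def __init__(self):
        self.flow_table = {}  # (src_mac, dst) -> "forward" | "drop"

    def open_flow(self, req):
        # Steps 2-3 of the figure: the request is diverted here; a compliant flow
        # gets a forwarding entry, a violating one an explicit drop entry so that
        # later packets of the same flow never come back to the controller.
        bad = violations(req)
        self.flow_table[(req.src_mac, req.dst)] = "drop" if bad else "forward"
        return ("deny", bad) if bad else ("allow", [])


def walkthrough():
    """Constructed requests from one host, in the order the controller sees them."""
    ctl = FirstHopController()
    mac = "00:16:3e:aa:bb:02"  # constructed MAC address
    results = []
    # A spreadsheet that read payroll data tries to upload to the Internet
    r1 = FlowRequest(mac, "internet", "libreoffice", taint_process(["/srv/hr/payroll.csv"]))
    results.append(ctl.open_flow(r1))
    # The same process talking to an internal server carries no denied pair
    r2 = FlowRequest(mac, "10.1.2.3", "libreoffice", r1.taints)
    results.append(ctl.open_flow(r2))
    # A process spawned from a downloaded binary tries to reach the internal server
    r3 = FlowRequest(mac, "10.1.2.3", "invoice.exe",
                     taint_process(["/home/alice/Downloads/invoice.exe"]))
    results.append(ctl.open_flow(r3))
    return results


if __name__ == "__main__":
    for r in walkthrough():
        print(r)
```

The decision in open_flow is only as good as the taint set the host reports, which is why slide 10 places the tagging component inside the host's trusted base and slide 9 lists "Hosts may not be trusted" as the challenge: a host that can forge or strip its own taints defeats the switch-side check.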
