230 likes | 244 Views
Explore a framework for security services using Software-Defined Networking (SDN) to address challenges in firewall management, cost, performance, and policies by introducing centralized solutions. Expectations include cost-effective, adaptive, and autonomous defense mechanisms.
E N D
The second International Workshop on Device Centric Cloud (DC2-2015) A Framework for Security Services based on Software-Defined Networking Jaehoon (Paul) Jeong1, Jihyeok Seo1,GeumhwanCho1, Hyoungshick Kim1, and Jung-Soo Park2 1Department of Computer Science and Engineering, SungkyunkwanUniversity, Korea (Republic of) {pauljeong, seojh43, geumhwan, hyoung}@skku.edu 2Elecronics and Telecommunications Research Institute, Korea (Republic of) pjs@etri.re.kr
Motivation • Legacy firewall • Inspects packets that attempts to cross a network boundary • Rejects any illegal packets • Incoming requests to open illegal TCP connections • Packets of other illegal types (e.g., UDP and ICMP) • IP datagrams with illegal IP addresses (or ports) • Provides security at the loss of flexibility and the cost of network administration
Contributions • Propose a framework for security services using Software-Defined Networking (SDN) • Discuss challenge issues and requirements for SDN • Introduce two representative security services • Centralized firewall system • Centralized DDoS-attack mitigation system
Challenges in firewall • Cost • The cost of adding firewalls to network resources is substantial • Performance • Firewalls are often slower than the link speed of their network interfaces • Management • Managing access control dynamically across hundreds of network elements is a challenge • Policy • It is difficult to describe what are permitted and denied flows within the specific organization • Packet-based access mechanism • Packet-based access mechanism is not enough in practice since the basis unit of access control is usually user or application (e.g., Skype connections for specific users are open)
Centralized network firewall Firewall add or delete rules Public network Private network • Firewall rules can be managed flexibly by a centralized server • SDN protocols can be used for a standard interface between firewall applications and switches
Expectations for SDN-based firewall - Cost • Ideally, one single firewall is enough Firewall application SDN Controller Enforces rules to each switch Switch1 Switch2 Switch3
Expectations for SDN-based firewall - Performance • Firewalls can adaptively be deployed depending on network conditions Firewall application SDN Controller Firewall is applied Switch2 Incoming packets Switch1 Switch3
Expectations for SDN-based firewall - Management Install new rules Switch1 Switch2 Switch3
Expectations for SDN-based firewall - Management • Firewall rules can dynamically be added with new attacks Firewall application SDN Controller Install new rules (e.g., droppackets with attack patterns) Switch1 Switch2 Switch3
Expectations for SDN-based firewall – Packet based access mechanism • Application level rules can be defined by software Firewall application SDN Controller Install new rules automatically Switch1 Switch2 Incoming packets Switch3
Objectives • Prompt reaction to new network attacks • SDN-based security services allow private networks to defend themselves against new sophisticated network attacks • Autonomous defense from network attacks • SDN-based security services identify the category of network attack (e.g., worms and DDoS attacks) • They take counteraction for the defense without the intervention of network administrators • Network-load-aware resource allocation • SDN-based security services measure the overhead of resources for security services • They dynamically select resources considering load balance for trading-off between the maximum network performance and security
Requirements Security Application (e.g., Firewall, DDoS-Attack Mitigation) Application Layer Application-Control Interface Application Support SDN Control Layer Orchestration Multi-Layer Management Functions Resource-Control Interface Abstraction Control Support Resource Layer Data Transport and Processing
Centralized firewall system for malware packets Firewall SDN Controller 1. Switch1 forwards an unknown flow’s packet to Firewall via SDN Controller. 2. Firewall investigates the packet. 1. Switch1 forwards an unknown flow’s packet to Firewall via SDN Controller. 2. Firewall investigates the packet. 3. Firewall regards it as a malware packet with suspicious patterns. 1. Switch1 forwards an unknown flow’s packet to Firewall via SDN Controller. Switch1 Switch2 Malware packet Switch3
Centralized firewall system for malware packets Firewall Report a dangerous packet to SDN Controller SDN Controller Install new rules (e.g., drop dangerous packets) Switch1 Switch2 Incoming packets Incoming packets The dangerous packets are dropped by switches Switch3
To prevent the unauthorized control of switches Security applications Malicious Controller SDN Controller Switch1 Switch2 Switch3
To prevent the unauthorized control of switches • We need to consider a proper key management for secure communication between them • We should establish a secure and authenticated channel between SDN controller and switches Security applications SDN Controller Key management Secure & authenticated channel Switch1 Switch2 Switch3
A single point of failure or Compromise A centralized server will suffer from a single point of failure or compromise Security applications SDN Controller SDN Controller Applications do not work Switch1 Switch2 Switch3
To support the SDN-based security services We need to consider changes in the existing SDN switches and protocols Security applications SDN Controller Deep Packet Inspection Switch1 Switch2 Incoming packets Switch3
A scalable architecture SDN seems a scalable architecture to provide centralized security services in theory Security applications SDN Controller . . . Switch1 Switch2 Switchn
Intelligence switches We should address scalability to support security services in an autonomous and scalable fashion Security applications SDN Controller Each switch drops the packet automatically based on flow table Switch1 Switch2 Passed packets without malware, DDoS attack Incoming packets with malware, DDoS attack Switch3
Conclusions • Proposed framework for security services based on SDN • Discussed challenge issues and requirements for SDN • As future work, • Develop proposed framework in Mininet emulator and OMNeT++ simulator • Investigate other security services • (e.g., encryption/decryption, junk mail filtering, and anti-spam service)