
SDN-based Network Access Control Management in IHEP

This paper discusses the implementation of SDN in the network environment of IHEP, including network access control and network security. It also presents the current wired and wireless network topology and proposes a new architecture for network access control management.



Presentation Transcript


  1. Applications of SDN in IHEP network environment
     Zhihui Sun, Fazhi Qi, Tao Cui (sunzh@ihep.ac.cn)
     4-4-2019, International Symposium on Grids & Clouds 2019

  2. Agenda
     • IHEP campus network
     • SDN @ network access control management in IHEP
     • SDN @ network security in IHEP
     • Summary

  3. IHEP campus network
     • Network topology
     • The wired network and the wireless network are independent of each other and are connected through an interconnection switch. This gives clear physical and functional separation, so we can easily manage and monitor network status and traffic
     • Both the wired network and the wireless network support IPv4/IPv6
     • The LHCONE configuration is complete

  4. IHEP campus network - Wireless Network Access Control management
     • Wireless Network Access Control
     • We have designed a solution for our wireless network based on our network access control system (http://network.ihep.ac.cn, a self-developed system), an AC (Access Controller), DHCP and FreeRADIUS
     • It works well, and users can easily access our wireless network
     • Implemented unified access control management of the wireless network across campuses (Beijing campus, Dongguan campus) by data sharing
     • Developed a conference QR code function that users can scan to access the IHEP wireless network
     [Figure labels: Beijing campus, Dongguan campus, CSNS, BEPCII, JUNO, BESIII; Conference network access code; Wireless Network Access Control; Cross-regional Wireless Network Access Control Management]

  5. IHEP campus network - Wired Network Access Control management
     • Current architecture
     • We are still using a static control strategy based on device MAC, device IP and the corresponding switch IP, switch port and VLAN ID to manage our wired network access
     • These strategies must be written into the access switch before users can use the IHEP wired network
     • Inconveniences
     • The current strategy needs a network admin to assign the IP address manually
     • Users need to configure the IP address on their network devices
     • It is inconvenient for users to access our wired network
     [Figure labels: Wired Network Access Control; JUNO, BESIII, HEPS]

  6. IHEP campus network - Wired Network Access Control management
     • Wanted architecture
     • We want automatic IP address allocation for the wired network, so users no longer need to pay attention to IP addresses
     • We want to keep the control strategy of 5 key attributes (device MAC address, device IP address, corresponding switch IP, switch port and VLAN ID), so it can avoid confusing access to our wired network
     • We need whitelist users who can access the wired network from any port; this function is only for network admins to use
     • The final purpose is to provide users with a self-service and convenient wired network access service
     • We need to design a new network access control architecture for the wired network
     [Figure labels: JUNO, HEPS]

  7. SDN @ network access control management in IHEP

  8. SDN @ network access control management in IHEP
     • New solution based on SDN architecture
     • Use the standard SDN architecture, which contains an Application Plane, a Control Plane and a Data Plane
     • Northbound interface: REST API
     • Southbound interface: OpenFlow / NETCONF

  9. SDN @ network access control management in IHEP
     • New solution based on SDN architecture
     • DHCP provides dynamic address allocation for IPv4 or IPv6
     • SDN Controller (Agile Controller, provided by HUAWEI)
       • keeps our control strategy: 5 key attributes for access devices (Device MAC, Device IP, Switch IP, Switch port, VLAN ID)
       • uses RADIUS to provide access authentication for devices
       • provides more automatic network management
     • User access control system (self-developed system), provides user and device information management

  10. SDN @ network access control management in IHEP
     • Access control process
     • We implement wired network access control management based on a DHCP server, the User Access Control System and the SDN Controller
     [Figure labels: Device IP, Device MAC, Switch IP, Switch port, VLAN ID]
     • Network access process
       1-2. When your device connects to the IHEP wired network, the DHCP server assigns IPv4 and IPv6 addresses to your device
       3. Your network access request is sent to the SDN controller for verification; if it matches, it passes authentication
       4. If it does not match, your request is redirected to our user access control system, which asks you to register
       5. You then input your personal information
       6-7. The user access control system gets your device MAC and the corresponding switch IP, switch port and VLAN ID from the DHCP server
       8. When you complete registration, your IP, MAC, switch IP, switch port and VLAN ID are written to the controller, and your device then passes network authentication

  11. SDN @ network access control management in IHEP
     • Test-bed and result
     • We built a test-bed last month
     • SDN controller (HUAWEI Agile Controller), DHCP (Infoblox)
     • The access control test results are in line with our expectations
     • The whitelist test results also satisfy our requirements
     [Figure labels: REST API; Device MAC, Switch IP, Device IP, Switch port, VLAN ID]

  12. SDN @ network access control management in IHEP
     • Test-bed and result
     • Northbound interface test: add an account to the SDN controller
     [Figure label: Added successfully]

  13. SDN @ network access control management in IHEP
     • Test-bed and result
     • Northbound interface test: delete the account
     [Figure label: Deleted successfully]

  14. SDN @ network access control management in IHEP
     • Test-bed and result
     • Northbound interface test: modify the binding port of an account
     [Figure label: Modified successfully]
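The access process of slide 10 and the northbound add/delete/modify tests of slides 12-14 can be modelled as one small state machine. The block below is an added example written for this page; it is not IHEP's user access control system nor the HUAWEI Agile Controller API. Class and method names (`Controller`, `add_account`, `modify_binding_port`, `authorize`) and the MAC/IP/port values are constructed stand-ins, and the RADIUS exchange the real controller performs is abstracted into the `authorize` decision.

```python
"""Model of the 5-attribute wired access control flow (constructed example).

The controller keeps one binding per device MAC holding the 5 key attributes.
A device is admitted only when the attributes observed via DHCP match the
stored binding exactly; otherwise it is redirected to the registration
portal. Whitelisted MACs (admin-only) are admitted from any switch port.
"""
from dataclasses import dataclass
from enum import Enum


@dataclass(frozen=True)
class Binding:
    """The 5 key attributes the controller keeps per registered device."""
    device_mac: str
    device_ip: str
    switch_ip: str
    switch_port: str
    vlan_id: int


class Decision(Enum):
    ALLOW = "allow"                       # step 3: attributes match, authentication passes
    REDIRECT_REGISTRATION = "redirect"    # step 4: no or mismatched binding, go to self-service portal


class Controller:
    """Hypothetical stand-in for the controller's northbound account API."""

    def __init__(self) -> None:
        self._bindings: dict[str, Binding] = {}   # keyed by device MAC
        self._whitelist: set[str] = set()         # MACs allowed from any port (admin use only)

    # Northbound operations mirrored from the slide 12-14 tests
    def add_account(self, b: Binding) -> bool:
        if b.device_mac in self._bindings:
            return False                          # refuse silent overwrite of an existing binding
        self._bindings[b.device_mac] = b
        return True

    def delete_account(self, mac: str) -> bool:
        return self._bindings.pop(mac, None) is not None

    def modify_binding_port(self, mac: str, switch_ip: str, switch_port: str) -> bool:
        old = self._bindings.get(mac)
        if old is None:
            return False
        self._bindings[mac] = Binding(old.device_mac, old.device_ip, switch_ip, switch_port, old.vlan_id)
        return True

    def add_whitelist(self, mac: str) -> None:
        self._whitelist.add(mac)

    # Steps 3-4 of the access process
    def authorize(self, observed: Binding) -> Decision:
        if observed.device_mac in self._whitelist:
            return Decision.ALLOW
        stored = self._bindings.get(observed.device_mac)
        if stored is None or stored != observed:  # all five attributes must match
            return Decision.REDIRECT_REGISTRATION
        return Decision.ALLOW


def register_and_retry(ctrl: Controller, observed: Binding) -> Decision:
    """Steps 5-8: registration writes the DHCP-observed attributes to the controller, then retries."""
    ctrl.add_account(observed)
    return ctrl.authorize(observed)


def run_scenario() -> dict:
    """Walk one device through the process; all values are constructed sample data."""
    ctrl = Controller()
    dev = Binding("aa:bb:cc:dd:ee:01", "192.0.2.10", "192.0.2.1", "GE1/0/5", 100)
    out = {}
    out["first_connect"] = ctrl.authorize(dev).value                 # unknown device -> redirect
    out["after_registration"] = register_and_retry(ctrl, dev).value  # binding written -> allow
    moved = Binding(dev.device_mac, dev.device_ip, dev.switch_ip, "GE1/0/9", dev.vlan_id)
    out["moved_port"] = ctrl.authorize(moved).value                  # port mismatch -> redirect
    out["modify_ok"] = ctrl.modify_binding_port(dev.device_mac, dev.switch_ip, "GE1/0/9")
    out["after_modify"] = ctrl.authorize(moved).value                # admin updated binding -> allow
    admin = Binding("aa:bb:cc:dd:ee:ff", "192.0.2.20", "192.0.2.2", "GE1/0/1", 200)
    ctrl.add_whitelist(admin.device_mac)
    out["whitelist_any_port"] = ctrl.authorize(admin).value          # no binding needed -> allow
    out["delete_ok"] = ctrl.delete_account(dev.device_mac)
    out["after_delete"] = ctrl.authorize(moved).value                # binding gone -> redirect
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The exact-match rule is what makes the "moved_port" case fail closed: a registered device plugged into a different port is treated the same as an unregistered one until an admin updates the binding, which is the behaviour the 5-attribute strategy is meant to enforce.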

  15. SDN @ network access control management in IHEP
     • Future plan
     • We will develop and upgrade our user access control system using the northbound interface
     • We will also complete wired network access control management based on the SDN architecture in the next 3 months
     • We also plan to replace the old network equipment step by step

  16. SDN @ network security in IHEP

  17. SDN @ network security in IHEP
     • Network security challenges in the Computing/Data Center
     • Network security devices may become the bottleneck of network data exchange
     • Many network security devices need to be deployed at the network exit, such as IDP (Intrusion Detection & Prevention System), WAF (Web Application Firewall) and VPN (Virtual Private Network), and this makes the network security policies very complex
     • Service chain adjustment is also complex; most of the time we need to adjust the network topology and reconfigure the network

  18. SDN @ network security in IHEP
     • Thoughts
     • We want simple security policy adjustment for network security devices, and we do not want to adjust the network topology often
     • We also want to reduce the serial (inline) connection of network security devices; most of them should be connected to the network in bypass mode
     • We also want to reduce the traffic pressure on network security devices
     • Plan
     • Minimize the impact on the existing network
     • Our plan is divided into two steps

  19. SDN @ network security in IHEP
     • Step 1
     • We use an SDN switch as a traffic aggregation node and verify our thoughts about network security based on the SDN architecture
     • We set filtering rules in the controller to steer network traffic into the network security node we defined earlier
     • We also set service chain rules in the controller to steer network traffic through different network security nodes in order
     • We built a test-bed and used DELL devices for testing
     [Figure label: Stage 1]

  20. SDN @ network security in IHEP
     • Test-bed and result
     [Figure labels: Create a rule; 2 SDN switches]

  21. SDN @ network security in IHEP
     • Test-bed and result
     • We create a rule to filter UDP traffic and define the input port and output port
     • The test results are in line with our expectations
     [Figure labels: UDP, Input port, Output port]
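The step-1 design of slides 19-21 (controller-installed filtering rules plus an ordered service chain on an aggregation switch) is modelled below. This is an added example for this page, not the test-bed's actual rules and not the DELL switch or HUAWEI controller API: the rule fields, priorities, port numbers and node names (`IDP`, `WAF`) are constructed, and the detour through a security node and back is abstracted into an ordered `chain` attribute on the rule rather than the extra flow entries a real switch would need.

```python
"""Constructed model of the step-1 design: an SDN switch aggregates traffic,
and controller-installed rules (a) filter matching flows into a security node
and (b) define the order of security nodes in a service chain.
"""
from dataclasses import dataclass
from typing import Optional

UDP, TCP = 17, 6  # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    in_port: int
    ip_proto: int


@dataclass(frozen=True)
class FlowRule:
    """OpenFlow-like rule: match fields (None = wildcard), output port, ordered chain."""
    priority: int
    out_port: int
    in_port: Optional[int] = None
    ip_proto: Optional[int] = None
    chain: tuple = ()   # security nodes this flow must traverse, in order

    def matches(self, p: Packet) -> bool:
        return ((self.in_port is None or self.in_port == p.in_port)
                and (self.ip_proto is None or self.ip_proto == p.ip_proto))


class FlowTable:
    """Flow table of the aggregation switch; highest priority rule wins."""

    def __init__(self, default_out: int) -> None:
        self.rules: list[FlowRule] = []
        self.default_out = default_out

    def install(self, r: FlowRule) -> None:
        self.rules.append(r)
        self.rules.sort(key=lambda rule: -rule.priority)

    def lookup(self, p: Packet) -> FlowRule:
        for r in self.rules:
            if r.matches(p):
                return r
        # table miss: forward normally with no security node in the path
        return FlowRule(priority=0, out_port=self.default_out)


def forward(table: FlowTable, p: Packet) -> dict:
    """Return the ordered security nodes a packet visits and its final output port."""
    r = table.lookup(p)
    return {"chain": list(r.chain), "out_port": r.out_port}


def build_step1_table() -> FlowTable:
    """Constructed rule set: port 1 = uplink in, port 2 = server side."""
    t = FlowTable(default_out=2)
    # Slide 21: filter UDP traffic arriving on port 1 into the IDP node, then out port 2
    t.install(FlowRule(priority=100, in_port=1, ip_proto=UDP, out_port=2, chain=("IDP",)))
    # Service chain rule: TCP from port 1 goes through WAF and then IDP, in that order
    t.install(FlowRule(priority=90, in_port=1, ip_proto=TCP, out_port=2, chain=("WAF", "IDP")))
    return t


if __name__ == "__main__":
    t = build_step1_table()
    for pkt in (Packet(1, UDP), Packet(1, TCP), Packet(3, UDP)):
        print(pkt, "->", forward(t, pkt))
```

Because the default (table-miss) action forwards with an empty chain, any traffic the controller has not classified bypasses the security nodes. Whether that fail-open behaviour is acceptable is the key policy question when moving devices from inline to bypass, and it is the case to test explicitly on the test-bed.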

  22. SDN @ network security in IHEP
     • Step 2
     • We want the SDN switch to act as a gateway, with the firewalls connected to the SDN switch in bypass mode
     • Current status: we have designed the architecture
     • Plan
     • We plan to deploy the second-step test-bed in the coming two months
     • Evaluate the function and performance of the bypass firewall solution
     [Figure label: Stage 2]

  23. Summary
     • Our wired network and wireless network are independent of each other and are connected through an interconnection switch
     • We implemented unified management of the wireless network across campuses, and it works well
     • We have designed the solution for wired network access control management based on the SDN architecture, and the test-bed results are very successful
     • The architecture of SDN @ network security in IHEP has been designed, and the test-bed results are in line with our expectations

  24. Thanks for your attention!
