Securing Local Area Network with OpenFlow

Academic year: 2021

(1)

Master’s Thesis Presentation

Fahad B. H. Chowdhury

Supervisor: Professor Jukka Manner

Advisor: Timo Kiravuo

Department of Communications and Networking

(2)

Outline

- Background

- Methodology

- Example Test Scenario

- Results

- Shortcoming of the firewall

- Future Work

(3)

1. Background

- Limitations of traditional network

- Software Defined Networking (SDN)

- OpenFlow

- Network Security of OpenFlow

- Firewall

(4)

Limitations of traditional network

- The dynamic character of the modern network environment is in sharp contrast to the static traditional network architecture.

→ Rapid increase of mobile devices and content, server virtualization and use of cloud services.

→ In conventional network switches, the control logic for each switch is co-located with the switching logic.

- The task of operation and maintenance is tedious.

→ The network devices grow to meet the requirements.

→ Each network device needs to be configured individually using low-level, vendor-specific commands.

→ To implement a network-wide policy, a large number of devices need to be configured, which is time-consuming and inefficient.

(5)

Software Defined Networking (SDN)

[Figure: traditional switches and routers (control decisions and forwarding hardware inside each device) compared with the SDN architecture (applications, SDN controller, standard interface, network devices with forwarding hardware)]

Traditional switches and routers

- Both forwarding and control functions reside in network devices

SDN Architecture

- Decouples control decisions from forwarding plane

- Logically centralized controller

- Distributed forwarding hardware

(6)

Software Defined Network Architecture

- The centralized controller has the network intelligence and a global view of the network

- The network devices only have to accept instructions from the controller

- The entire network can be managed by programming the controller

(7)

OpenFlow

- The first standard of SDN architecture.

- OpenFlow is a protocol between SDN controllers and network devices, and also a specification of the logical structure of the network switch functions.

- The majority of Ethernet switches and routers have flow tables.

- Although different vendors have different flow tables, there is a common set of functionalities in the switches and routers which OpenFlow exploits.

- By programming the flow table, OpenFlow can add, remove or update flow entries and thus control the flow of traffic in the network.

(8)

Flow Table Entry

Matching Fields: Switch port, MAC src, MAC dst, Eth type, VLAN ID, IP src, IP dst, IP proto, TCP src port, TCP dst port

Action:

‐ Forward packet to port(s)

‐ Encapsulate and forward to controller

‐ Drop packet

‐ Send to normal processing pipeline

‐ Customized action

Stats: Packet counters, byte counters

- Each flow table entry contains a set of rules (e.g. IP src) to match and an action list (e.g. forward to port) to be executed in case of a match

(9)

OpenFlow Switch

An OpenFlow switch consists of:

1. Flow tables and group tables:

- Packet look-up and forwarding

2. OpenFlow channel:

- Connects the switch to the controller, to facilitate the exchange of packets and commands

3. OpenFlow protocol:

- Standard means of communication between the switch and the controller

(10)

Network Security with OpenFlow

Security Challenge:

- The centralized OpenFlow controller is an ideal target to gain unauthorized access to the network and for exploitation.

Enhancing Security:

- The programmability of the controller also provides means to enhance security.

- Network traffic data can be analyzed to identify irregularities and security threats, and security policies can be established by the OpenFlow controller.

- Thus, a firewall or intrusion detection system (IDS) can be included in the network using OpenFlow.

(11)

Firewall

→ May consist of software programs, hardware devices or a combination of both.

→ A firewall prevents unauthorized network access and protects the network from the hazardous outside environment.

→ It controls the flow of traffic between network segments based on predefined security rules.

(12)

2. Methodology

- Virtualized Environment

- Designed Firewall Functionality

- Flow chart of the Designed Firewall

(13)

Virtualized Environment

Mininet

- Network emulator that mimics the properties and functionalities of an actual network

- A network with 4 hosts connected to an OpenFlow switch is created

- Possible to connect an external controller

(14)

POX Controller

- Python based controller

- Controls and communicates with all the network devices

- Responsible for all network operations

[Figure: Virtualized network]

(15)

Designed Firewall Functionality

→ It installs rules in the flow table of the OpenFlow switch to allow or block traffic.

→ The rules are based upon predefined port numbers, MAC addresses and IP addresses.

Flow table rule                          Action                 Priority

Src IP = 10.0.0.1                        Drop packets           100

Src IP = 10.0.0.1 & Dst IP = 10.0.0.2    Allow                  200

Port number = 80                         Drop packets           50

Src IP = 10.0.0.2 & Dst IP = 10.0.0.1    Forward to 10.0.0.3    250

Dst MAC = 00:00:00:00:00:04              Drop packets           100

Src IP = 10.0.0.1 & TCP port = 80        Allow                  500

Example of predefined rules

(16)

[Figure: Flow-chart of the Designed Firewall]

(17)

3. Example Test Scenario

Firewall predefined rules (rows: source host, columns: destination host)

            10.0.0.1   10.0.0.2   10.0.0.3   10.0.0.4

10.0.0.1    X          Block      Allow      Allow

10.0.0.2    Block      X          Allow      Allow

10.0.0.3    Allow      Allow      X          Allow

10.0.0.4    Allow      Allow      Allow      X

- Block all traffic between host-1 and host-2

- Allow the rest of the hosts to communicate

(18)

[Figure: Host-1, Host-2, Host-3 and Host-4 connected to the OF switch, which is connected to the POX controller. The switch checks the flow table for rules and sends a Packet-In message to the controller]

(19)

[Figure: same topology, Packet-In and Flow Add messages. The POX controller checks the predefined firewall rules and finds out that communication between host 1 & 2 is not allowed]

(20)

[Figure: same topology, Packet-In and Flow Add messages. The POX controller installs a flow rule to drop all packets between host 1 & 2, and drops the packet]

Flow table rules                         Action

Src IP = 10.0.0.1 & Dst IP = 10.0.0.2    Drop packets

Src IP = 10.0.0.2 & Dst IP = 10.0.0.1    Drop packets
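As an added illustration (not the thesis's own POX code), the Python model below reproduces the rule lookup of the predefined-rules table on slide 15, resolving overlapping rules by priority, and the Packet-In handling of slides 18 to 20, where a blocked host pair gets a drop entry in both directions. The packet representation, the sample packets and the default-allow treatment of unmatched packets are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Packet = Dict[str, object]  # header fields of a Packet-In: src_ip, dst_ip, dst_mac, tcp_port ...

@dataclass
class Rule:
    match: Dict[str, object]  # subset of header fields that must all be equal
    action: str               # "allow", "drop" or "forward:<ip>"
    priority: int             # higher wins when several rules match

# Rule set taken from the deck's "Example of predefined Rules" table.
EXAMPLE_RULES: List[Rule] = [
    Rule({"src_ip": "10.0.0.1"}, "drop", 100),
    Rule({"src_ip": "10.0.0.1", "dst_ip": "10.0.0.2"}, "allow", 200),
    Rule({"tcp_port": 80}, "drop", 50),
    Rule({"src_ip": "10.0.0.2", "dst_ip": "10.0.0.1"}, "forward:10.0.0.3", 250),
    Rule({"dst_mac": "00:00:00:00:00:04"}, "drop", 100),
    Rule({"src_ip": "10.0.0.1", "tcp_port": 80}, "allow", 500),
]

def decide(packet: Packet, rules: List[Rule]) -> Tuple[str, Optional[Rule]]:
    """Pick the highest-priority rule whose match fields all equal the packet's.
    Assumption (not stated on the slides): an unmatched packet is allowed."""
    hits = [r for r in rules if all(packet.get(k) == v for k, v in r.match.items())]
    if not hits:
        return "allow", None
    best = max(hits, key=lambda r: r.priority)
    return best.action, best

def handle_packet_in(packet: Packet, flow_table: List[dict], rules: List[Rule]) -> str:
    """Model of the controller's Packet-In handling (slides 18-20): decide once,
    then install flow entries so later packets of the flow stay in the switch."""
    action, rule = decide(packet, rules)
    match = dict(rule.match) if rule else {"src_ip": packet["src_ip"], "dst_ip": packet["dst_ip"]}
    flow_table.append({"match": match, "action": action})
    # Slide 20: a blocked host pair gets a drop entry in both directions.
    if action == "drop" and {"src_ip", "dst_ip"} <= set(match):
        reverse = {"src_ip": match["dst_ip"], "dst_ip": match["src_ip"]}
        flow_table.append({"match": reverse, "action": "drop"})
    return action

# Scenario of slides 17-20: block all traffic between host-1 and host-2.
SCENARIO_RULES: List[Rule] = [Rule({"src_ip": "10.0.0.1", "dst_ip": "10.0.0.2"}, "drop", 100)]

if __name__ == "__main__":
    table: List[dict] = []
    first = {"src_ip": "10.0.0.1", "dst_ip": "10.0.0.2", "tcp_port": 22}  # constructed packet
    print(handle_packet_in(first, table, SCENARIO_RULES), table)
```

Note that with the slide-15 rule set, a host-1 packet to TCP port 80 is allowed (priority 500) even though two lower-priority rules would drop it, so rule priorities must be reviewed together, not one at a time.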

(21)

[Figure: Wireshark capture of the transmitted OpenFlow messages between the OF switch and the POX controller, with the four hosts attached to the switch; labelled messages: Packet-In Msg, Flow Add Msg, Conf Msg]

(22)

4. Results

The firewall successfully blocks traffic based on MAC addresses, IP addresses and port numbers.

The measured round trip time reveals that only the first packet of a flow takes a long time, and the remaining packets are routed quickly.

The bandwidth measurement test reveals that the active firewall offers similar bandwidth compared to an inactive firewall.

However, the bandwidth reduces drastically if all the packets are routed to the controller.

Although the firewall has been built and tested in a virtual environment, the test results illustrate the prospect of replacing a traditional firewall with an OpenFlow based firewall.

(23)

[Figure: Bandwidth Measurement Results]

(24)

5. Shortcomings of the Firewall

If the controller has to handle too many packets, it creates a bottleneck in the network.

The controller needs to be restarted every time for changed firewall policies to come into effect.

The firewall has been designed to control a single switch.

(25)

6. Future Work

The firewall can be modified to provide support for multiple switches.

The unique datapath identifier (dpid) can be used to distinguish switches.

The firewall capabilities could be extended to the application layer. For example, it can be modified to block traffic from all torrent applications.

By utilizing OpenFlow's traffic flow features, the switches can be monitored regularly to detect unusual flows, and thus prevent security attacks like denial-of-service.

It is possible to redirect the network traffic dynamically for analysis and create an intrusion detection system (IDS).

(26)

Questions

References
