Hands on SDN and BRO

Transcription

1 Hands on SDN and BRO Malware Research Conference 2016 Ian Welch, School of Engineering and Computer Science Victoria University of Wellington 11th July 2016

2 Who am I? Lecturer at Victoria University of Wellington Victoria University

3 Who am I Drive-by-download detection & javascript deobfuscation (unpacking?) Machine learning applied to malware detection A new project called trusting strangers... Teach cloud computing, programming and a general security course

4 Motivation Not everyone has a big security team. Might be one security person/system admin/developer They don't want to be woken at 2am when the IDS goes off. Could it be possible to buy some more time to allow later response?

5 DIY Solution Net Control Framework

6 Bro-IDS Domain specific programming language Network Traffic Event driven programming model Protocol Parsing Built in protocol parsing Low level context free events Scalable deployment model Scripting Language Work here!

7 Active Response Bro is passive, how implement active response? Place it in-line Performance costs Reliability Control channel from IDS to gateway Tied to network configuration Ad-hoc solution

8 Netcontrol Developed in 2015 by Johanna Amann (Berkley) Generic framework for control channels to variety of network devices Based on traffic observed by Bro Simple to use by flexible API including high-level commands

9 High-level commands Dynamically block/allow addresses. Flow shunt large data transfers (GridFTP). Quarantine hosts from each other and direct all web requests to a you have been compromised site.

10 Architecture port mirroring active response

11 Architecture port mirroring Current backends Command line applications Iptables Bro packet filter Openflow

12 Openflow Open Specification for protocol between control and forwarding layers of a software defined network Allows Software to insert rules into switch flow tables Match (and change) characteristics like IPv4/6 addresses, ports, etc. Vlans

13 Netcontrol & Openflow

14 Problems Can we use current system out of the box? #1 Ryu simple switch is too simple: Layer 2 learning Not tested operationally #2 Quarantine is too heavy handed: Stops any communication. Obvious to the attacker.

15 Problem #1: Use Faucet Layer 2 switching with vlans, ACLs, port mirroring, static routing Small enterprise, focus on easy deployability Focus on testability (unit tests) Deployed by ONF Menlo Park, REANNZ and VUW

16 #1 Hardware Support Open vswitch v Open source available at Lagopus OpenFlow Switch - Open source available at Allied Telesis x510 and x930 series NoviFlow 1248 Northbound Networks Zodiac FX Aruba 3810

17 Waikato, REANNZ, ONF, Anarchkiwi and VUW

18

19 #1 Solution Faucet has a different table structure Implement a OpenFlow module aware of structure Integrate port mirroring into Faucet (redefine at runtime to redirect flows) VLAN ACL ETH SRC ETH DST FLOOD

20 #2 Enhanced NetControl Quarantine is black and white. What if we want to capture malware traffic? What if behavioural based and might be false positive? Allow device to keep functioning but limit outgoing traffic while storing it for later analysis?

21 #2 Solution Extend NetControl functions. Add observe and delay functions. Implement observe by mirroring to storage. Delay implemented using QoS support in switches (maybe?).

22 Where from here? We have a roadmap established. Port mirroring implemented (June). Aim to have integration with Faucet complete by end of December. Will be eating own dog food throughout as my own office runs off Faucet.

23 Links

24 Example Table MAC src Switch Port MAC dst Eth type 00:1f:.. port3 00: :1f VLAN ID IP Src IP Dst IP Prot vlan TCP sport TCP dport port6 80 port6 22 drop More exact matches have priority. Table miss sends packet to controller over secure TLS connection. Table entries have idle and hard timeouts. O-65,535 seconds (0 = no timeouts). Action

25 OpenFlow Switch Performs packet lookup and forwarding Flow 1. Rule (exact & wildcard) Action Statistics Flow 2. Rule (exact & wildcard) Action Statistics Flow 3. Rule (exact & wildcard) Action Statistics Flow N. Rule (exact & wildcard) Default Action Statistics Figures from Chao HC & Y. Liang with permissions.

26 Flow Entry (OF 1.x) A flow entry consists of Match fields Match against packets Action Modify the action set or pipeline processing Stats Update the matching packets In Port Src MAC Dst MAC Eth Type Layer 2 1.Forward packet to port(s) 2.Encapsulate and forward to controller 3.Drop packet 4.Send to normal processing pipeline 5.Modify MAC and IP addresses Vlan Id IP Tos 1. Packet 2. Byte counters Match Fields IP Proto IP Src Layer 3 Action IP Dst TCP Src Port Stats TCP Dst Port Layer 4 Figures from Chao HC & Y. Liang with permissions.

27 Traditional network node: Router Changing protocols is hard, monolithic implementation, vendor specific protocols Adjacent Router Router Management/Policy plane Configuration / CLI / GUI Adjacent Router Routing Control plane Control plane OSPF OSPF Neighbor table Switching Data plane Static routes Data plane Link state database s OSPF IP routing table Forwarding table Shamelessly copied from ONF, J Rexford and Chao HC with permissions. Data plane

28 Software Defined Networking Applications deal with abstract logically centralised network view Decides where packets should be forwarded Data plane does forwarding and metering Figure from ONF White Paper: Software Defined Networking The New Norm for Networks (2011)