The Finest Penetration Testing Framework for Software-Defined Networks
- Bartholomew Brooks
- 5 years ago
Transcription
1 The Finest Penetration Testing Framework for Software-Defined Networks Seungsoo Lee, Jinwoo Kim, Seungwon Woo and Seungwon Shin {lss365, jinwoo.kim, seungwonwoo,
2 About us
- Seungwon Shin: Associate Professor of EE dept. at KAIST; leading the Network and System Security Lab.
- Seungsoo Lee: PhD student at KAIST
- Jinwoo Kim: PhD student at KAIST
- Seungwon Woo: Master student at KAIST
3 Contents
1. Motivation of DELTA
2. Software-Defined Networking (SDN)
   - SDN & OpenFlow basics
   - Security of SDN
3. DELTA framework
   - Architecture
   - Attack case demonstrations
4. Final remarks
4 Motivation of DELTA
Why needed?
- Software-defined networks (SDN) are still prone to security threats
- We need to run security tests against our SDNs
- But manually testing each attack is a time-consuming and annoying job
DELTA can AUTOMATICALLY
- Construct an SDN security test environment
- (i) Reproduce the known attacks
- (ii) Find new attacks by randomizing SDN control flows (i.e., OpenFlow)
5 Limitations of Traditional Networks
- Expensive network/security devices (CAPEX)
- Increased complexity of network management (OPEX)
- Proprietary firmware
- Specialized hardware
- Complicated maintenance
- Manual configuration
6 Software-defined Networking (SDN)
- Separation & centralization of the control plane
- OpenFlow: a de-facto standard SDN protocol
[Figure: switches with their control plane and data plane, an SDN controller, and Host A, Host B and Host C]
7 SDN: New opportunities
- Flexible service customization: various network functions in SDN APPs (DHCP, Firewall, DDoS detector, etc.)
- Global network view
- Automated network management
- Global network view + SDN APPs = intelligent & innovative network/security services
- Global network view + APPs + Dynamic network control = PROGRAMMABLE NETWORK!!
[Figure: SDN controller with a global network view of switches SW1 to SW4 and hosts H-A, H-B, H-C, connected over OpenFlow to Host A, Host B and Host C]
8 OpenFlow
- A de-facto standard protocol in SDN
- Maintained by Open Networking Foundation
- Supported by 120+ industrial members
Version timeline
- OpenFlow 1.0 (Dec): single table, fixed 12 tuple match field
- OpenFlow 1.1 (Feb): multi-table, group-table
- OpenFlow 1.2 (Dec): role change, IPv6
- OpenFlow 1.3 (Apr): long term release (1.3.1, 1.3.2, ...), meters
- OpenFlow 1.4 (Aug): synchronized table, default port to 6653
- OpenFlow 1.5 (Jan): egress table, packet type aware pipeline
9 OpenFlow 1.0
- 22 message types, e.g., HELLO, PACKET_IN, FLOW_MOD
- OpenFlow structure (32 bits wide): version, type, length, xid (transaction identifier), body
- Flow table structure: header fields, actions and counters
  - Header fields (i.e., match fields): fixed 12 match fields: InPort, EthSrc, EthDst, EthType, VLANID, VLANPri, IPSrc, IPDst, IPProto, IPToS, TCP/UDP SrcPort, TCP/UDP DstPort
  - Actions: forward packet to controller or ports, drop packet, modify fields
  - Counters: per-table, per-flow, per-port and per-queue; packet counters and byte counters
  - If matched, perform actions and update counters
10 OpenFlow 1.0: Basic Operation
[Figure: SDN controller, an OpenFlow switch with Host A ( ) and Host B ( ), and the messages HELLO, PACKET_IN and FLOW_MOD exchanged while a packet (PKT) is forwarded]
- Flow table structure: Priority | Header fields (i.e., match fields: InPort, EthSrc, EthDst, EthType, VLANID, VLANPri, IPSrc, IPDst, IPProto, IPToS, TCP/UDP SrcPort, TCP/UDP DstPort) | Actions | Counters
- Example entry: Priority 10 | [InPort]: 1, [EthType]: 0x0800, [IPDst]: | Forward 2 | P: 1, 0, B: 64 0
11 OpenFlow 1.0 vs. OpenFlow 1.3
OpenFlow 1.0
- Released in Dec
- message types
- Single controller
- Single flow table
- Fixed 12 tuple match fields
OpenFlow 1.3
- Released in Apr
- message types
- Multiple controllers
- Multiple flow tables
- Extensible match (OXM)
- Group table
- Meter table
- Instruction (action set)
12 SDN adoption: Enterprise
Source: /deutsche-telekom-touts-benefits-software-based-ran
Source: att-to-join-verizon-in-working-with-kt-on-nfv-sdn-and-5g/2017/06/
13 SDN adoption: Military
14 But, what about SECURITY?
15 Attention to SECURITY has been growing!
[Chart: paper counts for the keywords "SDN & Security" (Google Scholar, scholar.google.com), with the value 9720 and the labels BlackHat USA 15 Briefing, BlackHat USA 16 Briefing, BlackHat USA 17 Briefing and BlackHat USA 17 Arsenal]
16 Attack Vectors in SDN architecture
[Figure: SDN controller (control plane), OpenFlow control channel, switches (data plane)]
17 Attack Examples
- Control plane (e.g., Packet-In Flooding attack)
- Control channel (e.g., Eavesdropping attack)
- Data plane (e.g., Flow Rule Flooding attack)
[Figure: SDN controller and switches SW1 to SW4 exchanging PACKET_IN and FLOW_MOD messages over OpenFlow]
18 SDN Vulnerability Genome Project [1]
- [A-1] Packet-In Flooding
- [A-2] Service Chain Interference
- [A-3] Internal Storage Manipulation
- [A-4] Control Message Manipulation
- [A-5] Control Message Abuse
- [A-6] Northbound API Abuse
- [A-7] Resource Exhaustion
- [A-8] System Variable Manipulation
- [A-9] System Command Execution
- [A-10] Network Topology Poisoning
- [B-1] Eavesdrop
- [B-2] Man-In-The-Middle
- [C-1] Flow Rule Flooding
- [C-2] Firmware Abuse
- [C-3] Control Message Manipulation
[Figure labels: Application Plane (Apps, Northbound API), Control Plane (Network Operating System, SDN Controller, Southbound API), Control Channel, Data Plane (Firmware, Flow Table, Software, Hardware)]
[1] Yoon, Changhoon, et al. "Flow wars: Systemizing the attack surface and defenses in software-defined networks." IEEE/ACM Transactions on Networking 6 (2017):
19 Network admin's concerns
Any more vulnerabilities?
20 Don't worry, run DELTA
DELTA: A Security Assessment Framework for SDN
- Automating a working process
- Finding new attacks
- Supporting diverse SDN components
- Covering many attack cases
21 DELTA: System Design
[Figure: Agent Manager connected over the DELTA control channel to the App Agent (running on the SDN controller beside App 2, App 3, Core APIs and DB), the Channel Agent (between controller and switches, at a network hub) and the Host Agent; OpenFlow switches; Host A and Host B]
22 DELTA: System Design: Agent Manager
- The control tower
- Remotely controls the agents deployed to the target network
- Leverages different agents to perform various security test cases
- Analyzes the test results collected from the agents
23 DELTA: System Design: Application Agent
- SDN applications that conduct attack procedures as instructed by the manager
- Implements the known malicious functions as an application agent library
- Includes fuzzing modules that randomize the SDN control flows
24 DELTA: System Design: Channel Agent
- Located between the controller and the switch
- Includes fuzzing modules that sniff and modify the unencrypted SDN control messages
- Mimics a dummy controller / switch
25 DELTA: System Design: Host Agent
- A legitimate network host participating in the target SDN
- Generates network traffic as instructed by the agent manager (e.g., DDoS, LLDP injection, etc.)
- Checks the connectivity to other hosts
26 Automated Operation (automating a working process)
1. Select reproducing known test case or finding unknown test case
2. Instruct each agent to conduct the test
3. Collect the result of the test from each agent
4. Notify the result
[Figure: Agent Manager, App Agent, Channel Agent and Host Agent around the SDN controller (App B, App C, Core APIs, DB), network hub, OpenFlow switches, Host A and Host B]
27 SDN Control Flow Fuzzing
- Find NEW security holes in SDN (i.e., OpenFlow protocol based)
- Define three types of control flow operations
  1. Symmetric control flow: Req. & Res. message pair (e.g., ECHO_REQ / ECHO_RES)
  2. Asymmetric control flow: one-way message (e.g., PACKET_IN, FLOW_MOD)
  3. Intra-controller control flow: between applications and core services
[Figure: SDN controller with App A, App B, App C, Core Services and DB, exchanging REQ/RES messages and one-way messages with an OpenFlow switch]
28 Operational State Diagram
To find new vulnerabilities,
1. Infer the current state of the controller
2. Manipulate the control flow sequence or the input values
[State diagram: from state R, symmetric flow transitions (S*), asymmetric flow transitions (A*) and intra-controller flow transitions (I*). Symmetric chain S1 to S7: send HELLO, receive HELLO, send FEATURES_REQ, receive FEATURES_RES, send GET_CONFIG_REQ, receive GET_CONFIG_RES, send SET_CONFIG. Further transitions shown: send STATS_REQ / receive STATS_RES, send ECHO_REQ / receive ECHO_RES, send VENDOR / receive VENDOR, send BARRIER_REQ / receive BARRIER_RES, send FLOW_MOD, send PACKET_OUT, send PORT_MOD, receive PACKET_IN, receive PORT_STATUS, receive FLOW_REMOVED, with the effects "update topology", "update internal flow tables" and "deliver to applications"]
29 Identifying Current State of Controller
[Figure: the Channel Agent observes PACKET_IN and FLOW_MOD on the control channel and the App Agent observes delivery to applications; the Agent Manager maps "Receive PACKET_IN", "Deliver to applications" and "Send FLOW_MOD" to the states R, A2, A3, A4]
30 Randomizing Symmetric Control Flow Sequence
- Symmetric chain: send HELLO (S1), receive HELLO (S2), send FEATURES_REQ (S3), receive FEATURES_RES (S4), send GET_CONFIG_REQ (S5), receive GET_CONFIG_RES (S6), send SET_CONFIG (S7)
[Figure: the message exchange between the SDN controller and an OpenFlow switch (HELLO, FEATURE_REQ, FEATURE_RES, GET_CONFIG_REQ, GET_CONFIG_RES, SET_CONFIG), shown once directly and once with the Channel Agent in between]
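Seen from the monitoring side, the S1 to S7 chain above is something a passive observer can enforce. The following is an added example, not part of the slides or of DELTA's code: it parses the 8-byte OpenFlow header from slide 9 and reports handshakes that deviate from the S1 to S7 order or whose replies carry an xid matching no request. The type codes are the OpenFlow 1.0 values; the function names, the strict-order policy and the sample captures are constructed for illustration.

```python
import struct

# OpenFlow header: version (1 B), type (1 B), length (2 B), xid (4 B), network order
OFP_HEADER = struct.Struct("!BBHI")
OFP10_VERSION = 0x01
OFP10_MAX_TYPE = 21          # OpenFlow 1.0 defines 22 message types, codes 0..21

# OpenFlow 1.0 type codes for the handshake messages named on the slide
NAMES = {0: "HELLO", 5: "FEATURES_REQ", 6: "FEATURES_RES",
         7: "GET_CONFIG_REQ", 8: "GET_CONFIG_RES", 9: "SET_CONFIG"}

# S1..S7 from the controller's point of view. Assumption: the order is
# enforced strictly; a production monitor would tolerate the two HELLOs
# crossing on the wire.
EXPECTED = [("send", 0), ("recv", 0), ("send", 5), ("recv", 6),
            ("send", 7), ("recv", 8), ("send", 9)]
REPLY_OF = {6: 5, 8: 7}      # reply type -> request type (symmetric flows)


def build(mtype, xid, body=b""):
    """Construct a sample OpenFlow 1.0 message for the captures below."""
    length = OFP_HEADER.size + len(body)
    return OFP_HEADER.pack(OFP10_VERSION, mtype, length, xid) + body


def parse_header(data):
    """Return (type, length, xid) or raise ValueError for a malformed header."""
    if len(data) < OFP_HEADER.size:
        raise ValueError("truncated header")
    version, mtype, length, xid = OFP_HEADER.unpack_from(data)
    if version != OFP10_VERSION:
        raise ValueError(f"unexpected version 0x{version:02x}")
    if mtype > OFP10_MAX_TYPE:
        raise ValueError(f"undefined message type {mtype}")
    if length < OFP_HEADER.size or length > len(data):
        raise ValueError(f"length field {length} does not fit the message")
    return mtype, length, xid


def check_handshake(messages):
    """messages: list of (direction, raw_bytes). Returns a list of findings."""
    findings, step, pending = [], 0, {}
    for n, (direction, data) in enumerate(messages):
        if step == len(EXPECTED):
            break                                   # handshake finished
        try:
            mtype, _, xid = parse_header(data)
        except ValueError as err:
            findings.append(f"msg {n}: malformed ({err})")
            continue
        want = EXPECTED[step]
        if (direction, mtype) != want:
            findings.append(
                f"msg {n}: out of sequence at S{step + 1}: expected "
                f"{want[0]} {NAMES[want[1]]}, got {direction} "
                f"{NAMES.get(mtype, mtype)}")
            continue
        # A reply must echo the xid of the request it answers.
        if mtype in REPLY_OF and pending.get(REPLY_OF[mtype]) != xid:
            findings.append(f"msg {n}: {NAMES[mtype]} xid {xid} matches no request")
        if direction == "send":
            pending[mtype] = xid
        step += 1
    if step < len(EXPECTED):
        findings.append(f"handshake incomplete: never reached S{step + 1}")
    return findings


# Constructed captures: a clean handshake, and one in which GET_CONFIG_RES
# arrives before FEATURES_RES.
NORMAL = [("send", build(0, 1)), ("recv", build(0, 1)), ("send", build(5, 2)),
          ("recv", build(6, 2)), ("send", build(7, 3)), ("recv", build(8, 3)),
          ("send", build(9, 4, b"\x00\x00\x00\x80"))]
REORDERED = NORMAL[:3] + [("recv", build(8, 3))] + NORMAL[3:]

if __name__ == "__main__":
    for name, capture in (("normal", NORMAL), ("reordered", REORDERED)):
        print(name, check_handshake(capture))
```
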
31 Randomizing Asymmetric Control Flow Sequence
[Figure: (1) a PACKET_IN arrives from the switch between Host A and Host B (state A2: receive PACKET_IN); (2) the App Agent changes the order in which the Packet-IN Notifier delivers it to applications (state A3: deliver to applications), from App A, App B, App C, App D to App D, App C, App B, App A]
32 Randomizing Input Values (finding new attacks)
- Between an SDN controller and an SDN switch
- Between SDN applications
- e.g., ADD (0x0000) → (Undefined) (0xFFFF)
[Figure: App Agent inside the SDN controller (App A, App C, Core Services, DB) and Channel Agent on the OpenFlow channel carrying FLOW_MOD and PACKET_IN]
33 Implementation Program languages: Java / Python [LOC]
34 Supported SDN Components (supporting diverse SDN components)
- Supports four different open source SDN controllers (ONOS, OpenDaylight, Floodlight and Ryu!)
- Controller versions and release dates: Version Hydrogen Helium... Oxygen Release Date 6/5/15 9/18/ /2/18 2/4/14 9/29/ /22/18 12/8/14 12/30/14 4/17/15 2/7/16 7/1/18
- Supported switches (HW and SW), OpenFlow v1.0 and v1.3 supported: Vendor OpenFlow Version Pica8 P , 1.3 Arista Networks 7050-T HPE E G-2SFP+ 1.0 Linux Foundation Collaborative Project OpenV 1.0,
35 Web-based UI
- Live test queue
- Configuration and log pane
- Test case inventory
36 Configuration and Log Pane
37 Test Case Inventory (40+, covering many attack cases)
- Test set 1: Data plane security. OpenFlow messages from a controller to a switch
- Test set 2: Control plane security. OpenFlow messages from a switch to a controller
- Test set 3: Advanced security. Sophisticated security tests exploiting a variety of vulnerabilities, e.g., SDN applications exploiting SDN controllers' architectural vulnerabilities
38 Let's start DEMO time!
39 Demonstration
- Test environments
- 1 KNOWN attack for Floodlight
- 2 NEW attacks for ONOS, OpenDaylight
40 Test Environments
[Figure: SDN controller with Firewall App, Forwarding App, Core Services and DB; network hub; switches A and B; Host Agent and Normal Host B]
41 Test Environments
[Figure: the same environment with the DELTA agents added: App Agent on the SDN controller, Agent Manager, Channel Agent at the network hub, Host Agent, switches A and B, Normal Host B]
42 Event Subscription in SDN
- An SDN controller maintains an event subscription list
- Packet-In events are processed according to a priority
- Packet-IN subscription list: 1. Load balancer, 2. Topology Manager, 3. Firewall App
[Figure: a packet (PKT) from host A reaches the switch, which sends PACKET_IN to the SDN controller; Core Services pass it to the Load balancer App, the Topology Manager and the Firewall App in turn]
43 Attack Strategy: Smash the subscription!
1. Modify the priority
2. Manipulate the Packet-In, and deliver it to the next
3. The application refers to the wrong value
[Figure: a Malicious App placed ahead of the Topology Manager and the Firewall App in the Packet-IN subscription list of the SDN controller]
44 DEMO 1: Packet-In Data Forge attack
[Figure: Agent Manager, App Agent, Channel Agent and Host Agent around the SDN controller (Packet-IN Notifier, Topology Manager, Firewall App, Core Services, DB), network hub, switches A and B, Host B; steps numbered 1 to 6]
- Packet-IN message as first shown: in_port: 1, reason: NoMatch, DATA: PKT
- Packet-IN message as shown later: in_port: 1, reason: NoMatch, DATA: (empty)
- Packet-IN Notifier list as first shown: 1. Link Discovery App, 2. Topology Manager App, 3. Device Manager App, 4. Firewall App, ..., 7. DELTA App Agent
- Packet-IN Notifier list as shown later: 1. DELTA App Agent, 2. Topology Manager App, 3. Device Manager App, 4. Firewall App, ..., 7. Link Discovery App
- Step captions: The NULL SW1 app AM point Instructs agent instructs delivers exception removes modifies a the Packet-In host app occurred the agent data priority message and to field randomize generate the of to switch the message, controller a the packet connections sequence and then are of the closed hands packet-in it over subscription to the next one list
45 DEMO 1: Packet-In Data Forge attack
46 DEMO 1: Packet-In Data Forge attack
- Feasible to Floodlight 1.1
- Why? BRING ME APIs!!! SDN applications granted powerful authority
- How to defend? Policy-based access control to SDN applications, e.g., Security-Mode ONOS [1]
47 Databases in OpenDaylight
OpenDaylight (ODL) manages two types of databases
- Config: proactive and persistent rules, non-volatile memory
- Operational: reactive and temporary rules, volatile memory
48 Attack Strategy: Exploit the config. DB
ODL refers to the configuration DB when handshaking with a switch
1. Inject a malformed rule to DB
2. Cut the channel temporarily
3. Ask a handshake
4. Access the DB
[Figure: attacker's Malicious App and Core Services with the Config DB inside the controller; MITM proxy on the OpenFlow channel carrying HELLO]
49 DEMO 2: Malformed Flow Rule Generation
[Figure: Agent Manager, App Agent, Channel Agent and Host Agent around the SDN controller (Firewall App, Forwarding App, Core Services, Config DB), network hub, switches A (OF 1.0) and B (OF 1.0), Normal Host B; HELLO with OF 1.3; steps numbered 1 to 5]
- Flow rule shown in the Config DB: ID F2, IN 1, Match "HA to B", Action GROUP [NULL]
- Step captions: 1 2 AM instructs the app agent to a malformed 54 The switch 3 app agent tries makes to connect a malformed to themake flow controller rule including NULLrule group action A fails INFINITELY channel agent to disconnect the flow switch A
50 DEMO 2: Malformed Flow Rule Generation
51 DEMO 2: Malformed Flow Rule Generation
- Feasible to OpenDaylight Oxygen (latest version)
- Why?
  - Improper exception handling in the handshake process
  - Absence of malformed flow rule management
- How to defend?
  - Detecting the infinite failures and resolving root causes
  - Filtering an input that has incompatible fields
52 Flow Synchronization in ONOS
- ONOS synchronizes the internal flow tables with switches using flow statistics
- Consistency is periodically and strongly investigated
[Figure: the Forwarding App makes a rule (FLOW_RULE) through Core Services and the DB; the controller sends FLOW_MOD, then STATS_REQ, and compares the STATS_RES with its own table ("Are they same with me?")]
- Controller's flow table: ID A1, DPID A, Match "HA to B", Action FWD 1
- Switch's flow table: IN 1, Match "HA to B", Action FWD 1
53 Attack Strategy: Exploit the synchronization!
- If consistency is broken, ONOS removes and reinstalls everything
- Let's break the consistency by installing a malformed flow rule
1. Inject an invalid flow rule
2. Install a wrong flow rule
3. Get a flow statistics; compare it with the original
4. Reinstall them!
- Controller's flow table: ID A1, DPID A, Match *, Action FWD
- Switch's flow table: IN 1, Match "HA to B", Action FWD
54 DEMO 3: Infinite Flow Rule Synchronization
[Figure: Agent Manager, App Agent, Channel Agent and Host Agent around the SDN controller (Firewall App, Forwarding App, Core Services, DB), network hub, switches A and B, Normal Host B; FLOW_ADD; steps numbered 1 to 6]
- Controller's flow rules (ID, IN, Src, Dst, Action): A1, 1, HA, B, FWD 2; A2, 2, B, HA, FWD 1; B1, 3, B, HA, FWD 2; B2, 4, HA, B, FWD 1
- Switch flow table (IN, Src, Dst, Action): 1, HA, B, FWD 2; 2, B, HA, FWD 1
- Step captions: Send Repeat Instruct Make Delete Host a Agent a flow ALL this App flow every rule communicates Agent overflowed rules including 5 to seconds generate the with outport switch the Host number B a and malformed abnormal then retry flow outport to install rulenumber
55 DEMO 3: Infinite Flow Rule Synchronization
56 DEMO 3: Infinite Flow Rule Synchronization
- Feasible to ONOS 1.13 (latest version)
- Why?
  - Careless range check on field values
  - Meaningless flow synchronization
- How to defend?
  - Thorough range check in critical fields
  - Root cause analysis of synchronization failures
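The "How to defend?" items on slides 51 and 56 (filtering incompatible fields, range-checking critical fields, detecting endless retries) can be sketched as a pre-install check plus a retry monitor. This is an added example, not ONOS, OpenDaylight or DELTA code: the rule and switch dictionaries, the function names and the thresholds are assumptions made for illustration, while the port and command constants are the OpenFlow 1.0 values.

```python
from collections import defaultdict, deque

# OpenFlow 1.0 constants
OFPP_MAX = 0xFF00                                 # highest physical port number
RESERVED_OUT_PORTS = set(range(0xFFF8, 0xFFFF))   # IN_PORT .. LOCAL; 0xFFFF (NONE) excluded
FLOW_MOD_COMMANDS = {0: "ADD", 1: "MODIFY", 2: "MODIFY_STRICT",
                     3: "DELETE", 4: "DELETE_STRICT"}


def check_out_port(port, switch_ports):
    """Range check for an OUTPUT action; returns a list of rejection reasons."""
    if not isinstance(port, int) or isinstance(port, bool):
        return [f"output port {port!r} is not an integer"]
    if not 0 < port <= 0xFFFF:
        return [f"output port {port:#x} outside the 16-bit port range"]
    if port <= OFPP_MAX:
        if port not in switch_ports:
            return [f"output port {port} does not exist on the switch"]
        return []
    if port not in RESERVED_OUT_PORTS:
        return [f"output port {port:#x} is not a valid reserved port"]
    return []


def validate_flow_rule(rule, switch):
    """Return the reasons to reject `rule` for `switch` (empty list = accept).

    Hypothetical layout: rule = {"command": int, "actions": [(kind, arg), ...]},
    switch = {"of_version": "1.0" or "1.3", "ports": set of port numbers}.
    """
    reasons = []
    if rule.get("command") not in FLOW_MOD_COMMANDS:
        reasons.append(f"undefined FLOW_MOD command {rule.get('command')!r}")
    for kind, arg in rule.get("actions", []):
        if kind == "OUTPUT":
            reasons.extend(check_out_port(arg, switch["ports"]))
        elif kind == "GROUP":
            # Group tables do not exist in OpenFlow 1.0 (see slide 11).
            if switch["of_version"] == "1.0":
                reasons.append("GROUP action sent to an OpenFlow 1.0 switch")
            if arg is None:
                reasons.append("GROUP action without a group id")
        else:
            reasons.append(f"unknown action {kind!r}")
    return reasons


class ReinstallLoopDetector:
    """Flags a rule that keeps being reinstalled within a time window."""

    def __init__(self, max_reinstalls=3, window=30.0):
        self.max_reinstalls = max_reinstalls
        self.window = window
        self._events = defaultdict(deque)

    def record(self, dpid, rule_id, now):
        """Record one reinstall; True means the rule should be quarantined."""
        seen = self._events[(dpid, rule_id)]
        seen.append(now)
        while now - seen[0] > self.window:
            seen.popleft()                 # forget reinstalls outside the window
        return len(seen) > self.max_reinstalls


if __name__ == "__main__":
    # Constructed sample: a 2-port OpenFlow 1.0 switch and three candidate rules.
    switch = {"of_version": "1.0", "ports": {1, 2}}
    for rule in ({"command": 0, "actions": [("OUTPUT", 2)]},
                 {"command": 0, "actions": [("OUTPUT", 0x1FFFF)]},
                 {"command": 0, "actions": [("GROUP", None)]}):
        print(rule, "->", validate_flow_rule(rule, switch) or "accepted")
    detector = ReinstallLoopDetector()
    print([detector.record("A", "A1", t) for t in (0, 5, 10, 15)])
```

A rule that fails validation is rejected before it reaches the configuration store or the switch; a rule that trips the detector is taken out of the synchronization cycle and reported for root cause analysis.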
57 Summary of NEW attack cases
No. | Attack Name | Control Flow Type | Controller
1 | Malformed Flow Rule Generation 1 | Intra-Controller Flow | OpenDaylight
2 | Malformed Flow Rule Generation 2 | Intra-Controller Flow | ONOS
3 | Flow Rule Inconsistency 1 | Asymmetric Flow | ONOS
4 | Flow Rule Inconsistency 2 | Asymmetric Flow | Floodlight
5 | Flow Rule Inconsistency 3 | Asymmetric Flow | ONOS
6 | Infinite Flow Rule Synchronization 1 | Asymmetric Flow | ONOS
7 | Infinite Flow Rule Synchronization 2 | Asymmetric Flow | ONOS
8 | Flow Rule ID Spoofing 1 | Asymmetric Flow | Floodlight
9 | Flow Rule ID Spoofing 2 | Asymmetric Flow | Floodlight
58 Final Remarks
- Although SDN offers significant benefits as next-gen networking, a lot of work still needs to be done to improve the security of SDN.
- DELTA helps to verify the security of SDN architecture thoroughly.
- DELTA fuzzing techniques enable us to discover new vulnerabilities.
- DELTA is now available as an open source project, so anyone can join us!
59 Q&A
Thanks to Changhoon Yoon and Haney Kang for helping us make the slides :)
60 Acknowledgement
- This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIT) (No , SDN security technology development)
- And also, this work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (No. B , Global SDN/NFV OpenSource Software Core Module/Function Development)
CSC 4900 Computer Networks: Routing Protocols Professor Henry Carter Fall 2017 Last Time Link State (LS) versus Distance Vector (DV) algorithms: What are some of the differences? What is an AS? Why do
More informationVLAN Hopping, ARP Poisoning, and Man-In-TheMiddle Attacks in Virtualized Environments
VLAN Hopping, ARP Poisoning, and Man-In-TheMiddle Attacks in Virtualized Environments Dr. Ronny L. Bull, Ph.D. Utica College Nexus Seminar Series Nov 10th 2017 About Me Ph.D. in Computer Science from Clarkson
More informationSDN and NFV as expressions of a systemic trend «integrating» Cloud, Networks and Terminals
SDN and NFV as expressions of a systemic trend «integrating» Cloud, Networks and Terminals Antonio Manzalini, Chair of the IEEE SDN initiative Bobby Wong, Program Director SDN-NFV Standardization Committee
More informationVerification of NFV Services : Problem Statement and Challenges
Verification of NFV Services : Problem Statement and Challenges draft-shin-nfvrg-service-verification-01 M-K. Shin, ETRI K. Nam, Friesty S. Pack, Korea Univ. S. Lee, ETRI Tae-wan Kim, LG U+ NFVRG Meeting@IETF92,
More information11/30/16. Game Plan. OpenFlow 1.3: Protocol, Use Cases, And Building a Fault Tolerant Application. Up Next. Before We Get Started
OpenFlow 1.3: Protocol, Use Cases, And Building a Fault Tolerant Application Geddings Barrineau Ryan Izard Clemson University Niky Riga GENI Project Office 1 Game Plan 2 Before We Get Started 1. Login
More informationONOS Mini-Summit, Beijing, China
1 ONOS Mini-Summit, Beijing, China Aseem Parikh, VP Solutions and Partnerships, ONF August 2017 About ONF 3 New ONF Being Formed to Lead in this New Open Source Era ONF Champion For SDN Standards SDN/NFV
More informationCommunication System Design Projects
Communication System Design Projects KUNGLIGA TEKNISKA HÖGSKOLAN PROFESSOR: DEJAN KOSTIC TEACHING ASSISTANT: GEORGIOS KATSIKAS Traditional Vs. Modern Network Management What is Network Management (NM)?
More informationEnable Infrastructure Beyond Cloud
Enable Infrastructure Beyond Cloud Tim Ti Senior Vice President R&D July 24, 2013 The Ways of Communication Evolve Operator s challenges Challenge 1 Revenue Growth Slow Down Expense rate device platform
More informationManagement in SDN/NFV
Management in SDN/NFV Network Management Spring 2018 Bahador Bakhshi CE & IT Department, Amirkabir University of Technology Outline Introduction What is the SDN? NM in SDN What is the NFV? NM in NFV Summary
More informationOpenFlow Ronald van der Pol
OpenFlow Ronald van der Pol Outline! Goal of this project! Why OpenFlow?! Basics of OpenFlow! Short Demo OpenFlow Overview! Initiative of Stanford University! Run network research experiments
More informationBuilding Security Services on top of SDN
Building Security Services on top of SDN Gregory Blanc Télécom SudParis, IMT 3rd FR-JP Meeting on Cybersecurity WG7 April 25th, 2017 Keio University Mita Campus, Tokyo Table of Contents 1 SDN and NFV as
More informationIPv6- IPv4 Threat Comparison v1.0. Darrin Miller Sean Convery
IPv6- IPv4 Threat Comparison v1.0 Darrin Miller dmiller@cisco.com Sean Convery sean@cisco.com Motivations Discussions around IPv6 security have centered on IPsec Though IPsec is mandatory in IPv6, the
More informationLecture 10.1 A real SDN implementation: the Google B4 case. Antonio Cianfrani DIET Department Networking Group netlab.uniroma1.it
Lecture 10.1 A real SDN implementation: the Google B4 case Antonio Cianfrani DIET Department Networking Group netlab.uniroma1.it WAN WAN = Wide Area Network WAN features: Very expensive (specialized high-end
More informationOpenFlow DDoS Mitigation
OpenFlow DDoS Mitigation C. Dillon, M. Berkelaar February 9, 2014 University of Amsterdam Quanza Engineering Introduction Distributed Denial of Service attacks Types of attacks Application layer attacks
More informationSECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA
SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA CTO Office www.digi.me another Engineering Briefing digi.me keeping your data secure at all times ALL YOUR DATA IN ONE PLACE TO SHARE WITH PEOPLE WHO
More informationOn the State of the Inter-domain and Intra-domain Routing Security
On the State of the Inter-domain and Intra-domain Routing Security Mingwei Zhang April 19, 2016 Mingwei Zhang Internet Routing Security 1 / 54 Section Internet Routing Security Background Internet Routing
More informationSecurity Issues In Mobile Ad hoc Network Routing Protocols
Abstraction Security Issues In Mobile Ad hoc Network Routing Protocols Philip Huynh phuynh@uccs.edu Mobile ad hoc network (MANET) is gaining importance with increasing number of applications. It can be
More informationCisco Extensible Network Controller
Data Sheet Cisco Extensible Network Controller Product Overview Today s resource intensive applications are making the network traffic grow exponentially putting high demands on the existing network. Companies
More informationCloud Computing and Cloud Networking
Cloud Computing and Cloud Networking Dr. Adel Nadjaran Toosi Cloud Computing and Distributed Systems (CLOUDS) Laboratory, School of Computing and Information Systems The University of Melbourne, Australia
More informationConducting an IP Telephony Security Assessment
Conducting an IP Telephony Security Assessment Mark D. Collier Chief Technology Officer mark.collier@securelogix.com www.securelogix.com Presentation Outline Ground rules and scope Discovery Security policy
More informationClassBench-ng: Recasting ClassBench After a Decade of Network Evolution
ClassBench-ng: Recasting ClassBench After a Decade of Network Evolution Jiří Matoušek 1, Gianni Antichi 2, Adam Lučanský 3 Andrew W. Moore 2, Jan Kořenek 1 1 Brno University of Technology 2 University
More informationOpenDaylight service function chaining usecases. 14 October 2014 Contact: Abhijit Kumbhare & Vinayak Joshi
OpenDaylight service function chaining usecases 14 October 2014 Contact: Abhijit Kumbhare & Vinayak Joshi agenda SFC Architecture Use Cases OpenDaylight SFC Use Cases 2014-10-14 Page 2 Service function
More informationProgramming Network Policies by Examples: Platform, Abstraction and User Studies
Programming Network Policies by Examples: Platform, Abstraction and User Studies Boon Thau Loo University of Pennsylvania NetPL workshop @ SIGCOMM 2017 Joint work with Yifei Yuan, Dong Lin, Siri Anil,
More informationSoftware-Defined WAN: Application-centric Virtualization and Visibility
Software-Defined WAN: Application-centric Virtualization and Visibility Dongkyun Kim, KISTI mirr@kisti.re.kr June 23, KRNet2015 Introduction Software-Defined WAN SD-WAN Optimization, Virtualization, Visibility,
More informationTaxonomy of SDN. Vara Varavithya 17 January 2018
Taxonomy of SDN Vara Varavithya 17 January 2018 Modern Data Center Environmentally protected warehouses Large number of computers for compute and storage Blades Computer- Top-of-Rack (TOR) Switches Full
More informationNETWORK VIRTUALIZATION IN THE HOME Chris Donley CableLabs
NETWORK VIRTUALIZATION IN THE HOME Chris Donley CableLabs Abstract Networks are becoming virtualized. While there has been significant focus on virtualization in core and data center networks, network
More informationA Hybrid Hierarchical Control Plane for Software-Defined Network
A Hybrid Hierarchical Control Plane for Software-Defined Network Arpitha T 1, Usha K Patil 2 1* MTech Student, Computer Science & Engineering, GSSSIETW, Mysuru, India 2* Assistant Professor, Dept of CSE,
More informationEXPERIMENTAL STUDY OF FLOOD TYPE DISTRIBUTED DENIAL-OF- SERVICE ATTACK IN SOFTWARE DEFINED NETWORKING (SDN) BASED ON FLOW BEHAVIORS
EXPERIMENTAL STUDY OF FLOOD TYPE DISTRIBUTED DENIAL-OF- SERVICE ATTACK IN SOFTWARE DEFINED NETWORKING (SDN) BASED ON FLOW BEHAVIORS Andry Putra Fajar and Tito Waluyo Purboyo Faculty of Electrical Engineering,
More informationLEAP DATA SHEET. Lumina Extension Adaptation Platform. Benefits: Model-driven software platform enables automation of heterogeneous networks.
DATA SHEET LEAP Lumina Extension Adaptation Platform Model-driven software platform enables automation of heterogeneous networks. SDN has long enabled interfaces like Netconf and OpenFlow to program network
More informationProduct Security. for Consumer Devices. Anton von Troyer Codenomicon. all rights reserved.
Product Security Anton von Troyer for Consumer Devices About Codenomicon Founded in Autumn 2001 Commercialized the academic approach built since 1996 Technology leader in security test automation Model-based,
More informationSDN+NFV Next Steps in the Journey
SDN+NFV Next Steps in the Journey Margaret T. Chiosi AT&T Labs Distinguished Architect SDN-NFV Realization 2015 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks
More informationOpenADN: A Case for Open Application Delivery Networking
OpenADN: A Case for Open Application Delivery Networking Subharthi Paul, Raj Jain, Jianli Pan Washington University in Saint Louis {Pauls, jain, jp10}@cse.wustl.edu International Conference on Computer
More informationThe 2008 publication of OpenFlow: Enabling. Faucet. Deploying SDN in the Enterprise. Using OpenFlow and DevOps for rapid development
1 OF 15 TEXT ONLY Faucet Deploying SDN in the Enterprise JOSH BAILEY AND STEPHEN STUART Using OpenFlow and DevOps for rapid development The 2008 publication of OpenFlow: Enabling Innovation in Campus Networks
More informationUnlock the Benefits of Transport SDN OIF Transport SDN API Interop Demo
Unlock the Benefits of Transport SDN OIF Transport SDN API Interop Demo June 13 th, 2017 Optinet China Conference 2017 Junjie Li, China Telecom (lijj.bri@chinatelecom.cn) OIF Board Member Agenda Motivation
More informationSOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications
Enabling and Securing Digital Business in Economy Protect s Serving Business Critical Applications 40 percent of the world s web applications will use an interface Most enterprises today rely on customers
More informationApplication Delivery Using Software Defined Networking
Application Delivery Using Software Defined Networking Project Leader: Subharthi Paul Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu GITPro World 2013, Palo Alto, CA, April
More informationAccelerating SDN and NFV Deployments. Malathi Malla Spirent Communications
Accelerating SDN and NFV Deployments Malathi Malla Spirent Communications 2 Traditional Networks Vertically integrated Closed, proprietary Slow innovation 3 Infinite Complexity of Testing Across virtual
More informationOur Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II
Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2016 www.cs.cmu.edu/~prs/15-441-f16 Yes: Creating a secure channel for communication (Part I) Protecting
More informationSDX: A Software Defined Internet Exchange
SDX: A Software Defined Internet Exchange @SIGCOMM 2014 Laurent Vanbever Princeton University FGRE Workshop (Ghent, iminds) July, 8 2014 The Internet is a network of networks, referred to as Autonomous
More informationOpenFlow. Finding Feature Information. Prerequisites for OpenFlow
Finding Feature Information, page 1 Prerequisites for, page 1 Restrictions for, page 2 Information About Open Flow, page 3 Configuring, page 8 Monitoring, page 12 Configuration Examples for, page 12 Finding
More informationUNIVERSITY OF CAGLIARI
UNIVERSITY OF CAGLIARI DIEE - Department of Electrical and Electronic Engineering Infrastrutture ed Applicazioni Avanzate nell Internet SDN: Control Plane ACK: content taken from Foundations of Modern
More informationEnding the Confusion About Software- Defined Networking: A Taxonomy
Ending the Confusion About Software- Defined Networking: A Taxonomy This taxonomy cuts through confusion generated by the flood of vendor SDN announcements. It presents a framework that network and server
More informationQuestion No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:
Volume: 75 Questions Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output: Which of the following is occurring? A. A ping sweep B. A port scan
More informationArchitecture for QoS-enabled Application Service Deployment in Virtualized Environment
, pp.121-125 http://dx.doi.org/10.14257/astl.2016.142.22 Architecture for QoS-enabled Application Service Deployment in Virtualized Environment Hyun-Min Yoon, Zeqi Liu, Woo-Suk Yang, Jung-Ho Kim and Jae-Oh
More information