ECIT Institute (Est.2003)

Transcription

1

2 ECIT Institute (Est.2003) Research Excellence & Innovation 180 people 4 Queen s University Belfast Research Groups - Digital Communications - High Frequency Electronics - Speech, Imaging and Vision Systems - Secure Digital Systems

3 CSIT (Est.2009) A GLOBAL INNOVATION HUB FOR CYBER SECURITY NETWORK SECURITY DATA SECURITY CYBER PHYSICAL SYSTEMS MOBILE SECURITY OPEN INNOVATION TIERED MEMBERSHIP KNOWLEDGE TRANSFER VENTURE CREATION

4 CSIT (Est.2009) A GLOBAL INNOVATION HUB FOR CYBER SECURITY Accelerating Value Creation New Venture Creation Building Capacity

5 CSIT (Est.2009) A GLOBAL INNOVATION HUB FOR CYBER SECURITY Accelerating Value Creation New Venture Creation Building Capacity New Products New Solution

6 CSIT (Est.2009) A GLOBAL INNOVATION HUB FOR CYBER SECURITY Accelerating Value Creation New Venture Creation Building Capacity New Products New Solution Spin-Outs FDI

7 CSIT (Est.2009) A GLOBAL INNOVATION HUB FOR CYBER SECURITY Accelerating Value Creation New Venture Creation Building Capacity New Products New Solution Spin-Outs FDI Go-To Place Spill-over

8 Centre for Secure Information Technologies (CSIT) Est.2009, Based in The ECIT Institute Initial funding over 30M 80 People Researchers Engineers Business Development Largest UK University lab for cyber security technology research GCHQ Academic Centre of Excellence Industry Informed Open Innovation Model Strong international links ETRI, CyLab, GTRI, SRI International Cyber Security Technology Summit

9 Open Innovation - Members Open Innovation / Tiered Membership

10 Network Security Systems Network Security IDS / IPS, DDoS mitigation Cloud Security SDN, Virtualisation SCADA & Smart Grid Security DDoS mitigation Mobile Malware Analysis Reverse engineering Signature extraction Prof. Sakir Sezer Research Director

11 Security in Software-Defined Networking Dr. Sandra Scott-Hayward August 2013

12 Software-Defined Networking (SDN) Platform Security in SDN Security Enhancement using SDN Security Challenges with SDN CSIT SDN Security Contributions Open Areas for Research

13 Traditional Network Control and Data Planes combined in Network Elements: Control Packet Forwarding Hardware Control Packet Forwarding Hardware Control Packet Forwarding Hardware Control Packet Forwarding Hardware

14 SDN Evolution Driven by desire to provide user-controlled management of forwarding in network nodes Software-Defined Networking

15 SDN Separation of Control and Data Planes: Open API APP APP APP Controller Packet Forwarding Hardware Open API Packet Forwarding Hardware Packet Forwarding Hardware Packet Forwarding Hardware

16 SDN Architecture Sezer, S., et al. Are We Ready for SDN? Implementation Challenges for Software-Defined Networks IEEE Communications Magazine, July 2013

17 Network Functions Virtualization Network Functions Virtualization implementation of network functions in software that can run on a range of industry standard server hardware, and that can be moved to, or instantiated in, various locations in the network as required Network Functions Virtualisation Introductory White Paper, October

18 Security Enhancements Using SDN Security Policy Controller Switch Switch Switch Security Service Insertion Controller Security Middlebox e.g. IDS Switch Switch Network Forensics Re-programme Analyze Network Update Policy

19 Security Products - SDN

20 Security Challenges with SDN Central Controller Single Point of ONIX Failure (Distributed State) or Controller Replication Mutual (Controller-Switch) Controller Impersonation Authentication with TLS (Transport Layer Security) Role-based Authorization Conflicting Application e.g. Policies FortNOX Policy Conflict Resolution e.g. VeriFlow, NICE, FlowChecker

21 Security Challenges with SDN Increased potential for Denial of Service: Switch Buffer Flow Table State Table Data Flows/Processes R. Kloti, Openflow: A Security Analysis, Swiss Federal Institute of Technology Zurich, Zurich, Switzerland, 2013.

22 Implementing OpenFlow Controller First Packet Flow Table 5-tuple SP DP Prot SA DA Hash # Execute Action Subsequent Packets Packet In Hdr Payload Hdr Payload Packet Out

23 Data Store DoS Challenge MEMORY

24 CSIT Contributions - SDN Security Lookup Acceleration for Multi-Gigabit SDN M E M O R Y Real-time traffic monitoring, analytics and forensics tools for SDN Security of SDN Applications

25 Open Areas for Research Advanced Persistent Threats Adaptive CyberSecurity Moving Target Defense Dynamic Defense

26 References R. Kloti, Openflow: A Security Analysis, Swiss Federal Institute of Technology Zurich, Zurich, Switzerland, M. Canini, D. Venzano, P. Perevsíni, D. Kostić, and J. Rexford, A NICE way to test openflow applications, in Proceedings of the 9th USENIX conference on Networked Systems Design and Implementation, Berkeley, CA, USA, 2012, pp E. Al-Shaer and S. Al-Haj, FlowChecker: configuration analysis and verification of federated openflow infrastructures, in Proceedings of the 3rd ACM workshop on Assurable and usable security configuration, New York, NY, USA, 2010, pp A. Khurshid, W. Zhou, M. Caesar, and P. B. Godfrey, Veriflow: verifying network-wide invariants in real time, SIGCOMM Comput Commun Rev, vol. 42, no. 4, pp , Sep P. Porras, S. Shin, V. Yegneswaran, M. Fong, M. Tyson, and G. Gu, A security enforcement kernel for OpenFlow networks, in Proceedings of the first workshop on Hot topics in software defined networks, New York, NY, USA, 2012, pp T. Koponen et al., Onix: A Distributed Control Platform for Large-scale Production Networks, in OSDI, 2010.

27 Thank you! Questions?

28 CSIT: A Global Cyber Innovation Hub Thought leader in Secure Information Technology Research Network of Commercial & Research partnerships Portfolio of successful Technology Transfer