SDN Applications and Use Cases. Copyright 2015 ITRI


Speaker slide: Ph.D (IR), Engineer, ITRI (name not recoverable from the transcription)

Outline
- SDN Basics
- SDN Use Cases & Applications: Google B4 WAN, NEC VTN, OpenDefenseFlow, Firewall Migration, ITRI VLAN Migration
- Concluding Remarks


What is SDN?

SDN = OpenFlow? Not exactly.
OpenFlow 1.0 flow entry: Matching Fields | Actions | Stats
- Matching fields (12-tuple): Ingress Port, MAC DA, MAC SA, EtherType, VLAN ID, P-bits, IP Src, IP Dst, IP Protocol, IP DSCP, TCP/UDP src port, TCP/UDP dst port
- Actions: forward packet to a port list; add/remove/modify VLAN tag; drop packet; send packet to the controller
- Stats: packet counters, byte counters, etc.
An OpenFlow-enabled switch runs an OpenFlow client that holds the flow table; the SDN controller (software) programs it over the OpenFlow protocol.

SDN = Still Don't know?

SDN is All about Network Programmability
- API interaction with network elements
- Separated control plane and forwarding plane; the forwarding plane can be software or hardware
- Control plane agnostic to the underlying hardware
- Network topology derived from the application; this is how SDN differs from switched networks
- Vendor independence: open and standardized interfaces

How does SDN work?

Network Command & Control: Traditional Interaction Model
Configuration, command & control uses a communication channel between the network administrator and the Intelligence Entity on board the network device. Every network device can be understood to have an INDEPENDENT Intelligence Entity and a Functional Engine. (Figure: Brocade ICX switches; source: Brocade, SDN creating intelligent LAN infrastructures)

Network Command & Control: What's the Problem with the Traditional Model?
The larger the network, the more INDEPENDENT devices you need to manage:
- they make their switching & routing decisions independently
- they make their forwarding & filtering decisions independently
- they treat security policies, VLANs, QoS policies, port policies, etc. INDEPENDENTLY
How can we make this easier? Is there a way to make them all operate as a cohesive group?
(source: Brocade, SDN creating intelligent LAN infrastructures)

Network Command & Control: What's the Solution?
Software Defined Networking separates the Intelligence Entity from the Functional Engine and creates a virtualized Command & Control proxy in the form of a Controller (the SDN Controller).
(source: Brocade, SDN creating intelligent LAN infrastructures)

SDN Use Cases & Applications

Google B4 WAN

Motivation: WAN Cost Components
- Hardware: routers, transport gear, fiber
- Standard practice: overprovisioning
- Shortest-path routing: slow convergence time; maintaining SLAs despite failures; no traffic differentiation
- Operational expenses / human costs: box-centric versus fabric-centric views

Google's WAN: B4
Google inter-datacenter traffic:
a. user data copy
b. remote storage access
c. large-scale data push for state synchronization
Volume: a b c. Latency sensitivity: a b c. Priority: a b c.
B4 characteristics: elastic bandwidth demands; moderate number of sites; end-application control; cost sensitivity

B4 Overview
B4 operations:
- Simultaneously support standard routing protocols and centralized traffic engineering.
- Control at the network edge to adjudicate among competing bandwidth demands.
- Use multiple forwarding paths to leverage available network capacity.
- Dynamically reallocate bandwidth in the face of link/switch failures or shifting application demands.
Link utilization: traditional 0-0%, B4 around % (figures lost in the transcription)
Source: B4 (SIGCOMM)

B4 Usage & TE Example
- Flow Group (FG): site-to-site flow aggregation
- Multipath forwarding
- Tunnel Group (TG): a fraction of the FG is forwarded along each tunnel
Sources: OpenFlow @ Google (ONS 2012); B4 (SIGCOMM)

NEC ProgrammableFlow VTN

VTN Information Model (Source: NEC's ProgrammableFlow NBI: VTN Model & Use-cases)

VTN Example (Source: NEC's ProgrammableFlow NBI: VTN Model & Use-cases)

VTN Feature Sets & Policies
- Virtual network provisioning: VTN design (add/delete/change); VTN model operation (add/delete/change)
- vfilter, flow control in VTN: 2-tuple based flow filter; QoS control in the virtual network; ACL (e.g. drop); redirect (service chaining); applied to the whole VTN or to one virtual network
- Monitoring: VTN information collection (traffic/port/link statistics, failure events & alarms, controller status)
- Port/VLAN/MAC mapping

ProgrammableFlow VTN Use Case: VTN for Kanazawa University Hospital

OpenDefenseFlow (DefenseAll in OpenDaylight)

DDoS Impact on Business (figure: many zombie hosts flooding one business service)

DDoS Overview
Distributed denial-of-service (DDoS) attacks target network infrastructure or computer services by sending an overwhelming number of service requests to the server from many sources. Server resources are used up serving the fake requests, so legitimate requests are denied or degraded.
Addressing DDoS attacks:
- Detection: detect the incoming fake requests
- Mitigation, diversion: send the traffic to a specialized device that removes the fake packets from the traffic stream while retaining the legitimate packets
- Mitigation, return: send the clean traffic back to the server

OpenDefenseFlow Overview
OpenDefenseFlow (DefenseAll) is the SDN application that programs networks for DDoS protection. Layering: SDN applications (OpenDefenseFlow) -> API -> SDN controller -> OpenFlow -> SDN data plane, with DefensePro mitigation devices attached to the data plane.
Source: OpenDefenseFlow proposal overview for OpenDaylight

OpenDefenseFlow: Anti-DDoS SDN Security Service
- Provisioning: the security application (DefenseFlow) configures DefensePro with learned baselines
- Programmable probe: collect statistics; create baselines per IP address, protocol & service (port)
- Detection: analyze & decide
- Flow diversion: on attack, the SDN controller diverts traffic bound for the servers through DefensePro (or equivalent) before it reaches them
Source: OpenDefenseFlow proposal overview for OpenDaylight

OpenDefenseFlow on OpenDaylight

OpenDefenseFlow Architecture: Statistics Service
API: addcounter(selector), readcounter(selector), removecounter(selector), resetcounter(selector)
Each counter is realised as a flow entry in OpenFlow v1.0: match fields, priority, counters.

Statistics Service: Counter Smart Placement

OpenDefenseFlow Architecture: Redirection Service
API: redirecttraffic(selector, devices[]), mirrortraffic(selector, devices[])
(a) Redirection (b) Mirroring

Traffic Redirection for Attack Mitigation

OpenDefenseFlow Architecture: Anomaly Detection
- Builds peace-time (normal) traffic baselines
- Identifies deviations from the normal traffic baselines
- Pluggable system to support multiple vendors, different detection techniques, extensibility (detecting new attacks), etc.

OpenDefenseFlow Architecture: Mitigation Driver
- Configures external mitigation device(s), e.g. passes the baseline to the device to expedite detection
- Configures the network so that the suspicious traffic (and only the suspicious traffic) is diverted to a suitable mitigation device
- Monitors the external mitigation device(s), e.g. to learn that an attack has ended
- After an attack, restores the network to its original configuration
- Vendor independent: interested vendors connect to the system by writing a Mitigator Driver (think device drivers in an OS)
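The detect-then-divert loop described on the Statistics Service, Anomaly Detection and Mitigation Driver slides, as an added example (not Radware's or ITRI's code): counters are read per selector, a peace-time baseline is learned, only the deviating selector is redirected to the mitigation device, and the diversion is removed once traffic is normal again. The threshold rule, the device name and all traffic figures are constructed for the example.

```python
"""OpenDefenseFlow detect-and-divert loop (added example, not Radware's or ITRI's code).

Ties together the Statistics Service (addcounter/readcounter/resetcounter), the
Anomaly Detection subsystem (peace-time baselines per dst IP, protocol, port) and
the Redirection Service (redirecttraffic(selector, devices[])). Only the selector
that deviates from its baseline is diverted; a normal interval restores it.
Threshold rule (mean + k*stddev, 10% floor) and traffic figures are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

class StatisticsService:
    """Per-selector byte counters; a selector is (dst IP, IP protocol, dst port)."""
    def __init__(self):
        self.counters = {}
    def addcounter(self, selector): self.counters[selector] = 0
    def removecounter(self, selector): self.counters.pop(selector, None)
    def resetcounter(self, selector): self.counters[selector] = 0
    def readcounter(self, selector): return self.counters[selector]
    def observe(self, selector, nbytes):        # stands in for the switch incrementing the entry
        if selector in self.counters: self.counters[selector] += nbytes

class AnomalyDetector:
    """Learns bytes-per-interval baselines in peace time and flags large deviations."""
    def __init__(self, k=3.0, min_samples=5):
        self.k, self.min_samples = k, min_samples
        self.history = defaultdict(list)
    def learn(self, selector, value): self.history[selector].append(value)
    def baseline(self, selector):
        h = self.history[selector]
        return mean(h), pstdev(h)
    def is_anomalous(self, selector, value):
        if len(self.history[selector]) < self.min_samples:
            return False                         # not enough peace-time data to judge yet
        mu, sigma = self.baseline(selector)
        # floor at 10% of the mean so a perfectly flat baseline does not alarm on noise
        return value > mu + self.k * max(sigma, 0.1 * mu)

class RedirectionService:
    """Tracks which selectors are currently steered through mitigation devices."""
    def __init__(self):
        self.diverted = {}
    def redirecttraffic(self, selector, devices): self.diverted[selector] = list(devices)
    def restore(self, selector): self.diverted.pop(selector, None)

def run_cycle(stats, detector, redirector, selectors, mitigators=("DefensePro-1",)):
    """One collection interval: read counters, decide per selector, then reset."""
    flagged = []
    for sel in selectors:
        value = stats.readcounter(sel)
        if detector.is_anomalous(sel, value):
            redirector.redirecttraffic(sel, mitigators)   # divert only the suspicious traffic
            flagged.append(sel)
        else:
            detector.learn(sel, value)                    # only peace-time samples feed the baseline
            redirector.restore(sel)                       # attack ended (or never was): original path
        stats.resetcounter(sel)
    return flagged

def demo():
    """Constructed scenario: eight quiet intervals, then a flood toward the web service only."""
    web, dns = ("203.0.113.10", 6, 80), ("203.0.113.53", 17, 53)
    stats, det, red = StatisticsService(), AnomalyDetector(), RedirectionService()
    for sel in (web, dns):
        stats.addcounter(sel)
    for i in range(8):
        stats.observe(web, 1_000_000 + 50_000 * (i % 3))
        stats.observe(dns, 200_000 + 10_000 * (i % 2))
        run_cycle(stats, det, red, (web, dns))
    stats.observe(web, 20_000_000)                        # flood: ~20x the normal volume
    stats.observe(dns, 205_000)
    flagged = run_cycle(stats, det, red, (web, dns))
    return flagged, dict(red.diverted)
```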

OpenDefenseFlow Unique Value Proposition
- Scalable, precise and fast attack/anomaly detection
- Utilizes native SDN programming for attack traffic diversion
- Lower solution costs: statistics collection without costly specialized hardware detectors; simple attack diversion (no need for BGP injection or GRE tunnels)
- Centralized control allows efficient management of mitigation resources, monitoring and reporting
- Extensible: add detection algorithms, add mitigation devices

Flow Information Collection in a Conventional Network
A NetFlow record (extended as IETF IPFIX) contains:
- Input interface index used by SNMP
- Output interface index
- Timestamps for the flow start and finish time
- Number of bytes and packets observed
- Layer 3 headers: source & destination IP addresses; source and destination port numbers for TCP, UDP, SCTP; ICMP type and code; IP protocol; Type of Service (ToS) value; the union of all TCP flags observed over the life of the flow
- Layer 3 routing information: IP address of the immediate next hop along the route to the destination; source & destination IP masks (prefix lengths in CIDR notation)

Conventional DDoS Mitigation with NetFlow: records of all flows passing through a specific router interface


NetFlow vs. OpenDefenseFlow (conventional network vs. SDN)

  Capability                         NetFlow-based mitigation                              OpenDefenseFlow
  Detection of network DDoS floods   Full coverage                                         Full coverage
  Mitigation response time           Slow (minutes)                                        Immediate (seconds)
  Network operation                  Requires BGP announcement, GRE tunneling and          Simple: diversion is a network service
                                     several detectors; slow, complicated
  Diversion traffic granularity      Low, inaccurate                                       High: divert only suspicious traffic
  Cost-effectiveness                 Requires hardware detectors and a scrubbing center;   Low cost
                                     consumes router CPU and ports; expensive

OpenDefenseFlow Scope
OpenDefenseFlow (DefenseAll) will provide the following:
- An implementation of the Anomaly Detection subsystem, including a vendor-independent framework for plugging in different detection algorithms and a reference implementation of such a detection plug-in. This sample detector will be able to handle common DoS attacks and will serve as an example for developers of more sophisticated detectors.
- An implementation of the Mitigation Driver subsystem, including a vendor-independent framework for plugging in different mitigation devices and a reference implementation of such a mitigator plug-in.
- An OSGi bundle for the Statistics Service subsystem, including a REST API.
- An OSGi bundle for the Traffic Redirection Service subsystem, including a REST API.
- The OpenDefenseFlow API.

Firewall Migration

Firewall and Firewall Migration
Firewall (FW):
- Comprehensive, powerful functions: packet filtering, NAT, routing, proxy, VPN, etc.
- Product-dependent configuration/management
Firewall migration: a challenging task where the devil is in the details. Challenges come from:
- Many, many rules
- Different policy definition manners, e.g. zone-based vs. single-zone policies
- Interpretation errors of the migration tool
- Human errors: manual rule translation & validation; unfamiliarity with the firewall's default behavior

Conventional Firewall Migration Strategies
Big-bang strategy: a new firewall completely replaces the old one.
- Higher risk: finished progress is either 0% or 100%
- Lower complexity
- Unpredictable migration time, due to the high risk
Re-addressing strategy: the new firewall coexists with the old one.
- Lower risk: services are migrated step by step
- Higher complexity: requires topology re-design and IP re-addressing
- Time-consuming
Is there a novel strategy with lower risk and lower complexity?

A Simple Network
Conventional network with a firewall. Rule subset of the firewall (source IP digits were lost in the transcription):

  SRC IP   DEST IP   DST Port   Action
  ...      2.2.2.2   0          Drop
  ...2     2.2.2.2   0          Drop
  ...      2.2.2.2   0          Permit

Target Flow. Source: Ethereal.com

Goal of Firewall Migration
How to divert the target flow to the new path? Most routers do not support policy-based routing (PBR) with line-rate forwarding. Idea: firewalls and SDN are both about flows. Source: Ethereal.com

OpenFlow for Firewall Migration: introduce SDN-enabled switches & a controller. Source: Ethereal.com

SDN-based Firewall Migration
Build a FW Migration App:
1. The app reads the configuration from the old firewall and parses the configuration into rules (manual selection).
2. The app translates the rules, then loads the firewall rules into the new firewall (manual checking and validation).
3. Flow cutover: the OpenFlow forwarding rules are sent to the OpenFlow switches (labelled OF and OF2 in the figure); manual testing.

Example flow entry in the OF switch:
  Switch Port  MAC src  MAC dst  Eth type  VLAN ID  IP Src  IP Dst   IP Prot  TCP sport  TCP dport  Action
  *            *        *        *         *        *       2.2.2.2  *        *          0          port2
Source: Ethereal.com
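The flow cutover step above, as an added example (not ITRI's code): a small OpenFlow 1.0 flow-table model in which the migration app installs one high-priority entry steering only the target flow to the new firewall on port2, while a catch-all keeps everything else on the old path. The destination port (80), the port1 name for the old firewall and all packet values are assumptions.

```python
"""Flow cutover for SDN-based firewall migration (added example, not ITRI's code).

Models an OpenFlow 1.0 flow table: an entry matches the 12-tuple from the
'OpenFlow 1.0 Flow Entry' slide (any field may be the '*' wildcard), the
highest-priority matching entry wins, and each entry keeps packet/byte counters.
The migration app installs one high-priority entry that diverts only the target
flow (dst 2.2.2.2, TCP dst port 80; the port is assumed) to the new firewall on
port2, while a low-priority catch-all keeps every other flow on the old path.
"""
import ipaddress
from dataclasses import dataclass

# The twelve OpenFlow 1.0 match fields, in the slide's order.
FIELDS = ("in_port", "dl_dst", "dl_src", "dl_type", "dl_vlan", "dl_vlan_pcp",
          "nw_src", "nw_dst", "nw_proto", "nw_tos", "tp_src", "tp_dst")
WILDCARD = "*"

def field_matches(pattern, value):
    """Exact match, wildcard, or (for nw_src/nw_dst) a CIDR prefix mask as in OF 1.0."""
    if pattern == WILDCARD or pattern == value:
        return True
    if isinstance(pattern, str) and "/" in pattern:
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
    return False

@dataclass
class FlowEntry:
    priority: int
    match: dict        # field name -> value; fields not listed are wildcards
    actions: tuple     # e.g. ("output", "port2")
    packets: int = 0   # per-entry counters, the 'Stats' part of the slide's entry
    bytes: int = 0

    def matches(self, pkt):
        return all(field_matches(self.match.get(f, WILDCARD), pkt[f]) for f in FIELDS)

class FlowTable:
    def __init__(self):
        self.entries = []

    def add(self, entry):
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e.priority, reverse=True)  # highest priority first

    def lookup(self, pkt):
        for entry in self.entries:
            if entry.matches(pkt):
                entry.packets += 1
                entry.bytes += pkt["len"]
                return entry
        return None  # table miss: an OF 1.0 switch sends the packet to the controller

def build_migration_table(target_dst="2.2.2.2", target_dport=80):
    """Step 3 of the slide (flow cutover): only the target flow goes to the new firewall."""
    table = FlowTable()
    # OF 1.0 only honours L3/L4 fields when dl_type and nw_proto are set, so pin them.
    table.add(FlowEntry(100, {"dl_type": 0x0800, "nw_proto": 6,
                              "nw_dst": target_dst, "tp_dst": target_dport},
                        ("output", "port2")))                      # new firewall
    table.add(FlowEntry(1, {}, ("output", "port1")))               # everything else: old firewall
    return table

def forward(table, pkt):
    """Return the action the switch applies to pkt."""
    entry = table.lookup(pkt)
    return entry.actions if entry else ("controller",)

def make_pkt(nw_src, nw_dst, tp_dst, length=512):
    """Constructed TCP packet header; MAC addresses and ports are sample values."""
    return {"in_port": 1, "dl_dst": "00:00:5e:00:53:01", "dl_src": "00:00:5e:00:53:02",
            "dl_type": 0x0800, "dl_vlan": 0, "dl_vlan_pcp": 0, "nw_src": nw_src,
            "nw_dst": nw_dst, "nw_proto": 6, "nw_tos": 0, "tp_src": 40000,
            "tp_dst": tp_dst, "len": length}
```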

ITRI VLAN Migration

Motivation of VLAN Migration
- Rich services/departments: WiFi, U-bike, surveillance system, access control system, ...
- Legacy L2 switches generally support (only) port-based VLAN
- Managing port-based VLANs is complex and time-consuming

VLAN Migration at ITRI ITSC
Goal: to reduce operational expense (OPEX)
- Flexible VLAN partition rules: port, MAC address, IP address, ...
- One-shot configuration
- Replacing access switches

Concluding Remarks

Potential Innovative Issues
- Wired/wireless network resource management (IEEE tutorial: wireless SDN in access and backhaul)
- Application-aware traffic engineering
- Efficient/scalable network state monitoring: device, application, switch/link loading, flow table usage
- Protocol-independent forwarding (P4: programming protocol-independent packet processors)
- Security applications: unified access control, IDS, DDoS protection
- Security of SDN (OpenFlow: A Security Analysis)

SDN Brings Network Programmability, Flexibility and Agility

There will be many more SDN/NFV innovations!

Thank You!