Firewall offloading based on SDN and NFV

Similar documents
Using SDN and NFV to Realize a Scalable and Resilient Omni-Present Firewall

Lecture 14 SDN and NFV. Antonio Cianfrani DIET Department Networking Group netlab.uniroma1.it

Software-Defined Networking (SDN) Overview

Network Function Virtualization (NFV)

Communication System Design Projects

L7 Application Visibility for NFV and Data Centers

IQ for DNA. Interactive Query for Dynamic Network Analytics. Haoyu Song. HUAWEI TECHNOLOGIES Co., Ltd.

Software Defined Networking

Making Network Functions Software-Defined

Enabling Efficient and Scalable Zero-Trust Security

FlexNets: It s all about flexibility!

Design and development of the reactive BGP peering in softwaredefined routing exchanges

Typhoon: An SDN Enhanced Real-Time Big Data Streaming Framework

Programmable Software Switches. Lecture 11, Computer Networks (198:552)

Lecture 10.1 A real SDN implementation: the Google B4 case. Antonio Cianfrani DIET Department Networking Group netlab.uniroma1.it

Design and Implementation of Virtual TAP for Software-Defined Networks

Software Defined Networking

STATEFUL TCP/UDP traffic generation and analysis

SDN Software-Defined Networking

ETSI FUTURE Network SDN and NFV for Carriers MP Odini HP CMS CT Office April 2013

IT Infrastructure. Transforming Networks to Meet the New Reality. Phil O Reilly, CTO Federal AFCEA-GMU C4I Symposium May 20, 2015

Thomas Lin, Naif Tarafdar, Byungchul Park, Paul Chow, and Alberto Leon-Garcia

SmartNIC Programming Models

Investigating the Use of Synchronized Clocks in TCP Congestion Control

State Synchronization for Fast Failover of Stateful Firewall VNF

Using Flexibility as a Measure to Evaluate Softwarized Networks

Shim6: Network Operator Concerns. Jason Schiller Senior Internet Network Engineer IP Core Infrastructure Engineering UUNET / MCI

End to End SLA for Enterprise Multi-Tenant Applications

Ixia Test Solutions to Ensure Stability of its New, LXC-based Virtual Customer Premises Equipment (vcpe) Framework for Residential and SMB Markets

Some research topics and challenges at Alcatel-Lucent Bell Labs France

Service Function Chaining (SFC)

K a t h y Meier- H e l l s t e r n, P h D

Leveraging SDN & NFV to Achieve Software-Defined Security

Network Virtualisation Vision and Strategy_ (based on lesson learned) Telefónica Global CTO

Phil Dredger Global Lead Network Services Cloud Platform and ITO DXC. Presentation title here edit on Slide Master

UNIVERSITY OF CAGLIARI

Communication System Design Projects. Communication System Design:

Software Defined. All The Way with OpenStack. T. R. Bosworth Senior Product Manager SUSE OpenStack Cloud

SmartNIC Programming Models

CellSDN: Software-Defined Cellular Core networks

MWC 2015 End to End NFV Architecture demo_

Network Layer: The Control Plane

15-744: Computer Networking. Middleboxes and NFV

The Function Placement Problem (FPP)

New trends in IT. Network Functions Virtualization (NFV) & Software Defined-WAN

Some Musings on OpenFlow and SDN for Enterprise Networks. David Meyer Open Networking Summit October 18-19, 2011

PDP : A Flexible and Programmable Data Plane. Massimo Gallo et al.

ICN & 5G. Dr.-Ing. Dirk Kutscher Chief Researcher Networking. NEC Laboratories Europe

Virtualization of Customer Premises Equipment (vcpe)

Virtualizing Managed Business Services for SoHo/SME Leveraging SDN/NFV and vcpe

OpenStack Networking: Where to Next?

SDN/DANCES Project Update Developing Applications with Networking Capabilities via End-to-end SDN (DANCES)

Software Defined Networking

AMD EPYC Processors Showcase High Performance for Network Function Virtualization (NFV)

Comparing Open vswitch (OpenFlow) and P4 Dataplanes for Agilio SmartNICs

Network Function Virtualization in Software Defined Optical Transport Networks

IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 18, NO. 1, FIRST QUARTER

ONOS-based Data Plane Acceleration Support for 5G. Dec 4, SKTelecom

Managing a Virtual Network Function using SDN and Control Theory

Chapter 5 Network Layer: The Control Plane

Exploring Cloud Security, Operational Visibility & Elastic Datacenters. Kiran Mohandas Consulting Engineer

FlexNets: Evaluating Flexibility in Softwarized Communication Networks

Building Security Services on top of SDN

Xen*, SDN and Apache Cloudstack. Sebastien Goasguen, Apache CloudStack Citrix EMEA August 28 th 2012 Xen Summit

CS-580K/480K Advanced Topics in Cloud Computing. Network Virtualization

TCP versus UDP Response Time

Introduction to OpenFlow

DaoliNet A Simple and Smart Networking Technology for Docker Applications

Enabling Agile Service Chaining with Service Based Routing

Network Security: Network Flooding. Seungwon Shin GSIS, KAIST

IEEE TRANS. ON NETWORK AND SERVICE MANAGEMENT, SPECIAL ISSUE ON ADVANCES IN MANAGEMENT OF SOFTWARIZED NETWORKS 1

Ferdinand von Tüllenburg Layer-2 Failure Recovery Methods in Critical Communication Networks

CSE 565 Computer Security Fall 2018

NETWORK VIRTUALIZATION IN THE HOME Chris Donley CableLabs

NFV and SDN what does it mean to enterprises?

Performance and Security Influence of Augmenting IDS using SDN and NFV

SDN Software Switch Lagopus enables SDN/NFV transformation

SDN+NFV Next Steps in the Journey

TALK THUNDER SOFTWARE FOR BARE METAL HIGH-PERFORMANCE SOFTWARE FOR THE MODERN DATA CENTER WITH A10 DATASHEET YOUR CHOICE OF HARDWARE

IEEE NetSoft 2016 Keynote. June 7, 2016

Current Challenges on SDN Research

Layer 7 Visibility for vcpe Services

BIG-IP Analytics: Implementations. Version 13.1

Towards an SDN-based Mobile Core Networks (MCN)

Securing the Software-Defined Network Control Layer

Building a Platform Optimized for the Network Edge

Solution to Question 1: ``Quickies'' (25 points, 15 minutes)

Casa Systems Axyom Multiservice Router

INF3190 A critical look at the Internet / alternative network architectures. Michael Welzl

Towards (More) Data Science in Communication Networks NetSys KuVS Preisverleihung - Presentation

Performance investigation and comparison between virtual networks and physical networks based on Sea-Cloud Innovation Environment

Casa Systems Axyom Multiservice Router

Exploiting Cloud Technologies in Networks: NFV and SDN. Andy Reid and Peter Willis BT Research and Innovation

HY436: Network Virtualization

Chapter 13 TRANSPORT. Mobile Computing Winter 2005 / Overview. TCP Overview. TCP slow-start. Motivation Simple analysis Various TCP mechanisms

CSC 401 Data and Computer Communications Networks

New Approach to OVS Datapath Performance. Founder of CloudNetEngine Jun Xiao

Why Firewalls? Firewall Characteristics

SNAP: Stateful Network-Wide Abstractions for Packet Processing. Collaboration of Princeton University & Pomona College

Ananta: Cloud Scale Load Balancing. Nitish Paradkar, Zaina Hamid. EECS 589 Paper Review

Transcription:

Chair of Communication Networks Department of Electrical and Computer Engineering Technical University of Munich Firewall offloading based on SDN and NFV ITG 5.2.2/5.2.4 05.12.2016 Raphael Durner r.durner@tum.de 2016 Technical University of Munich

Overview Introduction Motivation Main security requirements Network Function Virtualization State of the Art SDN & NFV Architecture Offloading Approach ByteLim Logic Conclusion and open Questions 2

Motivation Software Defined Networking: Central control improves programmability and makes innovations easier Network Function Virtualization: Run Network Functions on Commodity Hardware and in the cloud Reduce costs Use available resources flexible How can we guarantee a certain security level in these environments? How can security related network functions be virtualized? 3

Main Security Requirements Isolation of services Authentication and Authorization of devices/users/services Isolation of flows Stateless firewalling Stateful Firewalling Check states of protocols e.g. TCP, SIP Normalization e.g. filter non-standard DNS replys, filter html Stateless < Stateful < Application Layer 4

State of the Art Firewalls External Network Internal Network Client Firewall Resides on the Networks Edge Control Plane (State) and Forwarding Plane not decoupled 5

SDN and NFV Network Security Architecture Private Cloud External Network SDN SDN SDN Application 1 Application 2 SDN SDN VNF 1 Client Client Client VNF 2 No distinct edge of the network Firewall has to filter everywhere Higher Load on Firewalls Potentially higher security 6

Offloading Approach Combine NFV and SDN Traffic steering with SDN Some parts of the Network function with SDN Some parts offloaded to NE - More Complex + leverages benefits of both approaches SDN Controller DP Client 1. 2. Optimizer CP Client VNF vfirewall CP DP Example TCP: 1. Connection Setup using VNF 2. Established connection using Hardware 7

Building Blocks VNF Offloading Logic SDN Controller Data Plane VNF signals connection state to Logic Logic decides for Offloading Flow Command to SDN Controller SDN Controller installs necessary rules in Hardware 8

Challenges Flow setup in switch Can cause duplicates, packet loss and (short time) connection interruption Lack of Hardware Current OpenFlow switches handle header rewrite in software very low throughput Offloading Decision: Flow classification algorithms needed Which Flows can be offloaded and what are the gains? 9

Challenges Which Flows can be offloaded and what are the gains? What limits the usage of Offloading? Flow capactiy in the hardware Flow Setup Rate Delay from decision to active Offloading 10

Constraint: Delay in the complete system TCP handshake finished VNF Logic Controller Switch t_p t_v Total Delay t_p t_v t_p t_v Flow handeled in Hardware 11

Building Blocks Realisation VNF Logic SDN Controller Data Plane Realisation IpTables Logic (Python) Ryu SDN Controller OVS/ PICA/ NEC Conntrack REST OpenFlow 12

Total Delays Results: ~ 100 ms for OVS & NEC Implications: Not feasible for short lived flows like DNS Delay > RTT Effects on TCP algorithm 13

Effects of Logic on Performance VNF Logic SDN Controller Data Plane Oracle Which Flow metrics must be estimated by the Oracle? Gain i.e. cost of flow through VNF proportional to packet count Offload Flows with many Packets 14

Bytelimit Logic Logic decides based on Flowsize Flows above a threshold are offloaded Oracle predicts Flowsize based on used application Mathematical Description: f x : PDF of flow size x: Flow size P x : PDF of Packets P x = f x x = න f x x dx discrete P = F X 15

Bytelimit Logic Example: Negative Exponentially distributed Flowsize Share of Flows f(x) Share of Packets P(x) P x = f x x = න f x x dx discrete P = F X 16

Bytelimit Logic Simulation vs Theory Trendline similar Very big flows are hard to simulate 17

Bytelimit Logic Simulation vs Theory Trendline similar Offset between simulation and theory Very big flows are hard to simulate 18

Conclusion and Open Questions Basic building blocks for offloading developed Bytlim logic shows promising results Difference between simulation and theory should be evaluated Open: How to predict Bytesize? Simple classification by {source IP, Port} 19

Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback