Towards a Reliable SDN Firewall
Hongxin Hu
Delaware State University
Gail-Joon Ahn, Wonkyu Han and Ziming Zhao
Arizona State University

SDN Security Apps
- Existing security appliances have to be re-designed and implemented as compatible SDN applications
  - Firewall
  - IDS/IPS
  - DDoS detection
  - Scan detection
  - and more…
(Figure: SDN Controller hosting FW, IDS/IPS and DDoS applications)

Challenges in Building SDN Firewalls
- Examining Dynamic Network Policy Updates
  - A traditional firewall is only a packet filter
  - An SDN firewall is both
    - A Packet Filter (flow packet violation)
      - The first packet of each flow goes through the controller and is filtered by the firewall
      - The subsequent packets of the flow directly match the flow policy
    - A Policy Checker (flow policy violation)
      - Existing flow policies may violate the firewall policy
        - Flow policy update
        - Firewall policy update
        - Flow policies can be proactively installed in the switches

Challenges in Building SDN Firewalls (cont’d)
- Checking Indirect Security Violations
  - Firewalls can be bypassed
    - Dynamic packet modification
      - OpenFlow allows an action, Set-Field, which can rewrite the values of respective header fields in flow packets
        - E.g. a load balancer may need to dynamically change flow paths
    - Rule dependency
      - Flow and firewall rules may overlap each other

Challenges in Building SDN Firewalls (cont’d)
- Architecture Option
  - Centralized SDN firewall
    - Firewall policy is centrally defined and enforced at the controller
    - Limitation: cannot deal with partial policy violations
  - Distributed SDN firewall
    - Firewall policy is defined centrally, but propagated and enforced at each individual flow entry (ingress switch)
    - Limitation: needs a complicated revocation and repropagation mechanism to handle dynamic policy updates

State Of The Art
- SDN Firewall App
  - Built-in firewall application in Floodlight
  - Limited to checking flow packet violations and unable to examine flow policy violations
- Policy Conflict Detection and Resolution
  - VeriFlow [Khurshid’13] and NetPlumber [Kazemian’13]
    - Lack automatic, effective and real-time violation resolution
  - Pyretic [Monsanto’13]
    - Cannot discover and resolve indirect security violations
  - FortNOX [Porras’12]
    - Only conducts pairwise conflict analysis without considering rule dependencies in flow tables and firewall policies

Our Approach
- FlowGuard: a comprehensive framework for building reliable SDN firewalls

Violation Detection
- Flow Path Space Analysis
  - Flow tracking (NetPlumber [Kazemian’13])
    - Dynamic packet modification
    - Rule dependency
  - Flow path space calculation
    - Incoming space
    - Outgoing space
    - Tracked space

Violation Detection (cont’d)
- Firewall Authorization Space Partition
  - Decouple dependency relations between “allow” rules and “deny” rules in the firewall policy
    - Denied authorization space
    - Allowed authorization space

Violation Detection (cont’d)
- Space Comparison
  - Compare Tracked Flow Space against Firewall Denied Authorization Space
    - Entire Violation
      - Denied authorization space includes whole tracked space
    - Partial Violation
      - Denied authorization space partially includes tracked space
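The three detection steps on the slides above (flow tracking with Set-Field rewrites and rule dependency, firewall authorization space partition, and tracked-space versus denied-space comparison), worked through on a constructed topology. This is an added example, not FlowGuard's or Floodlight's code. It assumes a deliberately simplified model: a header space is an explicit set of (src, dst) host-address pairs over tiny /30 subnets, the firewall policy is first-match, the tracked space is taken to be the headers as they leave the last switch on the path, and the addresses, firewall rules and flow tables are all invented. The same run also contrasts the packet-filter view (incoming space at ingress) with the policy-checker view (tracked space), which is the indirect violation the "Firewalls can be bypassed" slide describes: the ingress filter sees only allowed traffic while the load balancer's rewrite lands part of the flow on a denied destination.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import FrozenSet, List, Optional, Tuple

# A header space is a set of (src, dst) host-address pairs.  Enumerating pairs is
# only workable for the constructed /30 universe below; real tools use wildcard
# or interval representations, but the set algebra is the same.
Space = FrozenSet[Tuple[str, str]]

def space(src_prefix: str, dst_prefix: str) -> Space:
    """All (src, dst) pairs covered by two prefixes (network/broadcast included)."""
    return frozenset((str(s), str(d))
                     for s in ip_network(src_prefix) for d in ip_network(dst_prefix))

@dataclass(frozen=True)
class FlowRule:                      # one flow entry (hypothetical simplified form)
    priority: int
    src: str
    dst: str
    set_dst: Optional[str] = None    # Set-Field on the destination address, if any

@dataclass(frozen=True)
class FwRule:                        # one firewall rule; policy is first-match, top down
    action: str                      # "allow" or "deny"
    src: str
    dst: str

def forward(table: List[FlowRule], incoming: Space) -> Space:
    """One hop of flow tracking through a switch's flow table.

    Rule dependency: a rule only sees the part of the space that higher-priority
    rules did not already claim.  Dynamic packet modification: a Set-Field rule
    re-emits the pairs it claimed with the rewritten destination.  Pairs that
    match no rule are a table miss and are not forwarded along this path.
    """
    remaining, outgoing = set(incoming), set()
    for rule in sorted(table, key=lambda r: -r.priority):
        hit = remaining & space(rule.src, rule.dst)
        remaining -= hit
        if rule.set_dst is None:
            outgoing |= hit
        else:
            outgoing |= {(src, rule.set_dst) for src, _ in hit}
    return frozenset(outgoing)

def tracked_space(path: List[List[FlowRule]], incoming: Space) -> Space:
    """Tracked space (modelled here as the headers leaving the last switch)."""
    current = incoming
    for table in path:
        current = forward(table, current)
    return current

def partition(policy: List[FwRule]) -> Tuple[Space, Space]:
    """Split a first-match policy into (allowed, denied) authorization spaces.

    Each rule keeps only the part of its match that earlier rules did not already
    decide, so the two spaces are disjoint and free of allow/deny ordering effects.
    """
    allowed, denied, decided = set(), set(), set()
    for rule in policy:
        effective = space(rule.src, rule.dst) - decided
        (allowed if rule.action == "allow" else denied).update(effective)
        decided |= effective
    return frozenset(allowed), frozenset(denied)

def classify(tracked: Space, denied: Space) -> str:
    """Space comparison: 'entire', 'partial' or 'none'."""
    if not tracked or tracked.isdisjoint(denied):
        return "none"
    return "entire" if tracked <= denied else "partial"

# Constructed scenario: clients 10.0.1.0/30, public servers 10.0.2.0/30,
# internal servers 10.0.3.0/30.  Addresses, rules and tables are all made up.
POLICY = [
    FwRule("allow", "10.0.1.1/32", "10.0.3.0/30"),   # one admin host reaches internal
    FwRule("deny", "10.0.1.0/30", "10.0.3.0/30"),    # every other client is denied
    FwRule("allow", "10.0.1.0/30", "10.0.2.0/30"),   # clients may use public servers
]
S1_INGRESS = [FlowRule(10, "10.0.1.0/30", "10.0.2.0/30")]
S2_BALANCER = [
    FlowRule(20, "10.0.1.0/30", "10.0.2.2/32", set_dst="10.0.3.2"),  # steer to backend
    FlowRule(10, "10.0.1.0/30", "10.0.2.0/30"),
]

def detect(path: List[List[FlowRule]], incoming: Space) -> Tuple[str, str]:
    """Return (packet-filter view, policy-checker view) of one flow path."""
    _, denied = partition(POLICY)
    return classify(incoming, denied), classify(tracked_space(path, incoming), denied)

if __name__ == "__main__":
    print(detect([S1_INGRESS, S2_BALANCER], space("10.0.1.0/30", "10.0.2.0/30")))
    # ('none', 'partial'): the ingress filter sees only allowed traffic, but the
    # balancer's Set-Field lands three non-admin clients on a denied address.
```

The partition step is what makes the comparison safe to run against deny rules alone: the admin host's allow rule is removed from the denied space before the balancer's rewritten pairs are checked, so only the three non-admin clients steered onto 10.0.3.2 count as violating. A flow entry proactively installed straight from a denied client to the internal subnet gives "entire" in both views, which is the flow-policy-violation case the earlier slide lists.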

Violation Resolution
- Automatic Violation Resolution Mechanism

Implementation & Evaluation
- Prototype of FlowGuard
  - Floodlight v0.90
- Evaluation Environment
  - Real-world network topology
    - Stanford backbone network [Kazemian’13]
  - Mininet 2.0
- Violation Detection and Resolution
  - Table 1: Detection and resolution elapsed time (ms) for different resolution strategies (table values not reproduced in this transcript)

Evaluation (cont’d)
- Performance Comparison with Floodlight Built-in Firewall

On-going Work
- Investigate a more sophisticated flow tracking mechanism
- Implement stateful SDN firewalls
- Design a high-level policy language for SDN firewalls
- Develop various toolkits for visualization, optimization, migration, and integration of SDN firewalls

Q & A
hhu@desu.edu
http://www.cis.desu.edu/~hhu/

Challenges in Building SDN Firewalls (cont’d)
- Stateful Monitoring
  - Only inspects the first packet of each flow
    - Limited access to packet-level information in the controller [Sajad13]
    - Forwarding plane is almost stateless [Hao13]

SFA: Stateful Forwarding Abstraction in SDN Data Plane
