
Testbed for Security Orchestration in a Network Function Virtualization Environment



We present a testbed implementation for the development, evaluation and demonstration of security orchestration in a network function virtualization environment. As a specific scenario, we demonstrate how an intelligent response to DDoS and various other kinds of targeted attacks can be formulated such that these attacks and future variations can be mitigated. We utilise machine learning to characterise normal network traffic, attacks and responses, then utilise this information to orchestrate virtualized network functions around affected components to isolate these components and to capture, redirect and filter traffic (e.g. honeypotting) for additional analysis. This allows us to maintain a high level of network quality of service to given network functions and components despite adverse network conditions.

Published in: Technology


  1. Testbed for Security Orchestration in a Network Function Virtualization Environment: Testbed features and practical use cases (© 2017 Nokia, Public)
     • Aapo Kalliola, Shankar Lal, Kimmo Ahola, Ian Oliver, Yoan Miche and Silke Holtmanns
     • 7.11.2017
  2. Introduction (..and motivation for our work)
     • Security in networks is increasingly moving from discrete physical or software systems to elastic on-demand functionality
     • Testbeds for the development and testing of security functionality in Cloud are not yet well researched
     • Multiple aspects of interest
       • Orchestration methods, security mechanism, operation of security VNFs…
     • Implementation
       • OpenStack, Open vSwitch, Ryu + custom security function insertion code with a REST API
       • Running on lab server setup with multiple compute nodes
  3. Testbed architecture (An example setup)
     • Components as instances in cloud
     • Traffic generators feeding normal/attack traffic through set of SDN switch elements
     • Traffic sampling (sFlow) on switches feeding the learning mechanism
     • DDoS mitigation interfaces with SDN controller to deploy filtering rules on switches
     • Security orchestration component for instantiation control
  4. Attack scenario (Attacker actions)
     • A volumetric DDoS attack
       • Spoofed attack packets exceeding SW3 forwarding capacity by 4X targeting one VNF
       • Attack traffic interlaced with normal traffic in traffic generation
       • QoS on both VNFs suffers as shared capacity is exceeded
     • Targeted attack
       • Covered by the DDoS attack, a targeted attack is launched against another VNF inside the network
       • Targeting a specific software vulnerability on VNF unrelated to VNF main functionality
  5. Attack scenario (Mitigation actions)
     • Volumetric DDoS attack
       • Traffic overload is detected through sampling by the DDoS mitigation component
       • Capacity inside switches is isolated for traffic headed to different destinations
       • Overall traffic is filtered by proactively deploying filter flow rules on switches
       • Attack traffic analyzed by instantiated DDoS traffic analyzer
     • Targeted attack
       • A honeypot is instantiated inside the network proactively or in response to DDoS attack
       • Packets to other than defined ports on VNFs redirected in network to honeypot
  6. Scenario timeline (An abstract example)
     A. Learning phase
     B. DDoS attack targeting one VNF
     C. Network link capacity isolation
     D. DDoS mitigation
     E. (targeted attack)
  7. Conclusion (..and related/extended work)
     • The testbed is implemented on top of OpenStack
     • Software defined network mesh constructed from Open vSwitches
     • Can accommodate different security functionalities and SDN controllers
     • Orchestration can insert security functionalities to specific network links
     • Details to be separately published
     • In terms of performance
       • Separate measurements indicate DDoS defence performance in order of 50..99% depending on normal and attack traffic profiles
       • Response time of security orchestration near-instantaneous for pre-instantiated functionalities
       • Response time dictated by general VNF instantiation time for on-demand instantiable VNFs
       • Traffic path modifications and resulting traffic overhead observable but limited
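
The honeypot redirection on the mitigation slide ("Packets to other than defined ports on VNFs redirected in network to honeypot") can be expressed as flow rules at two priority levels. The sketch below is an added example, not code from the testbed or its authors; the addresses, switch port numbers, priorities and rule layout are constructed, and only the match field names follow OpenFlow 1.3 naming.

```python
# Added example: not the testbed's code. Addresses, port numbers and the
# rule layout are constructed; match field names follow OpenFlow 1.3 naming.
from ipaddress import ip_address

def honeypot_redirect_rules(vnf_ip, service_ports, vnf_port, honeypot_port):
    """Build priority-ordered flow rules for one protected VNF.

    Traffic to a defined service port is forwarded to the VNF; any other
    IPv4 traffic addressed to the VNF is output to the honeypot instead.
    """
    ip_address(vnf_ip)  # raises ValueError on a malformed address
    rules = []
    for proto, port in sorted(service_ports):
        field = {6: "tcp_dst", 17: "udp_dst"}[proto]  # TCP/UDP services only
        rules.append({
            "priority": 200,
            "match": {"eth_type": 0x0800, "ipv4_dst": vnf_ip,
                      "ip_proto": proto, field: port},
            "actions": [{"type": "OUTPUT", "port": vnf_port}],
        })
    # Lower-priority catch-all: everything else for this VNF goes to the honeypot.
    rules.append({
        "priority": 100,
        "match": {"eth_type": 0x0800, "ipv4_dst": vnf_ip},
        "actions": [{"type": "OUTPUT", "port": honeypot_port}],
    })
    return rules

def output_port(rules, packet):
    """Return the switch port chosen by the highest-priority matching rule,
    or None when no rule matches (the packet follows the normal pipeline)."""
    for rule in sorted(rules, key=lambda r: -r["priority"]):
        if all(packet.get(k) == v for k, v in rule["match"].items()):
            return rule["actions"][0]["port"]
    return None

if __name__ == "__main__":
    # Constructed sample: VNF on switch port 2, honeypot on switch port 9.
    rules = honeypot_redirect_rules("10.0.0.20", {(6, 443), (17, 53)}, 2, 9)
    probes = [
        {"eth_type": 0x0800, "ipv4_dst": "10.0.0.20", "ip_proto": 6, "tcp_dst": 443},
        {"eth_type": 0x0800, "ipv4_dst": "10.0.0.20", "ip_proto": 6, "tcp_dst": 22},
        {"eth_type": 0x0800, "ipv4_dst": "10.0.0.30", "ip_proto": 6, "tcp_dst": 22},
    ]
    for p in probes:
        print(p, "->", output_port(rules, p))
```

The ordering matters: the per-service rules must outrank the catch-all, otherwise legitimate traffic to the defined ports would also be sent to the honeypot.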