A user mode implementation of filtering rule management plane on virtualized networking environment
Network Security Research Institute, National Institute of Information and Communications Technology
Ruo Ando
CSEC66, 2014-07-04: the 66th CSEC / 10th SPT joint research meeting, session C-5 (13:25 - 14:40)
http://starbed.nict.go.jp/
Abstract: Towards an alternative access control model (a new access control model for virtualized network environments)
[A] The emergence of network virtualization and related technologies such as SDN and cloud computing confronts us with the challenge of designing an alternative access control model.
(1) The development of network virtualization (abstraction) and its surrounding technologies (Software Defined Networking, cloud computing) demands innovation and revision in access control technology as well.
(2) The recent trend in access control technology has been implementation in kernel space and centralization; as the problem domain and the network grow in scale, this trend gives rise to various problems.
[B] In particular, besides flexibility, fine-grained traffic engineering functionality that copes with scalability and diversified networks is required for deployments of SDN and cloud computing.
[C] Our architecture leverages a NoSQL data store for handling a large number of filtering rules. By adopting NoSQL we obtain scalability, availability and tolerance to network partition. In addition, by separating the management plane from the control plane, we obtain responsiveness and strong consistency at the same time.
(3) The proposed system uses a NoSQL data store to handle large-scale filtering rule sets and secure scalability; it modifies the conventional SDN architecture by explicitly separating the management plane from the control plane, which improves network responsiveness.
[D] In the experiment we prototyped a lightweight management plane for IP filtering. Access filtering rules consisting of target IP address, prefix length and gateway are represented as a radix tree. The proposed method is shown to achieve reasonable utilization when filtering IP packets.
(4) In the evaluation we implemented IP filtering using a radix tree and showed that, with filtering rule sets of 10 to 100 rules, it runs at an acceptable load (CPU utilization within 3%).
Related works: long-term trend
(Timeline figure, 2000 to 2014; only the labels are recoverable.)
Themes on the timeline: centralized access control model; virtualization technology (hypervisor); cloud computing; domain-specific / declarative languages; OpenFlow; DSL for IDS and access control; new security concerns; DSL for SDN; rules and conflict management.
Systems and papers plotted: sHype, Xen, Open vSwitch, vMAC, sandbox / xenprobe, SubVirt, Pyretic, Chimera, FortNOX, RuleBricks, remote attestation, attacks on multi-tenant environments, ConfAid, BotMiner, FlowVisor, HyperDex, Ensemble, BGP attack.
Annotations: centralization of access control; network abstraction; the problem of how access control is expressed; centralization of AC inside the virtualization layer / hypervisor; building scalable, composable observation systems; network slicing; dynamic analysis using virtualization; scaling up analysis; checking configuration and access control in large-scale systems.
Avenues of attack
(Figure; labels recovered.) Sensitive data on the enterprise network; missing security patches; misconfigured database; advanced attacks; sensitive data leaks; escalating user privileges; default passwords; weak passwords; unauthorized database; weak PRNG; misconfigured filtering.
CDP: Functional & Operational Firewall Pattern. AWS Cloud Design Pattern.
Nemesis: preventing authentication & access control vulnerabilities in web applications. SSYM'09, Proceedings of the 18th USENIX Security Symposium.
Detecting BGP configuration faults with static analysis. NSDI'05, Proceedings of the 2nd Symposium on Networked Systems Design & Implementation.
A security enforcement kernel for OpenFlow networks. HotSDN '12, Proceedings of the first workshop on Hot topics in software defined networks.
Proposed system (design policy): building a management plane for scalability and manageability
• Apply a data store in order to secure scalability.
• Centralized management: eliminate configuration mistakes.
• The data plane and the control plane are not separated within the same host (instance).
• A management plane is set up to manage filtering and configuration information.
• Implementing every component in user mode lowers the cost of deployment and makes it quick.
Alternative access control model for virtualized computing environment (virtualized network)
• Virtualized networking environment = SDN + cloud computing.
• Instances are virtualized.
• The network is also virtualized.
(Figure; labels recovered: hypervisors hosting VMs; an SDN controller / network operating system providing routing, traffic engineering and load balancing; OpenFlow switches; data plane and control plane.)
Each node is virtualized and placed, as one tenant among several, on the same physical NIC. The network is also virtualized, and filtering and matching processing are separated and centralized.
Open vSwitch: B. Pfaff, J. Pettit, K. Amidon, M. Casado, T. Koponen, and S. Shenker. Extending Networking into the Virtualization Layer. HotNets 2009.
Operational / Functional FW: Amazon EC2 Cloud Design Pattern.
What is SDN and network virtualization?
Myth: "SDN is network virtualization"
(Figure rebuilt as a table: the two virtualization stacks side by side.)

  Layer                  | x86 / ARM virtualization   | OpenFlow virtualization or slicing
  -----------------------+----------------------------+------------------------------------
  Hardware resources     | CPU, hard disk, PIC, IO    | Bandwidth, CPU, FIB
  Abstraction layer      | x86 instruction set        | OpenFlow
  Virtualization layer   | Xen, QEMU, etc.            | FlowVisor
  Guests / slices        | Windows, Linux             | slices, each with its own controller (NOX)

Definition of a slice
• A slice is a set of flows (called a flowspace) running on a topology of switches.
https://www.clear.rice.edu/comp529/.../tutorial_4.pdf
Design issue: virtualized environments and scalability
"When virtual is harder than real": drawbacks of virtualized networks
Tal Garfinkel, Mendel Rosenblum. When virtual is harder than real: Security challenges in virtual machine based computing environments. HotOS 2005.
Scalability. Growth in physical machines is ultimately limited by setup time and bounded by the organization's capital equipment budget. In contrast, creating a new VM is as easy as copying a file. Users will frequently have several or even dozens of special-purpose VMs. Thus the total number of VMs in an organization can grow at an explosive rate. Rarely are all administrative tasks completely automated.
Diversity. Many IT organizations tackle security problems by enforcing homogeneity: all machines must run the most current patched software. This creates a range of problems, as one must try to maintain patches or other protection for a wide range of OSes and deal with the risk posed by having many unpatched machines on the network.
Access control should be centralized!
CloudPolice: Taking access control out of the network. Lucian Popa, Minlan Yu, Steven Y. Ko, Ion Stoica, Sylvia Ratnasamy. 9th ACM Workshop on Hot Topics in Networks (HotNets-IX), Monterey, CA, October 2010.
Jonathan M. McCune, Stefan Berger, Trent Jaeger, Reiner Sailer. Shamon: A System for Distributed Mandatory Access Control. 22nd Annual Computer Security Applications Conference (ACSAC), Miami Beach, Florida, December 2006.
Design requirement: fine-grained traffic functioning for scalability, diversity and flexibility.
[1] Scalability and diversity: Garfinkel pointed out that creating a new virtual instance is far easier than in a physical environment. Rapid and unpredictable growth can exacerbate management tasks, and in the worst case the impact of catastrophic events can be multiplied where every instance has to be patched. Enforcing homogeneity is difficult when users can create their own special-purpose VMs at almost no cost, as easily as copying files.
[2] Flexibility: In SDN, networks are diversified, programmable and elastic. For a long period, from active networks to advanced network technologies such as cloud and SDN, one of the general goals of networking research has been to arrive at a network that is flexible.
[3] Fine-grained traffic functioning: commercial corporations, private enterprises and universities employ data centers to run a variety of applications and cloud-based services. The MicroTE study reveals that existing traffic engineering performs 15% to 20% worse than the optimal solution.
MicroTE: fine grained traffic engineering for data centers. CoNEXT '11, Proceedings of the Seventh Conference on emerging Networking EXperiments and Technologies.
Lucian Popa, Ion Stoica, Sylvia Ratnasamy. Rule-based Forwarding (RBF): Improving the Internet's flexibility and security. HotNets 2009.
Tradeoffs between manageability and performance
"Logically centralized?: state distribution trade-offs in software defined networks". Dan Levin, Andreas Wundsam, Brandon Heller, Nikhil Handigol and Anja Feldmann. HotSDN '12, Proceedings of the first workshop on Hot topics in software defined networks.
Controller component choices:
[1] Strongly consistent: controller components always operate on the same world view. Imposes delay and overhead.
[2] Eventually consistent: controller components incorporate information as it becomes available, but may make decisions on different world views.
http://www.richardclegg.org/node/21
(CAP triangle figure; labels recovered: Consistency, Availability, Tolerance to network partition; RDBMS and NoSQL placed at different corners. CAP Theorem, Eric Brewer, 2000.)
Enforced consistency versus eventual consistency: processing such as packet filtering requires (or at least prefers) strong consistency. By using NoSQL, A (availability), P (tolerance to network partition) and S (scalability) are achieved.
Basic SDN architecture and proposed system
(Figure; labels recovered.) Basic SDN: nodes (VMs) on the data plane, ingress packets, a flow table, a secure channel to the controller on the control plane; matching happens against the flow table. Proposed method: nodes (VMs) combine the control and data plane; the management plane holds the filtering rule table in a data store; matching on ingress packets happens at the node.
The match decision is performed on the node side and packets are not forwarded. This achieves centralized management of filtering while lowering the load on the control / management plane.
VCRIB: Virtualized rule management in the cloud. Masoud Moshref, Minlan Yu, Abhishek Sharma, Ramesh Govindan. 4th USENIX Workshop on Hot Topics in Cloud Computing (HotCloud), Boston, MA, June 2012.
Adopting a data store (NoSQL) on the management plane

#include <cstdio>
#include <memory>
#include <string>
#include "mongo/client/dbclient.h"   /* legacy MongoDB C++ driver */

/* Rule-table operations provided by the radix tree module; the signatures
   are assumed from the calls on this slide. */
int add_rtentry(const char *dest, int mask, const char *gateway);
int find_route(const char *dst);
int rm_rtentry(const char *dest, int mask);

/* Read every filtering rule document from the data store, install it in the
   radix tree, look up dstAddress against it, then flush the entry again. */
void load_rules(mongo::DBClientConnection &client, const std::string &ns,
                const char *dstAddress)
{
    std::auto_ptr<mongo::DBClientCursor> cursor =
        client.query(ns, mongo::BSONObj());      /* empty query: all documents */
    while (cursor->more()) {
        mongo::BSONObj p = cursor->next();
        mongo::OID oid = p["_id"].OID();
        std::string dest = p["dest"].str();
        int mask = p["mask"].numberInt();
        std::string gateway = p["gateway"].str();
        const char *p0 = dest.c_str();
        const char *p1 = gateway.c_str();
        add_rtentry(p0, mask, p1);               /* insert dest/mask -> gateway */
        int res = find_route(dstAddress);         /* longest-prefix lookup */
        if (res == 0)
            printf("route found\n");
        /* flush entry */
        rm_rtentry(p0, mask);
    }
}
{"_id": {"$oid": "53370eaeb1f58908a9837910"}, "dest": "10.0.0.0", "mask": 8, "gateway": "192.168.0.2"}
By reading radix tree entries dynamically, filtering rules can be changed remotely (from the management plane) at any time.
Filtering rules are described in BSON (JSON).
A radix tree (also patricia trie, radix trie or compact prefix tree) is a space-optimized trie data structure in which each node with only one child is merged with its parent.
/* Longest-prefix lookup of the packet's destination in the radix tree. */
entry.addr = ntohl(addr.dst.s_addr);   /* destination as a host-order key */
entry.prefix_len = 32;                 /* a host address: match the full 32 bits */

radix_tree<rtentry, in_addr>::iterator it;

it = rttable.longest_match(entry);     /* most specific rule covering dst */
if (it == rttable.end()) {
    std::cout << "no route to " << dst << std::endl;
    return 1;
}
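The rule-loading loop and the radix tree lookup above, together with the design point that matching is done at the node, as one added example that is not part of the original slides or of the cBridge code: a user-mode IPv4 rule table with equivalents of add_rtentry, rm_rtentry and find_route (named add, remove and lookup here), longest-prefix match over a binary trie (the uncompressed form of the radix tree on the slide), and a loader that reads flat rule documents of the shape shown above. The field extractor, the trie layout and the sample documents are assumptions made for the example; nothing here talks to MongoDB.

```cpp
// Added example for this page, not the cBridge code: a user-mode IPv4 rule table with
// longest-prefix match, fed by rule documents like {"dest":"10.0.0.0","mask":8,"gateway":"192.168.0.2"}.
#include <cctype>
#include <cstdint>
#include <memory>
#include <string>
#include <vector>

struct Rule { std::string dest; int mask = 0; std::string gateway; };   // the BSON fields

// Dotted quad -> host-order uint32_t; rejects anything that is not exactly a.b.c.d.
bool parse_ipv4(const std::string& s, uint32_t& out) {
    uint32_t v = 0; size_t i = 0;
    for (int part = 0; part < 4; ++part) {
        if (part > 0) { if (i >= s.size() || s[i] != '.') return false; ++i; }
        if (i >= s.size() || !isdigit((unsigned char)s[i])) return false;
        int oct = 0;
        while (i < s.size() && isdigit((unsigned char)s[i])) {
            oct = oct * 10 + (s[i++] - '0');
            if (oct > 255) return false;
        }
        v = (v << 8) | (uint32_t)oct;
    }
    out = v; return i == s.size();
}

// Field extraction for the flat one-line documents on the slide (assumption: no nesting
// or escaping inside values; a deployment would use the BSON library instead).
bool field(const std::string& doc, const std::string& key, std::string& out) {
    std::string k = "\"" + key + "\":";
    size_t p = doc.find(k);
    if (p == std::string::npos) return false;
    p += k.size();
    size_t e = p;
    if (p < doc.size() && doc[p] == '"') {                 // string value
        e = doc.find('"', ++p);
        if (e == std::string::npos) return false;
    } else {                                               // bare integer value
        while (e < doc.size() && isdigit((unsigned char)doc[e])) ++e;
        if (e == p) return false;
    }
    out = doc.substr(p, e - p);
    return true;
}

bool parse_rule(const std::string& doc, Rule& r) {
    std::string mask;
    if (!field(doc, "dest", r.dest) || !field(doc, "mask", mask) ||
        !field(doc, "gateway", r.gateway) || mask.size() > 2) return false;
    r.mask = std::stoi(mask);
    return true;
}

// Binary trie on address bits: the uncompressed form of the radix tree used above.
struct Node { std::unique_ptr<Node> child[2]; bool has_rule = false; std::string gateway; };

class RuleTable {
public:
    bool add(const Rule& r) {                               // add_rtentry
        Node* n = walk(r.dest, r.mask, true);
        if (!n) return false;                               // malformed dest or mask
        n->has_rule = true; n->gateway = r.gateway;
        return true;
    }
    bool remove(const std::string& dest, int mask) {        // rm_rtentry: exact prefix only
        Node* n = walk(dest, mask, false);
        if (!n || !n->has_rule) return false;
        n->has_rule = false; n->gateway.clear();
        return true;
    }
    std::string lookup(const std::string& dst_s) const {    // find_route: "" if no rule covers dst
        uint32_t dst;
        if (!parse_ipv4(dst_s, dst)) return "";
        std::string best = root_.has_rule ? root_.gateway : "";
        const Node* n = &root_;
        for (int b = 0; b < 32 && (n = n->child[(dst >> (31 - b)) & 1].get()); ++b)
            if (n->has_rule) best = n->gateway;             // a longer prefix overrides a shorter one
        return best;
    }
private:
    Node root_;
    Node* walk(const std::string& dest_s, int mask, bool create) {   // follow `mask` bits of dest
        uint32_t dest;
        if (mask < 0 || mask > 32 || !parse_ipv4(dest_s, dest)) return nullptr;
        Node* n = &root_;
        for (int b = 0; b < mask; ++b) {
            int bit = (dest >> (31 - b)) & 1;
            if (!n->child[bit]) { if (!create) return nullptr; n->child[bit].reset(new Node()); }
            n = n->child[bit].get();
        }
        return n;
    }
};

// Same job as the cursor loop on the slide: install every document the data store
// returned, skipping malformed ones; returns the number installed.
int load_rules(const std::vector<std::string>& docs, RuleTable& table) {
    int loaded = 0;
    for (const std::string& doc : docs) { Rule r; if (parse_rule(doc, r) && table.add(r)) ++loaded; }
    return loaded;
}

// Constructed sample documents (not from a real data store); the last two are malformed.
const std::vector<std::string> kSampleDocs = {
    "{\"_id\":{\"$oid\":\"53370eaeb1f58908a9837910\"},\"dest\":\"10.0.0.0\",\"mask\":8,\"gateway\":\"192.168.0.2\"}",
    "{\"dest\":\"10.1.0.0\",\"mask\":16,\"gateway\":\"192.168.0.3\"}",
    "{\"dest\":\"10.1.2.0\",\"mask\":24,\"gateway\":\"192.168.0.4\"}",
    "{\"dest\":\"10.300.0.0\",\"mask\":8,\"gateway\":\"192.168.0.9\"}",
    "{\"dest\":\"172.16.0.0\",\"mask\":40,\"gateway\":\"192.168.0.9\"}",
};
```

Loading kSampleDocs installs three rules and rejects the octet above 255 and the prefix length above 32 at load time, so a bad record in the data store cannot poison the node's table. lookup("10.1.2.7") returns the /24 gateway 192.168.0.4; after remove("10.1.2.0", 24), the same lookup falls back to the covering /16 (192.168.0.3), which is exactly the behaviour the flush step in the loop above depends on, and an address no rule covers yields an empty string rather than a default route.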
Experimental result on Amazon VPC
We compiled our system on Ubuntu 12.04 LTS with Linux kernel 3.2.0. The proposed system is hosted on an Intel Xeon E5645 with a 2.4 GHz clock.
With 10 to 100 rules, both CPU utilization (within 3%) and context switches (within 5,000) stay within an acceptable range. In the configured environment, cases that use 1,000 to 10,000 rules are rare, so the proposed method is considered appropriate.
(Figure; labels recovered: vNIC1, vNIC2, Bridge, IP capture, MongoDB, Radix Module, Python module; management plane and control plane; numbered steps 0 to 8.)
Packet capture uses pcap in user mode. Rules are set using Python.
Further works
Conclusions
[A] Network virtualization and its related technologies (SDN, cloud computing) call for an alternative access control model; the recent trend toward kernel-space implementation and centralization of access control raises various problems as the problem domain and the network grow in scale.
[B] Besides flexibility, fine-grained traffic engineering that copes with scalability and diversified networks is required for SDN and cloud computing deployments.
[C] The proposed architecture uses a NoSQL data store for large filtering rule sets, gaining scalability, availability and tolerance to network partition, and explicitly separates the management plane from the control plane to obtain responsiveness and strong consistency at the same time.
[D] A lightweight user-mode management plane for IP filtering was prototyped; rules (target IP address, prefix length, gateway) are held in a radix tree, and with rule sets of 10 to 100 rules the system runs at an acceptable load (CPU utilization within 3%).
www.slideshare.net/RuoAndo
https://github.com/RuoAndo/cBridge

KISTI-NII Joint Security Workshop 2023.pdfRuo Ando
 
Gartner 「セキュリティ&リスクマネジメントサミット 2019」- 安藤
Gartner 「セキュリティ&リスクマネジメントサミット 2019」- 安藤Gartner 「セキュリティ&リスクマネジメントサミット 2019」- 安藤
Gartner 「セキュリティ&リスクマネジメントサミット 2019」- 安藤Ruo Ando
 
解説#86 決定木 - ss.pdf
解説#86 決定木 - ss.pdf解説#86 決定木 - ss.pdf
解説#86 決定木 - ss.pdfRuo Ando
 
SaaSアカデミー for バックオフィス アイドルと学ぶDX講座 ~アイドル戦略に見るDXを専門家が徹底解説~
SaaSアカデミー for バックオフィス アイドルと学ぶDX講座  ~アイドル戦略に見るDXを専門家が徹底解説~SaaSアカデミー for バックオフィス アイドルと学ぶDX講座  ~アイドル戦略に見るDXを専門家が徹底解説~
SaaSアカデミー for バックオフィス アイドルと学ぶDX講座 ~アイドル戦略に見るDXを専門家が徹底解説~Ruo Ando
 
解説#83 情報エントロピー
解説#83 情報エントロピー解説#83 情報エントロピー
解説#83 情報エントロピーRuo Ando
 
解説#82 記号論理学
解説#82 記号論理学解説#82 記号論理学
解説#82 記号論理学Ruo Ando
 
解説#81 ロジスティック回帰
解説#81 ロジスティック回帰解説#81 ロジスティック回帰
解説#81 ロジスティック回帰Ruo Ando
 
解説#74 連結リスト
解説#74 連結リスト解説#74 連結リスト
解説#74 連結リストRuo Ando
 
解説#76 福岡正信
解説#76 福岡正信解説#76 福岡正信
解説#76 福岡正信Ruo Ando
 
解説#77 非加算無限
解説#77 非加算無限解説#77 非加算無限
解説#77 非加算無限Ruo Ando
 
解説#1 C言語ポインタとアドレス
解説#1 C言語ポインタとアドレス解説#1 C言語ポインタとアドレス
解説#1 C言語ポインタとアドレスRuo Ando
 
解説#78 誤差逆伝播
解説#78 誤差逆伝播解説#78 誤差逆伝播
解説#78 誤差逆伝播Ruo Ando
 
解説#73 ハフマン符号
解説#73 ハフマン符号解説#73 ハフマン符号
解説#73 ハフマン符号Ruo Ando
 
【技術解説20】 ミニバッチ確率的勾配降下法
【技術解説20】 ミニバッチ確率的勾配降下法【技術解説20】 ミニバッチ確率的勾配降下法
【技術解説20】 ミニバッチ確率的勾配降下法Ruo Ando
 
【技術解説4】assertion failureとuse after-free
【技術解説4】assertion failureとuse after-free【技術解説4】assertion failureとuse after-free
【技術解説4】assertion failureとuse after-freeRuo Ando
 
ITmedia Security Week 2021 講演資料
ITmedia Security Week 2021 講演資料 ITmedia Security Week 2021 講演資料
ITmedia Security Week 2021 講演資料 Ruo Ando
 
ファジングの解説
ファジングの解説ファジングの解説
ファジングの解説Ruo Ando
 
AI(機械学習・深層学習)との協働スキルとOperational AIの事例紹介 @ ビジネス+ITセミナー 2020年11月
AI(機械学習・深層学習)との協働スキルとOperational AIの事例紹介 @ ビジネス+ITセミナー 2020年11月AI(機械学習・深層学習)との協働スキルとOperational AIの事例紹介 @ ビジネス+ITセミナー 2020年11月
AI(機械学習・深層学習)との協働スキルとOperational AIの事例紹介 @ ビジネス+ITセミナー 2020年11月Ruo Ando
 
【AI実装4】TensorFlowのプログラムを読む2 非線形回帰
【AI実装4】TensorFlowのプログラムを読む2 非線形回帰【AI実装4】TensorFlowのプログラムを読む2 非線形回帰
【AI実装4】TensorFlowのプログラムを読む2 非線形回帰Ruo Ando
 
Intel Trusted Computing Group 1st Workshop
Intel Trusted Computing Group 1st WorkshopIntel Trusted Computing Group 1st Workshop
Intel Trusted Computing Group 1st WorkshopRuo Ando
 

More from Ruo Ando (20)

KISTI-NII Joint Security Workshop 2023.pdf
KISTI-NII Joint Security Workshop 2023.pdfKISTI-NII Joint Security Workshop 2023.pdf
KISTI-NII Joint Security Workshop 2023.pdf
 
Gartner 「セキュリティ&リスクマネジメントサミット 2019」- 安藤
Gartner 「セキュリティ&リスクマネジメントサミット 2019」- 安藤Gartner 「セキュリティ&リスクマネジメントサミット 2019」- 安藤
Gartner 「セキュリティ&リスクマネジメントサミット 2019」- 安藤
 
解説#86 決定木 - ss.pdf
解説#86 決定木 - ss.pdf解説#86 決定木 - ss.pdf
解説#86 決定木 - ss.pdf
 
SaaSアカデミー for バックオフィス アイドルと学ぶDX講座 ~アイドル戦略に見るDXを専門家が徹底解説~
SaaSアカデミー for バックオフィス アイドルと学ぶDX講座  ~アイドル戦略に見るDXを専門家が徹底解説~SaaSアカデミー for バックオフィス アイドルと学ぶDX講座  ~アイドル戦略に見るDXを専門家が徹底解説~
SaaSアカデミー for バックオフィス アイドルと学ぶDX講座 ~アイドル戦略に見るDXを専門家が徹底解説~
 
解説#83 情報エントロピー
解説#83 情報エントロピー解説#83 情報エントロピー
解説#83 情報エントロピー
 
解説#82 記号論理学
解説#82 記号論理学解説#82 記号論理学
解説#82 記号論理学
 
解説#81 ロジスティック回帰
解説#81 ロジスティック回帰解説#81 ロジスティック回帰
解説#81 ロジスティック回帰
 
解説#74 連結リスト
解説#74 連結リスト解説#74 連結リスト
解説#74 連結リスト
 
解説#76 福岡正信
解説#76 福岡正信解説#76 福岡正信
解説#76 福岡正信
 
解説#77 非加算無限
解説#77 非加算無限解説#77 非加算無限
解説#77 非加算無限
 
解説#1 C言語ポインタとアドレス
解説#1 C言語ポインタとアドレス解説#1 C言語ポインタとアドレス
解説#1 C言語ポインタとアドレス
 
解説#78 誤差逆伝播
解説#78 誤差逆伝播解説#78 誤差逆伝播
解説#78 誤差逆伝播
 
解説#73 ハフマン符号
解説#73 ハフマン符号解説#73 ハフマン符号
解説#73 ハフマン符号
 
【技術解説20】 ミニバッチ確率的勾配降下法
【技術解説20】 ミニバッチ確率的勾配降下法【技術解説20】 ミニバッチ確率的勾配降下法
【技術解説20】 ミニバッチ確率的勾配降下法
 
【技術解説4】assertion failureとuse after-free
【技術解説4】assertion failureとuse after-free【技術解説4】assertion failureとuse after-free
【技術解説4】assertion failureとuse after-free
 
ITmedia Security Week 2021 講演資料
ITmedia Security Week 2021 講演資料 ITmedia Security Week 2021 講演資料
ITmedia Security Week 2021 講演資料
 
ファジングの解説
ファジングの解説ファジングの解説
ファジングの解説
 
AI(機械学習・深層学習)との協働スキルとOperational AIの事例紹介 @ ビジネス+ITセミナー 2020年11月
AI(機械学習・深層学習)との協働スキルとOperational AIの事例紹介 @ ビジネス+ITセミナー 2020年11月AI(機械学習・深層学習)との協働スキルとOperational AIの事例紹介 @ ビジネス+ITセミナー 2020年11月
AI(機械学習・深層学習)との協働スキルとOperational AIの事例紹介 @ ビジネス+ITセミナー 2020年11月
 
【AI実装4】TensorFlowのプログラムを読む2 非線形回帰
【AI実装4】TensorFlowのプログラムを読む2 非線形回帰【AI実装4】TensorFlowのプログラムを読む2 非線形回帰
【AI実装4】TensorFlowのプログラムを読む2 非線形回帰
 
Intel Trusted Computing Group 1st Workshop
Intel Trusted Computing Group 1st WorkshopIntel Trusted Computing Group 1st Workshop
Intel Trusted Computing Group 1st Workshop
 

Recently uploaded

Git and Github workshop GDSC MLRITM
Git and Github  workshop GDSC MLRITMGit and Github  workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...akbard9823
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130  Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130  Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
Denver Web Design brochure for public viewing
Denver Web Design brochure for public viewingDenver Web Design brochure for public viewing
Denver Web Design brochure for public viewingbigorange77
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)Damian Radcliffe
 
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Deliverybabeytanya
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Roomgirls4nights
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌  8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌  8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
Complet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation   for Smart Assistant Application for Disabled PersonComplet Documnetation   for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled Personfurqan222004
 

Recently uploaded (20)

Git and Github workshop GDSC MLRITM
Git and Github  workshop GDSC MLRITMGit and Github  workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in  Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in  Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130  Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130  Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
Denver Web Design brochure for public viewing
Denver Web Design brochure for public viewingDenver Web Design brochure for public viewing
Denver Web Design brochure for public viewing
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)
 
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌  8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌  8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In South Ex 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
Complet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation   for Smart Assistant Application for Disabled PersonComplet Documnetation   for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled Person
 

csec66 a user mode implementation of filtering rule management plane on virtualized networking environment

  • 1. A user mode implementation of filtering rule management plane on virtualized networking environment
    Network Security Research Institute, National Institute of Information and Communications Technology
    Ruo Ando
    CSEC66, 2014-07-04: 66th CSEC / 10th SPT Joint Research Meeting, Session C-5 (13:25 - 14:40)
    http://starbed.nict.go.jp/
  • 2. Abstract: Towards an alternative access control model (a new access control model for virtualized network environments)
    [A] The emergence of network virtualization and related technologies such as SDN and Cloud computing makes us face the new challenge of an alternative access control model.
    (1) Advances in network virtualization (abstraction) and its surrounding technologies (Software Defined Networking, cloud computing) demand innovation and revision of access control technology.
    (2) The recent trend in access control technology toward in-kernel implementation and centralization has run into various problems as the problem domain and the networks grow large.
    [B] Particularly, besides flexibility, fine-grained traffic engineering functionality for coping with scalability and diversified networks is required for the deployment of SDN and Cloud Computing.
    [C] Our architecture leverages a NoSQL data store for handling a large number of filtering rules. By adopting NoSQL, we can achieve scalability, availability and tolerance to network partition. Besides, by separating the management plane from the control plane, we can achieve responsiveness and strong consistency at the same time.
    (3) The proposed system uses a NoSQL data store to handle large-scale filtering rule sets, securing scalability; it modifies the conventional SDN architecture by explicitly separating the management plane from the control plane, which improves network responsiveness.
    [D] In the experiment, we have prototyped a lightweight management plane for IP filtering. Access filtering rules, each consisting of a target IP address, prefix and gateway, are represented as a radix tree. It is shown that the proposed method achieves reasonable utilization when filtering IP packets.
    (4) In the evaluation we implemented IP filtering with a radix tree and showed that it runs at an acceptable load (CPU utilization within 3%) for filtering rule sets of 10 to 100 rules.
  • 3. Related works: Long-term trend
    [Timeline figure, 2000 / 2005 / 2010 / 2014. Recoverable labels: Centralized access control model; Virtualization Technology (hypervisor); Cloud computing; Domain Specific / Declarative Language; OpenFlow; DSL for IDS and access control; New Security Concerns; DSL for SDN; Rules and conflict management; centralization of access control; network abstraction; the problem of how access control is expressed; virtualization and centralized AC inside the hypervisor; building scalable, composable observation systems; network slicing; dynamic analysis using virtualization technology; scaling up analysis; checking configuration and access control in large-scale systems; BGP attack; Attack on multi-tenant; Remote Attestation. Systems named: sHype, Xen, subvirt, xenprobe, vMAC sandbox, Open vSwitch, Flowvisor, ConfAid, BotMiner, Chimera, ForNox, Pyretic, RuleBricks, HyperDex, Ensenble.]
  • 4. Avenues of Attack
    [Diagram labels: Enterprise Network; Sensitive data; Missing Security Patches; Misconfigured Database; Misconfigured Filtering; Advanced Attacks; Sensitive Data Leaks; Escalating User Privileges; Default Passwords; Weak Passwords; Unauthorized Database; Weak PRNG.]
    CDP: Functional & Operational Firewall Pattern - AWS-CloudDesignPattern
    References:
    Nemesis: preventing authentication & access control vulnerabilities in web applications. SSYM'09, Proceedings of the 18th conference on USENIX security symposium.
    Detecting BGP configuration faults with static analysis. NSDI'05, Proceedings of the 2nd conference on Symposium on Networked Systems Design & Implementation.
    A security enforcement kernel for OpenFlow networks. HotSDN '12, Proceedings of the first workshop on Hot topics in software defined networks.
  • 5. Proposed system (design policy): building a management plane for scalability and manageability
    Apply a data store to secure scalability.
    Centralized management: eliminate configuration management mistakes.
    The data plane and the control plane are not separated within the same host (instance).
    A management plane is set up to manage filtering rules and configuration information.
    Implementing every component in user mode lowers the cost of deployment and makes it faster.
  • 6. Alternative access control model for a virtualized computing environment (virtual network)
    • Virtualized Networking environment = SDN + Cloud computing.
    • The instance is virtualized.
    • The network is also virtualized.
    [Diagram: hypervisors hosting VMs form the data plane; an SDN controller (network operating system providing routing, traffic engineering and load balancing) forms the control plane above OpenFlow switches.]
    Each node is virtualized and placed, as one of multiple tenants, on the same physical NIC.
    The network is also virtualized, and filtering and matching are separated out and centralized.
    Open vSwitch: B. Pfaff, J. Pettit, K. Amidon, M. Casado, T. Koponen, and S. Shenker. Extending Networking into the Virtualization Layer. In HotNets, 2009.
    Operational / Functional FW: Amazon EC2 Design Pattern
  • 7. What is SDN and network virtualization?
    Myth: "SDN is network virtualization"
    The slide sets machine virtualization beside network slicing, layer by layer:

                             Machine virtualization        Network virtualization / slicing
      Hardware resources     CPU, hard disk, PIC, IO       Bandwidth, CPU, FIB
      Abstraction layer      x86 / ARM instruction set     OpenFlow
      Virtualization layer   Xen, QEMU, etc.               FlowVisor
      Slices                 Windows, Linux                Controller, Controller (NOX, NOX)

    Definition of a slice
    • A slice is a set of flows (called a flowspace) running on a topology of switches.
    https://www.clear.rice.edu/comp529/.../tutorial_4.pdf
  • 8. Design issues: virtualized environments and scalability
    [Same timeline figure as slide 3 (2000-2014: centralized access control model, virtualization technology, cloud computing, domain specific / declarative languages, OpenFlow, DSLs for IDS, access control and SDN, rules and conflict management, new security concerns).]
  • 9. "When virtual is harder than real": drawbacks of virtualized networks
    Tal Garfinkel, Mendel Rosenblum. When virtual is harder than real: Security challenges in virtual machine based computing environments. HotOS 2005.
    Scalability. Growth in physical machines is ultimately limited by setup time and bounded by an organization's capital equipment budget. In contrast, creating a new VM is as easy as copying a file. Users will frequently have several or even dozens of special purpose VMs. Thus, the total number of VMs in an organization can grow at an explosive rate. Rarely are all administrative tasks completely automated.
    Diversity. Many IT organizations tackle security problems by enforcing homogeneity: all machines must run the most current patched software. This creates a range of problems, as one must try and maintain patches or other protection for a wide range of OSes and deal with the risk posed by having many unpatched machines on the network.
    Access control should be centralized!
    CloudPolice: Taking access control out of the network. Lucian Popa, Minlan Yu, Steven Y. Ko, Ion Stoica, Sylvia Ratnasamy. 9th ACM Workshop on Hot Topics in Networks (HotNets-IX), Monterey, CA, October 2010.
    Jonathan M. McCune, Stefan Berger, Trent Jaeger, Reiner Sailer: Shamon -- A System for Distributed Mandatory Access Control. 22nd Annual Computer Security Applications Conference (ACSAC), Miami Beach, Florida, December 2006.
  • 10. Design requirement: fine-grained traffic functioning for scalability, diversity and flexibility
    [1] Scalability and diversity: Garfinkel pointed out that creating a new virtual instance is far easier than in a physical environment. Rapid and unpredictable growth can exacerbate management tasks, and in the worst case the impact of catastrophic events is multiplied when every instance has to be patched. Enforcing homogeneity is difficult when users can obtain their own special purpose VM at almost no cost, as easily as copying files.
    [2] Flexibility: In SDN, networks are diversified, programmable and elastic. For a long period, from active networks to advanced network technologies like cloud and SDN, one of the general goals of networking research has been to arrive at a network which is flexible.
    [3] Fine-grained traffic functioning: commercial corporations, private enterprises and universities employ datacenters to run a variety of applications and cloud based services. Their study reveals that existing traffic engineering performs 15% to 20% worse than the optimal solution.
    MicroTE: fine grained traffic engineering for data centers. CoNEXT '11, Proceedings of the Seventh Conference on emerging Networking EXperiments and Technologies.
    Lucian Popa, Ion Stoica, Sylvia Ratnasamy: Rule-based Forwarding (RBF): Improving Internet's flexibility and security. HotNets 2009.
  • 11. Tradeoffs between manageability and performance
    "Logically centralized?: state distribution trade-offs in software defined networks", Dan Levin, Andreas Wundsam, Brandon Heller, Nikhil Handigol and Anja Feldmann, HotSDN '12, Proceedings of the first workshop on Hot topics in software defined networks.
    Controller component choices:
    [1] Strongly consistent: controller components always operate on the same world view. Imposes delay and overhead.
    [2] Eventually consistent: controller components incorporate information as it becomes available, but may make decisions on different world views.
    http://www.richardclegg.org/node/21
    [CAP theorem figure (Eric Brewer, 2000): the triangle of Consistency (C), Availability (A) and Tolerance to network partition (P); RDBMS sits on the enforced-consistency side, NoSQL on the eventual-consistency side.]
    Processing such as packet filtering requires (or at least prefers) strong consistency.
    Using NoSQL achieves A (availability), P (tolerance to network partition) and S (scalability).
  • 12. Basic SDN architecture and proposed system
    [Diagram. Basic SDN: nodes (VMs) on the data plane hold a flow table and reach the controller on the control plane over a secure channel; ingress packets are handed up to the controller. Proposed method: control and data plane stay together on the node (VM), which holds the filtering rule table and performs the match itself; a separate management plane holds the data store.]
    Matching is done on the node side, and packets are not forwarded. This achieves centralized management of filtering while lowering the load on the control/management plane.
    VCRIB: Virtualized rule management in the cloud. Masoud Moshref, Minlan Yu, Abhishek Sharma, Ramesh Govindan. The 4th USENIX Workshop on Hot Topics in Cloud Computing (HotCloud), Boston, MA, June 2012.
  • 13. Adopting a data store (NoSQL) on the management plane
    Loader excerpt (legacy MongoDB C++ driver): every rule document in the collection is read from the cursor and inserted into the radix tree. ns, client and dstAddress are declared elsewhere in the program.

        auto_ptr<mongo::DBClientCursor> cursor = client.query(ns, mongo::BSONObj());
        while (cursor->more()) {
            mongo::BSONObj p = cursor->next();
            mongo::OID oid = p["_id"].OID();          /* document id of the rule */
            string dest = p["dest"].str();            /* target network address */
            int mask = p["mask"].numberInt();         /* prefix length */
            string gateway = p["gateway"].str();
            const char *p0 = dest.c_str();
            const char *p1 = gateway.c_str();
            add_rtentry(p0, mask, p1);                /* insert the rule into the radix tree */
            int res = find_route(dstAddress);         /* longest-prefix lookup of a destination */
            if (res == 0) printf("route found\n");
            /* flush entry: rm_rtentry(p0, mask); (commented out on the slide) */
        }

    A filtering rule is described in BSON (JSON), for example:

        {"_id": {"$oid": "53370eaeb1f58908a9837910"}, "dest": "10.0.0.0", "mask": 8, "gateway": "192.168.0.2"}

    By reading the radix tree entries dynamically, filtering rules can be changed at any time from the remote management plane.
    A radix tree (also patricia trie, radix trie or compact prefix tree) is a space-optimized trie data structure where each node with only one child is merged with its parent.
    Lookup excerpt: the destination address is wrapped in a /32 entry and matched against the table.

        entry.addr = ntohl(addr_dst.s_addr);      /* destination address in host byte order */
        entry.prefix_len = 32;                    /* match on the full host address */

        radix_tree<rtentry, in_addr>::iterator it;

        it = rttable.longest_match(entry);        /* most specific rule covering dst */
        if (it == rttable.end()) {
            std::cout << "no route to " << dst << std::endl;
            return 1;
        }
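    As an added example (not the slide deck's or cBridge's code), the loader and the node-side decision of slides 12 and 13 in Python, the language the prototype uses for rule configuration: rule documents in the slide-13 shape {dest, mask, gateway} are loaded into a prefix tree, each destination is decided locally by longest-prefix match, a rule removed from the store disappears on the next lookup, and a malformed document is rejected instead of taking the plane down. The sample rules and destination addresses are constructed, and the tree is a plain binary trie rather than the compacted radix tree the project uses.

```python
import ipaddress
import json
from typing import Dict, List, Optional, Tuple

# Constructed rule documents in the shape of the BSON rule on slide 13.
# The last one is deliberately malformed (mask > 32): a bad document in the
# data store must be rejected, not crash the filter that loads it.
SAMPLE_RULES_JSON = """
[
  {"dest": "10.0.0.0", "mask": 8,  "gateway": "192.168.0.2"},
  {"dest": "10.1.0.0", "mask": 16, "gateway": "192.168.0.3"},
  {"dest": "10.9.0.0", "mask": 40, "gateway": "192.168.0.4"}
]
"""


def sample_rules() -> List[dict]:
    """Stand-in for the data-store cursor: the constructed documents above."""
    return json.loads(SAMPLE_RULES_JSON)


class RadixNode:
    __slots__ = ("children", "rule")

    def __init__(self) -> None:
        self.children: Dict[str, "RadixNode"] = {}
        self.rule: Optional[dict] = None


class RadixTable:
    """Binary prefix trie keyed on the network bits of dest/mask.
    longest_match() plays the role of rttable.longest_match() on slide 13."""

    def __init__(self) -> None:
        self.root = RadixNode()

    @staticmethod
    def _prefix_bits(dest: str, mask: int) -> str:
        if not 0 <= mask <= 32:
            raise ValueError(f"invalid prefix length {mask}")
        # strict=False masks off any host bits the document may carry
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        return format(int(net.network_address), "032b")[:mask]

    def add_rtentry(self, dest: str, mask: int, gateway: str) -> None:
        ipaddress.IPv4Address(gateway)          # reject a malformed gateway too
        node = self.root
        for bit in self._prefix_bits(dest, mask):
            node = node.children.setdefault(bit, RadixNode())
        node.rule = {"dest": dest, "mask": mask, "gateway": gateway}

    def rm_rtentry(self, dest: str, mask: int) -> bool:
        """Remove a rule; returns False when no such rule was present."""
        node = self.root
        for bit in self._prefix_bits(dest, mask):
            node = node.children.get(bit)
            if node is None:
                return False
        had_rule = node.rule is not None
        node.rule = None
        return had_rule

    def longest_match(self, dst: str) -> Optional[dict]:
        node = self.root
        best = node.rule                        # a 0.0.0.0/0 rule lives at the root
        for bit in format(int(ipaddress.IPv4Address(dst)), "032b"):
            node = node.children.get(bit)
            if node is None:
                break
            if node.rule is not None:
                best = node.rule                # deeper node = longer prefix
        return best


def load_rules(documents: List[dict], table: RadixTable) -> Tuple[int, int]:
    """Equivalent of the cursor loop on slide 13: every document fetched from the
    store becomes one tree entry. Returns (loaded, rejected)."""
    loaded = rejected = 0
    for p in documents:
        try:
            table.add_rtentry(str(p["dest"]), int(p["mask"]), str(p["gateway"]))
            loaded += 1
        except (KeyError, ValueError, TypeError):
            rejected += 1                       # skip the bad document, keep serving
    return loaded, rejected


def decide(table: RadixTable, dst: str) -> Optional[str]:
    """Node-side decision (slide 12): match locally, never hand the packet to the
    controller. Returns the gateway of the most specific rule, or None when no
    rule covers dst (the slide's "no route to" case)."""
    rule = table.longest_match(dst)
    return None if rule is None else rule["gateway"]


if __name__ == "__main__":
    table = RadixTable()
    print("loaded/rejected:", load_rules(sample_rules(), table))
    for dst in ("10.1.2.3", "10.2.0.1", "192.168.5.5"):
        print(dst, "->", decide(table, dst))
    table.rm_rtentry("10.1.0.0", 16)            # change pushed from the management plane
    print("10.1.2.3 after removal ->", decide(table, "10.1.2.3"))
```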
  • 14. Experimental result on Amazon VPC
    We compiled our system on Ubuntu 12 LTS with Linux kernel 3.2.0. The proposed system is hosted on an Intel Xeon E5645 with a 2.4 GHz clock.
    With 10 to 100 rules, both CPU utilization (within 3%) and context switches (within 5000) stay within the acceptable range.
    In the configured environment, cases with 1000 to 10000 rules are rare, so the proposed method is adequate.
    [Diagram of the prototype: vNIC1 and vNIC2 joined by a bridge; IP capture feeds the Radix Module on the control plane; MongoDB and a Python module sit on the management plane.]
    Packet capture uses pcap in user mode. Rules are configured with Python.
  • 15. Further works
    [Same timeline figure as slide 3 (2000-2014: centralized access control model, virtualization technology, cloud computing, domain specific / declarative languages, OpenFlow, DSLs for IDS, access control and SDN, rules and conflict management, new security concerns).]
  • 16. Conclusions
    [A] The emergence of network virtualization and related technologies such as SDN and Cloud computing makes us face the new challenge of an alternative access control model.
    (1) Advances in network virtualization (abstraction) and its surrounding technologies (Software Defined Networking, cloud computing) demand innovation and revision of access control technology.
    (2) The recent trend in access control technology toward in-kernel implementation and centralization has run into various problems as the problem domain and the networks grow large.
    [B] Particularly, besides flexibility, fine-grained traffic engineering functionality for coping with scalability and diversified networks is required for the deployment of SDN and Cloud Computing.
    [C] Our architecture leverages a NoSQL data store for handling a large number of filtering rules. By adopting NoSQL, we can achieve scalability, availability and tolerance to network partition. Besides, by separating the management plane from the control plane, we can achieve responsiveness and strong consistency at the same time.
    (3) The proposed system uses a NoSQL data store to handle large-scale filtering rule sets, securing scalability; it modifies the conventional SDN architecture by explicitly separating the management plane from the control plane, which improves network responsiveness.
    [D] In the experiment, we have prototyped a lightweight management plane for IP filtering. Access filtering rules, each consisting of a target IP address, prefix and gateway, are represented as a radix tree. It is shown that the proposed method achieves reasonable utilization when filtering IP packets.
    (4) In the evaluation we implemented IP filtering with a radix tree and showed that it runs at an acceptable load (CPU utilization within 3%) for filtering rule sets of 10 to 100 rules.
    www.slideshare.net/RuoAndo
    https://github.com/RuoAndo/cBridge