ICCES_2016_Security Analysis of Software Defined Wireless Network Monitoring with sFlow and FlowVisor
1. Paper ID: COM205
Session I
IEEE International Conference on Communication and Electronics Systems (ICCES 2016)
October 21st-22nd, ICCES, Coimbatore, India
2. Mawlana Bhashani Science and Technology University, Bangladesh
BAC IT, Bangladesh
University of Derby, England
Security Analysis of Software Defined Wireless Network Monitoring with sFlow and FlowVisor
Asma Islam Swapna, MD Rezaul Huda Reza, Mainul Kabir Aion
3. Presentation Summary
SDN?
SDWN?
Network Monitoring and Measurement
sFlow DFD
FlowVisor DFD
STRIDE and DFD
sFlow STRIDE Analysis
FlowVisor STRIDE Analysis
Evaluation
Conclusion
References
4. Software Defined Networking (SDN)
Current Network
[Figure: today's network, device by device a closed box of specialized packet forwarding hardware with its own operating system and its own apps]
Millions of lines of source code
Billions of gates
Limitations?
Source: Open Network Foundation Newsletter
5. Software Defined Networking (SDN)
Solution!
Operating System for Networks
[Figure: control programs running on a network operating system with a global network view, controlling the forwarding hardware via a forwarding interface]
SDN providing network administration
Full hardware accessibility
Source: Open Network Foundation Newsletter
6. Software Defined Networking (SDN) (Cont.)
• Direct programmability in the network plane
• Decouples the control plane from the data forwarding plane
• Agile
• Open standards-based and vendor-neutral
Enables:
• Scalability
• Information hiding
• Network policy
• Complete resource utilization
• Expands local to global
• Spans business network
Source: Open Network Foundation Newsletter
7. Software Defined Wireless Networking
2G, 3G, 4G, 5G: billions of wirelessly connected mobile devices
Need more wireless capacity!
Heterogeneous network (LTE, Wi-Fi, WiMAX)
Solution: SDN for wireless network!
- Interface for controlling mobile nodes
- Customizable mobility management
Debut of pop in 2005, 2013
8. Software Defined Wireless Networking (Cont.)
Underlying network security: secured information flow and control plane
• Controller collects Mobile Nodes (MNs) information for packet transmission
• Composed of North-South and East-West network dimensions
• Border Gateway Protocol (BGP) enables inter-controller communication for large wireless networks
• Leverages wireless mesh networks
9. Network Monitoring & Measurement
Measure and detect intrusion and network threats, and monitor network services
Monitoring & Measuring Tools: sFlow, FlowVisor, BigSwitch, BigTap, SevOne
SDN Architectures: 4D, PCE, SANE-based
Source: McAfee Labs, 2015
• Network traffic visibility
• Inline and out-of-band monitoring
• Leverage SDWN/SDN controller
10. Challenge
Monitoring large, scale-out, multi-domain, multi-controller based SDWN
[Figure: monitored components: network, database, memcache, web server, load balancer, application server]
Solution!
sFlow - Open source
- Monitors switches
- Comprehensive multi-layer visibility
FlowVisor - Non-vendor-dependent
- Proxy controller between SDWN switch and controller
- Isolates SDWN devices into slices
11. sFlow DFD
Embedded with switch and router in SDWN
Agents (Linux, Windows, Solaris, AIX)
- Remotely configured
- Management Information Base (MIB)
- SNMP flow datagrams from switch to collector
Collectors (sFlow-RT, sFlowTrend, sflowtool, third party etc.)
- Memcached hit-miss, traffic bytes, durations, keys in data store
- sFlow-RT controller collects traffic data from collectors and analyses each sample
- Understands tcpdump
- CLI operation
[Figure: sFlow Data Flow Diagram]
12. FlowVisor DFD
• OpenFlow proxy controller between SDWN switches and controllers
• Divides resources into slices and a flowspace for each slice
• Slice policy configures switches, routing, packet forwarding
• Production controller manages slice policy rewrite
[Figure: FlowVisor Data Flow Diagram: FlowVisor controller and slice policy, SDWN switch, SDWN controller]
• CLI allows FlowVisor configuration
• Slice processes are owned by the admin and groups of the network operators
• Isolated slice information: bandwidth, CPU, forwarding table, etc.
13. Threat Models
Elicitation and analysis of security threats and mechanisms in deployed designs and networks
• DREAD – SQL injections, Microsoft, OpenStack
• Octave – Large systems and applications
• STRIDE – Network systems and applications, Microsoft
• Generic Risk Model –
• Guerilla Threat Modeling –
• Process for Attack Simulation and Threat Analysis (PASTA) – last-stage risk management
• Trike etc.
14. STRIDE & Data Flow Diagram (DFD)
DFD elements can be vulnerable to one or many STRIDE threats.
[Figure: FlowVisor Data Flow Diagram]
STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege

Name             | STRIDE vulnerability | Definition
Data Flow        | Yes                  | Data sent among network elements
Data Store       | Yes                  | Stable data
Process          | Yes                  | Programs or applications that configure the system
Interactors      | Yes                  | Endpoints out of system scope to control
Trust Boundaries | Yes                  | Separation between trusted and untrusted elements of the system
15. sFlow STRIDE Analysis
Threat                  | Data Flow | Data Store | Solution
Tampering               | Yes       | Yes        | ACL/RBAC/DAC for CLI, SNMPv3, TLS
Information Disclosure  | Yes       | Yes        | TLS
Denial of Service (DoS) | Yes       | Yes        | AC in CLI for MIB security, TLS
• Third-party deployment environment for data flow security
• Transport Layer Security among agents to encrypt traffic information
• Access control mechanism; SNMPv3 can leverage securing the MIB
• Direct traffic information using SNMP
• DoS vulnerabilities in the data store can cause unauthorized access to SDWN devices
• No interactors for one-way SNMP communication
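As an added example (not code from the paper or from any sFlow implementation), a collector-side check for the agent-to-collector data flow discussed above: a parser for the fixed sFlow v5 datagram header, which carries no authentication or integrity field, plus allowlist and sequence-number checks that flag stray or replayed datagrams. The agent addresses are assumed values.

```python
import struct
from ipaddress import IPv4Address

# Allowlist of agents (switch/router addresses) the collector accepts.
# Assumed values, not from the paper.
TRUSTED_AGENTS = {"10.0.0.7", "10.0.0.8"}

def build_header(agent_ip, sub_agent, seq, uptime, nsamples):
    """Pack an sFlow v5 datagram header for an IPv4 agent: version 5, address
    type 1 (IPv4), agent address, sub-agent id, sequence number, sysUptime in
    ms and the number of samples that follow. Used here to build test input."""
    return struct.pack("!IIIIIII", 5, 1, int(IPv4Address(agent_ip)),
                       sub_agent, seq, uptime, nsamples)

# Constructed datagram header, not a real capture: agent 10.0.0.7, seq 42.
SAMPLE_DATAGRAM = build_header("10.0.0.7", 0, 42, 123456, 2)

def parse_header(data):
    """Decode the fixed 28-byte sFlow v5 header for an IPv4 agent. The format has
    no authentication or integrity field, so any protection of this data flow
    has to come from the network path (e.g. TLS or IPsec), as the slide notes."""
    if len(data) < 28:
        raise ValueError("datagram shorter than the sFlow v5 IPv4 header")
    version, addr_type = struct.unpack("!II", data[:8])
    if version != 5:
        raise ValueError("unsupported sFlow version %d" % version)
    if addr_type != 1:
        raise ValueError("this example only decodes IPv4 agent addresses")
    agent, sub_agent, seq, uptime, nsamples = struct.unpack("!IIIII", data[8:28])
    return {"agent": str(IPv4Address(agent)), "sub_agent": sub_agent,
            "seq": seq, "uptime": uptime, "samples": nsamples}

class CollectorGuard:
    """Collector-side plausibility checks: the UDP source must be an allowlisted
    agent and equal the agent address in the header, and the sequence number per
    (agent, sub-agent) must advance. This catches stray and replayed datagrams;
    it is not authentication, since both fields can be forged on the wire."""
    def __init__(self, trusted):
        self.trusted = set(trusted)
        self.state = {}  # (agent, sub_agent) -> (last_seq, last_uptime)

    def check(self, data, src_ip):
        hdr = parse_header(data)
        if src_ip not in self.trusted or hdr["agent"] != src_ip:
            return "reject:untrusted-agent"
        key = (hdr["agent"], hdr["sub_agent"])
        last = self.state.get(key)
        # A lower uptime means the agent restarted and its counter legitimately
        # reset; otherwise a non-increasing sequence number is stale or replayed.
        if last and hdr["seq"] <= last[0] and hdr["uptime"] >= last[1]:
            return "reject:replayed-or-stale"
        self.state[key] = (hdr["seq"], hdr["uptime"])
        return "accept"
```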
16. FlowVisor STRIDE Analysis
Threat                  | Data Flow | Solution
Tampering               | Yes       | TLS
Information Disclosure  | Yes       | TLS
Denial of Service (DoS) | Yes       | Access control in CLI for policy rewrite, TLS
• Transport Layer Security among agents to defend against policy rewrite
• Access control mechanism can leverage policy rewrite
• Attack on production control avails rewriting slice policy
• Switch configuration in the data store is secured with authentic flow entries
• CLI secures slice policy with port number, host id and destination address
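As an added example (not FlowVisor's own code), the slice isolation and policy-rewrite access control discussed above, in Python: a flow-mod from a slice's controller is forwarded to the switch only if its match lies inside that slice's flowspace, and a policy rewrite is accepted only from an admin and only if it does not overlap another slice. Slice names, flowspace values and the admin set are assumptions.

```python
from ipaddress import ip_network

# Constructed slice policy in the style of FlowVisor flowspace entries; field
# names follow OpenFlow 1.0 match fields. Slice names and values are assumed.
SLICE_FLOWSPACE = {
    "wifi-ops": [{"dl_vlan": 100, "nw_dst": "10.10.0.0/16"}],
    "lte-ops":  [{"dl_vlan": 200, "nw_dst": "10.20.0.0/16"}],
}
ADMINS = {"fv-admin"}  # assumed: the only principals allowed to rewrite policy
IP_FIELDS = ("nw_src", "nw_dst")

def match_within(rule, space):
    """True if every field the flowspace constrains is present in the rule with a
    value inside the constraint. Wildcarding a constrained field would capture
    traffic that belongs to other slices, so such a rule does not qualify."""
    for field, allowed in space.items():
        if field not in rule:
            return False
        if field in IP_FIELDS:
            if not ip_network(rule[field], strict=False).subnet_of(ip_network(allowed)):
                return False
        elif rule[field] != allowed:
            return False
    return True

def spaces_overlap(a, b):
    """Two flowspace entries overlap if every field both constrain can be
    satisfied by one packet (fields only one of them constrains do not matter)."""
    for field in set(a) & set(b):
        if field in IP_FIELDS:
            if not ip_network(a[field]).overlaps(ip_network(b[field])):
                return False
        elif a[field] != b[field]:
            return False
    return True

def authorize_flowmod(slice_name, rule, policy=None):
    """Proxy-controller decision for a flow-mod from a slice's controller."""
    policy = SLICE_FLOWSPACE if policy is None else policy
    spaces = policy.get(slice_name)
    if not spaces:
        return "reject:unknown-slice"
    return "forward" if any(match_within(rule, s) for s in spaces) else "reject:outside-flowspace"

def rewrite_slice_policy(actor, slice_name, spaces, policy):
    """Access control on policy rewrite: only admins, and never into another
    slice's flowspace, so isolation survives the rewrite."""
    if actor not in ADMINS:
        return "reject:not-admin"
    for other, others in policy.items():
        if other != slice_name and any(spaces_overlap(s, o) for s in spaces for o in others):
            return "reject:overlaps-" + other
    policy[slice_name] = list(spaces)
    return "ok"
```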
17. Evaluation
Comparison among sFlow and FlowVisor
Threat                 | Data Flow        | Data Store
Tampering              | FlowVisor, sFlow | sFlow
Information Disclosure | FlowVisor, sFlow | sFlow
Denial of Service      | FlowVisor, sFlow | sFlow
sFlow provides no security in data flow and data store and is vulnerable to spoofing, DoS and information disclosure threats.
FlowVisor: the flowspace CLI secures the switch configuration data store. It inherits security threat vulnerabilities in isolated slices and is prone to spoofing, tampering and information disclosure, even delay and Denial of Service threats, in data flow.
18. Conclusion
• Studied the STRIDE security model for SDWN
• Analyzed packet flow in an SDWN environment using sFlow
• Analyzed packet flow in an SDWN environment using FlowVisor
• Performed a comparative side-by-side analysis of SDWN security risks in using sFlow and FlowVisor
• Research outcome finds FlowVisor providing security in data storage
• sFlow is vulnerable to spoofing, switch information tampering and DoS risk
19. Future Work
Real-time prototyping of an SDWN environment and monitoring performance
SDWN appliance in a larger network, i.e. a data center
FlowVisor slicing and isolation impact on real-time SDWN prototyping