NAC & SDN
: about flowNAC with traffic flow
김준호
2015.09.23
Mobile Convergence LAB,
Department of Computer Engineering,
Kyung Hee University.
1. About paper & terms
2. FlowNAC
3. NAC & SDN
4. Intrusion Prevention
5. Q&A
Contents
About paper & terms
FlowNAC: Flow-based Network Access Control
  Conference – 2014 Third European Workshop on Software-Defined Networks, 2014, Spain
Toward an SDN-Enabled NFV Architecture
  Magazine – IEEE Communications Magazine, April 2015, Spain
An Extended SDN Architecture for Network Function Virtualization with a Case Study on Intrusion Prevention
  Magazine – IEEE Network, May/June 2015, Taiwan
1. IEEE 802.1X
- The IEEE standard for port-based network access control (PNAC)
- Describes an authentication mechanism for devices that want to connect to a wired or wireless LAN (Layer 2)
2. Granularity (literally: the size of the mineral grains that make up a rock)
A. Fine-grained – fine texture (divided into small, detailed functions)
B. Coarse-grained – coarse texture (divided into large functions)
3. Proactive <-> Reactive
A. Acting in advance <-> responding after the fact
4. AAA
A. Authentication – verifying identity
B. Authorization – granting permissions
C. Accounting – charging/billing
About paper & terms
5. NAC(Network Access Control)
- Checking whether an endpoint complies with security policy before it joins the network, and controlling its network use accordingly
- Broad in scope
- Open-source NAC
About paper & terms
Packetfence
  Features: Webserver, DHCPserver, RADIUSserver, IDS, Firewall
  H/W: OpenWRT with hostapd support, HP, Cisco and other switches & APs
  O/S: Ubuntu12.04LTS, Debian7.0, CentOS 6.x, RedHatEnterpriseLinux6.xServer
Opennac
  Features: DHCPreader, RADIUSserver, Antivirus, Firewall, Bulk Configuration/backup
  H/W: Cisco, Alcatel, 3Com, etc
  O/S: Windows, Linux, Mac, mobile device
Coovachilli
  Features: RADIUSserver, Webserver, CaptivePortal
  H/W: CoovaAP (OpenWRT-based)
  O/S: Ubuntu, Openmoko, OpenWRT
Chillispot
  Features: RADIUSserver, Webserver
  H/W: Nothing special
  O/S: Redhat, Fedora, Debian, Mandrake, OpenWRT
Wifidog
  Features: CaptivePortal (Gateway & Authentication server)
  H/W: OpenWRT, FreeWRT, DD-WRT
  O/S: Linux
6. Stateless <-> Stateful
A. Design Concept
A. The server side does not store state about the ongoing client-server interaction <-> it does store it
B. Functional Concept
A. Always returns the same value for the same argument <-> may return a different value (previous values are retained, so the returned value can change depending on them)
About paper & terms
NEXT
FlowNAC :
Flow-based Network Access Control
FlowNAC - IEEE 802.1X
• In the exchange above, the authentication messages use EAP (Extensible Authentication Protocol)
• EAPoL (EAP over LAN) -> the protocol that encapsulates EAP authentication message packets for delivery over LAN/WAN – defined in IEEE 802.1X
FlowNAC - IEEE 802.1X
EAPoL frame
1. PAE(Port Access Entity)
- The point where the policy is applied
1. Binary decision
A. Whether the user is granted access to the
network (identified by source MAC)
B. Access or Deny
C. Coarse-grained granularity
2. Layer 2 protocol
3. DHCP, DNS are not needed
A Flow-based Network Access Control solution that
grants users the right to access the network
depending on the target service requested.
FlowNAC
1. Focusing
A. Managing the identity of end users
B. Applying a policy, based on identity
2. Fine-grained granularity
A. Based on flows (associated with services) to control access to the network
B. Able to authorize access to specific services independently
C. Multiple services independently controlled for the same user (i.e. identity)
3. Relies on a modified version of IEEE 802.1X
A. Supporting EAPoL-in-EAPoL encapsulation
B. Does not need an IP address -> DHCP, DNS are not needed
4. Proactive mode
A. Flow entries are deployed in advance of the actual traffic
B. NAI(Network Access Identifier) – RFC2486 -> must include the service
C. AA process is supported at the same time
FlowNAC - Property
5. Not Focusing
A. Monitoring
B. Dynamic policies
FlowNAC - Property
Supplicant
(user)
Authenticator
(PEP)
Authentication
server
(PDP)
• PEP(Policy Enforcement Point) – point where policy decisions are actually enforced
• PDP(Policy Decision Point) – point where policy decisions are made
• PRP(Policy Retrieval Point) – where access authorization policies are stored (policy repository)
Policy
Repository
(PRP)
1. Different protocol
A. Between supplicant and authenticator
B. Between multiple authentication and authorization processes from the same user
FlowNAC - Architecture
• Identifier – identifies up to 64K different processes
• Outer EAPoL
• Inner EAPoL
2. Identifier
A. Must contain at least three different namespaces
B. Username, service and domain
C. RFC 2486 – NAI(Network Access Identifier) has two namespaces
a. username or username@realm
D. username@service.domain
3. Policy definition
A. Includes the requested service as a parameter to be evaluated (not only the user but
also the service)
B. User must be associated with one or several roles
C. XACML(eXtensible Access Control Markup Language)
4. Service MUST be univocally defined
A. Supporting EAPoL-in-EAPoL encapsulation
B. One request -> one action
FlowNAC - Architecture
5. Transmission of the set of authorized flows
A. Between authentication server and the authenticator
B. Currently not supported
C. New JSON REST interface
6. Authenticator must enforce the access control
A. Based on the set of flows
FlowNAC - Architecture
FlowNAC – Authenticator(PEP)
• PAE(Port Access Entity)
• PAC(Port Access Controller)
• LMI(Layer Management Interface) – connects the PAE with the PAC and controls the port status
FlowNAC – Authenticator(PEP)
1. SDN DataPath
A. Defined by the Open Networking Foundation
B. Matching fields and actions. (Stateless: do not
depend on previously matched frames)
2. ANF(Authenticator Network Function)
A. Implements the functions performed by the
PAE.
B. It receives and parses the EAPoL frames and
encapsulates them in the appropriate
protocol (to communicate with the authentication
server)
C. AA control traffic is not encapsulated in
OpenFlow -> avoiding the overhead of
consolidating the AA processing in the
controller
3. SDN Controller
A. Adds and removes the flow entries
at the SDN datapath
NEXT
Toward an SDN-Enabled NFV Architecture
NAC & SDN
• Stateful network function & Stateless data path processing component
• To keep data processing in hardware as much as possible
• Only forward data traffic to the stateful component when the processing itself is stateful
• Avoiding data traffic going up/down to/from a VM
• Independent scalability of each component
NAC & SDN
• A-type -> Authentication and authorization(AA) traffic
• B-type -> Data traffic for the authorized services
• C-type -> Data traffic for non-authorized services
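As an added illustration (not code from the FlowNAC paper or its authors) of the architecture slides above: the three-namespace identifier (username@service.domain), a policy in which the requested service is a parameter evaluated against the user's roles, the proactive flow entries the authenticator installs, and the stateless datapath split into A/B/C-type traffic. The policy repository, roles, service ports and frames are constructed assumptions.

```python
"""Added illustration (not code from the FlowNAC paper): parse a FlowNAC-style
NAI (username@service.domain), evaluate a role-based policy in which the
requested service is a parameter, emit the proactive flow entries the
authenticator (PEP) would install, and classify frames as A/B/C-type traffic.
Policy, roles, service ports and sample frames are constructed assumptions."""
from typing import NamedTuple

ETHERTYPE_EAPOL = 0x888E  # EAPoL frames carry the 802.1X (A-type) AA traffic

class NAI(NamedTuple):
    username: str
    service: str
    domain: str

def parse_nai(nai: str) -> NAI:
    """Split 'user@service.domain' into its three namespaces; a plain
    two-namespace RFC 2486 'user@realm' is rejected because the service
    component is mandatory in FlowNAC."""
    user, _, realm = nai.partition("@")
    service, _, domain = realm.partition(".")
    if not (user and service and domain):
        raise ValueError(f"NAI must be username@service.domain: {nai!r}")
    return NAI(user, service, domain)

# Assumed policy repository (PRP): which roles may use a service, the L4 port
# that expresses the service as a flow match, and the roles of each user.
SERVICE_ROLES = {"web": {"staff", "guest"}, "ssh": {"staff"}}
SERVICE_PORT = {"web": 80, "ssh": 22}
USER_ROLES = {"alice": {"staff"}, "bob": {"guest"}}

def authorize(nai: str, src_mac: str) -> list[dict]:
    """PDP decision, one request -> one action: return the flow entries the
    PEP deploys in advance if any of the user's roles permits the service."""
    n = parse_nai(nai)
    if not (USER_ROLES.get(n.username, set()) & SERVICE_ROLES.get(n.service, set())):
        return []  # deny: nothing is installed, so the datapath keeps dropping
    return [{"eth_src": src_mac, "tcp_dst": SERVICE_PORT[n.service], "action": "forward"}]

def classify(frame: dict, flows: list[dict]) -> str:
    """Stateless datapath lookup: A = AA traffic handed to the ANF,
    B = matches an authorized flow entry, C = everything else (non-authorized)."""
    if frame["ethertype"] == ETHERTYPE_EAPOL:
        return "A"
    for f in flows:
        if frame["eth_src"] == f["eth_src"] and frame.get("tcp_dst") == f["tcp_dst"]:
            return "B"
    return "C"
```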
NEXT
An Extended SDN Architecture for
Network Function Virtualization
with a Case Study
on Intrusion Prevention
Intrusion Prevention
• CLA Module – located on the switch
• DPI Module – too expensive to be performed on the switch
• SR Module – decision maker for the policies maintained on the data plane
Intrusion Prevention
• Modify the OpenFlow message
Intrusion Prevention
Q&A
Thank you so much

Paper review about NAC & SDN