Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

D-STREAMON - NFV-capable distributed framework for network monitoring

213 views

Published on

Several reasons make NFV an attractive paradigm for IT security: lowers costs, agile operations and better isolation as well as fast security updates, improved incident responses and better level of automation. At the same time, the network threats tend to be increasingly complex and distributed, implying huge traffic scale to be monitored and increasingly strict mitigation delay requirements. Considering the current trend of the networking and the requirements to counteract to the evolution of cyber-threats, it is expected that also network monitoring will move towards NFV based solutions. In this paper, we present Distributed StreaMon (D-StreaMon) an orchestration framework for distributed monitoring on NFV network architectures. D-StreaMon has been designed to face the above described challenges. It relies on the StreaMon platform, a solution for network monitoring originally designed for traditional middleboxes. Changes that allow Streamon to be deployed on NFV network architectures are described. The paper reports a performance evaluation of the realized NFV based solutions and discusses potential benefits in monitoring tenants' VMs for Service Providers.

Published in: Internet
  • Be the first to comment

  • Be the first to like this

D-STREAMON - NFV-capable distributed framework for network monitoring

  1. 1. D-STREAMON - NFV-capable distributed framework for network monitoring Davide Palmisano(1,2), Pier Luigi Ventre(2), Alberto Caponi(1), Giuseppe Siracusano(2), Stefano Salsano(1,2), Marco Bonola(1), Giuseppe Bianchi(1,2) (1) CNIT – (2) University of Rome “Tor Vergata” Soft5 Workshop - First International Workshop on Softwarized Infrastructures for 5G and Fog Computing, in conjunction with ITC 29 Genoa, Italy - 8th September, 2017
  2. 2. 2 Outline • SCISSOR project highlights • Network Monitoring in a Distributed Cloud / NFV environment • From StreaMon to Distributed StreaMon (D-StreaMon) • Deployment of D-StreaMon over a Cloud Infrastructure
  3. 3. 3 The SCISSOR Project – Security in trusted SCADA and smart-grids Assystem Engineering and operation services (FR) AGH University of Science and Technology of Krakow (PL) UPMC university Pierre and Marie Curie (FR) SixSq Sàrl (CH) Consorzio Nazionale Interuniversitario per le Telecomunicazioni (IT) RADIO6ENSE (IT) Salzburg Research Forschungsgesellschaft mbH (AT) Katholieke Universiteit Leuven (BE) SEA Società Elettrica di Favignana S.p.a. (IT) The partners
  4. 4. 4 SCISSOR in a nutshell A highly scalable ICS/SCADA security monitoring framework • Integration of a wide range of heterogeneous sensors • A dynamically adaptable, distributed data aggregation framework • Advanced detection and correlation models as extensions to a conventional SIEM • Exploitation of modern cloud-computing concepts
  5. 5. 5 SCISSOR Architecture
  6. 6. 8 Outline SCISSOR project highlights Network Monitoring in a Distributed Cloud / NFV environment From StreaMon to Distributed StreaMon (D-StreaMon) Deployment of D-StreaMon over a Cloud Infrastructure
  7. 7. 9 Network Monitoring in a Distributed Cloud / NFV environment •Once upon a time : - physical servers and hosts, physical network devices and wires to be monitored •Nowadays : - Server and hosts are distributed in the cloud - Security systems or hardware based middleboxes are substituted by virtualized network function running on commodity hardware From physical to virtual infrastructure
  8. 8. 10 Network Monitoring in a Distributed Cloud / NFV environment •Cyber-threats can easily break the controls performed by the standard procedures which aims at monitor the perimeter of an infrastructure •We need innovative approaches in the defense techniques and the deployment of a widespread monitoring New threats
  9. 9. 11 Network Monitoring in a Distributed Cloud / NFV environment Network core Cloud Data Centers Fog Nodes Local Nodes Local sensors/actuators For example, in the SCISSOR project testbed we have a «Cloud in a box» solution, called NuvlaBox installed in an electric cabin in Favignana island
  10. 10. 12 Network Monitoring in a Distributed Cloud / NFV environment Network core Cloud Data Centers Fog Nodes Local Nodes Local sensors/actuators Monitoring probes distributed on the Cloud Infrastructure
  11. 11. 13 Outline • SCISSOR project highlights • Network Monitoring in a Distributed Cloud / NFV environment • From StreaMon to Distributed StreaMon (D-StreaMon) • Deployment of D-StreaMon over a Cloud Infrastructure
  12. 12. 14 StreaMon : architecture of a single probe Stream based analysis • Wire-speed, strict real time • Memory-efficient operation, no on-board DBs • Data reduction, mining only data you really need Very powerful technical approach • Especially when (controlled) approx is OK • Multi-hash data structures (Bloom, sketches, etc) Stream Analysis (on the fly) Raw link traffic (huge rate) (partial) results, filtering
  13. 13. 15 StreaMon : architecture of a single probe M1 Metric Layer M2 M3 Feature Layer F1 = M1+M2 F2 = M3/M2 Decision Layer if (f1>200) then ACTION if (f2<.05) then ACTION Event Layer Timeouts Status Table Capture Engine incoming packet state transition timeout update timeout expiration Logic subsystem Measurement subsystem
  14. 14. 16 What the programmer describes Define application-specific STATES • If/when needed Specify EVENTS • Triggered by packet arrival: i) matching rule (e.g. TCP SYN) ii) extract flow key • Timeouts Instantiate METRICS (sketch-based & DLEFT-based) Define FEATURES Define STATE MACHINE: transition events, metric updates, conditions, associated ACTIONS No need to know HOW all this is implemented inside the box: just an API!
  15. 15. 17 State machine description in XML <event type="packet" selector="proto tcp and dst_port 502 and modbus_fc 8" primary-key="ip_src"> <state id="default"> <use-metric id="m1" vd_update="ip_src-ip_dst" vm_update="ip_src"/> <condition> expression="rate > 10" action=”Publish(log, Suspected scan from %ip_src)" next_state="suspect"> </condition> </state> <state id=”suspect”> <use-metric id=”m1” vd_update=”ip_src-ip_dst” vm_update=”ip_src” /> <condition> expression="rate > 20" action=”Publish(log, Detected scan from %ip_src); Publish(raw, raw)" next_state="" </condition> </state> </event>
  16. 16. 18 StreaMon life-cycle is static & on the probe • Designed for a single host • All the steps run on the platform • Static XML configurations • StreaMon is re-compiled at each run • No dynamic re-configuration of parameters • Metric/Feature changes need restart • Hard to retrieve monitoring informations • Monitoring logs at screen Host Host Host Host Host Host Probe Probe Probe
  17. 17. 19 StreaMon becomes distributed: D-StreaMon Config. Repository Host Host Host Host Host Host Probe Probe Probe Controller Aggregated Logs Logs Logs Logs Deploy Execute Configure & Compile Deploy Deploy
  18. 18. 20 Controller (Management) TITRE DE LA PARTIE •Design and deploy the distributed monitoring network (probes) •Customize probe configuration •Dynamically re-configure probes •Centralized compilation Probes (Execution) •Just run the logic without compilation overhead! •Publish monitoring data on Ømq channels D-StreaMon: decoupling StreaMon management from execution
  19. 19. 21 Implementation • Easily configure deployment actions defining playbooks • Playbooks express configurations, deployment, and orchestration • Each Playbook maps a group of hosts to a set of roles • Each role is represented by calls to Ansible call tasks • Abstraction library for sockets • Simple publish/subscribe network communication • Easily aggregate monitoring information using proxy
  20. 20. 22 Semaphore based GUI for the control component
  21. 21. 23 Outline • SCISSOR project highlights • Network Monitoring in a Distributed Cloud / NFV environment • From StreaMon to Distributed StreaMon (D-StreaMon) • Deployment of D-StreaMon over a Cloud Infrastructure
  22. 22. 24 Network Monitoring in a Distributed Cloud / NFV environment Network core Cloud Data Centers Fog Nodes Local Nodes Local sensors/actuators Monitoring probes distributed on the Cloud Infrastructure
  23. 23. 25 Network Monitoring in a Distributed Cloud / NFV environment Network core Cloud Data Centers Fog Nodes Local Nodes Local sensors/actuators OS and Drivers Cloud Platform + Container Manager App VM App Container OS and Drivers Cloud Platform + Container Manager App VM App Container
  24. 24. Neutron bridge D-StreaMon Orchestration framework Probes and VMs instantiation Configuration and Management Decisions And Actions Legacy or SDN network (data plane) D-StreaMon SDN Controller Virtual Infrastructure Manager REST Mirroring SSH 0mqLegacy (management plane) VM Probe Cloud Infrastructure Virtual Switch
  25. 25. Neutron bridge D-StreaMon Orchestration framework Probes and VMs instantiation Configuration and Management Decisions And Actions Legacy or SDN network (data plane) D-StreaMon SDN Controller Virtual Infrastructure Manager REST Mirroring SSH 0mqLegacy (management plane) VM Probe Cloud Infrastructure Virtual Switch
  26. 26. 28 Probes as processes vs. probes as containers Probes as processes Probes as containers Pros Cons Better performance Less isolation No mirroring overhead Process management Pros Cons Better isolation Performance Simple deployment Mirroring overhead
  27. 27. 29 Probes as processes vs. probes as containers
  28. 28. 30 Thank you. Questions? Contacts Stefano Salsano University of Rome Tor Vergata / CNIT stefano.salsano@uniroma2.it http://scissor-project.com / The work presented here only covers a subset of the work performed in the project
  29. 29. 31 References • SCISSOR project Home Page http://superfluidity.eu/ • D. Palmisano, P. L. Ventre, A. Caponi, G. Siracusano, S. Salsano, M. Bonola, G. Bianchi, “D-STREAMON – NFV-capable distributed framework for network monitoring”, Soft5 Workshop, 1st International Workshop on Softwarized Infrastructures for 5G and Fog Computing, in conjunction with 29th ITC conference, Genoa, Italy, 8th September 2017 • P. L. Ventre, A. Caponi, G. Siracusano, D. Palmisano, S. Salsano, M. Bonola, G. Bianchi, “D-STREAMON: from middlebox to distributed NFV framework for network monitoring”, demo paper, IEEE International Symposium on Local and Metropolitan Area Networks (LANMAN 2017), Osaka, Japan, 2017
  30. 30. 32 The SCISSOR project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 644425 (Research and Innovation Action). The information given is the author’s view and does not necessarily represent the view of the European Commission (EC). No liability is accepted for any use that may be made of the information contained.

×