Paper ID: COM205
Session I
IEEE International Conference on Communication and Electronics Systems (ICCES 2016)
October 21st-22nd, ICCES, Coimbatore, India

Security Analysis of Software Defined Wireless Network Monitoring with sFlow and FlowVisor
Asma Islam Swapna, MD Rezaul Huda Reza, Mainul Kabir Aion
Mawlana Bhashani Science and Technology University, Bangladesh; BAC IT, Bangladesh; University of Derby, England
Presentation Summary
SDN?
SDWN?
Network Monitoring and Measurement
sFlow DFD
FlowVisor DFD
STRIDE and DFD
sFlow STRIDE Analysis
FlowVisor STRIDE Analysis
Evaluation
Conclusion
References
Software Defined Networking (SDN)
Current Network
[Figure: each box of specialized packet forwarding hardware runs its own operating system and apps]
Millions of lines of source code
Billions of gates
Limitations?
Source: Open Network Foundation Newsletter
Software Defined Networking (SDN)
Source: Open Network Foundation Newsletter
[Figure: global network view; control programs on a network operating system drive the forwarding interface of protocol-running devices]
Solution! Operating System for Networks
- SDN providing network administration
- Full hardware accessibility
Software Defined Networking (SDN) (Cont.)
• Direct programmability in the network plane
• Decouples the control plane from the data forwarding plane
• Agile
• Open standards-based and vendor-neutral
Enables: scalability, information hiding, network policy, complete resource utilization; expands local to global; spans the business network
Source: Open Network Foundation Newsletter
Software Defined Wireless Networking
2G, 3G, 4G, 5G: billions of wirelessly connected mobile devices
Need more wireless capacity!
Heterogeneous network (LTE, WiFi, WiMAX)
Solution: SDN for wireless networks!
- Interface for controlling mobile nodes
- Customizable mobility management
Debut of pop in 2005, 2013
Software Defined Wireless Networking (Cont.)
Underlying network security: secured information flow and control plane
• Controller collects Mobile Nodes (MNs) information for packet transmission
• Composed of North-South and East-West network dimensions
• Border Gateway Protocol (BGP) enables inter-controller communication for large wireless networks
• Leverages wireless mesh networks

Network Monitoring & Measurement
Measures and detects intrusion and network threats, and monitors network services
Monitoring & Measuring Tools: sFlow, FlowVisor, BigSwitch, BigTap, SevOne
SDN Architectures: 4D, PCE, SANE-based
Source: McAfee Labs, 2015
• Network traffic visibility
• Inline and out-of-band monitoring
• Leverage SDWN/SDN controller
Challenge
Monitoring large, scale-out, multi-domain, multi-controller based SDWN
[Figure: monitored data-centre components: network, database, Memcache, web server, load balancer, application server]
Solution!
sFlow
- Open source
- Monitors switches
- Comprehensive multi-layer visibility
FlowVisor
- Non-vendor-dependent
- Proxy controller between SDWN switch and controller
- Isolates SDWN devices into slices
sFlow DFD
Embedded with switches and routers in SDWN
Agents (Linux, Windows, Solaris, AIX)
- Remotely configured
- Management Information Base (MIB)
- SNMP flow datagrams from switch to collector
Collectors (sFlow-RT, sFlowTrend, sflowtool, third party, etc.)
- Memcached hit/miss, traffic bytes, durations, keys in the data store
- sFlow-RT controller collects traffic data from collectors and analyses each sample
- Understands tcpdump-style CLI operation
sFlow Data Flow Diagram
FlowVisor DFD
• OpenFlow proxy controller between SDWN switches and controllers
• Divides resources into slices and a flowspace for each slice
• Slice policy configures switches, routing and packet forwarding
• Production controller manages slice policy rewrite
FlowVisor Data Flow Diagram
[Figure: FlowVisor controller and slice policy between the SDWN switch and the SDWN controller]
• CLI allows FlowVisor configuration
• Slice processes are owned by the admin and groups of the network operators
• Isolated slice information: bandwidth, CPU, forwarding table, etc.
Threat Models
Elicitation and analysis of security threats and mechanisms in deployed designs and networks
• DREAD – SQL injections, Microsoft, OpenStack
• OCTAVE – large systems and applications
• STRIDE – network systems and applications, Microsoft
• Generic Risk Model
• Guerrilla Threat Modeling
• Process for Attack Simulation and Threat Analysis (PASTA) – last stage risk management
• Trike, etc.
STRIDE & Data Flow Diagram (DFD)
DFD elements can be vulnerable to one or many STRIDE threats.
FlowVisor Data Flow Diagram
STRIDE:
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege

Name             | STRIDE vulnerability | Definition
Data Flow        | Yes                  | Data sent among network elements
Data Store       | Yes                  | Stable data
Process          | Yes                  | Programs or applications that configure the system
Interactors      | Yes                  | Endpoints out of system scope to control
Trust Boundaries | Yes                  | Separation between trusted and untrusted elements of the system
sFlow STRIDE Analysis

Threat                  | Data Flow | Data Store | Solution
Tampering               | Yes       | Yes        | ACL/RBAC/DAC for CLI, SNMPv3, TLS
Information Disclosure  | Yes       | Yes        | TLS
Denial of Service (DoS) | Yes       | Yes        | AC in CLI for MIB security, TLS
• Third-party deployment environment for data flow security
• Transport Layer Security among agents to encrypt traffic information
• Access control mechanisms and SNMPv3 can help secure the MIB
• Direct traffic information using SNMP
• DoS vulnerabilities in the data store can cause unauthorized access to SDWN devices
• No interactors for one-way SNMP communication
FlowVisor STRIDE Analysis

Threat                  | Data Flow | Solution
Tampering               | Yes       | TLS
Information Disclosure  | Yes       | TLS
Denial of Service (DoS) | Yes       | Access control in CLI for policy rewrite, TLS
• Transport Layer Security among agents to defend against policy rewrite
• An access control mechanism can protect policy rewrite
• An attack on the production controller allows rewriting of the slice policy
• Switch configuration in the data store is secured with authentic flow entries
• CLI secures slice policy with port number, host id and destination address
Evaluation

Threat                 | Data Flow        | Data Store
Tampering              | FlowVisor, sFlow | sFlow
Information Disclosure | FlowVisor, sFlow | sFlow
Denial of Service      | FlowVisor, sFlow | sFlow
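The STRIDE-per-element pass behind the two analysis tables and this Evaluation table, written here as an added Python example (not the paper's code). It assumes the standard Microsoft STRIDE-per-element mapping; the element names and the recorded controls are constructed from the slide text, with the tables' "Solution" columns treated as proposals rather than deployed controls.

```python
# Added example (not the paper's code): STRIDE-per-element over the sFlow and FlowVisor DFDs.
from dataclasses import dataclass, field

# STRIDE-per-element (Microsoft SDL): threat letters applicable per DFD element type.
STRIDE_PER_ELEMENT = {
    "process": set("STRIDE"),
    "data_flow": set("TID"),
    "data_store": set("TID"),
    "interactor": set("SR"),
}

@dataclass
class Element:
    name: str
    kind: str                                     # key into STRIDE_PER_ELEMENT
    controls: dict = field(default_factory=dict)  # threat letter -> deployed control

def residual(element: Element) -> list[str]:
    """Applicable threat letters for which no control is deployed on the element."""
    return sorted(STRIDE_PER_ELEMENT[element.kind] - set(element.controls))

def evaluation(models: dict[str, list[Element]]) -> dict[str, dict[str, list[str]]]:
    """T/I/D -> element kind -> tools whose element of that kind is still exposed."""
    table = {t: {"data_flow": [], "data_store": []} for t in "TID"}
    for tool, elements in models.items():
        for e in elements:
            for t in residual(e):
                if t in table and e.kind in table[t]:
                    table[t][e.kind].append(tool)
    return table

# Constructed from the slide text. sFlow as deployed: SNMP datagrams agent -> collector
# in the clear, collector store unprotected (the table's "solution" column is proposals,
# not deployed controls). FlowVisor: proxied OpenFlow unprotected, policy store guarded.
CLI_AC = "CLI access control on policy rewrite (port number, host id, destination)"
MODELS = {
    "sFlow": [
        Element("agent -> collector sFlow datagrams", "data_flow"),
        Element("collector data store", "data_store"),
    ],
    "FlowVisor": [
        Element("switch <-> FlowVisor <-> controller OpenFlow", "data_flow"),
        Element("slice policy / flowspace store", "data_store",
                {"T": CLI_AC, "I": CLI_AC, "D": CLI_AC}),
    ],
}

if __name__ == "__main__":
    print(evaluation(MODELS))
```

Adding a control to an element (for example TLS on the sFlow data flow) removes the corresponding letter from that row, which is how the proposed solutions can be checked against the table.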
Comparison between sFlow and FlowVisor
sFlow provides no security in the data flow and data store and is vulnerable to spoofing, DoS and information disclosure threats.
The flowspace CLI secures the switch configuration data store.
Inherits security threat vulnerabilities in isolated slices and is prone to spoofing, tampering and information disclosure, and even delay and denial of service threats in the data flow.
Conclusion
• Studied the STRIDE security model for SDWN
• Analyzed packet flow in an SDWN environment using sFlow
• Analyzed packet flow in an SDWN environment using FlowVisor
• Performed a comparative side-by-side analysis of SDWN security risks in using sFlow and FlowVisor
• Research outcome finds FlowVisor providing security in data storage
• sFlow is vulnerable to spoofing, switch information tampering and DoS risk
Future Work
Real-time prototyping of an SDWN environment and monitoring performance
SDWN appliance in a larger network, i.e. a data center
FlowVisor slicing and isolation impact on real-time SDWN prototyping