![Page 1: CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon](https://reader034.vdocuments.us/reader034/viewer/2022042821/56649c785503460f9492d22e/html5/thumbnails/1.jpg)
CloudWatcher: Network Security Monitoring Using
OpenFlow in Dynamic Cloud Networks or: How to Provide
Security Monitoring as a Service in Clouds?
Seungwon Shin and Guofei Gu
SUCCESS LAB
Texas A&M University
Contents
• Background
• Problem domain
• CloudWatcher
• Future work
• Conclusion
Background
• Cloud is large and complicated
  – A lot of VMs in a cloud network
    • "Amazon seems to operate nearly half a million servers for a cloud network"
      – http://huanliu.wordpress.com/2012/03/13/amazon-data-center-size/
    • Each server may run more than 10 VMs inside
    • Thus, Amazon may operate around 5 million VMs
  – A lot of tenants use cloud services
    • They have different network or server configurations
• Cloud is dynamic
  – VMs can move to any server in a cloud network
Problem Domain
• How to monitor cloud networks for security purposes
  – Each tenant will want to have a different network configuration
  – A VM can move from one host to another
  – Current flow control methods do not consider security devices
Example Scenario
[Figure: two panels of the same sample topology, with hosts H1, H2, H3 and routers R1, R2, R3, R4, R5. One panel is titled "Routing from VM1 to VM3", the other "Routing from VM1 to VM3 considering NIDS".]
Goal
• Provide routing algorithms
  – The algorithms guarantee that specified network security devices can monitor specific network flows
• Provide a script language
  – A network administrator can easily register security devices
  – A network administrator can easily define security policies
SDN and OpenFlow
• SDN: Software Defined Networking
  – Separate network control plane and data plane
  – Intelligent control plane
  – Simple (and fast) data plane
  – We can program the network
    • Control network flows (e.g., decide routing paths)
• OpenFlow
  – One of the popular SDN technologies
OpenFlow Overview
[Figure from Stanford OpenFlow tutorial (OpenFlowSwitch.org, OpenFlow Switch specification): a Controller on a PC talks to an OpenFlow Switch over the OpenFlow protocol, carried on an SSL-protected Secure Channel; the switch holds a Flow Table (in hw or sw). The channel carries add/delete flow entries, encapsulated packets and controller discovery.]
SDN and OpenFlow
• People try to apply this technology to cloud networks
  – Network virtualization
    • E.g., Nicira - NVP
  – Network Infrastructure as a Service
    • E.g., OpenFlow interface with OpenStack
CloudWatcher
• A new framework
  – Provides monitoring services for large and dynamic cloud networks
  – Automatically detours network packets to be inspected by pre-installed network security devices
    • OpenFlow
  – Provides a script to operate this framework
Operating Scenario
[Workflow figure. Administrator steps:]
1. Register Security Devices
2. Create Security Policies
3. Parse Security Policies
4. Create Routing Rules
5. Translate Routing Rules into OpenFlow Rules
6. Enforce Flow Rules into Routers

Device registration record, e.g. an NIDS (ID = 1) attached to a router (Device ID = 8):
{ID, TYPE, LOCATION, MODE, Func}
{1, NIDS, 8, PASSIVE, Detect HTTP}

Security policy record:
{FLOW CONDITION, DEVICE SET}
{10.0.0.1 20.0.0.2, {1}}
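The two record formats above are enough to show how the "parse security policies" step can be implemented. The following is an added example, not CloudWatcher's own code: it parses a constructed script containing device registrations and policies, resolves each policy's DEVICE SET against the registered devices, and rejects the errors a controller must not pass over silently (an unregistered device ID, an empty device set, an unparseable line). The field names come from the slide; the line grammar, the `INLINE` mode value and the sample script are assumptions made here.

```python
"""Added example (not CloudWatcher's own code): parse the two record types
shown on the Operating Scenario slide and resolve each policy into a
routing request. Field names come from the slide; the line grammar,
the INLINE mode value and the sample script are assumptions."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample script: device registrations followed by policies.
SCRIPT = """
# {ID, TYPE, LOCATION, MODE, Func}
{1, NIDS, 8, PASSIVE, Detect HTTP}
{2, IPS, 5, INLINE, Drop malformed DNS}
# {FLOW CONDITION, DEVICE SET}
{10.0.0.1 20.0.0.2, {1}}
{10.0.0.1 20.0.0.3, {1, 2}}
"""

DEVICE_RE = re.compile(r"^\{(\d+),\s*(\w+),\s*(\d+),\s*(PASSIVE|INLINE),\s*([^}]+)\}$")
POLICY_RE = re.compile(r"^\{(\S+)\s+(\S+),\s*\{([\d,\s]*)\}\}$")


@dataclass(frozen=True)
class Device:
    id: int
    type: str
    location: int   # router (device ID) the security device hangs off
    mode: str       # PASSIVE: a copy suffices; INLINE: traffic must traverse it
    func: str


@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    devices: frozenset


def parse_script(text):
    """Return ({device id: Device}, [Policy]). Anything unparseable raises
    instead of being skipped: a silently dropped policy is unmonitored traffic."""
    devices, policies = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DEVICE_RE.match(line)
        if m:
            dev = Device(int(m[1]), m[2], int(m[3]), m[4], m[5].strip())
            if dev.id in devices:
                raise ValueError(f"duplicate device id {dev.id}")
            devices[dev.id] = dev
            continue
        m = POLICY_RE.match(line)
        if m:
            # ip_address() validates the flow condition endpoints.
            src, dst = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])
            ids = frozenset(int(x) for x in m[3].split(",") if x.strip())
            if not ids:
                raise ValueError(f"empty device set in policy {line!r}")
            policies.append(Policy(str(src), str(dst), ids))
            continue
        raise ValueError(f"unrecognised line {line!r}")
    return devices, policies


def routing_requests(devices, policies):
    """Turn each policy into what the routing stage needs: the flow condition,
    the routers hosting the selected devices, and which family of algorithm
    applies (an INLINE device forces the path through it; PASSIVE devices
    can be fed a duplicated copy of the flow)."""
    requests = []
    for p in policies:
        missing = sorted(p.devices - set(devices))
        if missing:
            raise KeyError(f"policy {p.src}->{p.dst} references unregistered devices {missing}")
        targets = [(devices[i].location, devices[i].mode) for i in sorted(p.devices)]
        inline = any(mode == "INLINE" for _, mode in targets)
        requests.append({"src": p.src, "dst": p.dst, "targets": targets,
                         "strategy": "shortest_inline" if inline else "multipath"})
    return requests


if __name__ == "__main__":
    devs, pols = parse_script(SCRIPT)
    for req in routing_requests(devs, pols):
        print(req)
```

The parser is deliberately strict: a policy that names a device ID nobody registered, or an empty device set, is a configuration error that would otherwise leave a flow unmonitored while the administrator believes it is covered.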
How to Control Flows
• 4 approaches
  – Multipath naïve
  – Shortest through
  – Multipath shortest
  – Shortest inline
[Sample network figure. S: start node, E: end node, R: router, C: security device]
Simple Shortest Path
• Basic routing scheme (NOT CloudWatcher's idea)
  – Find the shortest path between a start host and an end host
  – Path: S R1 R5 R6 E
Multipath Naïve (algorithm 1)
• Find multiple paths
  – Shortest path between S and E
  – Shortest path between S and C
  – Paths
    • S R1 R5 R6 E
    • S R1 R2 R3 R4
• OpenFlow provides a function to send packets to multiple outputs
  – E.g., R1 {R2, R5}
Shortest Through (algorithm 2)
• Find the shortest path passing through R4
  – Shortest path between S and R4
  – Shortest path between R4 and E
  – Path: S R1 R2 R4 R4 R6 E
Multipath Shortest (algorithm 3)
• Improved version of multipath naïve
• Two phases
  – Find the shortest path (P1)
    • S R1 R5 R6 E
  – Find the shortest path between routers on the path P1 and R4
    • R6 R4
    • R6 {R4, E}
Shortest Inline (algorithm 4)
• Find a path passing through (a) specific link(s) (not node)
• Good for delivering network packets to inline devices
  – E.g., IPS (intrusion prevention system)
Summary for Flow Control Methods
| Method | Pros | Cons | When to use |
|---|---|---|---|
| Multipath Naïve | Simple and fast | Redundant flows | Enough network capacity, delay is important |
| Shortest Through | Efficient | Computation overhead, when multiple devices | Not enough network capacity, delay is not so important |
| Multipath Shortest | Efficient | Computation overhead | Not many hops (e.g., communication between inside VMs) |
| Shortest Inline | Guarantees passing through a specific link | Computation overhead, when multiple devices | For an inline security device (e.g., IPS) |
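The four flow-control methods are easiest to compare by running them on one topology. The block below is an added example, not CloudWatcher's implementation: it builds a constructed sample network (S, routers R1 to R6, E, and a passive device C attached to R4, with link costs chosen here so that every shortest path is unique), computes each method's path set with Dijkstra, and translates the result into per-switch OpenFlow-style entries in which a switch with two next hops duplicates the packet, as in R1 {R2, R5}. The reading of "multipath shortest" as branching from the router on P1 that is closest to the device, and the rejection of inline paths that revisit a switch, are this example's choices rather than anything the slides state.

```python
"""Added example (not CloudWatcher's own code): the four flow-control
strategies from the slides, run on a constructed sample network.
Topology, link costs and device placement are assumptions made here."""
import heapq
from collections import defaultdict

# Constructed topology: undirected links with costs. S and E are hosts,
# R1..R6 routers, C the passive NIDS attached to R4. Not the slides' figure.
LINKS = [
    ("S", "R1", 1), ("R1", "R2", 1), ("R2", "R3", 1), ("R3", "R4", 1),
    ("R1", "R5", 1), ("R5", "R6", 1), ("R6", "E", 1), ("R4", "R6", 2),
    ("R4", "C", 1),
]


def build_graph(links):
    g = defaultdict(dict)
    for a, b, w in links:
        g[a][b] = w
        g[b][a] = w
    return g


def dijkstra(g, src, dst):
    """Shortest path src->dst as (cost, [nodes]); (inf, []) if unreachable."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):
            continue  # stale heap entry
        if u == dst:
            break
        for v, w in g[u].items():
            if d + w < dist.get(v, float("inf")):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    if dst not in dist:
        return float("inf"), []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


def multipath_naive(g, s, e, c):
    """Algorithm 1: shortest S->E plus shortest S->C; the shared prefix
    ends at a router that emits the packet on both branches."""
    return [dijkstra(g, s, e)[1], dijkstra(g, s, c)[1]]


def shortest_through(g, s, e, node):
    """Algorithm 2: shortest S->node joined to shortest node->E (one path)."""
    first, second = dijkstra(g, s, node)[1], dijkstra(g, node, e)[1]
    return [first + second[1:]] if first and second else []


def multipath_shortest(g, s, e, c):
    """Algorithm 3: keep the shortest S->E path P1 untouched and branch a
    copy to C from the router on P1 that is closest to C."""
    p1 = dijkstra(g, s, e)[1]
    routers = p1[1:-1]
    branch = min(routers, key=lambda r: dijkstra(g, r, c)[0])
    return [p1, dijkstra(g, branch, c)[1]]


def shortest_inline(g, s, e, link):
    """Algorithm 4: shortest path traversing link (a, b) in either direction.
    Candidates that revisit a node are rejected: per-switch rules matched on
    (src, dst) cannot express a loop through the same switch."""
    a, b = link
    candidates = []
    for x, y in ((a, b), (b, a)):
        c1, p1 = dijkstra(g, s, x)
        c2, p2 = dijkstra(g, y, e)
        if p1 and p2 and len(set(p1 + p2)) == len(p1 + p2):
            candidates.append((c1 + g[x][y] + c2, p1 + p2))
    return [min(candidates)[1]] if candidates else []


def to_flow_rules(paths, src_ip, dst_ip):
    """Per-router OpenFlow-style entries: match (src, dst), output to every
    next hop seen at that router; several outputs mean packet duplication."""
    outputs = defaultdict(set)
    for path in paths:
        for here, nxt in zip(path, path[1:]):
            if here.startswith("R"):
                outputs[here].add(nxt)
    return {r: {"match": {"nw_src": src_ip, "nw_dst": dst_ip},
                "actions": sorted(f"output:{n}" for n in nh)}
            for r, nh in sorted(outputs.items())}


if __name__ == "__main__":
    G = build_graph(LINKS)
    print("multipath naive   ", multipath_naive(G, "S", "E", "C"))
    print("shortest through  ", shortest_through(G, "S", "E", "R4"))
    print("multipath shortest", multipath_shortest(G, "S", "E", "C"))
    print("shortest inline   ", shortest_inline(G, "S", "E", ("R2", "R3")))
    print(to_flow_rules(multipath_naive(G, "S", "E", "C"), "10.0.0.1", "20.0.0.2"))
```

Two details matter operationally. First, `shortest_inline` returns no path when asked for the leaf link (R4, C): any route over that link has to come back through R4, which the rejection of repeated nodes catches, so an inline device has to sit on a link the flow can actually traverse. Second, the rule translation unions next hops per router, which is exactly what makes the two multipath variants differ in cost: multipath naive duplicates at R1, whereas multipath shortest leaves S R1 R5 R6 E alone and duplicates only at R6.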
Implementation and Evaluation
• CloudWatcher is implemented
  – As an OpenFlow application
    • Running on the NOX controller
    • Implemented in Python
• Verify each algorithm on emulated networks
  – Use Mininet to emulate networks supporting OpenFlow
Evaluation Results
• Flow rule generation time
[Figure: flow rule generation time (12 routers). Legend: Shortest: Dijkstra algorithm to find the shortest path; Algorithm1: Multipath naive; Algorithm2: Shortest Through; Algorithm3: Multipath Shortest; Algorithm4: Shortest Inline]
Future Work
• Optimize algorithms
• Dynamic path selection
• Provide security response strategies
• Verify the proposed ideas on a large scale system
Conclusion
• CloudWatcher provides a new framework to monitor cloud networks
  – With the help of SDN technology
• A cloud administrator can select algorithms based on network status
• A cloud administrator can monitor his network by writing simple scripts