A Security Enforcement Kernel for OpenFlow Networks
HotSDN 2012
Phillip Porras, Vinod Yegneswaran, Martin Fong, Mabry Tyson (SRI International); Seungwon Shin, Guofei Gu (Texas A&M University)

Classic Network Perimeter Defense: Security Policy Enforcement Methodology
- Well-defined static security policy instantiated for a target topology
- Deployed consistently across the network
- Policy can only be altered by a small set of trusted elements
- Policy modification events are audited and monitored for compliance

The OpenFlow SDN Network Model
- The SDN / OpenFlow network model provides a set of continually and dynamically defined flow policies
- Flow policies are embodied in the current set of flow rules instantiated into the switch
- Flow rules are produced by OpenFlow applications that monitor and react to inbound and outbound packet flows
- OF apps can compete, contradict and override one another, and can incorporate vulnerabilities
- Worst case: an adversary can use a deterministic OF app to control the state of all OF switches in the network

OpenFlow Evasion Scenario: Dynamic Flow Tunneling (diagram)

OpenFlow Security Policy Enforcement
- A dynamic control plane (policies) and data plane (flows) introduces new enforcement challenges
- OpenFlow could benefit from better mechanisms for specifying and authenticating policies, dealing with rewrite rules, and detecting and auditing policy violations

Research Objectives and Contributions
- Broad objective: provide mechanisms that support the development and integration of traditional and new security applications into Software-Defined Networks
- Specific contributions: development of a security enforcement kernel for the NOX OpenFlow controller; role-based authorization; rule conflict detection; security directive translation

Motivating Security Applications
- Tarpits: an advanced anti-attack countermeasure designed to hold (reverse-DoS) inbound TCP connections from attackers
- Reflector Nets (*): a security app that reprograms the OF network to forward an external entity into a remote honeynet
- Phantom Nets: a technique in which a scanner is misled into producing a false topology map for the network being scanned
- Emergency Broadcast: when a switch-wide exceptional state is detected, this security app auto-inserts a high-priority forward rule for all connections originating from network-operator-owned addresses, while inserting drop filters to reject detected flooding sources/ports
- White holes: a strategy for defeating sophisticated density-aware IP scanning techniques used by scan-and-infect malware to increase the rate at which viable infection targets are discovered
- BotHunter: a method for diagnosing infections in internal network assets using dialog correlation to discover flow sequences that match coordination-centric malware infections
- Many more: TRW (*), BotMiner (*), P2P Plotter (*)

Prerequisites for a Secure OpenFlow Platform: must be resilient to
- Vulnerabilities in OF applications
- Malicious code in 3rd-party OF apps
- Complex interactions that arise between OF apps
- State inconsistencies due to switch garbage collection or policy coordination across distributed switches
- Sophisticated OF applications that employ packet modification actions
- Adversaries who might directly target our security services to harm the network

Classic NOX Architecture (diagram: Python SWIG, PY OF Apps, Native C OF Apps, NOX, Send_OpenFlow_Command())

The FortNOX Security Enforcement Kernel
- FortNOX: a non-bypassable mediation service that performs inline vetting of OpenFlow application flow rules against the current set of network flow constraints defined by administrators or OpenFlow security applications
- Least-privilege mediation of flow insertions for policy consistency
- The FortNOX controller executes independently, in a separate process space (and ideally under a separate user account), from that of the OpenFlow applications it services
- NOX C libraries are wrapped using a Proxy App; they must not be run within the FortNOX process space
- All interactions between the controller and the switch must be mediated by the controller
- 500 lines of C++ extension of the NOX source code

Authenticating Rule Producers
- FortNOX implements source authentication through the use of digital signatures
- Rule producers export a public key, which administrators may choose to install into FortNOX, assigning this key to an authorization role
- FortNOX accepts FLOW_MOD commands with an extra digital signature
- Legacy OF application rules are assigned default roles and the lowest priorities

Role-Based Authorization
- FortNOX extends the controller to recognize 3 standard authorization roles among flow rule producers:
- OF Operator Role: defines authoritative security policy
- OF Security Role: adds flow constraints to combat live threat activity
- OF Application Role: legacy OF apps, which may remain security unaware
- Authorization roles inform rule priority assignments and conflict resolution when conflicts are detected

Rule Conflict Analysis
- FortNOX incorporates a live rule conflict detection engine
- Rule conflict: arises when a new candidate rule enables or disables a network flow that is otherwise inversely prohibited (or allowed) by existing rules
- Alias set rule reduction: a method for detecting flow rule conflicts even when OF set operations are used

Rule Conflict Analysis: Conflict Resolution (diagram)
- Candidate rules: derive an ARR (aliased reduced rule) per candidate rule. Example on the slide: Match: a, b; Actions: a a, b c, forward; ARR: (a,a) (b,c) forward
- Compare each ARR against FortNOX's Aggregate Flow Table
- If the ARR intersects with a registered rule, then flag the candidate rule if the ARR conflicts
- Possible resolution, based on role-based priority: EQ: policy; GR: DEL, ADD; LT: REJECT

Security Directive Translation
- Python interface for translating high-level mitigation directives into flow rules
- Seven new OF security directives currently implemented: block, deny, allow, redirect, quarantine, undo, constrain and info

FortNOX Architecture (diagram components)
- Separate process; Python SWIG; IPC Interface; OF IPC Proxy; Directive Translator; Switch Callback Tracking
- Aggregate Flow Table: Operator Rules, SECURITY Rules, OF App Rules
- OF Mod Commands: Add (conflict enforced), Modify (conflict enforced), Delete (priority enforced)
- FT_Send_OpenFlow_Command; Role-based Source Auth; State Table Manager; Conflict Analyzer; Actuator
- Producers: Security Apps, PY OF Apps, Native C OF Apps

Performance (chart)

Other Issues
- Distributed policy synchronization: FortNOX extends NOX to use barrier messages and switch callbacks to track flow rule removal. Distributed policy insertion must be atomically synchronized; distributed policy removal must be atomically committed, which is harder.
- Accountability: audit accountability is a requirement for most sensitive computing environments. FortNOX produces a security audit trail for all flow rule commands, with authenticated producer IDs, detected rule conflicts and resolution outcomes.

Summary and Future Work
- FortNOX: A new secur
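The alias set rule reduction and role-based resolution described on the conflict analysis slides, as an added illustration that is not FortNOX's own code. It assumes hypothetical numeric priorities for the three roles, reduces a rule to (src, dst) pairs only, and treats the EQ case as "defer to policy" by holding the candidate; the inputs are a constructed dynamic flow tunneling attempt.

```python
from dataclasses import dataclass
from itertools import product
# Assumed role priorities (hypothetical numbers; the deck only ranks the roles).
ROLE_PRIORITY = {"operator": 3, "security": 2, "application": 1}

@dataclass
class Rule:
    src: str          # matched source address
    dst: str          # matched destination address
    rewrites: tuple   # OF set-field actions as (field, new_value), field "src" or "dst"
    forward: bool     # True = forward, False = drop
    role: str         # authenticated producer role
    def priority(self) -> int:
        return ROLE_PRIORITY[self.role]

    def arr(self) -> set:
        """Aliased reduced rule: all (src, dst) pairs once set actions expand the alias sets."""
        srcs, dsts = {self.src}, {self.dst}
        for field, new in self.rewrites:
            (srcs if field == "src" else dsts).add(new)
        return set(product(srcs, dsts))

def conflicts(cand: Rule, table: list) -> list:
    """Registered rules whose ARR intersects the candidate's with the opposite action."""
    c = cand.arr()
    return [r for r in table if r.forward != cand.forward and c & r.arr()]

def mediate(cand: Rule, table: list) -> str:
    """Role-based resolution from the deck: GR -> DEL, ADD; EQ -> policy; LT -> REJECT."""
    found = conflicts(cand, table)
    if not found:
        table.append(cand)
        return "ADD"
    top = max(r.priority() for r in found)
    if cand.priority() > top:      # GR: higher role wins, conflicting rules are deleted
        for r in found:
            table.remove(r)
        table.append(cand)
        return "DEL,ADD"
    if cand.priority() == top:     # EQ: deck defers to policy; the candidate is held here
        return "POLICY"
    return "REJECT"                # LT: lower-privileged producer cannot override

def demo() -> list:
    """Constructed tunneling check: drop a->c, then an app rule matching a->b rewrites dst to c."""
    table = []
    r1 = mediate(Rule("a", "c", (), False, "security"), table)
    r2 = mediate(Rule("a", "b", (("dst", "c"),), True, "application"), table)
    r3 = mediate(Rule("a", "c", (), True, "operator"), table)
    return [r1, r2, r3]
```

The tunneling rule is rejected because its ARR contains (a, c), which the higher-priority security drop rule already covers; the operator rule overrides and replaces that drop rule.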