CloudWatcher: Network Security Monitoring Using

OpenFlow in Dynamic Cloud Networks or: How to Provide

Security Monitoring as a Service in Clouds?

Seungwon Shin and Guofei GuSUCCESS LAB

Texas A&M University

Contents

• Background• Problem domain• CloudWatcher• Future work• Conclusion

Background

• Cloud is large and complicated– A lot of VMs in a cloud network

• “Amazon seems to operate nearly half million servers for a cloud network”– http://huanliu.wordpress.com/2012/03/13/amazon-data-center-size/

• Each server may run more than 10 VMs inside• Thus, Amazon may operate around 5 million VMs

– A lot of tenants use cloud services• They have different network or server configurations

• Cloud is dynamic– VMs can move any server in a cloud network

Problem Domain

• How to monitor cloud networks for security purposes– Each tenant will want to have different network

configurations– VM can move from a host to a host

– Current flow control methods do not consider security devices

Example Scenario

Routing from VM1 to VM3

Routing from VM1 to VM3 considering NIDS

H1

H1

H2

H2

H3

H3

R1 R2 R3

R4 R5

R1 R2 R3

R4 R5

Goal

• Provide routing algorithms– The algorithms guarantee that specified network

security devices can monitor specific network flows

• Provide a script language– A network administrator can easily register security

devices– Ad network administrator can easily define security

policies

SDN and OpenFlow

• SDN : Software Defined Networking– Separate network control plane and data plane– Intelligent control plane– Simple (and fast) data plane– We can program network• Control network flows (e.g., decide routing paths)

• OpenFlow– One of the popular SDN technologies

OpenFlow Overview

OpenFlowSwitch.org

OpenFlow Switch specification

Controller

OpenFlow Switch

FlowTable

SecureChannel

PCOpenFlow Protocol

SSL

hw

sw

Add/delete flow entries Encapsulated packets Controller discovery

Figure from Stanford OpenFlow tutorial

SDN and OpenFlow

• People try to apply this technology to a cloud network– Network virtualization• E.g., Nicira - NVP

– Network Infrastructure as a Service • E.g., OpenFlow interface with OpenStack

CloudWatcher

• A new framework– Provide monitoring services for large and dynamic

cloud networks– Automatically detours network packets to be

inspected by pre-installed network security devices• OpenFlow

– Provide a script to operate this framework

Operating Scenario

Register Security Devices

Create Security Policies

Parse Security Policies

Create Routing Rules

Enforce Flow Rules into Routers

Translate Routing Rules into OpenFow Rules

Administrator

Router (Device ID = 8)

{ID, TYPE, LOCATION, MODE, Func}{1, NIDS, 8, PASSIVE, Detect HTTP}

NIDS (ID = 1)

{FLOW CONDITON, DEVICE SET}

{10.0.0.1 20.0.0.2, {1}}

How to Control Flows

• 4 approaches– Multipath naïve– Shortest through– Multipath shortest– Shortest inline

- Sample network -S: start node, E: end nodeR: router, C: security device

Simple Shortest Path

• Basic routing scheme (NOT CloudWatcher’s idea)– Find the shortest path between a start host and an

end host– Path: S R1 R5 R6 E

Multipath Naïve (algorithm 1)

• Find multiple paths– Shortest path between S and E– Shortest path between S and C– Path

• S R1 R5 R6 E• S R1 R2 R3 R4

• OpenFlow provides a function to send packets to multiple outputs– E.g., R1 {R2, R5}

Shortest Through (algorithm 2)

• Find the shortest path passing through R4– Shortest path between S and R4– Shortest path between R4 and E– Path: S R1 R2 R4 R4 R6 E

Multipath Shortest (algorithm 3)

• Improved version of multipath naïve• Two phase– Find the shortest path (P1)

• S R1 R5 R6 E

– Find the shortest path between routers on the path P1 and R4• R6 R4• R6 {R4, E}

Shortest Inline (algorithm 4)

• Find a path passing through (a) specific link(s) (not node)

• Good for delivering network packets to inline devices– E.g., IPS (intrusion prevention system)

Summary for Flow Control Methods

Pros Cons When to use

Multipath Naïve

Simple and fast Redundant flows Enough network capacity, delay is important

Shortest Through

Efficient Computation overhead, when multiple devices

Not enough network capacity,delay is not so important

Multipath Shortest

Efficient Computation overhead

Not many hops (e.g., communication between inside VMs)

Shortest Inline

Guarantee passing through a specific link

Computation overhead, when multiple devices

For an inline security device (e.g., IPS)

Implementation and Evaluation

• CloudWatcher is implemented – As an OpenFlow application• Running on NOX controller• Implemented in Python

• Verify each algorithm on emulated networks– Use Mininet to emulate networks supporting

OpenFlow

Evaluation Results

• Flow rule generation time

Flow rule generation time (12 routers)

Shortest: Dijkstra algorithm to find the shortest pathAlgorithm1: Multipath naiveAlgorithm2: Shortest Through

Algorithm3: Multipath ShortestAlgorithm4: Shortest Inline

Future Work

• Optimize algorithms

• Dynamic path selection

• Provide security response strategies

• Verify the proposed ideas on a large scale system

Conclusion

• CloudWacther provides a new framework to monitor cloud networks – With the help of the SDN technology

• A cloud administrator can select algorithms based on network status

• A cloud administrator can monitor his network by writing simple scripts