Upload File

leveraging sdn & nfv to achieve software-defined security · • “a first step towards...

  • Home
  • Documents
  • Leveraging SDN & NFV to Achieve Software-Defined Security · • “A First Step Towards Security Extension for NFV Orchestrator,” by Montida Pattaranantakul, Yuchia Tseng, Ruan
12
Leveraging SDN & NFV to Achieve Software-Defined Security Zonghua Zhang @imt-lille-douai.fr

Upload: others

Post on 17-Mar-2020

2 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Leveraging SDN & NFV to Achieve Software-Defined Security · • “A First Step Towards Security Extension for NFV Orchestrator,” by Montida Pattaranantakul, Yuchia Tseng, Ruan

Leveraging SDN & NFV to Achieve

Software-Defined Security

Zonghua Zhang

@imt-lille-douai.fr

Page 2: Leveraging SDN & NFV to Achieve Software-Defined Security · • “A First Step Towards Security Extension for NFV Orchestrator,” by Montida Pattaranantakul, Yuchia Tseng, Ruan

2NEPS: NEtwork Performance and Security Group

Topics• Anomaly detection, root cause analysis • Security evaluation and management • Trust and reputation management • Security protocols

Areas• Enterprise networks • Wireless ad hoc networks • Emerging computer & communications networks (SDN/NFV, DCN, CPS, etc.)

• Machine learning • Statistics & Probability • Graph theory • Applied crypto • Networking • Software engineering • Simulations and testbed

Tools

Threat analysis: Performance goals vs. security properties

Prototype: Validation, Evaluation

Analysis, modeling and design

Page 3: Leveraging SDN & NFV to Achieve Software-Defined Security · • “A First Step Towards Security Extension for NFV Orchestrator,” by Montida Pattaranantakul, Yuchia Tseng, Ruan

LEVERAGING SDN/NFV FOR ACHIEVING SOFTWARE-DEFINED SECURITY

3

Self-Protection ►Security protocols ►Trust and reputation

system

Autonomic Cyberdefense: Mission Impossible ?

Attack

Defense

Self-Optimization ►Cost-effective security

hardening or response

Self-Configuration ►Adaptive security policy ►Self-adaptive software ►Software-Defined

Networking (SDN)

Self-Healing ►Automated vulnerability

analysis and patching

Page 4: Leveraging SDN & NFV to Achieve Software-Defined Security · • “A First Step Towards Security Extension for NFV Orchestrator,” by Montida Pattaranantakul, Yuchia Tseng, Ruan

4Cost-Effective Security Hardening

Partially ObservableMarkov Decision Process

Attack Graph & HiddenMarkovModel

Network sates

• “Exploring attack graph for cost-benefit security hardening: A probabilistic approach,” by Shuzhen Wang, Zonghua Zhang, and Youki Kadobayashi, Computers & Security 32: 158-169 (2013)

• “Measuring IDS-estimated attack impacts for rational incident response: A decision theoretic approach,” by Zonghua Zhang, Pin-Han Ho, Liwen He, Computers & Security 28(7): 605-614 (2009)

Network Storage Computing

Page 5: Leveraging SDN & NFV to Achieve Software-Defined Security · • “A First Step Towards Security Extension for NFV Orchestrator,” by Montida Pattaranantakul, Yuchia Tseng, Ruan

LEVERAGING SDN/NFV FOR ACHIEVING SOFTWARE-DEFINED SECURITY

5

Data plane

Control plane

Southbound APIs, e.g, OpenFlow

Northbound APIs

Access ControlIPS/IDS Deception

Application plane

Programmability

Global visibility

SDN Based Security Management

MonitoringIsolation

Page 6: Leveraging SDN & NFV to Achieve Software-Defined Security · • “A First Step Towards Security Extension for NFV Orchestrator,” by Montida Pattaranantakul, Yuchia Tseng, Ruan

6SDN Based Security Functions

• “Enabling security functions with SDN: A feasibility study,” by Changhoon Yoon, Taejune Park, Seungsoo Lee, Heedo Kang, Seungwon Shin, and Zonghua Zhang, Computer Networks 85: 19-35 (2015)

NIPSAnomaly detector

Stateful firewallHoneynet

► Hardware matters (e.g., multi-port-forwarding, picket header modification) ► Performance bottleneck is due to control messages (packet-in) ► Data plane has a rich set of network status information (SDN as database)

Page 7: Leveraging SDN & NFV to Achieve Software-Defined Security · • “A First Step Towards Security Extension for NFV Orchestrator,” by Montida Pattaranantakul, Yuchia Tseng, Ruan

7SDN Based DDoS Mitigation

• “ArOMA: An SDN based autonomic DDoS mitigation framework,” by Rishikesh Sahay, Gregory Blanc, Zonghua Zhang, and Hervé Debar, Computers & Security 70: 482-499 (2017)

► Collaborative ► On-demand

Page 8: Leveraging SDN & NFV to Achieve Software-Defined Security · • “A First Step Towards Security Extension for NFV Orchestrator,” by Montida Pattaranantakul, Yuchia Tseng, Ruan

LEVERAGING SDN/NFV FOR ACHIEVING SOFTWARE-DEFINED SECURITY

8NFV based Security Management and Orchestration

Page 9: Leveraging SDN & NFV to Achieve Software-Defined Security · • “A First Step Towards Security Extension for NFV Orchestrator,” by Montida Pattaranantakul, Yuchia Tseng, Ruan

9NFV based Security Management and Orchestration

NFV Infrastructure as a Service

Virtualized Network Functions (VNF) as a Service

Business Apps

NFV Orchestrator

Security Extension

Identity & Access Management

IDS/IPSNetwork Isolation

Data Protection

Access Control

• Project SecMANO: NFV based Security Management and Orchestration, CRE of Orange Labs

Page 10: Leveraging SDN & NFV to Achieve Software-Defined Security · • “A First Step Towards Security Extension for NFV Orchestrator,” by Montida Pattaranantakul, Yuchia Tseng, Ruan

10Security Orchestrator

► Policy-driven ► Centralized control ► Programmable ► Cross-layer ► Tenant-specific

• “A First Step Towards Security Extension for NFV Orchestrator,” by Montida Pattaranantakul, Yuchia Tseng, Ruan He, Zonghua Zhang, Ahmed Meddahi, ACM 2nd Workshop on SDN-NFV Security (Best paper), March 2017

• “SoDAC: A New Software-Defined Access Control Paradigm for Cloud-based Systems,” by Ruan He, Montida Pattaranantakul, Zonghua Zhang, Thomas Duval, the 19th international Conference on Information and Communications Security (ICICS), Dec. 2017

Page 11: Leveraging SDN & NFV to Achieve Software-Defined Security · • “A First Step Towards Security Extension for NFV Orchestrator,” by Montida Pattaranantakul, Yuchia Tseng, Ruan

11Perspectives

Multi-cloud & cross-layer ►Tenant-specific ►VNF, service, app ►Scalable, agile

Controllability ►Automated reaction ►Fine-grained policy enforcement

Intelligence & decision making ►Monitoring, detection ►Access control ►Security policy

In-depth defense ►Global visibility ► Isolation ►Trustworthiness

• Open Security Controller, by Huawei, Intel, McAfee etc., https://www.opensecuritycontroller.org/

Page 12: Leveraging SDN & NFV to Achieve Software-Defined Security · • “A First Step Towards Security Extension for NFV Orchestrator,” by Montida Pattaranantakul, Yuchia Tseng, Ruan

Thanks !

Zonghua Zhang

@imt-lille-douai.fr


NFV Security Gateway for Communications Service … Brief | NFV Security Gateway for Communications Service Providers Mobile traffic is expected to grow at a compound annual growth

SDN AND NFV - coinsrs.no · sdn and nfv security dr. sandra scott-hayward, queen’s university belfastcoins summer school, 23 july 2018

FORTINET AND CLOUDIFY SECURITY SOLUTION · FORTINET AND CLOUDIFY SECURITY SOLUTION Comprehensive Security supported by Advanced NFV Orchestration Network Function Virtualization (NFV)

NETWORK FUNCTIONS VIRTUALIZATION FOR SECURITY … Whitepaper NFV-S-06032014.pdfNetwork Functions Virtualization for Security (NFV-S) Page 5 The Benefits NFV-S is a new approach through

Delivering Security Virtually Everywhere with SDN and NFV

A survey on emerging SDN and NFV security mechanisms for ... › publications › A_survey_on...to SDN and NFV paradigms. In [23], [24], [25], SDN-based security solutions are proposed

Virtual CPE NFV Solution Development for Security Servicessdn.calsoftlabs.com/downloads/CaseStudies/VirtualCPE-FV... · 2018-03-14 · Virtual CPE NFV solution targeting telecom operators

Ruan Transportation Management Systems | Ruan PDFs/408... · .3PL news BECOMING THE 3PL OF CHOICE RUAN NEWS WELCOME TO 3PL NEWS! Second Quarter 2016 Ruan is working hard to become

SDN and NFV integrated OpenStack Cloud - Birds eye view on Security

Virtual Security as a Service for 5G Verticals · SDN, NFV and cloud computing. ETSI NFV [20] has defined a reference architecture for enabling NFV orchestration and VNF management

ETSI GR NFV-SEC 005 V1.1 · 2019-01-16 · ETSI 2 ETSI GR NFV-SEC 005 V1.1.1 (2019-01) Reference DGR/NFV-SEC005 Keywords certificate, NFV, security ETSI 650 Route des Lucioles F-06921

ETSI GS NFV-SEC 003 V1.1 · 2014. 12. 22. · ETSI 2 ETSI GS NFV-SEC 003 V1.1.1 (2014-12) Reference DGS/NFV-SEC003 Keywords NFV, security ETSI 650 Route des Lucioles F-06921 Sophia

ETSI GS NFV-SEC 009 V1.1 · The Security Problem Statement, ETSI GS NFV-SEC 001 [i.1] identifies an issue with multi-layer administration for NFV. Multi-layer administration seeks

Uniform IoT security using NFV based policy enforcement gateways

Delivering Security Virtually Everywhere with SDN … ROLE OF SECURITY IN SDN AND NFV ... Delivering Security Virtually Everywhere with SDN and NFV NFV AND SECURITY: DELIVERING SERVICES

Dennis ruan portfolio

Design Patterns submitted - events.static.linuxfound.org · Security Design Patterns for NFV. Foundational Security Applying Zero Trust* to NFV n * No More Chewy Centers: The Zero

SDN+NFV: Algorithmic and Security Challenges

SDN+NFV: Algorithmic and Security Challengesstefan/forth17.pdf · SDN/NFV Opportunities: Programmability, (logical) centralization and virtualization (multi-tenancy). Some (often

2.NFV(17)000251r1 ETSI NFV Concepts and MANO details - NFV ...17)000251r1_ETSI_NFV_Conce… · NFV/IFA0073 NFV/SOL0033(API) NFV/IFA008 NFV/SOL0023(API) ETSI3GSNFV /IFA011 VNF’Package’&’VNFD

Ascension - Ruan - Score.pdf

Security Challenges and Guidance for Protecting NFV on ... · HUAWEI TECHNOLOGIES CO., LTD. Security Challenges and Guidance for Protecting NFV on Cloud IaaS ... therefore cause possible

NFV Security Opportunities and Challenges (Slides for ...grouper.ieee.org/groups/srpsdv/meetings/2014 October/SRPSDVE... · 1 NFV Security – Opportunities and Challenges (Slides

Inherent Security Design Patterns for SDN/NFV Deployments

Protecting Your SDN and NFV Network from ... - Telco Systems · Security challenges with distributed-NFV Data Center Controller NFV/Cloud Computing Compute Nodes OpenStack is the

Virtual CPE NFV Solution for Security service | Technology · VIRTUAL CPE NFV SOLUTION FOR SECURITY SERVICES ... ALTEN Calsoft Labs designed and developed a Virtual CPE NFV solution

The Time is NOW for NFV - WordPress.comThe Time is NOW for NFV ... VMware vCloud NFV™ Platform and vCloud NFVTM Bundle 22 COMPUTE NETWORK & SECURITY STORAGE AND ... Manager vSAN

ETSI GS NFV-SEC 001 V1.1 - Home Page of Bob Briscoe · PDF fileETSI GS NFV-SEC 001 V1.1.1 (2014-10) Network Functions Virtualisation (NFV); NFV Security; Problem Statement Disclaimer

Semantic-Aware Security Orchestration in SDN/NFV-Enabled

Security Challenges and Opportunities in SDN/NFV … · Security Challenges and Opportunities in SDN/NFV Networks ... MGCF, 3G-MSC, MGW ) Mj Attacks via ... Security Challenges and

ETSI GR NFV-SEC 003 V1.2 · PDF fileETSI GR NFV-SEC 003 V1.2.1 (2016-08) Network Functions Virtualisation (NFV); NFV Security; Security and Trust Guidance Disclaimer The present document

ETSI GS NFV-SEC 013 V3.1 · ETSI GS NFV-SEC 013 V3.1.1 (2017-02) Network Functions Virtualisation (NFV) Release 3; Security; Security Management and Monitoring specification Disclaimer

ETSI GR NFV-SEC 005 V1.1 · 2019. 1. 16. · ETSI 2 ETSI GR NFV-SEC 005 V1.1.1 (2019-01) Reference DGR/NFV-SEC005 Keywords certificate, NFV, security ETSI 650 Route des Lucioles F-06921

ETSI GS NFV-SEC 003 V1.1 · ETSI GS NFV-SEC 003 V1.1.1 (2014-12) Network Functions Virtualisation (NFV); NFV Security; Security and Trust Guidance Disclaimer This …

ETSI GS NFV-SEC 014 V0.0.6 - Directory Listing / · Web viewETSI GS NFV-SEC 014 V0.0.8 (2017-05) Network Functions Virtualisation (NFV); NFV Security; Security Specification for MANO