TRANSCRIPT
NETWORK SERVICE SECURITY THROUGH SOFTWARE DEFINED NETWORKING
Melanie Palmer, Rob Sullivan, John Bilberry
LA-UR-13-25961
Overview
• Introduction
• Test Method and Materials
• Results
• Conclusion
• Future Work
• Questions
Software Defined Networking
• Separates the data plane from the control plane
• A software layer between the hardware and the administrator
• Virtual networks within a physical network
OpenFlow
• Open source SDN
• Hardware management on a single platform
• Exploits a common set of functions found on most switches
• OpenFlow Protocol
• Flow table
• Actions
Controller
• Management software for the network
• Communicates via a secure channel
• Pushes and removes flows
• Determines actions for undefined flows
Networks for Security
[Diagram: User, Switch, Controller, Security Node, Network 1, Network 2]
• User job in Node 1
• If User accesses Node 2, redirect to Security Node
Rule 1: Allow access to Network 1
Rule 2: Redirect to Security Node if access to Network 2 is attempted
Materials and Test Methods
Melanie Palmer
Objective
• Performance
• Reliability
• Scalability
Materials: Our Cluster
• Seven nodes, CentOS 6.4
• Arista 7050S, OpenFlow 1.0, EOS 4.10.4
• Floodlight 0.9: open source, widely used in industry, Java based
Test Suite
• Load Test: Performance, Reliability
Test Suite: Load Test
[Flowchart steps: Start Test, TCPDump, Start 10 Sections, Start Traffic, Change Flows, Increment Pings/Sec, Increment Flows/Sec, Finish. Inputs: Tests, Sections, Timing Limit, Traffic Limit]
Load Test
[Diagram: Controller, Switch, Node A, Node B, Node C]
Rule 1: Connect A and B
Rule 2: Drop anything to C
Load Test (flows changed)
[Diagram: Controller, Switch, Node A, Node B, Node C]
Rule 1: Connect A and C
Rule 2: Drop anything to B
Test Suite
• Load Test
• Speed Test: Scalability, Performance
Test Suite: Speed Test
[Flowchart steps: Start Test, TCPDump to File, Send Traffic to Node C, Change Flow]
Speed Test
[Diagram: Controller, Switch, Node A, Node C]
Rule 1: Connect A and C
Speed Test (flow changed)
[Diagram: Controller, Switch, Node A, Node C]
Rule 1: Drop Node C
Test Suite: Analysis Program
[Plot: "Expected Behavior" curve with a section marked "Failure!"]
Test Suite: Analysis Program
Stage 1 - Extracts
○ Error rate
○ Flow change speed
Stage 2 - Analyzes
○ Averages data
○ Standard deviations
[Plot: section marked "Failure!"]
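The two analysis stages above, as an added Python example that is not from the deck or its authors: it reads constructed tcpdump-style lines (the line format, node addresses and timing limit are assumptions) captured at the node a flow change should connect, extracts the flow change speed per section, counts a section with no traffic inside the timing limit as a flow push error, and then averages across sections.

```python
import re
import statistics
from typing import Optional

# tcpdump -tt style line: "<epoch secs> IP <src> > <dst>: ICMP echo request, ..."
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): ICMP echo request")

# Constructed captures (not from the deck): (time the controller pushed the change, capture at Node C)
NODE_C = "10.0.0.3"
TIMING_LIMIT = 1.0  # seconds a section waits for traffic before it counts as a flow push error
SECTIONS = [
    # Section 1: pings reach Node C 3.1 ms after the push; the earlier packet still went to Node B.
    (10.0, "9.998100 IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 7, seq 40, length 64\n"
           "10.003100 IP 10.0.0.1 > 10.0.0.3: ICMP echo request, id 7, seq 41, length 64\n"
           "10.004600 IP 10.0.0.1 > 10.0.0.3: ICMP echo request, id 7, seq 42, length 64\n"),
    # Section 2: 4.7 ms, with an ARP line the parser must skip.
    (20.0, "20.001000 ARP, Request who-has 10.0.0.3 tell 10.0.0.1, length 28\n"
           "20.004700 IP 10.0.0.1 > 10.0.0.3: ICMP echo request, id 7, seq 80, length 64\n"),
    # Section 3: the push never took effect; traffic keeps going to Node B -> "Failure!".
    (30.0, "30.002000 IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 7, seq 120, length 64\n"
           "30.502000 IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 7, seq 121, length 64\n"),
]

def extract_section(change_time: float, capture: str, dst: str = NODE_C,
                    timing_limit: float = TIMING_LIMIT) -> Optional[float]:
    """Stage 1: flow change speed (s) for one section, or None when the push failed
    (no echo request to `dst` within the timing limit after the change)."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("dst") == dst:
            delay = float(m.group("ts")) - change_time
            if 0 <= delay <= timing_limit:  # packets before the change do not count
                return delay
    return None

def analyze(sections=SECTIONS) -> dict:
    """Stage 2: error rate (%) over all sections, mean and std dev of the successful changes."""
    speeds = [extract_section(t, cap) for t, cap in sections]
    ok = [s for s in speeds if s is not None]
    return {
        "error_rate_pct": 100.0 * (len(speeds) - len(ok)) / len(speeds),
        "mean_change_s": statistics.mean(ok) if ok else None,
        "stdev_change_s": statistics.pstdev(ok) if ok else None,
    }

if __name__ == "__main__":
    print(analyze())
```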
Results
Rob Sullivan
Load Test Results
[Plot: Flow Push Error Rate; x axis Pings/Second (0.1 to 53.5), y axis Error (%) (0 to 16); one series each at 250, 500 and 750 Flows per Second]
Speed Test Results
Problems: Some We Overcame, Some We Didn’t
• OpenFlow 1.0
• Volume and nature of data
• Human error
• Imprecision of some test methods
• Meaningful packet redirection
Conclusion
Will OpenFlow Work?
Pros
• Allows software reconfiguration of networks
• Easy administration
• Flows can be reliably pushed up to a measurable rate
• Flow push failure is low even at high push rates
Cons
• OpenFlow v. 1.0 inadequacies
• Hardware specific limits
• Potential security issues
• Controller can get overwhelmed
Future Work
• OpenFlow 1.1
• Security
• Controllers and hardware
• Scale
Acknowledgements
Instructors – Dane Gardner and Matthew Broomfield (T.A.)
Mentors – Kyle Lamb (HPC-3) and Ben McClelland (HPC-5)
Special Thanks:
Los Alamos National Laboratory – Gary Grider, Josephine Olivas, Carolyn Connor, Scott Robbins and Carol Hogsett
New Mexico Consortium – Ann Kuiper
PRObE – Andree Jacobson
Our Schools:
University of Texas at El Paso
New Mexico Institute of Mining and Technology
Michigan Technological University
Questions? Your turn!