Software Defined Network Based Threat Defence Security Model - IJERT


International Journal of Engineering Research & Technology (IJERT), ISSN: 2278-0181, Vol. 3 Issue 4, April 2014

Software Defined Network Based Threat Defence Security Model

Parthiban A
Department of Information Security and Cyber Forensics, SRM University, Chennai, India

Godwin Ponsam J
Department of Information Security and Cyber Forensics, SRM University, Chennai, India

Abstract— It is generally considered a challenge to provide network security to our network. We require various devices such as firewalls, intrusion detection and prevention systems. These network security devices must be constantly monitored and managed by a security operation center [10]. The logs and alerts from the various devices have to be analyzed and remedial action must be taken in real time, hence a manual analyst is required to inspect the logs and alerts. This method has a considerable time lag which might lead to a network outbreak in some emergency situation. In this paper we propose dynamic blocking of critical anomalous traffic using software defined networking [1] infrastructure. We have adopted the OpenFlow protocol [2] to provide communication between the controller and an OpenFlow-hybrid switch. The controller [1] runs applications such as an intrusion detection system [3] and a rule database. Security information and event management collects all the logs and alerts from the network security devices. When a critical incident is triggered, it is sent to the controller to block the critical anomalous traffic immediately.

Keywords- Intrusion detection system, OpenFlow, Flow table, OpenFlow channel, software defined networking.

I. INTRODUCTION

Network security nowadays has become indispensable for everyone. Securing our network from various known and unknown attacks is a challenging task. Attacks from both internal and external networks are threats to information security. Security professionals are necessary to analyze the various network events and identify major threats to our network. Various security mechanisms have to be deployed to detect and prevent intrusions of our network. Whenever a new technology emerges, security professionals are in the position to look for security in it. In this paper, the whole idea is about using Software Defined Networking technology for providing security to our network.

II. INTRUSION DETECTION SYSTEM

A network-based intrusion detection system is a powerful tool to elevate the security level of networks. A network-based ID system monitors the traffic on its network segment for harmful data. It is used to prevent various attacks in future. This is generally possible by placing the network interface card in promiscuous mode to capture all network traffic that crosses its network segment. A network-based IDS has some sensors looking at the packets which pass through it. These sensors are capable of analyzing only the packets that happen to be carried onto the network segment they are attached to. Packets are considered to be of interest if they match a signature which resides in the database.

A. Intrusion detection operation modes

On-path detection
The IDS is placed on the packet traversal route, so the traffic which goes on that path will be analyzed for malicious data before being forwarded to the device. As it is placed on the path of a route, it affects the performance of the network.

Off-path detection
In this approach the IDS is a separate node which is connected to a network switch. Every packet on the network is mirrored and sent to the IDS for inspecting traffic to detect network intrusions. Unlike on-path detection, this approach will not affect the performance of the network. In this paper we use this approach for the deployment of the IDS to detect the malicious data on the network. Hence the performance of the network can be greatly increased.

III. SOFTWARE DEFINED NETWORKING

A new paradigm in networking, software defined networking (SDN), advocates separating the data plane and the control plane, making network switches in the data plane simple packet forwarding devices and leaving a logically centralized software program to control the behavior of the

entire network [1]. SDN announces new opportunities for network management and configuration methods. The controller acts as an intelligent module to dictate the behavior of the network. Besides switching and routing capabilities, the controller can also act as an interface for running various applications. These applications facilitate the management capabilities which are specified in the layers of SDN as shown in Figure 1.

Figure 1. Layers of SDN

IV. OPENFLOW NETWORK

OpenFlow is an open standard that allows researchers to run experimental protocols in the SDN infrastructure. The OpenFlow switch [2] and controller communicate via the OpenFlow protocol, which defines messages such as packet-received, send-packet-out, modify-forwarding-table, and get-stats. It enables one controller to manage all OpenFlow switches remotely. The main components of an OpenFlow network are the following.

A. OpenFlow switch

An OpenFlow switch consists of one or more flow tables and a group table, which perform packet lookups and forwarding, and an OpenFlow channel [2] to the external controller (Figure 3). The switch communicates with the controller and the controller manages the switch via the OpenFlow protocol.

Types of OpenFlow switch

OpenFlow-hybrid switch
These OpenFlow switches support both OpenFlow operation and normal operation such as switching, routing, ACL and QoS in a traditional network [2].

OpenFlow-only switch
These OpenFlow switches support only OpenFlow operation. In such switches, all the packets are processed by OpenFlow pipelines, and cannot be processed otherwise.

B. Flow table

An OpenFlow switch contains a number of flow tables [2] which are used to process packets. When handled by a flow table, the packets are matched against the flow entries of the flow table to select a flow entry. If a flow entry is found, the instruction set included in that flow entry is executed. These instructions may send the packet to another flow table, where the same process is repeated again. If the packet doesn't match any flow entry, by default the unmatched packet is dropped (discarded), but we override this default and specify another behavior to process the packet on table miss. The flow table entries are populated by the controller. The main components of a flow entry in a flow table are shown in Table 1.

Table 1. Main components of a flow entry in a flow table
Match fields | Priority | Counter | Instructions | Timeouts | Cookies

Each flow table entry contains:

Match fields: To match against packets. This field consists of the ingress port, packet headers and optional metadata specified by a previous table.
Priority: Matching parameter of the flow entry.
Counters: Updated when packets are matched.
Instructions: To modify the action set or pipeline processing.
Timeouts: Maximum amount of time that the flow entry exists in the flow table.
Cookie: Opaque data value chosen by the controller. May be used by the controller to filter flow statistics, flow modification and flow deletion. Not used when packets are processed.

C. OpenFlow channel

The OpenFlow channel [2] is an interface through which data is transferred between the OpenFlow switch and the controller. It should be a secure channel to prevent man-in-the-middle attacks.

D. OpenFlow protocol

The OpenFlow protocol provides an open and standard way for the controller to communicate with an OpenFlow switch. Using the OpenFlow protocol, the controller can update, add and delete flow entries in the flow tables, both reactively (in response to packets) and proactively. The OpenFlow specification [2] provides an excellent

source of information about the OpenFlow protocol and its usage. The scope of the OpenFlow switch specification is shown in Figure 2.

Figure 2. Scope of OpenFlow switch specification

E. OpenFlow pipeline

The OpenFlow pipeline [2] of every OpenFlow switch encompasses multiple flow tables, each flow table containing multiple flow entries. The OpenFlow pipeline processing defines how packets interact with those flow tables. An OpenFlow switch should have at least one flow table and can optionally have more than one flow table. An OpenFlow switch with only a single flow table is valid; in this case pipeline processing is greatly reduced. Using pipeline instructions, packets are directed to the other flow table.

V. METHODOLOGY

In recent days much research has been in progress to make the OpenFlow switch perform efficient switching and routing using software defined networking. In this paper we use a hybrid OpenFlow switch which has two tables: the first one is the access control flow table, which is used only to block the critical traffic of our network, and the other is the normal content addressable memory table, which is used for L2 switching.

A. Access control flow table

The access control flow table is used to block malicious packets before they are forwarded for normal switching. This table blocks the traffic with some matching conditions which are placed as access control flow entries, as shown in Fig. 4. This table simply acts as a firewall to block the critical traffic using flow entries. This is shown in Table 2.

Table 2. Access control flow table with sample entry (column headings inferred from the description below)
       Source address   Source port   Destination address   Destination port   Action
Rule   6.6.6.6          *(any)        *(any)                3389               DROP

In Table 2 the access control flow entry checks for any packet which has source IP address 6.6.6.6 trying to connect to a destination machine on port 3389. If the packet matches the criteria specified by the access control flow table, the packet is dropped. These entries are generally populated by the controller using the OpenFlow protocol.

B. Content Addressable Memory table

Primarily, when a packet is entering the switch, it has to be processed by the access control flow table. If the packet doesn't match any entry in the access control flow table then it will be forwarded to the CAM [9] table for normal L2 switching. Pipeline instructions are used to control the flow between the access control flow table and the CAM table.

C. IDS

The controller has various applications which run on it; one such application is the IDS. Every packet entering the switch will be mirrored and sent to the IDS to detect malicious data on the network. Basically the IDS will detect intrusions in two ways. One is signature-based IDS, which checks the database of previous attack signatures and known system vulnerabilities. The meaning of the word signature is a recorded indication of an intrusion or an attack. Each intrusion leaves a footprint behind (e.g., the nature of data packets, failed attempts to run an application, failed logins, folder and file access etc.); these footprints are called signatures and can be used to recognize and prevent the same attacks in the future. The other is anomaly-based detection, in which an active IDS uses references as a baseline or uses the learned pattern of normal system activity. Deviations from this baseline or pattern trigger an alarm. The alerts generated by the IDS are sent to security information and event management [8] (SIEM). Security information and event management is responsible for event management and incident generation.

D. Security Information and Event Management

Security information and event management (SIEM) is a method of security management that provides a complete view of an organization's information technology (IT) security. SIEM systems collect security associated events from end user devices, servers, network devices and even specialized security devices like antivirus, firewalls or intrusion prevention systems. This system is mainly used to create an incident from the collected security events using some pre-defined rules. From the SIEM, critical incidents will be sent to the rule database. Other critical incidents will be sent to the SOC (security operation center).

E. Rule database

The rule database has some pre-defined formats to create access control rules which will be populated in the access control flow table to block the critical anomalous traffic. Only critical incidents have a rule format. Whenever such a critical incident is triggered, the rule database will parse the packet header information and create an access control rule

according to the fine-tuned format which is assigned for that particular critical incident. Other incidents will be sent to the security operation center for further analysis.

Example: for a "bot activity with external source IP address (4.5.5.5)" incident, the predefined format will be like "block any packet with IP address (4.5.5.5)", and the flow entries of the access control table look like Table 3.

Table 3. Sample flow entries for critical incident (reconstructed from the surviving fragments and the example above; only the Rule label, the destination address *(any) and the DROP action are legible in the extracted text)
       Source address   Destination address   Action
Rule   4.5.5.5          *(any)                DROP

As specified in Table 5, with the combination of different addresses and ports we can block critical traffic successively.

F. Security Operation Center

A SOC is the people, procedures and technologies involved in creating situational awareness through detection, containment, and remediation of IT threats. A SOC manages incidents for the enterprise, ensuring that they are properly identified, analyzed, communicated, actioned/defended, investigated and reported. The SOC holds analysts who analyze the incidents and come up with remedial action.

G. Redundancy check

Once the rule is generated by the rule database, it is sent to the redundancy check module. The module has to be completely updated with the access control flow entry information. Before forwarding the access control flow entries to the controller, it is checked whether the particular rule might have already been implemented. If it is a new rule then it will be forwarded to the controller. The controller will then update the access control flow table with the current rule it has. The overall architecture of our proposal is shown in Figure 3.

H. Proposed Pseudo code

Step 1: Whenever a packet is coming inside the OpenFlow switch, send a mirrored copy of the packet to the IDS.
Step 2: Then process the packet through the access control flow table.
Step 3: If the parsed packet header field matches a rule, then drop the packet.
Step 4: If the packet does not match any rule, then forward the packet to the CAM table for normal L2 switching.
Step 5: When a critical incident from the SIEM is triggered, send that incident to the rule database.
Step 6: If that critical incident has a pre-defined rule format, then create a rule by parsing the packet.
Step 7: Check whether the rule has already been implemented; if not, send it to the controller.
Step 8: Update that rule in the access control flow table through the centralized controller.

Figure 3. Architecture diagram

VI. CONCLUSION AND FUTURE WORK

In this paper we have proposed dynamic blocking of critical anomalous traffic, which prevents network outbreaks during emergency conditions. Before the critical incidents are forwarded for analysis, access control rules are implemented at the device level; this prevents the spreading of malicious traffic in our network. Since the centralized controller also behaves as an IDS, the cost of deploying IDS sensors for capturing packets will be greatly reduced. Future enhancements include implementation of an OpenFlow-only switch with dynamic packet forwarding capability and access control mechanisms.

REFERENCES

[1] Hyojoon Kim and Nick Feamster, Georgia Institute of Technology, "Improving Network Management using Software Defined Network".
[2] OpenFlow Switch Specification, version:
[3] Stephen Northcutt, Judy Novak, "Network Intrusion Detection System".
[4] N. McKeown, et al., "OpenFlow: Enabling Innovation in Campus Networks", SIGCOMM CCR, Vol. 38, Issue 2, March 2008.

[5] Stephen Northcutt, Mark T. Edmead, "Inside Network Perimeter Security".
[6] www.openflow.org
[7] www.sdncentral.com
[8] http://en.wikipedia.org/wiki/Security_information_and_event_management
[9] http://en.wikipedia.org/wiki/CAM_Table
[10] http://en.wikipedia.org/wiki/Information_security_operations_center
[11] http://en.wikipedia.org/wiki/Computer_security_incident_management
[12]
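The pseudo code of Section V.H (access control flow table ahead of the CAM table, rule database with pre-defined formats, redundancy check) as an added example, not code from the paper or its authors; the incident type name "bot_activity_external_ip" and the packet header field names are assumptions.

```python
# Added example (not from the paper): a minimal model of the paper's two-table
# OpenFlow-hybrid switch pipeline, rule database and redundancy check; the
# incident type names and packet field names are assumptions, not the paper's.
from dataclasses import dataclass
ANY = "*"  # wildcard, written "*(any)" in the paper's tables

@dataclass
class FlowEntry:
    src_ip: str = ANY
    src_port: str = ANY
    dst_ip: str = ANY
    dst_port: str = ANY
    action: str = "DROP"
    counter: int = 0  # updated on every matched packet (Table 1 "Counter")
    def key(self):  # match fields plus action; identifies an installed rule
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.action)
    def matches(self, pkt):
        """A field matches when it is the wildcard or equals the packet header."""
        have = (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])
        return all(w == ANY or w == str(h) for w, h in zip(self.key()[:4], have))
# Pre-defined rule formats keyed by critical incident type (assumed names);
# an incident type without a format is handed to the SOC instead.
RULE_FORMATS = {
    "bot_activity_external_ip": lambda hdr: FlowEntry(src_ip=hdr["src_ip"]),
}

class AccessControlTable:
    def __init__(self):
        self.entries = []

    def add_rule(self, rule):
        """Redundancy check (step 7): install only rules not already present."""
        if any(rule.key() == e.key() for e in self.entries):
            return False
        self.entries.append(rule)
        return True

    def process(self, pkt):
        """Steps 2-4: DROP on a match; on table miss go to the CAM table (L2)."""
        for e in self.entries:
            if e.matches(pkt):
                e.counter += 1
                return e.action
        return "GOTO_CAM_TABLE"
def handle_incident(table, incident):
    """Steps 5-8: a critical incident with a rule format becomes a flow entry."""
    fmt = RULE_FORMATS.get(incident["type"])
    if fmt is None:
        return "SOC"
    return "INSTALLED" if table.add_rule(fmt(incident["header"])) else "DUPLICATE"
```

A packet from 4.5.5.5 is dropped by the access control table after the incident is handled once, and the same incident a second time is reported as a duplicate rather than installed twice.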
