SciPass: Securish OpenFlow Based Science DMZ
Edward Balas, GlobalNOC
Indiana University, June 15, 2015
Problem
• Campus networks are enterprise infrastructure
  – large number of small flows
  – security is a required capability
• not elephant-flow friendly
• could just bypass, but that doesn't provide the required security
• what about performance assurance?
Science DMZ
• designed to support high-performance science apps
  – reduce the loss that impacts TCP performance
  – appropriate security for 100 Gbps
  – integrate network test points
• go fast, keep it controlled
[Figure: car cartoon captioned "Not This" / "I should try rear engine" / "This"]
Objective
• reconfigure existing components for a better experience
• Correct, Consistent, Performant, Affordable
• 100G Science DMZ with security features baked in
  – adaptive IDS load balancing
  – hardware block / forward of traffic
  – controlled bypass of the institutional firewall
  – integrated measurement
[Figure: car cartoon captioned "Even Better, engine in rear"]
Approach
• Combine
  – OpenFlow switch
  – Bro
  – perfSONAR
• create a reactive system
  – default to the secure / slow path
  – use the IDS to control what goes on the fast path
Default Behavior
• traffic goes through the firewall
Default Behavior
• in parallel, copies of the packets are sent to the IDS ports
• the copies are spread across an array of IDS sensors
• load balancing techniques decide which sensor sees which traffic
IDS detects good
• as the IDS inspects traffic, it identifies science flows
• it signals SciPass to set up the fast path and to stop sending that flow's data to the IDS
SciPass Bypasses Firewall
• based on the IDS input, SciPass installs a fast-path rule for the transfer
  – the firewall is bypassed
  – the traffic is no longer sent to the IDS
Technical Details
• stand-alone / appliance SDN deployment
• combines Bro with SciPass to create a reactive / adaptive system
• the new thing here is that we are fingerprinting GOOD traffic and enhancing its path through the DMZ
• oh, and we can do fine-grained 5-tuple based blocking
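The reactive path described on the preceding slides (default slow path through the firewall with a copy to an IDS, IDS verdict, fast-path bypass, 5-tuple block), as a small Python model added here. It is an illustration, not SciPass's own controller code: the action names output:firewall, mirror:idsN, output:fastpath and drop are invented, the IDS sensor for the default copy is chosen by a modulo of the source address rather than the prefix balancer, the bypass is installed for both directions of the transfer, and bypass rules get an idle timeout so a fast path does not outlive the transfer it was opened for. All of those choices are this example's, not the deck's; the only semantics taken from OpenFlow is that the highest-priority matching entry wins.

```python
import ipaddress
import time


def reverse(ft):
    """Swap the endpoints of a (proto, src, sport, dst, dport) tuple."""
    proto, src, sport, dst, dport = ft
    return (proto, dst, dport, src, sport)


class Rule:
    """One OpenFlow-style table entry; the highest-priority match wins."""

    def __init__(self, priority, match, actions, idle_timeout=0):
        self.priority = priority
        self.match = match                # callable(five_tuple) -> bool
        self.actions = actions            # tuple of action names (assumed)
        self.idle_timeout = idle_timeout  # seconds; 0 = never expires
        self.last_hit = 0.0


class SciPassModel:
    """Toy controller: default slow/secure path, IDS-driven fast path and
    5-tuple blocks. Action names are this example's, not SciPass's."""

    FIREWALL = "output:firewall"
    FASTPATH = "output:fastpath"   # bypasses the firewall, carries no IDS copy
    DROP = "drop"

    def __init__(self, n_sensors, clock=time.monotonic):
        self.clock = clock
        self.rules = []
        # Default behaviour: every packet goes through the firewall and a
        # copy goes to one IDS sensor. Sensor choice here is a modulo of the
        # source address, a stand-in for the prefix-based load balancer.
        for k in range(n_sensors):
            def to_sensor(ft, k=k, n=n_sensors):
                return int(ipaddress.ip_address(ft[1])) % n == k
            self.add_rule(Rule(1, to_sensor, (self.FIREWALL, f"mirror:ids{k}")))

    def add_rule(self, rule):
        rule.last_hit = self.clock()
        self.rules.append(rule)
        self.rules.sort(key=lambda r: -r.priority)

    def expire(self):
        now = self.clock()
        self.rules = [r for r in self.rules
                      if not (r.idle_timeout and now - r.last_hit > r.idle_timeout)]

    def forward(self, ft):
        """Actions the switch applies to a packet of flow ft."""
        self.expire()
        for rule in self.rules:
            if rule.match(ft):
                rule.last_hit = self.clock()
                return rule.actions
        raise LookupError("table miss: the default rules should match everything")

    def on_ids_verdict(self, ft, verdict, bypass_idle=30):
        """Signal from the IDS. 'good' opens the fast path for both directions
        of the transfer, which also stops the IDS copy because the fast-path
        action list has no mirror; 'bad' installs an exact 5-tuple drop that
        outranks everything and never times out."""
        def exact(target):
            return lambda f: f == target

        if verdict == "good":
            for f in (ft, reverse(ft)):
                self.add_rule(Rule(100, exact(f), (self.FASTPATH,), bypass_idle))
        elif verdict == "bad":
            for f in (ft, reverse(ft)):
                self.add_rule(Rule(200, exact(f), (self.DROP,)))
        else:
            raise ValueError(f"unknown verdict {verdict!r}")


def demo():
    """Walk one transfer and one hostile flow through the states the slides
    describe, with a fake clock; returns the action list seen at each step."""
    now = [0.0]
    sp = SciPassModel(n_sensors=4, clock=lambda: now[0])
    xfer = ("tcp", "10.0.0.2", 50000, "198.51.100.10", 2811)  # constructed DTN transfer
    scan = ("tcp", "203.0.113.7", 44444, "10.0.0.2", 22)       # constructed hostile flow
    seen = {}
    seen["default"] = sp.forward(xfer)          # firewall + copy to an IDS sensor
    sp.on_ids_verdict(xfer, "good")             # IDS recognised a science flow
    seen["bypass"] = sp.forward(xfer)
    seen["bypass_reverse"] = sp.forward(reverse(xfer))
    sp.on_ids_verdict(scan, "bad")              # IDS asked for a 5-tuple block
    seen["blocked"] = sp.forward(scan)
    now[0] += 31.0                              # transfer idle past its timeout
    seen["after_idle"] = sp.forward(xfer)       # back on the slow, inspected path
    seen["still_blocked"] = sp.forward(scan)    # drop rules do not expire
    return seen


if __name__ == "__main__":
    for step, actions in demo().items():
        print(f"{step:15s} -> {actions}")
```

The security-relevant detail the model makes explicit: once a flow is on the fast path neither the firewall nor the IDS sees it again, so the bypass entry is an exact 5-tuple match and carries an idle timeout, while a block entry is also exact but persists until the operator removes it. A bypass keyed on anything wider than the 5-tuple, or one that never expires, would hand later traffic from the same host an uninspected path.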
Simple Load Balancing
• similar to a binary search
1. on start, divide the local IP space into as many prefixes as there are sensors
2. check each sensor's load; if a sensor is above the threshold:
   a. split the prefix with the largest load, but leave both halves on the same sensor
   b. observe the load by subnet
   c. if the highest-load subnet is too big to move to another sensor, go to 3
   d. if the subnet will fit on another sensor, move it to the less loaded sensor
3. repeat periodically
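The balancing procedure above, as a Python implementation added here; it is an illustration of the steps on the slide, not the SciPass load balancer's own code. It assumes a load_fn(prefix) that reports the traffic a prefix currently carries, standing in for whatever measurement the sensors provide; the per-host load table, the 10.0.0.0/24 space, four sensors and the 8 Gbps threshold are constructed sample data. Two details the slide leaves open are filled in as this example's choices: when the sensor count is not a power of two the initial split rounds up to a power of two and deals prefixes round-robin, and "fits" in step 2d means the less loaded sensor stays at or below the threshold after the move.

```python
import ipaddress


def host_load_fn(host_loads):
    """Build load_fn(prefix) from a per-host table. The table is constructed
    sample data standing in for what the sensors or flow data would report."""
    addrs = {ipaddress.ip_address(h): gbps for h, gbps in host_loads.items()}

    def load_fn(prefix):
        return sum(g for a, g in addrs.items() if a in prefix)
    return load_fn


class PrefixBalancer:
    def __init__(self, space, n_sensors, threshold, load_fn):
        self.n = n_sensors
        self.threshold = threshold
        self.load_fn = load_fn
        self.assignment = {}   # prefix -> sensor index
        # Step 1: cut the local address space into equal prefixes, one per
        # sensor. Rounding up to a power of two and dealing round-robin when
        # n is not a power of two is this example's choice, not the slide's.
        diff = (n_sensors - 1).bit_length()
        for i, sub in enumerate(space.subnets(prefixlen_diff=diff)):
            self.assignment[sub] = i % n_sensors

    def sensor_loads(self):
        loads = [0.0] * self.n
        for prefix, s in self.assignment.items():
            loads[s] += self.load_fn(prefix)
        return loads

    def balance_round(self):
        """One pass of step 2. Returns a tuple describing the decision taken."""
        loads = self.sensor_loads()
        hot = max(range(self.n), key=loads.__getitem__)
        if loads[hot] <= self.threshold:
            return ("balanced",)
        mine = [p for p, s in self.assignment.items() if s == hot]
        # 2a: split the hot sensor's heaviest prefix in two, keep both halves
        # on that sensor. A single host (/32) cannot be split any further.
        heaviest = max(mine, key=self.load_fn)
        if heaviest.prefixlen < heaviest.max_prefixlen:
            del self.assignment[heaviest]
            for half in heaviest.subnets(prefixlen_diff=1):
                self.assignment[half] = hot
            mine = [p for p, s in self.assignment.items() if s == hot]
        # 2b: observe load by subnet and pick the heaviest one as the candidate
        candidate = max(mine, key=self.load_fn)
        cold = min(range(self.n), key=loads.__getitem__)
        # 2c: too big to fit on the least loaded sensor -> wait for the next
        # round, which will halve it again (the binary-search step)
        if loads[cold] + self.load_fn(candidate) > self.threshold:
            return ("wait", str(candidate))
        # 2d: it fits -> move it to the less loaded sensor
        self.assignment[candidate] = cold
        return ("moved", str(candidate), hot, cold)

    def run(self, max_rounds):
        """Step 3: repeat. A bounded loop stands in for the periodic timer."""
        history = []
        for _ in range(max_rounds):
            decision = self.balance_round()
            history.append(decision)
            if decision[0] == "balanced":
                break
        return history


def demo():
    """Four sensors, a /24 of local space, and a hot spot in the first /26.
    Returns the round-by-round decisions and the final per-sensor loads."""
    hosts = {"10.0.0.5": 6, "10.0.0.9": 5, "10.0.0.40": 3,     # Gbps, constructed
             "10.0.0.70": 2, "10.0.0.130": 2, "10.0.0.200": 1}
    lb = PrefixBalancer(ipaddress.ip_network("10.0.0.0/24"), n_sensors=4,
                        threshold=8, load_fn=host_load_fn(hosts))
    history = lb.run(max_rounds=20)
    return history, lb.sensor_loads()


if __name__ == "__main__":
    history, loads = demo()
    for decision in history:
        print(decision)
    print("final loads per sensor:", loads)
```

In the sample the hot /26 has to be halved three times (to /27, /28, then /29) before a piece small enough to fit on the idle sensor appears, which is the binary-search behaviour the slide refers to; the heavy sensor then drops from 14 to 8 Gbps in a single move. A single host carrying more than the threshold on its own can never be moved, so the round keeps reporting "wait" for it; in that situation only a smaller threshold or more sensors helps.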
Who is doing this?
• Indiana University
  – GlobalNOC
  – Indiana University Security Office
• collaborating with
  – Bro Team
• looking for other participants
Testing
• DMZ deployed in the Indianapolis lab
  – Brocade MLXe switch
  – NetScreen 5200
  – IBM G8264
• tested against ESnet's well-known test points
  – 7 ms of delay to the Argonne server
  – http://fasterdata.es.net/performance-testing/DTNs/
[Chart: Manual Bypass after 8 sec]
Reactive Bypass Performance
• 64 ms: time to detect and bypass
• 250 ms: throughput double that of the firewall path
• 1.5 sec: same throughput as with no firewall
IU Campus Trial
• deployed temporarily for IDS load balancing
• mix of Bro and Snort
• 8 sensor groups
  – each group contains 1 Bro + 1 Snort
• 18,000,000 possible local addresses
• 10 to 20 Gbps of traffic on average
• goal: test the effectiveness of the balancing
Trial Results
• 20% traffic load delta after 10 balancing rounds
• 10% traffic load delta after 20 rounds
• stopped short of 5% due to traffic patterns
• results encouraging
Status
• IDS load balancer deployment in July
• planning for field trials of the DMZ use case
• first "production" release available
• investigating non-sampled flow data at 100G
• NetSage project
  – IDS load balancer deployment
More Info
• Project page: http://globalnoc.iu.edu/sdn/scipass.html
• Code repository: https://github.com/GlobalNOC/SciPass
• email: [email protected]