31

LEVERAGING SDN AND NFV FOR DNS AMPLIFICATION OR REFLECTION ATTACK DETECTION AND MITIGATION

Nesary, Mohammad Mashud 01 August 2023 (has links) (PDF)
Domain Name System (DNS) is virtually the distributed directory of the Internet for obtaining the Internet Protocol (IP) addresses needed to access web resources. DNS has always been one of the prime targets for cyber attackers, either to inundate different types of DNS servers with attack traffic and false records or to exploit the DNS protocol to perform targeted attacks on user machines. DNS amplification or reflection attacks are among the most fundamental types of DNS-specific Denial-of-Service (DoS) attacks. In this type of attack, users are denied service as the server needs to process spoofed DNS queries from the attackers and victim machines receive unsolicited DNS responses. Software Defined Networking (SDN) and Network Function Virtualization (NFV) are the technological breakthroughs which have brought transformational change in operating and maintaining network services. These have also opened new avenues to deal with those cyber-attacks, along with introducing a whole new set of security threats or vulnerabilities that need to be taken care of. In this paper, we propose detection and mitigation strategies to combat DNS amplification or reflection attacks leveraging the functionalities of both SDN and NFV. We reviewed the existing literature on related approaches, incorporated Moving Target Defense (MTD) techniques into the security solutions, discussed the deployment options of vDNS (Virtual DNS) servers, and elaborated on the security issues involved with SDN and NFV. This work could potentially augment the security of the DNS infrastructure while improving scalability and agility, and provide future direction for research and practice.
32

SDRN : réseau maillé temps réel dynamique défini par logiciel / SDRN : Software-Defined Real-Time Mesh Networking

Greff, Florian 16 May 2018 (has links)
As part of a CIFRE thesis jointly carried out by Loria and Thales Research & Technology, we study a new type of real-time embedded mesh network. Mesh networking of the components of embedded systems reconciles the applications' real-time constraints with their growing needs in terms of bandwidth and collaboration. The plurality of communication paths yields better flexibility, resilience, scalability and load-balancing properties. However, this requires being able to allocate network resources dynamically according to the applications' needs. Our approach is to let applications request real-time flows at run time, then dynamically allocate the resources matching their communication needs. To this end, we designed the Software-Defined Real-time Networking (SDRN) architecture. It simultaneously addresses flow isolation, timing analysis, routing, fault tolerance, and the interfaces with the application layers and the lower layers of the system. It is also modular, meaning that some parts of the architecture can be replaced without calling the other modules into question. Finally, it has been validated by an implementation on a RapidIO hardware platform. This document reports on the research work on SDRN. It also addresses the problem of experimenting on embedded networks and proposes an original experimentation approach, ERICA. This approach eases the setup of experiments that mix real and simulated aspects. ERICA generates the files needed to set up the scenario defined in a high-level graphical interface. It thus allows the researcher to apply high-level reasoning to their experiments and to reuse the layers common to several experimental scenarios. / We are studying a new kind of embedded real-time mesh network. Mesh networking of the components of embedded systems reconciles their real-time constraints with the new application needs in terms of bandwidth and tight interactions. The plurality of communication paths results in increased flexibility, resilience, scalability and load-balancing characteristics. However, this requires the ability to dynamically allocate network resources with respect to the needs of running applications. Our approach is to allow applications to make online real-time flow resource requests and consequently allot network resources according to these requirements. To this end, we have designed the Software-Defined Real-time Networking (SDRN) architecture. It addresses flow isolation, timing analysis, routing, fault tolerance, as well as the interfaces with the application layer and the lower layers of the system. It also allows any module to be replaced without interfering with the remainder of the architecture. It has been validated via an implementation on an in-silicon RapidIO platform. This thesis describes our research on the SDRN architecture. It also proposes an original method for experimenting on embedded networks, ERICA. The ERICA framework automatically generates everything needed to conduct a network experiment in a selected environment (such as a simulator or a testbed), with both physical and simulated aspects. Hence, it allows the researcher to think at a high level about the whole experimentation process and to reuse applications and experiment designs from one experimentation stack to another.
33

Nouveaux paradigmes de contrôle de congestion dans un réseau d'opérateur / New paradigms for congestion control in an operator's network

Sanhaji, Ali 29 November 2016 (has links)
Congestion in networks is a phenomenon that can affect the quality of service experienced by users. The continuous growth of Internet traffic makes congestion a problem the operator must address to satisfy its customers. The historical answers to congestion for an operator, such as over-provisioning the links of its infrastructure, are no longer viable today. With the evolution of network architectures and the arrival of new Internet applications, new congestion-control paradigms must be considered to meet the expectations of the operator's network users. In this thesis, we examine the new approaches proposed for congestion control in an operator's network. We propose an evaluation of these approaches through simulations, which lets us estimate their effectiveness and their potential to be deployed and operational in the Internet context, and to appreciate the challenges that must be overcome to reach that goal. We also propose congestion-control solutions for new environments such as Software Defined Networking architectures and the cloud deployed over one or more data centers, where congestion must be monitored to maintain the quality of the cloud services offered to customers. To support our proposed congestion-control architectures, we present experimental platforms that demonstrate the operation and potential of our solutions. / Network congestion is a phenomenon that can influence the quality of service experienced by users. The continuous increase of internet traffic makes this phenomenon an issue that should be addressed by the network operator to satisfy its clients. The usual solutions to congestion, such as overdimensioning the infrastructure, are not viable anymore. With the evolution of the network architecture and the emergence of new internet applications, new paradigms for congestion control have to be considered as a response to the expectations of network users. In this thesis, we examine new approaches to congestion control in an operator's network. We propose an evaluation of these approaches through simulations, which allows us to estimate their potential to be deployed and used over the internet, and allows us to be aware of the challenges to be met in order to achieve this goal. We also provide solutions for congestion control in new environments such as Software-Defined Networking architectures and cloud computing deployed over many data centers, where congestion is to be monitored to maintain the quality of cloud services to its users. To support our proposals for congestion control architectures, we present experimental platforms that demonstrate the feasibility of our solutions.
34

MultiFlow: uma solução para distribuição de subfluxos MPTCP em Redes OpenFlow / Multiflow: a solution for distribute MPTC subflows in OpenFlow networks

Sandri, Marcus 10 June 2015 (has links)
This Master's thesis presents a solution for splitting MPTCP subflows in an OpenFlow network. MPTCP is a network protocol designed to branch a single TCP connection into many subflows. The main idea is to forward subflows through disjoint paths. Commonly, the ECMP protocol is adopted together with it to split flows through distinct paths. Nevertheless, there are many issues that show that ECMP is not Pareto-optimal, such as: ECMP can easily set two subflows from the same TCP connection on the same path and/or set distinct forward and return routes for the same subflow. To solve these issues, MultiFlow is designed, a module which uses a controller to guarantee multipath routing by setting subflows from the same MPTCP connection so that such subflows are forwarded through distinct paths. MultiFlow is evaluated in experiments analyzing throughput and resilience, comparing it with Spanning-Tree (STP) and ECMP. The experiments were done using Mininet, an OpenFlow emulator for experimenting with a set of topologies. / This dissertation presents a solution for distributing Multipath-TCP (MPTCP) subflows in OpenFlow networks. MPTCP is a protocol developed to split a TCP flow into several subflows that are routed over disjoint paths through the network. Conventionally, it is used together with the Equal-Cost Multipath (ECMP) protocol, which distributes flows of all protocol types across a network with multiple paths. However, several issues show that ECMP is not a highly efficient protocol. Among them, ECMP can commonly place two subflows of the same connection on the same path and/or assign a forward path different from the return path. To solve these problems, MultiFlow is developed, a module for the POX controller that guarantees that subflows belonging to the same MPTCP connection can be forwarded over disjoint paths in an OpenFlow network. MultiFlow is validated in performance experiments that analyze throughput and resilience in comparison with the Spanning-Tree (STP) and ECMP protocols. For this we use Mininet, an OpenFlow network emulator that allows the creation of different topologies for experimentation.
35

Wi-Flow: uma arquitetura baseada em SDN para o gerenciamento e mobilidade em redes Wi-Fi com suporte à autenticação 802.1x / Wi-Flow: an SDN-based architecture for management and mobility in Wi-Fi networks with 802.1x authentication support

ALBUQUERQUE JÚNIOR, Edivaldo Cavalcante de 30 August 2016 (has links)
Corporate networks have evolved into a heterogeneous (wireless and wired) environment. These networks treat user authentication as an essential element for ensuring adequate security levels when accessing the organization's strategic services. In teaching and research institutions, the federated system based on 802.1x authentication called Eduroam (Education Roaming) lets students and researchers obtain wireless connectivity using their home institution's credentials anywhere in the world that supports this system. However, the quality of service (QoS) perceived by the user can be degraded when the wireless access point must change (handover) due to mobility and an ongoing session must be re-authenticated. Despite the many solutions in the literature for mobility management, support for user authentication during the handover process is a neglected aspect. This dissertation proposes a framework for the integrated management of wired and wireless networks based on low-cost open-source software. The proposal aims to make management simpler and centralized using the Software Defined Networking (SDN) paradigm through the OpenFlow (OF) protocol. Through a web interface it is possible to obtain network information, manage OF flows and controllers, create network slices and apply QoS policies. In the mobility-management context, the proposal implements and evaluates an authentication-cache strategy that optimizes the quality of experience (QoE) during the handover process in an environment with 802.1x/Eduroam authentication. The evaluation was carried out in an experimental environment and the proposal obtained the following gains: 15.8% in throughput, 25% in average delay and 20.5% in PSNR compared with the scenario without the proposed authentication cache. The results demonstrate the applicability of the proposal to secure mobility management, as well as its effectiveness in supporting QoS/QoE requirements for mobile users' video traffic sessions. / Corporate networks have evolved into a heterogeneous environment (wired and wireless networks). These networks consider user authentication a key element to ensure adequate levels of security in access to the organization's strategic services. In educational and research institutions, the federated system based on 802.1x authentication called Eduroam (Education Roaming) allows students and researchers to gain wireless connectivity using the same credentials as their institutions anywhere in the world that supports this system. However, the quality of service (QoS) perceived by the user can be degraded when they need to change the wireless access point (handover) due to mobility and re-authenticate a session in progress. Despite numerous existing solutions in the literature for mobility management, support for user authentication in the handover process is a neglected aspect. This dissertation proposes a framework for the integrated management of wired and wireless networks based on low-cost and open-source software. The proposal aims to make management simpler and centralized using the SDN (Software Defined Networking) paradigm via the OpenFlow protocol (OF). Through a web interface it is possible to obtain information from the network, manage flows and OF controllers, create network slices, and apply QoS policies. In the mobility management context, this proposal implements and evaluates a strategy that improves the quality of experience (QoE) in an environment with 802.1x authentication / Eduroam. In the evaluated experimental environments, the proposed technique achieved gains of up to 15.8% on throughput, 25% on average delay and 20.5% on PSNR in comparison to the baseline scenario without an authentication cache. Thus, the obtained results demonstrate the applicability of the integrated network management, as well as its effectiveness in supporting the QoS / QoE requirements for video traffic sessions of mobile users.
36

Aumentando a resiliência em SDN quando o plano de controle se encontra sob ataque / Increasing resilience in SDN when the control plane is under attack

Peixoto, Thiago Moratori 31 August 2017 (has links)
SDN (Software Defined Networks) is a networking paradigm that lets operators manage network elements using software running on an external server, making it possible to separate the control plane from the data plane. However, as with any technology, especially the most incipient ones, there are security problems and vulnerabilities to be investigated. For example, network outages caused by human error. An administrator who configures a controller incorrectly can easily cause a drop in network performance, even if the controller works correctly and there are no problems with the rules. This scenario is called the misconfigured-administrator problem, where an administrator mistakenly configures a fully capable controller in a way that harms network performance. The work proposed in this dissertation has two objectives: first, to evaluate the impact on data-plane performance of problems caused by a misconfigured system; and second, to propose, through the development of a module adjacent to the controller, measures to mitigate those impacts. The results obtained by experimentation in a realistic scenario show that using this module can improve the system's average performance by 4.82%. / SDN (Software Defined Networks) is a network paradigm that allows operators to manage network elements using software that executes on an external server, making it possible to divide the control plane from the data plane. However, as in all technologies, mainly the newer ones, there are security problems and vulnerabilities to be investigated. Network outages caused by human error, for instance. An administrator that misconfigures a controller can easily reduce the network performance, even if the controller works properly and there are no errors with the installed rules. This scenario is also called the misconfigured administrator problem, where the administrator misconfigures a full-capacity controller in a way that impairs the network performance. The work proposed in this dissertation has two objectives: first, to evaluate the impact on the performance of the data plane resulting from problems caused by a misconfigured system; and second, to propose, through the development of a module adjacent to the controller, measures to mitigate these impacts. The results obtained by experimentation in a realistic scenario show that the use of this module is capable of improving the average performance of the system by 4.82%.
37

Software Defined Networking for Smart Grid Communications

Aydeger, Abdullah 07 July 2016 (has links)
Emerging Software Defined Networking (SDN) technology has provided excellent flexibility to large-scale networks in terms of control, management, security, and maintenance. On the other hand, recent years witnessed a tremendous growth of the critical infrastructure networks, namely the Smart Grid, in terms of its underlying communication infrastructure. Such large local networks require significant effort in terms of network management and security. We explore the potential utilization of the SDN technology over the Smart Grid communication architecture. Specifically, we introduce three novel SDN deployment scenarios in local networks of the Smart Grid. Moreover, we also investigate the pertinent security aspects of each deployment scenario along with possible solutions. Furthermore, we conducted experiments using actual Smart Grid communication data to assess the recovery performance of the proposed SDN-based system. The results show that SDN is a viable technology for Smart Grid communications, with almost negligible delays in switching to backup wireless links.
38

Moving towards software-defined security in the era of NFV and SDN / Vers une programmabilité de la sécurité dans les environnements réseaux logiciels et virtualisés (NFV et SDN)

Pattaranantakul, Montida 20 June 2019 (has links)
This thesis aims to explore security problems and solutions in software-defined and virtualized network environments, under the following two hypotheses: (1) the paradigm shifts introduced by SDN and NFV networks make it possible to develop new approaches to security management; (2) the whole set of threats and vulnerabilities in NFV/SDN environments must be taken fully into account. Thus, in a first part, we propose a detailed and complete study, from the security point of view, of SDN/NFV architectures and protocols, but also of the management and orchestration of network functions in these environments (the MANO architecture). Several use cases are specified and proposed as illustrations. This first study led to two major contributions: (1) a complete architecture for security management and orchestration (called SecMANO) based on NFV MANO. SecMANO makes it possible to manage a set of service functions and security mechanisms (access control, IDS/IPS, isolation, protection) based on a set of rules; (2) a complete analysis of threats and vulnerabilities in the NFV context, built from five specific use cases, together with the associated countermeasures. This analysis made it possible to propose a complete and detailed classification (taxonomy) of the different types of specific threats, together with a set of recommendations for better security of NFV services. We believe these first two contributions open interesting research perspectives in the field of NFV/SDN network security. This first study led us to propose, as a third contribution, a new architecture for orchestrating security functions in virtualized environments. This security orchestrator was specified and developed as an extension module for existing orchestrators. The goal is to ensure dynamic, flexible, on-demand deployment as well as efficient orchestration of the various basic security services. More precisely, an access-control mechanism, defined and enforced from a high-level language and based on the "Tacker" stack (an OpenStack service for NFV orchestration using the TOSCA data model), was prototyped, implemented and tested. This prototype makes it possible to customize and dynamically adapt the access-control model and policy for different concurrent user domains. These independent security domains remain potentially protected and isolated in large-scale, multi-operator and multi-cloud environments. The prototype and the experiments conducted under practical conditions show the feasibility and effectiveness of the proposed approach. The studies proposed in the first part, from a "cross-layer" approach, bring to light new types of threats and vulnerabilities and show that in these software-defined, virtualized environments, security is the critical element. The fourth contribution (SecSFC) aims to secure and make reliable the composition and chaining of service functions (Service Function Chaining, SFC) in NFV/SDN environments. SecSFC relies on an "identity-based ordered multisignature" mechanism to guarantee the following properties: (1) the authentication of each service function associated with a particular service function chain; (2) the consistency and ordering of the whole set of service functions associated with a particular composition or chaining of service functions (the "VNF forwarding graph"). The theoretical analysis of the proposed "SecSFC" model and the experimental results show the resilience of the approach, in particular against a number of specific attacks (e.g. rule or topology modification), with limited processing time and latency. / This thesis is intended to explore security issues in the virtualized and software-defined world, and starts with two important hypotheses: (1) SDN and NFV offer plenty of opportunities for us to rethink security management in the new networking paradigms; (2) both legacy and new security threats and vulnerabilities in NFV/SDN-enabled environments need to be sufficiently addressed in order to pave the way for their further development and deployment. To validate the hypotheses, we carry out an in-depth study on NFV/SDN from a security perspective, including its architecture, management and orchestration (MANO) framework, and use cases, leading to two major contributions: (1) a security management and orchestration framework (called SecMANO) based on NFV MANO, which has the potential to manage a set of policy-driven security mechanisms, such as access control, IDS/IPS, network isolation, data protection; (2) a comprehensive threat analysis on five NFV use cases and the state-of-the-art security countermeasures, resulting in an NFV layer-specific threat taxonomy and a set of security recommendations on securing NFV-based services. We believe that both of the two contributions lay down a foundation for security research in the NFV/SDN domain. In particular, based on the two contributions, we further develop a security orchestrator as an extension of an available NFV orchestrator, with the objective of enabling the basic security functions to be effectively orchestrated and provided as on-demand services to the customers, meanwhile allowing high-level security policies to be specified and enforced in a dynamic and flexible way. Specifically, a software-defined access control paradigm is implemented and prototyped with OpenStack and Tacker (an NFV orchestrator using the TOSCA model), which allows the security administrators to dynamically customize the access control models and policies for different tenant domains, eventually achieving flexible and scalable protection across different layers and multiple cloud data centers. Both a proof-of-concept prototype and real-life experiments on a testbed have been carried out, clearly demonstrating the feasibility and effectiveness of our security orchestrator. In addition, as our NFV cross-layer threat taxonomy indicates, a large set of novel threats will be introduced, among which the VNF (Virtualized Network Function) is a unique and important asset that deserves careful protection. The fourth contribution of this thesis is therefore devoted to achieving secure and dependable SFC (Service Function Chaining) in NFV and SDN environments. Specifically, an identity-based ordered multisignature scheme called SecSFC is designed and applied to ensure that (1) each service function involved in a particular service chain is authenticated and legitimate; (2) all the service functions are chained in a consistent, optimal, and reliable way, meeting the pre-defined high-level specifications like the VNF Forwarding Graph. Both theoretical security analysis and experimental results demonstrate that our scheme can effectively defend against a large set of destructive attacks like rule modification and topology tampering, moving an important step towards secure and dependable SFC. Importantly, the signature construction and validation process is lightweight, generating compact and constant-size keys and signatures, thereby incurring only minimal computational overhead and latency.
39

Architecture du plan de contrôle SDN et placement des services réseaux dans les infrastructures des opérateurs / SDN control plane architecture and placement of network services in TelCo infrastructures

Sanner, Jean-Michel 23 July 2019 (has links)
The evolution of telecommunications operators' infrastructures towards the SDN and NFV paradigms requires lifting various technical barriers, related on the one hand to the centralization of control functions and on the other hand to the constraints of approaches directly inspired by Cloud Computing. In this thesis, we addressed two problems. In the first, we seek to define an SDN architecture better adapted and more efficient with respect to operators' needs. To do so, we proposed a distributed and flexible SDN control plane aimed at overcoming the limits of the centralized OpenFlow protocol as well as the constraints of network function virtualization. The proposed architecture allows the composition, then the differentiated validation and deployment, of composable and dynamically reconfigurable network services, taking into account the SLAs associated with the services. We illustrated some properties of this architecture (distribution, composition, dynamicity) in a proof of concept. In the second, to achieve the expected SLAs, we seek to optimize the placement of network services in this infrastructure. We first treated the problem of SDN controller placement by optimizing latency, load and reliability metrics, then, more generally, the placement of chains of virtualized network functions. For this we demonstrated the potential and performance of evolutionary algorithms, in an attempt to propose a generic resolution tool for network function placement. / The evolution of telecommunications operators' infrastructures towards the SDN and NFV paradigms requires surmounting various technical barriers. On the one hand, it is necessary to deal with the centralization of control functions, and on the other hand with the constraints of approaches coming directly from Cloud Computing. In this thesis, we addressed two issues. Firstly, we tried to define an SDN architecture more suited to the requirements of operators. For this purpose, we proposed a distributed and flexible SDN control plane to overcome the limitations of the centralized OpenFlow protocol, as well as the constraints of network function virtualization. The proposed architecture allows for the differentiated composition, validation and deployment of dynamically reconfigurable network services, taking into account the SLAs associated with the services. We have illustrated some of its characteristics, namely distribution, composition and dynamicity, in a proof of concept. Secondly, to achieve the expected SLAs, we try to optimize the placement of network services in this infrastructure. We first dealt with the issue of SDN controller placement, seeking to optimize latency, load and reliability metrics. Then, we considered the placement of chains of virtualized network functions. We have thereby demonstrated the potential and performance of evolutionary algorithms, with the perspective of proposing a generic resolution tool for the placement of network functions.
40

Gestion dynamique et évolutive de règles de sécurité pour l'Internet des Objets / Dynamic and scalable management of security rules for the Internet of Things

Mahamat charfadine, Salim 02 July 2019 (has links)
With the exponential growth of the Internet of Things (IoT), ensuring network security has become a major challenge for network administrators. Network security is based on multiple independent devices such as firewalls, IDS/IPS and NAC, whose main role is to control the information exchanged between the enterprise network and the outside. However, administering these devices can prove very complex and tedious if done manually, device by device. The introduction of the Software Defined Networking (SDN) concept in recent years, and of the OpenFlow protocol, offers many opportunities to improve network security by providing centralized and programmable administration. In this thesis, we proposed a new approach to securing exchanges in a network, in an automated manner, according to the events detected. This solution, based on the SDN approach coupled with an intrusion detection system, makes it possible to analyze, detect and remove security threats in a network automatically. By implementing this solution, we contribute to changing the way exchanges in a network are secured, with SDN coupled with an IDS, through the deployment of a real use-case architecture. Network security management thus becomes simplified, dynamic and scalable. / With the exponential evolution of the Internet of Things (IoT), ensuring network security has become a big challenge for network administrators. Traditionally, network security is based on multiple independent devices such as firewall, IDS/IPS, NAC, whose main role is to monitor the information exchanged between the inside and the outside perimeters of enterprise networks. However, the administration of these network devices can be complex and tedious with independent manual configuration. Recently, the introduction of the Software Defined Networking concept (SDN) and the OpenFlow protocol offers many opportunities by providing a centralized and programmable network administration. As part of this research work, we proposed a new approach to secure network traffic flow exchanges based on a method of event detection, in an automated manner. This solution is based on the SDN approach coupled to an intrusion detection system, which allows analyzing, detecting and removing security threats. With the implementation, we contribute to changing the paradigm of securing network traffic flow exchanges using the SDN principle, coupled with an IDS in a real use-case architecture. In this way, the management of network security becomes simplified, dynamic and scalable.
