Impact of network security on SDN controller performance

Kodzai, Carlton

January 2020

Internet Protocol network architectures are gradually evolving from legacy flat networks to new modern software defined networking approaches. This evolution is crucial as it provides the ideal supporting network structure, architecture and framework that supports the technologies that are also evolving in software-based systems like Network Functions Virtualization (NFV). The connectivity requirements resulting from this paradigm shift in technology is being driven by new bandwidth requirements emanating from the huge number of new use cases from 5G networks and Internet of things (IoT) future technologies. Network security remains a key critical requirement of these new modern network architectures to deliver a highly available, reliable service and guaranteed quality of service. Unprotected networks will usually experience service interruptions and cases of system non-availability due to network attacks such as denial-of services and virus attacks which can render key network components unusable or totally unavailable. With the centralized approach of the Software Defined Networking architecture, the SDN controller becomes a key network point that is susceptible to internal and external attacks from hackers and many forms of network breaches. It being the heart of the SDN network makes it a single point of failure and it is crucial that the security of the controller is guaranteed to avoid unnecessary irrecoverable loss of valuable production time, data and money. The SDN controller design should be guided by a robust security policy framework with a very sound remedy and business continuity plan in the event of any form of a security attack. Security designs and research work in SDN controllers have been done with focus on achieving the most reliable and scalable platforms through self-healing and replication processes. In this dissertation the research that was done proposed a security solution for the SDN controller and evaluated the impact of the security solution on the overall SDN controller performance. As part of the research work literature review of the SDN controller and related technology carried out. The SDN controller interfaces were analyzed and the security threats that attack interfaces were explored. With link to a robust security framework a security solution was used in the experiments that analyzed the attacks from the external network sources which focused on securing the southbound interface by use of a netfilter with iptables firewall on the SDN controller. The SDN controller was subjected to denial service attack packets and the impact of the mitigation action observed on the SDN controller resources. Given that the network security layer introduced an additional overhead on the SDN controller's processors the security feature negatively affected the controller performance. The impact of the security overhead will inform on the future designs and possibly achieve a trade-off point between the level of security of the network and overall system performance due to security policies. The research analyzed and determined the performance impact of this crucial design aspect and how the additional loading due to network security affected the SDN controller normal operation.

Network Architecture

Network Security

A structured approach to network security protocol implementation

Tobler, Benjamin

January 2005

The implementation of network security protocols has not received the same level of attention in the literature as their analysis. Security protocol analysis has successfully used inference logics, like GNY and BAN, and attack analysis, employing state space examination techniques such as model checking and strand spaces, to verify security protocols. Tools, such as the multi-dimensional analysis environment SPEAR II, exist to help automate security protocol specification and verification, however actual implementation of the specification in executable code is a task still largely left to human programmers. Many vulnerabilities have been found in implementations of security protocols such as SSL, PPTP and RADIUS that are incorporated into widely used operating system software, web servers and other network aware applications. While some of these vulnerabilities may be a result of flawed or unclear specifications, many are the result of the failure of programmers to correctly interpret and implement them. The above indicates a gap between security protocol specifications and their concrete implementations, in that there are methodologies and tools that have been established for developing the former, but not the latter. This dissertation proposes an approach to bridging this gap, describes our implementation of that approach and attempts to evaluate its success. The approach is three-fold, providing different measures to improve current ad-hoc implementation approaches: 1. From Informal to Formal Specifications: If a security protocol has been specified using informal standard notation, it can be converted, using automatic translation, to a formal specification language with well defined semantics. The formal protocol specification can then be analysed using formal techniques, to verify that the desired security properties hold. The precise specification of the protocol behaviour further serves to facilitate the concrete implementation of the protocol in code.

Computer Science

Network Security

Network Security Tool for a Novice

Ganduri, Rajasekhar

08 1900

Network security is a complex field that is handled by security professionals who need certain expertise and experience to configure security systems. With the ever increasing size of the networks, managing them is going to be a daunting task. What kind of solution can be used to generate effective security configurations by both security professionals and nonprofessionals alike? In this thesis, a web tool is developed to simplify the process of configuring security systems by translating direct human language input into meaningful, working security rules. These human language inputs yield the security rules that the individual wants to implement in their network. The human language input can be as simple as, "Block Facebook to my son's PC". This tool will translate these inputs into specific security rules and install the translated rules into security equipment such as virtualized Cisco FWSM network firewall, Netfilter host-based firewall, and Snort Network Intrusion Detection. This tool is implemented and tested in both a traditional network and a cloud environment. One thousand input policies were collected from various users such as staff from UNT departments' and health science, including individuals with network security background as well as students with a non-computer science background to analyze the tool's performance. The tool is tested for its accuracy (91%) in generating a security rule. It is also tested for accuracy of the translated rule (86%) compared to a standard rule written by security professionals. Nevertheless, the network security tool built has shown promise to both experienced and inexperienced people in network security field by simplifying the provisioning process to result in accurate and effective network security rules.

Network Security

Cloud Computing

OpenStack

Network Security Functions

A quantitative measure of the security risk level of enterprise networks

Munir, Rashid, Pagna Disso, Jules F., Awan, Irfan U., Mufti, Muhammad R.

January 2013

No / Along with the tremendous expansion of information technology and networking, the number of malicious attacks which cause disruption to business processes has concurrently increased. Despite such attacks, the aim for network administrators is to enable these systems to continue delivering the services they are intended for. Currently, many research efforts are directed towards securing network further whereas, little attention has been given to the quantification of network security which involves assessing the vulnerability of these systems to attacks. In this paper, a method is devised to quantify the security level of IT networks. This is achieved by electronically scanning the network using the vulnerability scanning tool (Nexpose) to identify the vulnerability level at each node classified according to the common vulnerability scoring system standards (critical, severe and moderate). Probabilistic approach is then applied to calculate an overall security risk level of sub networks and entire network. It is hoped that these metrics will be valuable for any network administrator to acquire an absolute risk assessment value of the network. The suggested methodology has been applied to a computer network of an existing UK organization with 16 nodes and a switch.

A distributed global-wide security system

Coffey, Thomas

January 1994

No description available.

621.39

Network security; Data security

Web application Security

Charpentier Rojas, Jose Enrique

January 2013

Problems related to web application security comes in many ways, one example is inexperience programmers but not only in the way they code and program but also which language and structure they use to code. Not only programmers but Software companies left holes in the software they developed of course without intention.Because is proven that most of the vulnerabilities start in the web application side, as developers we need to follow certain principles, test our code and learn as much as possible about the subject, as a foundation of web application security in order to know how to prevent issues to the most significant treats.The penetration test aimed to help the IT business to discover vulnerabilities in their system ensure their integrity and continue further in the web application security process. The vulnerability research perform in this report is the introduction of a big work that is under continuity for the company.Finally the success of following security standards, process and methodologies applied on this field is considered the best approach to ensure web application security and priceless information you can benefit from.

Web Application Security

Network Security

Enhancing Network Security in Linux Environment

Mohammed, Ali, Sama, Sachin, Mohammed, Majeed

January 2012

Designing a secured network is the most important task in any enterprise or organization development. Securing a network mainly involves applying policies and procedures to protect different network devices from unauthorized access. Servers such as web servers, file servers, mail servers, etc., are the important devices in a network. Therefore, securing these servers is the first and foremost step followed in every security implementation mechanism. To implement this, it is very important to analyse and study the security mechanisms provided by the operating system. This makes it easier for security implementation in a network. This thesis work demonstrates the tasks needed to enhance the network security in Linux environment. The various security modules existing in Linux makes it different from other operating systems. The security measures which are mainly needed to enhance the system security are documented as a baseline for practical implementation. After analysing the security measures for implementing network security, it is important to understand the role of network monitoring tools and Linux inbuilt log management in maintaining the security of a network. This is accomplished by presenting a detailed discussion on network monitoring tools and log management in Linux. In order to test the network security, a network is designed using Linux systems by configuring different servers and application firewall for packet filtering. The security measures configured on each server to enhance its security are presented as part of the implementation. The results obtained while an unauthorized user accessing the servers from the external network are also documented along with attack information retrieved by different network monitoring tools and Linux inbuilt log messages.

Network Security

Linux

Computer Networks

Design of Efficient FPGA Circuits For Matching Complex Patterns in Network Intrusion Detection Systems

Clark, Christopher R.

03 March 2004

The objective of this research is to design and develop a reconfigurable string matching co-processor using field-programmable gate array (FPGA) technology that is capable of matching thousands of complex patterns at gigabit network rates for network intrusion detection systems (NIDS). The motivation for this work is to eliminate the most significant bottleneck in current NIDS software, which is the pattern matching process. The tasks involved with this research include designing efficient, high-performance hardware circuits for pattern matching and integrating the pattern matching co-processor with other NIDS components running on a network processor. The products of this work include a system to translate standard intrusion detection patterns to FPGA pattern matching circuits that support all the functionality required by modern NIDS. The system generates circuits efficient enough to enable the entire ruleset of a popular NIDS containing over 1,500 patterns and 17,000 characters to fit into a single low-end FPGA chip and process data at an input rate of over 800 Mb/s. The capacity and throughput both scale linearly, so larger and faster FPGA devices can be used to further increase performance. The FPGA co-processor allows the task of pattern matching to be completely offloaded from a NIDS, significantly improving the overall performance of the system.

Network security

Intrusion detection

IDS

Network Security Planning for New Generation Network Service Providers

Huang, Shao-Chuan

25 July 2009

The internet network and e- commerce become more and more popular currently. Various applications of the network and services already become the indispensable important tools to most enterprises, such as the application of e mail , to establish the entry website of company, installing server to provide employees with information sharing, etc.. As the internet network providing the convenience and business opportunity , as well as e commerce be further developed, all of such IT applications created unbelievable values to enterprises. However, the security of the internet network becomes an endless issues. The external attacks , such as the electronic virus , the worm, special Lip river depends on the hobbyhorse ( Trojan Horse), procedure of back door, spy's software, the network hacker's depend event and activities have never been stopped. From which, the enterprises suffered with great losses. Therefore, the IT people of company are requested to develop and installed a suitable protection system to guarantee the security of company information assets. The case company specified in my paper is the biggest ISP in Taiwan. It owns more than three millions of customers. The company also provides its over 20,000 staffs with internal network and management network equipment for conducting routine jobs. The network and information security concerns are more complicated than that of regular commercial companies. This research will discuss the management & Network Security planning of this company from the structure and system views. Not only to create potential benefit of rigid information Security for existing network, but also to offer IT planning people with valuable reference as they are performing the related works.

Information Security

Network Security Planning

Blockchain and Distributed Consensus: From Security Analysis to Novel Applications

Xiao, Yang

13 May 2022

Blockchain, the technology behind cryptocurrency, enables decentralized and distrustful parties to maintain a unique and consistent transaction history through consensus, without involving a central authority. The decentralization, transparency, and consensus-driven security promised by blockchain are unprecedented and can potentially enable a wide range of new applications that prevail in the decentralized zero-trust model. While blockchain represents a secure-by-design approach to building zero-trust applications, there still exist outstanding security bottlenecks that hinder the technology's wider adoption, represented by the following two challenges: (1) blockchain as a distributed networked system is multi-layered in nature which has complex security implications that are not yet fully understood or addressed; (2) when we use blockchain to construct new applications, especially those previously implemented in the centralized manner, there often lack effective paradigms to customize and augment blockchain's security offerings to realize domain-specific security goals. In this work, we provide answers to the above two challenges in two coordinated efforts. In the first effort, we target the fundamental security issues caused by blockchain's multi-layered nature and the consumption of external data. Existing analyses on blockchain consensus security overlooked an important cross-layer factor---the heterogeneity of the P2P network's connectivity. We first provide a comprehensive review on notable blockchain consensus protocols and their security properties. Then we focus one class of consensus protocol---the popular Nakamoto consensus---for which we propose a new analytical model from the networking perspective that quantifies the impact of heterogeneous network connectivity on key consensus security metrics, providing insights on the actual "51% attack" threshold (safety) and mining revenue distribution (fairness). The external data truthfulness challenge is another fundamental challenge concerning the decentralized applications running on top of blockchain. The validity of external data is key to the system's operational security but is out of the jurisdiction of blockchain consensus. We propose DecenTruth, a system that combines a data mining technique called truth discovery and Byzantine fault-tolerant consensus to enable decentralized nodes to collectively extract truthful information from data submitted by untrusted external sources. In the second effort, we harness the security offerings of blockchain's smart contract functionality along with external security tools to enable two domain-specific applications---data usage control and decentralized spectrum access system. First, we use blockchain to tackle a long-standing privacy challenge of data misuse. Individual data owners often lose control on how their data can be used once sharing the data with another party, epitomized by the Facebook-Cambridge Analytica data scandal. We propose PrivacyGuard, a security platform that combines blockchain smart contract and hardware trusted execution environment (TEE) to enable individual data owner's fine-grained control over the usage (e.g., which operation, who can use on what condition/price) of their private data. A core technical innovation of PrivacyGuard is the TEE-based execution and result commitment protocol, which extends blockchain's zero-trust security to the off-chain physical domain. Second, we employ blockchain to address the potential security and performance issues facing dynamic spectrum sharing in the 5G or next-G wireless networks. The current spectrum access system (SAS) designated by the FCC follows a centralized server-client service model which is vulnerable to single-point failures of SAS service providers and also lacks an efficient, automated inter-SAS synchronization mechanism. In response, we propose a blockchain-based decentralized SAS architecture dubbed BD-SAS to provide SAS service efficiently to spectrum users and enable automated inter-SAS synchronization, without assuming trust on individual SAS service providers. We hope this work can provide new insights into blockchain's fundamental security and applicability to new security domains. / Doctor of Philosophy / Blockchain, the technology behind cryptocurrency, enables decentralized and distrustful parties to maintain a unique and consistent transaction history through consensus, without involving a central authority. The decentralization, transparency, and consensus-driven security promised by blockchain are unprecedented and can potentially enable zero-trust applications in a wide range of domains. While blockchain's secure-by-design vision is truly inspiring, there still remain outstanding security challenges that hinder the technology's wider adoption. They originate from the blockchain system's complex multi-layer nature and the lack of effective paradigms to customize blockchain for domain-specific applications. In this work, we provide answers to the above two challenges in two coordinated efforts. In the first effort, we target the fundamental security issues caused by blockchain's multi-layered nature and the consumption of external data. We first provide a comprehensive review on existing notable consensus protocols and their security issues. Then we propose a new analytical model from a novel networking perspective that quantifies the impact of heterogeneous network connectivity on key consensus security metrics. Then we address the external data truthfulness challenge concerning the decentralized applications running on top of blockchain which consume the real-world data, by proposing DecenTruth, a system that combines data mining and consensus to allow decentralized blockchain nodes to collectively extract truthful information from untrusted external sources. In the second effort, we harness the security offerings of blockchain's smart contract functionality along with external security tools to enable two domain-specific applications. First, eyeing on our society's data misuse challenge where data owners often lose control on how their data can be used once sharing the data with another party, we propose PrivacyGuard, a security platform that combines blockchain smart contract and hardware security tools to give individual data owner's fine-grained control over the usage over their private data. Second, targeting the lack of a fault-tolerant spectrum access system in the domain of wireless networking, we propose a blockchain-based decentralized spectrum access system dubbed BD-SAS to provide spectrum management service efficiently to users without assuming trust on individual SAS service providers. We hope this work can provide new insights into blockchain's fundamental security and applicability to new security domains.

Blockchain

distributed consensus

network security