Impact of network security on SDN controller performance

Kodzai, Carlton

January 2020

Internet Protocol network architectures are gradually evolving from legacy flat networks to new modern software defined networking approaches. This evolution is crucial as it provides the ideal supporting network structure, architecture and framework that supports the technologies that are also evolving in software-based systems like Network Functions Virtualization (NFV). The connectivity requirements resulting from this paradigm shift in technology is being driven by new bandwidth requirements emanating from the huge number of new use cases from 5G networks and Internet of things (IoT) future technologies. Network security remains a key critical requirement of these new modern network architectures to deliver a highly available, reliable service and guaranteed quality of service. Unprotected networks will usually experience service interruptions and cases of system non-availability due to network attacks such as denial-of services and virus attacks which can render key network components unusable or totally unavailable. With the centralized approach of the Software Defined Networking architecture, the SDN controller becomes a key network point that is susceptible to internal and external attacks from hackers and many forms of network breaches. It being the heart of the SDN network makes it a single point of failure and it is crucial that the security of the controller is guaranteed to avoid unnecessary irrecoverable loss of valuable production time, data and money. The SDN controller design should be guided by a robust security policy framework with a very sound remedy and business continuity plan in the event of any form of a security attack. Security designs and research work in SDN controllers have been done with focus on achieving the most reliable and scalable platforms through self-healing and replication processes. In this dissertation the research that was done proposed a security solution for the SDN controller and evaluated the impact of the security solution on the overall SDN controller performance. As part of the research work literature review of the SDN controller and related technology carried out. The SDN controller interfaces were analyzed and the security threats that attack interfaces were explored. With link to a robust security framework a security solution was used in the experiments that analyzed the attacks from the external network sources which focused on securing the southbound interface by use of a netfilter with iptables firewall on the SDN controller. The SDN controller was subjected to denial service attack packets and the impact of the mitigation action observed on the SDN controller resources. Given that the network security layer introduced an additional overhead on the SDN controller's processors the security feature negatively affected the controller performance. The impact of the security overhead will inform on the future designs and possibly achieve a trade-off point between the level of security of the network and overall system performance due to security policies. The research analyzed and determined the performance impact of this crucial design aspect and how the additional loading due to network security affected the SDN controller normal operation.

Network Architecture

Network Security

A structured approach to network security protocol implementation

Tobler, Benjamin

January 2005

The implementation of network security protocols has not received the same level of attention in the literature as their analysis. Security protocol analysis has successfully used inference logics, like GNY and BAN, and attack analysis, employing state space examination techniques such as model checking and strand spaces, to verify security protocols. Tools, such as the multi-dimensional analysis environment SPEAR II, exist to help automate security protocol specification and verification, however actual implementation of the specification in executable code is a task still largely left to human programmers. Many vulnerabilities have been found in implementations of security protocols such as SSL, PPTP and RADIUS that are incorporated into widely used operating system software, web servers and other network aware applications. While some of these vulnerabilities may be a result of flawed or unclear specifications, many are the result of the failure of programmers to correctly interpret and implement them. The above indicates a gap between security protocol specifications and their concrete implementations, in that there are methodologies and tools that have been established for developing the former, but not the latter. This dissertation proposes an approach to bridging this gap, describes our implementation of that approach and attempts to evaluate its success. The approach is three-fold, providing different measures to improve current ad-hoc implementation approaches: 1. From Informal to Formal Specifications: If a security protocol has been specified using informal standard notation, it can be converted, using automatic translation, to a formal specification language with well defined semantics. The formal protocol specification can then be analysed using formal techniques, to verify that the desired security properties hold. The precise specification of the protocol behaviour further serves to facilitate the concrete implementation of the protocol in code.

Computer Science

Network Security

Network Security Tool for a Novice

Ganduri, Rajasekhar

08 1900

Network security is a complex field that is handled by security professionals who need certain expertise and experience to configure security systems. With the ever increasing size of the networks, managing them is going to be a daunting task. What kind of solution can be used to generate effective security configurations by both security professionals and nonprofessionals alike? In this thesis, a web tool is developed to simplify the process of configuring security systems by translating direct human language input into meaningful, working security rules. These human language inputs yield the security rules that the individual wants to implement in their network. The human language input can be as simple as, "Block Facebook to my son's PC". This tool will translate these inputs into specific security rules and install the translated rules into security equipment such as virtualized Cisco FWSM network firewall, Netfilter host-based firewall, and Snort Network Intrusion Detection. This tool is implemented and tested in both a traditional network and a cloud environment. One thousand input policies were collected from various users such as staff from UNT departments' and health science, including individuals with network security background as well as students with a non-computer science background to analyze the tool's performance. The tool is tested for its accuracy (91%) in generating a security rule. It is also tested for accuracy of the translated rule (86%) compared to a standard rule written by security professionals. Nevertheless, the network security tool built has shown promise to both experienced and inexperienced people in network security field by simplifying the provisioning process to result in accurate and effective network security rules.

Network Security

Cloud Computing

OpenStack

Network Security Functions

A quantitative measure of the security risk level of enterprise networks

Munir, Rashid, Pagna Disso, Jules F., Awan, Irfan U., Mufti, Muhammad R.

January 2013

No / Along with the tremendous expansion of information technology and networking, the number of malicious attacks which cause disruption to business processes has concurrently increased. Despite such attacks, the aim for network administrators is to enable these systems to continue delivering the services they are intended for. Currently, many research efforts are directed towards securing network further whereas, little attention has been given to the quantification of network security which involves assessing the vulnerability of these systems to attacks. In this paper, a method is devised to quantify the security level of IT networks. This is achieved by electronically scanning the network using the vulnerability scanning tool (Nexpose) to identify the vulnerability level at each node classified according to the common vulnerability scoring system standards (critical, severe and moderate). Probabilistic approach is then applied to calculate an overall security risk level of sub networks and entire network. It is hoped that these metrics will be valuable for any network administrator to acquire an absolute risk assessment value of the network. The suggested methodology has been applied to a computer network of an existing UK organization with 16 nodes and a switch.

A distributed global-wide security system

Coffey, Thomas

January 1994

No description available.

621.39

Network security; Data security

Web application Security

Charpentier Rojas, Jose Enrique

January 2013

Problems related to web application security comes in many ways, one example is inexperience programmers but not only in the way they code and program but also which language and structure they use to code. Not only programmers but Software companies left holes in the software they developed of course without intention.Because is proven that most of the vulnerabilities start in the web application side, as developers we need to follow certain principles, test our code and learn as much as possible about the subject, as a foundation of web application security in order to know how to prevent issues to the most significant treats.The penetration test aimed to help the IT business to discover vulnerabilities in their system ensure their integrity and continue further in the web application security process. The vulnerability research perform in this report is the introduction of a big work that is under continuity for the company.Finally the success of following security standards, process and methodologies applied on this field is considered the best approach to ensure web application security and priceless information you can benefit from.

Web Application Security

Network Security

Enhancing Network Security in Linux Environment

Mohammed, Ali, Sama, Sachin, Mohammed, Majeed

January 2012

Designing a secured network is the most important task in any enterprise or organization development. Securing a network mainly involves applying policies and procedures to protect different network devices from unauthorized access. Servers such as web servers, file servers, mail servers, etc., are the important devices in a network. Therefore, securing these servers is the first and foremost step followed in every security implementation mechanism. To implement this, it is very important to analyse and study the security mechanisms provided by the operating system. This makes it easier for security implementation in a network. This thesis work demonstrates the tasks needed to enhance the network security in Linux environment. The various security modules existing in Linux makes it different from other operating systems. The security measures which are mainly needed to enhance the system security are documented as a baseline for practical implementation. After analysing the security measures for implementing network security, it is important to understand the role of network monitoring tools and Linux inbuilt log management in maintaining the security of a network. This is accomplished by presenting a detailed discussion on network monitoring tools and log management in Linux. In order to test the network security, a network is designed using Linux systems by configuring different servers and application firewall for packet filtering. The security measures configured on each server to enhance its security are presented as part of the implementation. The results obtained while an unauthorized user accessing the servers from the external network are also documented along with attack information retrieved by different network monitoring tools and Linux inbuilt log messages.

Network Security

Linux

Computer Networks

Design of Efficient FPGA Circuits For Matching Complex Patterns in Network Intrusion Detection Systems

Clark, Christopher R.

03 March 2004

The objective of this research is to design and develop a reconfigurable string matching co-processor using field-programmable gate array (FPGA) technology that is capable of matching thousands of complex patterns at gigabit network rates for network intrusion detection systems (NIDS). The motivation for this work is to eliminate the most significant bottleneck in current NIDS software, which is the pattern matching process. The tasks involved with this research include designing efficient, high-performance hardware circuits for pattern matching and integrating the pattern matching co-processor with other NIDS components running on a network processor. The products of this work include a system to translate standard intrusion detection patterns to FPGA pattern matching circuits that support all the functionality required by modern NIDS. The system generates circuits efficient enough to enable the entire ruleset of a popular NIDS containing over 1,500 patterns and 17,000 characters to fit into a single low-end FPGA chip and process data at an input rate of over 800 Mb/s. The capacity and throughput both scale linearly, so larger and faster FPGA devices can be used to further increase performance. The FPGA co-processor allows the task of pattern matching to be completely offloaded from a NIDS, significantly improving the overall performance of the system.

Network security

Intrusion detection

IDS

Network Security Planning for New Generation Network Service Providers

Huang, Shao-Chuan

25 July 2009

The internet network and e- commerce become more and more popular currently. Various applications of the network and services already become the indispensable important tools to most enterprises, such as the application of e mail , to establish the entry website of company, installing server to provide employees with information sharing, etc.. As the internet network providing the convenience and business opportunity , as well as e commerce be further developed, all of such IT applications created unbelievable values to enterprises. However, the security of the internet network becomes an endless issues. The external attacks , such as the electronic virus , the worm, special Lip river depends on the hobbyhorse ( Trojan Horse), procedure of back door, spy's software, the network hacker's depend event and activities have never been stopped. From which, the enterprises suffered with great losses. Therefore, the IT people of company are requested to develop and installed a suitable protection system to guarantee the security of company information assets. The case company specified in my paper is the biggest ISP in Taiwan. It owns more than three millions of customers. The company also provides its over 20,000 staffs with internal network and management network equipment for conducting routine jobs. The network and information security concerns are more complicated than that of regular commercial companies. This research will discuss the management & Network Security planning of this company from the structure and system views. Not only to create potential benefit of rigid information Security for existing network, but also to offer IT planning people with valuable reference as they are performing the related works.

Information Security

Network Security Planning

Privacy Preserving Network Security Data Analytics

DeYoung, Mark E.

24 April 2018

The problem of revealing accurate statistics about a population while maintaining privacy of individuals is extensively studied in several related disciplines. Statisticians, information security experts, and computational theory researchers, to name a few, have produced extensive bodies of work regarding privacy preservation. Still the need to improve our ability to control the dissemination of potentially private information is driven home by an incessant rhythm of data breaches, data leaks, and privacy exposure. History has shown that both public and private sector organizations are not immune to loss of control over data due to lax handling, incidental leakage, or adversarial breaches. Prudent organizations should consider the sensitive nature of network security data and network operations performance data recorded as logged events. These logged events often contain data elements that are directly correlated with sensitive information about people and their activities -- often at the same level of detail as sensor data. Privacy preserving data publication has the potential to support reproducibility and exploration of new analytic techniques for network security. Providing sanitized data sets de-couples privacy protection efforts from analytic research. De-coupling privacy protections from analytical capabilities enables specialists to tease out the information and knowledge hidden in high dimensional data, while, at the same time, providing some degree of assurance that people's private information is not exposed unnecessarily. In this research we propose methods that support a risk based approach to privacy preserving data publication for network security data. Our main research objective is the design and implementation of technical methods to support the appropriate release of network security data so it can be utilized to develop new analytic methods in an ethical manner. Our intent is to produce a database which holds network security data representative of a contextualized network and people's interaction with the network mid-points and end-points without the problems of identifiability. / Ph. D.

Privacy

Data Analytics

Network Security