Nicholas Gray
University of Würzburg
Publication
Featured research published by Nicholas Gray.
IEEE Communications Magazine | 2017
Claas Lorenz; David Hock; Johann Scherer; Raphael Durner; Wolfgang Kellerer; Steffen Gebert; Nicholas Gray; Thomas Zinner; Phuoc Tran-Gia
In recent years, attacks and threat vectors against enterprise networks have been constantly increasing in number and variety. Despite these attacks, the main security systems, for example network firewalls, have remained rather unchanged. In addition, new challenges arise not only for the level of provided security, but also for the scalability and manageability of the deployed countermeasures such as firewalls and intrusion detection systems. Due to the tight integration into the physical network infrastructure, dynamic resource allocation to adapt the security measures to the current network conditions is a difficult undertaking. This article covers different architectural design patterns for the integration of SDN/NFV-based security solutions into enterprise networks.
2017 International Conference on Networked Systems (NetSys) | 2017
Nicholas Gray; Claas Lorenz; Alexander Müssig; Steffen Gebert; Thomas Zinner; Phuoc Tran-Gia
Network Functions Virtualization (NFV) replaces physical middleboxes with software instances running network functions in cloud environments. To support this new paradigm, it is necessary to port the code base from highly specialized hardware devices to virtual machines running on COTS hardware. In order to fully exploit the inherent capabilities of cloud environments, it is further necessary to redesign the software to support a large number of distributed, cooperating function instances instead of single, isolated and monolithic instances. This development can be observed for network functions like stateful firewalling. Until now, available software firewalls lack support for active/active operation in clustered environments, which hinders horizontal scalability. This is because the required synchronization of connection states among the cluster's instances is an impediment that still has to be resolved. Therefore, this work investigates different synchronization strategies and mechanisms that allow connection states to be shared across the cluster to maintain scalability and high availability.
ACM Special Interest Group on Data Communication | 2017
Benedikt Pfaff; Johann Scherer; David Hock; Nicholas Gray; Thomas Zinner; Phuoc Tran-Gia; Raphael Durner; Wolfgang Kellerer; Claas Lorenz
ACM Reference format: Benedikt Pfaff, Johann Scherer, David Hock, Nicholas Gray, Thomas Zinner, Phuoc Tran-Gia, Raphael Durner, Wolfgang Kellerer, and Claas Lorenz. 2017. SDN/NFV-enabled Security Architecture for Fine-grained Policy Enforcement and Threat Mitigation for Enterprise Networks. In Proceedings of SIGCOMM Posters and Demos ’17, Los Angeles, CA, USA, August 22–24, 2017, 2 pages. https://doi.org/10.1145/3123878.3131970
International Conference on Mobile Networks and Management | 2016
Steffen Gebert; Alexander Müssig; Stanislav Lange; Thomas Zinner; Nicholas Gray; Phuoc Tran-Gia
The network functions virtualization (NFV) paradigm promises higher flexibility, vendor-independence, and higher cost-efficiency for network operators. Its key concept consists of virtualizing the functions of specialized hardware-based middleboxes like load balancers or firewalls and running them on commercial off-the-shelf (COTS) hardware.
Immunotechnology | 2017
Nicholas Gray; Thomas Zinner; Phuoc Tran-Gia
Software-defined Networking (SDN) provides increased flexibility and cost savings by separating the data plane from the control plane. Despite these benefits, this separation also results in a greater attack surface as new devices and protocols are deployed. OpenFlow is one of these protocols and enables the communication between the switch and the controller. Ideally this connection takes place over an encrypted TLS channel, but as this feature is marked optional, it is not supported by all devices. This allows an attacker to eavesdrop on and alter the communication, resulting in a compromised network. In this work, we demonstrate a new approach for authentication based on device fingerprinting to enhance security in scenarios where cryptographic mechanisms are unavailable.
International Teletraffic Congress | 2016
Steffen Gebert; Thomas Zinner; Nicholas Gray; Raphael Durner; Claas Lorenz; Stanislav Lange
Network virtualization is one classical use case for Software Defined Networks (SDN). By programmatically instantiating virtual networks, traffic from one or more devices can be separated or connectivity can be established as needed. S-BYOD, which is presented in this demonstration, applies the SDN concept to Bring Your Own Device (BYOD) scenarios and offers personalized virtual networks that are set up and extended on demand. This is done once the user authenticates, activates access to additional applications, or as soon as applications scale out and involve more servers. The described proof-of-concept implementation explores to what degree an agent-less BYOD solution, based only on SDN, can lower the attack surface by explicit user opt-ins for particular services. Further, an assessment of the number of required rules within the flow tables of switches completes this work.
Network Operations and Management Symposium | 2018
Stanislav Lange; Lorenz Reinhart; Thomas Zinner; David Hock; Nicholas Gray; Phuoc Tran-Gia
Mobile Networks and Management | 2017
Nicholas Gray; Thomas Zinner; Steffen Gebert; Phuoc Tran-Gia
Archive | 2017
Nicholas Gray; Thomas Zinner; Phuoc Tran-Gia
International Test Conference | 2016
Steffen Gebert; Thomas Zinner; Nicholas Gray; Raphael Durner; Claas Lorenz; Stanislav Lange