
Publication


Featured research published by Wonkyu Han.


acm special interest group on data communication | 2014

FLOWGUARD: building robust firewalls for software-defined networks

Hongxin Hu; Wonkyu Han; Gail Joon Ahn; Ziming Zhao

Software-Defined Networking (SDN) introduces significant granularity, visibility and flexibility to networking, but at the same time brings forth new security challenges. One of the fundamental challenges is to build robust firewalls for protecting OpenFlow-based networks where network states and traffic are frequently changed. To address this challenge, we introduce FlowGuard, a comprehensive framework, to facilitate not only accurate detection but also effective resolution of firewall policy violations in dynamic OpenFlow-based networks. FlowGuard checks network flow path spaces to detect firewall policy violations when network states are updated. In addition, FlowGuard conducts automatic and real-time violation resolutions with the help of several innovative resolution strategies designed for diverse network update situations. We also implement our framework and demonstrate the efficacy and efficiency of the proposed detection and resolution approaches in FlowGuard through experiments with a real-world network topology.


symposium on access control models and technologies | 2017

Poster: On the Safety and Efficiency of Virtual Firewall Elasticity Control

Hongda Li; Juan Deng; Hongxin Hu; Kuang Ching Wang; Gail Joon Ahn; Ziming Zhao; Wonkyu Han

Firewalls have been typically used to enforce network access control. Network Functions Virtualization (NFV) envisions to implement firewall function as software instance (a.k.a. virtual firewall). Virtual firewall provides great flexibility and elasticity, which are necessary to protect virtualized environments. In this poster, we propose an innovative virtual firewall controller, VFW Controller, which enables safe, efficient and cost-effective virtual firewall elasticity control. In addition, we implement the core components of VFW Controller on top of NFV and SDN environments. Our experimental results demonstrate that VFW Controller is efficient to provide safe elasticity control of virtual firewalls.


DBSec 2014 Proceedings of the 28th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy XXVIII - Volume 8566 | 2014

LPM: Layered Policy Management for Software-Defined Networks

Wonkyu Han; Hongxin Hu; Gail Joon Ahn

Software-Defined Networking (SDN) as an emerging paradigm in networking divides the network architecture into three distinct layers such as application, control, and data layers. The multi-layered network architecture in SDN tremendously helps manage and control network traffic flows but each layer heavily relies on complex network policies. Managing and enforcing these network policies require dedicated cautions since combining multiple network modules in an SDN application not only becomes a non-trivial job, but also requires considerable efforts to identify dependencies within a module and between modules. In addition, multi-tenant SDN applications make network management tasks more difficult since there may exist unexpected interferences between traffic flows. In order to accommodate such complex network dynamics in SDN, we propose a novel policy management framework for SDN, called layered policy management (LPM). We also articulate challenges for each layer in terms of policy management and describe appropriate resolution strategies. In addition, we present a proof-of-concept implementation and demonstrate the feasibility of our approach with an SDN-based simulated network.


symposium on access control models and technologies | 2016

State-aware Network Access Management for Software-Defined Networks

Wonkyu Han; Hongxin Hu; Ziming Zhao; Adam Doupé; Gail Joon Ahn; Kuang Ching Wang; Juan Deng

OpenFlow, as the prevailing technique for Software-Defined Networks (SDNs), introduces significant programmability, granularity, and flexibility for many network applications to effectively manage and process network flows. However, because OpenFlow attempts to keep the SDN data plane simple and efficient, it focuses solely on L2/L3 network transport and consequently lacks the fundamental ability of stateful forwarding for the data plane. Also, OpenFlow provides a very limited access to connection-level information in the SDN controller. In particular, for any network access management applications on SDNs that require comprehensive network state information, these inherent limitations of OpenFlow pose significant challenges in supporting network services. To address these challenges, we propose an innovative connection tracking framework called STATEMON that introduces a global state-awareness to provide better access control in SDNs. STATEMON is based on a lightweight extension of OpenFlow for programming the stateful SDN data plane, while keeping the underlying network devices as simple as possible. To demonstrate the practicality and feasibility of STATEMON, we implement and evaluate a stateful network firewall and port knocking applications for SDNs, using the APIs provided by STATEMON. Our evaluations show that STATEMON introduces minimal message exchanges for monitoring active connections in SDNs with manageable overhead (3.27% throughput degradation).


Advances in intelligent systems and computing | 2014

Simulation-based validation for Smart Grid environments: Framework and experimental results

Wonkyu Han; Mike Mabey; Gail Joon Ahn; Tae Sung Kim

Large and complex systems, such as the Smart Grid, are often best understood through the use of modeling and simulation. In particular, the task of assessing a complex system’s risks and testing its tolerance and recovery under various attacks has received considerable attention. However, such tedious tasks still demand a systematic approach to model and evaluate each component in complex systems. In other words, supporting a formal validation and verification without needing to implement the entire system or accessing the existing physical infrastructure is critical since many elements of the Smart Grid are still in the process of becoming standardized for widespread use. In this chapter, we describe our simulation-based approach to understanding and examining the behavior of various components of the Smart Grid in the context of verification and validation. To achieve this goal, we adopt the discrete event system specification (DEVS) modeling methodology, which allows the generalization and specialization of entities in the model and supports a customized simulation with specific variables. In addition, we articulate metrics for supporting our simulation-based verification and validation and demonstrate the feasibility and effectiveness of our approach with a real-world use case.


communications and networking symposium | 2017

HoneyProxy: Design and implementation of next-generation honeynet via SDN

Sukwha Kyung; Wonkyu Han; Naveen Tiwari; Vaibhav Hemant Dixit; Lakshmi Srinivas; Ziming Zhao; Adam Doupé; Gail Joon Ahn

Honeynet is a network architecture that utilizes multiple honeypots to deceive attackers and analyze their malicious behaviors. However, existing honeynet has not evolved much since its latest architecture, Gen-III, which was proposed in 2004. Meanwhile, security threats and techniques used by adversaries have been continuously advanced. As a result, honeypot architecture is suffering from its limited functionalities of ‘data control’ and ‘data capture’. Existing data control mechanism does not monitor internal propagation of malwares in the network and also does not support honeypot transition from one to another (e.g., a low-interaction honeypot to a high-interaction honeypot). The data capture capability of traditional honeynet is also insufficient as it is vulnerable to fingerprinting attacks. To address these challenges, we design and implement an innovative SDN-based honeynet named HoneyProxy as a next generation honeynet. To prevent internal propagation of malwares within honeynet, HoneyProxy globally monitors all internal traffic with the help of Software-defined Network (SDN) controller. HoneyProxy utilizes a novel connection management mechanism across different honeypots in the network to support honeypot transitions. To this end, a HoneyProxy-enabled SDN controller centrally programs the reverse proxy module that operates in three specific modes. In addition, HoneyProxy improves the data capture capability in the existing honeynet by circumventing fingerprinting attacks through multicasting malicious traffic to relevant honeypots and selecting the response which does not contain fingerprinting indicator(s). Experimental results show that HoneyProxy can support almost line rate throughput (8.23 Gbps) on 10 Gbps link with a negligible latency overhead (0.5–1.2 milliseconds).


information reuse and integration | 2013

Simulation-based validation for smart grid environments

Wonkyu Han; Mike Mabey; Gail Joon Ahn

Large and complex systems, such as the Smart Grid, are often best understood through the use of modeling and simulation. In particular, the task of assessing a complex system's risks and testing its tolerance and recovery under various attacks has received considerable attention. However, such tedious tasks still demand a systematic approach to model and evaluate each component in complex systems. In other words, supporting a formal validation and verification without needing to implement the entire system or accessing the existing physical infrastructure is critical since many elements of the Smart Grid are still in the process of becoming standardized for widespread use. In this paper, we describe our simulation-based approach to understanding and examining the behavior of various components of the Smart Grid in the context of verification and validation. To achieve this goal, we adopt the discrete event system specification (DEVS) modeling methodology, which allows generalization and specialization of the entities in the model for a customized simulation with specific scenarios. In addition, we articulate metrics for supporting our simulation-based verification and validation and demonstrate the feasibility and effectiveness of our approach with a real-world use case.


Presented as part of the Open Networking Summit 2014 (ONS 2014) | 2014

Towards a Reliable SDN Firewall

Hongxin Hu; Gail Joon Ahn; Wonkyu Han; Ziming Zhao


international workshop on security | 2016

HoneyMix: Toward SDN-based Intelligent Honeynet

Wonkyu Han; Ziming Zhao; Adam Doupé; Gail Joon Ahn


network and distributed system security symposium | 2017

On the Safety and Efficiency of Virtual Firewall Elasticity Control

Juan Deng; Hongda Li; Hongxin Hu; Kuang-Ching Wang; Gail Joon Ahn; Ziming Zhao; Wonkyu Han

Collaboration

Top Co-Authors

Gail Joon Ahn (Arizona State University)

Ziming Zhao (Arizona State University)

Adam Doupé (Arizona State University)

Mike Mabey (Arizona State University)

Tae Sung Kim (Chungbuk National University)