8 research outputs found

    Towards full network virtualization in horizontal IaaS federation: security issues


    Master of Science in Computing

    Current Intrusion Detection Systems (IDS) in a typical enterprise or campus network are limited by having a fixed number of static monitoring points and static IDS resources deployed. The monitoring points are typically deployed using hardware optical taps or SPAN ports that are fed directly into the IDS. The IDS itself is a compute resource requiring dedicated server-grade hardware, and these resources are statically configured when the enterprise or campus network is installed. We designed a framework for a distributed, elastic Intrusion Detection System (IDS) for a Software Defined Network (SDN) capable network, called Distributed Elastic Intrusion DeTECTion (DEIDtect). We combine the flexibility of SDN and the elastic resource usage of a cloud infrastructure with a DEIDtect orchestrating controller to achieve an elastic IDS framework. DEIDtect enables simpler and more dynamic management of IDS deployments. The flexibility of our approach also enables new IDS use cases and deployment strategies.

    OneCloud: A Study of Dynamic Networking in an OpenFlow Cloud

    Cloud computing is a popular paradigm for accessing computing resources. It provides elastic, on-demand and pay-per-use models that help reduce costs and maintain a flexible infrastructure. Infrastructure as a Service (IaaS) clouds are becoming increasingly popular because users do not have to purchase the hardware for a private cloud, which significantly reduces costs. However, IaaS presents networking challenges to cloud providers because cloud users want the ability to customize the cloud to match their business needs. This requires providers to offer dynamic networking capabilities, such as dynamic IP addressing. Providers must expose a method by which users can reconfigure the networking infrastructure for their private cloud without disrupting the private clouds of other users. Such capabilities have often been provided in the form of virtualized network overlay topologies. In our work, we present a virtualized networking solution for the cloud using the OpenFlow protocol. OpenFlow is a software defined networking approach for centralized control of a network's data flows. In an OpenFlow network, packets not matching a flow entry are sent to one or more centralized controllers that make forwarding decisions. The controller then installs flow entries on the network switches, which in turn process further network traffic at line rate. Since the OpenFlow controller can manage traffic on all of the switches in a network, it is ideal for enabling the dynamic networking needs of cloud users. This work analyzes the potential of OpenFlow to enable dynamic networking in cloud computing and presents reference implementations of Amazon EC2's Elastic IP Addresses and Security Groups using the NOX OpenFlow controller and the OpenNebula cloud provisioning engine.

    Coretic: a new way of writing rules to improve isolation and composition in SDN

    SDN (Software Defined Networking) is a new network architecture that offers a solution to the complexity of the tasks performed by network equipment. This architecture separates the data plane, responsible for forwarding data, from the control plane, which provides the flow management rules. Above the control plane sits the management plane, which sends instructions to the data plane using a high-level language. Research work provides solutions for traffic isolation, control plane composition, and flow management at the management plane level in SDN. Current isolation and composition solutions rely on flow-entry management techniques that have weaknesses. Some use information from layer 2 of the OSI (Open System Interconnection) model (Ahmed, Mohamed Fekih. 2015). Performing isolation with layer 2 information generates many entries in the flow tables, which affects performance. Other solutions use a single flow table to insert the rules of several controllers (Jin, Xin. 2015). This leads to low cohesion in the tables concerned. High coupling is also observed when several interconnected tables are used (Dixit, A. 2014). As for management-plane solutions, they do not allow several high-level programming platforms to share a common controller. This master's thesis proposes Coretic, which aims to improve the writing of rules in the data plane for isolation and composition. Since the role of the control plane is delegated to the management plane through high-level programming platforms, this work proposes a solution for isolating the traffic of several management planes while using a common controller.
    To achieve its objectives, Coretic uses information from layer 3 of the OSI model together with multiple flow tables. Performance tests showed that Coretic offers better performance for isolation and composition. The management-plane hypervision solution does not cause a significant performance degradation. Following the tests performed, Coretic makes the following contributions:
    • A new approach to the isolation and composition of control planes, based on the use of multiple tables and of layer 3 IP addresses.
    • A hypervision solution for management planes.
    These contributions improve performance in the data plane. The cohesion of the flow tables is strengthened, because each table receives well-defined policies. Coupling also becomes low, because Coretic lets each table process flows independently. With Coretic, a single controller is enough to isolate the traffic of several management planes.

    Architecture proposal for fixed and mobile network service providers using SDN OpenFlow

    Thesis (doctorate), Universidade de Brasília, Faculdade de Tecnologia, Departamento de Engenharia Elétrica, 2019. Large-scale networks, such as Service Providers, are robust architectures capable of supporting large volumes of traffic with very different characteristics. Their network equipment carries a significant processing load, being responsible both for building the routing logic and for forwarding traffic at the same time.
    Because network control is implemented in a distributed manner and the networks are built with equipment from a limited number of vendors, these networks have limitations in control and traffic engineering, hindering differentiation between Service Providers. Additionally, the network intelligence is hidden in the network equipment, making innovation very slow and conditioned on the vendors' interests. As an alternative, this work proposes an SDN-OpenFlow network architecture for transport and mobile networks that tries to solve the previously mentioned problems and, at the same time, addresses the difficulties arising from the centralizing nature of OpenFlow. With the proposed architecture, a robust OpenFlow network is created that tolerates high Controller response times and Controller failure, without additional delays in the establishment of new flows and with a significant reduction of the Controller's load. As a proof of concept, a prototype has been built using Open vSwitch as the virtualization software for the OpenFlow clients, Mininet for the topology construction and Ryu as the Controller, all with OpenFlow 1.3 support or higher.

    An OpenFlow based network virtualization framework for the Cloud

    The Cloud computing paradigm entails a challenging networking scenario. Due to the economy of scale, the Cloud is mainly supported by Data Center infrastructures. Therefore, virtualized environment manageability, seamless migration of virtual machines, inter-domain communication issues and scalability problems are some of the main concerns that should be addressed. A recently proposed abstract model is used as a reference for the Cloud computing architecture. This paper introduces a network virtualization framework for the Cloud based on this model. Accordingly, a proper abstraction of network elements (vhost, vnode and vlink) is defined in order to virtualize the physical infrastructure. Moreover, a novel Layer 2 network virtualization approach based on a new MAC addressing scheme is presented: we propose to build locally administered MAC addresses that hold context information, such as virtual operator, domain, node and host identifiers. In addition, implementation details are suggested, describing how the OpenFlow technology can lead to an implementation of the proposed approach.