2,298 research outputs found

    SDN as Active Measurement Infrastructure

    Active measurements are integral to the operation and management of networks, and invaluable to supporting empirical network research. Unfortunately, it is often cost-prohibitive and logistically difficult to widely deploy measurement nodes, especially in the core. In this work, we consider the feasibility of tightly integrating measurement within the infrastructure by using Software Defined Networks (SDNs). We introduce "SDN as Active Measurement Infrastructure" (SAAMI) to enable measurements to originate from any location where SDN is deployed, removing the need for dedicated measurement nodes and increasing vantage point diversity. We implement ping and traceroute using SAAMI, as well as a proof-of-concept custom measurement protocol to demonstrate the power and ease of SAAMI's open framework. Via a large-scale measurement campaign using SDN switches as vantage points, we show that SAAMI is accurate, scalable, and extensible.

    Recommended Practices Guide Securing WLANs using 802.11i

    This paper addresses design principles and best practices regarding the implementation and operation of Wireless LAN (WLAN) communication networks based on the 802.11i security standard. First, a general overview of WLAN technology and standards is provided in order to ground the discussion in the evolution of WLAN standards and security approaches. This is followed by a detailed explanation of the 802.11i standard for securing WLAN networks. Principles for designing secure WLAN networks are then presented, followed by a list of specific best practices that can be used as a guideline for organizations considering the deployment of WLAN networks for non-critical control and monitoring applications. Finally, a section on technical issues and considerations for deploying WLAN networks in critical environments is presented.

    Securing the internet through the detection of anonymous proxy usage


    AEGIS: Validating Execution Behavior of Controller Applications in Software-Defined Networks

    The software-defined network (SDN) controller provides an application programming interface (API) for network applications and controller modules. Malicious applications and network attackers can misuse these APIs to cause outbreaks on the controller. The controller is the heart of the SDN and should be secured from such API misuse scenarios and network attacks. Most of the prior research in security for SDN controllers focuses on a defense mechanism for a particular attack scenario that requires changes in the controller code. This research proposes dynamic access control and a policy engine-based approach for protecting the SDN controller from network attacks and application bugs, thus defending against the misuse of the controller APIs. The proposed AEGIS protects controller APIs and defines a set of access, semantic, syntactic and communication policy rules and a permission set for accessing controller APIs. It utilizes the traditional API hooking technique to control API usage. We generated various attack scenarios that included application bugs and network attacks on the Floodlight SDN controller and showed that applying AEGIS secured the Floodlight controller APIs and hence protected them from network attacks and application bugs. Finally, we discuss performance comparison tests of the new AEGIS controller implementation for memory usage, API execution time and boot-up time and conclude that AEGIS effectively protects the SDN controller for trustworthy operations.

    Trustworthy Wireless Personal Area Networks

    In the Internet of Things (IoT), everyday objects are equipped with the ability to compute and communicate. These smart things have invaded the lives of everyday people, being constantly carried or worn on our bodies, and entering into our homes, our healthcare, and beyond. This has given rise to wireless networks of smart, connected, always-on, personal things that are constantly around us, and have unfettered access to our most personal data as well as all of the other devices that we own and encounter throughout our day. It should, therefore, come as no surprise that our personal devices and data are frequent targets of ever-present threats. Securing these devices and networks, however, is challenging. In this dissertation, we outline three critical problems in the context of Wireless Personal Area Networks (WPANs) and present our solutions to these problems. First, I present our Trusted I/O solution (BASTION-SGX) for protecting sensitive user data transferred between wirelessly connected (Bluetooth) devices. This work shows how in-transit data can be protected from privileged threats, such as a compromised OS, on commodity systems. I present insights into the Bluetooth architecture, Intel’s Software Guard Extensions (SGX), and how a Trusted I/O solution can be engineered on commodity devices equipped with SGX. Second, I present our work on AMULET and how we successfully built a wearable health hub that can run multiple health applications, provide strong security properties, and operate on a single charge for weeks or even months at a time. I present the design and evaluation of our highly efficient event-driven programming model, the design of our low-power operating system, and developer tools for profiling ultra-low-power applications at compile time. Third, I present a new approach (VIA) that helps devices at the center of WPANs (e.g., smartphones) to verify the authenticity of interactions with other devices. 
This work builds on past work in anomaly detection techniques and shows how these techniques can be applied to Bluetooth network traffic. Specifically, we show how to create normality models based on fine- and coarse-grained insights from network traffic, which can be used to verify the authenticity of future interactions.

    Securing an Application Layer Gateway: An Industrial Case Study

    Application Layer Gateways (ALGs) play a crucial role in securing critical systems, including railways, industrial automation, and defense applications, by segmenting networks at different levels of criticality. However, they require rigorous security testing to prevent software vulnerabilities, not only at the network level but also at the application layer (e.g., deep traffic inspection components). This paper presents a vulnerability-driven methodology for the comprehensive security testing of ALGs. We present the methodology in the context of an industrial case study in the railways domain, and a simulation-based testing environment to support the methodology.