CloudWatcher: Network Security Monitoring Using
OpenFlow in Dynamic Cloud Networks or: How to Provide
Security Monitoring as a Service in Clouds?
Seungwon Shin and Guofei Gu, SUCCESS LAB
Texas A&M University
Contents
• Background
• Problem domain
• CloudWatcher
• Future work
• Conclusion
Background
• Cloud is large and complicated
– A lot of VMs in a cloud network
• “Amazon seems to operate nearly half million servers for a cloud network”
– http://huanliu.wordpress.com/2012/03/13/amazon-data-center-size/
• Each server may run more than 10 VMs inside
• Thus, Amazon may operate around 5 million VMs
– A lot of tenants use cloud services
• They have different network or server configurations
• Cloud is dynamic
– VMs can move to any server in a cloud network
Problem Domain
• How to monitor cloud networks for security purposes
– Each tenant will want to have different network configurations
– A VM can move from one host to another
– Current flow control methods do not consider security devices
Example Scenario
[Figure, two panels: “Routing from VM1 to VM3” and “Routing from VM1 to VM3 considering NIDS”; hosts H1, H2, H3 connected through routers R1 to R5]
Goal
• Provide routing algorithms
– The algorithms guarantee that specified network security devices can monitor specific network flows
• Provide a script language
– A network administrator can easily register security devices
– A network administrator can easily define security policies
SDN and OpenFlow
• SDN: Software Defined Networking
– Separate network control plane and data plane
– Intelligent control plane
– Simple (and fast) data plane
– We can program the network
• Control network flows (e.g., decide routing paths)
• OpenFlow
– One of the popular SDN technologies
OpenFlow Overview
[Figure from the Stanford OpenFlow tutorial (OpenFlowSwitch.org, OpenFlow Switch specification): a controller (PC) talks to an OpenFlow switch over the OpenFlow protocol on SSL; the switch holds a Flow Table (hw) and a Secure Channel (sw); the channel carries add/delete flow entries, encapsulated packets, and controller discovery]
SDN and OpenFlow
• People try to apply this technology to a cloud network
– Network virtualization
• E.g., Nicira NVP
– Network Infrastructure as a Service
• E.g., OpenFlow interface with OpenStack
CloudWatcher
• A new framework
– Provides monitoring services for large and dynamic cloud networks
– Automatically detours network packets so that they are inspected by pre-installed network security devices
• Using OpenFlow
– Provides a script to operate this framework
Operating Scenario
[Figure: workflow between the administrator and CloudWatcher]
• Register security devices
• Create security policies
• Parse security policies
• Create routing rules
• Enforce flow rules into routers
• Translate routing rules into OpenFlow rules
Example: the administrator registers an NIDS (ID = 1) attached to a router (Device ID = 8)
{ID, TYPE, LOCATION, MODE, Func}
{1, NIDS, 8, PASSIVE, Detect HTTP}
Example security policy: the flow from 10.0.0.1 to 20.0.0.2 must be seen by device 1
{FLOW CONDITION, DEVICE SET}
{10.0.0.1 20.0.0.2, {1}}
How to Control Flows
• 4 approaches
– Multipath naïve
– Shortest through
– Multipath shortest
– Shortest inline
[Sample network: S = start node, E = end node, R = router, C = security device]
Simple Shortest Path
• Basic routing scheme (NOT CloudWatcher’s idea)
– Find the shortest path between a start host and an end host
– Path: S → R1 → R5 → R6 → E
Multipath Naïve (algorithm 1)
• Find multiple paths
– Shortest path between S and E
– Shortest path between S and C
– Paths
• S → R1 → R5 → R6 → E
• S → R1 → R2 → R3 → R4
• OpenFlow provides a function to send packets to multiple outputs
– E.g., R1 → {R2, R5}
Shortest Through (algorithm 2)
• Find the shortest path passing through R4
– Shortest path between S and R4
– Shortest path between R4 and E
– Path: S → R1 → R2 → R4, then R4 → R6 → E
Multipath Shortest (algorithm 3)
• Improved version of multipath naïve
• Two phases
– Find the shortest path (P1)
• S → R1 → R5 → R6 → E
– Find the shortest path between the routers on path P1 and R4
• R6 → R4
• R6 → {R4, E}
Shortest Inline (algorithm 4)
• Find a path passing through (a) specific link(s) (not a node)
• Good for delivering network packets to inline devices
– E.g., IPS (intrusion prevention system)
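The four flow-control algorithms of this section, as an added example that is not part of the original slides or of CloudWatcher’s own code. The topology, the BFS on hop counts and the function names are my assumptions; C is a passive NIDS attached to R4, and the last function shows how paths collapse into the per-router output sets an OpenFlow controller would install.

```python
# Added example (not CloudWatcher's code): the four CloudWatcher flow-control
# strategies computed over a constructed sample network. Hops are unweighted,
# so BFS gives shortest paths; 'C' is a passive NIDS attached to router R4.
from collections import deque

# Constructed topology (assumption; the deck's own figure is not reproduced).
LINKS = [("S", "R1"), ("R1", "R2"), ("R1", "R5"), ("R2", "R3"), ("R2", "R4"),
         ("R3", "R4"), ("R4", "R6"), ("R5", "R6"), ("R6", "E"), ("R4", "C")]
ADJ = {}
for a, b in LINKS:
    ADJ.setdefault(a, set()).add(b)
    ADJ.setdefault(b, set()).add(a)

def shortest(src, dst):
    """BFS shortest path by hop count, returned as a node list."""
    prev, q = {src: None}, deque([src])
    while q:
        n = q.popleft()
        if n == dst:
            path = []
            while n is not None:
                path.append(n)
                n = prev[n]
            return path[::-1]
        for m in sorted(ADJ[n]):        # sorted for deterministic tie-breaks
            if m not in prev:
                prev[m] = n
                q.append(m)
    return None

def multipath_naive(s, e, dev):        # algorithm 1: two independent paths
    return [shortest(s, e), shortest(s, dev)]

def shortest_through(s, e, node):      # algorithm 2: s -> node, then node -> e
    return shortest(s, node) + shortest(node, e)[1:]

def multipath_shortest(s, e, node):    # algorithm 3: branch off P1 at nearest router
    p1 = shortest(s, e)
    branch = min(p1[1:-1], key=lambda r: len(shortest(r, node)))
    return [p1, shortest(branch, node)]

def shortest_inline(s, e, link):       # algorithm 4: traffic must cross link a->b
    a, b = link
    return shortest(s, a) + shortest(b, e)   # the a->b hop is the link itself

def flow_rules(paths):
    """Per-router next-hop sets, i.e. what becomes OpenFlow output actions."""
    rules = {}
    for p in paths:
        for cur, nxt in zip(p, p[1:]):
            rules.setdefault(cur, set()).add(nxt)
    return rules
```

Calling flow_rules on the two naïve paths yields R1 → {R2, R5}, the multi-output rule the slide mentions; the same helper shows multipath shortest installs only one extra rule at R6.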
Summary for Flow Control Methods
Multipath Naïve
– Pros: Simple and fast
– Cons: Redundant flows
– When to use: Enough network capacity, delay is important
Shortest Through
– Pros: Efficient
– Cons: Computation overhead, when multiple devices
– When to use: Not enough network capacity, delay is not so important
Multipath Shortest
– Pros: Efficient
– Cons: Computation overhead
– When to use: Not many hops (e.g., communication between inside VMs)
Shortest Inline
– Pros: Guarantees passing through a specific link
– Cons: Computation overhead, when multiple devices
– When to use: For an inline security device (e.g., IPS)
Implementation and Evaluation
• CloudWatcher is implemented
– As an OpenFlow application
• Running on the NOX controller
• Implemented in Python
• Verify each algorithm on emulated networks
– Use Mininet to emulate networks supporting OpenFlow
Evaluation Results
• Flow rule generation time
[Figure: flow rule generation time (12 routers)]
Legend: Shortest = Dijkstra algorithm to find the shortest path; Algorithm 1 = Multipath Naïve; Algorithm 2 = Shortest Through; Algorithm 3 = Multipath Shortest; Algorithm 4 = Shortest Inline
Future Work
• Optimize algorithms
• Dynamic path selection
• Provide security response strategies
• Verify the proposed ideas on a large scale system
Conclusion
• CloudWatcher provides a new framework to monitor cloud networks
– With the help of SDN technology
• A cloud administrator can select algorithms based on network status
• A cloud administrator can monitor his network by writing simple scripts