3.1 SDN Application Plane Architecture
 The SDN application plane contains the applications and services that define,
monitor, and control network resources and behavior. These applications
communicate with the SDN control plane through the application control
interface.
 The programming of an SDN application makes use of the abstracted view
of network resources provided by the SDN control layer by means of
information and data models exposed via the application control interface.
 Fig. 3.1.1 shows SDN application plane functions and interfaces.
Northbound interface
 It provides an abstract view of the network resources controlled by the software in
the SDN control plane. The Northbound API makes the information gathered
by the SDN controller available to applications.
 Northbound Interface enables applications to access control plane functions
and services without needing to know the details of the underlying network
switches. Fig. 3.1 shows northbound interface function.
 The northbound interface can be a local or a remote interface. With a local interface,
the SDN applications run on the same server as the controller. A remote interface is a
protocol or API that connects the applications to the controller (network
operating system) running on a central server.
 The Northbound API presents a network abstraction interface to the
applications and the management systems at the top of the SDN stack. It is the
API that puts applications in control of the network.
 SDN applications run above the SDN controller and interface to the network
via the controller's northbound API. SDN applications are responsible for
managing the flow entries, which are programmed into the network devices
through the controller's API.
 By using this API, the application can perform:
1. Configure the flows to route packets through the best path between two
endpoints;
2. Balance traffic loads across multiple paths or destined to a set of
endpoints;
3. React to changes in the network topology such as link failures and the
addition of new devices and paths;
4. Redirect traffic for purposes of inspection, authentication, segregation
and similar security-related tasks.
 The Application Programming Interface (API) that resides between the
controller and the application layer in SDN is known as the Northbound API.
 Northbound API presents a network abstraction interface to the applications
and the management systems at the top of the SDN stack. Northbound API
implemented by SDN controllers can be regarded as a network abstraction
interface to applications, easing network programmability, simplifying
control and management tasks and allowing for innovation.
 In contrast to the Southbound API, the Northbound API is not covered by a
single accepted standard; each controller exposes its own.
 The northbound interface connects SDN applications to the controller. An
application can request information from the controller, such as statistics and
incoming connections. An application can also send commands to the
controller in order to control the network, such as adding or removing
flow rules.
 Example of a Northbound Interface: the REST API of the Ryu SDN network
operating system.
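The following is an added example (not code from the page or from the Ryu project) of an SDN application using Ryu's REST northbound interface for the tasks listed above: pinning a flow to a path, redirecting a suspect host to an inspection port, consuming flow statistics, and removing entries again. It assumes Ryu is running locally with the ofctl_rest module loaded on its default port 8080, and that the endpoint paths (/stats/flowentry/add, /stats/flowentry/delete, /stats/flow/<dpid>) and match field names used here are the ones ofctl_rest accepts; verify them against your Ryu version.

```python
# Added example: driving Ryu's ofctl_rest northbound REST API from an SDN app.
# Assumed: Ryu with ofctl_rest at 127.0.0.1:8080; endpoint paths and match
# field names as in ofctl_rest (check against your Ryu version).
import json
import urllib.request

RYU_BASE = "http://127.0.0.1:8080"  # assumed ofctl_rest address
ETH_TYPE_IPV4 = 0x0800


def flow_entry(dpid, match, actions, priority=100, table_id=0, cookie=0):
    """Build one flow entry in the JSON shape ofctl_rest accepts."""
    return {"dpid": dpid, "cookie": cookie, "table_id": table_id,
            "priority": priority, "match": match, "actions": actions}


def path_flows(path, src_ip, dst_ip, priority=50):
    """Task 1: pin an IPv4 flow to a chosen path. `path` is a list of
    (dpid, in_port, out_port) hops, giving one flow entry per switch."""
    return [
        flow_entry(dpid,
                   {"in_port": in_port, "dl_type": ETH_TYPE_IPV4,
                    "nw_src": src_ip, "nw_dst": dst_ip},
                   [{"type": "OUTPUT", "port": out_port}],
                   priority=priority)
        for dpid, in_port, out_port in path
    ]


def inspection_redirect(dpid, suspect_mac, inspection_port, priority=200):
    """Task 4: steer every frame from a suspect host to an inspection port.
    The priority exceeds that of the path flows so this entry wins; the
    cookie tags it so it can be found and removed later."""
    return flow_entry(dpid, {"dl_src": suspect_mac},
                      [{"type": "OUTPUT", "port": inspection_port}],
                      priority=priority, cookie=0xD1)


def bytes_by_source(flow_stats_reply):
    """Consume statistics: total byte_count per dl_src from the JSON body
    returned by GET /stats/flow/<dpid>, i.e. {"<dpid>": [entry, ...]}."""
    totals = {}
    for entries in flow_stats_reply.values():
        for entry in entries:
            src = entry.get("match", {}).get("dl_src", "*")
            totals[src] = totals.get(src, 0) + entry.get("byte_count", 0)
    return totals


def post(path, body, send=None):
    """POST `body` to the controller. `send` is a callable taking a urllib
    Request (pass urllib.request.urlopen for real HTTP); with send=None the
    (url, body) that would be sent is returned instead: a dry run."""
    req = urllib.request.Request(
        RYU_BASE + path, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    if send is None:
        return (req.full_url, json.loads(req.data))
    with send(req) as resp:
        return resp.status


def install(entries, send=None):
    return [post("/stats/flowentry/add", e, send) for e in entries]


def remove(entries, send=None):
    return [post("/stats/flowentry/delete", e, send) for e in entries]


if __name__ == "__main__":
    # Dry run: show what would be sent for a two-hop path and a redirect.
    flows = path_flows([(1, 1, 2), (2, 1, 3)], "10.0.0.1", "10.0.0.2")
    for url, body in install(flows):
        print(url, body)
    print(install([inspection_redirect(1, "00:00:00:00:00:01", 4)]))
```

Run with `send=urllib.request.urlopen` to talk to a live controller. Note that ofctl_rest itself performs no authentication; any process that can reach port 8080 can rewrite the flow tables, which is exactly the application-plane exposure discussed in 3.5 below, so the API should be bound to a management network and fronted by an authenticating proxy.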
Network services abstraction layer
 The Network Services Abstraction Layer (NSAL) provides access from
services of the control, management and application planes to other
services and applications.
 Its functional concepts are as follows:
a. This layer provides an abstract view of network resources that hides the
details of the underlying data plane devices.
b. It also provides a generalized view of control plane functionality.
c. This layer provides a network virtualization capability.
Network applications
 Various applications are as follows:
a. Data center networking
b. Mobility and wireless
c. Traffic engineering
d. Measurement and monitoring
e. Information centric networking
f. Security and dependability
User interface
 User interface enables a user to configure parameters in SDN
applications and to interact with applications that support user
interaction.
3.2 Network Services Abstraction Layer
 Abstraction is used to hide background details and unnecessary
implementation detail so that users only see the information they need.
 An abstraction layer is a mechanism that translates a high-level request
into the low-level commands required to perform it.
3.2.1 SDN Abstraction
 SDN supports three types of abstraction: forwarding, distribution and
specification.
 Fig. 3.2.1 shows SDN architecture and abstraction.
1. Forwarding abstraction:
 Allows the control program to specify data plane forwarding behavior.
 Supports the data plane forwarding function.
 Example: OpenFlow API
2. Distribution abstraction:
 This abstraction arises in the context of distributed controllers.
 A distributed controller maintains a state description of the network
and of the routes through it.
 The aim is to hide the complex distribution mechanisms, separating state
management from protocol design and implementation.
 Through its API it provides a single coherent global view of the network.
 This type of abstraction is implemented in network operating systems (NOS)
such as Ryu and OpenDaylight.
3. Specification abstraction:
 It provides an abstract view of the global network. This view gives the
application enough detail to specify its goals.
 Forwarding interface: An abstract forwarding model that shields
higher layers from forwarding hardware.
 Distribution interface: Global network view that shields higher layers
from state collection.
 Specification interface: An abstract network view that shields
application program from details of physical network.
3.2.2 Frenetic
 Frenetic is a domain-specific language for programming OpenFlow
networks. Frenetic is designed to solve major OpenFlow / NOX
programming problems.
 It introduces a set of purely functional abstractions that enable
modular program development, defines high-level, programmer
centric, packet processing operators and eliminates many of the
difficulties of the two-tier programming model.
 Fig. 3.2.2 shows the Frenetic architecture.
 It is embedded in Python and comprises two levels of abstraction.
They are :
a) A limited, but high-level and declarative network query language.
The query language provides means for reading the state of the
network, merging different queries and expressing high level
predicates for classifying, filtering, transforming, and aggregating
the packets' streams traversing the network.
b) A general-purpose, functional and reactive network policy
management library. This library allows reasoning about a unified
architecture based on the “see every packet” abstraction of Frenetic
and describes network programs without the burden of low-level
details. To govern packet forwarding, the functional and reactive
based policy management library offers high level packet processing
operators that manipulate packets as discrete streams only.
 The Frenetic implementation has several distinct components:
1. OpenFlowLib: Provides datatypes, parsers and serializers for
OpenFlow, the most popular SDN framework. This library makes
heavy use of the cstruct package, which provides constructs for
manipulating C-style structures in OCaml and greatly simplifies the
task of writing binary parsers and serializers.
2. PacketLib: Provides datatypes, parsers and serializers for
Ethernet, IP, ARP, TCP and UDP packets. This library also relies
heavily on the cstruct package.
3. NetCoreLib: Implements the Frenetic policy language. It defines
the abstract syntax, as well as a compiler and run-time system that
implements this language using the lower-level interface provided
by OpenFlowLib.
4. Main: Provides a number of additional features including natural
surface syntax, support for dynamic and stateful policies using Lwt
and integrated testing and debugging facilities.
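The following is an added illustration, written for this page, of the programming style the Frenetic description above refers to. It is the author's own toy model, not Frenetic's API or syntax: predicates, forwarding policies and queries are plain functions that compose in parallel and in sequence, and a query observes every packet without altering what is forwarded. The header field names (dl_dst, nw_src, nw_proto, tp_dst, port), the host table and the sample packets are assumed/constructed for the example.

```python
# Added toy model of Frenetic-style modular policies (not Frenetic's own API).
# Packets are dicts of header fields; field names are assumed for the example.
from collections import Counter


# --- predicates: packet -> bool -------------------------------------------
def match(**fields):
    return lambda p: all(p.get(k) == v for k, v in fields.items())


def neg(pred):
    return lambda p: not pred(p)


# --- policies: packet -> list of packets (empty = drop, >1 = copies) ---------
def filt(pred):
    return lambda p: [p] if pred(p) else []


def modify(**fields):
    return lambda p: [{**p, **fields}]   # purely functional: no mutation


def fwd(port):
    return modify(port=port)


def drop(p):
    return []


def par(*policies):
    """Parallel composition: every policy sees the same input packet."""
    return lambda p: [q for pol in policies for q in pol(p)]


def seq(*policies):
    """Sequential composition: each policy's output feeds the next."""
    def run(p):
        packets = [p]
        for pol in policies:
            packets = [q for r in packets for q in pol(r)]
        return packets
    return run


# --- queries: observe traffic, forward nothing ----------------------------
def count_by(field, counter):
    def observe(p):
        counter[p.get(field)] += 1
        return []
    return observe


# --- a program assembled from small reusable pieces -------------------------
HOSTS = {"00:00:00:00:00:01": 1, "00:00:00:00:00:02": 2}  # assumed MAC -> port


def learned_routing(table):
    """Forward by destination MAC; unknown destinations are dropped."""
    return par(*(seq(filt(match(dl_dst=mac)), fwd(port))
                 for mac, port in table.items()))


def telnet_firewall():
    """Drop TCP port 23; everything else passes through unchanged."""
    return filt(neg(match(nw_proto=6, tp_dst=23)))


def make_program(counter):
    routed = seq(telnet_firewall(), learned_routing(HOSTS))
    # The query runs in parallel with forwarding, so it counts every packet
    # by source, including the ones the firewall drops.
    return par(routed, count_by("nw_src", counter))


def evaluate(policy, packets):
    return [out for p in packets for out in policy(p)]


def demo():
    seen = Counter()
    program = make_program(seen)
    sample = [  # constructed packets
        {"dl_dst": "00:00:00:00:00:02", "nw_src": "10.0.0.1", "nw_proto": 6, "tp_dst": 80},
        {"dl_dst": "00:00:00:00:00:01", "nw_src": "10.0.0.2", "nw_proto": 6, "tp_dst": 23},
        {"dl_dst": "ff:ff:ff:ff:ff:ff", "nw_src": "10.0.0.3", "nw_proto": 17, "tp_dst": 53},
    ]
    return evaluate(program, sample), seen


if __name__ == "__main__":
    outputs, counts = demo()
    print("forwarded:", outputs)
    print("seen per source:", dict(counts))
```

In the demo only the HTTP packet is forwarded (out port 2); the telnet packet is dropped by the firewall and the broadcast has no entry in the host table, yet the query still records all three sources. That separation of monitoring from forwarding is what lets the pieces be written and tested independently and then composed.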
3.3 Traffic Engineering
 Traffic engineering is the process of routing data traffic to balance the
traffic load on the various links, routers and switches in the network
and is most applicable in networks where multiple parallel or
alternate paths are available.
 Traffic engineering involves establishing routing and forwarding
policies based on QoS requirements. Traffic Engineering in SDN
involves the analysis of the network's state by the SDN controller to
act on flow data through the rapid change in flow table information
for forwarding devices.
 Reasons to deploy traffic engineering include the following:
a) Congestion in the network due to changing traffic patterns.
b) Traffic surges caused by events such as election news, online trading or
major sports events.
c) Better utilization of available bandwidth.
d) Routing on a path that is not the shortest.
e) Routing around failed links / nodes; fast rerouting around failures,
transparently to users, like SONET Automatic Protection Switching (APS).
f) Building new services, e.g. virtual leased-line services.
g) VoIP toll-bypass applications and point-to-point bandwidth guarantees.
h) Capacity planning: traffic engineering improves the aggregate
availability of the network.
3.3.1 PolicyCop
 Network management systems are continuously challenged to
satisfy application QoS requirements. Policy based management can
tackle these challenges, and coupled with SDN it can provide autonomic
policy based management.
 PolicyCop is an autonomic QoS policy enforcement framework for
software defined networks. It takes advantage of SDN and OpenFlow
for:
a) Dynamic traffic steering
b) Flexible flow level control
c) Dynamic traffic classes
d) Custom flow aggregation levels.
 PolicyCop also monitors the network and autonomically readjusts
network parameters to meet the customer's Service Level Agreement (SLA).
 Fig. 3.3.1 shows PolicyCop architecture.
1. Control plane
 It uses the following modules and a database for storing control rules:
a) Admission control: Accepts or rejects requests from the resource
provisioning module for reserving network resources such as queues, flow
table entries etc.
b) Routing: Finds path availability based on the control rules in the rule
database.
c) Device tracker: Tracks the up/down status of network switches and their
ports.
d) Rule database: The application plane translates high level network wide
policies to control rules and stores them in the rule database.
 A RESTful northbound interface connects these control plane modules to the
application plane modules. The application plane is organized into two
components: the policy validator and the policy enforcer.
 The policy validator monitors the network to detect policy violations. The policy
enforcer adapts control plane rules based on network conditions and high
level policies.
 The policy database is used by both the policy validator and the policy enforcer.
It contains the QoS policy rules entered by the network manager.
 Policy validator uses event handler, policy checker and traffic monitor
modules. The policy validator component periodically collects network traffic
data and detects policy violations. In case of a violation, it forwards an action
request to either the autonomic policy adaptation module or the network
manager based on the violation type.
 Policy enforcer uses topology manager, resource manager, policy adaptation
and resource provisioning modules. The objective of this component is to re-
provision network resources to adhere to the network-wide policies once the
policy validator component detects a policy violation.
 PolicyCop requires four control applications and a database for storing
control rules. These components are as follows:
1. Admission control: This application receives resource provisioning
requests from the management plane and decides whether to accept or
reject the request. It uses the SDN controller's NB-API to provision the
requested resources in network devices. The NB-API can be used to reserve
network resources like queues, flow-table entries, bandwidth, etc. If the
network devices have adequate resources then the resources are
provisioned and the application accepts the request from the management
plane, otherwise the request is rejected.
2. Routing: The routing application determines path availability. It calculates
route(s) based on the control rules in Rule database. Suitability of a route to
serve a request is determined by network topology and a collection of
performance metrics like latency, throughput, error-rate, jitter and
redundancy. The management plane collects these data using the Statistics
Collector and Device Tracker applications.
3. Device tracker: This application tracks the up/down status of network
switches and their ports by listening to the asynchronous status messages
exchanged between the OpenFlow controller and switches. The data
collected by this application helps the management plane to maintain a
global view of the network.
4. Statistics collector: This application uses a mix of passive and active
monitoring techniques to measure different network metrics, like bandwidth
usage, residual capacity and number of dropped packets, at different
aggregation levels, e.g., per flow, per switch port/link, per user, etc. It also
measures per flow latency, error rate and jitter by inserting packet probes in
the network.
5. Rule DB: The management plane translates high level network-wide
policies to control rules and stores them in the rule DB. The controller and
other control applications (e.g., routing) use these rules to compute the flow
table entries for each switch.
Process workflow in PolicyCop:
 Fig. 3.3.2 shows process workflow in PolicyCop.
 The traffic monitoring module collects network statistics through the
statistics collector application in the control plane. This data is used by the
policy checker module to detect policy violations. If no violation is detected
then the policy validator just keeps monitoring the network without taking
any action. If a violation is detected then the event is forwarded to the event
handler module.
 The event handler examines the violation event and forwards it either to the
network manager or to the policy adaptation module. If the event requires
manual intervention, then the network manager chooses appropriate
actions based on the event, its corresponding data and current network
condition.
 On the other hand, if the event can be handled by the autonomic handler in
the policy adaptation module, the violation event is directly forwarded to the
policy adaptation module. This module determines the appropriate action
based on the event type, current network topology, resource allocation,
traffic condition and informs the resource provisioning module to reallocate
network resources.
 The resource provisioning module makes the appropriate changes in the
network devices to enforce the contracted policy.
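As an added example (written for this page, not PolicyCop's own code), the workflow above reduced to a single validator/enforcer cycle over constructed data: a policy DB with per-class QoS limits, a set of per-flow measurements from the statistics collector, a policy checker that raises violation events, an event handler that routes them to the autonomic adaptation module or to the network manager, and a resource provisioning step that writes control rules. The traffic classes, thresholds, topology candidates and the rule "latency and bandwidth violations are autonomic, loss violations go to the manager" are assumptions for the example.

```python
# Added simulation of one PolicyCop monitoring/enforcement cycle.
# Policy DB, statistics, topology and handling rules are constructed/assumed.

# Policy DB: one QoS policy per traffic class, entered by the network manager.
POLICY_DB = {
    "gold":   {"max_latency_ms": 20, "min_bandwidth_mbps": 50, "max_loss_pct": 0.1},
    "silver": {"max_latency_ms": 80, "min_bandwidth_mbps": 10, "max_loss_pct": 1.0},
}

# Violation types the policy adaptation module may resolve autonomically;
# anything else is escalated to the network manager (assumed split).
AUTONOMIC = {"max_latency_ms", "min_bandwidth_mbps"}

# Constructed output of the statistics collector, one record per flow.
SAMPLE_STATS = [
    {"id": "f1", "class": "gold",   "latency_ms": 35, "bandwidth_mbps": 60, "loss_pct": 0.0},
    {"id": "f2", "class": "silver", "latency_ms": 40, "bandwidth_mbps": 4,  "loss_pct": 0.2},
    {"id": "f3", "class": "gold",   "latency_ms": 10, "bandwidth_mbps": 70, "loss_pct": 2.5},
]

# Constructed topology manager / resource manager view: candidate paths per
# flow with their measured latency and residual capacity.
SAMPLE_TOPOLOGY = {
    "f1": [{"path": ["s1", "s2", "s4"], "latency_ms": 35, "residual_mbps": 100},
           {"path": ["s1", "s3", "s4"], "latency_ms": 12, "residual_mbps": 30}],
    "f2": [{"path": ["s1", "s2"],       "latency_ms": 40, "residual_mbps": 4},
           {"path": ["s1", "s3", "s2"], "latency_ms": 55, "residual_mbps": 25}],
    "f3": [],
}


def policy_checker(stats, policy_db=POLICY_DB):
    """Policy validator: compare each flow's measurements with its class
    policy and emit one violation event per breached limit."""
    events = []
    for flow in stats:
        policy = policy_db[flow["class"]]
        checks = [("max_latency_ms", flow["latency_ms"] > policy["max_latency_ms"], flow["latency_ms"]),
                  ("min_bandwidth_mbps", flow["bandwidth_mbps"] < policy["min_bandwidth_mbps"], flow["bandwidth_mbps"]),
                  ("max_loss_pct", flow["loss_pct"] > policy["max_loss_pct"], flow["loss_pct"])]
        for kind, violated, observed in checks:
            if violated:
                events.append({"flow": flow["id"], "type": kind,
                               "observed": observed, "limit": policy[kind]})
    return events


def event_handler(events):
    """Split events into those the autonomic handler takes and those that
    need the network manager."""
    auto = [e for e in events if e["type"] in AUTONOMIC]
    manual = [e for e in events if e["type"] not in AUTONOMIC]
    return auto, manual


def policy_adaptation(event, topology):
    """Pick a corrective action from the event type and current topology."""
    candidates = topology.get(event["flow"], [])
    if event["type"] == "max_latency_ms" and candidates:
        best = min(candidates, key=lambda c: c["latency_ms"])
        if best["latency_ms"] <= event["limit"]:
            return {"flow": event["flow"], "action": "reroute", "path": best["path"]}
    if event["type"] == "min_bandwidth_mbps":
        for c in candidates:
            if c["residual_mbps"] >= event["limit"]:
                return {"flow": event["flow"], "action": "reserve",
                        "path": c["path"], "mbps": event["limit"]}
    # Nothing the autonomic module can do: hand it to the manager instead.
    return {"flow": event["flow"], "action": "escalate"}


def resource_provisioning(actions, rule_db):
    """Enforce: write control rules that routing/admission control consume."""
    for a in actions:
        if a["action"] in ("reroute", "reserve"):
            rule_db[a["flow"]] = {k: v for k, v in a.items() if k not in ("flow", "action")}
    return rule_db


def run_cycle(stats=SAMPLE_STATS, topology=SAMPLE_TOPOLOGY, rule_db=None):
    rule_db = {} if rule_db is None else rule_db
    events = policy_checker(stats)
    auto, manual = event_handler(events)
    actions = [policy_adaptation(e, topology) for e in auto]
    manual += [e for e, a in zip(auto, actions) if a["action"] == "escalate"]
    resource_provisioning(actions, rule_db)
    return events, actions, manual, rule_db


if __name__ == "__main__":
    for item in run_cycle():
        print(item)
```

Escalation is the important edge: an autonomic module that cannot satisfy the policy (no candidate path with enough residual capacity) must hand the event to the manager rather than silently keep the violation, which is why `run_cycle` folds escalated events into the manual queue.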
3.4 Measurement and Monitoring
 Measurement and monitoring applications are divided into two classes:
a) Applications that provide new functionality for other networking services.
b) Applications that add value to OpenFlow based SDNs.
 An example of the first type is in the area of broadband home connections. For
example, new functions can be added easily to measurement systems such
as BISmark in an SDN based broadband connection, which enables the
system to respond to changes in network conditions.
 The second class of these applications aims to improve the existing features of
SDNs using OpenFlow, such as reducing the load on the control plane arising
from the collection of data plane statistics using various sampling and estimation
techniques. OpenSketch is a southbound API that offers flexibility for network
measurement. OpenSample and PayLess are examples of monitoring
frameworks.
3.5 Security
 One of the more common SDN security concerns is attacks on the architecture
layers. The typical deployment consists of a lower layer of SDN-capable
network devices, a middle layer of SDN controller(s) and a higher layer that
includes the applications and services that request or configure the SDN.
1. SDN threats
 Fig. 3.5.1 shows the SDN security attack surface.
 Threats can occur at any of the three layers or in the communication between
layers.
Data plane
 The risk in the data plane is the southbound API, such as OpenFlow and the Open
vSwitch Database Management Protocol (OVSDB). This API is a powerful tool
for managing the data plane network elements and therefore increases the attack
surface of the network infrastructure.
 The forwarding nodes rely mainly on the controller for the decision on
how to forward flows, but retain the fast-forwarding capability themselves.
OpenFlow is one of the southbound protocols used by the controller to
communicate with the forwarding plane. In the forwarding plane, flow
tables forward already known traffic; for new flows, the forwarding devices
have to consult the controller to obtain the forwarding decision.
 One way to enhance security is the use of Transport Layer Security (TLS). Fig.
3.5.2 shows the role of TLS in the TCP/IP architecture.
 TLS provides three categories of security:
a) Confidentiality: All data that pass between the two applications are encrypted so
that they cannot be eavesdropped.
b) Integrity: TLS ensures that a message is not altered en route.
c) Authentication: TLS can validate the identity of one or both parties to the
exchange using public key certificates.
 TLS consists of two phases: handshake and data transfer.
 During the handshake, the two sides perform authentication and
establish an encryption key to be used for data transfer. During data
transfer, the two sides use the encryption key to encrypt all transmitted data.
 Note that OpenFlow makes TLS optional: a deployment that leaves the
switch-controller channel as plain TCP, or that enables TLS but verifies only the
controller's certificate and not the switch's, still allows a rogue switch or a
spoofed controller to join the southbound channel. Mutual certificate
validation on both ends is what closes this gap.
Control plane
 If an attacker can successfully penetrate the controller, the attacker gains a
considerable measure of control over the entire network. Protection of the
controller involves the following techniques:
a) Prevention against Distributed Denial of Service (DDoS) attacks.
b) Access control methods like role based access control and attribute based
access control may be used.
c) Use antivirus techniques.
d) Use firewall, Intrusion Detection System (IDS) and Intrusion Prevention
System (IPS).
Application plane
 The Northbound API and its protocol present a likely target for attackers. A
successful attack here could allow the attacker to gain control of the
networking infrastructure.
 SDN security therefore focuses on preventing unauthorized users and applications from
exploiting the controller.
3.5.1 NFV Security
 NFV is an innovative way to deliver network services, which involves
decoupling software from hardware. SDN complements NFV by providing a
platform to implement chains of Virtualized Network Services (VNS). Both
NFV and SDN can be used to make security processes and controls easier.
 With NFV and SDN, encryption software can be launched on a switch within
the network rather than on a hardware appliance. This is
particularly beneficial in data centers, where reports of data security breaches
seemingly make news headlines every month.
 Security needs to address multiple levels and domains and their interaction,
including following:
a) NFV infrastructure (NFVI): This is the domain of the underlying network, compute
and storage systems.
b) VNF: These are the network functions running on NFVI virtual machines.
c) MANO and OSS/BSS: Users employ the NFV management and
orchestration facility as well as OSS/BSS facilities to manage the network.
d) Management interface: Critical interface between major domains of
an NFV deployment.
3.5.2 Cloud Security
 Cloud security is the protection of data stored online via cloud computing
platforms from theft, leakage and deletion. Methods of providing cloud
security include firewalls, penetration testing, tokenization, Virtual Private
Networks (VPN) and avoiding public internet connections.
 Cloud security refers to an array of policies, technological procedures,
services and solutions designed to support safe functionality when building,
deploying and managing cloud-based applications and associated data.
 Cloud security is designed to protect the following, regardless of your
responsibilities:
a) Physical networks - Routers, electrical power, cabling, climate controls, etc.
b) Data storage - Hard drives, etc.
c) Data servers - Core network computing hardware and software.
d) Computer virtualization frameworks - Virtual machine software, host
machines and guest machines.
e) Operating Systems (OS) - Software that hosts the middleware, runtimes and applications above it.
f) Middleware - Application Programming Interface (API) management.
g) Runtime environments - Execution and upkeep of a running program.
h) Data - All the information stored, modified and accessed.
i) Applications - Traditional software services (email, tax software,
productivity suites, etc.)
j) End-user hardware - Computers, mobile devices, Internet of Things (IoT)
devices, etc.
 Cloud computing security addresses both physical and logical security
issues across all the different service models of software, platform and
infrastructure. It also addresses how these services are delivered in the
public, private, hybrid and community delivery models.
 Secure cloud computing architecture encompasses three core capabilities :
Confidentiality, Integrity and Availability.
1. Confidentiality is the ability to keep information secret and unreadable to the
people who shouldn't have access to that data.
2. Integrity is the idea that the systems and applications are exactly what you
expect them to be and function exactly as you expect them to function.
3. Availability speaks to Denial-of-Service (DoS) attacks. Perhaps an attacker can't
see or change your data. But if an attacker can make systems unavailable to you or
your customers, then you can't carry out tasks that are essential to maintain your
business.
 Security challenges for a cloud service customer (CSC) using a cloud service provider (CSP):
1. Ambiguity in responsibility: A CSC uses services based on different service
categories as well as different deployment models. If the responsibilities are
not clearly defined in any of these cases, then it may result in inconsistency
or may leave an open gate for attacks.
2. Loss of trust: Because of the abstraction of the security implementation
details between a CSC and a CSP, it is difficult for a CSC to get details of the
security mechanisms that the CSP has implemented to keep the cloud data
secure.
3. Loss of governance: When the CSC uses cloud services, it has to move its
data onto the cloud and provide certain privileges to the CSP for handling
the data in the cloud. This may result in misconfiguration or an attack due to
the abstraction of the CSP's cloud practices and the privileges that need to
be given to the CSP.
4. Loss of privacy: CSC's privacy may be violated due to the leakage of
private information while the CSP is processing CSC's private data or using
the private information for a purpose that the CSP and CSC haven't agreed
upon.
5. Cloud service provider lock-in: This issue arises if a CSP doesn't abide by
the standard functions or frameworks of cloud computing and hence makes
it difficult for a CSC using its services to migrate to any other CSP. The use of
non-standard functions and cloud frameworks makes the CSP non-
interoperable with other CSPs and also leaves the CSC open to security
attacks.
6. Misappropriation of intellectual property: A CSC may face this challenge
due to the possibility that a CSC's data on the cloud might leak to third
parties that are using the same CSP for their cloud services. This leakage
may violate the CSC's copyrights and may result in the disclosure of CSC's
private data.
7. Loss of software integrity: A CSC encounters this challenge because
its software runs in the cloud once it is handed to the CSP. It is
possible that the software is tampered with or otherwise affected
while it runs at the CSP and is outside the CSC's control,
resulting in the CSC losing control over its own software.
Cloud security risks and countermeasures:
 The Cloud Security Alliance lists the following as the cloud-specific security
threats:
1. Malicious insiders
2. Abuse and nefarious use of cloud computing
3. Unsecure interfaces and APIs
4. Loss or leakage of data
5. Service hijacking
Cloud security as a service
 Cloud security as a service, also known as Security as a Service (SECaaS), is a
cloud-based solution that delivers outsourced cyber security services. Fig.
3.5.3 shows elements of cloud security as a service.
 An important cloud security solution is to implement an intrusion management
system, something that many cloud security providers offer. Intrusion
management refers to the ability to identify in real time who is accessing
your network through the use of Intrusion Detection Systems (IDS)
and Intrusion Prevention Systems (IPS). Having clear information on who the
perpetrator of an attack is helps manage security threats, so these
tools are very useful in identifying and preventing cyber-attacks.
 Cloud security is focused on securing resources and workloads that are
deployed on public infrastructure; SECaaS is focused on delivering security
solutions as a service to customers.
 Cloud security alliance has identified the following SECaaS categories of
service:
a. Identity and access management
b. Web security
c. Data loss prevention
d. Encryption
e. E-mail security
f. Intrusion management
g. Network security
h. Security information and event management.
 Identity and Access Management (IAM) helps a user manage access to
compute, storage and application services in the AWS cloud. It uses
access control techniques the user is already familiar with, namely
users, groups and permissions.
 Web security is real time protection offered either on premise through
software installation or by redirecting web traffic to the cloud provider.
 Data loss prevention is the monitoring, protection and verification of the security of
data at rest, in motion and in use.
 Encryption is a pervasive service that can be provided for data at rest in the
cloud, for identity information and for client-specific information management.
 E-mail security provides control over inbound and outbound email.
 Intrusion management encompasses intrusion detection, prevention and
response.
 Network security consists of security services that allocate access to, monitor,
distribute and protect the underlying resource services.
 Security information and event management aggregates log and event data
from virtual and real networks, applications and systems.
3.5.3 loT Security
 The Internet of Things (IoT) refers to a concept of connected objects and
devices of all types over the Internet, wired or wireless. The popularity of IoT
has increased rapidly, as these technologies are
used for various purposes, including communication, transportation,
education and business development.
 IoT security covers both physical device security and network security and
impacts the processes, technologies and measures necessary to protect IoT
devices and networks.
 It spans industrial machines, smart energy grids, building automation
systems, entertainment devices and more, including devices that often weren't
designed for network security.
 IoT device security must protect systems, networks and data from a broad
spectrum of loT security attacks, which target various types of
vulnerabilities.
 Communication attacks target the data transmitted between IoT devices and
servers. Lifecycle attacks target the IoT device as it changes hands from user to
maintenance. Software attacks target the device software. Physical attacks directly
target the chip in the device.
 IoT system security functions:
1. Security patches must be applied to the microprocessor firmware from time to time.
2. Access to and usage of the public network must be monitored.
3. User authentication is necessary.
4. Only after authentication may the controller issue commands to the things
under its control in the system.
 The Internet of Things (IoT) has become a ubiquitous term to describe the
tens of billions of devices that have sensing or actuation capabilities and are
connected to each other via the Internet.
 The key requirements for any IoT security solution are:
1. Device and data security, including authentication of devices and
confidentiality and integrity of data.
2. Implementing and running security operations at IoT scale.
3. Meeting compliance requirements and requests.
4. Meeting performance requirements as per the use case.
3.5.4 Opendaylight DDoS Applications
 OpenDaylight is an open source SDN controller/framework hosted by the
Linux Foundation. Defense4All is the industry's first open SDN security
application to be integrated into OpenDaylight.
 Radware's Defense4All offers carriers and cloud providers DoS and DDOS
detection and mitigation as a native network service. Utilizing the
OpenDaylight SDN Controller that programs SDN-enabled networks to
become part of the DoS / DDoS protection service itself, Defense4All allows
operators to provision a DoS / DDoS protection service per virtual network
segment or per customer.
 Defense4All is an SDN application for detecting and mitigating DDoS attacks.
The Fig. 3.5.4 shows the positioning of Defense4All in OpenDaylight
environment.
 The application communicates with the OpenDaylight Controller through
the ODL northbound REST API. Using this REST API, Defense4All performs
the following tasks:
a) Monitoring the behavior of protected traffic: The application sets flow
entries at selected network locations to collect traffic statistics for each of
the protected networks (PNs). These statistics are aggregated from multiple
locations for a given PN.
b) Diverting attacked traffic to selected AMSs: The application sets flow
entries at selected network locations to divert traffic to selected Attack
Mitigation Systems (AMSs). When the attack is over, the
application removes these flow entries, thereby resuming normal
operation and traffic monitoring.
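The following is an added example (written for this page, not Defense4All's code) of the monitor/divert loop just described, as a per-PN detector an SDN application would run on top of the statistics it pulls through the controller: cumulative packet counters from several monitoring locations are aggregated into one rate per protected network, compared against a baseline learned while the PN is calm, and a diversion flow entry towards the AMS is produced when the rate crosses an attack threshold and withdrawn when it drops back. The thresholds, the EWMA baseline, the counter samples and the flow entry shape are assumptions/constructed data for the example.

```python
# Added example of a Defense4All-style per-PN detector (not the project's code).
# Counters, thresholds, baseline model and flow entry shape are assumed.

ATTACK_FACTOR = 4.0   # declare an attack when rate > 4x baseline
CLEAR_FACTOR = 1.5    # declare it over when rate < 1.5x baseline (hysteresis)
ALPHA = 0.2           # EWMA weight; baseline is only updated while calm


class PnDetector:
    def __init__(self, pn_prefix, ams_port, baseline_pps):
        self.pn = pn_prefix              # protected network, e.g. "10.1.0.0/16"
        self.ams_port = ams_port         # port that leads to the AMS
        self.baseline = float(baseline_pps)
        self.under_attack = False
        self.last_counts = None          # location -> cumulative packets

    def aggregate_rate(self, counts, interval_s):
        """Sum the per-interval delta of each location's cumulative counter
        and return packets/second for the PN, or None on the first sample."""
        if self.last_counts is None:
            self.last_counts = dict(counts)
            return None
        delta = 0
        for loc, total in counts.items():
            prev = self.last_counts.get(loc, total)
            delta += max(total - prev, 0)   # a reset counter contributes 0
        self.last_counts = dict(counts)
        return delta / interval_s

    def divert_flow(self):
        """Flow entry that steers the PN's inbound traffic to the AMS."""
        return {"match": {"dl_type": 0x0800, "nw_dst": self.pn},
                "actions": [{"type": "OUTPUT", "port": self.ams_port}],
                "priority": 500}

    def step(self, counts, interval_s):
        """Process one statistics sample. Returns (rate, action) where action
        is None or {"op": "add"|"delete", "flow": ...}."""
        rate = self.aggregate_rate(counts, interval_s)
        if rate is None:
            return None, None
        if not self.under_attack and rate > ATTACK_FACTOR * self.baseline:
            self.under_attack = True
            return rate, {"op": "add", "flow": self.divert_flow()}
        if self.under_attack and rate < CLEAR_FACTOR * self.baseline:
            self.under_attack = False
            return rate, {"op": "delete", "flow": self.divert_flow()}
        if not self.under_attack:
            # Learn the baseline only from calm traffic so an attacker cannot
            # raise the threshold by ramping up slowly once detected.
            self.baseline = (1 - ALPHA) * self.baseline + ALPHA * rate
        return rate, None


# Constructed cumulative counters from two monitoring locations, every 10 s.
SAMPLES = [
    {"s1": 0,     "s2": 0},
    {"s1": 500,   "s2": 500},    # 1000 pkts / 10 s = 100 pps, calm
    {"s1": 1000,  "s2": 1100},   # 110 pps, calm
    {"s1": 6000,  "s2": 4000},   # 790 pps: attack starts, divert
    {"s1": 12000, "s2": 8000},   # 1000 pps: still diverted, no new action
    {"s1": 12500, "s2": 8600},   # 110 pps: attack over, remove diversion
]


def simulate(samples=SAMPLES, interval_s=10):
    det = PnDetector("10.1.0.0/16", ams_port=7, baseline_pps=100)
    log = []
    for counts in samples:
        rate, action = det.step(counts, interval_s)
        log.append((rate, action["op"] if action else None))
    return log


if __name__ == "__main__":
    for rate, op in simulate():
        print(rate, op)
```

Two details matter in practice. Aggregating across locations before thresholding is what lets a volumetric attack spread over several ingress points be seen as one event, and the separate clear threshold prevents the diversion flow from flapping while the rate hovers around the attack threshold.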
3.6 Data Center Networking
 Data centers are facilities that house multiple servers and communication
equipment. They are designed to meet common environmental
requirements, ensure physical security, and simplify maintenance. These
specialized environments safeguard a company’s most valuable equipment
and intellectual property.
 Data centers support the following functions:
1. Processing users’ business transactions.
2. Hosting the company website.
3. Processing and storing intellectual property.
4. Maintaining financial records.
5. Routing electronic mail.
 The data center infrastructure is central to the IT architecture, from which all
content is sourced or passes through. Proper planning of the data center
infrastructure design is critical and performance, resiliency and scalability
need to be carefully considered.
 A data center uses five core elements for processing: application, database,
network, storage array, and server together with its operating system.
 The main purpose of a data center is running the applications that handle
the core business and operational data of the organization. Data centers are
the facilities that will house the equipment in order to secure, store and
exchange data.
 Data center operators face challenges when it comes to space and power,
along with the complexity of managing a large data center. This has given rise to a new
category of tools called Data Center Infrastructure Management (DCIM).
 Key management activities include:
1. Monitoring
2. Reporting
3. Provisioning
* Monitoring : It requires continuous collection of information. After
collecting information, review is taken by data center administrator. It
provides security, capacity and performance.
* Reporting: It depends upon the behavior of the resources. Reporting is
related to the performance, capacity of the data center resources.
* Provisioning: Data center requires hardware, software and other
resources to operate. Planning of these resources is required for good
utilization of components.
 Key requirements for data centers are high and flexible cross-section
bandwidth, low latency, QoS matched to the application requirements, high levels of
resilience, improved overall efficiency, etc.
3.6.1 Big Data over SDN
 Big data can be defined as very large volumes of data available from various
sources, in varying degrees of complexity, generated at different speeds
(velocities) and with varying degrees of ambiguity, which cannot be processed
using traditional technologies, processing methods, algorithms or any
commercial off-the-shelf solution.
 Big data is a term used to describe a collection of data that is huge in size
and is growing exponentially over time. In short, such data is so large and
complex that traditional data management tools are unable to store or
process it efficiently.
 The processing of big data begins with raw, unaggregated, and unorganized
data, which is often impossible to store in the memory of a single computer.
 Big data processing involves a set of techniques or programming models
used to access large-scale data and extract useful information to support
and inform decision-making. Hadoop, an open-source implementation of
MapReduce, is widely used for big data processing.
 By combining an understanding of big data computation patterns with the
dynamic capabilities of Software-Defined Networking (SDN), efficient data
center networking configurations can support the increasing demands of
big data.
 Big data is usually processed in cloud data centers. Because the resource
requirements of big data applications change dynamically in these centers,
it is important to assign and manage cloud resources efficiently to meet the
Service Level Agreements (SLAs) of different applications.
 The SLA of a big data application is an agreement between the service
provider and its users. It defines the characteristics of the provided service,
including service level objectives and the expected Quality of Service (QoS).
 Data storage forms the foundation of big data networking. SDN, as the
critical transport medium for big data, also plays a key role in enabling
effective big data networking.
 Figure 3.6.1 shows a simple hybrid electrical and optical data center
network, in which OpenFlow-enabled Top-of-Rack (ToR) switches are
connected to two aggregation switches: an Ethernet switch and an optical
switch.
 All the switches are controlled by an SDN controller that manages physical
connectivity among ToR switches over optical circuits by configuring the
optical switch. It can also manage forwarding at the ToR switches using
OpenFlow rules.
 The SDN controller is also connected to the Hadoop scheduler, which forms
queues of jobs to be scheduled, and to the HBase Master controller of a
relational database holding data for the big data applications.
 Hadoop integrates data storage, data processing, system management and
other modules to form a powerful system-level solution, which is becoming
the mainstay in handling big data challenges.
 The SDN controller is also connected to the Mesos cluster manager. Mesos is
an open source cluster management tool that provides efficient physical
resource isolation across distributed environments and applications.
 The Mesos cluster manager can handle workloads and share resources across
distributed applications and environments. It can run applications like Kafka,
Hadoop, Jenkins, Spark and many others in a dynamically shared pool of
nodes. It integrates seamlessly with Apache Spark and behaves as a kernel
for the data center.
 Key features of the Apache Mesos open source cluster manager for managing
big data infrastructure:
a) A web UI to monitor cluster state.
b) High availability and fault tolerance.
c) Linear scalability to thousands of nodes.
d) Isolation of tasks with Linux containers.
e) Multiple resource scheduling models.
f) A REST API for easy integration and application development.
g) The ability to share resources across many frameworks.
 The SDN controller accepts traffic demand requests from Mesos managers.
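The two controller jobs described for Fig. 3.6.1, reserving optical circuits between the ToR pairs with the heaviest traffic and installing OpenFlow rules at the ToRs, followed by acting on a new demand request of the kind Mesos or the Hadoop scheduler would send, as an added Python example (not the book's code or any real controller's). The rack subnets, demand figures and uplink port numbers are constructed for illustration.

```python
"""Controller logic for the hybrid electrical/optical data center network of
Fig. 3.6.1 (added example with constructed data, not the book's or any real
controller's code). The optical aggregation switch gives each ToR at most one
circuit at a time, so the controller reserves circuits for the heaviest rack
pairs and installs OpenFlow-style rules at the ToRs; every other destination
is forwarded through the Ethernet aggregation switch."""

OPTICAL_PORT = 1    # assumed ToR uplink port towards the optical switch
ETHERNET_PORT = 2   # assumed ToR uplink port towards the Ethernet switch

# Constructed rack subnets and a demand matrix (bytes/s per unordered rack
# pair), the kind of traffic demand a Hadoop scheduler or Mesos would report.
RACK_SUBNETS = {"rack1": "10.0.1.0/24", "rack2": "10.0.2.0/24",
                "rack3": "10.0.3.0/24", "rack4": "10.0.4.0/24"}
DEMANDS = {
    frozenset({"rack1", "rack2"}): 9_000_000,
    frozenset({"rack2", "rack3"}): 7_000_000,
    frozenset({"rack3", "rack4"}): 6_500_000,
    frozenset({"rack1", "rack3"}): 4_000_000,
    frozenset({"rack2", "rack4"}): 1_000_000,
}


def schedule_circuits(demands, min_rate=0):
    """Greedy maximum-weight matching: each ToR joins at most one circuit.
    Pairs below min_rate stay on the packet-switched Ethernet path."""
    busy, circuits = set(), []
    for pair, rate in sorted(demands.items(),
                             key=lambda kv: (-kv[1], sorted(kv[0]))):
        if rate < min_rate or pair & busy:
            continue
        circuits.append(pair)
        busy |= pair
    return circuits


def optical_crosspoints(circuits):
    """Optical switch configuration: bidirectional ToR-to-ToR crosspoints."""
    cfg = {}
    for pair in circuits:
        a, b = sorted(pair)
        cfg[a], cfg[b] = b, a
    return cfg


def compile_tor_rules(rack, circuits, subnets):
    """OpenFlow-style flow entries for one ToR, highest priority first:
    local rack traffic, then circuit partners, then the Ethernet default."""
    rules = [{"priority": 200, "match": {"ipv4_dst": subnets[rack]},
              "actions": ["NORMAL"]}]
    for pair in circuits:
        if rack in pair:
            (peer,) = pair - {rack}
            rules.append({"priority": 100, "match": {"ipv4_dst": subnets[peer]},
                          "actions": [f"OUTPUT:{OPTICAL_PORT}"]})
    rules.append({"priority": 0, "match": {},
                  "actions": [f"OUTPUT:{ETHERNET_PORT}"]})
    return rules


def reconfigure(old_circuits, new_demands, min_rate=0):
    """Handle a new demand request: recompute the matching and report which
    circuits to tear down and set up, leaving unchanged circuits untouched."""
    new = schedule_circuits(new_demands, min_rate)
    old_set, new_set = set(old_circuits), set(new)
    return {"teardown": sorted(sorted(p) for p in old_set - new_set),
            "setup": sorted(sorted(p) for p in new_set - old_set),
            "circuits": new}


if __name__ == "__main__":
    circuits = schedule_circuits(DEMANDS)
    print("crosspoints:", optical_crosspoints(circuits))
    for rack in RACK_SUBNETS:
        print(rack, compile_tor_rules(rack, circuits, RACK_SUBNETS))
```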
3.6.2 Cloud Networking over SDN
 Cloud Network as a Service (CloudNaaS) is a cloud networking system that
exploits OpenFlow SDN capabilities to give the cloud customer a greater
degree of control over cloud network functions.
 Fig. 3.6.2 shows the sequence of main operations in CloudNaaS.
 First, a cloud customer or tenant uses a simple policy language to specify
the network services required by the application (Fig. 3.6.2 (a)).
 Next, the network policy is translated from the high level constructs into a
canonical description of the desired network communication patterns and
network services; we refer to this as the "communication matrix" (Fig. 3.6.2
(b)).
 This represents the logical view of the resource demand of the customer. At
the end of this step, the communication matrix is used to determine the
optimal placement of the new VMs such that the cloud is able to satisfy the
largest number of global policies in an efficient manner. This is done based
on the knowledge of other customers' requirements and/or their current
levels of activity.
 This step determines whether it is possible to map the new customer's
logical requirements into the cloud's physical resources.
 We then translate the logical communication matrix along with knowledge
of the placement of VM locations into network-level directives (i.e.,
configuration commands or rules) for devices in the cloud (Fig. 3.6.2 (c)). The
customer's VM instances are deployed by creating and placing the specified
number of VMs.
 The final step is to install the configuration commands or rules into the
devices within the network (Fig. 3.6.2 (d)), thereby creating the necessary
physical communication paths that satisfy the customer's needs. In addition,
address-rewriting rules are instantiated within appropriate network
locations to ensure that applications can use custom IP addresses within the
cloud.
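The four CloudNaaS steps above carried through end to end, as an added Python example that is not the CloudNaaS authors' code: a constructed tenant policy is expanded into an instance-level communication matrix, VMs are placed on hosts, per-host directives (forwarding rules plus custom-to-cloud address rewriting) are generated, and the rules are installed into simulated device tables. The policy format, host capacities, address pools and rule fields are all assumptions made for illustration.

```python
"""CloudNaaS-style pipeline (added example with constructed data, not the
CloudNaaS authors' code). The steps follow Fig. 3.6.2: (a) tenant policy,
(b) communication matrix and VM placement, (c) network-level directives,
(d) installation into device tables. Only flows present in the matrix are
forwarded; each host's tenant table ends in a drop, so an omitted policy entry
fails closed rather than open."""
from ipaddress import ip_network

# (a) Constructed tenant policy: VM groups, permitted flows, custom addresses.
POLICY = {
    "tenant": "acme",
    "groups": {"web": 2, "db": 1},                       # group -> VM count
    "allow": [("internet", "web", 443), ("web", "db", 3306)],
    "custom_subnets": {"web": "192.168.1.0/24", "db": "192.168.2.0/24"},
}
HOSTS = {"host1": 2, "host2": 2}             # constructed: host -> free VM slots
CLOUD_POOL = ip_network("10.10.0.0/24")      # provider-assigned address pool


def vm_names(policy):
    return [f"{g}-{i}" for g, n in policy["groups"].items() for i in range(n)]


def to_comm_matrix(policy):
    """(b) Canonical communication matrix: instance-level (src, dst, port)."""
    members = {g: [f"{g}-{i}" for i in range(n)]
               for g, n in policy["groups"].items()}
    members["internet"] = ["internet"]
    return {(s, d, port) for sg, dg, port in policy["allow"]
            for s in members[sg] for d in members[dg]}


def place_vms(policy, matrix, hosts):
    """Place each VM beside a peer it talks to when that host has a free slot,
    else first-fit. Returns None when the demand cannot be mapped to hosts."""
    free, placement = dict(hosts), {}
    for vm in vm_names(policy):
        peers = {s for s, d, _ in matrix if d == vm} | {d for s, d, _ in matrix if s == vm}
        near = [placement[p] for p in peers if p in placement and free[placement[p]] > 0]
        candidates = near or [h for h, n in free.items() if n > 0]
        if not candidates:
            return None
        placement[vm] = candidates[0]
        free[candidates[0]] -= 1
    return placement


def assign_addresses(policy, placement):
    """Provider IP per VM, plus the tenant's custom IP for the same VM."""
    pool, addrs = CLOUD_POOL.hosts(), {}
    for vm in placement:
        group, idx = vm.rsplit("-", 1)
        custom = list(ip_network(policy["custom_subnets"][group]).hosts())[int(idx)]
        addrs[vm] = {"cloud": str(next(pool)), "custom": str(custom)}
    return addrs


def compile_directives(policy, matrix, placement, addrs):
    """(c) Per-host rules: table 0 rewrites custom -> cloud addresses, table 1
    forwards only matrix flows and drops everything else for this tenant."""
    tenant, out = policy["tenant"], []
    for vm, host in placement.items():
        out.append({"device": host, "tenant": tenant, "table": 0, "priority": 100,
                    "match": {"ip_dst": addrs[vm]["custom"]},
                    "action": f"set_ip_dst:{addrs[vm]['cloud']}"})
    for src, dst, port in sorted(matrix):
        src_ip = "0.0.0.0/0" if src == "internet" else addrs[src]["cloud"]
        out.append({"device": placement[dst], "tenant": tenant, "table": 1,
                    "priority": 100, "action": "forward",
                    "match": {"ip_src": src_ip, "ip_dst": addrs[dst]["cloud"],
                              "tcp_dst": port}})
    for host in sorted(set(placement.values())):
        out.append({"device": host, "tenant": tenant, "table": 1, "priority": 0,
                    "match": {}, "action": "drop"})
    return out


def install(directives):
    """(d) Push rules into (simulated) device tables, ordered for lookup."""
    tables = {}
    for d in directives:
        tables.setdefault(d["device"], []).append(d)
    for rules in tables.values():
        rules.sort(key=lambda r: (r["table"], -r["priority"]))
    return tables


def deploy(policy=POLICY, hosts=HOSTS):
    """Run the whole pipeline; raises when placement is infeasible."""
    matrix = to_comm_matrix(policy)
    placement = place_vms(policy, matrix, hosts)
    if placement is None:
        raise RuntimeError("tenant demand cannot be mapped onto available hosts")
    return install(compile_directives(policy, matrix, placement,
                                      assign_addresses(policy, placement)))
```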
 Fig. 3.6.3 shows CloudNaaS architecture.
 The CloudNaaS architecture consists of two primary communicating
components, namely the cloud controller and the network controller. The
cloud controller manages both the virtual resources and the physical hosts
and supports APIs for setting network policies.
 The network controller is responsible for monitoring and managing the
configuration of network devices as well as for deciding placement of VMs
within the cloud.

More Related Content

PPTX
Foundation of Modern Network- william stalling
PPTX
An overview of SDN & Openflow
PPTX
FIOT_Uni4.pptx
PPTX
lect1_intro_SDN introductionpptnew1.pptx
PPTX
Sdn Networking
PDF
Sdn&security
DOCX
Software Defined Networking Attacks and Countermeasures .docx
PPTX
Software defined networking
Foundation of Modern Network- william stalling
An overview of SDN & Openflow
FIOT_Uni4.pptx
lect1_intro_SDN introductionpptnew1.pptx
Sdn Networking
Sdn&security
Software Defined Networking Attacks and Countermeasures .docx
Software defined networking

Similar to software defined networks unit 2software defined networks unit 2software defined networks unit 2.docx (20)

PPTX
Software-Defined Networking Layers presentation
PDF
Security sdn
PPTX
SDN & NFV.pptx
PPTX
Network programmability: an Overview
PDF
IRJET- SDN Simulation in Mininet to Provide Security Via Firewall
PPTX
Software-Defined Networking(SDN):A New Approach to Networking
PDF
Security of software defined networks: evolution and challenges
PPTX
Lqsqsssssssssssssssssssssssssssssssssssq18.pptx
PPTX
PDF
Report-SDN
PPTX
Lect12-13_MS_Networks.pptx
PPTX
TE581-Software Defined Networking-2019aaaaaaaaaaaaaaaa.pptx
PPTX
btNOG 9 presentation Introduction to Software Defined Networking
PPT
Software defined networking
PDF
SDN Security Talk - (ISC)2_3
PPTX
sdnppt-140325015756-phpapp01.pptx
PPTX
Software Defined Networking(SDN) and practical implementation_trupti
PPTX
Sdn not just a buzzword
PDF
Light Reading BTE_SDNtoolbox_June_2015
PPTX
Software Defined networking (SDN)
Software-Defined Networking Layers presentation
Security sdn
SDN & NFV.pptx
Network programmability: an Overview
IRJET- SDN Simulation in Mininet to Provide Security Via Firewall
Software-Defined Networking(SDN):A New Approach to Networking
Security of software defined networks: evolution and challenges
Lqsqsssssssssssssssssssssssssssssssssssq18.pptx
Report-SDN
Lect12-13_MS_Networks.pptx
TE581-Software Defined Networking-2019aaaaaaaaaaaaaaaa.pptx
btNOG 9 presentation Introduction to Software Defined Networking
Software defined networking
SDN Security Talk - (ISC)2_3
sdnppt-140325015756-phpapp01.pptx
Software Defined Networking(SDN) and practical implementation_trupti
Sdn not just a buzzword
Light Reading BTE_SDNtoolbox_June_2015
Software Defined networking (SDN)
Ad

Recently uploaded (20)

PPTX
202450812 BayCHI UCSC-SV 20250812 v17.pptx
PDF
Trump Administration's workforce development strategy
PDF
O7-L3 Supply Chain Operations - ICLT Program
PDF
Chinmaya Tiranga quiz Grand Finale.pdf
PPTX
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
PDF
Abdominal Access Techniques with Prof. Dr. R K Mishra
PPTX
Tissue processing ( HISTOPATHOLOGICAL TECHNIQUE
PDF
Weekly quiz Compilation Jan -July 25.pdf
PPTX
Cell Structure & Organelles in detailed.
PDF
VCE English Exam - Section C Student Revision Booklet
PPTX
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
PDF
A GUIDE TO GENETICS FOR UNDERGRADUATE MEDICAL STUDENTS
PDF
FourierSeries-QuestionsWithAnswers(Part-A).pdf
DOC
Soft-furnishing-By-Architect-A.F.M.Mohiuddin-Akhand.doc
PDF
Classroom Observation Tools for Teachers
PPTX
Lesson notes of climatology university.
PDF
OBE - B.A.(HON'S) IN INTERIOR ARCHITECTURE -Ar.MOHIUDDIN.pdf
PDF
Microbial disease of the cardiovascular and lymphatic systems
PPTX
GDM (1) (1).pptx small presentation for students
PDF
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
202450812 BayCHI UCSC-SV 20250812 v17.pptx
Trump Administration's workforce development strategy
O7-L3 Supply Chain Operations - ICLT Program
Chinmaya Tiranga quiz Grand Finale.pdf
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
Abdominal Access Techniques with Prof. Dr. R K Mishra
Tissue processing ( HISTOPATHOLOGICAL TECHNIQUE
Weekly quiz Compilation Jan -July 25.pdf
Cell Structure & Organelles in detailed.
VCE English Exam - Section C Student Revision Booklet
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
A GUIDE TO GENETICS FOR UNDERGRADUATE MEDICAL STUDENTS
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Soft-furnishing-By-Architect-A.F.M.Mohiuddin-Akhand.doc
Classroom Observation Tools for Teachers
Lesson notes of climatology university.
OBE - B.A.(HON'S) IN INTERIOR ARCHITECTURE -Ar.MOHIUDDIN.pdf
Microbial disease of the cardiovascular and lymphatic systems
GDM (1) (1).pptx small presentation for students
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
Ad

software defined networks unit 2software defined networks unit 2software defined networks unit 2.docx

  • 1. 3.1 SDN Application Plane Architecture  SDN application plane contains applications and services that define, monitor, and control network resources and behavior. These applications communicate with the SDN control plane by using application control interface.  The programming of an SDN application makes use of the abstracted view of network resources provided by the SDN control layer by means of information and data models exposed via the application control interface.  Fig. 3.1.1 shows SDN application plane functions and interfaces. Northbound interface
  • 2.  It provides abstract view of network resources controlled by the software in the SDN control plane. The Northbound API makes the information built from the SDN controller available for applications.  Northbound Interface enables applications to access control plane functions and services without needing to know the details of the underlying network switches. Fig. 3.1 shows northbound interface function.  Northbound interface can be local or remote interface. For local interface, the SDN applications are running on the same server. Remote interface is a protocol or API that connects the applications to the controller network operating system running on central server.  Northbound API which presents a network abstraction interface to the applications and the management systems at the top of the SDN stack. A northbound API is one that puts applications in control of the network.  SDN applications run above the SDN controller. It interfaces to the network via the controller's northbound API. SDN applications are responsible for managing the flow entries. They are programmed on the network devices using the controller’s API to manage flows.
  • 3.  By using this API, the application can perform: 1. Configure the flows to route packets through the best path between two endpoints; 2. Balance traffic loads across multiple paths or destined to a set of endpoints; 3. React to changes in the network topology such as link failures and the addition of new devices and paths; 4. Redirect traffic for purposes of inspection, authentication, segregation and similar security-related tasks.  Application Programming Interfaces (API) that resides in between the controller and the application layer in SDN is known as the Northbound API.  Northbound API presents a network abstraction interface to the applications and the management systems at the top of the SDN stack. Northbound API implemented by SDN controllers can be regarded as a network abstraction interface to applications, easing network programmability, simplifying control and management tasks and allowing for innovation.  In contrast to the Southbound API, the Northbound API is not supported by an accepted standard.  The northbound interface connects SDN applications to the controller. An application can request information, such as statistics and incoming connections from the controller. An application can also send commands to the controller, in order to control the network, such as added or removed flow rules.  Example of Northbound Interface: REST API for the Ryu SDN network operating system. Network services abstraction layer
  • 4.  The Network Services Abstraction Layer (NSAL) provides access from services of the control, management and application planes to other services and applications.  Functional concept are as follows: a. This layer provides abstract view of network resources that hides the details of the underlying data plane devices. b. It also provides generalized view of control plane functionality. c. This layer provide a network virtualization capability Network applications  Various applications are as follows: a. Data center networking b. Mobility and wireless c. Traffic engineering d. Measurement and monitoring e. Information centric networking f. Security and dependability User interface  User interface enables a user to configure parameters in SDN applications and to interact with applications that support user interaction. 3.2 Network Services Abstraction Layer  Abstraction is used to hide background details or any unnecessary implementation about the data so that users only see the required information.  Abstraction layer is a mechanism that translates high level request into the low level commands required to perform the request. 3.2.1 SDN Abstraction
  • 5.  SDN support three types of abstractions: forwarding, distribution and specification.  Fig. 3.2.1 shows SDN architecture and abstraction.
  • 7. 1. Forwarding abstraction:  Allows control program to specify data plane forwarding behavior.  Supports the data plane forwarding function.  Example: OpenFlow API 2. Distribution abstraction:  This abstraction arises in the context of distributed controller.  Distributed controller maintains a state description of the network and routes through the networks.  Aim is to hide complex distributed mechanism and separating state management from protocol designs and implementation.  Using API, it provides a single coherent global view of the network.  This type of abstraction is implemented in NOS, Ryu and OpenDaylight. 3. Specification abstraction:  It provides abstract view of global network. This view provides enough details for the application to specify goals.  Forwarding interface: An abstract forwarding model that shields higher layers from forwarding hardware.  Distribution interface: Global network view that shields higher layers from state collection.  Specification interface: An abstract network view that shields application program from details of physical network. 3.2.2 Frenetic  Frenetic is a domain-specific language for programming OpenFlow networks. Frenetic is designed to solve major OpenFlow / NOX programming problems.
  • 8.  It introduces a set of purely functional abstractions that enable modular program development, defines high-level, programmer centric, packet processing operators and eliminates many of the difficulties of the two-tier programming model. Fig. 3.2.2 shows frenetic architecture.  It is embedded in Python and comprises of two levels of abstraction. They are : a) A limited, but high-level and declarative network query language. The query language provides means for reading the state of the network, merging different queries and expressing high level predicates for classifying, filtering, transforming, and aggregating the packets' streams traversing the network. b) A general-purpose, functional and reactive network policy management library. This library allows reasoning about a unified architecture based on the “see every packet” abstraction of Frenetic and describes network programs without the burden of low-level
  • 9. details. To govern packet forwarding, the functional and reactive based policy management library offers high level packet processing operators that manipulate packets as discrete streams only.  The frenetic implementation has several distinct components: 1. OpenFlowLib: Provides datatypes, parsers and serializers for OpenFlow, the most popular SDN framework. This library makes heavy use of the cstruct package, which provides constructs for manipulating C-style structures in OCaml and greatly simplifies the task of writing binary parsers and serializers. 2. PacketLib: Provides datatypes, parsers and serializers for Ethernet, IP, ARP, TCP and UDP packets. This library also relies heavily on the cstruct package. 3. NetCoreLib: Implements the Frenetic policy language. It defines the abstract syntax, as well as a compiler and run-time system that implements this language using the lower-level interface provided by OpenFlowLib. 4. Main: Provides a number of additional features including natural surface syntax, support for dynamic and stateful policies using Lwt and integrated testing and debugging facilities. 3.3 Traffic Engineering  Traffic engineering is the process of routing data traffic to balance the traffic load on the various links, routers and switches in the network and is most applicable in networks where multiple parallel or alternate paths are available.
  • 10.  Traffic engineering involves establishing routing and forwarding policies based on QoS requirements. Traffic Engineering in SDN involves the analysis of the network's state by the SDN controller to act on flow data through the rapid change in flow table information for forwarding devices.  Reasons to deploy traffic engineering include the following: a) Congestion in the network due to changing traffic patterns. b) Election news, online trading or major sports events. c) Better utilization of available bandwidth. d) Route on the path that is not the shortest. e) Route around failed links / nodes; fast rerouting around failures, transparently to users like SONET Automatic Protection Switching (APS). f) Building of new services i.e. virtual leased-line services. g) VoIP Toll-Bypass applications, point-to-point bandwidth guarantees. h) Capacity planning traffic engineering improves aggregate availability of the network. 3.3.1 PolicyCop  Network management systems are being continuously challenged to satisfy application QoS requirements. Policy based management can tackle these challenges. Policy based management can be coupled together with SDN to provide autonomic policy based management.  PolicyCop also monitors the network and autonomically readjusts network parameters to meet customer Service Level Agreement (SLA).  PolicyCop is an autonomic QoS policy enforcement framework for software defined networks. It takes benefits of SDN and OpenFlow for: a) Dynamic traffic steering b) Flexible flow level control c) Dynamic traffic classes d) Custom flow aggregation levels.  Fig. 3.3.1 shows PolicyCop architecture.
  • 11. 1.Control plane  It uses the following modules and database for storing control rules: a) Admission control: Accepts or rejects requests from the resource provisioning module for reserving network resources such as queues, flow table entries etc. b) Routing: Find path availability based on the control rules in the rule database. c) Device tracker: Tracks the up/down status of network switches and their port. d) Rule database: The application plane translates high level network wide policies to control rules and stores them in the rule database.  RESTful northbound interface connects these control plane modules to the application plane modules. It is organized into two components: policy validator and policy enforcer.  Policy validator monitors the network to detect policy violations. Policy enforcer adapts control plane rules based on network conditions and high level policies.
  • 12.  Policy database used by policy validator and policy enforcer. Policy database contains QoS policy rules which is entered by a network manager.  Policy validator uses event handler, policy checker and traffic monitor modules. The policy validator component periodically collects network traffic data and detects policy violations. In case of a violation, it forwards an action request to either the autonomic policy adaptation module or the network manager based on the violation type.  Policy enforcer uses topology manager, resource manager, policy adaptation and resource provisioning modules. The objective of this component is to re- provision network resources to adhere to the network-wide policies once the policy validator component detects a policy violation.  PolicyCop requires four control applications and a database for storing control rules, These components are as follows: 1. Admission control: This application receives resource provisioning requests from the management plane and decides whether to accept or reject the request. It uses the SDN controller's NB-API to provision the requested resources in network devices The NB-API can be used to reserve network resources like queues, flow-table entries, bandwidth, etc. If the network devices have adequate resources then the resources are provisioned and the application accepts the request from the management plane, otherwise the request is rejected.
  • 13. 2. Routing: The routing application determines path availability. It calculates route(s) based on the control rules in Rule database. Suitability of a route to serve a request is determined by network topology and a collection of performance metrics like latency, throughput, error-rate, jitter and redundancy. The management plane collects these data using the Statistics Collector and Device Tracker applications. 3. Device tracker: This application tracks the up/down status of network switches and their ports by listening to the asynchronous status messages exchanged between the OpenFlow controller and switches. The data collected by this application helps the management plan to maintain a global view of the network. 4. Statistics collector: This application uses a mix of passive and active monitoring techniques to measure different network metrics, like bandwidth usage, residual capacity and number of dropped packets, at different aggregation levels, e.g., per flow, per switch port/link, per user, etc. It also measures per flow latency, error rate and jitter by inserting packet probes in the network. 5. Rule DB: The management plane translates high level network-wide policies tc control rules and stores them in the rule DB. The controller and other control applications (e.g., routing) use these rules to compute the flow table entries for each switch. Process workflow in PolicyCop:  Fig. 3.3.2 shows process workflow in PolicyCop.  The traffic monitoring module collects network statistics through the statistics collector application in the control plane. This data is used by the policy checker module to detect policy violations. If no violation is detected then the policy validator just keeps monitoring the network without taking any action. If a violation is detected then the event is forward to the event handler module.
  • 14.  The event handler examines the violation event and forwards it either to the network manager or to the policy adaptation module. If the event requires manual intervention, then the network manager chooses appropriate actions based on the event, its corresponding data and current network condition.  On the other hand, if the event can be handled by the autonomic handler in the policy adaptation module, the violation event is directly forwarded to the policy adaptation module. This module determines the appropriate action based on the event type, current network topology, resource allocation, traffic condition and informs the resource provisioning module to reallocate network resources.  The resource provisioning module makes the appropriate changes in the network devices to enforce the contracted policy.
  • 15. 3.4 Measurement and Monitoring  Measurement and monitoring application are divided into two class: a) Applications that provide new functionality for other networking services. b) Applications that add value to OpenFlow based SDNS.  Example of first type is in the area of broadband home connections. For example, new functions can be added easily to measurement systems such as BISmark in an SDN based broadband connection, which enables the system to respond to change in network conditions.  A second class of these applications aim to improve the existing features of SDNs using OpenFlow such as reducing the load on the control plane arising from collection of dat plane statistics using various sampling and estimation techniques. OpenSketch is southbound API that offers flexibility for network measurements. OpenSample an PayLess are examples of monitoring frameworks. 3.5 Security  One of the more common SDN security concerns include attack. architecture layers. The typical deployment consists of a lower layer of SDN-capau network devices, a middle layer of SDN controller(s) and a higher layer that includes th applications and services that request or configure the SDN. 1. SDN threats * Fig. 3.5.1 shows SDN security attack surface.
  • 16.  Threat can occur at any of three layer or in the communication between layers. Data plane  Risk with data plane is southbound API, such as OpenFlow and Open VSwitch Database Management Protocol (OVSDB). This API is a powerful tool for managing the data plane network elements and increases the attack surface of the network infrastructure.  The forwarding nodes rely mainly on the controller for taking the decision how to forward flows, but they have the fast-forwarding capabilities. OpenFlow acts as one of the Southbound protocols used by the controller to communicate with the forwarding plane. At the forwarding plane, flow tables forward already known traffic; for new flows, the forwarding devices have to consult the controller to make the routing decisions.  One way to enhance security is the use of Transport Layer Security (TLS). Fig. 3.5.2 shows role of TLS in the TCP IP architecture.
  • 17.  TLS provides three categories of security: a) Confidentiality: All data that pass between two applications are encrypted so that they cannot be eavesdropped. b) Integrity: TLS ensure that the message is not altered for route. c) Authentication: TLS can validate the identity of one or both partners to the exchange using public key certificate.  TLS consists of two phases: handshake and data transfer.  During handshake, two sides perform an authentication function and establish an encryption key to be used for data transfer. During data transfer, two sides use the encryption key to encrypt all transmitted data. Control plane  If an attacker can successfully penetrate controller, the attacker can gain a considerable measure of control over the entire network. Protection of controller involves following techniques: a) Prevention against Distributed Denial of Service (DDoS) attacks. b) Access control methods like role based access control and attribute based acces control may be used.
  • 18. c) Use antivirus techniques. d) Use firewall, Intrusion Detection System (IDS) and Intrusion Prevention System (IPS). Application plane  Northbound API and protocol present a likely target for attackers. A successful attack here could allow the attacker to gain control of the networking infrastructure.  SDN security focus on preventing unauthorized users and applications from exploiting the controller. 3.5.1 NFV Security  NFV is an innovative way to deliver network services, which involves decouplin software from hardware. SDN balances NFV by providing a platform to implement chain of Virtualized Network Services (VNS). Both NFV and SDN can be used to make security processes and controls easier.  With NFV and SDN, encryption software can be launched on a switch within the network rather on a hardware appliance. This feature would be particularly beneficial data centers, where reports of data security breaches seemingly make news headline every month.  Security needs to address multiple levels and domains and their interaction, including following: a) NFV infrastructure: This is domain of underlying network, compute and storag system. b) VNF: These are network function running on NFVI virtual machine. c) MANO and OSS/BSS: Users employ the NFV management and orchestration facility as well as OSS/BSS facilities to manage the network. d) Management interface: Critical interface between major domains of an NFV deployment. 3.5.2 Cloud Security
  • 19.  Cloud security is the protection of data stored online via cloud computing platforms from theft, leakage and detection. Methods of providing cloud security include firewalls, penetration testing, tokenization, Virtual Private Networks (VPN) and avoiding public internet connections.  Cloud security refers to an array of policies, technological procedures, services and solutions designed to support safe functionality when building, deploying and managing cloud-based applications and associated data.  Cloud security is designed to protect the following, regardless of your responsibilities: a) Physical networks - Routers, electrical power, cabling, climate controls, etc. b) Data storage - Hard drives, etc. c) Data servers - Core network computing hardware and software. d) Computer virtualization frameworks - Virtual machine software, host machines and guest machines. e) Operating Systems (OS) - Software that houses. f) Middleware - Application Programming Interface (API) management. g) Runtime environments - Execution and upkeep of a running program. h) Data - All the information stored, modified and accessed. i) Applications - Traditional software services (email, tax software, productivity suites, etc.) j) End-user hardware - Computers, mobile devices, Internet of Thing (IoT) devices, etc.  Cloud computing security addresses both physical and logical security issues across all the different service models of software, platform and infrastructure. It also addresses how these services are delivered in the public, private, hybrid and community delivery models.  Secure cloud computing architecture encompasses three core capabilities : Confidentiality, Integrity and Availability.
1. Confidentiality is the ability to keep information secret and unreadable to the people who should not have access to it.
2. Integrity is the assurance that systems and applications are exactly what you expect them to be and function exactly as you expect them to function.
3. Availability is the property that Denial-of-Service (DoS) attacks target. An attacker may be unable to see or change your data, but if the attacker can make systems unavailable to you or your customers, you cannot carry out the tasks that are essential to your business.
• Security challenges for a cloud service customer (CSC) using a cloud service provider (CSP):
1. Ambiguity in responsibility: a CSC uses services based on different service categories as well as different deployment models. If the responsibilities are not clearly defined in any of these cases, the result may be inconsistency or an open gate for attacks.
2. Loss of trust: because the security implementation details are abstracted away between a CSC and a CSP, it is difficult for a CSC to obtain details of the security mechanisms the CSP has implemented to keep the cloud data secure.
3. Loss of governance: when the CSC uses cloud services, it has to move its data onto the cloud and grant the CSP certain privileges for handling that data. This may result in misconfiguration or in an attack, because the CSP's cloud practices are abstracted from the CSC and the privileges must nevertheless be given to the CSP.
4. Loss of privacy: the CSC's privacy may be violated by leakage of private information while the CSP is processing the CSC's private data, or by the CSP using the private information for a purpose that the CSP and CSC have not agreed upon.
5. Cloud service provider lock-in: this issue arises if a CSP does not abide by the standard functions or frameworks of cloud computing and hence makes it difficult for a CSC using its services to migrate to any other CSP. The use of
non-standard functions and cloud frameworks makes the CSP non-interoperable with other CSPs and also leaves the CSC open to security attacks.
6. Misappropriation of intellectual property: a CSC's data on the cloud might leak to third parties that use the same CSP for their cloud services. Such leakage may violate the CSC's copyrights and may disclose the CSC's private data.
7. Loss of software integrity: once the CSC hands its software to the CSP, the software runs in the cloud outside the CSC's control. It might be tampered with or otherwise affected while running at the CSP, so the CSC loses assurance over its own software.

Cloud security risks and countermeasures:
• The Cloud Security Alliance lists the following as cloud-specific security threats:
1. Malicious insiders
2. Abuse and nefarious use of cloud computing
3. Insecure interfaces and APIs
4. Data loss or leakage
5. Account or service hijacking

Cloud security as a service
• Cloud security as a service, also known as Security as a Service (SECaaS), is a cloud-based solution that delivers outsourced cyber security services. Fig. 3.5.3 shows the elements of cloud security as a service.
• An important cloud security solution is an intrusion management system, which many cloud security providers offer. Intrusion management is the ability to identify in real time who is accessing your network, using Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). Clear information about who is attacking a system helps manage security threats, so these tools are very useful in identifying and preventing cyber attacks.
• Cloud security is focused on securing resources and workloads deployed on public infrastructure; SECaaS is focused on delivering security solutions as a service to customers.
• The Cloud Security Alliance has identified the following SECaaS categories of service:
a. Identity and access management
b. Web security
c. Data loss prevention
d. Encryption
e. E-mail security
f. Intrusion management
g. Network security
h. Security information and event management
• Identity and Access Management (IAM) lets a customer manage who may access compute, storage and application services in the AWS cloud. It uses the access control concepts users are already familiar with: users, groups and permissions.
• Web security is real-time protection offered either on premises through software installation or by redirecting web traffic to the cloud provider.
• Data loss prevention is the monitoring, protection and verification of the security of data at rest, in motion and in use.
• Encryption is a pervasive service that can be provided for data at rest in the cloud, for identity information and for client-specific information management.
• E-mail security provides control over inbound and outbound e-mail.
• Intrusion management encompasses intrusion detection, prevention and response.
• Network security consists of security services that allocate access to, monitor, distribute and protect the underlying resource services.
• Security information and event management aggregates log and event data from virtual and real networks, applications and systems.

3.5.3 IoT Security
• The Internet of Things (IoT) refers to the concept of connecting objects and devices of all types over the Internet, wired or wireless. The popularity of IoT has increased rapidly, as these technologies are used for various purposes, including communication, transportation, education and business development.
• IoT security covers both physical device security and network security, and it encompasses the processes, technologies and measures necessary to protect IoT devices and networks.
• It spans industrial machines, smart energy grids, building automation systems, entertainment devices and more, including devices that often were not designed for network security.
• IoT device security must protect systems, networks and data from a broad spectrum of IoT security attacks, which target various types of vulnerabilities: communication attacks on the data transmitted between IoT devices and servers; lifecycle attacks on the IoT device as it changes hands from user to maintenance; attacks on the device software; and physical attacks, which directly target the chip in the device.
• IoT system security functions:
1. Security patches must be applied to the device's microprocessor firmware from time to time.
2. Monitor access to and usage of the public network.
3. User authentication is necessary.
4. Only after authentication can the controller direct commands to the things controlled by the system.
• The Internet of Things (IoT) has become a ubiquitous term to describe the tens of billions of devices that have sensing or actuation capabilities and are connected to each other via the Internet.
• The key requirements for any IoT security solution are:
1. Device and data security, including authentication of devices and confidentiality and integrity of data.
2. Implementing and running security operations at IoT scale.
3. Meeting compliance requirements and requests.
4. Meeting performance requirements as per the use case.

3.5.4 OpenDaylight DDoS Applications
• OpenDaylight (ODL) is an open source SDN controller/framework hosted by the Linux Foundation. Defense4All is the industry's first open SDN security application to be integrated into OpenDaylight.
• Radware's Defense4All offers carriers and cloud providers DoS and DDoS detection and mitigation as a native network service. Using the OpenDaylight SDN controller to program SDN-enabled networks so that they become part of the DoS/DDoS protection service itself, Defense4All allows
operators to provision a DoS/DDoS protection service per virtual network segment or per customer.
• Defense4All is an SDN application for detecting and mitigating DDoS attacks. Fig. 3.5.4 shows the positioning of Defense4All in the OpenDaylight environment.
• The application communicates with the OpenDaylight controller through the ODL northbound REST API. Using this REST API, Defense4All performs the following tasks:
a) Monitoring the behavior of protected traffic - the application sets flow entries at selected network locations to collect traffic statistics for each Protected Network (PN); these statistics are aggregated from multiple locations for a given PN.
b) Detecting attacks - the application analyzes the aggregated statistics to decide whether a PN is under a DoS/DDoS attack.
c) Diverting attacked traffic to selected AMSS - the application sets flow entries at selected network locations to divert traffic to selected Attack Mitigation Security Systems (AMSS). When the attack is over, the application removes these flow entries, thereby resuming normal operation and traffic monitoring.
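The monitor, detect and divert cycle described above, as an added example that is not Radware's Defense4All code or part of OpenDaylight. It keeps the three tasks separate: counting flow entries per PN, protocol and location; aggregation of the per-switch counters and comparison against a baseline learned from quiet intervals; and higher-priority diversion flows to an attack mitigation system (AMS) that are deleted again once traffic has been quiet for a few intervals. The switch identifiers, AMS ports, address prefix, threshold parameters, traffic numbers and the flow dictionary schema are all assumptions of the example; a real deployment would serialize such entries into the controller's northbound REST body.

```python
"""Defense4All-style DDoS monitor/divert loop (added example, not Radware's or
OpenDaylight's code). Each polling interval the controller hands back per-switch
counters for each protected network (PN); the loop aggregates them per PN,
compares the result with a baseline learned from quiet intervals, and emits
OpenFlow-like flow entries that steer attacked traffic to an attack mitigation
system (AMS) until the attack subsides. Switch ids, ports, prefixes, thresholds
and the flow dictionary schema are assumptions of this example."""
from dataclasses import dataclass, field
from statistics import mean, pstdev

IP_PROTO = {"tcp": 6, "udp": 17, "icmp": 1}


@dataclass(frozen=True)
class ProtectedNetwork:
    name: str
    prefix: str       # destination prefix that defines the PN
    locations: tuple  # (switch_id, ams_port): where to count and where to divert


def aggregate(samples):
    """Sum per-location packet rates into one rate per (pn, protocol)."""
    totals = {}
    for pn, _switch, proto, pps in samples:
        totals[(pn, proto)] = totals.get((pn, proto), 0) + pps
    return totals


@dataclass
class Detector:
    pns: dict                   # name -> ProtectedNetwork
    learn_intervals: int = 5    # sliding window of quiet intervals that forms the baseline
    sigma: float = 3.0          # tolerated deviation above the baseline mean
    floor: int = 1000           # packets/s below which nothing counts as an attack
    quiet_to_clear: int = 2     # consecutive quiet intervals before a diversion is removed
    history: dict = field(default_factory=dict)       # (pn, proto) -> recent quiet rates
    under_attack: dict = field(default_factory=dict)  # (pn, proto) -> quiet intervals seen

    def _flow(self, pn, proto, switch, priority, actions, op="add"):
        return {"op": op, "switch": switch, "priority": priority,
                "match": {"ipv4_dst": pn.prefix, "ip_proto": IP_PROTO[proto]},
                "actions": actions}

    def monitoring_flows(self):
        """Task a): one counting flow per PN, protocol and location; forwarding is
        left to the switch's normal pipeline (OFPP_NORMAL)."""
        return [self._flow(pn, proto, switch, 100, ["NORMAL"])
                for pn in self.pns.values()
                for switch, _port in pn.locations
                for proto in IP_PROTO]

    def diversion_flows(self, key, op):
        """Task c): higher-priority flows that send the attacked protocol's traffic
        for this PN to the AMS port at every monitored location."""
        pn = self.pns[key[0]]
        return [self._flow(pn, key[1], switch, 200, [{"output": port}], op)
                for switch, port in pn.locations]

    def process_interval(self, samples):
        """Task b) plus the start/end of task c): consume one interval of samples
        and return the flow changes to push through the northbound API."""
        changes = []
        for key, rate in aggregate(samples).items():
            hist = self.history.setdefault(key, [])
            if len(hist) >= self.learn_intervals:      # baseline learned, start judging
                threshold = max(self.floor, mean(hist) + self.sigma * pstdev(hist))
                if key not in self.under_attack and rate > threshold:
                    self.under_attack[key] = 0
                    changes += self.diversion_flows(key, "add")
                elif key in self.under_attack:
                    if rate > threshold:
                        self.under_attack[key] = 0      # still being attacked
                    else:
                        self.under_attack[key] += 1
                        if self.under_attack[key] >= self.quiet_to_clear:
                            del self.under_attack[key]  # attack over: resume normal operation
                            changes += self.diversion_flows(key, "delete")
            if key not in self.under_attack:            # only quiet traffic trains the baseline
                hist.append(rate)
                del hist[:-self.learn_intervals]
        return changes


def run_scenario():
    """Constructed traffic (not measured data): five quiet intervals, a three-interval
    TCP flood against the 'web' PN seen at two switches, then two quiet intervals."""
    web = ProtectedNetwork("web", "203.0.113.0/24", (("openflow:1", 5), ("openflow:2", 7)))
    detector = Detector({"web": web})
    quiet = [("web", "openflow:1", "tcp", 400), ("web", "openflow:2", "tcp", 500),
             ("web", "openflow:1", "udp", 30), ("web", "openflow:2", "udp", 20)]
    flood = [("web", "openflow:1", "tcp", 50_000), ("web", "openflow:2", "tcp", 70_000),
             ("web", "openflow:1", "udp", 30), ("web", "openflow:2", "udp", 20)]
    timeline = [quiet] * 5 + [flood] * 3 + [quiet] * 2
    return detector, [detector.process_interval(s) for s in timeline]


if __name__ == "__main__":
    det, changes = run_scenario()
    for t, batch in enumerate(changes):
        for f in batch:
            print(f"t={t} {f['op']:6} {f['switch']} proto={f['match']['ip_proto']} -> {f['actions']}")
```

Two design points worth noting. The baseline is updated only from intervals that were not judged to be an attack, so a sustained flood cannot train itself into the baseline; and the absolute floor stops a nearly idle PN from alarming on jitter, since mean plus three standard deviations of a tiny rate is still tiny. The diversion is removed only after several quiet intervals, which prevents the flow entries from flapping when an attacker pauses briefly.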
3.6 Data Center Networking
• Data centers are facilities that house multiple servers and communication equipment. They are designed to meet common environmental requirements, ensure physical security and simplify maintenance. These specialized environments safeguard a company's most valuable equipment and intellectual property.
• Data centers support the following functions:
1. Processing users' business transactions.
2. Hosting the company website.
3. Processing and storing intellectual property.
4. Maintaining financial records.
5. Routing electronic mail.
• The data center infrastructure is central to the IT architecture: all content is sourced from it or passes through it. Proper planning of the data center infrastructure design is critical, and performance, resiliency and scalability need to be carefully considered.
• A data center is built from the following core elements: application, database, operating system and server (the compute host), network and storage array.
• The main purpose of a data center is running the applications that handle the core business and operational data of the organization. Data centers are the facilities that house the equipment needed to secure, store and exchange data.
• Data center operators face challenges with space and power along with the complexity of managing a large data center. This has given rise to a new category of tools called Data Center Infrastructure Management (DCIM).
• Key management activities include:
1. Monitoring
2. Reporting
3. Provisioning
* Monitoring: requires continuous collection of information, which the data center administrator then reviews. It supports security, capacity and performance management.
* Reporting: depends on the behavior of the resources; reports cover the performance and capacity of the data center resources.
* Provisioning: a data center requires hardware, software and other resources to operate, and these resources must be planned for good utilization of components.
• Key requirements for data center networks are high and flexible cross-section bandwidth, low latency, QoS matched to application requirements, high levels of resilience and improved overall efficiency.

3.6.1 Big Data over SDN
• Big data can be defined as very large volumes of data available from various sources, in varying degrees of complexity, generated at different speeds (velocities) and with varying degrees of ambiguity, which cannot be processed using traditional technologies, processing methods, algorithms or any commercial off-the-shelf solution.
• Big data is a term used to describe a collection of data that is huge in size and grows exponentially over time. In short, such data is so large and complex that traditional data management tools cannot store or process it efficiently.
• The processing of big data begins with raw, unaggregated and unorganized data, which often cannot fit in the memory of a single computer.
• Big data processing involves a set of techniques or programming models used to access large-scale data and extract useful information to support and inform decision-making. Hadoop, an open-source implementation of MapReduce, is widely used for big data processing.
• By combining an understanding of big data computation patterns with the dynamic capabilities of Software-Defined Networking (SDN), data center networking configurations can be adapted efficiently to support the increasing demands of big data.
• Big data is usually processed in cloud data centers. Because the resource requirements of big data applications change dynamically in these centers, cloud resources must be assigned and managed efficiently to meet the Service Level Agreements (SLAs) of the different applications.
• The SLA of a big data application is an agreement between the service provider and its users. It defines the characteristics of the provided service, including service level objectives and the expected Quality of Service (QoS).
• Data storage forms the foundation of big data networking. SDN, as the critical transport medium for big data, also plays a key role in enabling effective big data networking.
• Fig. 3.6.1 shows a simple hybrid electrical and optical data center network, in which OpenFlow-enabled Top-of-Rack (ToR) switches are connected to two aggregation switches: an Ethernet switch and an optical switch.
• All the switches are controlled by an SDN controller that manages physical connectivity among the ToR switches over optical circuits by configuring the optical switch. It also manages forwarding at the ToR switches using OpenFlow rules.
• The SDN controller is also connected to the Hadoop scheduler, which forms queues of jobs to be scheduled, and to the HBase Master, which coordinates the HBase distributed (non-relational, column-oriented) store holding the data for the big data applications.
• Hadoop integrates data storage, data processing, system management and other modules to form a powerful system-level solution, which is becoming the mainstay in handling big data challenges.
• The SDN controller is also connected to the Mesos cluster manager. Mesos is an open source cluster management tool that provides efficient physical resource isolation across distributed environments or applications.
• The Mesos cluster manager can handle workloads and share resources across distributed applications and environments. It can run applications such as Kafka, Hadoop, Jenkins, Spark and many others in a dynamically shared pool of nodes. It integrates seamlessly with Apache Spark and behaves as a kernel for the data center.
• Key features of the Apache Mesos open source cluster management tool for managing big data infrastructures:
a) A web UI to monitor cluster state.
b) High availability and fault tolerance.
c) Linear scalability to thousands of nodes.
d) Isolation of tasks with Linux containers.
e) Multiple resource scheduling models.
f) A REST API for easy integration and application development.
g) Ability to share resources across many frameworks.
• The SDN controller accepts traffic demand requests from the Mesos manager.

3.6.2 Cloud Networking over SDN
• Cloud Network as a Service (CloudNaaS) is a cloud networking system that exploits OpenFlow SDN capabilities to give the cloud customer a greater degree of control over cloud network functions.
• Fig. 3.6.2 shows the sequence of the main operations in CloudNaaS.
• First, a cloud customer or tenant uses a simple policy language to specify the network services required by its application (Fig. 3.6.2 (a)).
• Next, the network policy is translated from the high-level constructs into a canonical description of the desired network communication patterns and network services, referred to as the "communication matrix" (Fig. 3.6.2 (b)).
• The communication matrix represents the logical view of the customer's resource demand. At the end of this step, it is used to determine the optimal placement of the new VMs, such that the cloud is able to satisfy the largest number of global policies in an efficient manner. This placement is based on knowledge of other customers' requirements and/or their current levels of activity.
• This step also determines whether it is possible to map the new customer's logical requirements onto the cloud's physical resources at all.
• The logical communication matrix, together with the chosen VM locations, is then translated into network-level directives (i.e., configuration commands or rules) for the devices in the cloud (Fig. 3.6.2 (c)). The customer's VM instances are deployed by creating and placing the specified number of VMs.
• The final step is to install the configuration commands or rules into the devices within the network (Fig. 3.6.2 (d)), thereby creating the physical communication paths that satisfy the customer's needs. In addition, address-rewriting rules are instantiated at appropriate network locations to ensure that applications can keep using custom IP addresses within the cloud.
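The four steps above carried through end to end on a toy tenant, as an added example that is not code from the CloudNaaS paper or prototype: (a) a three-statement policy language is parsed, (b) it is expanded into a communication matrix of allowed (source VM, destination VM, service) triples which then drives a greedy, affinity-aware placement that also reports when the demand cannot be mapped, (c) the matrix and the placement are compiled into per-host, per-table OpenFlow-like rules that are enforced at the source vswitch, and (d) address-rewriting rules let the tenant keep its own addresses while the fabric routes on cloud-assigned ones. The policy syntax, host and port names, address ranges and the rule schema are assumptions of the example.

```python
"""The four CloudNaaS steps on a toy tenant policy (added example, not code from
the CloudNaaS paper or prototype). (a) parse a small policy language; (b) build the
communication matrix and place VMs with it as the affinity input; (c) compile matrix
plus placement into per-host, per-table OpenFlow-like rules; (d) add the address
rewriting that lets the tenant keep its own addresses. The policy syntax, host and
port names, address ranges and the rule schema are assumptions of this example."""
from ipaddress import ip_address

IP_PROTO = {"tcp": 6, "udp": 17}
UPLINK = "uplink"      # vswitch port towards the data center fabric (assumed name)

def parse_policy(text):
    """(a) statements: 'group NAME VM...', 'address VM TENANT_IP', 'allow SRC DST PROTO PORT'."""
    groups, custom, allows = {}, {}, []
    for line in text.strip().splitlines():
        kw, *args = line.split()
        if kw == "group":
            groups[args[0]] = args[1:]
        elif kw == "address":
            custom[args[0]] = args[1]
        elif kw == "allow":
            allows.append((args[0], args[1], args[2], int(args[3])))
        else:
            raise ValueError(f"unknown policy statement: {line!r}")
    return groups, custom, allows

def communication_matrix(groups, allows):
    """(b) (src_vm, dst_vm) -> {(ip_proto, port_field, port)}. Replies are admitted
    in the reverse direction by source port; pairs not listed are denied."""
    matrix = {}
    for src, dst, proto, port in allows:
        for s in groups[src]:
            for d in groups[dst]:
                matrix.setdefault((s, d), set()).add((IP_PROTO[proto], "tp_dst", port))
                matrix.setdefault((d, s), set()).add((IP_PROTO[proto], "tp_src", port))
    return matrix

def place_vms(groups, matrix, capacity):
    """Greedy placement that co-locates a VM with an already placed peer when that
    host still has a slot. Returns vm -> host, or None if the demand cannot be mapped."""
    vms = [vm for members in groups.values() for vm in members]
    free = dict(capacity)
    if len(vms) > sum(free.values()):
        return None
    placement = {}
    for vm in vms:
        peers = sorted(d for s, d in matrix if s == vm)
        with_peer = [placement[p] for p in peers if p in placement and free[placement[p]] > 0]
        host = with_peer[0] if with_peer else max(free, key=free.get)
        placement[vm], free[host] = host, free[host] - 1
    return placement

def compile_rules(matrix, placement, tenant_ip, cloud_ip, port):
    """(c)+(d) per-host rules. Table 0 binds each VM port to its tenant address
    (anti-spoofing) and maps traffic arriving from the fabric back to the tenant
    address. Table 1 enforces the matrix on tenant addresses and, for remote
    destinations, rewrites the destination to the routable cloud address."""
    rules = {h: [] for h in set(placement.values())}

    def rule(host, table, prio, match, actions):
        rules[host].append({"table": table, "priority": prio, "match": match, "actions": actions})

    for vm, host in placement.items():
        rule(host, 0, 100, {"in_port": port[vm], "ipv4_src": tenant_ip[vm]}, [{"goto_table": 1}])
        rule(host, 0, 100, {"in_port": UPLINK, "ipv4_dst": cloud_ip[vm]},
             [{"set_ipv4_dst": tenant_ip[vm]}, {"output": port[vm]}])
    for (s, d), services in sorted(matrix.items()):
        for proto, fld, p in sorted(services):
            match = {"ipv4_src": tenant_ip[s], "ipv4_dst": tenant_ip[d], "ip_proto": proto, fld: p}
            deliver = ([{"output": port[d]}] if placement[d] == placement[s]
                       else [{"set_ipv4_dst": cloud_ip[d]}, {"output": UPLINK}])
            rule(placement[s], 1, 100, match, deliver)
    for host in rules:                       # both tables deny by default
        rule(host, 0, 0, {}, [{"drop": True}])
        rule(host, 1, 0, {}, [{"drop": True}])
    return rules

def deploy(policy_text, capacity):
    """Run (a)-(d); returns (placement, cloud_ip, rules), or None if unmappable."""
    groups, custom, allows = parse_policy(policy_text)
    matrix = communication_matrix(groups, allows)
    placement = place_vms(groups, matrix, capacity)
    if placement is None:
        return None
    base = ip_address("10.0.0.10")                        # cloud-assigned pool (assumed)
    cloud_ip = {vm: str(base + i) for i, vm in enumerate(placement)}
    port = {vm: i + 1 for i, vm in enumerate(placement)}  # vswitch port per VM (assumed)
    tenant_ip = {vm: custom.get(vm, cloud_ip[vm]) for vm in placement}
    return placement, cloud_ip, compile_rules(matrix, placement, tenant_ip, cloud_ip, port)

POLICY = """
group web web1 web2
group db db1
address web1 192.168.1.10
address web2 192.168.1.11
address db1 192.168.1.20
allow web db tcp 3306
"""
HOSTS = {"host-a": 2, "host-b": 2}   # free VM slots per host (constructed)

if __name__ == "__main__":
    placement, cloud_ip, rules = deploy(POLICY, HOSTS)
    print(placement, cloud_ip)
    for host, host_rules in rules.items():
        for r in host_rules:
            print(host, r)
```

Two choices matter for security here. Reachability is enforced at the source vswitch and table 0 only admits packets whose source address matches the VM attached to that port, so one tenant VM cannot spoof another's address to reach something the matrix denies. The reverse-direction entries admit replies by source port, which is stateless; on a vswitch that offers connection tracking a practitioner would use that instead of opening the return path to any packet with the right source port.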
• Fig. 3.6.3 shows the CloudNaaS architecture.
• The CloudNaaS architecture consists of two primary communicating components, namely the cloud controller and the network controller. The cloud controller manages both the virtual resources and the physical hosts and exposes the APIs through which network policies are set.
• The network controller is responsible for monitoring and managing the configuration of network devices as well as for deciding the placement of VMs within the cloud.