Several reasons make NFV an attractive paradigm for IT security: lower costs, agile operations, better isolation, fast security updates, improved incident response and a higher level of automation. At the same time, network threats tend to be increasingly complex and distributed, implying a huge traffic scale to be monitored and increasingly strict mitigation delay requirements. Considering the current trend of networking and the need to counter the evolution of cyber-threats, it is expected that network monitoring will also move towards NFV-based solutions. In this paper, we present Distributed StreaMon (D-StreaMon), an orchestration framework for distributed monitoring on NFV network architectures. D-StreaMon has been designed to face the challenges described above. It relies on the StreaMon platform, a solution for network monitoring originally designed for traditional middleboxes. The changes that allow StreaMon to be deployed on NFV network architectures are described. The paper reports a performance evaluation of the realized NFV-based solutions and discusses the potential benefits of monitoring tenants' VMs for Service Providers.
D-STREAMON - NFV-capable distributed framework for network monitoring
Davide Palmisano(1,2), Pier Luigi Ventre(2), Alberto Caponi(1), Giuseppe Siracusano(2),
Stefano Salsano(1,2), Marco Bonola(1), Giuseppe Bianchi(1,2)
(1) CNIT – (2) University of Rome “Tor Vergata”
Soft5 Workshop - First International Workshop on Softwarized Infrastructures for
5G and Fog Computing, in conjunction with ITC 29
Genoa, Italy - 8th September, 2017
Outline
• SCISSOR project highlights
• Network Monitoring in a Distributed Cloud / NFV environment
• From StreaMon to Distributed StreaMon (D-StreaMon)
• Deployment of D-StreaMon over a Cloud Infrastructure
The SCISSOR Project – Security in trusted SCADA and smart-grids
The partners:
• Assystem Engineering and operation services (FR)
• AGH University of Science and Technology of Krakow (PL)
• UPMC university Pierre and Marie Curie (FR)
• SixSq Sàrl (CH)
• Consorzio Nazionale Interuniversitario per le Telecomunicazioni (IT)
• RADIO6ENSE (IT)
• Salzburg Research Forschungsgesellschaft mbH (AT)
• Katholieke Universiteit Leuven (BE)
• SEA Società Elettrica di Favignana S.p.a. (IT)
SCISSOR in a nutshell
A highly scalable ICS/SCADA security monitoring framework
• Integration of a wide range of heterogeneous sensors
• A dynamically adaptable, distributed data aggregation framework
• Advanced detection and correlation models as extensions to a conventional SIEM
• Exploitation of modern cloud-computing concepts
Network Monitoring in a Distributed Cloud / NFV environment
From physical to virtual infrastructure
• Once upon a time:
  - physical servers and hosts, physical network devices and wires to be monitored
• Nowadays:
  - servers and hosts are distributed in the cloud
  - security systems and hardware-based middleboxes are replaced by virtualized
    network functions running on commodity hardware
Network Monitoring in a Distributed Cloud / NFV environment
New threats
• Cyber-threats can easily bypass the controls performed by standard procedures,
  which aim at monitoring the perimeter of an infrastructure
• We need innovative defense techniques and the deployment of widespread
  monitoring
Network Monitoring in a Distributed Cloud / NFV environment
Figure: infrastructure hierarchy, from the network core through cloud data centers,
fog nodes and local nodes down to local sensors/actuators.
For example, in the SCISSOR project testbed we have a «Cloud in a box» solution,
called NuvlaBox, installed in an electric cabin on Favignana island
Network Monitoring in a Distributed Cloud / NFV environment
Figure: the same hierarchy (network core, cloud data centers, fog nodes, local nodes,
local sensors/actuators), with monitoring probes distributed on the cloud infrastructure
StreaMon : architecture of a single probe
Stream-based analysis
• Wire-speed, strict real time
• Memory-efficient operation, no on-board DBs
• Data reduction: mining only the data you really need
A very powerful technical approach
• Especially when (controlled) approximation is OK
• Multi-hash data structures (Bloom filters, sketches, etc.)
Figure: raw link traffic (huge rate) → stream analysis (on the fly) → (partial) results, filtering
StreaMon : architecture of a single probe
Figure: the probe pipeline. A Capture Engine receives each incoming packet and feeds the
Event Layer (packet events and timeouts, with a Status Table that records state transitions,
timeout updates and timeout expirations). Events update the Metric Layer (M1, M2, M3); the
Feature Layer derives features from metrics (e.g. F1 = M1+M2, F2 = M3/M2); the Decision
Layer evaluates rules on features (e.g. if (f1>200) then ACTION; if (f2<.05) then ACTION).
The figure groups these layers into a measurement subsystem and a logic subsystem.
What the programmer describes
Define application-specific STATES
• If/when needed
Specify EVENTS
• Triggered by packet arrival:
i) matching rule (e.g. TCP SYN)
ii) extract flow key
• Timeouts
Instantiate METRICS (sketch-based & DLEFT-based)
Define FEATURES
Define STATE MACHINE: transition events, metric updates, conditions, associated ACTIONS
No need to know HOW all this is implemented inside the box: just an API!
State machine description in XML
<!-- excerpt: the declarations of metric m1 and of the feature "rate" are not shown -->
<event type="packet" selector="proto tcp and dst_port 502 and modbus_fc 8" primary-key="ip_src">
  <state id="default">
    <use-metric id="m1" vd_update="ip_src-ip_dst" vm_update="ip_src"/>
    <condition expression="rate > 10"
               action="Publish(log, Suspected scan from %ip_src)"
               next_state="suspect"/>
  </state>
  <state id="suspect">
    <use-metric id="m1" vd_update="ip_src-ip_dst" vm_update="ip_src"/>
    <condition expression="rate > 20"
               action="Publish(log, Detected scan from %ip_src); Publish(raw, raw)"
               next_state=""/>
  </state>
</event>
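To make the metric/feature/decision layering and the XML state machine concrete, here is an added example: a toy re-implementation in Python written for this page, not StreaMon's own engine nor any D-StreaMon code. It parses a well-formed version of the slide's XML and runs it over constructed Modbus/TCP packet records. Assumptions not stated on the slide: metric m1 counts distinct ip_dst per ip_src, approximated here with a Bloom filter plus a count-min sketch in the spirit of the multi-hash structures the deck mentions; the undeclared feature rate is simply m1 read at the primary key; the published (channel, message) pairs stand in for the probe's output channels; the names CONFIG, DistinctCounter, Probe, modbus_pkt and run_demo and the 10.0.x.y addresses are all invented for the illustration.

```python
"""Toy StreaMon-style probe: metric, feature and decision layers driven by the
slide's XML state machine. Added illustration, not StreaMon or D-StreaMon code."""
import hashlib
import re
import xml.etree.ElementTree as ET

# The slide's state machine made well-formed. Assumption: a real config declares
# metric m1 (distinct ip_dst per ip_src) and the feature 'rate' elsewhere.
CONFIG = """<event type="packet" selector="proto tcp and dst_port 502 and modbus_fc 8" primary-key="ip_src">
  <state id="default">
    <use-metric id="m1" vd_update="ip_src-ip_dst" vm_update="ip_src"/>
    <condition expression="rate > 10" action="Publish(log, Suspected scan from %ip_src)"
               next_state="suspect"/>
  </state>
  <state id="suspect">
    <use-metric id="m1" vd_update="ip_src-ip_dst" vm_update="ip_src"/>
    <condition expression="rate > 20" next_state=""
               action="Publish(log, Detected scan from %ip_src); Publish(raw, raw)"/>
  </state>
</event>"""


def _hashes(key, n):
    """n salted 64-bit BLAKE2b hashes of key, indexing the Bloom filter and the sketch."""
    for i in range(n):
        yield int.from_bytes(hashlib.blake2b(f"{i}:{key}".encode(), digest_size=8).digest(), "big")


class DistinctCounter:
    """'Distinct vd values per vm key' in fixed memory: a Bloom filter remembers
    (vm, vd) pairs, a count-min sketch counts each pair's first sighting."""

    def __init__(self, bloom_bits=1 << 16, width=1024, depth=3):
        self.bits, self.bloom = bloom_bits, bytearray(bloom_bits // 8)
        self.width, self.depth = width, depth
        self.cms = [[0] * width for _ in range(depth)]

    def update(self, vm, vd):
        idx = [h % self.bits for h in _hashes(f"{vm}|{vd}", 3)]
        if all(self.bloom[i >> 3] & (1 << (i & 7)) for i in idx):
            return  # pair already counted (or a Bloom false positive: undercounts)
        for i in idx:
            self.bloom[i >> 3] |= 1 << (i & 7)
        for row, h in enumerate(_hashes(vm, self.depth)):
            self.cms[row][h % self.width] += 1

    def query(self, vm):
        return min(self.cms[row][h % self.width] for row, h in enumerate(_hashes(vm, self.depth)))


class Probe:
    """Runs one <event> state machine per primary key over a stream of packet records."""

    def __init__(self, xml_text):
        self.event = ET.fromstring(xml_text)
        self.selector = [t.split() for t in self.event.get("selector").split(" and ")]
        self.pkey = self.event.get("primary-key")
        self.states = {s.get("id"): s for s in self.event.findall("state")}
        self.metrics = {"m1": DistinctCounter()}
        self.flow_state = {}  # primary key -> state id; absent means "default"
        self.published = []   # (channel, message) pairs; stands in for the output channels

    def _holds(self, expr, key):
        """Feature layer + rule check. Assumption: 'rate' is m1 read at the primary key."""
        m = re.fullmatch(r"\s*(\w+)\s*(>=|<=|==|>|<)\s*([\d.]+)\s*", expr)
        assert m and m.group(1) == "rate", f"unsupported expression: {expr}"
        lhs, rhs = self.metrics["m1"].query(key), float(m.group(3))
        return {">": lhs > rhs, "<": lhs < rhs, ">=": lhs >= rhs,
                "<=": lhs <= rhs, "==": lhs == rhs}[m.group(2)]

    def _act(self, action, pkt):
        for chan, msg in re.findall(r"Publish\(\s*(\w+)\s*,\s*([^)]*)\)", action):
            self.published.append((chan, re.sub(r"%(\w+)", lambda m: str(pkt[m.group(1)]), msg)))

    def feed(self, pkt):
        if not all(str(pkt.get(f)) == v for f, v in self.selector):
            return  # packet does not match the event selector
        key = pkt[self.pkey]
        state = self.states[self.flow_state.get(key, "default")]
        for um in state.findall("use-metric"):  # metric layer: update on this event
            vd = "-".join(str(pkt[f]) for f in um.get("vd_update").split("-"))
            vm = "-".join(str(pkt[f]) for f in um.get("vm_update").split("-"))
            self.metrics[um.get("id")].update(vm, vd)
        for cond in state.findall("condition"):  # decision layer: first true rule fires
            if self._holds(cond.get("expression"), key):
                self._act(cond.get("action"), pkt)
                if cond.get("next_state"):
                    self.flow_state[key] = cond.get("next_state")
                return


def modbus_pkt(src, dst, proto="tcp"):
    """Constructed packet record (not a capture): Modbus/TCP function code 8, Diagnostics."""
    return {"proto": proto, "dst_port": 502, "modbus_fc": 8, "ip_src": src, "ip_dst": dst}


def run_demo():
    """10.0.0.5 sends FC 8 to 25 slaves, 10.0.0.7 polls one PLC 30 times, one UDP stray."""
    probe = Probe(CONFIG)
    for i in range(25):
        probe.feed(modbus_pkt("10.0.0.5", f"10.0.1.{i}"))
    for _ in range(30):
        probe.feed(modbus_pkt("10.0.0.7", "10.0.1.1"))
    probe.feed(modbus_pkt("10.0.0.9", "10.0.1.1", proto="udp"))
    return probe  # published: one "Suspected" log, then five "Detected" logs each with a raw
```

Calling run_demo() and printing probe.published shows the scanner moving from default to suspect on its 11th distinct destination and firing the detection rule on every packet past the 20th, while the host polling a single PLC never leaves the default state: the 30 repeated packets update the Bloom filter but not the sketch, which is the data-reduction point of the slide. Note the trade-off built into the metric: a Bloom false positive silently undercounts, and a count-min collision overcounts, so thresholds in the XML should be set with that error in mind.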
StreaMon life-cycle is static and on the probe
• Designed for a single host
• All the steps run on the platform
• Static XML configurations
• StreaMon is re-compiled at each run
• No dynamic re-configuration of parameters
• Metric/feature changes need a restart
• Hard to retrieve monitoring information
• Monitoring logs go to the screen
Figure: hosts with standalone probes, each managed on its own
D-StreaMon: decoupling StreaMon management from execution
Controller (Management)
• Design and deploy the distributed monitoring network (probes)
• Customize probe configuration
• Dynamically re-configure probes
• Centralized compilation
Probes (Execution)
• Just run the logic, without compilation overhead!
• Publish monitoring data on ØMQ channels
Implementation
Orchestration (Ansible)
• Deployment actions are easily configured by defining playbooks
• Playbooks express configuration, deployment and orchestration
• Each playbook maps a group of hosts to a set of roles
• Each role is implemented as a list of Ansible tasks
Messaging (ØMQ)
• Abstraction library for sockets
• Simple publish/subscribe network communication
• Monitoring information is easily aggregated through a proxy
Network Monitoring in a Distributed Cloud / NFV environment
Figure: the same hierarchy (network core, cloud data centers, fog nodes, local nodes,
local sensors/actuators); each node runs OS and drivers, a cloud platform plus a container
manager, and applications either as VMs or as containers
D-StreaMon Orchestration framework
Figure: D-StreaMon covers three functions: probes and VMs instantiation, configuration and
management, and decisions and actions. Interfaces shown: REST towards the Virtual
Infrastructure Manager and the SDN Controller; SSH and 0mq towards the probes on a legacy
management plane; traffic mirroring at the virtual switch (Neutron bridge) of the cloud
infrastructure, where the monitored VMs and the probe are attached. The data plane is a
legacy or SDN network.
Probes as processes vs. probes as containers
Probes as processes
  Pros: better performance; no mirroring overhead
  Cons: less isolation; process management
Probes as containers
  Pros: better isolation; simple deployment
  Cons: performance; mirroring overhead
Thank you. Questions?
Contacts
Stefano Salsano
University of Rome Tor Vergata / CNIT
stefano.salsano@uniroma2.it
http://scissor-project.com/
The work presented here only covers a subset of the work performed in the project
References
• SCISSOR project home page: http://scissor-project.com/
• D. Palmisano, P. L. Ventre, A. Caponi, G. Siracusano, S. Salsano, M. Bonola, G. Bianchi,
“D-STREAMON – NFV-capable distributed framework for network monitoring”,
Soft5 Workshop, 1st International Workshop on Softwarized Infrastructures for 5G and Fog
Computing, in conjunction with 29th ITC conference, Genoa, Italy, 8th September 2017
• P. L. Ventre, A. Caponi, G. Siracusano, D. Palmisano, S. Salsano, M. Bonola, G. Bianchi,
“D-STREAMON: from middlebox to distributed NFV framework for network monitoring”,
demo paper, IEEE International Symposium on Local and Metropolitan Area Networks (LANMAN
2017), Osaka, Japan, 2017
The SCISSOR project has received funding from the European Union’s Horizon 2020
research and innovation programme under grant agreement No. 644425 (Research
and Innovation Action).
The information given is the author’s view and does not necessarily represent the view
of the European Commission (EC). No liability is accepted for any use that may be
made of the information contained.