Paper review about NAC & SDN

NAC & SDN: about FlowNAC with traffic flow. 김준호, 2015.09.23. Mobile Convergence LAB, Department of Computer Engineering, Kyung Hee University.

Transcript of Paper review about NAC & SDN

NAC & SDN: about FlowNAC with traffic flow

김준호, 2015.09.23

Mobile Convergence LAB, Department of Computer Engineering, Kyung Hee University.

Contents

1. About paper & terms

2. FlowNAC

3. NAC & SDN

4. Intrusion Prevention

5. Q&A

About paper & terms

Paper 1: FlowNAC: Flow-based Network Access Control (Conference) – 2014 Third European Workshop on Software-Defined Networks, 2014, Spain

Paper 2: Toward an SDN-Enabled NFV Architecture (Magazine) – IEEE Communications Magazine, April 2015, 2015, Spain

Paper 3: An Extended SDN Architecture for Network Function Virtualization with a Case Study on Intrusion Prevention (Magazine) – IEEE Network, May/June 2015, 2015, Taiwan

1. IEEE 802.1X – the IEEE standard for port-based network access control (PNAC) – describes an authentication mechanism for devices that want to connect to a wired or wireless LAN (Layer 2)

2. Granularity (in geology: the size of the mineral grains that make up a rock)

A. Fine-grained – finely textured (divided into detailed functions)

B. Coarse-grained – roughly textured (divided into large functions)

3. Proactive <-> Reactive

A. Acting ahead of time <-> responding to events

4. AAA

A. Authentication

B. Authorization

C. Accounting (billing)

About paper & terms

5. NAC (Network Access Control) – checks whether a terminal complies with the security policy before it accesses the network, and controls its network use accordingly

- broad in scope

- open-source NAC products

About paper & terms

Comparison of open-source NAC products (features, supported hardware, operating system):

Packetfence

- Features: Web server, DHCP server, RADIUS server, IDS, Firewall

- H/W: OpenWRT with hostapd support; HP, Cisco and other switches & APs

- O/S: Ubuntu 12.04 LTS, Debian 7.0, CentOS 6.x, Red Hat Enterprise Linux 6.x Server

Opennac

- Features: DHCP reader, RADIUS server, Antivirus, Firewall, Bulk configuration/backup

- H/W: Cisco, Alcatel, 3Com, etc.

- O/S: Windows, Linux, Mac, mobile device

Coovachilli

- Features: RADIUS server, Web server, Captive portal

- H/W: CoovaAP (OpenWRT-based)

- O/S: Ubuntu, Openmoko, OpenWRT

Chillispot

- Features: RADIUS server, Web server

- H/W: Nothing special

- O/S: Redhat, Fedora, Debian, Mandrake, OpenWRT

Wifidog

- Features: Captive portal (Gateway & Authentication server)

- H/W: OpenWRT, FreeWRT, DD-WRT

- O/S: Linux

6. Stateless <-> Stateful

A. Design concept

a. The server side does not store (<-> does store) state information about the ongoing interaction between client and server

B. Functional concept

a. Always returns the same value for the same argument <-> may return a different value (because previous values are retained, the returned value can vary depending on them)

About paper & terms

NEXT

FlowNAC : Flow-based Network Access Control

FlowNAC - IEEE 802.1X

• In the exchange above, the authentication messages are carried by EAP (Extensible Authentication Protocol)

• EAPoL (EAP over LAN) -> protocol that encapsulates EAP authentication message packets for delivery over the LAN/WAN

– defined in IEEE 802.1X

FlowNAC - IEEE 802.1X

EAPoL frame

1. PAE (Policy Access Entity)

- where the policy is applied

1. Binary decision

A. Whether the user is granted access to the network (identified by source MAC)

B. Access or Deny

C. Coarse-grained granularity

2. Layer 2 protocol

3. DHCP, DNS are not needed

A flow-based network access control solution that grants users the right to access the network depending on the target service requested.

FlowNAC

1. Focusing on

A. Managing the identity of end users

B. Applying a policy based on identity

2. Fine-grained granularity

A. Based on flows (associated with services) to control access to the network

B. Able to authorize access to specific services independently

C. Multiple services independently controlled for the same user (i.e. identity)

3. Relies on a modified version of IEEE 802.1X

A. Supporting EAPoL-in-EAPoL encapsulation

B. Does not need an IP address -> DHCP, DNS are not needed

4. Proactive mode

A. Flow entries are deployed in advance of the actual traffic

B. NAI (Network Access Identifier) – RFC 2486 -> the requested service must be included

C. AA process is supported at the same time

FlowNAC - Property

5. Not focusing on

A. Monitoring

B. Dynamic policies

FlowNAC - Property

[Figure: FlowNAC roles – Supplicant (user), Authenticator (PEP), Authentication server (PDP), Policy Repository (PRP)]

• PEP (Policy Enforcement Point) – point where policy decisions are actually enforced

• PDP (Policy Decision Point) – point where policy decisions are made

• PRP (Policy Retrieval Point) – where access authorization policies are stored (policy repository)

1. Different protocols

A. Between supplicant and authenticator

B. Between multiple authentication and authorization processes from the same user

FlowNAC - Architecture

• Identifier – identifies up to 64K different processes

• Outer EAPoL

• Inner EAPoL

2. Identifier

A. Must contain at least three different namespaces

B. Username, service and domain

C. RFC 2486 – NAI (Network Access Identifier) has only two namespaces

a. username or username@realm

D. [email protected]

3. Policy definition

A. Includes the requested service as a parameter to be evaluated (not only the user but also the service)

B. A user must be associated with one or several roles

C. XACML (eXtensible Access Control Markup Language)

4. Service MUST be univocally defined

A. Supporting EAPoL-in-EAPoL encapsulation

B. One request -> one action

FlowNAC - Architecture

5. Transmission of the set of authorized flows

A. Between the authentication server and the authenticator

B. Currently not supported

C. New JSON REST interface

6. Authenticator must enforce the access control

A. Based on the set of flows

FlowNAC - Architecture

FlowNAC – Authenticator(PEP)

• PAE(Port Access Entity)

• PAC(Port Access Controller)

• LMI (Layer Management Interface) – connects the PAE with the PAC and controls the port status

FlowNAC – Authenticator(PEP)

1. SDN Datapath

A. Defined by the Open Networking Foundation

B. Matching fields and actions (stateless: do not depend on previously matched frames)

2. ANF (Authenticator Network Function)

A. Implements the functions performed by the PAE

B. Receives and parses the EAPoL frames and encapsulates them in the appropriate protocol (to communicate with the authentication server)

C. AA control traffic is not encapsulated in OpenFlow -> avoids the overhead of, and the consolidation of, the AA processing in the controller

3. SDN Controller

A. Adds and removes the flow entries at the SDN datapath

NEXT

Toward an SDN-Enabled NFV Architecture

NAC & SDN

• Stateful network function & Stateless data path processing component

• To keep data processing in hardware as much as possible

• Only forward the data traffic to the stateful component when processing is also stateful

• Avoiding data traffic going up/down to/from a VM

• Independent scalability of each component

NAC & SDN

• A-type -> Authentication and authorization(AA) traffic

• B-type -> Data traffic for the authorized services

• C-type -> Data traffic for non-authorized services
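A toy model of the proactive, flow-based enforcement described in the FlowNAC property and authenticator slides and of the A/B/C traffic classes above, added here as an illustration (not code from the papers): the controller installs a per-(user, service) entry in advance, the stateless datapath decides each frame by its match fields alone, and the outcome maps onto the A/B/C types. The service catalogue, MAC addresses and the dict-based frame layout are assumptions.

```python
# Added example, not code from the FlowNAC paper: a toy model of proactive,
# flow-based access control. The service catalogue, MAC addresses and frame
# layout (a dict of match fields) are constructed for illustration.
from dataclasses import dataclass, field

EAPOL_ETHERTYPE = 0x888E   # IEEE 802.1X EAPoL frames = A-type (AA) traffic
IPV4_ETHERTYPE = 0x0800
SERVICES = {"web": ("tcp", 80), "dns": ("udp", 53)}  # hypothetical catalogue

@dataclass
class FlowEntry:
    match: dict      # exact-match fields; every listed field must be equal
    action: str      # "to_anf" (hand to the ANF), "forward", or "drop"
    priority: int = 0

@dataclass
class Datapath:
    """Stateless: a frame is decided by the highest-priority matching entry only."""
    table: list = field(default_factory=list)

    def install(self, entry):
        self.table.append(entry)
        self.table.sort(key=lambda e: -e.priority)

    def revoke(self, src_mac):
        # Controller removes all of a user's entries, e.g. on logoff
        self.table = [e for e in self.table if e.match.get("src_mac") != src_mac]

    def lookup(self, frame):
        for e in self.table:
            if all(frame.get(k) == v for k, v in e.match.items()):
                return e.action
        return "drop"   # table miss: non-authorized (C-type) traffic is never forwarded

def bootstrap(dp):
    # Always present: AA frames go to the Authenticator Network Function instead
    # of being encapsulated as OpenFlow packet-ins to the controller.
    dp.install(FlowEntry({"ethertype": EAPOL_ETHERTYPE}, "to_anf", priority=100))

def authorize(dp, src_mac, service):
    """Proactive mode: install the flow for an authorized (user, service) pair up front."""
    proto, port = SERVICES[service]
    match = {"ethertype": IPV4_ETHERTYPE, "src_mac": src_mac,
             "ip_proto": proto, "dst_port": port}
    dp.install(FlowEntry(match, "forward", priority=10))

def traffic_type(dp, frame):
    """Map the datapath decision onto the paper's A/B/C traffic classes."""
    return {"to_anf": "A", "forward": "B"}.get(dp.lookup(frame), "C")
```

Because the table is evaluated per frame with no memory, a user's DNS traffic stays C-type until the controller installs a separate entry for that service, which is exactly the per-service independence the slides describe.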

NEXT

An Extended SDN Architecture for Network Function Virtualization

with a Case Study on Intrusion Prevention

Intrusion Prevention

• CLA Module – located on the switch

• DPI Module – too expensive to be performed on the switch

• SR Module – decision maker for the policies maintained on the data plane

Intrusion Prevention

• Modify the OpenFlow message

Intrusion Prevention

Q&A

Thank you so much