Paper review about NAC & SDN
NAC & SDN: about FlowNAC with traffic flow
김준호, 2015.09.23
Mobile Convergence LAB, Department of Computer Engineering, Kyung Hee University.
About paper & terms
Papers reviewed:
• FlowNAC: Flow-based Network Access Control. Conference: 2014 Third European Workshop on Software-Defined Networks, 2014, Spain.
• Toward an SDN-Enabled NFV Architecture. Magazine: IEEE Communications Magazine, April 2015, Spain.
• An Extended SDN Architecture for Network Function Virtualization with a Case Study on Intrusion Prevention. Magazine: IEEE Network, May/June 2015, Taiwan.
1. IEEE 802.1X: the IEEE standard for port-based network access control (PNAC); it specifies an authentication mechanism for devices that want to attach to a wired or wireless LAN (Layer 2).
2. Granularity (from the grain size of the minerals that make up a rock)
A. Fine-grained: finely divided (split into detailed functions)
B. Coarse-grained: coarsely divided (split into large functions)
3. Proactive <-> Reactive
A. Acting in advance <-> responding after the event
4. AAA
A. Authentication: verifying identity
B. Authorization: granting permissions
C. Accounting: recording usage (billing)
5. NAC (Network Access Control): checking whether an endpoint complies with the security policy before it is allowed onto the network, and controlling its network use accordingly. The term is broad; several open-source NAC implementations exist (compared below).
Open-source NAC comparison (Features / H/W / O/S):

PacketFence
  Features: Web server, DHCP server, RADIUS server, IDS, Firewall
  H/W: OpenWRT with hostapd support; HP, Cisco and other switches & APs
  O/S: Ubuntu 12.04 LTS, Debian 7.0, CentOS 6.x, Red Hat Enterprise Linux 6.x Server

OpenNAC
  Features: DHCP reader, RADIUS server, Antivirus, Firewall, Bulk configuration/backup
  H/W: Cisco, Alcatel, 3Com, etc.
  O/S: Windows, Linux, Mac, mobile devices

CoovaChilli
  Features: RADIUS server, Web server, Captive Portal
  H/W: CoovaAP (OpenWRT-based)
  O/S: Ubuntu, Openmoko, OpenWRT

ChilliSpot
  Features: RADIUS server, Web server
  H/W: Nothing special
  O/S: Red Hat, Fedora, Debian, Mandrake, OpenWRT

WiFiDog
  Features: Captive Portal (gateway & authentication server)
  H/W: OpenWRT, FreeWRT, DD-WRT
  O/S: Linux
6. Stateless <-> Stateful
A. Design concept: the server side does not store the state of the ongoing interaction between client and server <-> it does store it.
B. Functional concept: the same argument always returns the same value <-> it may return a different value (because previous values are retained, the returned value can change depending on them).
FlowNAC - IEEE 802.1X
• In the 802.1X exchange (figure on the slide), the authentication messages are carried by EAP (Extensible Authentication Protocol).
• EAPoL (EAP over LAN): the framing defined in IEEE 802.1X that encapsulates EAP packets so they can be delivered between supplicant and authenticator over an IEEE 802 LAN (EtherType 0x888E). The authenticator relays the EAP payload to the authentication server, typically inside RADIUS; EAPoL itself is not routed across a WAN.
EAPoL frame format (figure on the slide)
1. PAE (Port Access Entity): the entity in which the port access policy is applied
What plain IEEE 802.1X gives you:
1. Binary decision
A. Decides when a user is granted access to the network (the user is identified by source MAC)
B. The result is Access or Deny for the whole port
C. Coarse-grained granularity
2. Layer 2 protocol
3. DHCP and DNS are not needed
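To make the EAPoL framing concrete, here is an added Python example (not from the slides or the FlowNAC paper) that parses a standard EAPoL frame and the EAP packet it carries, rejecting anything malformed before an authenticator would act on it. The two sample frames, the supplicant MAC and the identity string are constructed for this example; field layouts follow IEEE 802.1X and RFC 3748.

```python
"""Parse an IEEE 802.1X EAPoL frame and the EAP packet it carries.

Added example, not code from the slides or the FlowNAC paper. Sample frames
are constructed inline; layouts follow IEEE 802.1X (EAPoL) and RFC 3748 (EAP).
"""
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def parse_eapol(frame: bytes) -> dict:
    """Return Ethernet, EAPoL and (if present) EAP fields of one frame.

    Raises ValueError for anything that is not a well-formed EAPoL frame so a
    caller (e.g. an authenticator network function) never acts on garbage.
    """
    if len(frame) < 14 + 4:
        raise ValueError("frame too short for Ethernet + EAPoL header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPoL: ethertype 0x{ethertype:04x}")
    version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) < body_len:
        raise ValueError("EAPoL body truncated")
    result = {
        "dst_mac": dst.hex(":"), "src_mac": src.hex(":"),
        "eapol_version": version,
        "eapol_type": EAPOL_TYPES.get(eapol_type, f"unknown({eapol_type})"),
        "eap": None,
    }
    if eapol_type == 0:  # EAP-Packet: body is an RFC 3748 EAP packet
        if len(body) < 4:
            raise ValueError("EAP header truncated")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > len(body):
            raise ValueError("EAP length field inconsistent with body")
        eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident}
        if code in (1, 2) and eap_len >= 5:  # Request/Response carry a Type
            eap_type = body[4]
            eap["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
            eap["data"] = body[5:eap_len]
        result["eap"] = eap
    return result


# --- constructed sample frames (not captured traffic) -----------------------
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
SUPPLICANT_MAC = bytes.fromhex("020000000001")   # made-up locally administered MAC


def build_eapol(src: bytes, eapol_type: int, body: bytes = b"") -> bytes:
    """Ethernet header + EAPoL header (version 2) + body."""
    return (PAE_GROUP_ADDR + src + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", 2, eapol_type, len(body)) + body)


EAPOL_START = build_eapol(SUPPLICANT_MAC, 1)
_identity = b"alice@example.org"                     # made-up NAI
EAP_RESPONSE_IDENTITY = build_eapol(
    SUPPLICANT_MAC, 0,
    struct.pack("!BBH", 2, 1, 5 + len(_identity)) + b"\x01" + _identity)

if __name__ == "__main__":
    for frame in (EAPOL_START, EAP_RESPONSE_IDENTITY):
        print(parse_eapol(frame))
```

Note that a plain 802.1X authenticator learns only the source MAC and the identity from these frames; there is no field for a requested service, which is the gap FlowNAC's modified framing fills.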
"Flow-based Network Access Control solution, allows to grant users the rights to access the network depending on the target service requested."
FlowNAC - Property
1. Focus
A. Managing the identity of end users
B. Applying a policy based on that identity
2. Fine-grained granularity
A. Access to the network is controlled per flow (each flow is associated with a service)
B. Access to specific services can be authorized independently
C. Multiple services are controlled independently for the same user (i.e. the same identity)
3. Relies on a modified version of IEEE 802.1X
A. Supports EAPoL-in-EAPoL encapsulation
B. Does not need an IP address -> DHCP and DNS are not needed
4. Proactive mode
A. Flow entries are deployed in advance of the actual traffic
B. NAI (Network Access Identifier, RFC 2486) -> the requested service must be included in the identifier
C. Authentication and authorization (AA) are carried out in the same process
5. Not in focus
A. Monitoring
B. Dynamic policies
FlowNAC - Architecture
Entities (figure on the slide): Supplicant (user) -> Authenticator (PEP) -> Authentication server (PDP) -> Policy Repository (PRP)
• PEP (Policy Enforcement Point): the point where policy decisions are actually enforced
• PDP (Policy Decision Point): the point where policy decisions are made
• PRP (Policy Retrieval Point): where the access authorization policies are stored (policy repository)
1. Different protocol
A. Between supplicant and authenticator (modified EAPoL)
B. Distinguishes multiple authentication and authorization processes from the same user: an outer EAPoL frame carries an identifier (able to distinguish up to 64K different processes) and an inner EAPoL frame carries the actual AA exchange (figure on the slide)
2. Identifier
A. Must contain at least three different namespaces
B. Username, service and domain
C. The RFC 2486 NAI (Network Access Identifier) has only two namespaces: username or username@realm
3. Policy definition
A. Includes the requested service as a parameter to be evaluated (not only the user but also the service)
B. The user must be associated with one or several roles
C. Expressed in XACML (eXtensible Access Control Markup Language)
4. Service MUST be univocally defined
A. Supported by the EAPoL-in-EAPoL encapsulation
B. One request -> one action
5. Transmission of the set of authorized flows
A. Between the authentication server and the authenticator
B. Not supported by current protocols
C. New JSON REST interface
6. Authenticator must enforce the access control
A. Based on the received set of flows
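An added Python example (not the FlowNAC paper's code) of the decision described in items 2 to 6 above: parse a three-namespace identifier, evaluate a role-based policy for the one requested service, and produce the set of authorized flows as JSON for the authenticator. The identifier layout user/service@domain, the service table, the roles, the users and the JSON field names are all assumptions made here; the paper only states that three namespaces are needed, that policy is role based, and that a JSON REST interface carries the flow set.

```python
"""FlowNAC-style authorization decision: identifier -> role policy -> set of
authorized flows, serialised as JSON for the authenticator (PEP).

Added example, not the FlowNAC paper's code. The identifier layout
"user/service@domain", the service table, roles, users and the JSON field
names are assumptions made for this example.
"""
import json

# Assumed three-namespace identifier: "<username>/<service>@<domain>".
# A plain RFC 2486 NAI ("user" or "user@realm") lacks the service and is rejected.
def parse_identifier(identifier: str) -> dict:
    user_service, at, domain = identifier.rpartition("@")
    if not at or not domain:
        raise ValueError("identifier lacks the domain namespace")
    user, slash, service = user_service.partition("/")
    if not slash or not user or not service:
        raise ValueError("identifier lacks the user or service namespace")
    return {"user": user, "service": service, "domain": domain}


# Services must be univocally defined: one service name -> exactly one flow spec.
# (Constructed sample data; match-field names mimic OpenFlow 1.0.)
SERVICES = {
    "web": {"eth_type": 0x0800, "ip_proto": 6,  "nw_dst": "10.0.0.10", "tp_dst": 80},
    "dns": {"eth_type": 0x0800, "ip_proto": 17, "nw_dst": "10.0.0.53", "tp_dst": 53},
    "ssh": {"eth_type": 0x0800, "ip_proto": 6,  "nw_dst": "10.0.0.20", "tp_dst": 22},
}
# Role-based policy: a user holds roles, a role grants services.
ROLES = {"student": {"web", "dns"}, "admin": {"web", "dns", "ssh"}}
USERS = {"alice@example.org": ["student"], "bob@example.org": ["admin"]}


def authorize(identifier: str, supplicant_mac: str) -> dict:
    """PDP decision for ONE requested service (one request -> one action).

    Returns the decision plus the flow set the PEP has to install. An undefined
    service is an error, never a silent deny, so a typo in the policy cannot be
    mistaken for a policy decision.
    """
    ident = parse_identifier(identifier)
    if ident["service"] not in SERVICES:
        raise ValueError(f"service {ident['service']!r} is not univocally defined")
    roles = USERS.get(f"{ident['user']}@{ident['domain']}", [])
    allowed = any(ident["service"] in ROLES.get(role, ()) for role in roles)
    flows = []
    if allowed:
        match = dict(SERVICES[ident["service"]])
        match["dl_src"] = supplicant_mac      # bind the flow to the authenticated station
        flows.append({"match": match, "action": "FORWARD"})
    return {"identity": ident, "authorized": allowed, "flows": flows}


def flow_set_json(decision: dict) -> str:
    """What the authentication server would hand to the authenticator over the
    (assumed) REST interface: only the flows, ready for the PEP to install."""
    return json.dumps({"flows": decision["flows"]}, sort_keys=True)


if __name__ == "__main__":
    mac = "02:00:00:00:00:01"   # made-up supplicant MAC
    for ident in ("alice/web@example.org", "alice/ssh@example.org", "bob/ssh@example.org"):
        d = authorize(ident, mac)
        print(ident, "->", "ALLOW" if d["authorized"] else "DENY", flow_set_json(d))
```

Each identifier yields one decision and at most one flow, which is what "one request -> one action" requires; a user who wants two services runs two AA processes, each carrying its own identifier in the outer EAPoL frame.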
FlowNAC - Authenticator (PEP)
• PAE (Port Access Entity)
• PAC (Port Access Controller)
• LMI (Layer Management Interface): lets the PAE communicate with the PAC and control the port status
1. SDN datapath
A. Defined by the Open Networking Foundation (OpenFlow)
B. Match fields and actions; stateless (an action does not depend on previously matched frames)
2. ANF (Authenticator Network Function)
A. Implements the functions performed by the PAE
B. Receives and parses the EAPoL frames and encapsulates them in the appropriate protocol to communicate with the authentication server
C. AA control traffic is not encapsulated in OpenFlow -> avoids the overhead of, and the consolidation of, AA processing in the controller
3. SDN controller
A. Adds and removes the flow entries at the SDN datapath
NAC & SDN
• Stateful network function (the ANF) plus a stateless datapath processing component
• Keep data processing in hardware as much as possible
• Forward data traffic to the stateful component only when its processing is itself stateful
• Avoids data traffic going up to, and back down from, a VM
• Independent scalability of each component
Traffic types:
• A-type -> authentication and authorization (AA) traffic
• B-type -> data traffic for the authorized services
• C-type -> data traffic for non-authorized services
NEXT
An Extended SDN Architecture for Network Function Virtualization with a Case Study on Intrusion Prevention
Intrusion Prevention
• CLA module: located on the switch
• DPI module: too expensive to be performed on the switch
• SR module: decision maker for the policies maintained on the data plane