SDN-Based Intrusion Prevention System for Science DMZ

SDN-Based Network Intrusion Prevention System for Science DMZ Deployment

  • Jo, Jinyong (Korea Institute of Science and Technology Information) ;
  • Jang, Heejin (Korea Institute of Science and Technology Information) ;
  • Lee, Kyungmin (Korea Institute of Science and Technology Information) ;
  • Kong, JongUk (Korea Institute of Science and Technology Information)
  • Received : 2015.04.06
  • Accepted : 2015.06.12
  • Published : 2015.06.30

Abstract

In this paper, we introduce an SDN-based intrusion prevention system for a more secure Science DMZ that imposes no performance limits. The proposed system is structured as intrusion-prevention, intrusion-detection, and prevention-decision subsystems which are physically distributed but connected at the information level by an SDN interface. This functional distribution and the application of SDN technology increase the flexibility and extensibility of the proposed system and prevent the performance degradation that network security equipment can otherwise cause on a Science DMZ. We verified the feasibility and performance of the proposed system over a testbed set up at KREONET.

This paper introduces an SDN (Software Defined Networking)-based network intrusion prevention system for deployment on a Science DMZ (Demilitarized Zone). The proposed system separates the intrusion detection function from the intrusion prevention device and extends SDN technology to interconnect the detection and defense functions, with the aim of increasing the flexibility and extensibility of network security equipment and preventing the packet loss caused by packet inspection and similar processing. This paper presents one application scenario of the proposed framework and verifies its practical applicability by trial deployment in the networking DMZ environment built on the Korea Research Environment Open Network (KREONET).


Cited by

  1. Design and Implementation of an SD-WAN-Based User-Centric Virtual Private Network System, vol.41, pp.9, 2015, https://doi.org/10.7840/kics.2016.41.9.1081
  2. Scan Modeling and Performance Analysis for Identifying Wide-Ranging Terminal Information, vol.42, pp.4, 2015, https://doi.org/10.7840/kics.2017.42.4.785