http://dx.doi.org/10.7840/kics.2015.40.6.1070

SDN-Based Intrusion Prevention System for Science DMZ

Jo, Jinyong (Korea Institute of Science and Technology Information)
Jang, Heejin (Korea Institute of Science and Technology Information)
Lee, Kyungmin (Korea Institute of Science and Technology Information)
Kong, JongUk (Korea Institute of Science and Technology Information)
Abstract
In this paper, we introduce an SDN-based intrusion prevention system for a more secure Science DMZ without performance limits. The proposed system is structured as intrusion-prevention, intrusion-detection, and prevention-decision subsystems that are physically distributed but connected, at the information level, by an SDN interface. This functional distribution and the application of SDN technology increase the flexibility and extensibility of the proposed system and prevent the performance degradation that network security equipment can otherwise cause on a Science DMZ. We verified the feasibility and performance of the proposed system on a testbed set up at KREONET.
Keywords
Software defined networking; science DMZ; intrusion detection and prevention