Abstract
Combining NFV's fast service deployment with SDN's fine-grained control of data flows allows comprehensive network security monitoring. The DOCTOR architecture allows detecting, assessing, and remediating attacks. (The DOCTOR project, http://doctor-project.org, is a collaborative research project partially financed by the French National Research Agency (ANR) under grant ANR-14-CE28-0001.) DOCTOR is an ANR-funded project designing an NFV platform for securely deploying virtual network functions. The project relies on open-source technologies, providing a platform on top of which a Named Data Networking (NDN) architecture (https://named-data.net/) is implemented. NDN is an example of an application made possible by the coexistence of SDN and NFV, since a hardware implementation would be too expensive. We show how NDN routers can be implemented and managed as VNFs.
Security monitoring of the DOCTOR architecture is performed at two levels. First, host-level monitoring, provided by CyberCAPTOR, uses an attack-graph approach based on network topology knowledge. It then suggests remediations to cut attack paths. We show how our monitoring tool integrates SDN and NFV specificities and how SDN and NFV make security monitoring more efficient. Then, application-level monitoring relies on the MMT probe. It monitors NDN-specific metrics from inside the VNFs, and a central component can detect attack patterns corresponding to known flaws of the NDN protocol. These attacks are fed to the CyberCAPTOR module to integrate NDN attacks in attack graphs.
© 2017 Springer International Publishing AG
Cite this chapter
Combe, T., Mallouli, W., Cholez, T., Doyen, G., Mathieu, B., Montes de Oca, E. (2017). An SDN and NFV Use Case: NDN Implementation and Security Monitoring. In: Zhu, S., Scott-Hayward, S., Jacquin, L., Hill, R. (eds) Guide to Security in SDN and NFV. Computer Communications and Networks. Springer, Cham. https://doi.org/10.1007/978-3-319-64653-4_12
DOI: https://doi.org/10.1007/978-3-319-64653-4_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-64652-7
Online ISBN: 978-3-319-64653-4
eBook Packages: Computer Science (R0)