
About this book

Part I: Foundations of Virtual Networking and Security

In the first part of this book, we focus on the foundations of computer networks. We first present basic concepts of computer networks in Chapter 1: Introduction to Computer Networks, covering layered network architecture, services, and packet encapsulation. Addresses such as MAC addresses, IP addresses, and port numbers play very important roles in the network layers, so we put a lot of emphasis on these fundamental concepts for readers who are new to computer networking. To help readers understand computer networks, we provide a comprehensive description of the relations between physical networks, logical networks, and virtual networks. Moreover, several important computer network services such as ARP, DHCP, DNS, and NAT are presented. Finally, network routing in IP networks and in software-defined networks is described. In summary, this chapter provides a foundation for novice readers in the networking area, and the presented concepts and descriptions are necessary to understand the rest of this book.

Both SDN and NFV are built heavily on network virtualization technologies. Thus, in Chapter 2: Virtual Networking, we provide a comprehensive view of existing network virtualization solutions. This chapter starts with basic virtualization concepts and technologies, including OpenFlow, OPNFV, and virtual networking embedding problems. Then, layer-2 virtual networking solutions such as Linux bridge and open virtual switches are described in detail. Tunneling solutions such as VLAN, VxLAN, and GRE, which are widely used to build existing virtual and programmable networks, are also presented. Finally, virtual routing and forwarding is described. Understanding the material in this chapter is critical to understanding modern computer networking solutions.

In Chapter 3: SDN and NFV, SDN and NFV are introduced and described in more detail. The motivation for both paradigms, their benefits, challenges, and use cases are described. Leading frameworks that implement NFV and SDN are also discussed. This is followed by a discussion of the symbiotic nature of these two paradigms and their interworking. Finally, P4 and PISA are introduced as advanced topics for deeply programmable SDN.

This book focuses on the security aspects of using SDN and NFV solutions. To cover the basics of computer network security, in Chapter 4: Network Security Preliminaries, we first describe several important security concepts: the differences between a threat model and an attack model, defense in depth, the cyber kill chain, and their limitations. Then, several network exploration approaches such as network mapping, port scanning, vulnerability scanning, and penetration testing are presented. Later, we focus the discussion on preventive techniques such as firewalls and intrusion prevention. Next, detection and monitoring techniques are presented. Finally, we briefly discuss what network security assessment is. All of the presented basic security concepts and mechanisms build the fundamental network security services, and they can be implemented in an SDN/NFV networking environment and controlled through its programmable features.

Finally, in the first part, Chapter 5: SDN and NFV Security analyzes the threat model and attack vectors that are part of traditional networks and the new threats that are introduced as part of the SDN/NFV framework. As part of NFV security, we discuss intra-VNF and extra-VNF security threats and countermeasures that can help address NFV security challenges. SDN security is divided into threat vectors targeting different layers of the SDN infrastructure, i.e., the SDN data plane and control plane. Additionally, we discuss challenges specific to SDN, the OpenFlow protocol (one of the most common SDN protocols), the OpenFlow switch, and attack countermeasures to deal with SDN threats.

Part II: Advanced Topics on Software-Defined and Virtual Network Security

In the second part of this book, we focus on advanced topics on how to build a secure networking solution by utilizing SDN and NFV. In particular, the presentation focuses on a new Moving Target Defense (MTD) concept, which utilizes the programmability of SDN to automate defense-in-depth control in terms of security monitoring and analysis and of security countermeasure service selection and deployment. Advanced topics such as security policy management and machine learning models involving SDN/NFV are also presented in this part.

In Chapter 6: Microsegmentation, we present the security microsegmentation concept and its realization, which is illustrated using VMware’s NSX service model. We explain how a security service model such as a firewall transitions to a more scrutinized approach, i.e., microsegmentation. A highly related security service, the distributed firewall, is discussed in detail, followed by illustrations of microsegmentation concepts. Finally, a microsegmentation case study is discussed in detail. Microsegmentation is a good starting point for improving the programmability and agility of network security services. It is the trend; however, it faces substantial network and security state management challenges that must be overcome to make microsegmentation practical.

In Chapter 7: Moving Target Defense, we discuss proactive security mechanisms that reduce the attack surface and limit the capabilities of the attacker, as compared to a static defense mechanism, where the attacker has the asymmetric advantage of time. We discuss different Moving Target Defense (MTD) techniques, such as random host mutation and port hopping, and their impact on service availability and resources (compute and storage) in the network. SDN helps deploy different MTD techniques in an automated fashion, so we have dedicated one section of this chapter to SDN-based MTD. We analyze attack-defense scenarios as a dynamic game between the attacker and the defender, and evaluate different MTD frameworks from qualitative and quantitative perspectives.

Chapter 8: Attack Representation is dedicated to the cybersecurity metrics used to quantify attacks. The most common metric, the Common Vulnerability Scoring System (CVSS), is discussed in detail in the first section of this chapter. We dedicate the rest of the chapter to attack graphs and attack trees, which are used to represent the dependencies between network services and vulnerabilities. The attack representation methods (ARMs) discussed in this chapter help represent multi-hop attacks and possible countermeasures (attack countermeasure trees) in a simplified and intuitive fashion. We also address the limitations associated with different ARMs in this chapter.

The end-to-end delivery of network traffic requires packets to be processed by different security and optimization virtual network functions (VNFs), such as an application firewall, a load balancer, etc. This chaining of VNFs, Service Function Chaining (SFC), is discussed in Chapter 9: Service Function Chaining. The key challenges associated with incorporating SFC, and the role of SDN as an enabler of SFC in identifying dependencies between VNFs and compiling them into policy-aware SFC, are discussed in this chapter. The research and industry SDN/NFV-based SFC testbeds and their architectures are discussed in detail. Additionally, policy-aware SFC and secured SFC are discussed with illustrative examples.

In Chapter 10: Security Policy Management in Distributed SDN Environments, policy conflicts in security implementations are discussed, with emphasis on flow rule conflicts in SDN environments. A formalism for flow rule conflicts in SDN environments is described. A conflict detection and resolution model is discussed that ensures no two flow rules in a distributed SDN-based cloud environment conflict at any layer, thereby assuring consistent, conflict-free security policy implementation and preventing information leakage.

Chapter 11: Intelligent Software Defined Security is dedicated to the analysis of advancements in intelligent security, such as the application of machine learning (ML) and artificial intelligence (AI) in cybersecurity, with use cases such as the role AI can play in improving current intrusion detection systems (IDS). We discuss an SDN-based intelligent network security solution that can incorporate these advancements. We discuss Advanced Persistent Threats (APTs) and the different stages of an APT in the cyber kill chain, along with suggestions for mitigating APTs using SDN-enabled microsegmentation and secured SFC. In the last section of this chapter, we discuss some key challenges that limit the application of ML and AI in cybersecurity, such as the high cost of errors, the semantic gap, highly variant network traffic, etc.