“Secure Network Monitoring Using Programmable Data Planes”
in Third International Workshop on Security in NFV-SDN (IEEE NFV-SDN 2017), Nov. 2017.
Abstract: The accuracy provided by traditional sampling-based monitoring approaches, such as NetFlow, is increasingly being considered insufficient to meet the requirements of today’s networks. By summarizing all traffic for specific statistics of interest, sketch-based alternatives have been shown to achieve higher levels of accuracy for the same cost. Existing switches, however, lack the necessary capability to perform the sort of processing required by this approach. The emergence of programmable switches and the processing they enable in the data plane has recently led sketch-based solutions to be made possible in switching hardware. One limitation of existing solutions is that they lack security. At the scale of the datacenter networks that power cloud computing, this limitation becomes a serious concern. For instance, there is evidence of security incidents perpetrated by malicious insiders inside cloud infrastructures. By compromising the monitoring algorithm, such an attacker can render the monitoring process useless, leading to undesirable actions (such as routing sensitive traffic to disallowed locations). In this paper we propose, for the first time, a secure sketch-based monitoring solution that can run in programmable switches. Our algorithm – a secure version of the well-known count-min sketch – was implemented in P4, a programming language for switches. The evaluation of our solution demonstrates the performance penalty introduced by security to be negligible.
Research line(s): Fault and Intrusion Tolerance in Open Distributed Systems (FIT)
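To make the data structure in the abstract concrete, the following is an added example (not the paper's P4 implementation and not code from the authors) of a count-min sketch summarizing per-flow byte counts. The abstract does not say how the secure variant is constructed; the HMAC-keyed hashing used here is this example's own assumption about one way to keep bucket placement unpredictable to anyone who can inject traffic but does not hold the key, since a party that can predict which counters a flow lands on can distort estimates. The flow records, the key, and the helper names (`dimensions_for`, `sketch_bytes`, `heavy_hitters`) are all constructed for the example.

```python
"""Count-min sketch over flow records with keyed hashing.

Added example only: it is not the paper's P4 code, and the keyed-hash
hardening is an assumption about one possible design, not the paper's method.
"""
import hashlib
import hmac
import math
from collections import Counter

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes). Not real data.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.1.9", 443, 1500),
    ("10.0.0.7", "10.0.1.9", 443, 800),
    ("10.0.0.5", "10.0.1.9", 443, 1500),
    ("10.0.0.8", "10.0.2.3", 53, 120),
    ("10.0.0.5", "10.0.1.9", 443, 1500),
    ("10.0.0.9", "10.0.2.3", 22, 400),
    ("10.0.0.5", "10.0.1.9", 443, 1500),
    ("10.0.0.7", "10.0.1.9", 443, 800),
    ("10.0.0.10", "10.0.3.1", 80, 300),
]


def flow_key(src, dst, port):
    """Stable string form of the flow identifier used as the sketch item."""
    return f"{src}->{dst}:{port}"


def dimensions_for(epsilon, delta):
    """Standard count-min sizing: width = ceil(e/epsilon), depth = ceil(ln(1/delta)).

    With these dimensions, estimate <= true_count + epsilon * total_count
    holds with probability at least 1 - delta.
    """
    return math.ceil(math.e / epsilon), math.ceil(math.log(1.0 / delta))


class CountMinSketch:
    def __init__(self, width, depth, key):
        self.width = width
        self.depth = depth
        self.key = key  # secret bytes (assumed design); not part of the paper
        self.table = [[0] * width for _ in range(depth)]
        self.total = 0

    def _bucket(self, row, item):
        # One keyed hash per row: the row index salts the message so the
        # rows behave as independent hash functions under the same key.
        msg = f"{row}|{item}".encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:8], "big") % self.width

    def update(self, item, amount=1):
        self.total += amount
        for row in range(self.depth):
            self.table[row][self._bucket(row, item)] += amount

    def estimate(self, item):
        # Collisions can only inflate a counter, so the minimum across rows
        # is the tightest available bound; the sketch never underestimates.
        return min(self.table[row][self._bucket(row, item)] for row in range(self.depth))


def exact_bytes(flows):
    """Ground truth for comparison: exact per-flow byte totals."""
    counts = Counter()
    for src, dst, port, nbytes in flows:
        counts[flow_key(src, dst, port)] += nbytes
    return counts


def sketch_bytes(flows, epsilon=0.01, delta=0.01, key=b"example-secret-key"):
    """Build a sketch sized for the given error bound and feed it the flows."""
    width, depth = dimensions_for(epsilon, delta)
    cms = CountMinSketch(width, depth, key)
    for src, dst, port, nbytes in flows:
        cms.update(flow_key(src, dst, port), nbytes)
    return cms


def heavy_hitters(cms, candidates, threshold):
    """Candidate flows whose sketched byte count meets the threshold."""
    return sorted(k for k in candidates if cms.estimate(k) >= threshold)


if __name__ == "__main__":
    cms = sketch_bytes(SAMPLE_FLOWS)
    exact = exact_bytes(SAMPLE_FLOWS)
    for k in sorted(exact):
        print(f"{k:26s} exact={exact[k]:6d} sketch={cms.estimate(k):6d}")
    print("heavy hitters (>= 40% of bytes):", heavy_hitters(cms, exact, 0.4 * cms.total))
```

Running the script prints each flow's exact byte total beside its sketched estimate; for this small input the two agree, and the one flow carrying more than 40% of all bytes is reported as a heavy hitter. The `epsilon`/`delta` sizing rule is the standard count-min guarantee and is the knob a monitoring design trades against switch memory.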