Search for: All records

One of the main roles of the Domain Name System (DNS) is to map domain names to IP addresses. Despite the importance of this function, DNS traffic often passes without being analyzed, thus making the DNS a center of attacks that keep evolving and growing. Software-based mitigation approaches and dedicated state-of-the-art firewalls can become a bottleneck and are subject to saturation attacks, especially in high-speed networks. The emerging P4-programmable data plane can implement a variety of network security mitigation approaches at high-speed rates without disrupting legitimate traffic. This paper describes a system that relies on programmable switches and their stateful processing capabilities to parse and analyze DNS traffic solely in the data plane, and subsequently apply security policies on domains according to the network administrator. In particular, Deep Packet Inspection (DPI) is leveraged to extract the domain name consisting of any number of labels and hence, apply filtering rules (e.g., blocking malicious domains). Evaluation results show that the proposed approach can parse more domain labels than any state-of-the-art P4-based approach. Additionally, a significant performance gain is attained when comparing it to a traditional software firewall -pfsense-, in terms of throughput, delay, and packet loss. The resources occupied by the implemented P4 program are minimal, which allows for more security functionalities to be added. 

Ever since the inception of the networking industry, routing and switching devices have been limited to tightly-coupled hardware and software components. Vendors provide closed source proprietary stacks, restraining network operators from utilizing customized features, and hence hindering innovation. This aggregated model is costly, time consuming, and unscalable as changes in the devices require vendor's intervention. As a result, the industry started manufacturing white-box switches and developing Network Operating Systems (NOSs) that support multiple vendors and Application Specific Integrated Circuits (ASICs). This model is referred to as ”disaggregated” as the software and hardware are decoupled; essentially, vendors' switching silicons (e.g., Broadcom) are compatible with different NOS (e.g., SONiC). In this paper, we discuss the lessons learned while designing and implementing a testbed that consists of disaggregated network devices. We iterate over several open source Internet Protocol (IP) routing suites and NOSs that are vendor-agnostic. Additionally, we highlight a novel type of forwarding data planes that are programmable and explore their features. The testbed consists of two white-box switches provided by Edgecore that use programmable switching silicon (Tofino) manufactured by Barefoot Networks, an Intel Company. We installed SONiC NOS on top of the switches and tested static and BGP routing protocols. We report the configuration process and the prerequisites needed to deploy a working disaggregated environment. Finally, we discuss how open source NOSs and programmable switches can be extended to support campus networks, rather than being data center-oriented only. 

Blockchain technology is the cornerstone of digital trust and systems’ decentralization. The necessity of eliminating trust in computing systems has triggered researchers to investigate the applicability of Blockchain to decentralize the conventional security models. Specifically, researchers continuously aim at minimizing trust in the well-known Public Key Infrastructure (PKI) model which currently requires a trusted Certificate Authority (CA) to sign digital certificates. Recently, the Automated Certificate Management Environment (ACME) was standardized as a certificate issuance automation protocol. It minimizes the human interaction by enabling certificates to be automatically requested, verified, and installed on servers. ACME only solved the automation issue, but the trust concerns remain as a trusted CA is required. In this paper we propose decentralizing the ACME protocol by using the Blockchain technology to enhance the current trust issues of the existing PKI model and to eliminate the need for a trusted CA. The system was implemented and tested on Ethereum Blockchain, and the results showed that the system is feasible in terms of cost, speed, and applicability on a wide range of devices including Internet of Things (IoT) devices.