Cheng Guo-zhen
National Digital Switching System Engineering & Technological R&D Center
Zhengzhou, China
e-mail: chengguozhen1986@163.com
Abstract—The rise of Bring Your Own Device (BYOD) poses new challenges to the traditional intranet, which used to rely on boundary-based defenses to guarantee internal security. Bringing personal devices into the intranet threatens internal security. Based on the ideas of isolation and dynamics, this paper designs and implements a Software-defined Intranet Dynamic Defense System (SIDD) to disrupt the cyber kill chain. Firstly, to address the issue that a network can be easily reconnoitered because of its static attributes, we allocate a virtual IP address space for intranet terminals and implement a dynamic mapping between real IP addresses and virtual IP addresses that hides the real IP address. Secondly, we propose a software-defined dynamic defense architecture that provides general control of the intranet through three core modules (DNS, virtual and real address assignment, and virtual address maneuvering). Finally, we implement a dynamic defense system oriented to the production environment, based on the OpenDaylight controller. Our experiments indicate that this method yields IP addresses whose maneuvering frequency and space can be defined, so it can significantly reduce the value of network reconnaissance and increase the difficulty of an attacker's real-time attack without affecting network applications.

Keywords-intranet defense; software-defined network; isolation; dynamic

I. INTRODUCTION

The internal networks of enterprises, institutions, and governments hold a large number of high-value information assets and are therefore one of the main targets that attackers seek to infiltrate and control. At present there are two main types of defense for the internal network: the traditional boundary-based defense scheme, and the zero-trust mechanism that has arisen in recent years. The traditional intranet defense scheme mainly deploys a large number of firewalls, IDSs, and other devices at the borders to build a DMZ between the internal and external networks, which increases the security of the intranet to some extent.

But these defenses face new challenges. On the one hand, attack techniques have become more complex, e.g. advanced persistent threats (APT), social engineering attacks, and zero-day exploits. Such behavior cannot be detected effectively by traditional security detection systems. On the other hand, the boundaries of the intranet have tended to blur, especially in recent years. With the development of the mobile Internet, Bring Your Own Device (BYOD) [1] has become a new model for enterprises, governments, and other workplaces. It allows employees to connect their own devices to the internal network. While this model reduces enterprise costs, it exposes enterprise intranets to significant security risks: attackers can easily penetrate the internal network through these devices. Therefore, there is an urgent need to study internal cyber threats.

The zero-trust network model was created by John Kindervag [2] in 2010. In short, the zero-trust strategy rejects access unless the network has determined the identity of the user. But migrating to zero trust requires employees to adopt a new way of thinking, and building the system requires a lot of manpower and resources. Google spent two years creating a trusted library of users and devices before migrating from its traditional corporate network to BeyondCorp, a relatively lengthy process.

In response to these challenges, this paper aims to disrupt the cyber kill chain and increase the difficulty for attackers. We design and implement a Software-defined Intranet Dynamic Defense System (SIDD) based on isolation and dynamics. It keeps the original network configuration intact and minimizes operation and management effort. We hide the real IP address (rIP) of each terminal in the intranet and assign a virtual IP address (vIP) to the terminal for isolation between users. It realizes random maneuvering of the network topology and IP addresses while normal network applications are unaffected.

The main contributions of this paper are as follows:
We propose a software-defined dynamic defense scheme for the intranet;
We implement a network dynamic address maneuvering system based on OpenDaylight;
We build an experimental platform to verify the performance of the system against attacks.
effectively prevent attacks such as reconnaissance, and greatly improve the network security capability.

Figure 1. System framework. (Control plane: config, Dynamic IP Change, Virtual IP Assignment, Management, Terminal table, Session, Flow Processing, and the DNS, ARP and DHCP modules that store to and inquire the tables; data plane: general switches, intranet gateway, external gateway, Internet.)

IV. IMPLEMENTATION OF SIDD

The IP allocation and maneuvering mechanisms need a global configuration space and routing information. If the system were implemented on a conventional network, it would have to rely on custom physical devices, and its practicality and economic efficiency would be low. The SDN architecture separates the control plane from the data plane: the control plane can centrally manage the network devices and precisely define how the underlying devices forward packets, while the programmable data plane allows flexible control over changes in the network behavior of the underlying devices. Therefore, an SDN-based IP maneuvering system can be implemented at the software level in cooperation with SDN switches, and is easier to manage and configure. The requirements on physical devices are relatively small.

A. System State Diagram

As shown in Figure 2, the system mainly has four modules: the DHCP module, the Flow module, the ARP module, and the DNS module.

DHCP module: It is mainly responsible for allocating the real and virtual IP addresses to each terminal. When a DISCOVER packet from the terminal arrives, this module generates the terminal's rIP and sends the OFFER packet back after querying the initialization configuration.

The initialization configuration is set through the management front-end. In this system, the real IP space can have multiple subnet domains according to the user's demand. With the front-end configuration, we can bind a subnet to each switch in the intranet, dividing the switches into multiple domains. The terminal's real IP is therefore selected from the subnet bound to its switch.

When the terminal sends a REQUEST packet, this module randomly generates a vIP and a random domain name for the terminal and sends the ACK. The rIP and vIP information is then stored in the database path corresponding to the switch port to which the terminal is bound.

Flow module: It is mainly responsible for establishing the communication path between the two parties. It determines the source and destination addresses of the packet and establishes the path. Only packets matching a rule can reach the peer, so other scan and attack packets are blocked.

[Figure 2, the system state diagram; caption text not recovered. States shown: system initialization with RESTCONF startup and Listen; DHCP: DHCP_OFFER with rIP select, DHCP_REQUEST with vIP generate, DHCP_ACK with session create; DNS: intranet query, extranet query, rIP response; ARP: analyze, respond; IP: analyze (source is rIP, destination is vIP), route planning, path generate, match & action, mutation cycle with vIP select, wait, generate.]
ARP module: It is mainly responsible for storing the gateway address of each real subnet. Because the communication messages of both peers must be a combination of "rIP + vIP", the configured real IP domain and virtual IP domain are not on the same network segment, which ensures security. Messages emitted from a terminal must carry the gateway MAC of the terminal's own rIP subnet domain. The ARP module has two functions: 1) it disallows broadcasting of ARP packets on the intranet (ARP broadcast packets are the best helper for network sniffing on the intranet); 2) it responds to the terminal's request for the gateway MAC.

DNS module: It is mainly responsible for reverse domain name lookup and rIP query. For reverse domain name lookups, a terminal can only find its own domain name and cannot obtain the domain names of other terminals. A terminal can find the corresponding rIP through a domain name. Such communication sessions can only be established

B. Communication Protocols

The communication process in this paper uses a virtual source address and a real destination address, which has the following advantages:
Packets from the terminal, after modification at the access end, can be received directly by the destination terminal without any further changes. This improves the efficiency of switch packet processing;
It also relaxes the requirements on the switches in the transmission domain, that is, switches that do not support SDN can be used. This is beneficial for the practical adoption of the system.

As shown in Figure 3, the communication process steps are as follows:
Step 1: Host 1 sends a packet <n2, ?> to the DNS server in the controller to request Host 2's address;
Step 2: The DNS server responds to Host 1's request by sending a packet <n2, v2> carrying Host 2's vIP;
Step 3: Host 1 sends a packet to Host 2 using its own rIP and Host 2's current virtual address v2, in the format <r1, v2>;
Step 4: When the packet passes through the access end of Host 1, if it arrives for the first time and there is no matching flow entry, it is sent to the controller for processing. The controller establishes a transmission path and delivers the flow entries for processing the packet to the corresponding switch. After the flow entry matches, the switch replaces the source address of the packet with the current virtual address v1 of Host 1 and the destination address with the real address of Host 2. The message format is then <v1, r2>;
Step 5: The packet is transmitted through the network in the format <v1, r2> until it reaches Host 2;
Step 6: The packets of Host 2 are returned following Steps 3, 4 and 5.

In this paper, we establish a session for each communication process and store it. The session is a six-element array, S = {sRip, sVip, dRip, dVip, Protocol, TTL}, representing the source's rIP and vIP, the destination's rIP and vIP, the communication protocol, and the lifetime, respectively. The vIP in the array is the current virtual address of the terminal when the session is established, and the entry is destroyed at the end of the session's lifetime TTL.

Figure 3. Communication process. (Terminal1 and Terminal2 behind their access ends, the transmission domain and the controller; labels: ① <n2, ?>, ③ <rIP1, vIP2>, ④ <rIP1→vIP1, vIP2→rIP2>, ⑤ <vIP1, rIP2>; reverse direction: <rIP2, vIP1>, ④ <rIP2→vIP2, vIP1→rIP1>, <vIP2, rIP1>.)

The vIP of the session is unchanged even after the terminal's assigned vIP has been updated. The purpose of this is to ensure a good user experience and improve the efficiency of network resource use. In this way, when a new packet arrives, the controller first checks whether a session exists, and uses the existing virtual configuration to distribute the flows.

V. EVALUATION

In this section, we provide an experimental evaluation of the defense effectiveness and overhead of SIDD. The experimental topology is shown in Figure 4.

For example, if H2 wants to communicate with H1, it has to inform H1 first. H1 queries its own domain name using a reverse DNS lookup and then tells H2 out of band. Finally, H2 obtains H1's rIP through the domain name, and the communication is completed. The actual process is shown in Figure 5, and the switch's flow table information is shown in Table I.

TABLE I. RELEASED FLOW
Match                                          | Action
LLDP, DHCP, ARP, DNS                           | controller
tcp, nw_src=100.0.0.42, nw_dst=171.11.201.38   | mod_dl_dst:c2:32:f7:4a:12:72, mod_nw_src:182.92.251.111, mod_nw_dst:100.0.0.40, output:1
tcp, nw_src=100.0.0.40, nw_dst=182.92.251.111  | mod_dl_dst:06:23:f7:b9:bd:98, mod_nw_src:171.11.201.38, mod_nw_dst:100.0.0.42, output:1
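Steps 3 to 6 and the session array described above, as an added example that is not code from the paper or from SIDD: a toy Python model of the flow module that freezes a live session's vIPs, rewrites <rIP, vIP> to <vIP, rIP> at the access end, and emits match/action pairs in the style of Table I. The `FlowModule` class, its method names, the session TTL and the dictionary layout are assumptions; the address values are the ones in Table I.

```python
import time

# Constructed sample values; the rIP/vIP pairs are those shown in Table I.
H1_RIP, H1_VIP = "100.0.0.42", "182.92.251.111"
H2_RIP, H2_VIP = "100.0.0.40", "171.11.201.38"

class FlowModule:
    """Toy model of the flow module: keeps the six-element session
    S = {sRip, sVip, dRip, dVip, Protocol, TTL} and performs the Step 4 rewrite."""

    def __init__(self, ttl=60):
        self.ttl = ttl            # session lifetime in seconds (assumed value)
        self.vip_of = {}          # rIP -> vIP currently assigned by the DHCP module
        self.sessions = []        # live sessions, each a dict with the six fields

    def mutate(self, rip, new_vip):
        """vIP maneuvering: the terminal gets a new vIP; live sessions keep the old one."""
        self.vip_of[rip] = new_vip

    def _live(self, now):
        self.sessions = [s for s in self.sessions if s["expiry"] > now]
        return self.sessions

    def handle(self, src_rip, dst_vip, proto="tcp", now=None):
        """A packet <rIP, vIP> leaves a terminal. Returns (rewritten <vIP, rIP>, flow rule),
        or None when no live session or current vIP matches, i.e. the packet is dropped."""
        now = time.time() if now is None else now
        for s in self._live(now):
            # forward direction of an existing session: reuse its frozen vIPs (Step 4)
            if s["sRip"] == src_rip and s["dVip"] == dst_vip and s["proto"] == proto:
                return self._rewrite(src_rip, dst_vip, s["sVip"], s["dRip"], proto)
            # reverse direction: the peer answers to the vIP it received (Step 6)
            if s["dRip"] == src_rip and s["sVip"] == dst_vip and s["proto"] == proto:
                return self._rewrite(src_rip, dst_vip, s["dVip"], s["sRip"], proto)
        # new session: dst_vip must be some terminal's *current* vIP, otherwise drop it
        dst_rip = next((r for r, v in self.vip_of.items() if v == dst_vip), None)
        if dst_rip is None or src_rip not in self.vip_of:
            return None
        self.sessions.append({"sRip": src_rip, "sVip": self.vip_of[src_rip], "dRip": dst_rip,
                              "dVip": dst_vip, "proto": proto, "expiry": now + self.ttl})
        return self._rewrite(src_rip, dst_vip, self.vip_of[src_rip], dst_rip, proto)

    @staticmethod
    def _rewrite(src_rip, dst_vip, new_src_vip, new_dst_rip, proto):
        # match/action pair in the style of Table I (mod_dl_dst omitted: no MAC table here)
        rule = (f"{proto},nw_src={src_rip},nw_dst={dst_vip} -> "
                f"mod_nw_src:{new_src_vip},mod_nw_dst:{new_dst_rip},output:1")
        return (new_src_vip, new_dst_rip), rule
```

With the Table I addresses, H1's first packet produces the table's first tcp rule and H2's reply the second; a packet sent to a vIP that is neither in a live session nor currently assigned is dropped, which is how stale or guessed addresses from a scan are blocked.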
[Figure 4, the experimental topology: H1 and H2 attached to OpenFlow (OF) switches, an FTP server and a mail server, a third OF switch, a non-OpenFlow switch, and the controller.]
B. Overhead Evaluation

Because SIDD establishes a pair of flows for every session, the number of flows stored by the switch is very large. As shown in Figure 7, when the switch is processing the sessions of 100 terminals at the same time, the number of delivered flows can reach up to 4954, which is a huge challenge to the performance of the switch. In comparison, the switch only needs 100 flows under normal circumstances.

VI. SUMMARY

This paper addresses existing intranet security issues. From the perspective of disrupting the cyber kill chain, we design and implement a Software-defined Intranet Dynamic Defense System (SIDD) that denies attackers the results of detection by using random and unpredictable maneuvering of host IP addresses. Our experimental results show that SIDD can invalidate up to 99% of the information collected by external scans and can block large-scale network attacks, e.g. zero-day exploits, worms and DoS. In the future, we plan to study the effect of SIDD on other attack models (such as application layer attacks).

ACKNOWLEDGMENT

This work was supported by the Information Engineering University Emerging Direction Nurturing Fund (2016610708), the National Natural Science Foundation of China (61602509), the National Key Research and Development Program of China (2016YFB0800100, 2016YFB0800101), and the Key Technologies Research and Development Program of Henan Province of China (172102210615).

REFERENCES

[1] Flores D A, Qazi F, Jhumka A. "Bring Your Own Disclosure: Analysing BYOD Threats to Corporate Information," TrustCom/BigDataSE/ISPA. IEEE, 2017.
[2] Kindervag J. "Build Security Into Your Network's DNA: The Zero Trust Network Architecture," Forrester Research Inc, 2010: 1-26.
[3] Escobedo V, Beyer B, Saltonstall M, et al. "BeyondCorp: The User Experience," 2017.
[4] Beske C M C, Peck J, Saltonstall M. "Migrating to BeyondCorp: Maintaining Productivity While Improving Security," 2017.
[5] https://duo.com/docs.
[6] Atighetchi M, Pal P, Webber F, et al. "Adaptive use of network-centric mechanisms in cyber-defense," IEEE International Symposium on Object-Oriented Real-Time Distributed Computing. IEEE, 2003: 183-192.
[7] Kewley D, Fink R, Lowry J, et al. "Dynamic approaches to thwart adversary intelligence gathering," DARPA Information Survivability Conference & Exposition II, 2001. DISCEX '01. Proceedings. IEEE, 2001: 176-185 vol.1.
[8] Antonatos S, Anagnostakis K G. "TAO: Protecting Against Hitlist Worms Using Transparent Address Obfuscation," IFIP TC-6 TC-11 International Conference on Communications and Multimedia Security. Springer-Verlag, 2006: 12-21.
[9] Jafarian J H, Al-Shaer E, Duan Q. "An Effective Address Mutation Approach for Disrupting Reconnaissance Attacks," IEEE Transactions on Information Forensics & Security, 2015, 10(12): 2562-2577.
[10] Jafarian J H, Al-Shaer E, Duan Q. "OpenFlow random host mutation: transparent moving target defense using software defined networking," The Workshop on Hot Topics in Software Defined Networks. ACM, 2012: 127-132.
[11] Hassan W, Omar T. "Future Controller Design and Implementation Trends in Software Defined Networking," Journal of Communications, 2018, 13(5): 209-217.
[12] Zhu X, Chen B, Qian H. "HawkFlow: Scheme for Scalable Hierarchically Distributed Control in Software Defined Network," Journal of Communications, 2016, 11(10): 910-917.
[13] Xu C, Chen B, Qian H. "Quality of Service Guaranteed Resource Management Dynamically in Software Defined Network," Journal of Communications, 2015, 10(11): 843-850.