Residential Network Security: Using Software-defined Networking to Inspect and Label Traffic

Liu, Yu

Etd

Residential Network Security: Using Software-defined Networking to Inspect and Label Traffic

Pubblico

With more households subscribing to Internet services, and the growth of the Smart Home paradigm and the Internet of Things (IoT), there are more assets that need protection in home networks. However, many manufacturers produce devices with weak security. From hardware to software, these devices have attack surfaces that can be easily utilized by attackers. Attacks may cause sensitive information exposure and even physical device damage. Further, compromised devices can join a botnet to launch attacks on other targets, such as distributed denial-of-service attacks (DDoS). Those attacks, under today's Internet infrastructure, are hard to effectively track and block from the victim side, and they also harm residents' service at the origin. Finally, home network owners usually lack expert computer security knowledge. With the limited security features provided by home network gateways, home network security tools are unable to provide adequate protection. Prior work proposes to increase home network security by outsourcing management to the cloud, where experts can help. With the assistance of software-defined networking (SDN) technology, enterprise-grade security benefits can be achieved in home networks. This dissertation focuses on utilizing SDN and network function virtualization (NFV) techniques to achieve such benefits. To optimize the deployability, we try to minimize modifications to legacy network systems, the Internet backbone and Internet Service Providers (ISPs). Along with prior works, we continue using SDN for home network security. This dissertation focus on traffic inspection and labeling. These methods can secure home network security from two angles: inside the home (the individual network) and outside (the collaboration of home networks in the Internet environment). Looking at the inner home network, we propose a series of methods to enhance security for devices and their communications. First, we provide additional authentication between the controlling devices and IoT devices. Since the SDN controller is able to inspect inside networks, we show that vetting simple IoT device protocols can be used as a traffic filtering technique. Mobile devices such as smartphones, tablets and laptops are common in a home network. To better secure this part of the home network, we explore host-based SDN architectures to achieve fine-grained network management on these devices. With system-level information infused networking data provided to the controller, the controller can understand the network better. Thinking individual home networks as a part of the Internet, we explore methods to evolve home networks into responsible and collaborative traffic origins. We provide the basis for effective authentication and control in modern network environments. Since SDN controllers are able to see into the NAT of home networks, we use this feature to insert identifiers into network flows, based on the destination, to provide device-level and flow-level access control. These identifiers could be unique tokens or cryptographic cookies. Since home network devices can be compromised, and then export unwanted traffic to other networks to launch DDoS attacks, we design a protocol that uses the identifiers in the flows to allow the home network controller to stop the attacks upon receiving a trusted filter request from the victim. This method reduces the defense burden on the victim's end and effectively stops the DDoS attack. Further, this flow identifier that is inserted by the SDN controller can provide information that is only known by the user and enterprise network. The enterprise network can then utilize this information to perform better access control. An account lockout attack is a concern of home network users who need to access enterprise networks remotely. Attackers may abuse the account lockout mechanism to deliberately lock accounts and launch denial-of-service attacks. With our mechanism, when an account is under attack, we verify the inserted flow identifier, and the enterprise network can unlock the account to ensure the largest resource accessibility for this trusted user. Our flow control method outperforms VPN since we provide lightweight computation and flexible flow control, while keeping a similar level of security.

Creator