Software Defined Perimeter (SDP) is a new network framework that allows to define a dynamic security perimeter on network resources. It simplifies both access and protection to in premise or remote internal networks and cloud resources. Access to a SDP network is based on a need-to-know model: a user must be authorised and authenticated before gaining access to the protected services and must know their locations. In fact the application infrastructure is invisible to the outside, providing protection to a various number of attacks. Given these conditions, we wanted to improve this framework by integrating it in modern network solutions and see if an implementation is possible with new Software Defined Networking technologies. In particular we wanted to see how SDP could benefit of data plane programmability with the P4 language. The SDP framework has been tested in a virtual network, where a behavioral model v2 switch has been emulated and programmed. SDP functionalities have been implemented in the switch by programming a specific P4 pipeline controlled through P4Runtime-Shell. In particular, considering the client-to-gateway SDP architecture model, the possibility to offload the SDP gateway capabilities directly to the programmable switch has been verified. We've managed to preserve it's firewall-like functionalities and the complete framework operation. Although a performance improvement is expected with the offloading of these capabilities to the network components, we have observed that current P4-programmable architectures do not implement the required cryptographic functions to guarantee all operations with the SDP framework at line rate. But we envision a significant improvement in the performance and the scalability of SDP if this type of dedicated hardware will be developed.
Software Defined Perimeter (SDP) è un nuovo framework di rete che consente di sviluppare infrastrutture di rete con un perimetro di sicurezza dinamico. Semplifica sia l'accesso che la protezione delle reti interne, in locale o remoto, e alle risorse nel cloud. L'accesso a una rete SDP si basa su un modello need-to-know: un utente deve essere autorizzato e autenticato prima di poter accedere ai servizi protetti e conoscervi la loro ubicazione. Infatti, l'infrastruttura nella quale girano gli applicativi è invisibile all'esterno, fornendo protezione da un vasto numero di attacchi informatici. Date queste condizioni, abbiamo voluto migliorare questo framework integrandolo nelle moderne soluzioni di rete ed osservare se fosse possibile un'implementazione con le nuove tecnologie di Software Defined Networking. In particolare, desideravamo evincere come SDP potesse trarre vantaggio del data plane programmabile con il linguaggio P4. Il framework SDP è stato simulato in una rete virtuale, dove è stato emulato e programmato uno switch behavioral model v2. Le funzionalità SDP sono state implementate nello switch programmando una specifica pipeline P4 controllata tramite P4Runtime-Shell. In particolare, considerando il modello di architettura SDP client-to-gateway, è stata verificata la possibilità di realizzare le funzionalità del gateway SDP direttamente sullo switch programmabile. Siamo riusciti a preservare il suo comportamento equiparabile a quello di un firewall e il funzionamento col resto del framework. Sebbene sia previsto un miglioramento delle prestazioni spostando l'esecuzione di queste funzionalità sui componenti di rete, abbiamo osservato che le architetture programmabili in P4 attualmente disponibili non implementano funzioni crittografiche adeguate per poter garantire tutte le operazioni con il framework SDP alla velocità della linea. Ma prevediamo un miglioramento significativo delle prestazioni e nella scalabilità di SDP se questo tipo di hardware dedicato verrà sviluppato.
Software defined perimeter implementation on P4-enabled hardware networks
NASCIMBEN, MATTEO
2019/2020
Abstract
Software Defined Perimeter (SDP) is a new network framework that allows to define a dynamic security perimeter on network resources. It simplifies both access and protection to in premise or remote internal networks and cloud resources. Access to a SDP network is based on a need-to-know model: a user must be authorised and authenticated before gaining access to the protected services and must know their locations. In fact the application infrastructure is invisible to the outside, providing protection to a various number of attacks. Given these conditions, we wanted to improve this framework by integrating it in modern network solutions and see if an implementation is possible with new Software Defined Networking technologies. In particular we wanted to see how SDP could benefit of data plane programmability with the P4 language. The SDP framework has been tested in a virtual network, where a behavioral model v2 switch has been emulated and programmed. SDP functionalities have been implemented in the switch by programming a specific P4 pipeline controlled through P4Runtime-Shell. In particular, considering the client-to-gateway SDP architecture model, the possibility to offload the SDP gateway capabilities directly to the programmable switch has been verified. We've managed to preserve it's firewall-like functionalities and the complete framework operation. Although a performance improvement is expected with the offloading of these capabilities to the network components, we have observed that current P4-programmable architectures do not implement the required cryptographic functions to guarantee all operations with the SDP framework at line rate. But we envision a significant improvement in the performance and the scalability of SDP if this type of dedicated hardware will be developed.| File | Dimensione | Formato | |
|---|---|---|---|
|
2021_6_Nascimben.pdf
non accessibile
Descrizione: Testo tesi
Dimensione
5.8 MB
Formato
Adobe PDF
|
5.8 MB | Adobe PDF | Visualizza/Apri |
I documenti in POLITesi sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
https://hdl.handle.net/10589/176151