Klienditugi: 7440010 (E-R 10-18)

Software-Defined Networking and Security: From Theory to Practice [Pehme köide]

2.00/5 (1 hinnangut Goodreads-ist)

Dijiang Huang (Arizona State University, Tempe, USA), Ankur Chowdhary (Arizona State University), Sandeep Pisharody (Arizona State University)

Formaat: Paperback / softback, 356 pages, kõrgus x laius: 234x156 mm, kaal: 453 g
Sari: Data-Enabled Engineering
Ilmumisaeg: 31-Mar-2021
Kirjastus: CRC Press
ISBN-10: 036778064X
ISBN-13: 9780367780647

Teised raamatud teemal:

Computer security - (Hetkel poes: 4 nimetust)
Software Engineering
Network security

Pehme köide
Hind: 68,94 €
Raamatu kohalejõudmiseks kirjastusest kulub orienteeruvalt 2-4 nädalat
Kogus:
- - 1
  - 2
  - 3
  - 4
  - 5
  - 6
  - 7
  - 8
  - 9
  - 10
Lisa ostukorvi
Tasuta tarne
Tellimisaeg 2-4 nädalat
Lisa soovinimekirja
Raamatukogudele

Formaat: Paperback / softback, 356 pages, kõrgus x laius: 234x156 mm, kaal: 453 g
Sari: Data-Enabled Engineering
Ilmumisaeg: 31-Mar-2021
Kirjastus: CRC Press
ISBN-10: 036778064X
ISBN-13: 9780367780647

Teised raamatud teemal:

Computer security - (Hetkel poes: 4 nimetust)
Software Engineering
Network security

Püsilink: https://www.kriso.ee/db/9780367780647.html

Märksõnad:

Software-defined networking Computer network technology

This book provides readers insights into cyber maneuvering or adaptive and intelligent cyber defense. It describes the required models and security supporting functions that enable the analysis of potential threats, detection of attacks, and implementation of countermeasures while expending attacker resources and preserving user experience. This book not only presents significant education-oriented content, but uses advanced content to reveal a blueprint for helping network security professionals design and implement a secure Software-Defined Infrastructure (SDI) for cloud networking environments. These solutions are a less intrusive alternative to security countermeasures taken at the host level and offer centralized control of the distributed network.

The concepts, techniques, and strategies discussed in this book are ideal for students, educators, and security practitioners looking for a clear and concise text to avant-garde cyber security installations or simply to use as a reference.

Hand-on labs and lecture slides are located at http://virtualnetworksecurity.thothlab.com/.

Features

Discusses virtual network security concepts

Considers proactive security using moving target defense

Reviews attack representation models based on attack graphs and attack trees

Examines service function chaining in virtual networks with security considerations

Recognizes machine learning and AI in network security

Preface

xvii

Acknowledgments

xxiii

About the Authors

xxv

Part I Foundations of Virtual Networking and Security

1 Introduction of Computer Networks

(32)

1.1 Foundations of Computer Networks

(3)

1.1.1 Protocol Layers

(1)

1.1.2 Networking Services and Packet Encapsulation

(2)

1.2 Addresses

(13)

1.2.1 MAC Address

(1)

1.2.2 IP Address (IPv4)

(1)

1.2.2.1 Classless Inter-Domain Routing

(5)

1.2.2.2 Private IPs

(1)

1.2.3 IP Address (IPv6)

(1)

1.2.3.1 Address Representation

(1)

1.2.3.2 Address Uniqueness

(1)

1.2.3.3 Link-local Address

(1)

1.2.3.4 Global Addressing

(1)

1.2.4 Port Number

(1)

1.3 Physical, Logical, and Overlay Networks

(3)

1.3.1 Physical Networks

(1)

1.3.2 Logical Networks

(2)

1.3.3 Overlay Networks

(1)

1.4 Computer Networking Services

(9)

1.4.1 Address Resolution Protocol

(2)

1.4.2 Dynamic Host Configuration Protocol

(1)

1.4.3 Domain Name System

(1)

1.4.4 Network Address Translation

(1)

1.4.4.1 What is NAT

(1)

1.4.4.2 PREROUTING and POSTROUTING

(1)

1.4.4.3 Netfilter and NAT

(1)

1.4.5 iptables

(1)

1.4.5.1 Tables in iptables

(1)

1.4.5.2 Chains in iptables

(1)

1.4.5.3 Targets in iptables' Chains

(1)

1.5 IP Network Routing

(3)

Summary

(1)

2 Virtual Networking

(42)

2.1 Virtual Networks

(8)

2.1.1 Basis of Virtual Networks

(2)

2.1.2 Abstraction vs. Virtualization

(1)

2.1.3 Benefits of Virtualizing Networks

(2)

2.1.4 Orchestration and Management of Virtual Networks

(1)

2.1.5 Virtual Networking Embedding Problems

(1)

2.1.5.1 VNE Problem Description

(1)

2.1.5.2 VNE Formal Definition

(1)

2.2 Layer-2 Virtual Networking

(14)

2.2.1 Linux Bridge

(1)

2.2.1.1 Data Structures of Linux Bridge

(1)

2.2.1.2 Linux Bridge Configuration

(1)

2.2.1.3 Linux Bridge Frame Processing

(2)

2.2.1.4 Use Cases of Linux Bridge

(3)

2.2.2 Open Virtual Switches

(1)

2.2.2.1 Linux Bridge vs. Open Virtual Switch

(1)

2.2.2.2 Open Virtual Switch Supporting Features

(1)

2.2.2.3 Open Virtual Switch Internal Modules

(1)

2.2.2.4 Packet Processing in OVS

(1)

2.3 Tunneling Protocols and Virtual Private Networks

(15)

2.3.1 VLAN

(1)

2.3.1.1 Types of VLANs

(3)

2.3.1.2 IEEE802.1Q

(5)

2.3.2 Virtual Extensible LAN

(1)

2.3.2.1 VXLAN Design Requirements and Challenges

(1)

2.3.2.2 VXLAN Frame

(2)

2.3.3 Generic Routing Encapsulation

(1)

2.3.3.1 GRE Header

(1)

2.3.3.2 GRE Packet Flow

(1)

2.4 Virtual Routing and Forwarding

(5)

Summary

(3)

3 SDN and NFV

(28)

3.1 Introduction

(1)

3.2 Network Functions Virtualization

(6)

3.2.1 Background and Motivation behind NFV

(1)

3.2.2 NFV Framework

(1)

3.2.3 Benefits and Challenges of NFV

(1)

3.2.4 OPNFV

(1)

3.2.5 OpenStack

(3)

3.3 Software-Defined Networks

(16)

3.3.1 Benefits and Challenges of SDN

(2)

3.3.2 Background

(1)

3.3.3 SDN Control Plane

(1)

3.3.4 SDN Data Plane

(1)

3.3.5 OpenFlow

(1)

3.3.6 SDN Controllers

(1)

3.3.7 Open Virtual Switch

(1)

3.3.8 Routing in SDN

(1)

3.3.8.1 RCP: Routing Control Platform

(1)

3.3.8.2 The SoftRouter

(1)

3.3.8.3 RF IP Routing: IP Routing Services over RouteFlow-based SDN

(1)

3.3.8.4 VRS: Virtual Routers as a Service

(1)

3.3.8.5 RFCP: RouteFlow Routing Control Platform over SDN

(1)

3.3.8.6 RaaS: Routing as a Service

(1)

3.3.8.7 CAR-Cloud Assisted Routing

(1)

3.3.9 OpenDaylight

(3)

3.3.10 Distributed SDN Environments

102

(1)

3.3.11 Distributed SDN Controller Considerations

103

(1)

3.3.12 Challenges in Multiple-Controller Domain

104

(1)

3.4 Advanced Topic: Deep Programmability

104

(5)

3.4.1 P4 Forwarding Model

105

(1)

3.4.2 P4 Programming Language

105

(2)

3.4.3 Protocol Independent Switch Architecture

107

(1)

Summary

107

(2)

4 Network Security Preliminaries

109

(18)

4.1 Basic Concepts of Computer Network Security

109

(5)

4.1.1 Threat, Risk, and Attack

109

(2)

4.1.2 Defense In Depth

111

(1)

4.1.3 Cyber Killer Chain

112

(2)

4.2 Network Reconnaissance

114

(2)

4.2.1 Network Mapping

114

(1)

4.2.2 Port Scanning

115

(1)

4.2.3 Vulnerability Scanning and Penetration Testing

115

(1)

4.3 Preventive Techniques

116

(5)

4.3.1 Firewalls

116

(4)

4.3.2 Intrusion Prevention

120

(1)

4.4 Detection and Monitoring

121

(4)

4.4.1 Intrusion Detection

121

(1)

4.4.2 Logging

122

(3)

4.5 Network Security Assessment

125

(2)

Summary

126

(1)

5 SDN and NFV Security

127

(28)

5.1 Introduction

127

(2)

5.1.1 An Overview of Security Challenges in NFV

127

(1)

5.1.1.1 NFV Threat Vectors

128

(1)

5.1.1.2 NFV Security Goals

128

(1)

5.2 NFV Security

129

(8)

5.2.1 NFV Security Classification

129

(1)

5.2.1.1 Intra-VNF Security

129

(1)

5.2.1.2 Extra-VNF Security

130

(1)

5.2.2 NFV Security Lifecycle

130

(2)

5.2.3 Use Case: DNS Amplification Attack

132

(1)

5.2.4 NFV Security Countermeasures

133

(1)

5.2.4.1 Topology Verification and Enforcement

133

(1)

5.2.4.2 Securing the Virtualization Platform

134

(1)

5.2.4.3 Network and I/O Partitioning

134

(1)

5.2.4.4 Authentication, Authorization, and Accounting

135

(1)

5.2.4.5 Dynamic State Management, and Integrity Protection

136

(1)

5.3 SDN Security

137

(18)

5.3.1 SDN Security Classification

137

(2)

5.3.1.1 SDN Security Threat Vectors

139

(1)

5.3.2 Design of Secure and Dependable SDN Platform

140

(3)

5.3.3 SDN Data Plane Attacks and Countermeasures

143

(1)

5.3.3.1 SDN Data Plane Attacks

143

(1)

5.3.3.2 SDN Data Plane Attack Countermeasures

144

(1)

5.3.4 SDN-Specific Security Challenges

145

(1)

5.3.4.1 Programmablity

145

(1)

5.3.4.2 Integration with Legacy Protocols

146

(1)

5.3.4.3 Cross-Domain Connection

146

(1)

5.3.5 OpenFlow Protocol and OpenFlow Switch Security Analysis

146

(1)

5.3.5.1 Attack Model

146

(1)

5.3.5.2 Protocol-Specific Analysis

147

(2)

Summary

149

(6)

Part II Advanced Topics on Software-Defined and Virtual Network Security

6 Microsegmentation

155

(26)

6.1 From Firewall to Microsegmentation

155

(5)

6.2 Distributed Firewalls

160

(6)

6.2.1 Issues of Conventional Firewalls

160

(2)

6.2.2 Introduction of Distributed Firewalls

162

(2)

6.2.3 Implementation of Distributed Firewalls

164

(2)

6.3 Microsegmentation

166

(5)

6.3.1 Design Microsegmentation and Considerations

166

(1)

6.3.1.1 Software-Defined and Programmability

166

(1)

6.3.1.2 Fine-Grained Data Flow Control and Policy Management

167

(1)

6.3.1.3 Applying Network Analytic Models to Understand Data Traffic Pattern

167

(1)

6.3.1.4 Zero Trust Zones

168

(1)

6.3.1.5 Tools for Supporting Legacy Networks

168

(1)

6.3.1.6 Leveraging Cloud-Based Resource Management and Support

168

(1)

6.3.2 MicroSegmentation Defined

169

(1)

6.3.3 NIST Cybersecurity Recommendations for Protecting Virtualized Workloads

170

(1)

6.4 Case Study: VMware NSX Microsegmentation

171

(10)

6.4.1 Isolation

172

(1)

6.4.2 Segmentation

172

(1)

6.4.3 Security Service Function Chaining

172

(2)

6.4.4 Network and Guest Introspection

174

(1)

6.4.5 Security Service Abstraction

175

(1)

6.4.5.1 Service Composer

175

(2)

6.4.5.2 Grouping

177

(1)

6.4.5.3 Intelligent Grouping

177

(2)

6.4.5.4 Security Tag

179

(1)

Summary

180

(1)

7 Moving Target Defense

181

(24)

7.1 Introduction

181

(1)

7.2 MTD Classification

182

(6)

7.2.1 Security Modeling-based MTD

183

(1)

7.2.1.1 Shuffle

183

(1)

7.2.1.2 Diversification

183

(2)

7.2.1.3 Redundancy

185

(1)

7.2.2 Implementation Layer-based MTD

185

(1)

7.2.2.1 Network Level MTD

186

(1)

7.2.2.2 Host Level MTD

187

(1)

7.2.2.3 Application Level MTD

187

(1)

7.3 SDN-based MTD

188

(6)

7.3.1 Network Mapping and Reconnaissance Protection

189

(1)

7.3.1.1 Service Version and OS Hiding

189

(1)

7.3.2 OpenFlow Random Host Mutation

190

(1)

7.3.3 Frequency Minimal MTD Using SDN

191

(2)

7.3.4 SDN-based Scalable MTD in Cloud

193

(1)

7.4 Game Theoretic MTD Models

194

(7)

7.4.1 Game Theoretic Approach to IP Randomization

194

(1)

7.4.2 Game Theoretic Approach to Feedback Driven Multi-Stage MTD

195

(1)

7.4.3 Game Theory-based Software Diversity

196

(2)

7.4.4 Markov Game-based MTD

198

(1)

7.4.4.1 IP Hopping Using Markov Game Modeling

199

(1)

7.4.4.2 Winning Strategy for Adversary

200

(1)

7.5 Evaluation of MTD

201

(4)

7.5.1 Quantitative Metrics for MTD Evaluation

201

(1)

7.5.2 MTD Analysis and Evaluation Framework

202

(1)

Summary

203

(2)

8 Attack Representation

205

(20)

8.1 Introduction

205

(5)

8.1.1 Cybersecurity Metrics

206

(1)

8.1.2 Common Vulnerability Scoring System (CVSS)

206

(1)

8.1.3 CVSS Use Case

207

(1)

8.1.4 Attack Scenario Analysis

208

(1)

8.1.5 Qualitative and Quantitative Metrics

209

(1)

8.2 Attack Graph

210

(5)

8.2.1 Probabilistic Attack Graphs

212

(1)

8.2.2 Risk Mitigation Using Probability Metrics

213

(1)

8.2.3 Attack Graph Ranking

214

(1)

8.3 Attack Tree

215

(1)

8.4 Attack Countermeasure Tree

216

(5)

8.4.1 ACT Qualitative and Quantitative Analysis

217

(4)

8.5 Other Attack Representation Models

221

(2)

8.5.1 Fault Tree

221

(1)

8.5.2 Event Tree

221

(1)

8.5.3 Hierarchical Attack Representation Model

222

(1)

8.6 Limitations of Attack Representation Methods

223

(2)

Summary

224

(1)

9 Service Function Chaining

225

(22)

9.1 Introduction

225

(2)

9.2 SFC Concepts

227

(5)

9.2.1 Challenges in SFC

229

(3)

9.3 SDN- and NFV-based SFC

232

(2)

9.3.1 SDN as an Enabler of SFC

233

(1)

9.4 SFC Implementations

234

(3)

9.4.1 T-Nova: SDN-NFV-based SFC

234

(2)

9.4.2 Tacker: OpenStack-based SFC

236

(1)

9.5 Policy-Aware SFC

237

(3)

9.5.1 PGA: Graph-based Policy Expression and Reconciliation

238

(1)

9.5.1.1 Policy Composition Example

239

(1)

9.5.2 Group-based Policy

239

(1)

9.6 Secure Service Function Chaining

240

(7)

9.6.1 Secure In Cloud Chaining

242

(1)

9.6.2 SFC Using Network Security Defense Patterns

243

(3)

Summary

246

(1)

10 Security Policy Management in Distributed SDN Environments

247

(34)

10.1 Background

248

(2)

10.2 Related Work

250

(3)

10.2.1 Firewall Rule Conflicts

250

(1)

10.2.2 SDN Security and SDN Policy Management

251

(2)

10.3 Flow Rules

253

(5)

10.3.1 Security Policies Using Flow Rules

255

(2)

10.3.2 Flow Rule Model

257

(1)

10.4 Flow Rule Management Challenges

258

(4)

10.4.1 Motivating Scenarios

259

(1)

10.4.1.1 Case Study 1: MTD

260

(1)

10.4.1.2 Case Study 2: VPN Services

261

(1)

10.4.1.3 Case Study 3: Load Balancing and IDS

262

(1)

10.5 Flow Rule Conflicts

262

(9)

10.5.1 Problem Setup

262

(1)

10.5.2 Conflict Classes

263

(1)

10.5.2.1 Redundancy

264

(1)

10.5.2.2 Shadowing

264

(3)

10.5.2.3 Generalization

267

(1)

10.5.2.4 Correlation

267

(1)

10.5.2.5 Overlap

268

(1)

10.5.2.6 Imbrication

268

(1)

10.5.3 Cross-layer Policy Conflicts

268

(2)

10.5.4 Traffic Engineering Flow Rules

270

(1)

10.6 Controller Decentralization Considerations

271

(5)

10.6.1 Clustered Controllers

272

(1)

10.6.2 Host-based Partitioning

272

(2)

10.6.3 Hierarchical Controllers

274

(1)

10.6.4 Application-based Partitioning

275

(1)

10.6.5 Heterogeneous Partitioning

276

(1)

10.7 Flow Rule Conflict Resolution

276

(1)

10.7.1 Conflict Severity Classification

276

(1)

10.7.1.1 Tier-1 Conflicts

276

(1)

10.7.1.2 Tier-2 Conflicts

277

(1)

10.7.1.3 Tier-3 Conflicts

277

(1)

10.8 Conflict Resolution Model

277

(4)

10.8.1 Intelligible Conflicts

277

(1)

10.8.2 Interpretative Conflicts

278

(1)

10.8.2.1 Least Privilege

278

(1)

10.8.2.2 Module Security Precedence

278

(1)

10.8.2.3 Environment Calibrated

279

(1)

10.8.2.4 Administrator Assistance

279

(1)

Summary

279

(2)

11 Intelligent Software-Defined Security

281

(22)

11.1 Intelligence in Network Security

281

(8)

11.1.1 Application of Machine Learning and AI in Security

281

(1)

11.1.2 Intelligent Cybersecurity Methods and Architectures

282

(1)

11.1.2.1 Neural Networks

282

(1)

11.1.2.2 Expert Systems

282

(1)

11.1.2.3 Intelligent Agents

283

(1)

11.1.2.4 Learning

283

(1)

11.1.2.5 Search

283

(1)

11.1.2.6 Constraint Solving

283

(1)

11.1.3 Application of AI in IDS

284

(1)

11.1.3.1 Data Reduction

284

(1)

11.1.3.2 Behavior Classification

285

(1)

11.1.4 SDN-based Intelligent Network Security Solutions

285

(1)

11.1.4.1 Topology Protection

285

(4)

11.1.4.2 SDN-based DoS Protection

289

(1)

11.2 Advanced Persistent Threats

289

(9)

11.2.1 Traditional Attacks vs. APT

290

(1)

11.2.2 APT Attack Model

290

(3)

11.2.3 APT Case Studies

293

(1)

11.2.3.1 Stuxnet

294

(1)

11.2.3.2 Hydraq

295

(1)

11.2.4 APT Detection/Mitigation

296

(1)

11.2.5 Orchestrating SDN to Disrupt APT

296

(1)

11.2.5.1 SDN-based MicroSegmentation

296

(2)

11.2.5.2 SDN-enabled Secured Service Function Chaining

298

(1)

11.3 Problems in Application of Intelligence in Cybersecurity

298

(5)

11.3.1 Outlier Detection

299

(1)

11.3.2 High Cost of Errors

299

(1)

11.3.3 Semantic Gap

300

(1)

11.3.4 Variance in Network Traffic

300

(1)

Summary

300

(3)

Bibliography

303

(20)

Index

323

Dr. Dijiang Huang received his Bachelor of Science degree in Telecommunications from Beijing University of Posts and Telecommunications, China. He received his Master of Science and PhD degrees from University of Missouri-Kansas City, majoring in Computer Science and Telecommunications. He is currently an associate professor at the School of Computing Informatics, and Decision Systems Engineering, at Arizona State University. Dijiangs research interests are in computer and network security, mobile ad hoc networks, network virtualization, and mobile cloud computing. His research is supported by federal agencies NSF, ONR, ARO, and NATO, and organizations such as Consortium of Embedded System (CES), Hewlett-Packard, and China Mobile. He is a recipient of ONR Young Investigator Award and HP Innovation Research Program (IRP) Award. He is a co-founder of Athena Network Solutions LLC (ATHENETS), and is currently leading the Secure Networking and Computing (SNAC) research group at ASU.

Ankur Chowdhary is a PhD Student at ASU. He received a B.Tech in Information Technology from GGSIPU in 2011 and MS in Computer Science from ASU in 2015. He has worked as an Information Security Researcher for Blackberry Ltd., RSG, and an Application Developer for CSC Pvt. Ltd. His research interests include SDN, Web Security, Network Security, and application of Machine Learning in field of Security.

Dr. Sandeep Pisharody received a B.S. degree in Electrical Engineering (distinction), a B.S. degree in Computer Engineering (distinction) from the University of Nebraska in 2004, and an M.S. degree in Electrical Engineering from the University of Nebraska in 2006. He completed his PhD in Computer Science (Information Assurance) from Arizona State University under the guidance of Dr. Dijiang Huang in 2017. His current research interests lie in the areas of secure cloud computing, network security, and Software-Defined Networking. Previously, Sandeep has over eight years experience in designing, building, maintaining and securing enterprise and carrier class networks, while working in various capacities for Sprint, Iveda, Apollo Education Group, Insight, University of Phoenix, and the US Government.

Software-Defined Networking and Security: From Theory to Practice [Pehme köide]

Konto & seaded

Otsing

Otsingu andmebaas

Filtreeri tulemusi

Teemad Ingliskeelsed raamatud

Vali ostukorv