
E-book: Software-Defined Networking and Security: From Theory to Practice

(Arizona State University, Tempe, USA), (Arizona State University), (Arizona State University)
  • Format - EPUB+DRM
  • Price: 59,79 €*
  • * the price is final, i.e. no further discounts apply
  • This e-book is intended for personal use only. E-books cannot be returned.

DRM restrictions

  • Copying (copy/paste):

    not allowed

  • Printing:

    not allowed

  • Usage:

    Digital rights management (DRM)
    The publisher has issued this e-book in encrypted form, which means that you must install special software to read it. You must also create an Adobe ID. The e-book can be read by 1 user and downloaded to up to 6 devices (all authorized with the same Adobe ID).

    Required software
    To read on mobile devices (phone or tablet), you must install this free application: PocketBook Reader (iOS / Android)

    To read on a PC or Mac, you must install Adobe Digital Editions (a free application designed specifically for reading e-books. It should not be confused with Adobe Reader, which is probably already installed on your computer)

    This e-book cannot be read on an Amazon Kindle.

This book provides readers insights into cyber maneuvering or adaptive and intelligent cyber defense. It describes the required models and security supporting functions that enable the analysis of potential threats, detection of attacks, and implementation of countermeasures while expending attacker resources and preserving user experience. This book not only presents significant education-oriented content, but uses advanced content to reveal a blueprint for helping network security professionals design and implement a secure Software-Defined Infrastructure (SDI) for cloud networking environments. These solutions are a less intrusive alternative to security countermeasures taken at the host level and offer centralized control of the distributed network.

The concepts, techniques, and strategies discussed in this book are ideal for students, educators, and security practitioners looking for a clear and concise text to avant-garde cyber security installations or simply to use as a reference.

Hands-on labs and lecture slides are located at http://virtualnetworksecurity.thothlab.com/.

Features

  • Discusses virtual network security concepts
  • Considers proactive security using moving target defense
  • Reviews attack representation models based on attack graphs and attack trees
  • Examines service function chaining in virtual networks with security considerations
  • Recognizes machine learning and AI in network security

Preface
Acknowledgments
About the Authors
Part I Foundations of Virtual Networking and Security
1 Introduction of Computer Networks
1.1 Foundations of Computer Networks
1.1.1 Protocol Layers
1.1.2 Networking Services and Packet Encapsulation
1.2 Addresses
1.2.1 MAC Address
1.2.2 IP Address (IPv4)
1.2.2.1 Classless Inter-Domain Routing
1.2.2.2 Private IPs
1.2.3 IP Address (IPv6)
1.2.3.1 Address Representation
1.2.3.2 Address Uniqueness
1.2.3.3 Link-local Address
1.2.3.4 Global Addressing
1.2.4 Port Number
1.3 Physical, Logical, and Overlay Networks
1.3.1 Physical Networks
1.3.2 Logical Networks
1.3.3 Overlay Networks
1.4 Computer Networking Services
1.4.1 Address Resolution Protocol
1.4.2 Dynamic Host Configuration Protocol
1.4.3 Domain Name System
1.4.4 Network Address Translation
1.4.4.1 What is NAT
1.4.4.2 PREROUTING and POSTROUTING
1.4.4.3 Netfilter and NAT
1.4.5 iptables
1.4.5.1 Tables in iptables
1.4.5.2 Chains in iptables
1.4.5.3 Targets in iptables' Chains
1.5 IP Network Routing
Summary
2 Virtual Networking
2.1 Virtual Networks
2.1.1 Basis of Virtual Networks
2.1.2 Abstraction vs. Virtualization
2.1.3 Benefits of Virtualizing Networks
2.1.4 Orchestration and Management of Virtual Networks
2.1.5 Virtual Networking Embedding Problems
2.1.5.1 VNE Problem Description
2.1.5.2 VNE Formal Definition
2.2 Layer-2 Virtual Networking
2.2.1 Linux Bridge
2.2.1.1 Data Structures of Linux Bridge
2.2.1.2 Linux Bridge Configuration
2.2.1.3 Linux Bridge Frame Processing
2.2.1.4 Use Cases of Linux Bridge
2.2.2 Open Virtual Switches
2.2.2.1 Linux Bridge vs. Open Virtual Switch
2.2.2.2 Open Virtual Switch Supporting Features
2.2.2.3 Open Virtual Switch Internal Modules
2.2.2.4 Packet Processing in OVS
2.3 Tunneling Protocols and Virtual Private Networks
2.3.1 VLAN
2.3.1.1 Types of VLANs
2.3.1.2 IEEE 802.1Q
2.3.2 Virtual Extensible LAN
2.3.2.1 VXLAN Design Requirements and Challenges
2.3.2.2 VXLAN Frame
2.3.3 Generic Routing Encapsulation
2.3.3.1 GRE Header
2.3.3.2 GRE Packet Flow
2.4 Virtual Routing and Forwarding
Summary
3 SDN and NFV
3.1 Introduction
3.2 Network Functions Virtualization
3.2.1 Background and Motivation behind NFV
3.2.2 NFV Framework
3.2.3 Benefits and Challenges of NFV
3.2.4 OPNFV
3.2.5 OpenStack
3.3 Software-Defined Networks
3.3.1 Benefits and Challenges of SDN
3.3.2 Background
3.3.3 SDN Control Plane
3.3.4 SDN Data Plane
3.3.5 OpenFlow
3.3.6 SDN Controllers
3.3.7 Open Virtual Switch
3.3.8 Routing in SDN
3.3.8.1 RCP: Routing Control Platform
3.3.8.2 The SoftRouter
3.3.8.3 RF IP Routing: IP Routing Services over RouteFlow-based SDN
3.3.8.4 VRS: Virtual Routers as a Service
3.3.8.5 RFCP: RouteFlow Routing Control Platform over SDN
3.3.8.6 RaaS: Routing as a Service
3.3.8.7 CAR-Cloud Assisted Routing
3.3.9 OpenDaylight
3.3.10 Distributed SDN Environments
3.3.11 Distributed SDN Controller Considerations
3.3.12 Challenges in Multiple-Controller Domain
3.4 Advanced Topic: Deep Programmability
3.4.1 P4 Forwarding Model
3.4.2 P4 Programming Language
3.4.3 Protocol Independent Switch Architecture
Summary
4 Network Security Preliminaries
4.1 Basic Concepts of Computer Network Security
4.1.1 Threat, Risk, and Attack
4.1.2 Defense In Depth
4.1.3 Cyber Killer Chain
4.2 Network Reconnaissance
4.2.1 Network Mapping
4.2.2 Port Scanning
4.2.3 Vulnerability Scanning and Penetration Testing
4.3 Preventive Techniques
4.3.1 Firewalls
4.3.2 Intrusion Prevention
4.4 Detection and Monitoring
4.4.1 Intrusion Detection
4.4.2 Logging
4.5 Network Security Assessment
Summary
5 SDN and NFV Security
5.1 Introduction
5.1.1 An Overview of Security Challenges in NFV
5.1.1.1 NFV Threat Vectors
5.1.1.2 NFV Security Goals
5.2 NFV Security
5.2.1 NFV Security Classification
5.2.1.1 Intra-VNF Security
5.2.1.2 Extra-VNF Security
5.2.2 NFV Security Lifecycle
5.2.3 Use Case: DNS Amplification Attack
5.2.4 NFV Security Countermeasures
5.2.4.1 Topology Verification and Enforcement
5.2.4.2 Securing the Virtualization Platform
5.2.4.3 Network and I/O Partitioning
5.2.4.4 Authentication, Authorization, and Accounting
5.2.4.5 Dynamic State Management, and Integrity Protection
5.3 SDN Security
5.3.1 SDN Security Classification
5.3.1.1 SDN Security Threat Vectors
5.3.2 Design of Secure and Dependable SDN Platform
5.3.3 SDN Data Plane Attacks and Countermeasures
5.3.3.1 SDN Data Plane Attacks
5.3.3.2 SDN Data Plane Attack Countermeasures
5.3.4 SDN-Specific Security Challenges
5.3.4.1 Programmability
5.3.4.2 Integration with Legacy Protocols
5.3.4.3 Cross-Domain Connection
5.3.5 OpenFlow Protocol and OpenFlow Switch Security Analysis
5.3.5.1 Attack Model
5.3.5.2 Protocol-Specific Analysis
Summary
Part II Advanced Topics on Software-Defined and Virtual Network Security
6 Microsegmentation
6.1 From Firewall to Microsegmentation
6.2 Distributed Firewalls
6.2.1 Issues of Conventional Firewalls
6.2.2 Introduction of Distributed Firewalls
6.2.3 Implementation of Distributed Firewalls
6.3 Microsegmentation
6.3.1 Design Microsegmentation and Considerations
6.3.1.1 Software-Defined and Programmability
6.3.1.2 Fine-Grained Data Flow Control and Policy Management
6.3.1.3 Applying Network Analytic Models to Understand Data Traffic Pattern
6.3.1.4 Zero Trust Zones
6.3.1.5 Tools for Supporting Legacy Networks
6.3.1.6 Leveraging Cloud-Based Resource Management and Support
6.3.2 MicroSegmentation Defined
6.3.3 NIST Cybersecurity Recommendations for Protecting Virtualized Workloads
6.4 Case Study: VMware NSX Microsegmentation
6.4.1 Isolation
6.4.2 Segmentation
6.4.3 Security Service Function Chaining
6.4.4 Network and Guest Introspection
6.4.5 Security Service Abstraction
6.4.5.1 Service Composer
6.4.5.2 Grouping
6.4.5.3 Intelligent Grouping
6.4.5.4 Security Tag
Summary
7 Moving Target Defense
7.1 Introduction
7.2 MTD Classification
7.2.1 Security Modeling-based MTD
7.2.1.1 Shuffle
7.2.1.2 Diversification
7.2.1.3 Redundancy
7.2.2 Implementation Layer-based MTD
7.2.2.1 Network Level MTD
7.2.2.2 Host Level MTD
7.2.2.3 Application Level MTD
7.3 SDN-based MTD
7.3.1 Network Mapping and Reconnaissance Protection
7.3.1.1 Service Version and OS Hiding
7.3.2 OpenFlow Random Host Mutation
7.3.3 Frequency Minimal MTD Using SDN
7.3.4 SDN-based Scalable MTD in Cloud
7.4 Game Theoretic MTD Models
7.4.1 Game Theoretic Approach to IP Randomization
7.4.2 Game Theoretic Approach to Feedback Driven Multi-Stage MTD
7.4.3 Game Theory-based Software Diversity
7.4.4 Markov Game-based MTD
7.4.4.1 IP Hopping Using Markov Game Modeling
7.4.4.2 Winning Strategy for Adversary
7.5 Evaluation of MTD
7.5.1 Quantitative Metrics for MTD Evaluation
7.5.2 MTD Analysis and Evaluation Framework
Summary
8 Attack Representation
8.1 Introduction
8.1.1 Cybersecurity Metrics
8.1.2 Common Vulnerability Scoring System (CVSS)
8.1.3 CVSS Use Case
8.1.4 Attack Scenario Analysis
8.1.5 Qualitative and Quantitative Metrics
8.2 Attack Graph
8.2.1 Probabilistic Attack Graphs
8.2.2 Risk Mitigation Using Probability Metrics
8.2.3 Attack Graph Ranking
8.3 Attack Tree
8.4 Attack Countermeasure Tree
8.4.1 ACT Qualitative and Quantitative Analysis
8.5 Other Attack Representation Models
8.5.1 Fault Tree
8.5.2 Event Tree
8.5.3 Hierarchical Attack Representation Model
8.6 Limitations of Attack Representation Methods
Summary
9 Service Function Chaining
9.1 Introduction
9.2 SFC Concepts
9.2.1 Challenges in SFC
9.3 SDN- and NFV-based SFC
9.3.1 SDN as an Enabler of SFC
9.4 SFC Implementations
9.4.1 T-Nova: SDN-NFV-based SFC
9.4.2 Tacker: OpenStack-based SFC
9.5 Policy-Aware SFC
9.5.1 PGA: Graph-based Policy Expression and Reconciliation
9.5.1.1 Policy Composition Example
9.5.2 Group-based Policy
9.6 Secure Service Function Chaining
9.6.1 Secure In Cloud Chaining
9.6.2 SFC Using Network Security Defense Patterns
Summary
10 Security Policy Management in Distributed SDN Environments
10.1 Background
10.2 Related Work
10.2.1 Firewall Rule Conflicts
10.2.2 SDN Security and SDN Policy Management
10.3 Flow Rules
10.3.1 Security Policies Using Flow Rules
10.3.2 Flow Rule Model
10.4 Flow Rule Management Challenges
10.4.1 Motivating Scenarios
10.4.1.1 Case Study 1: MTD
10.4.1.2 Case Study 2: VPN Services
10.4.1.3 Case Study 3: Load Balancing and IDS
10.5 Flow Rule Conflicts
10.5.1 Problem Setup
10.5.2 Conflict Classes
10.5.2.1 Redundancy
10.5.2.2 Shadowing
10.5.2.3 Generalization
10.5.2.4 Correlation
10.5.2.5 Overlap
10.5.2.6 Imbrication
10.5.3 Cross-layer Policy Conflicts
10.5.4 Traffic Engineering Flow Rules
10.6 Controller Decentralization Considerations
10.6.1 Clustered Controllers
10.6.2 Host-based Partitioning
10.6.3 Hierarchical Controllers
10.6.4 Application-based Partitioning
10.6.5 Heterogeneous Partitioning
10.7 Flow Rule Conflict Resolution
10.7.1 Conflict Severity Classification
10.7.1.1 Tier-1 Conflicts
10.7.1.2 Tier-2 Conflicts
10.7.1.3 Tier-3 Conflicts
10.8 Conflict Resolution Model
10.8.1 Intelligible Conflicts
10.8.2 Interpretative Conflicts
10.8.2.1 Least Privilege
10.8.2.2 Module Security Precedence
10.8.2.3 Environment Calibrated
10.8.2.4 Administrator Assistance
Summary
11 Intelligent Software-Defined Security
11.1 Intelligence in Network Security
11.1.1 Application of Machine Learning and AI in Security
11.1.2 Intelligent Cybersecurity Methods and Architectures
11.1.2.1 Neural Networks
11.1.2.2 Expert Systems
11.1.2.3 Intelligent Agents
11.1.2.4 Learning
11.1.2.5 Search
11.1.2.6 Constraint Solving
11.1.3 Application of AI in IDS
11.1.3.1 Data Reduction
11.1.3.2 Behavior Classification
11.1.4 SDN-based Intelligent Network Security Solutions
11.1.4.1 Topology Protection
11.1.4.2 SDN-based DoS Protection
11.2 Advanced Persistent Threats
11.2.1 Traditional Attacks vs. APT
11.2.2 APT Attack Model
11.2.3 APT Case Studies
11.2.3.1 Stuxnet
11.2.3.2 Hydraq
11.2.4 APT Detection/Mitigation
11.2.5 Orchestrating SDN to Disrupt APT
11.2.5.1 SDN-based MicroSegmentation
11.2.5.2 SDN-enabled Secured Service Function Chaining
11.3 Problems in Application of Intelligence in Cybersecurity
11.3.1 Outlier Detection
11.3.2 High Cost of Errors
11.3.3 Semantic Gap
11.3.4 Variance in Network Traffic
Summary
Bibliography
Index

Dr. Dijiang Huang received his Bachelor of Science degree in Telecommunications from Beijing University of Posts and Telecommunications, China. He received his Master of Science and PhD degrees from University of Missouri-Kansas City, majoring in Computer Science and Telecommunications. He is currently an associate professor at the School of Computing, Informatics, and Decision Systems Engineering at Arizona State University. Dijiang's research interests are in computer and network security, mobile ad hoc networks, network virtualization, and mobile cloud computing. His research is supported by federal agencies NSF, ONR, ARO, and NATO, and organizations such as Consortium of Embedded System (CES), Hewlett-Packard, and China Mobile. He is a recipient of the ONR Young Investigator Award and the HP Innovation Research Program (IRP) Award. He is a co-founder of Athena Network Solutions LLC (ATHENETS), and is currently leading the Secure Networking and Computing (SNAC) research group at ASU.

Ankur Chowdhary is a PhD student at ASU. He received a B.Tech in Information Technology from GGSIPU in 2011 and an MS in Computer Science from ASU in 2015. He has worked as an Information Security Researcher for Blackberry Ltd., RSG, and an Application Developer for CSC Pvt. Ltd. His research interests include SDN, Web Security, Network Security, and the application of Machine Learning in the field of Security.

Dr. Sandeep Pisharody received a B.S. degree in Electrical Engineering (distinction), a B.S. degree in Computer Engineering (distinction) from the University of Nebraska in 2004, and an M.S. degree in Electrical Engineering from the University of Nebraska in 2006. He completed his PhD in Computer Science (Information Assurance) at Arizona State University under the guidance of Dr. Dijiang Huang in 2017. His current research interests lie in the areas of secure cloud computing, network security, and Software-Defined Networking. Previously, Sandeep gained over eight years' experience in designing, building, maintaining and securing enterprise and carrier class networks, while working in various capacities for Sprint, Iveda, Apollo Education Group, Insight, University of Phoenix, and the US Government.