OpenFlow-enabled dynamic DMZ for local networks

dc.contributor.author: Wu, Haotian
dc.date.accessioned: 2017-11-16T22:36:15Z
dc.date.available: 2017-11-16T22:36:15Z
dc.date.graduationmonth: December
dc.date.issued: 2017-12-01
dc.date.published: 2017
dc.description.abstract: Cybersecurity plays a vital role in today's networks. We can use security devices, such as a deep packet inspection (DPI) device, to enhance cybersecurity. However, a DPI device has limited inspection capacity, which cannot keep up with the ever-increasing volume of network traffic, and that gap is growing even larger. Therefore, inspecting every single packet with DPI is impractical. Our objective is to find a tradeoff between network security and network performance. More explicitly, we aim to maximize the utilization of security devices without decreasing network throughput. We propose two prototypes to address this issue in a demilitarized zone (DMZ) architecture. Our first prototype uses a flow-size based DMZ criterion. In a campus network, elephant flows (flows with a large data rate) are usually science data and are mostly safe. Moreover, the majority of the network bandwidth is consumed by elephant flows. Therefore, we propose a DMZ prototype in which elephant flows are inspected for a few seconds and then allowed to bypass DPI inspection as long as they are identified as safe flows; they can be periodically re-inspected to ensure they remain safe. Our second prototype is a congestion-aware DMZ scheme. Instead of determining whether a flow is safe by its size, we treat all flows identically. We measure the data rates of all flows and use a global optimization algorithm to determine which flows are allowed to safely bypass a DPI. The objective is to maximize DPI utilization. Both prototypes are implemented using OpenFlow in this work, and extensive experiments are performed to test both prototypes' feasibility. The results attest that the two prototypes are effective in ensuring network security while not compromising network performance. A number of tools for configuring and testing SDN networks are also developed.
dc.description.advisor: Don M. Gruenbacher
dc.description.advisor: Caterina M. Scoglio
dc.description.degree: Doctor of Philosophy
dc.description.department: Department of Electrical and Computer Engineering
dc.description.level: Doctoral
dc.identifier.uri: http://hdl.handle.net/2097/38231
dc.language.iso: en_US
dc.publisher: Kansas State University
dc.subject: OpenFlow
dc.subject: Software-defined Networking
dc.subject: Security
dc.subject: Traffic engineering
dc.subject: Demilitarized zone
dc.subject: Local area network
dc.title: OpenFlow-enabled dynamic DMZ for local networks
dc.type: Dissertation

Files

Original bundle
Name: HaotianWu2017.pdf
Size: 4.83 MB
Format: Adobe Portable Document Format

License bundle
Name: license.txt
Size: 1.62 KB
Format: Item-specific license agreed upon to submission