Automated Network Security with Exceptions Using Sdn

University of Kentucky
UKnowledge
Theses and Dissertations--Computer Science
Computer Science
2019

AUTOMATED NETWORK SECURITY WITH EXCEPTIONS USING SDN
Sergio A. Rivera Polanco, University of Kentucky, [email protected]
Digital Object Identifier: https://doi.org/10.13023/etd.2019.342

Recommended Citation
Rivera Polanco, Sergio A., "AUTOMATED NETWORK SECURITY WITH EXCEPTIONS USING SDN" (2019). Theses and Dissertations--Computer Science. 87. https://uknowledge.uky.edu/cs_etds/87

This Doctoral Dissertation is brought to you for free and open access by the Computer Science at UKnowledge. It has been accepted for inclusion in Theses and Dissertations--Computer Science by an authorized administrator of UKnowledge. For more information, please contact [email protected].

STUDENT AGREEMENT:

I represent that my thesis or dissertation and abstract are my original work. Proper attribution has been given to all outside sources. I understand that I am solely responsible for obtaining any needed copyright permissions. I have obtained needed written permission statement(s) from the owner(s) of each third-party copyrighted matter to be included in my work, allowing electronic distribution (if such use is not permitted by the fair use doctrine) which will be submitted to UKnowledge as Additional File.

I hereby grant to The University of Kentucky and its agents the irrevocable, non-exclusive, and royalty-free license to archive and make accessible my work in whole or in part in all forms of media, now or hereafter known. I agree that the document mentioned above may be made available immediately for worldwide access unless an embargo applies.

I retain all other ownership rights to the copyright of my work. I also retain the right to use in future works (such as articles or books) all or part of my work. I understand that I am free to register the copyright to my work.

REVIEW, APPROVAL AND ACCEPTANCE

The document mentioned above has been reviewed and accepted by the student's advisor, on behalf of the advisory committee, and by the Director of Graduate Studies (DGS), on behalf of the program; we verify that this is the final, approved version of the student's thesis including all changes required by the advisory committee. The undersigned agree to abide by the statements above.

Sergio A. Rivera Polanco, Student
Dr. Zongming Fei, Major Professor
Dr. Miroslaw Truszczynski, Director of Graduate Studies

AUTOMATED NETWORK SECURITY WITH EXCEPTIONS USING SDN

DISSERTATION

A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy in the College of Engineering at the University of Kentucky

By
Sergio A. Rivera Polanco
Lexington, Kentucky

Co-Directors: Dr. Zongming Fei, Professor of Computer Science
and Dr. James Griffioen, Professor of Computer Science
Lexington, Kentucky
2019

Copyright © Sergio A. Rivera Polanco 2019

ABSTRACT OF DISSERTATION

AUTOMATED NETWORK SECURITY WITH EXCEPTIONS USING SDN

Campus networks have recently experienced a proliferation of devices ranging from personal use devices (e.g. smartphones, laptops, tablets), to special-purpose network equipment (e.g. firewalls, network address translation boxes, network caches, load balancers, virtual private network servers, and authentication servers), as well as special-purpose systems (badge readers, IP phones, cameras, location trackers, etc.). To establish directives and regulations regarding the ways in which these heterogeneous systems are allowed to interact with each other and the network infrastructure, organizations typically appoint policy writing committees (PWCs) to create acceptable use policy (AUP) documents describing the rules and behavioral guidelines that all campus network interactions must abide by.

While users are the audience for AUP documents produced by an organization's PWC, network administrators are the responsible party enforcing the contents of such policies using low-level CLI instructions and configuration files that are typically difficult to understand and almost impossible to prove that they do, in fact, enforce the AUPs. In other words, mapping the contents of imprecise unstructured sentences into technical configurations is a challenging task that relies on the interpretation and expertise of the network operator carrying out the policy enforcement. Moreover, there are multiple places where policy enforcement can take place. For example, policies governing servers (e.g. web, mail, and file servers) are often encoded into the server's configuration files. However, from a security perspective, conflating policy enforcement with server configuration is a dangerous practice because minor server misconfigurations could open up avenues for security exploits. On the other hand, policies that are enforced in the network tend to rarely change over time and are often based on one-size-fits-all policies that can severely limit the fast-paced dynamics of emerging research workflows found in campus networks.

This dissertation addresses the above problems by leveraging recent advances in Software-Defined Networking (SDN) to support systems that enable novel in-network approaches developed to support an organization's network security policies. Namely, we introduce PoLanCO, a human-readable yet technically-precise policy language that serves as a middle-ground between the imprecise statements found in AUPs and the technical low-level mechanisms used to implement them. Real-world examples show that PoLanCO is capable of implementing a wide range of policies found in campus networks. In addition, we also present the concept of Network Security Caps, an enforcement layer that separates server/device functionality from policy enforcement. A Network Security Cap intercepts packets coming from, and going to, servers and ensures policy compliance before allowing network devices to process packets using the traditional forwarding mechanisms. Lastly, we propose the on-demand security exceptions model to cope with the dynamics of emerging research workflows that are not suited for a one-size-fits-all security approach. In the proposed model, network users and providers establish trust relationships that can be used to temporarily bypass the policy compliance checks applied to general-purpose traffic (typically by network appliances that perform Deep Packet Inspection, thereby creating network bottlenecks). We describe the components of a prototype exception system as well as experiments showing that through short-lived exceptions researchers can realize significant improvements for their special-purpose traffic.

KEYWORDS: Software-Defined Networking, Network Security, Policy Enforcement, Security Exceptions

Student's signature: Sergio A. Rivera Polanco
Date: August 1, 2019

AUTOMATED NETWORK SECURITY WITH EXCEPTIONS USING SDN

By
Sergio A. Rivera Polanco

Co-Director of Dissertation: Zongming Fei
Co-Director of Dissertation: James Griffioen
Director of Graduate Studies: Miroslaw Truszczynski
Date: August 1, 2019

To my wife Vera, my baby girl Valeria, my parents, and siblings for being my constant support and inspiration throughout these years...

ACKNOWLEDGMENTS

There are several people that I would like to thank for making the completion of this dissertation possible. I would like to thank my advisor, Dr. Zongming Fei, for giving me the opportunity to pursue my doctoral degree under his guidance. Inviting me as a guest lecturer, providing me with several recommendation letters, and nominating me for student awards made a significant contribution towards my professional career. Next, I would like to thank Dr. James Griffioen for agreeing to serve as a co-chair on my committee. During all these years, Prof. Griffioen has been encouraging and very supportive, constantly providing me with thorough feedback on all of my publications, including this dissertation, and helping me notably improve my presentation skills. I would also like to thank Dr. Jane Hayes, Dr. Hank Dietz, and Dr. Daniela Moga, who all immediately responded to my request to become members of the doctoral committee at a late stage of my research and yet provided very valuable feedback on my work.

I gratefully acknowledge all my colleagues from the different projects in which I was involved for fostering design and implementation discussions, provisioning the adequate infrastructure to deploy system prototypes, and sharing their insights on the systems presented in this dissertation. Especially, members of the Laboratory for Advanced Networking, the Research Computing group, and the Center for Computational Sciences at the University of Kentucky (Mami, Song, Jacob, Charles, Lowell, Bhushan, Pinyi, Satrio, and Nasir), and collaborators of the NetSecOps project from the University of Utah (Prof. Kobus Van der Merwe and Joe Breen). Thanks are also due to the National Science Foundation (under grants ACI-1541380, ACI-1541426, ACI-1642134, and CNS-1346688 subcontracts 1925 and 1928) for providing financial support and funding the research. I am also grateful to the UK Graduate School, especially Dr. Morris Grubbs, Chad Gilpin, and Ashley Sorrell, for organizing dissertation writing camps; the quiet and supportive environment helped me concentrate on my writing. My personal thanks to my uncle Alvaro and his wife Yolanda who helped me during the application process to the Computer Science program and who kindly opened their home to me during several months of my first year
