Join David Bombal for an in-depth discussion in this video, Demo: OpenFlow tables: Interception flows, part of Practical Software-Defined Networking: 4 SDN and OpenFlow Applications.
- [Instructor] Now, this is the HP VAN SDN Controller that the Network Protector application is installed on. So notice here, the application is active on the SDN controller, and when I go and look at OpenFlow Monitor, I can see some switches in my network that have registered with this controller, including, as an example, this 3500 series switch and this 3800 series switch. In this demonstration, I was showing you the output on this user machine connected to a 3500.
Now, the reason I've chosen a 3500 is that it's a really old switch whose firmware, or software, HP have updated to support OpenFlow, and if you want to test this with physical switches, a 3500 switch isn't that expensive on eBay these days. So, there's the 3500yl. I can look at ports. There's some ports on the switch. One of the ports is being blocked by spanning tree, but if I go and look at flows, what you'll notice here is DNS traffic, port 53, is being forwarded to the controller.
So notice we have had some matches on this DNS entry. This flow entry is put into hardware on this switch. In other words, OpenFlow table 100 is matching IP version four, UDP port 53 traffic, and is forwarding that traffic to the controller. If I disable Network Protector, go back to the controller, and refresh the page, you'll notice that DNS traffic is no longer being intercepted by the switch.
I'll go back to Network Protector, enable the Network Protector service, refresh the flow entries on the switch, and notice now, we have these entries intercepting DNS traffic. Hence, when a user tries to go to a malicious website, the traffic is intercepted. Here's another user. In this topology, it's a user connected to the switch, but their traffic is gonna be intercepted by this 5400 switch.
OpenFlow's not enabled on this 5500 series switch, but it is enabled on this 5406, so a flow entry's gonna be written there, on the core switch, to intercept traffic from this host. So when the host sends traffic, it's gonna go across the network, head to the switch, and be intercepted. So, HP.com. That works. Facebook.com. Chrome is complaining because the traffic is being intercepted.
Notice here, in Internet Explorer, traffic is forwarded. If we go to anyhome.ca, traffic is blocked, and howtodoitman.com, traffic is blocked. Network Protector allows you to create different policies for different users and block certain users from accessing certain websites. So as an example, going back to my previous user, if I try and go to Facebook again, the user is redirected to HP.com.
But on this user, they're allowed to go to Facebook.com. You can create different policies and stop some users going to certain websites that you decide you don't want them to go to during working hours, let's say, but you could allow other users to go to Facebook or other social websites during working hours. In this case, malicious websites like anyhome.ca and howtodoitman.com are blocked because of the Network Protector database: if we do a search in the database for one of those malicious websites, anyhome.ca, and check all the databases, this website has a reputation score of 90.
By default, anything above 79 is blocked. Howtodoitman.com, do a search. It's got a reputation score of 100, so it's a malware website. It's also gonna be blocked. Facebook.com is put into what's called a greylist in this example, so what was done here is we're blocking certain users from going to that website, but we're not going to log their actions.
When we create what's called a blacklist, users can't go to that website at all. A blacklist will block them, but also log in the dashboard, as an example, any attempts to go to that website. A greylist attempt will not be logged.
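The two halves of what the demo shows, as an added example that is not code from the course or from HPE Network Protector: a switch-side flow table whose table-100 entry matches IPv4/UDP/destination-port-53 and punts only that traffic to the controller, and a controller-side policy that applies the reputation threshold (score above 79 blocked), a blacklist (block and log to the dashboard) and a per-user greylist (block without logging, here by redirecting). The scores for anyhome.ca (90) and howtodoitman.com (100), the redirect to hp.com and the greylisting of facebook.com for one user are taken from the transcript; the user names, IP addresses, the table-miss default of normal forwarding and the suffix matching of parent domains (so www.anyhome.ca inherits anyhome.ca's score) are my assumptions.

```python
"""Toy model of OpenFlow DNS interception plus a reputation/greylist policy.
Constructed data; not HPE Network Protector code."""

from dataclasses import dataclass, field

ETH_IPV4 = 0x0800
IPPROTO_UDP = 17
DNS_PORT = 53
BLOCK_THRESHOLD = 79          # "by default, anything above 79 is blocked"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    ethertype: int
    ip_proto: int
    dst_port: int
    qname: str = ""           # DNS question name when the packet is a query


@dataclass
class FlowEntry:
    table: int
    priority: int
    match: dict               # packet field -> required value
    action: str               # "CONTROLLER" or "NORMAL"
    n_packets: int = 0        # match counter, like the one shown in the flow view

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, k) == v for k, v in self.match.items())


class FlowTable:
    """Highest-priority matching entry wins; a table miss forwards normally
    (assumed default: the demo shows non-DNS traffic unaffected)."""

    def __init__(self, entries):
        self.entries = sorted(entries, key=lambda e: -e.priority)

    def lookup(self, pkt: Packet) -> str:
        for e in self.entries:
            if e.matches(pkt):
                e.n_packets += 1
                return e.action
        return "NORMAL"


def dns_interception_table() -> FlowTable:
    # The entry Network Protector installs: IPv4 + UDP + dst port 53 -> controller.
    return FlowTable([FlowEntry(table=100, priority=100,
                                match={"ethertype": ETH_IPV4,
                                       "ip_proto": IPPROTO_UDP,
                                       "dst_port": DNS_PORT},
                                action="CONTROLLER")])


@dataclass
class Policy:
    reputation: dict          # domain -> score (constructed)
    blacklist: set            # always blocked, and logged
    greylist: dict            # user -> domains blocked for that user, not logged
    redirect_to: str = "hp.com"
    dashboard_log: list = field(default_factory=list)

    @staticmethod
    def suffixes(name: str) -> list:
        # "www.anyhome.ca" -> ["www.anyhome.ca", "anyhome.ca"] (assumed matching rule)
        labels = name.lower().rstrip(".").split(".")
        return [".".join(labels[i:]) for i in range(len(labels) - 1)]

    def decide(self, user: str, qname: str) -> str:
        for dom in self.suffixes(qname):
            if dom in self.blacklist or self.reputation.get(dom, 0) > BLOCK_THRESHOLD:
                self.dashboard_log.append((user, qname, dom))   # blacklist hits are logged
                return "BLOCK"
        for dom in self.suffixes(qname):
            if dom in self.greylist.get(user, set()):
                return f"REDIRECT:{self.redirect_to}"          # greylist: blocked, not logged
        return "ALLOW"


def handle(table: FlowTable, policy: Policy, user_by_ip: dict, pkt: Packet) -> str:
    """One packet's fate: switched in hardware, or punted to the controller and policed."""
    if table.lookup(pkt) != "CONTROLLER":
        return "FORWARD"
    return policy.decide(user_by_ip.get(pkt.src_ip, "unknown"), pkt.qname)


def demo_policy() -> Policy:
    return Policy(reputation={"anyhome.ca": 90, "howtodoitman.com": 100, "hp.com": 0},
                  blacklist=set(),
                  greylist={"alice": {"facebook.com"}})   # alice is greylisted, bob is not


if __name__ == "__main__":
    table, policy = dns_interception_table(), demo_policy()
    users = {"10.0.0.11": "alice", "10.0.0.12": "bob"}     # constructed hosts
    for ip, name in [("10.0.0.11", "facebook.com"), ("10.0.0.12", "facebook.com"),
                     ("10.0.0.11", "www.anyhome.ca"), ("10.0.0.12", "howtodoitman.com")]:
        pkt = Packet(ip, ETH_IPV4, IPPROTO_UDP, DNS_PORT, name)
        print(f"{users[ip]:5s} {name:18s} -> {handle(table, policy, users, pkt)}")
    print("https                    ->", handle(table, policy, users, Packet("10.0.0.11", ETH_IPV4, 6, 443)))
    print("dashboard log:", policy.dashboard_log)
```

The point the model makes explicit is the split of work: the switch only knows "UDP/53 goes to the controller" and its match counter climbs for every DNS query, while the per-user decision, the threshold and the log-or-not distinction between blacklist and greylist all live in the controller application. Disabling the application removes the flow entry, and DNS is switched like any other traffic.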