Catching Up on All Things Faucet

Vishal S.
Cyber Reboot


In collaboration with Charlie Lewis and Josh Bailey

A few of us at IQT Labs attended FaucetCon 2019 in late October. In this post we will cover some of the more recent developments coming out of the Faucet community and share the interesting work Cyber Reboot has contributed towards deployable SDN through our own project work.

Faucet is an OpenFlow SDN controller that moves network control functions into server-based software, as opposed to the traditional on-board firmware of a router or switch. As a result, network control functions are easier to test and manage in an OpenFlow environment. Currently Faucet supports the OpenFlow 1.3 standard and you can find the code here.

At FaucetCon this year, we had a chance to hear about how various organizations are starting to leverage Faucet’s capabilities as they transition their traditional networks into SDNs. We heard from national labs, ISPs, university research groups, and various large commercial entities who all shared how they have adopted Faucet into their networks to take advantage of SDN efficiencies. We learned that Sandia National Lab has a research team that has successfully installed and configured Faucet on a lab network. Their test network spans 300 physical interfaces with four switches running Faucet on a stacked L3 routing architecture. Their initial findings indicate that the network is significantly more stable, efficient, and easily reconfigurable than their traditional corporate network. We were also excited to hear that Sandia will be starting to install and test Poseidon in the coming months. More to come on that later!

During the conference, CyberReboot had a chance to showcase how our Poseidon code works in conjunction with Faucet to help network operators learn what devices are on their networks and whether those devices are behaving as expected. During a live demonstration we built an SDN network using Faucet, installed Poseidon, and illustrated how events in Faucet and Poseidon work together to better inform and enable network operators. We attached 2 Raspberry Pi devices to our newly created network to generate network traffic and then set up rules for automated network access control lists. By combining Faucet and Poseidon, we were finally able to show on screen that devices on the network were being classified (properly!) based on the network traffic they were sending and receiving. Furthermore, ACLs were automatically (and properly!) being applied based on these classifications. You can learn more about Poseidon here and here. Poseidon code can be found here.

Photo by Aziz Acharki on Unsplash

Diagnosis: Planned Deception

Faucet enables developers to easily and selectively override industry standard L2 switching behavior, without requiring a new language like P4, while remaining compatible with non-SDN L2 switches (necessary for incremental deployment). For example, a developer might want to transparently intercept a TCP service (such as SSH) transiting a switch — perhaps simply to observe it, but perhaps also to proxy it for deception purposes, in order to better understand a cyber attacker’s movement and methods without letting the attacker find out that the jig is up. Without SDN such transparent proxying would require an additional appliance to be installed in the network itself, and the network would have to be arranged to cause traffic of interest to flow through it.

With SDN the transparent proxy can be built into every switch in the network. Faucet calls this “coprocessing” — Faucet can cause traffic to be diverted to a coprocessor appliance, and that appliance can inject arbitrary traffic back into the network at any point. In addition, an application like Poseidon (which can already command Faucet) could command coprocessors to selectively change the network’s behavior (for example, intentionally degrading a given host’s connectivity when abnormal activity is detected, or even causing a fake service to appear in the network to confuse an attacker).
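As an added illustration (not configuration from the original post or from the Faucet project), the `faucet.yaml` sketch below diverts SSH arriving on one access port to a coprocessor port. The switch name, VLAN, port numbers and ACL name are assumptions chosen for the example.

```yaml
# Constructed example: divert SSH seen on port 1 to an appliance on port 3.
vlans:
  office:
    vid: 100

acls:
  ssh-to-coprocessor:
    - rule:
        dl_type: 0x800        # IPv4
        ip_proto: 6           # TCP
        tcp_dst: 22           # SSH
        actions:
          # allow: 0 hands the frame only to the appliance (proxy mode).
          # Setting allow: 1 would also forward it normally (observe mode).
          allow: 0
          output:
            port: 3
    - rule:
        # Everything else keeps standard L2 switching behavior.
        actions:
          allow: 1

dps:
  sw1:                        # hypothetical switch name
    dp_id: 0x1
    hardware: "Open vSwitch"
    interfaces:
      1:
        name: "host-a"
        native_vlan: office
        acls_in: [ssh-to-coprocessor]
      2:
        name: "host-b"
        native_vlan: office
      3:
        name: "coprocessor"
        # Coprocessor port: with the vlan_vid strategy, the VLAN ID on a
        # frame sent back by the appliance selects the port it is injected on.
        coprocessor:
          strategy: vlan_vid
```

Because the ACL is bound with `acls_in` on a single interface, only traffic entering on that port is diverted; attaching the same ACL to other access ports extends the intercept without adding an inline appliance.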

Photo by Franki Chamaki on Unsplash

The Case for Network Data

At FaucetCon, we previewed an upcoming project here at Cyber Reboot which aims to create a large, open source corpus of network traffic data. Currently, Poseidon device classification models are limited in their understanding of various network devices and of abnormal network behavior. Allowing these models to generalize across different and varied networks requires diverse, real-world network traffic training data. One cannot have good data science without first having good data, and in the network security domain we have neither. We assert that by providing valuable analytics in an easy-to-use, give-to-get service online, we can start addressing this issue and build out a network traffic dataset suited for exploring machine learning techniques that have already advanced other domains.

CyberReboot will be exploring these ideas, and others, in the coming months, so stay tuned!

Learn more at http://www.cyberreboot.org/ and follow us on Twitter: @_cyberreboot
