HPE Network Protector SDN Application Part 5 - Demo OpenFlow table interception flows

Key Takeaways

now this is the HP van sdn controller that the network protector application is installed on so notice here the application is active on the sdn controller and when I go and look at OpenFlow monitor I can see some switches in my network that have registered with this controller including as an example this 3500 series switch and this 3800 series switch in this demonstration I will showing you the output on this user machine connected to a 3500 now the reason I've chosen a 3500 is it's a really old switch but HP have updated the firmware or software of that switch to support OpenFlow and if you want to test this with physical switches a 3500 switch isn't that expensive on eBay these days so there's the 3500 while I can look at ports there's some ports on the one of the ports is being blocked by spanning tree but if I go and look at flows what you'll notice here is DNS traffic Port 53 is being forwarded to the controller so notice we've had some matches on this DNS entry this flow entry is put into Hardware on the switch in other words OpenFlow table 100 it's matching IP version for UDP Port 53 traffic and is forwarding that traffic to the controller if I disable network protector and go back to the controller and I'll refresh the page you'll notice that DNS traffic is no longer being intercepted by The Switch I'll go back to network protector enable the network protector service refresh the flow entries on the switch and notice now we have these entries intercepting DNS traffic hence when a user tries to go to malicious website the traffic is intercepted here's another user in this topology it's a user connected to this switch but their traffic is going to be intercepted by this 5400 switch OpenFlow is not enabled on this 5500 series switch but it is enabled on this 546 so flow entry is going to be written there on the core switch to intercept traffic from this host so when the host sends traffic it's going to go across the network hit to the switch and be intercepted so hp.com that works facebook.com Chrome is complaining because the traffic is being intercepted notice here Internet Explorer traffic is forwarded if we go to any home.can Doom traffic is blocked Network protector allows you to create different policies for different users and block certain users from accessing certain websites so as an example going back to my previous user user if I try and go to Facebook again the user is redirected to hp.com but on this user they're allowed to go to facebook.com you can create different policies and stop some users going to certain websites that you decide that you don't want them to go to during working hours let's say but you could allow other users to go to Facebook or other social websites during working hours in this case militia websites like anyhome doca and how to do it man are blocked because in the network protector database if we do a search in the database for one of those malicious websites so anyome doca and I'll check all the databases this website has a reputation score of 90 by default anything above 79 is blocked how to doit man.com do a search it's got a reputation score of 100 so it's a malware website it's also going to be blocked facebook.com is put into what's called a gry list in this example so what was done here is we're blocking certain users from going to that website but we're not going to log their actions when we create what's called a blacklist users can't go to that website at all a blacklist will block them but also log in the dashboard as an example any attempts to go to that website a gry list attempt will not be logged