1. World-Leading Research with Real-World Impact! 1
Security Challenges in
Software Defined Networks (SDN)
Lecture 18
Outline
• Market and SDN
• Conventional Networks vs. SDN
• OpenFlow-enabled SDN devices
• SDN Security Applications
• SDN Security Challenges
• Community Debate regarding Security in SDN
Market and SDN
• In 2016, the market research firm IDC predicted that the
market for SDN network applications would reach
US$3.5 billion by 2020.
• Leading IT companies such as Nokia, Cisco, Dell, HP,
Juniper, IBM, and VMware have developed their own
SDN strategies.
• In 2015, AT&T reduced provisioning cycle by 95% with
SDN.
Marc C. Dacier, Hartmut Cwalinski, Frank Kargl, Sven Dietrich, Security Challenges and Opportunities of Software-Defined Networking, Apr 3, 2017
“We have taken a process from low automation and weeks to complete to high automation and minutes to complete. We’re turning the industry on its head in an unprecedented way.” John Donovan, AT&T’s analyst conference, August 2015
Conventional Networks vs. SDN
[Figure: side-by-side comparison of a conventional network and an SDN, after Kreutz et al. 2015]
Conventional networks: every switch (S) runs its own control plane and data plane; decentralized control.
• Limited visibility
• Vendor-specific
• Misconfiguration
• Poor responses
• Policy conflicts
• Security breaches
• Decentralized
• Complex
• Static architecture
• Innovation is difficult
• Costly
Software Defined Networks: decoupling of a smart control plane from a dumb, fast data plane.
• The controller holds a global view of the network and exposes an abstract view to the network applications (traffic management/QoS, policy implementation and management, security services)
• Open north-bound API between controller and applications; OpenFlow as the south-bound API to the switches
• Customization and programmability
• Costly? Yes, costly
*Figure: Kreutz, Diego, et al. "Software-defined networking: A comprehensive survey." Proceedings of the IEEE 103.1 (2015): 14-76.
OpenFlow-enabled SDN devices
Flow table (figure on the slide; the nine wildcarded match columns are not labelled on the slide):

  Match Fields                Action   Packet + byte counters   Use
  * 00:2E * * * * * * *       port3    300                      Switching
  * * * * * 4.5.6.7 * * *     port5    250                      Routing
  * * * * * * * * 10          drop     500                      Firewall

OpenFlow is the enabler of SDN:
• Protocol between the control plane and the data plane
• Describes how a controller and a network forwarding device should communicate
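To make the flow-table slide concrete, here is an added example (not from the lecture or from any OpenFlow implementation) of a wildcard flow table with priorities and per-entry counters. The field names are the OpenFlow 1.0 header fields, and it is assumed that `00:2E` on the slide is a destination MAC and `10` a TCP destination port, since the slide does not label its columns.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class FlowEntry:
    match: Dict[str, str]   # exact-match fields only; an unlisted field is a wildcard '*'
    action: str             # e.g. "output:3" or "drop"
    priority: int = 0
    packets: int = 0        # per-entry packet and byte counters, as on the slide
    bytes: int = 0

    def matches(self, pkt: Dict[str, str]) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())

class FlowTable:
    def __init__(self) -> None:
        self.entries: List[FlowEntry] = []

    def add(self, entry: FlowEntry) -> None:
        self.entries.append(entry)
        # highest priority first, so the first hit wins as in an OpenFlow switch
        self.entries.sort(key=lambda e: -e.priority)

    def lookup(self, pkt: Dict[str, str], size: int) -> str:
        """Return the action for pkt and update the winning entry's counters.
        A table miss returns 'packet_in': the switch hands the packet to the controller."""
        for e in self.entries:
            if e.matches(pkt):
                e.packets += 1
                e.bytes += size
                return e.action
        return "packet_in"

def build_slide_table() -> FlowTable:
    """The three entries on the slide (field names assumed). The firewall rule gets the
    highest priority so a drop decision is never shadowed by a more general forwarding rule."""
    t = FlowTable()
    t.add(FlowEntry({"eth_dst": "00:2E"}, "output:3", priority=10))   # switching
    t.add(FlowEntry({"ip_dst": "4.5.6.7"}, "output:5", priority=20))  # routing
    t.add(FlowEntry({"tp_dst": "10"}, "drop", priority=30))           # firewall
    return t

if __name__ == "__main__":
    t = build_slide_table()
    print(t.lookup({"eth_dst": "00:2E", "ip_dst": "1.2.3.4", "tp_dst": "80"}, 64))  # output:3
    print(t.lookup({"eth_dst": "00:2E", "ip_dst": "4.5.6.7", "tp_dst": "10"}, 64))  # drop
```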
SDN security applications
[Figure: application plane on top of the control plane. Applications: routing, load balancer, access control, monitoring, firewall, DDoS mitigation, IDS/IPS. The controller keeps an up-to-date global network view and, through network virtualization, exposes an abstract network view to the applications; switches (S), a router (R) and a server receive the incoming packets; the firewall example appears as a rule "A B drop".]
Examples
• Load balancer: send each HTTP request over a lightly loaded path to a lightly loaded server.
• Firewall: inform the central controller about the malware’s packets; the controller pushes new rules to drop those packets.
The Big Picture: SDN Architecture
Alsmadi, Izzat, and Dianxiang Xu. "Security of software defined networks: A survey." Computers & security 53 (2015): 79-108.
Application Plane Security Challenges
[Figure: application-plane threat map]
• Application classes: SDN-aware and SDN-unaware apps; nested applications; sensitive apps and service apps
• What applications can access: path characteristics, access ports, monitoring of traffic, rejecting/accepting flows
• Challenges: lack of access control and accountability; lack of authentication and authorization; fraudulent flow rule insertion
Application Plane: Targeted Threat / Proposed Solution
• Security policy violation → security policy verification framework:
  - Flover: runs on the controller, checks new rules against old rules for conflicts
  - ndb: root-cause analysis
  - OFRewind: traces anomalies
• Threats within/from apps → framework for security apps development (FRESCO scripting language)
• Flow rules contradiction → assertion-based language: catch bugs before deployment (forwarding loops, black holes)
• Access control breach → permission system (PermOF): least privilege on apps
PermOF
Wen, Xitao, et al. "Towards a secure controller platform for openflow applications." Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking. ACM, 2013.
The design is based on a set of permissions and isolation mechanisms:
– Ensures controller superiority over applications
– Isolates control flow and data flow
– The controller should be able to mediate all the apps’ activity
[Figure: availability of sensitive information to apps, real-time and dynamic execution, all controlled by the controller kernel]
Control Plane Security Challenges
• DoS attacks
  - SDN response times
  - IP packets with random headers
  - Huge number of flow rules
  - Saturation
• Threats due to scalability
• Challenges in a distributed control plane
Control Plane: Targeted Threat / Proposed Solution
• DDoS attack → detection framework:
  - SDN DDoS detection
  - Intra-domain & inter-domain control (DISO)
• Controller scalability and challenges in a distributed control plane:
  1. Wildcards mechanism; load balancing: direct an aggregate of client requests to replicas
  2. Increase the processing power (McNettle controller): parallelism
  3. Hybrid reactive/proactive controller
McNettle: http://haskell.cs.yale.edu/wp-content/uploads/2013/04/thesis-singlespace.pdf
• NOX-MT scales to 5M flows/s at 10 CPU cores
• Beacon: 13M flows/s at 20 CPU cores
• McNettle: 20M flows/s at 46 CPU cores
Reactive vs. Proactive Controller
Marcial P. Fernandez, Evaluating OpenFlow Controller Paradigms, 2013
SDN DDoS detection
1. Flow collector module: gathers the flow entries from the switches at regular intervals.
2. Feature extractor: average packets per flow, average bytes per flow, average duration per flow, growth of single-flows, and growth of different ports.
3. Classifier: analyzes the feature tuple and decides whether to raise an alarm.
R. Braga, E. Mota, and A. Passito, “Lightweight DDoS flooding attack detection using NOX/OpenFlow,” in Proc. IEEE 35th Conf. LCN, Oct.
2010, pp. 408–415.
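The three-stage pipeline above, as an added example that is not part of the lecture or of Braga et al.'s code: the feature extractor computes the paper's feature tuple over a snapshot of flow entries, and a simple threshold rule stands in for the paper's self-organizing-map classifier (thresholds are assumed). The flow snapshots are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Flow:
    """One flow-table entry gathered by the flow collector (constructed sample data)."""
    src: str
    dst: str
    dport: int
    packets: int
    bytes: int
    duration: float  # seconds since the entry was installed

def extract_features(flows: List[Flow], prev_single: int, prev_ports: int) -> Dict[str, float]:
    """Feature tuple of Braga et al.: per-flow averages plus two growth terms computed
    against the previous interval (prev_single, prev_ports)."""
    n = max(len(flows), 1)
    pairs = {(f.src, f.dst) for f in flows}
    # a 'single flow' has no reverse flow: spoofed flood traffic is never answered
    single = sum(1 for s, d in pairs if (d, s) not in pairs)
    ports = len({f.dport for f in flows})
    return {"avg_packets": sum(f.packets for f in flows) / n,
            "avg_bytes": sum(f.bytes for f in flows) / n,
            "avg_duration": sum(f.duration for f in flows) / n,
            "growth_single": single - prev_single,
            "growth_ports": ports - prev_ports,
            "single": single, "ports": ports}

def is_attack(feat: Dict[str, float]) -> bool:
    """Stand-in classifier with assumed thresholds (the paper trains a self-organizing map).
    Alarm when at least two flooding indicators fire in the same interval."""
    hits = [feat["avg_packets"] < 10, feat["growth_single"] > 5, feat["growth_ports"] > 5]
    return sum(hits) >= 2

def sample_interval(attack: bool) -> List[Flow]:
    """Constructed snapshots: four legitimate bidirectional flows, optionally plus a flood."""
    flows = [Flow("10.0.0.1", "10.0.0.9", 80, 40, 30000, 8.0),
             Flow("10.0.0.9", "10.0.0.1", 80, 35, 12000, 8.0),
             Flow("10.0.0.2", "10.0.0.9", 443, 60, 48000, 12.0),
             Flow("10.0.0.9", "10.0.0.2", 443, 55, 9000, 12.0)]
    if attack:  # many one-packet, never-answered flows from spoofed sources to many ports
        flows += [Flow(f"172.16.{i}.{i}", "10.0.0.9", 1000 + i, 1, 60, 0.5) for i in range(20)]
    return flows

def run_demo() -> Tuple[bool, bool]:
    """Process two consecutive collection intervals the way the detector loop would."""
    normal = extract_features(sample_interval(False), prev_single=0, prev_ports=0)
    flood = extract_features(sample_interval(True), normal["single"], normal["ports"])
    return is_attack(normal), is_attack(flood)

if __name__ == "__main__":
    print(run_demo())  # (False, True)
```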
Intra-domain & inter-domain control (DISO)
– Intra-domain: manages its own network domain
  • computes the paths of flows
  • dynamically reacts to network issues (broken link, high latency, bandwidth cap exceeded)
  • redirects and/or stops traffic
– Inter-domain:
  • discovers neighboring controllers and manages the communication among controllers
  • exchanges aggregated network-wide information with the others
[Figure: controllers C1, C2, C3, each managing a sub-domain (SubD1, SubD2, SubD3), exchanging topology and link information for traffic optimization; a host A is shown in one sub-domain]
Data Plane Security Challenges
• Switch-controller link
• Flow rules installation: genuine vs. malicious rules
• Limited table entries
• Limited switch buffer
• Number of switches per controller
• Path length
Data Plane: Targeted Threat / Proposed Solution
• Flow rule contradiction → FortNox: real-time contradiction check
• Man-in-the-middle attacks
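An added example, not from the lecture or from the FortNox project, of what a real-time contradiction check at the controller looks like: a candidate rule is compared against every installed rule, a contradiction is two overlapping matches with different actions, and the authorization rank of the submitting application decides whether the candidate is rejected or replaces the older rule. The role names and the rule that an equal-ranked candidate is rejected are assumptions of this simplified model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Authorization ranks assumed here, in the spirit of FortNox's roles: an operator
# outranks security applications, which outrank ordinary applications.
ROLE_RANK = {"admin": 3, "security_app": 2, "app": 1}

@dataclass
class Rule:
    match: Dict[str, str]   # listed fields must equal the packet's; unlisted fields are '*'
    action: str             # "forward" or "drop"
    role: str               # role of the application that submitted the rule

def overlap(a: Dict[str, str], b: Dict[str, str]) -> bool:
    """Some packet matches both rules iff every field both of them constrain agrees."""
    return all(a[k] == b[k] for k in a.keys() & b.keys())

def contradicts(new: Rule, old: Rule) -> bool:
    """A contradiction: the rules can fire on the same packet but disagree on its fate."""
    return overlap(new.match, old.match) and new.action != old.action

def try_install(table: List[Rule], new: Rule) -> Optional[str]:
    """Mediate a flow-rule insertion before it reaches the switch.
    Returns None if the rule was installed, otherwise the reason it was rejected."""
    for old in table:
        if contradicts(new, old) and ROLE_RANK[new.role] <= ROLE_RANK[old.role]:
            return f"rejected: contradicts {old.role} rule {old.action} {old.match}"
    # the candidate outranks every rule it contradicts: evict those and install it
    table[:] = [r for r in table if not contradicts(new, r)]
    table.append(new)
    return None

def demo() -> List[Optional[str]]:
    """Constructed scenario: the slide's firewall rule (drop TCP dport 10) is installed."""
    table = [Rule({"tp_dst": "10"}, "drop", "security_app")]
    return [
        # an ordinary app tries to forward all traffic to 4.5.6.7, which would
        # silently re-open port 10 on that host: rejected
        try_install(table, Rule({"ip_dst": "4.5.6.7"}, "forward", "app")),
        # a rule that cannot collide with the drop rule (different port): installed
        try_install(table, Rule({"ip_dst": "4.5.6.7", "tp_dst": "80"}, "forward", "app")),
        # the operator may lift the block, evicting the security app's rule
        try_install(table, Rule({"tp_dst": "10"}, "forward", "admin")),
    ]
```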
Centralization in SDN
The Good:
• Fast responsiveness
• Easy removal of policy inconsistencies
– centralized routing algorithms
– firewalls
– network monitoring
The Bad:
• A single point of failure that may be exploited by an internal or external attacker
Regarding DDoS
Bad: centralization adds a new type of denial-of-service (DoS) vector.
Good: effective management of existing DoS attack types
– using the global view
– traffic analysis
New security challenges, but the benefits appear to be predominant!!!
Marc C. Dacier, Hartmut Cwalinski , Frank Kargl , Sven Dietrich, Security Challenges and Opportunities of Software-Defined Networking, Apr 3, 2017
Attack Surface vs. Defense Opportunities
Good:
• In SDN, defenders can create customized security solutions, e.g. anomaly detection systems, thanks to
– the global view
– open hardware interfaces
– centralized control
Bad:
• The same properties benefit the attackers (zero-day attacks):
– the centralized architecture
– lack of defender expertise
– still an immature technology
Marc C. Dacier, Hartmut Cwalinski , Frank Kargl , Sven Dietrich, Security Challenges and Opportunities of Software-Defined Networking, Apr 3, 2017
Centralized vs. Distributed Approach
Good:
• Reduced complexity by splitting into planes.
– Easier to test
– E.g., routing algorithms are simpler than the distributed approach in conventional networks.
Bad:
• Stressed by two aspects that strongly call for the use of a distributed approach:
– the need for scalability
– operational requirements (fault tolerance)
Marc C. Dacier, Hartmut Cwalinski , Frank Kargl , Sven Dietrich, Security Challenges and Opportunities of Software-Defined Networking, Apr 3, 2017
Is SDN More Complex, or Is It Simpler?
Implementing the control plane completely in software
Good:
• Programmability
Bad:
• Opposes simplicity: raises issues about algorithmic complexity.
– Why: additional requirements that weren’t imposed on classical networks but are now thinkable in SDN.
– Simplicity is a key design principle in building secure systems.
SDN has the potential to be simple—but making it simple is quite complex.
Marc C. Dacier, Hartmut Cwalinski , Frank Kargl , Sven Dietrich, Security Challenges and Opportunities of Software-Defined Networking, Apr 3, 2017
Open problems & research directions
• How to implement authentication and authorization to certify SDN applications.
• How to implement access control and accountability in SDN.
• How to implement customized security procedures based on the type or category of application.
• How to automatically derive secure SDN configurations.
• How can we secure the controller-switch communication?
• How can we perform efficient intrusion detection and anomaly detection in SDNs?
• How can we operate SDN in the presence of untrusted hardware components?
• How can we protect the controller itself?
Without security, SDN will not succeed!
#3: International Data Corporation (IDC), an American market research, analysis and advisory firm, specializes in information technology,
AT&T reduces provisioning cycle by 95% with SDN: reduction in the time spent ordering, managing and changing services by up to 95%.
John Donovan: senior executive vice president of technology and network operations