Enhancing network security with SDN

Size: px

Start display at page:

Download "Enhancing network security with SDN"

Carmel O’Neal’
8 years ago
Views:

2 Overview Security in Traditional Networks SDN Security Solutions Ethane OpenFlow Random Host Mutation Security of SDN Potential Threats Possible Solutions

3 Enterprise and Campus Networks Networks of companies, universities, organizations... Contain devices with diverse hardware and operating systems Usually connected to the Internet Maintaining security requires expertise and manual configuration

4 Network Security Problems Strict security requirements difficult to fulfill Slow deployment of changes Security solutions complex and expensive Long downtimes when a security problem occurs Decrease in productivity Inconvenience for users Poor or no network management in smaller networks

5 Why to use SDN? Network management through software means less manual work Faster Less error-prone Quick deployment of new security rules Can quickly react to dynamic conditions when monitoring in use

6 Ethane: Motivation Difficult to meet the security needs of a large enterprise network Coarse grained access control IP spoofing attacks

7 Ethane Centralized controller architecture for enterprise networks Security achieved through a global network policy Basis for e.g. OpenFlow

8 Ethane Architecture and Basic Operation Source: Martìn Casado et al. Rethinking enterprise network control. IEEE/ACM Trans. Netw

9 Ethane Secure communication between switches and controller Switch flow tables updated by the controller Packets strongly binded to their original sender IP addresses assigned by controller Source device must be registered to the network Users binded to hosts via user authentication

10 Ethane Controller gets rules from applications Policies use high-level names Flow-based Security Language (FSL) # allow computers request ssh connections allow() <= protocol( ssh ) ^ in( computers, HSRC) # deny connection requests from printers deny() <= isconnrequest() ^ in( printers, HSRC)

11 OpenFlow Random Host Mutation: Motivation Static IP addresses make hosts good targets scanners looking for targets to attack scanning worms Solutions in a traditional network require modifying the network architecture synchronization and real-time configuration

12 OpenFlow Random Host Mutation (OF-RHM) Moving target defense (MTD) implemented on OpenFlow Controller randomly mutates network IP addresses Frequent and unpredictable mutations Accuracy of scanned information reduced up to 99% Protecting hosts from scanning worms up to 90%

13 OF-RHM: Network Architecture Source: Jafar Haadi Jafarian et al. OpenFlow Random Host Mutation: Transparent Moving Target Defense using Software Defined Networking. HotSDN 2012.

14 OF-RHM: IP Address Mutation Real IP (rip) and virtual IP (vip) assigned to each host rip not changed vip changed at least at minimum rate Range of unused addresses assigned to each host vip selection either uniformly at random or with weighted probability IP mutation managed by controller rip-vip translations at switches

15 OF-RHM: Communication by Name Source: Jafar Haadi Jafarian et al. OpenFlow Random Host Mutation: Transparent Moving Target Defense using Software Defined Networking. HotSDN 2012.

16 Potential Threats Against SDN Vulnerabilities in controllers Control of the entire network in wrong hands disaster! DoS attacks against controllers Malicious or conflicting security rules

17 Possible Solutions Vulnerabilities in controllers Replication Increasing diversity exploitation of a vulnerability does not affect all replicas DoS attacks against controllers Replication Restricting the traffic rate from switches Malicious or conflicting security rules Restricting application permissions Accept/reject conflicting rules according to authorization level of applications

18 Security by Design Security of SDN addressed in design phase Key elements of the secure design Replication of controllers Diversity of controller replicas Dynamic switch-controller assignment

19 Secure and Dependable SDN Design Source: Diego Kreutz et al. Towards secure and dependable software-defined networks. HotSDN 2013.

20 Discussion Security of SDN itself to be kept in mind when using it to enhance security Security of SDN in wider scale networks Security enhancing solutions New security issues?

21 Reviewer Questions Example on SDN switch? Ethane: If the authenticated users are behind NAT, how could the controller distinguish IP spoofing from normal users behind NAT?

22 Summary Maintaining security in traditional networks is difficult SDN characteristics can be used enhance network security Security threats also in SDN Some threats specific to SDN Threats agains SDN may be avoided with design choices

23 SDN Security Reading Material S. Scott-Hayward et al. Sdn Security: A Survey. Future Networks and Services (SDN4FNS), 2013 IEEE SDN for. Diego Kreutz et al. Towards secure and dependable software-defined networks. HotSDN Martìn Casado et al. Rethinking enterprise network control. IEEE/ACM Trans. Netw Jafar Haadi Jafarian et al. OpenFlow Random Host Mutation: Transparent Moving Target Defense using Software Defined Networking. HotSDN 2012.

OF-RHM: Transparent Moving Target Defense using Software Defined Networking

OF-RHM: Transparent Moving Target Defense using Software Defined Networking Haadi Jafarian, Qi Duan and Ehab Al-Shaer ACM SIGCOMM HotSDN Workshop August 2012 Helsinki, Finland Why IP Mutation Static assignment