SDN security: Nokia Research perspective. Peter Schneider, 19-05-2015, Version 1.1. Nokia Solutions and Networks 2015
Agenda
- Security at Nokia
- SDN in mobile networks
- SDN security research
- SDN security standardization
- Securing SDN-based networks
- Using SDN to implement security solutions
- Conclusion: SDN security challenges and opportunities
Security at Nokia
- Product security: security processes, security leads per product, security managers per product line, central product security team
- Security products (including services)
- Security research: teams in Munich and Espoo (~20 people)
- Security experts in various functions (e.g. standardisation)
Nokia security building blocks (figure)
Nokia's mobile network security vision: summary of research areas
1. Embedded security for 5G
2. Intelligent monitoring & response
3. Improving the security foundation
4. Easy security management & usability
5. Tool-supported cooperation
The evolved packet system (4G mobile network) (figure): 2G RAN (BTS, BSC) and 3G RAN (Node B, RNC) attached via the SGSN, the LTE RAN (eNB) attached via MME and Serving GW, the Evolved Packet Core (MME, SGSN, Serving GW, PDN GW, HSS, PCRF, 3GPP AAA server, ePDG, charging system), trusted and untrusted non-3GPP access networks, and the external networks (untrusted Internet, corporate IP networks, IMS / operator services). Control-plane, user-plane and combined control+user-plane interfaces are distinguished. Don't care about all these abbreviations!
SDN in future telco networks (still LTE, an evolution example)
- Control functions move into the cloud
- Gateways may be split into a control part and a forwarding part
- SDN for networking within the cloud
- SDN for backhauling
- SDN for gateway control (figure: control in the cloud, forwarding elements outside it)
SDN in a 5G end-to-end network architecture (figure): 5G radio (cm-wave and mm-wave frontends, LTE in all variants, WiFi access, 2G/3G, fixed access) with multi-connectivity and an application-aware radio scheduler; an access cloud with (centralized) radio resource control, controllers, distributed gateways and distributed MEC; an evolved core cloud; software-defined fronthaul, backhaul and transport, each with its own SDN control over virtualized resources; management & orchestration running network applications (customer experience management, QoS on demand, session on demand, service chaining, dynamic QoS/QoE management, mobility on demand); built-in security across the data plane and all control layers.
Work on SDN security at Nokia Research
- Interacting with the research community
- Own research: understand the SDN security issues; solution sketches for Nokia products/services including SDN; intellectual property rights; internal/external research papers and presentations
- Monitoring/supporting SDN standardisation
- Monitoring the market (commercial SDN products)
- Nokia-internal enabling; the ultimate goal is to create secure, innovative products
Monitoring the SDN security research community: examples (1/3)
- M. Tsugawa et al., Cloud Computing Security: What Changes with Software-Defined Networking? [1]: good description of both the security challenges and the opportunities of SDN; many considerations are not restricted to the cloud scenario.
- R. Klöti, master thesis OpenFlow: A Security Analysis [2]: detailed analysis of a number of attack scenarios; focuses partly on quite sophisticated, slightly academic attacks.
- Further valuable vulnerability analyses in K. Benton et al., OpenFlow vulnerability assessment [3]; A. Shalimov et al., Advanced study of SDN/OpenFlow controllers [4]; D. Kreutz et al., Towards Secure and Dependable Software-Defined Networks [5], but the mitigation measures given in [5] seem cumbersome in practice.
- A. Crenshaw, Security and Software Defined Networking: Practical Possibilities and Potential Pitfalls [6] gives a nice example of how to implement ARP poisoning protection.
Monitoring the SDN security research community: examples (2/3)
- Valuable contributions by the research team OpenFlowSec.org (see http://www.openflowsec.org/home.html):
  - Security-enhanced OpenFlow controllers FortNOX and SE-Floodlight: ensure secure access of applications to network resources, provide patterns simplifying the programming of threat mitigation measures (see [7] and [8])
  - FRESCO: an OpenFlow security application development framework designed to facilitate the rapid design and modular composition of OF-enabled detection and mitigation modules [9]
- Access control for applications via the SDN controller:
  - X. Wen et al., Towards a Secure Controller Platform for OpenFlow Applications [10]
  - S. Shin et al., Rosemary: A Robust, Secure, and High-Performance Network Operating System [11]
Monitoring the SDN security research community: examples (3/3)
- Improving security techniques by SDN:
  - S. A. Mehdi et al., Revisiting traffic anomaly detection using software defined networking [12]
  - R. Skowyra et al., Software-Defined IDS for Securing Embedded Mobile Devices [13]
  - S. Shin and G. Gu, CloudWatcher: Network security monitoring using OpenFlow in dynamic cloud networks [14]
- Network virtualization (and isolation) using SDN:
  - R. Sherwood et al., FlowVisor: A network virtualization layer [15]
SDN security research in SASER-SIEGFRIED
- SASER (Safe and Secure European Routing, https://www.celticplus.eu/project-saser/):
  - Celtic-Plus project with national funding in Germany, France and Finland
  - a large project in Germany: three divisions led by different vendors, 36M funding
  - originally an optics project, but with a security focus; 3 years runtime (2012-2015)
  - SASER-SIEGFRIED: one of the German divisions of SASER, led by Nokia, with a substantial work package on security, including SDN security
- SDN security work in SASER-SIEGFRIED:
  - SDN security basics (threats, protection measures)
  - concepts to control the interaction of multiple applications on an SDN controller
  - SDN security lab, PoC implementations of security for the southbound and northbound interfaces, admission control system for applications
  - publications, e.g. C. Röbke, T. Holz, Retaining Control Over SDN Network Services [16]
  - SDN demos including security features, see S. Gebert et al., Demonstrating the Optimal Placement of Virtualized Cellular Network Functions in Case of Large Crowd Events [17]
Monitoring SDN security standardization: ONF
- SDN Architecture document: reasonable (high-level) statements on security
- ONF specifications (examples):
  - OF-Switch: optional use of TLS, no TLS profile specified
  - OF-Config: based on NETCONF security using SSH or TLS
- ONF Principles document:
  - first output of the ONF Security Project (after a slow start as "Security Discussion Group")
  - 8 rather generic security principles, 24 security requirements
  - reasonable recommendations on how to improve the security of OF-Switch
  - what will be the impact of this work?
- Overall, the ONF security work appears somewhat immature.
Monitoring SDN security standardization: others
- IRTF SDN research group: security is a field of interest in the charter, but no output so far (?); discussions at IETF#92 on how to move on with the group.
- IETF SDN-related WGs (examples):
  - ForCES: use a secure transport protocol between forwarding and control plane, e.g. SCTP/IPsec; programmability of the network not in scope
  - I2RS: reasonable security requirements for the interface; could be based on NETCONF security using SSH or TLS
  - a new activity: I2NSF ("interface to network security functions")
- ETSI ISG NFV: SDN usage in NFV is covered in the EVE (Evolution and Ecosystem) group; early draft "Report on SDN Usage in NFV Architectural Framework"; security aspects not yet elaborated; also no respective work item in the NFV SEC (Security) group.
Threats to an SDN-based network (figure): the SDN controller runs in a virtualized/cloud environment and serves several applications; attacks come from the forwarding plane (via the SDN switches), from the control network between controller and switches, via the northbound interface (a malicious application among the legitimate ones), and from the virtualized/cloud environment itself.
Securing an SDN-based network
- Protection of the protocol interfaces (controller-switch interface, possibly the northbound interface):
  - preferably cryptographic protection (e.g. IPsec or TLS)
  - sound, robust protocol implementations
  - optionally a firewall in front of the controller to protect it against well-known network- and transport-layer attacks (like TCP SYN floods)
- Sound authentication and authorization concepts for network control by applications via the northbound interface, including conflict resolution
- Security measures for virtualized/cloud environments when running the controller there (this is an issue of its own, to be solved independently of SDN)
- Security measures as applicable to traditional networks as well
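The second bullet (authentication and authorization of applications on the northbound interface, including conflict resolution) is the point where research controllers such as FortNOX and SE-Floodlight [7][8] put an enforcement layer. The following is an added example written for this page, not code from the slides or from any Nokia product or controller: it models that layer in Python. Everything in it is a hypothetical assumption: applications authenticate with a shared secret and carry a role, a "security" role outranks a "forwarding" role, flow matches are dicts of header fields in which an absent field is a wildcard (in the spirit of an OpenFlow match), and a lower-ranked application is refused any rule that overlaps with and contradicts a higher-ranked application's rule.

```python
"""Added example (not code from the slides or from a Nokia product): admission
control for applications on an SDN controller's northbound interface, with
rule-conflict resolution by application rank.

Assumptions (hypothetical): applications present a shared secret and are
assigned a role; "security" apps outrank "forwarding" apps, so a lower-ranked
app cannot install a rule that overlaps with and contradicts a higher-ranked
app's rule. Flow matches are dicts of header fields in which an absent field
is a wildcard, in the spirit of an OpenFlow match.
"""
import hmac
import ipaddress
from dataclasses import dataclass, field

# Constructed credential store: app name -> (shared secret, role).
APP_CREDENTIALS = {
    "ids-blocker": ("s3cr3t-ids", "security"),
    "qos-shaper": ("s3cr3t-qos", "forwarding"),
}
ROLE_RANK = {"security": 2, "forwarding": 1}
IP_FIELDS = {"ipv4_src", "ipv4_dst"}


@dataclass
class FlowRule:
    app: str
    match: dict      # e.g. {"ipv4_src": "10.0.0.5", "tcp_dst": 80}; absent key = wildcard
    action: str      # "drop" or "forward"
    priority: int = 100


def matches_overlap(a, b):
    """True if some packet could match both a and b.

    A field present in only one match is a wildcard in the other, so only
    fields present in both can rule out an overlap. IP fields are compared as
    prefixes, everything else by exact value.
    """
    for key in a.keys() & b.keys():
        if key in IP_FIELDS:
            net_a = ipaddress.ip_network(a[key], strict=False)
            net_b = ipaddress.ip_network(b[key], strict=False)
            if not net_a.overlaps(net_b):
                return False
        elif a[key] != b[key]:
            return False
    return True


@dataclass
class NorthboundGuard:
    rules: list = field(default_factory=list)

    def authenticate(self, app, secret):
        """Return the app's role, or None if the secret does not match."""
        entry = APP_CREDENTIALS.get(app)
        if entry is None:
            return None
        expected, role = entry
        # constant-time comparison: do not leak the secret through timing
        return role if hmac.compare_digest(secret, expected) else None

    def submit(self, app, secret, rule):
        """Admit or reject a rule; returns a short verdict string."""
        role = self.authenticate(app, secret)
        if role is None:
            return "rejected: authentication failed"
        if rule.app != app:
            return "rejected: rules must be installed in the caller's own name"
        rank = ROLE_RANK[role]
        for existing in self.rules:
            if existing.action == rule.action or not matches_overlap(existing.match, rule.match):
                continue            # no contradiction on any shared packet
            existing_rank = ROLE_RANK[APP_CREDENTIALS[existing.app][1]]
            if existing_rank >= rank:
                return f"rejected: conflicts with {existing.app} rule ({existing.action})"
            # The caller outranks the owner of the conflicting rule: admit the
            # new rule, but make sure the switch prefers it over the old one.
            rule.priority = max(rule.priority, existing.priority + 1)
        self.rules.append(rule)
        return "accepted"
```

The check that matters is the overlap test on wildcarded matches: a forwarding app that asks for "10.0.0.0/24, TCP port 80 -> forward" is refused when a security app has already installed "10.0.0.5 -> drop", because the two rules disagree on packets from 10.0.0.5 to port 80. Equal-ranked applications are also refused a contradicting rule rather than silently overriding each other; an explicit deletion is required. Real deployments would additionally authenticate the application over TLS rather than with a bare shared secret.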
Securing an SDN-based network: further details (backup slide)
- Security measures for virtualized/cloud environments, like:
  - sound, robust implementations of the hypervisors and the overall cloud management software
  - security zones (logical and optionally even physical separation/isolation)
  - dedicated security functions (like firewalls) as part of the hypervisor or in VMs
  - traffic separation (dedicated virtual switches, VLANs)
  - cryptographic protection: traffic to/from/between VMs, data on storage
- Security measures as applicable to traditional networks as well, like:
  - secure OAM (Operation, Administration and Maintenance)
  - secure operation of network protocols and services (e.g. routing, DNS, NTP)
  - individual protection of each network function (formerly physical boxes, now VNFs)
Securing an SDN-based network (figure): the secure SDN controller and the secure virtualized/cloud environment hosting it need robust implementation and overload control; the control network between controller and SDN switches and the northbound interface to the applications get cryptographic protection; applications are subject to sound authentication and authorization concepts; a firewall sits in front of the controller; the SDN switches themselves need robust implementation and overload control.
Using SDN to improve network security
- Advocates of SDN claim substantial benefits such as "increased network reliability and security as a result of centralized and automated management of network devices, uniform policy enforcement, and fewer configuration errors" (from the ONF).
- But network security will not increase by simply applying SDN!
- Security opportunities do exist:
  - fine-granular, agile control over all traffic flows: monitor traffic on a per-flow basis; block suspicious flows or redirect them to dedicated security devices
  - centralized control: unify security policies, adapt them automatically and consistently
  - programmability: implement security solutions as apps on the controller
  - an advantageous combination of SDN-based and traditional security solutions is possible
  - running controllers in cloud environments to make them resilient against DoS attacks
Straightforward example of an SDN-based security solution (figure, backup slide): an Anti-DoS app on the SDN controller, driven by policies, gets flow statistics from the SDN switches and sets blocking rules on them to protect a target server.
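The loop in that figure (poll flow statistics, compare against policy, push blocking rules) is short enough to show in full. What follows is an added example written for this page, not code from the slides or from a Nokia product, and it runs over constructed flow statistics rather than against a live controller. The data shapes are hypothetical assumptions: flow-stats replies arrive as lists of dicts resembling OpenFlow flow-stats entries ("match", "packet_count"), the app is polled with an explicit timestamp, a blocking rule is a flow-mod with an empty action list (drop) and an idle timeout, and the controller reports the rule's expiry through on_flow_removed().

```python
"""Added example (not code from the slides or from a Nokia product): the logic
of the Anti-DoS app sketched above, run over constructed flow statistics
instead of a live controller.

Assumptions (hypothetical): the controller hands the app flow-stats replies as
lists of dicts shaped like OpenFlow flow-stats entries ("match",
"packet_count"); the app is polled periodically with a timestamp; a blocking
rule is a flow-mod with an empty action list (drop) and an idle timeout, and
the controller reports its expiry through on_flow_removed().
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    target: str                           # protected server address
    max_pps: float                        # per-source packet rate towards the target
    block_idle_timeout: int = 60          # seconds a drop rule lives without traffic
    allowlist: frozenset = frozenset()    # sources never blocked (e.g. monitoring probes)


@dataclass
class AntiDosApp:
    policy: Policy
    last_counts: dict = field(default_factory=dict)   # src -> (timestamp, packets)
    blocked: set = field(default_factory=set)

    def on_flow_stats(self, timestamp, stats):
        """Consume one flow-stats reply; return the blocking rules to install."""
        # Aggregate packets per source towards the protected target; flows to
        # other destinations are not this app's business.
        per_src = {}
        for entry in stats:
            m = entry["match"]
            if m.get("ipv4_dst") != self.policy.target:
                continue
            per_src[m["ipv4_src"]] = per_src.get(m["ipv4_src"], 0) + entry["packet_count"]

        rules = []
        for src, packets in per_src.items():
            previous = self.last_counts.get(src)
            self.last_counts[src] = (timestamp, packets)
            if previous is None:
                continue                       # first sighting: no rate yet
            prev_ts, prev_packets = previous
            delta_t, delta_p = timestamp - prev_ts, packets - prev_packets
            if delta_t <= 0 or delta_p < 0:
                continue                       # counter reset / flow reinstalled: new baseline
            rate = delta_p / delta_t
            if (rate > self.policy.max_pps and src not in self.policy.allowlist
                    and src not in self.blocked):
                self.blocked.add(src)
                rules.append(self.blocking_rule(src))
        return rules

    def blocking_rule(self, src):
        """A drop rule (empty action list) for src -> target that expires when idle."""
        return {
            "command": "ADD",
            "priority": 1000,                  # above the normal forwarding rules
            "idle_timeout": self.policy.block_idle_timeout,
            "match": {"ipv4_src": src, "ipv4_dst": self.policy.target},
            "actions": [],
        }

    def on_flow_removed(self, match):
        """The switch reported that a blocking rule expired: allow re-detection."""
        if match.get("ipv4_dst") == self.policy.target:
            self.blocked.discard(match.get("ipv4_src"))
            self.last_counts.pop(match.get("ipv4_src"), None)


def flow(src, dst, packets):
    """Constructed flow-stats entry (sample data, not captured from a switch)."""
    return {"match": {"ipv4_src": src, "ipv4_dst": dst}, "packet_count": packets}


def demo():
    """Run a constructed three-poll scenario; returns the rules emitted per poll."""
    app = AntiDosApp(Policy(target="10.0.0.100", max_pps=1000,
                            allowlist=frozenset({"10.1.1.30"})))
    polls = [
        (0, [flow("10.1.1.10", "10.0.0.100", 1000), flow("10.1.1.20", "10.0.0.100", 500),
             flow("10.1.1.30", "10.0.0.100", 0), flow("10.1.1.40", "10.9.9.9", 10**6)]),
        (10, [flow("10.1.1.10", "10.0.0.100", 61000), flow("10.1.1.20", "10.0.0.100", 520),
              flow("10.1.1.30", "10.0.0.100", 100000), flow("10.1.1.40", "10.9.9.9", 10**7)]),
        (20, [flow("10.1.1.10", "10.0.0.100", 121000)]),   # attack continues, already blocked
    ]
    return [app.on_flow_stats(ts, stats) for ts, stats in polls]
```

In the constructed scenario only 10.1.1.10 is blocked on the second poll (6000 packets/s towards the target); 10.1.1.20 stays well under the threshold, 10.1.1.30 exceeds it but is on the allowlist, and 10.1.1.40 is talking to a different destination. Two caveats a practitioner should keep in mind: the reaction time is bounded by the polling interval, and per-source blocking is blind to an attacker who spoofs source addresses, so on an Internet-facing target this app is a first line in front of dedicated DDoS equipment, not a replacement for it.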
Demo setup: Mobile Guard interacting with decomposed gateways (figure): in the virtualized/cloud environment, the S-GW and P-GW control applications (GW control) run alongside Mobile Guard; in the user plane, S-GW-U and P-GW-U, with a probe, forward traffic towards the IP service network. Mobile Guard detects malware activity and isolates the infected terminal (its path to the IP service network is cut; a sanitizing server is part of the setup). Disclaimer: this is a demo setup, not an available Nokia solution!
SDN security products: examples
- Nokia's Mobile Guard is a commercial security product, but SDN is currently only a feature candidate
- Radware DefenseFlow (http://www.radware.com/products/defenseflow/)
- HP SDN App Store (https://hpn.hpwsportal.com/catalog.html#/home/show): HP Network Protector, BlueCat DNS Director, F5 BIG DDoS Umbrella, GuardiCore Active Honeypot
- Related to network virtualisation: VMware (NSX), Cisco (ACI) and others
SDN security: challenges versus opportunities

SDN feature                     | Challenge                                                                                   | Opportunity
------------------------------- | ------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------
Separation forwarding/control   | increased attack surface (but good protection mechanisms exist)                             | (basis for the other opportunities)
Centralized control             | successful attacks have huge impact                                                         | unify security policies, adapt them automatically & consistently
Controllers in clouds           | various threats, like attacks via hypervisor vulnerabilities                                | use elasticity of resources to overcome DoS attacks
Agile and fine-granular control | increases complexity, is a source of errors, may be abused                                  | facilitates security solutions that need to execute such control
Network programmability         | abuse of control functions, exploiting vulnerabilities, compromising controllers            | facilitates efficient deployment of security solutions running as applications on controllers
Conclusion
- Security challenges: network programmability; controllers in cloud environments
- Security opportunities: unified but still agile control; efficient deployment of security solutions as network applications
- Considerable care and security awareness is required to mitigate the threats!
- Turning the opportunities into better network security is a process that has just started!
References
[1] M. Tsugawa, A. Matsunaga, J. A. B. Fortes, "Cloud Computing Security: What Changes with Software-Defined Networking?", in S. Jajodia et al. (eds.), Secure Cloud Computing, Springer Science+Business Media New York 2014, DOI 10.1007/978-1-4614-9278-8_4
[2] R. Klöti, "OpenFlow: A Security Analysis", master thesis, ETH Zürich (retrieved from ftp://ftp.tik.ee.ethz.ch/pub/students/2012-hs/ma-2012-20.pdf)
[3] K. Benton et al., "OpenFlow vulnerability assessment", in: ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN '13), 2013
[4] A. Shalimov et al., "Advanced study of SDN/OpenFlow controllers", Proceedings of the 9th Central & Eastern European Software Engineering Conference in Russia, ACM, New York 2013
[5] D. Kreutz, F. Ramos, P. Verissimo, "Towards Secure and Dependable Software-Defined Networks", in: ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN '13), 2013
[6] A. Crenshaw, "Security and Software Defined Networking: Practical Possibilities and Potential Pitfalls", Indiana University, Dec 16, 2012 (published on http://www.irongeek.com/)
[7] P. Porras et al., "A Security Enforcement Kernel for OpenFlow Networks", Proceedings of the ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN), 2012
[8] P. Porras et al., "Securing the Software-Defined Network Control Layer", NDSS '15, 8-11 February 2015, San Diego, CA, USA; Copyright 2015 Internet Society, ISBN 1-891562-38-X; retrieved from http://dx.doi.org/10.14722/ndss.2015.23222
[9] S. Shin, P. A. Porras, V. Yegneswaran, M. W. Fong, G. Gu, M. Tyson, "FRESCO: Modular Composable Security Services for Software-Defined Networks", Proceedings of the ISOC Network and Distributed System Security Symposium, San Diego, CA, February 2013
[10] X. Wen, Y. Chen, C. Hu, C. Shi, Y. Wang, "Towards a Secure Controller Platform for OpenFlow Applications", in: ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN '13), 2013
[11] S. Shin et al., "Rosemary: A Robust, Secure, and High-Performance Network Operating System", CCS '14, Nov 3, 2014, Arizona, USA; retrieved on April 20, 2015 from http://www.csl.sri.com/~vinod/papers/rosemary.pdf
[12] S. A. Mehdi, J. Khalid, S. A. Khayam, "Revisiting traffic anomaly detection using software defined networking", in Recent Advances in Intrusion Detection, Springer, 2011, pp. 161-180
[13] R. Skowyra, S. Bahargam, A. Bestavros, "Software-Defined IDS for Securing Embedded Mobile Devices", 2013; available online at http://www.cs.bu.edu/techreports/pdf/2013-005-software-defined-ids.pdf
[14] S. Shin, G. Gu, "CloudWatcher: Network security monitoring using OpenFlow in dynamic cloud networks (or: How to provide security monitoring as a service in clouds?)", in 20th IEEE International Conference on Network Protocols (ICNP), IEEE, 2012, pp. 1-6
[15] R. Sherwood et al., "FlowVisor: A network virtualization layer", OpenFlow Switch Consortium, Tech. Rep., 2009
[16] C. Röbke, T. Holz, "Retaining Control Over SDN Network Services", Proceedings of the International Conference on Networked Systems, IEEE 2015; retrieved from http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7089082&tag=1
[17] S. Gebert, D. Hock, T. Zinner, P. Tran-Gia, M. Hoffmann, M. Jarschel, E. D. Schmidt, R. Braun, C. Banse, "Demonstrating the Optimal Placement of Virtualized Cellular Network Functions in Case of Large Crowd Events", ACM SIGCOMM 2014, Chicago, USA, August 17-22, 2014