Security in Software Defined Networking
Professor: Admela Jukan
Supervisor: Marcel Caria
Student: Siqian Zhao
Overview
Software Defined Networking (SDN)
Legacy networking vs. SDN
Advantages of SDN
Security problems in SDN: caused by malicious attacks, caused by misconfiguration
SDN research project in IDA
Technische Universität Braunschweig Seite 2
Routing in Legacy Networking
Routing: select a path to forward packets from sender to receiver.
In legacy networking, each network node has its own control plane, and information is collected individually from all network nodes.
[Diagram, labelled "Problem": a management plane above a separate control plane in every node, all over a common data plane]
Routing in SDN
Centralized control in SDN:
[Diagram: applications on top of an API, the SDN controller below it, the data plane at the bottom]
The controller maintains the forwarding table on all nodes across the network!
Benefits: centralized control and programmability.
SDN Deployment and Market
Deployment example --- Google
2010: Google started implementing SDN.
October 2012: Google said that it is going to extend its current international SDN-based inter-data-center network.
(source: http://www.sdncentral.com/sdncentral-library-sdn-market-report/)
SDN Future
According to SDN Central (market forecast chart; source: http://www.sdncentral.com/sdncentral-library-sdn-market-report/)
Security Concern in SDN
Since the beginning of 2013, various working groups have been established to study security in SDN, such as ONF, ETSI and ITU.
Idea: the importance of designing security in from the start.
However, SDN hardware, software and services that are already in production and service lack consideration of the security implications!
Mission: explore techniques and policies to overcome the SDN security challenges.
Security in SDN --- Challenges
Security challenges:
--- Attack on the centralized controller
--- Trust problem between the controller and software applications
--- Attack on the communication channel between the controller and devices
--- Conflicting flow rules
--- Forwarding loops
[Diagram: a benign application and a malicious application on top of the SDN controller, which manages several SDN switches]
Security in SDN --- DoS
Attack on the controller: Denial of Service
Flow matched? --- forward the packet.
No flow matched? --- send the packet to the controller.
Thus, an attacker can execute a DoS attack on the node by constantly setting up new and unknown flows.
[Diagram: sender to switch (step 1), switch to SDN controller (step 2), controller back to switch (step 3), switch to receiver (step 4)]
Security in SDN --- DoS
Possible solutions to the DoS attack: run the device in proactive mode, or use a firewall.
Firewall: a software- or hardware-based network security system that controls the incoming and outgoing network traffic based on an applied rule set.
[Diagram: firewall between the Internet and the internal network, inspecting packet headers]
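As an added example (not part of the slides), a toy simulation of the reactive table-miss behaviour from the previous slide against the proactive mode suggested here, plus a simple detection check a controller could run; the addresses, ports and the allowed-flow policy are constructed values:

```python
# Added example, not from the slides: a toy OpenFlow-style switch in reactive
# vs. proactive mode, counting the table-miss messages ("packet-in") that reach
# the controller while an attacker sprays packets with constantly new flow keys.
# Addresses, ports and the allowed-flow policy are constructed sample values.
from collections import Counter

ALLOWED = {("10.0.0.1", "10.0.0.2", 80), ("10.0.0.2", "10.0.0.1", 443)}

def controller_decide(key):
    # The controller's policy: forward known flows, drop everything else.
    return "fwd" if key in ALLOWED else "drop"

class Switch:
    def __init__(self, proactive, policy):
        self.table = {}              # flow key -> action, as installed on the switch
        self.proactive = proactive
        self.packet_ins = 0          # messages sent up to the controller
        if proactive:
            # Proactive mode: pre-install the policy; the table-miss entry drops
            # locally instead of punting the packet to the controller.
            for key in policy:
                self.table[key] = "fwd"

    def handle(self, key):
        if key in self.table:
            return self.table[key]   # flow matched: act on the switch itself
        if self.proactive:
            return "drop"            # table miss handled on the switch
        # Reactive mode: every unknown flow costs a round trip to the controller
        # and a new table entry, which is exactly what the attacker exploits.
        self.packet_ins += 1
        self.table[key] = controller_decide(key)
        return self.table[key]

def attack_traffic(n):
    # Attacker varies the source port so that every packet is a new, unknown flow.
    return [("10.0.0.9", "10.0.0.2", 10000 + i) for i in range(n)]

def run(proactive, n_pkts=1000):
    """Return (packet-ins seen by the controller, packets dropped, table size)."""
    sw = Switch(proactive, ALLOWED)
    outcomes = Counter(sw.handle(k) for k in attack_traffic(n_pkts))
    return sw.packet_ins, outcomes["drop"], len(sw.table)

def flood_suspects(keys, threshold=100):
    """Detection: sources that opened more than `threshold` distinct new flows."""
    per_src = Counter(src for src, _, _ in set(keys))
    return sorted(src for src, n in per_src.items() if n > threshold)
```

In reactive mode every attack packet becomes a packet-in and a table entry, while the proactive switch drops all of them locally and keeps only its two policy entries.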
Security in SDN --- Malicious Applications
Trust issue between the controller and applications
[Diagram: several applications running on top of the SDN controller]
Malicious applications can now be easily developed and deployed on controllers.
Possible solution: software attestation.
Security in SDN --- Control Channel Attack
Attack on the control channel
[Diagram: the SDN controller connected to the switch over the control channel, protected by SSL]
An attacker can pretend to be either the controller or the switch!
Possible solution 1: encrypt the channel with SSL.
Security in SDN --- Control Channel Attack
Possible solution 2 to the attack on the control channel: separate the network.
Security in SDN --- Misconfiguration
Conflicting flow rules on an OF switch:
Multiple OF applications run on a network controller device. Different applications insert different control policies dynamically, so conflicting flow rules may arise!
App 1: A to B; modify SRC IP to X.
App 2: X to B; modify DST IP to C.
App 3: X to C; forward.
BLOCK: A to C.
[Diagram: hosts A, B, X and C attached to the SDN controller's switch; the three application rules together let traffic from A reach C despite the block]
Security in SDN --- Misconfiguration
Forwarding loops
[Diagram: overlapping prefix rules on neighbouring switches ("10.1.x.x; to Blue", "10.x.x.x; to B", "10.1.x.x; to A", "10.x.x.x; to Green") send the packet around in a circle instead of to its destination]
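An added example, not from the slides: a loop check over constructed per-switch prefix tables (the switch names, prefixes and next hops are assumptions), tracing a destination hop by hop the way the packet on the slide circulates:

```python
# Added example, not from the slides: detect forwarding loops in a set of
# per-switch prefix tables by tracing a destination address hop by hop.
# Switch names, prefixes and next hops are constructed for illustration.
from ipaddress import ip_address, ip_network

# Each table maps a prefix to its next hop: another switch, or "host" for
# local delivery. Switch C sends 10.1.x.x back to A, which closes a loop.
TABLES = {
    "A": {"10.1.0.0/16": "B", "10.0.0.0/8": "host"},
    "B": {"10.0.0.0/8": "C"},
    "C": {"10.1.0.0/16": "A", "10.0.0.0/8": "host"},
}

def lookup(table, dst):
    # Longest-prefix match, as a switch or router performs it.
    addr, best = ip_address(dst), None
    for prefix, next_hop in table.items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else "drop"

def trace(dst, start):
    """Follow dst from switch `start`; return (path, looped)."""
    path, here = [], start
    while here not in ("host", "drop"):
        if here in path:
            return path + [here], True   # switch revisited: forwarding loop
        path.append(here)
        here = lookup(TABLES[here], dst)
    return path, False

def loop_prone_prefixes():
    """Prefixes for which some ingress switch produces a loop."""
    found = set()
    for table in TABLES.values():
        for prefix in table:
            probe = str(ip_network(prefix)[1])   # one address inside the prefix
            if any(trace(probe, start)[1] for start in TABLES):
                found.add(prefix)
    return sorted(found)
```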
Security in SDN --- Misconfiguration
NOX controller
NOX: an open-source platform that simplifies the creation of software for controlling or monitoring networks. The controller relays flow rules from OF applications to the switch.
Security in SDN --- Misconfiguration
Possible solution: FortNOX --- an extension to the NOX controller that provides non-bypassable flow rules. When flow rules conflict, it compares the authorization levels of their producers' roles.
Security in SDN --- Misconfiguration
Role-based source authentication: assign a priority to a candidate flow rule, recognizing 3 standard authorization levels among flow rule producers.
OF Operator level: defines the authoritative security policy
OF Security level: adds flow constraints to combat live threat activity
OF Application level: legacy OF apps
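An added example that is neither the slides' nor FortNOX's own code: a simplified alias-set reduction and role-based arbitration in the style the two previous slides describe, applied to the App 1 / App 2 / App 3 scenario from the misconfiguration slide. Hosts A, B, C, X, the role names, the rule fields (producer, src, dst, action, set_src/set_dst as header rewrites on match) and the tie rule (an existing rule wins against a candidate of equal authority) are assumptions.

```python
# Added example, not from the slides and not FortNOX's own code: a simplified
# alias-set reduction and role-based arbitration in the style FortNOX describes,
# run on the App 1 / App 2 / App 3 scenario of the misconfiguration slide.
from collections import namedtuple
LEVEL = {"operator": 3, "security": 2, "application": 1}   # OF authorization roles
Rule = namedtuple("Rule", "producer src dst action set_src set_dst", defaults=(None, None))

def alias_sets(seed, table):
    # Follow header rewrites through every rule the seed can chain into, until the
    # sets of addresses a matching packet may end up carrying stop growing.
    srcs, dsts = {seed.src}, {seed.dst}
    while True:
        before = (len(srcs), len(dsts))
        for r in table:
            if r.src in srcs and r.dst in dsts:
                srcs |= {r.set_src} - {None}
                dsts |= {r.set_dst} - {None}
        if (len(srcs), len(dsts)) == before:
            return srcs, dsts

def violated(table):
    """Drop rules that some forward rule's alias sets reach, i.e. that get bypassed."""
    hit = []
    for seed in (r for r in table if r.action == "forward"):
        srcs, dsts = alias_sets(seed, table)
        hit += [r for r in table if r.action == "drop" and r not in hit
                and r.src in srcs and r.dst in dsts]
    return hit

def admit(candidate, table):
    # Returns None if accepted, else the reason. Assumes the table is conflict-free;
    # equal authority: existing rule wins; higher authority overrides (no eviction).
    for blocked in violated(table + [candidate]):
        if LEVEL[candidate.producer] <= LEVEL[blocked.producer]:
            return f"bypasses {blocked.producer} rule {blocked.src}->{blocked.dst}"
    return None

def slide_scenario():
    table = [Rule("security", "A", "C", "drop")]          # BLOCK: A -> C
    apps = [Rule("application", "A", "B", "forward", set_src="X"),
            Rule("application", "X", "B", "forward", set_dst="C"),
            Rule("application", "X", "C", "forward")]
    rejected = {}
    for r in apps:
        why = admit(r, table)
        if why is None:
            table.append(r)
        else:
            rejected[f"{r.src}->{r.dst}"] = why
    return rejected
```

With the rules inserted in the order App 1, App 2, App 3, App 2 is the one that completes the rewrite chain A -> B -> C around the block, so it is the rule the Security-level block rejects.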
Security in SDN --- OpenDaylight Controller
Another possible solution, in the OpenDaylight controller: Defense4All.
--- Monitoring the behavior of protected traffic
--- Diverting attacked traffic to selected AMSs (attack mitigation systems)
SDN Security Research in IDA
SASER: Safe And Secure European Routing
--- Start date: August 2012
--- End: September 2015
--- Total budget: about 80 million Euros
--- Effort: more than 500 person years
SDN-related research:
--- Security concept for a new architecture based on software defined networking
--- General architecture specification
--- Network optimization
Challenges coexist with opportunities.
Conclusion
The evolution of SDN from the legacy network
Security challenges in SDN and possible solutions
SDN research in IDA