Security Challenges & Opportunities in Software Defined Networks (SDN)

Slide 1: Security Challenges & Opportunities in Software Defined Networks (SDN)
June 30th, 2015, SEC2 2015 (Premier atelier sur la sécurité dans les Clouds)
Nizar KHEIR, Cyber Security Researcher, Orange Labs Products and Services
Orange Public, Nizar KHEIR

Slide 2: Understanding the SDN Concept
Analogy with the operating system:
- Applications: supply value-added services that leverage the main physical assets of the underlying system.
- Operating system: provides a mediation layer between the application logic and the physical hardware. It may be accessed through dedicated APIs and system calls.
- Hardware: supplies a collection of physical elements (CPU, memory, HDD, network) that make compute, data and storage capabilities available to execute the application logic.

Slide 3: SDN as a Network Operating System
Figure: the SDN controller (network OS) sits above the network infrastructure of networking devices and exchanges OpenFlow messages with them (Packet_In from the devices, Flow_mod from the controller, etc.).

Slide 4: Global SDN Architecture
- SDN application plane: service and application logic; applications such as routing, QoS and security.
- Northbound application interface: e.g. REST, Java (not standardized).
- SDN control plane: the controller (topology management), e.g. NOX, OpenDayLight, FloodLight.
- Southbound network interface: e.g. the OpenFlow standard, carrying OpenFlow control messages.
- Data plane: forwarding devices, e.g. network devices from Cisco, Juniper, Alcatel.

Slide 5: Common Benefits
- Central management: global routing policies instead of separate device configuration.
- Network abstraction layer: dissociate network management from low-level configuration.
- Adaptive/autonomic network management: set up autonomous reaction strategies against failures and security incidents.
- Network slicing and isolated management: segregate network traffic into different slices using isolated control logic.
Figure (network slicing using SDN): normal traffic is handled by one SDN controller at QoS level a and VIP traffic by a separate SDN controller at QoS level b, both over the same data plane.

Slide 6: Security Challenges with SDN
Global risk overview (the numbers refer to the positions marked on the slide's diagram of users, data plane, control plane and controller):
(1) Attacks in the data plane
- Common to legacy attacks
(2) Attacks on switches
- Impact on data plane traffic
- Impact on control plane (LLDP tampering)
(3) Attacks on the control plane
- DDoS by flooding Packet_In messages
- Topology poisoning via address spoofing (ARP, LLDP, IGMP)
(4) Attacks on the controller
- Malicious or untrusted applications
- Saturation of device forwarding tables
- Lack of isolation and conflict resolution

Slide 7: Topology Poisoning Attacks on SDN
Data plane link fabrication attack.
Threat model and constraints:
- The attacker controls only a few virtual machines connected to the SDN network.
Link discovery in OpenFlow networks (left diagram): the SDN controller sends an LLDP Packet_Out to a device, the device emits the LLDP advertisement on its ports, the neighbouring device returns the advertisement to the controller in an LLDP Packet_In, and the controller infers a link between the two devices.
Link fabrication attack mechanism (right diagram): infected terminals attached to Device A and Device B relay the LLDP advertisement between them over a covert channel, so the controller receives a Packet_In that makes it record a forged link between Device A and Device B.
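As an added example (not code from the slides or from any SDN controller), this is the controller-side check that the countermeasures for link fabrication boil down to: each LLDP probe the controller emits carries an HMAC over (switch, port, emit time), and a returning Packet_In is only turned into a link if the stamp verifies, is fresh, has not been seen before, and neither end is a port already known to face a host. The key handling, the probe layout (a hypothetical TLV) and the host-port bookkeeping are assumptions.

```python
import hashlib, hmac, struct

# Constructed example of controller-side LLDP verification (not the slides'
# or any controller's own code). The controller stamps each LLDP probe with
# an HMAC over (dpid, port, emit time) and validates it on the way back.
KEY = b"controller-secret-rotated-regularly"   # assumption: held only by the controller
MAX_AGE = 5.0                                    # seconds a probe stays acceptable
BODY_FMT = "!QHd"                                # dpid, port, emit time (18 bytes)
BODY_LEN = struct.calcsize(BODY_FMT)

def make_probe(dpid, port, key, now):
    """Opaque payload the controller puts in the LLDP Packet_Out (hypothetical TLV)."""
    body = struct.pack(BODY_FMT, dpid, port, now)
    return body + hmac.new(key, body, hashlib.sha256).digest()

def verify_link(payload, in_dpid, in_port, key, now, host_ports, seen):
    """Return (accepted, reason, link) for an LLDP payload arriving in a Packet_In.
    host_ports: (dpid, port) pairs that have already carried host traffic;
    seen: set of probe bodies already accepted (the caller keeps both)."""
    if len(payload) != BODY_LEN + 32:
        return False, "malformed", None
    body, tag = payload[:BODY_LEN], payload[BODY_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return False, "bad_hmac", None            # not minted by this controller
    src_dpid, src_port, emitted = struct.unpack(BODY_FMT, body)
    if now - emitted > MAX_AGE:
        return False, "stale", None               # old probe re-injected later
    if body in seen:
        return False, "replayed", None            # same probe surfacing a second time
    if (src_dpid, src_port) in host_ports or (in_dpid, in_port) in host_ports:
        return False, "host_port", None           # a host-facing port cannot be a switch link
    seen.add(body)
    return True, "ok", ((src_dpid, src_port), (in_dpid, in_port))

if __name__ == "__main__":
    probe = make_probe(1, 3, KEY, 1000.0)
    print(verify_link(probe, 2, 7, KEY, 1001.0, set(), set()))      # accepted link (1,3)-(2,7)
    print(verify_link(probe, 2, 7, KEY, 1001.0, {(2, 7)}, set()))   # rejected: host_port
```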

Slide 8: Control plane saturation attacks
Flooding the controller with Packet_In messages.
- Limited monitoring support for many security applications in OpenFlow.
- Inherent communication bottleneck between the control and data planes, which enables control plane saturation attacks.
Figure: malicious terminals (bots) send packets through Device A toward a destination; each new flow raises a Packet_In to the SDN controller, which replies with a FlowMod, so a flood of new flows becomes Packet_In flooding of the controller.
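As an added example (not code from the slides or from any SDN controller), the mitigation that follows from the slide's bottleneck observation: a per-ingress-port token bucket in front of the Packet_In handler, which, once a port exhausts its budget, pushes the load back into the data plane with a short-lived drop rule for that port instead of letting it consume controller cycles. The rate and burst values, the FlowMod-like dictionary and the traffic mix are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed example (not the slides' or any controller's own code): a per-port
# token bucket so one flooding port cannot starve the Packet_In handler.
RATE = 10.0    # new flows per second a single (switch, port) may raise normally
BURST = 20     # short burst tolerated before the port is quarantined

class PacketInGuard:
    def __init__(self, rate=RATE, burst=BURST):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: float(burst))   # per (dpid, in_port)
        self.last = {}                                    # last refill time per port
        self.quarantined = {}                             # (dpid, port) -> FlowMod-like dict

    def admit(self, dpid, in_port, now):
        """Decide for one Packet_In: 'process', 'quarantine' (first overflow) or 'drop'."""
        key = (dpid, in_port)
        if key in self.quarantined:
            return "drop"                 # a switch-side rule is already absorbing this port
        elapsed = now - self.last.get(key, now)
        self.tokens[key] = min(self.burst, self.tokens[key] + elapsed * self.rate)
        self.last[key] = now
        if self.tokens[key] >= 1.0:
            self.tokens[key] -= 1.0
            return "process"
        # Bucket empty: install a drop rule for that ingress port, just above the
        # table-miss entry so established flows keep their higher-priority rules
        # (an empty action list means drop in OpenFlow).
        self.quarantined[key] = {"dpid": dpid, "priority": 1, "match": {"in_port": in_port},
                                 "actions": [], "idle_timeout": 30}
        return "quarantine"

def replay(guard, events):
    """Run (dpid, in_port, time) Packet_In events in time order; return decision counts."""
    return Counter(guard.admit(d, p, t) for d, p, t in sorted(events, key=lambda e: e[2]))

def demo():
    # Constructed traffic: a bot behind port 5 opens 100 flows in 100 ms,
    # a normal host behind port 1 opens 3 flows over one second.
    bot = [(1, 5, i / 1000.0) for i in range(100)]
    host = [(1, 1, 0.0), (1, 1, 0.5), (1, 1, 1.0)]
    return replay(PacketInGuard(), bot + host)

if __name__ == "__main__":
    print(dict(demo()))   # {'process': 23, 'quarantine': 1, 'drop': 79}
```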

Slide 9: Defending SDNs from malicious applications
Security enforcement within SDN controllers: there are no effective mechanisms to enforce access control and conflict resolution among SDN applications.
Example of the NOX controller: core apps, net apps and web apps run on top of the existing components (connection manager, event dispatcher, OpenFlow manager, DSO deployer), which rely on input/output (socket, asynchronous file, OpenFlow API) and core services (threading and event management, network protocols, data structures, utilities). There is no built-in access control management and conflict handling.

Slide 10: Defending SDNs from malicious applications (cont'd)
Security enforcement within SDN controllers: two competing directions for enforcing security and access control in SDN architectures.
- Security enforcement kernel: a single controller whose kernel adds app credential management, RBAC authentication, administrator rules, security-related rules and application rules, RCA and conflict analysis, and a state table manager next to the other controller functionalities, all above the OpenFlow API and the forwarding tables.
- Seamless network slicing: several controllers (control logic 1 ... n), each with its own apps (App 1 ... App n), placed by a network orchestrator into isolated network slices according to an isolation policy, each slice driving its own forwarding tables (routers) through the OpenFlow API.
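As an added example (not code from the slides or from any controller), the conflict-analysis step of the security enforcement kernel direction: every flow rule carries the role of the application that produced it, and a candidate rule is rejected when it overlaps, with a different action, a rule from a higher-authority role, while a higher-authority candidate evicts the lower rules it contradicts. The role hierarchy, the rule dictionaries and the conservative overlap test (any overlapping match with a differing action counts) are assumptions.

```python
import ipaddress

# Constructed example of role-based conflict analysis in a security enforcement
# kernel (not the slides' or any controller's own code).
ROLE_RANK = {"admin": 3, "security": 2, "app": 1}     # assumed authority hierarchy
IP_FIELDS = ("nw_src", "nw_dst")                      # prefix-valued match fields

def matches_overlap(a, b):
    """True if some packet could satisfy both OpenFlow-style matches (absent field = wildcard)."""
    for field in set(a) & set(b):
        if field in IP_FIELDS:
            if not ipaddress.ip_network(a[field], strict=False).overlaps(
                    ipaddress.ip_network(b[field], strict=False)):
                return False
        elif a[field] != b[field]:
            return False
    return True

def evaluate(installed, candidate):
    """Return {'accept': bool, 'rejected_by': [ids], 'evicts': [ids]} for a candidate rule."""
    rank = ROLE_RANK[candidate["role"]]
    rejected_by, evicts = [], []
    for rule in installed:
        if rule["action"] == candidate["action"] or not matches_overlap(rule["match"], candidate["match"]):
            continue                          # same effect or disjoint traffic: no conflict
        if rank < ROLE_RANK[rule["role"]]:
            rejected_by.append(rule["id"])    # would contradict a higher-authority rule
        elif rank > ROLE_RANK[rule["role"]]:
            evicts.append(rule["id"])         # higher authority wins; the lower rule is removed
        # equal authority: left to ordinary OpenFlow priority ordering
    return {"accept": not rejected_by, "rejected_by": rejected_by, "evicts": evicts}

# Constructed state: a security application blocks telnet into the 10.0.0.0/24 segment.
SECURITY_RULES = [
    {"id": "sec-telnet", "role": "security", "priority": 500, "action": "drop",
     "match": {"ip_proto": 6, "tp_dst": 23, "nw_dst": "10.0.0.0/24"}},
]

def demo():
    app_bypass = {"id": "app-1", "role": "app", "priority": 900, "action": "forward",
                  "match": {"ip_proto": 6, "tp_dst": 23, "nw_dst": "10.0.0.5/32"}}
    app_web = {"id": "app-2", "role": "app", "priority": 900, "action": "forward",
               "match": {"ip_proto": 6, "tp_dst": 80}}
    return evaluate(SECURITY_RULES, app_bypass), evaluate(SECURITY_RULES, app_web)

if __name__ == "__main__":
    print(demo())   # first candidate rejected by sec-telnet, second accepted
```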

Slide 11: What about SDN security applications (cont'd)?
Dynamic and lightweight composition of security services (figure with four panels over a source, the SDN data plane, a destination and the security service s1):
(a) Network topology.
(b) No security service: shortest path routing.
(c) Subscribed security service: shortest path through the security service.
(d) Subscribed security service: multiple shortest paths with passive monitoring.

Slide 12: What about SDN security applications?
Seamless and autonomic security incident management: enhancing SDN capabilities by introducing a framework for the modular composition of event-driven security services.
Figure: a security engine with an event manager, a security resource manager and a database draws on a library of SDN security modules (A, B, C, D) and activates the modules it needs; these run as SDN applications on the SDN controller above a security enforcement kernel, which exchanges OpenFlow messages with the SDN data plane devices.

Slide 13: Network security monitoring in SDN
Open issues and questions: a security monitoring framework as an SDN application.
- Packet content is sent to the DPI application using Packet_In messages; a statistics/NetFlow application and a monitoring application feed the data/security analytics on the SDN controller.
- Pros: straightforward approach (leverages inherent SDN capabilities); no intelligence required in the data plane devices.
- Cons: bottleneck, since all traffic is forwarded to the controller (at least the first packets of a flow).

Slide 14: Conclusion
SDN security challenges have sparked multiple research efforts in recent years:
- Resilience of the SDN control plane => avoid bottlenecks and single points of failure.
- Management of the SDN control plane => detect and handle poisoning attacks.
- Security and reliability of the SDN data plane => diagnose failures and data plane attacks.
- Open innovation ecosystem => enable isolation and security enforcement.
But also several opportunities in terms of enhancing autonomic security monitoring:
- Bridge the longstanding gap between detection and remediation of security incidents.
- Network layer abstraction, which enables comprehensive security management and dissociates security mechanisms from low-level configuration.

Slide 15: Thank you
June 30th, 2015, SEC2 2015 (Premier atelier sur la sécurité dans les Clouds)
nizar.kheir@orange.com