Security Challenges & Opportunities in Software Defined Networks (SDN)
June 30th, 2015, SEC2 2015, Premier atelier sur la sécurité dans les Clouds
Nizar KHEIR, Cyber Security Researcher, Orange Labs Products and Services
1 Orange Public Nizar KHEIR
Understanding the SDN Concept
Analogy with the operating system
- Applications: supply value-added services that leverage the main physical assets of the underlying system
- Operating system: provides a mediation layer between the application logic and the physical hardware; it is accessed through dedicated APIs and system calls
- Hardware: supplies the collection of physical elements (CPU, memory, HDD, network) that make compute, data and storage capabilities available to execute the application logic
SDN as a Network Operating System
- The SDN controller acts as the network OS on top of the network infrastructure (the networking devices)
- Controller and devices talk through OpenFlow messages: Packet_In, Flow_mod, etc.
(Figure: a networking device raises a Packet_In to the SDN controller, which answers with Flow_mod messages to the networking devices)
Global SDN Architecture
- SDN application plane: service and application logic; applications such as routing, QoS, security
- Northbound application interface: e.g. REST, Java (not standardized)
- SDN control plane: the controller, in charge of topology management, e.g. NOX, OpenDayLight, FloodLight
- Southbound network interface: e.g. the OpenFlow standard, carrying OpenFlow control messages
- Data plane: the forwarding devices, e.g. Cisco, Juniper, Alcatel
Common Benefits
- Central management: global routing policies instead of separate device configuration
- Network abstraction layer: dissociate network management from low-level configuration
- Adaptive/autonomic network management: set up autonomous reaction strategies against failures and security incidents
- Network slicing and isolated management: segregate network traffic into different slices using isolated control logic
(Figure: network slicing using SDN, where normal traffic is handled by one SDN controller at QoS level a and VIP traffic by a separate SDN controller at QoS level b, both over the same data plane)
Security Challenges with SDN
Global risk overview
(1) Attacks in the data plane
- Common to legacy attacks
(2) Attacks on s
- Impact on data plane traffic
- Impact on control plane (LLDP tampering)
(3) Attacks on the control plane
- DDoS by flooding Packet_In messages
- Topology poisoning via address spoofing (ARP, LLDP, IGMP)
(4) Attacks on the controller
- Malicious or untrusted applications
- Saturation of device forwarding tables
- Lack of isolation and conflict resolution
(Figure: users, data plane, control plane and controller, annotated with the locations of attacks (2), (3) and (4))
Topology Poisoning Attacks on SDN
Data plane link fabrication attack
Threat model and constraints
- The attacker controls only a few virtual machines connected to the SDN network
Link discovery in OpenFlow networks
- (1) The SDN controller sends an LLDP Packet_out to Device A
- (2) Device A emits the LLDP advertisement towards its neighbour Device B
- (3) Device B returns the advertisement to the SDN controller in an LLDP Packet_In, from which the controller records the link A-B
Link fabrication attack mechanism
- An infected terminal attached to Device A captures the LLDP advertisement and relays it over a covert channel to a second infected terminal attached to another device (Device B or Device C in the figure), which injects it back; the resulting LLDP Packet_In (4) makes the controller record a forged link between the two devices
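As an added example (not code from the slides or from Orange), the two controller-side checks a defender can apply before an LLDP Packet_In becomes a topology link: an HMAC tag minted by the controller, which rejects crafted or replayed LLDP frames, and a host-port check, which rejects a genuine advertisement relayed through ports where VMs live. Class and message layout are assumptions; timestamps are passed explicitly so the behaviour is deterministic.

```python
import hashlib
import hmac
import time


class LinkDiscoveryGuard:
    """Validates LLDP Packet_In reports before a link enters the topology (constructed example)."""

    def __init__(self, key, max_age=5):
        self.key = key                # secret known only to the controller
        self.max_age = max_age        # seconds an LLDP payload stays acceptable
        self.host_ports = set()       # (dpid, port) pairs that have sourced host traffic
        self.links = set()            # accepted (src_dpid, src_port, dst_dpid, dst_port)

    def _tag(self, dpid, port, ts):
        msg = "{}:{}:{}".format(dpid, port, ts).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def build_lldp(self, dpid, port, now=None):
        """Payload the controller emits in its LLDP Packet_out for (dpid, port)."""
        ts = int(time.time()) if now is None else now
        return {"dpid": dpid, "port": port, "ts": ts, "tag": self._tag(dpid, port, ts)}

    def note_host_traffic(self, dpid, port):
        """Any non-LLDP Packet_In from a port marks it as host-facing."""
        self.host_ports.add((dpid, port))

    def on_lldp_packet_in(self, lldp, in_dpid, in_port, now=None):
        """Returns 'accept' or a 'reject: <reason>' string for a reported link."""
        ts = int(time.time()) if now is None else now
        # Check 1: the payload must have been minted by this controller and be fresh,
        # so nobody can craft LLDP frames from scratch or replay old ones.
        expected = self._tag(lldp["dpid"], lldp["port"], lldp["ts"])
        if not hmac.compare_digest(expected, lldp.get("tag", "")):
            return "reject: bad tag"
        if ts - lldp["ts"] > self.max_age:
            return "reject: stale"
        # Check 2: a genuine switch-to-switch link never ends on a port that has
        # carried host traffic; this catches an advertisement relayed by infected VMs.
        for endpoint in ((in_dpid, in_port), (lldp["dpid"], lldp["port"])):
            if endpoint in self.host_ports:
                return "reject: host port"
        self.links.add((lldp["dpid"], lldp["port"], in_dpid, in_port))
        return "accept"


if __name__ == "__main__":
    guard = LinkDiscoveryGuard(b"controller-secret")
    lldp = guard.build_lldp("switch-A", 1, now=1000)
    print(guard.on_lldp_packet_in(lldp, "switch-B", 2, now=1001))   # accept
    guard.note_host_traffic("switch-C", 7)                            # a VM lives on C:7
    print(guard.on_lldp_packet_in(lldp, "switch-C", 7, now=1002))   # reject: host port
```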
Control plane saturation attacks
Flooding the controller with Packet_In messages
- Limited monitoring support for many security applications in OpenFlow
- Inherent communication bottleneck between control and data planes, which enables control plane saturation attacks
(Figure: malicious terminals (bots) attached to Device A send packets towards a destination; each new flow raises a Packet_In to the SDN controller, which has to answer with a FlowMod, so the controller is flooded)
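An added example (not from the slides or Orange) of the monitoring a controller application can run to spot the saturation pattern above: a sliding-window Packet_In counter per ingress port that returns a throttle decision for the port exceeding its budget. The class, thresholds and the replayed trace are constructed for illustration.

```python
from collections import defaultdict, deque


class PacketInRateMonitor:
    """Sliding-window Packet_In counter per ingress port (constructed example)."""

    def __init__(self, window=1.0, threshold=50):
        self.window = window                 # seconds
        self.threshold = threshold           # Packet_In messages allowed per window and port
        self.arrivals = defaultdict(deque)   # (dpid, in_port) -> recent arrival times
        self.throttled = set()

    def on_packet_in(self, dpid, in_port, ts):
        """Records one Packet_In; returns a decision once the port exceeds its budget."""
        key = (dpid, in_port)
        window = self.arrivals[key]
        window.append(ts)
        while window and ts - window[0] > self.window:
            window.popleft()                 # forget arrivals older than the window
        if len(window) > self.threshold and key not in self.throttled:
            self.throttled.add(key)
            # What a defender app would turn into a FlowMod: e.g. a low-priority rule on that
            # port so table misses are dropped locally instead of punted to the controller.
            return {"action": "throttle", "dpid": dpid, "in_port": in_port, "rate": len(window)}
        return None


def replay_constructed_trace():
    """Constructed trace: a benign host on port 1 and a bot burst on port 3 of Device A."""
    monitor = PacketInRateMonitor(window=1.0, threshold=50)
    events = [("A", 1, i * 0.1) for i in range(20)]            # 10 Packet_In/s, benign
    events += [("A", 3, 0.5 + i * 0.005) for i in range(200)]  # 200 Packet_In in 1 s, flood
    events.sort(key=lambda e: e[2])
    decisions = []
    for dpid, port, ts in events:
        decision = monitor.on_packet_in(dpid, port, ts)
        if decision:
            decisions.append(decision)
    return decisions


if __name__ == "__main__":
    for d in replay_constructed_trace():
        print(d)   # a single throttle decision for A:3
```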
Defending SDNs from malicious applications
Security enforcement within SDN controllers
- No effective mechanisms to enforce access control and conflict resolution among SDN applications
Example of the NOX controller
- Applications: core apps, net apps, web apps
- Existing components: connection manager, event dispatcher, OpenFlow manager, DSO deployer
- Core services: threading and event management; network protocols, data structures, utilities
- Input/output: socket, asynchronous file, OpenFlow API
- No built-in access control management and conflict handling
Defending SDNs from malicious applications (cont'd)
Security enforcement within SDN controllers
Two competing directions for enforcing security and access control in SDN architectures
- Security enforcement kernel: applications App 1 to App n run above a kernel inside the controller that handles app credential management and RBAC authentication, holds administrator rules, security-related rules and application rules, performs RCA conflict analysis and manages the state table, next to the other controller functionalities; the kernel programs the forwarding tables through the OpenFlow API
- Seamless network slicing: control logic 1 to control logic n run in separate controllers; a network orchestrator enforces an isolation policy and gives each slice its own isolated network (routers) and forwarding tables through the OpenFlow API
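An added example (not the slides' or any controller's own code) of the conflict analysis an enforcement kernel performs on rules submitted by competing applications: overlapping matches with different actions are reported, and a non-privileged application overriding a security application's decision is flagged as critical. The rule model, app roles and rule set are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class FlowRule:
    app: str        # SDN application that submitted the rule
    priority: int   # OpenFlow priority: higher wins on overlapping matches
    match: dict     # header field -> value; a missing field is a wildcard
    action: str     # "drop" or "fwd:<port>"


def intersects(m1, m2):
    """Two matches share packets unless some field is set to different values in both."""
    return all(m1[f] == m2[f] for f in m1.keys() & m2.keys())


def covers(general, specific):
    """True when every packet matched by `specific` is also matched by `general`."""
    return all(f in specific and specific[f] == v for f, v in general.items())


def find_conflicts(rules, privileged=("security",)):
    """Pairwise rule conflict analysis of the kind an enforcement kernel runs (constructed)."""
    findings = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.action == b.action or not intersects(a.match, b.match):
                continue
            hi, lo = (a, b) if a.priority >= b.priority else (b, a)
            kind = "shadow" if covers(hi.match, lo.match) else "overlap"
            # A non-privileged app overriding a privileged (security) app's decision is the
            # case the kernel must block; the remaining conflicts are reported to the operator.
            severity = "critical" if lo.app in privileged and hi.app not in privileged else "warning"
            findings.append({"kind": kind, "severity": severity, "winner": hi.app, "loser": lo.app})
    return findings


# Constructed rule set: a security app quarantines a host while two other apps route traffic.
RULES = [
    FlowRule("security", 100, {"ip_src": "10.0.0.5"}, "drop"),
    FlowRule("routing", 200, {}, "fwd:2"),                      # catch-all that overrides the drop
    FlowRule("qos", 150, {"tcp_dst": 80}, "fwd:3"),             # overlaps the drop on port 80
    FlowRule("routing", 50, {"ip_dst": "10.0.0.9"}, "fwd:4"),   # lower priority: only a warning
]

if __name__ == "__main__":
    for finding in find_conflicts(RULES):
        print(finding)
```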
What about SDN security applications (cont'd)?
Dynamic and lightweight composition of security services
(Figure: (a) network topology with a security service s1 in the SDN data plane between source and destination; (b) no security service subscribed: shortest path routing; (c) subscribed security service: shortest path through s1; (d) subscribed security service: multiple shortest paths with passive monitoring by s1)
What about SDN security applications?
Seamless and autonomic security incident management
- Enhancing SDN capabilities by introducing a framework for the modular composition of event-driven security services
(Figure: a security engine made of a security resource manager, an event manager and a DB picks SDN security modules A, B, C and D from a library and activates them; the activated modules run as SDN applications on an SDN controller fitted with a security enforcement kernel, which drives the SDN data plane devices through OpenFlow messages)
Network security monitoring in SDN
Open issues and questions
A security monitoring framework as an SDN application
- Packet content is sent to the DPI application using Packet_In messages
- Monitoring applications on top of the SDN controller: DPI application (packet content), statistics/NetFlow application, data/security analytics
Pros:
- Straightforward approach (leverages the inherent SDN mechanisms)
- No intelligence required in the data plane devices
Cons:
- Bottleneck, since all traffic is forwarded to the controller (at least the first packets of each flow)
Conclusion
SDN security challenges have sparked multiple research efforts in recent years
- Resilience of the SDN control plane => avoid bottlenecks and single points of failure
- Management of the SDN control plane => detect and handle poisoning attacks
- Security and reliability of the SDN data plane => diagnose failures and data plane attacks
- Open innovation ecosystem => enable isolation and security enforcement
But also several opportunities in terms of enhancing autonomic security monitoring
- Bridge the longstanding gap between detection and remediation of security incidents
- Network layer abstraction, which enables comprehensive security management and dissociates security mechanisms from low-level configuration
Thank you
June 30th, 2015, SEC2 2015, Premier atelier sur la sécurité dans les Clouds
nizar.kheir@orange.com