
4.1 SECURITY PROBLEMS IN SDN

4.1.2 COUNTERMEASURES FOR OPENFLOW-BASED SDNS

To reduce the security threats in SDNs, various countermeasures can be embedded in the network. A number of countermeasures that can be applied to the different elements of an SDN/OpenFlow-enabled network are summarized in Table 4.3. The current versions of the OpenFlow specification (version 1.3.1 and later) already recommend some of these measures, such as event filtering, rate limiting, shorter timeouts and flow aggregation, but most of them are not yet implemented or supported in SDN deployments.

To mitigate or prevent attacks, several approaches such as attack detection mechanisms, firewalls, access control and intrusion detection can be used, and they can be applied in various devices such as middleboxes, controllers and forwarding devices. For instance, middleboxes can be a good choice for enforcing security policies in an enterprise, since they are more robust, high-performance devices. Placing the countermeasures there also reduces the overload that applying them directly on forwarding devices or controllers would cause, but it can increase the complexity of network management.

Measure              Description
-------------------  ------------------------------------------------------------------------
Attack detection     Applies mechanisms for finding various types of attacks.
Access control       Ensures authorization and authentication mechanisms on devices.
IPS and firewall     Tools that fend off different types of attacks by filtering the traffic.
Event filtering      Permits or blocks certain types of events from being handled by specific devices.
Forensics support    Helps discover the originator of a problem by enabling reliable storage of traces of network activity.
Flow aggregation     Fends off DoS attacks and information disclosure by using coarse-grained rules that match multiple flows.
Packet dropping      Devices are allowed to reject packets because of security rules or ongoing system load.
Intrusion tolerance  Allows the control platform to keep operating correctly even when intrusions occur.
Shorter timeouts     Reduces the impact of an attack that deflects traffic.
Rate limiting        Supports rate-limit control to prevent DoS attacks on the control plane.

Table 4.3 Countermeasures for Security Threats in OpenFlow Networks

To weaken attacks such as DoS and information disclosure, techniques like rate limiting, flow aggregation, packet dropping and shorter timeouts can be implemented on the controllers and forwarding devices. Packet dropping and rate limiting can be used to avoid DoS attacks on the control plane, or to stop ongoing attacks directly on the data plane by applying specific rules on the devices where the attack originates. With reduced timeouts, the attacker would be compelled to steadily generate forged packets to prevent timeout expiration, and the attack can then be detected easily.
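To make the interplay of these four measures concrete, here is an added toy simulation (not from this thesis or from any OpenFlow implementation) of a switch whose table misses go to a controller that rate limits packet_in messages with a token bucket, installs either per-host /32 or aggregated /24 rules, and expires idle entries. The burst of 500 packets to distinct hosts, the rate, burst and timeout values are all constructed for the illustration.

```python
import ipaddress

COST = 1000   # one packet_in costs 1000 millitokens; rate_per_sec tokens/s == rate_per_sec millitokens/ms

class Controller:
    """Token-bucket rate limit on packet_in, plus flow aggregation in the rules it installs."""

    def __init__(self, rate_per_sec, burst, aggregate):
        self.rate, self.cap, self.prefix = rate_per_sec, burst * COST, 24 if aggregate else 32
        self.tokens, self.last_ms, self.handled, self.dropped = self.cap, 0, 0, 0

    def packet_in(self, now_ms, dst):
        self.tokens = min(self.cap, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens < COST:
            self.dropped += 1                # excess packet_in discarded; controller stays responsive
            return None
        self.tokens -= COST
        self.handled += 1
        # aggregation: a coarse /24 covers every host of the subnet, a /32 covers a single host
        return ipaddress.ip_network(f"{dst}/{self.prefix}", strict=False)

class Switch:
    def __init__(self, controller, idle_timeout_ms):
        self.ctl, self.idle, self.table = controller, idle_timeout_ms, {}  # match -> last use (ms)

    def expire(self, now_ms):
        """Shorter idle timeouts evict entries that are no longer being refreshed."""
        self.table = {m: t for m, t in self.table.items() if now_ms - t < self.idle}

    def forward(self, now_ms, dst):
        self.expire(now_ms)
        ip = ipaddress.ip_address(dst)
        for match in self.table:
            if ip in match:
                self.table[match] = now_ms   # hit refreshes the idle timer
                return "hit"
        rule = self.ctl.packet_in(now_ms, dst)   # table miss goes to the controller
        if rule is None:
            return "dropped"                 # packet dropping under control-plane pressure
        self.table[rule] = now_ms
        return "installed"

def simulate(idle_timeout_ms, aggregate, look_at_ms=1000, rate_per_sec=100, burst=20):
    """Constructed burst: 500 packets, one per ms, each to a new host in 10.0.0.0/23."""
    sw = Switch(Controller(rate_per_sec, burst, aggregate), idle_timeout_ms)
    for i in range(500):
        sw.forward(i, str(ipaddress.ip_address("10.0.0.0") + i))
    sw.expire(look_at_ms)                    # flow table as seen at look_at_ms
    return {"handled": sw.ctl.handled, "dropped": sw.ctl.dropped, "table": len(sw.table)}
```

With per-host rules the bucket lets only 69 of the 500 misses reach the controller and a 600 ms idle timeout leaves 9 table entries one second later, whereas two aggregated /24 rules absorb the whole burst with no drops.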

Forensics and remediation encompass mechanisms such as secure logging, event correlation and consistent reporting. If something goes wrong in the network, the operators should be able to safely find where the threat originated and return the network to a safe operating mode as fast as possible. Furthermore, to increase robustness and security, techniques for tolerating intrusions and faults, such as reactive recovery, state machine replication, proactive recovery and diversity, can be added to the controller. SDN controllers should be able to withstand different types of attacks and events [79]. Replication is one of the most widely used traditional techniques for achieving high availability. Two further key techniques, proactive-reactive recovery and diversity, add value to the system by making it resistant to various types of failures and attacks.

To address the different threats and issues of SDN, other countermeasures involve enhancing the security and dependability of controllers, protecting and isolating applications, trust management between controllers and forwarding devices, integrity checks of controllers and applications, forensics and remediation, verification frameworks and resilient control planes [79].

Isolation and protection mechanisms should be a mandatory part of any controller. It is important that applications are separated from each other and from the controller. To avoid security problems caused by network applications, mechanisms such as data access protection and security domains should be put in place.

Another crucial necessity is establishing trust between the controller and the forwarding devices, which should ensure that compromised elements cannot damage the network without being detected. By spoofing the IP address of the controller, an attacker can take control of the switches and make them connect to its own controller. At the moment this is possible because most switches and controllers only establish insecure TCP connections. Additional integrity checks on controller and application software can help ensure that only trusted code is started when the system restarts. Beyond integrity checks, specialized detection systems should be developed for SDN.

Declarative languages for eliminating network protocol vulnerabilities are another method of handling security threats in SDN that should be mentioned. They can specify structural constraints, semantic constraints and safe access properties of OpenFlow messages. Such languages can help locate and remove implementation vulnerabilities in southbound specifications.

Basic security properties such as authentication and access control have already started to appear. A certificate-based authorization, authentication and accounting (AAA) architecture called C-BAS has been proposed for enhancing security control on SDN facilities. Solutions such as C-BAS can be made highly dependable and secure through hybrid system architectures that combine different mechanisms and technologies from security, distributed systems, and fault and intrusion tolerance.