How OpenFlow-based SDN can increase network security
Charles Ferland, IBM System Networking, representing the ONF
Important elements
• The objective is to build SDN networks that are as secure as, or more secure than, traditional networks
• SDN networks are very different from traditional networks, and so is the way to protect them
• Existing security threats might not apply to an SDN network, but new ones can
• SDN holds a huge potential to increase overall security within the network
• A simple PING from one server to another requires several configuration "touch points"
• Several different manufacturers/vendors
• Several different functional groups
[Diagram: Switch, Router, Switch, vSwitch, vSwitch, each one a separate configuration touch point]
The best security is the no-touch security
The more manual work required, the more potential for error, and therefore the more security risk is introduced
• A single logical configuration touch point
• Network configuration is flow and application driven instead of physical ports and features
• Less manual configuration reduces the risk of errors, especially in a highly dynamic environment
[Diagram: Switch, Router, Switch, vSwitch, vSwitch behind a single configuration touch point]
The best security is the no-touch security
• Single logical configuration touch point, regardless of vendors, etc.
[Diagram: five switches behind the single logical touch point]
In or out of band management
• A separate and dedicated network can be set up for the communication between the OF controller and the networking devices
• Low latency, lossless
• The management network can be a "traditional" network, not OF-aware
• Production traffic is not mixing with
IBM PNC – Example Configuration
An example of a network configured with IBM PNCs in a redundant manner is as follows.
[Diagram: IBM PNC #1 and IBM PNC #2, each with eth0, eth2 and eth4 on the IBM PNC control network (the network for controlling OpenFlow switches), sharing Floating IP1, Floating IP2 and Floating IP3; eth3 and eth5 on each PNC are bonded and connected directly to the other PNC for the cluster]

Interface name | IBM PNC#1 | Floating IP | Interface name | IBM PNC#2
eth0 | 192.168.1.1/24 | 192.168.1.10 | eth0 | 192.168.1.2/24
eth2 | 192.168.2.1/24 | 192.168.2.10 | eth2 | 192.168.2.2/24
eth4 | 192.168.3.1/24 | 192.168.3.10 | eth4 | 192.168.3.2/24
bond0 (eth3, eth5) | 192.168.0.1/24 | - | bond1 (eth3, eth5) | 192.168.0.2/24
The bond interfaces are for the cluster (connected directly).
SDN Security in 3 acts
[Diagram: three OpenFlow switches]
• Device must be secure
  – Authentication against the controller
  – CPU capabilities to encrypt control plane messages
  – "Slice" resources for multi-tenants
• Protocol must be secure
  – TLS session establishment protocol for communication
  – Mutual authentication via certificate exchange
  – Limited control plane messaging options
• Controller must be secure
  – OS security
  – Apps security
  – Errors are an order of magnitude more important
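The "limited control plane messaging options" point is easiest to see in code. The following is an added example written for this page (not code from the presentation or from any ONF, IBM or NEC product): a controller-side check that frames OpenFlow 1.0 messages out of the TCP stream and rejects anything a switch has no business sending. It assumes the OpenFlow 1.0 wire format (8-byte header of version, type, length and transaction id in network byte order) and the 1.0 message type numbers; the allow-list of switch-to-controller types and the 4096-byte size cap are hardening choices made here, not something the slide prescribes.

```python
"""Validate OpenFlow 1.0 messages arriving at a controller from a switch.

Added example, not code from the slides or from any product. Assumes the
OpenFlow 1.0 header layout and type numbers; the allow-list and size cap are
this example's own policy.
"""
import struct
from typing import List, Tuple

OFP_VERSION_1_0 = 0x01
OFP_HEADER = struct.Struct("!BBHI")  # version, type, length, xid
OFP_HEADER_LEN = OFP_HEADER.size     # 8 bytes

# OpenFlow 1.0 message type numbers (ofp_type in the 1.0 specification).
OFPT = {
    "HELLO": 0, "ERROR": 1, "ECHO_REQUEST": 2, "ECHO_REPLY": 3, "VENDOR": 4,
    "FEATURES_REQUEST": 5, "FEATURES_REPLY": 6, "GET_CONFIG_REQUEST": 7,
    "GET_CONFIG_REPLY": 8, "SET_CONFIG": 9, "PACKET_IN": 10, "FLOW_REMOVED": 11,
    "PORT_STATUS": 12, "PACKET_OUT": 13, "FLOW_MOD": 14, "PORT_MOD": 15,
    "STATS_REQUEST": 16, "STATS_REPLY": 17, "BARRIER_REQUEST": 18,
    "BARRIER_REPLY": 19, "QUEUE_GET_CONFIG_REQUEST": 20, "QUEUE_GET_CONFIG_REPLY": 21,
}
TYPE_NAME = {v: k for k, v in OFPT.items()}

# Types a switch legitimately sends toward the controller. Controller-only
# types (FLOW_MOD, PACKET_OUT, SET_CONFIG, ...) arriving on a switch session
# mean a confused or hostile peer and are rejected before any dispatch.
SWITCH_TO_CONTROLLER = frozenset(OFPT[n] for n in (
    "HELLO", "ERROR", "ECHO_REQUEST", "ECHO_REPLY", "VENDOR", "FEATURES_REPLY",
    "GET_CONFIG_REPLY", "PACKET_IN", "FLOW_REMOVED", "PORT_STATUS",
    "STATS_REPLY", "BARRIER_REPLY", "QUEUE_GET_CONFIG_REPLY",
))

# Upper bound the controller will buffer for one message (assumption: a local
# policy value, well above any legitimate 1.0 message a switch emits).
MAX_MESSAGE_LEN = 4096


def validate_switch_message(msg: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for one complete message received from a switch."""
    if len(msg) < OFP_HEADER_LEN:
        return False, "short header"
    version, mtype, length, _xid = OFP_HEADER.unpack_from(msg)
    if version != OFP_VERSION_1_0:
        return False, f"unsupported version {version}"
    if length < OFP_HEADER_LEN:
        return False, f"length field {length} smaller than header"
    if length != len(msg):
        return False, f"length field {length} does not match {len(msg)} bytes received"
    if length > MAX_MESSAGE_LEN:
        return False, f"message of {length} bytes exceeds policy maximum"
    if mtype not in SWITCH_TO_CONTROLLER:
        return False, f"type {mtype} ({TYPE_NAME.get(mtype, 'unknown')}) not allowed from a switch"
    return True, TYPE_NAME[mtype]


def split_stream(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Cut a TCP byte stream into whole messages using the header length field.

    Returns (complete_messages, leftover_bytes). A length field below the header
    size would make a naive reader spin forever, so it is rejected with ValueError.
    """
    msgs, pos = [], 0
    while len(stream) - pos >= OFP_HEADER_LEN:
        length = OFP_HEADER.unpack_from(stream, pos)[2]
        if length < OFP_HEADER_LEN:
            raise ValueError(f"invalid length {length} at offset {pos}")
        if len(stream) - pos < length:
            break  # partial message: wait for more bytes
        msgs.append(stream[pos:pos + length])
        pos += length
    return msgs, stream[pos:]


def ofp_message(mtype: int, xid: int, body: bytes = b"") -> bytes:
    """Build a 1.0 message with a correct length field (used for the samples)."""
    return OFP_HEADER.pack(OFP_VERSION_1_0, mtype, OFP_HEADER_LEN + len(body), xid) + body


if __name__ == "__main__":
    # Constructed sample session: a valid HELLO, then a FLOW_MOD a switch should
    # never send, then a PACKET_IN whose length field claims more than arrived.
    stream = (ofp_message(OFPT["HELLO"], 1)
              + ofp_message(OFPT["FLOW_MOD"], 2)
              + OFP_HEADER.pack(1, OFPT["PACKET_IN"], 64, 3) + b"\x00" * 8)
    msgs, rest = split_stream(stream)
    for m in msgs:
        print(validate_switch_message(m))
    print("bytes still waiting for the rest of a message:", len(rest))
```

The allow-list is the cheap half of "limited control plane messaging options"; the other half is the TLS session with mutual certificate authentication from the same slide, which decides who may open the session in the first place. Both are needed: a switch-side compromise still yields a peer with a valid certificate, and the allow-list is what keeps that peer from issuing controller-only commands.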
Cloud Multi Tenancy
[Diagram: Customer 1, Customer 2 and Customer 3 each have a Virtual Network of VMs and their own OpenFlow Controller; all three controllers program the shared switches through the OF API]
October 2012, Representing the ONF: Charles Ferland, IBM System Networking
SDN: Smarter use of Network and Appliances
[Diagram: SDN Controller with a global topology view and global link state, receiving Server/App feedback through the Controller API, and steering flows through a Firewall and a Load balancer over the OF API]
Advanced route control
■ Route control by OpenFlow: specific functions become available through the OpenFlow controller
(1) Efficient use of network bandwidth by route control on a per-flow basis
(2) Improved ease of maintenance of network devices by one-sided flows (capable of maintenance)
(3) Specify which devices (such as LB and FW) the packets go through
[Diagram: Server sending Flow 1 and Flow 2 to App 1 and App 2, with the OF Controller steering the flows]
SDN/OpenFlow – SPAN and Tap
• Diagnostic monitoring, compliance auditing
• Parallel network for diagnostics, compliance, auditing
• Move flows from SPAN or TAP to OpenFlow switches
• Cost-effective alternative to special-purpose devices
• Open, standards-based, cost-effective solution
• Redirecting live traffic
Record/Audit
[Diagram: switch with mirrored ports feeding a recording/audit device]
• Selected and interesting traffic can be mirrored to additional switch ports
• Dynamic rules can define the mirrored traffic
• No TAP or similar devices needed, hence every port can be mirrored
• Recording or audit technology can
IPS/IDS interaction
[Diagram: IPS/IDS attached to a switch]
• IPS/IDS software can analyze network traffic and communicate possible actions to the OF controller
• Deny communication of suspicious traffic between servers
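What "deny communication of suspicious traffic between servers" looks like on the wire: the following added example (written for this page, not code from the slides, from an IDS vendor or from any controller) parses a one-line IDS alert and turns it into two OpenFlow 1.0 FLOW_MOD messages with an empty action list, which in OpenFlow 1.0 means drop. It assumes the OpenFlow 1.0 layout of ofp_flow_mod (8-byte header, 40-byte ofp_match, 24 bytes of flow_mod fields, 72 bytes with no actions) and a Snort-style "fast" alert line; the alert text, the 300-second timeout and the priority value are constructed for the example.

```python
"""Turn an IDS verdict into OpenFlow 1.0 FLOW_MOD messages that drop the flow.

Added example, not code from the slides or from any IDS or controller vendor.
Assumes the OpenFlow 1.0 ofp_flow_mod wire layout and a Snort-style fast
alert line; the sample alert, timeout and priority are constructed values.
"""
import ipaddress
import re
import struct
from typing import List, Tuple

OFP_VERSION_1_0 = 0x01
OFPT_FLOW_MOD = 14
OFPFC_ADD = 0
OFPP_NONE = 0xFFFF            # out_port: unused for OFPFC_ADD
OFP_NO_BUFFER = 0xFFFFFFFF    # buffer_id: rule is not tied to a buffered packet
OFPFF_SEND_FLOW_REM = 1 << 0  # switch reports back when the rule expires
ETH_TYPE_IPV4 = 0x0800

# ofp_flow_wildcards bits (OpenFlow 1.0): a cleared bit means "match this field".
OFPFW_DL_TYPE = 1 << 4
OFPFW_NW_SRC_MASK = 0x3F << 8    # 6-bit "ignored prefix length" field for nw_src
OFPFW_NW_DST_MASK = 0x3F << 14   # 6-bit "ignored prefix length" field for nw_dst
OFPFW_ALL = (1 << 22) - 1

OFP_HEADER = struct.Struct("!BBHI")
# wildcards, in_port, dl_src, dl_dst, dl_vlan, dl_vlan_pcp, pad, dl_type,
# nw_tos, nw_proto, pad, nw_src, nw_dst, tp_src, tp_dst  -> 40 bytes
OFP_MATCH = struct.Struct("!IH6s6sHBxHBBxxIIHH")
# cookie, command, idle_timeout, hard_timeout, priority, buffer_id, out_port, flags
OFP_FLOW_MOD_TAIL = struct.Struct("!QHHHHIHH")

# Shape of the "{proto} src:port -> dst:port" tail of a Snort-style fast alert.
ALERT_RE = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_alert(line: str) -> Tuple[str, str]:
    """Extract (src_ip, dst_ip) from a one-line IDS alert; ValueError if malformed."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("alert line has no '{proto} src:port -> dst:port' part")
    # Re-parse the addresses so a crafted alert cannot smuggle garbage into a rule.
    return str(ipaddress.IPv4Address(m["src"])), str(ipaddress.IPv4Address(m["dst"]))


def drop_flow_mod(src_ip: str, dst_ip: str, xid: int,
                  hard_timeout: int = 300, priority: int = 60000) -> bytes:
    """OFPFC_ADD FLOW_MOD matching IPv4 src->dst with no actions, i.e. drop."""
    wildcards = OFPFW_ALL & ~(OFPFW_DL_TYPE | OFPFW_NW_SRC_MASK | OFPFW_NW_DST_MASK)
    match = OFP_MATCH.pack(
        wildcards, 0, b"\x00" * 6, b"\x00" * 6, 0, 0, ETH_TYPE_IPV4, 0, 0,
        int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip)), 0, 0)
    tail = OFP_FLOW_MOD_TAIL.pack(
        0, OFPFC_ADD, 0, hard_timeout, priority, OFP_NO_BUFFER, OFPP_NONE, OFPFF_SEND_FLOW_REM)
    body = match + tail
    return OFP_HEADER.pack(OFP_VERSION_1_0, OFPT_FLOW_MOD, OFP_HEADER.size + len(body), xid) + body


def quarantine_rules(alert_line: str, first_xid: int = 1) -> List[bytes]:
    """Deny the flagged conversation in both directions, as two FLOW_MODs."""
    src, dst = parse_alert(alert_line)
    return [drop_flow_mod(src, dst, first_xid), drop_flow_mod(dst, src, first_xid + 1)]


if __name__ == "__main__":
    # Constructed alert line (not a real capture).
    sample = ('[**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] '
              '[Priority: 1] {TCP} 10.0.0.5:4444 -> 10.0.0.7:51234')
    for rule in quarantine_rules(sample):
        print(len(rule), "bytes:", rule.hex())
```

The hard timeout and the OFPFF_SEND_FLOW_REM flag are deliberate: a block installed on an IDS verdict should expire on its own and the controller should be told when it does, otherwise a false positive becomes a permanent outage and nobody notices when the quarantine lapses. The priority is set high so the drop wins over ordinary forwarding entries between the same servers.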
Security: Rule conflict analysis
Phillip Porras, Martin Fong, Vinod Yegneswaran, Mabry Tyson, Computer Science Laboratory, SRI International
FortNOX incorporates a live rule conflict detection engine
• Rule conflict: arises when a new candidate rule enables or disables a network flow that is otherwise inversely prohibited (or allowed) by existing rules
• Alias set rule reduction: a method for detecting flow rule conflicts, even when OF set operations are used
– See Demo 1: Security Constraints Enforcement
[Diagram: hosts H1, H2, H3, H4 on a switch, with the constraint H1 /= H4 and the set operations H1 = H2, H3 = H4]
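The set-operation case is the interesting one: a rule that only mentions H1 and H3 can still carry H1's traffic to H4 if it rewrites headers along the way. The following is an added example written for this page in the spirit of alias set rule reduction; it is a simplified re-implementation, not SRI's FortNOX code. The rule model (a source and a destination host, an action of "forward" or "drop", optional set-field rewrites of source or destination, and an origin field that marks security rules as authoritative over application rules) is an assumption chosen to keep the idea visible; hosts H1..H4 and the constraint H1 /= H4 follow the slide.

```python
"""Alias-set style flow rule conflict check, in the spirit of FortNOX.

Added example, not SRI's FortNOX code. The rule model is this example's own
simplification: one src field, one dst field, forward/drop, optional set-field
rewrites, and an origin that gives security rules authority over app rules.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ANY = None  # wildcard value for a match field


@dataclass(frozen=True)
class FlowRule:
    src: Optional[str]               # match on source host, ANY = wildcard
    dst: Optional[str]               # match on destination host, ANY = wildcard
    action: str                      # "forward" or "drop"
    set_src: Optional[str] = None    # OF set-field action: rewrite source to this host
    set_dst: Optional[str] = None    # OF set-field action: rewrite destination to this host
    origin: str = "app"              # "security" rules have authority over "app" rules


def _matches(value: Optional[str], aliases: Set[str]) -> bool:
    """Does a match field cover any host in an alias set ('*' = wildcard alias)?"""
    return value is ANY or "*" in aliases or value in aliases


def alias_sets(rule: FlowRule, table: List[FlowRule]) -> Tuple[Set[str], Set[str]]:
    """Expand a rule's src/dst into every value the packet may carry.

    The rule's own rewrites, and the rewrites of any forwarding rule in the table
    that the rewritten packet could subsequently hit, are added until a fixed
    point is reached, so chains such as H1->H2 in one rule and H3->H4 in another
    are followed. The expansion over-approximates (it never misses a reachable
    alias), which makes the conflict check conservative rather than permissive.
    """
    srcs = {"*" if rule.src is ANY else rule.src}
    dsts = {"*" if rule.dst is ANY else rule.dst}
    pending, seen = [rule], set()
    while pending:
        current = pending.pop()
        if current in seen:
            continue
        seen.add(current)
        if current.set_src:
            srcs.add(current.set_src)
        if current.set_dst:
            dsts.add(current.set_dst)
        if current.action != "forward":
            continue  # a dropped packet reaches no further rule
        for other in table:
            if (other.set_src or other.set_dst) and _matches(other.src, srcs) \
                    and _matches(other.dst, dsts):
                pending.append(other)
    return srcs, dsts


def conflicts(candidate: FlowRule, installed: List[FlowRule]) -> List[Tuple[FlowRule, FlowRule]]:
    """(app_rule, security_rule) pairs that inversely overlap once the candidate is in.

    Every app rule is re-checked, not only the candidate: a new rewrite can extend
    the alias chain of a rule that was harmless when it was installed.
    """
    table = installed + [candidate]
    security = [r for r in table if r.origin == "security"]
    found = []
    for rule in table:
        if rule.origin == "security":
            continue
        srcs, dsts = alias_sets(rule, table)
        for sec in security:
            if sec.action != rule.action and _matches(sec.src, srcs) and _matches(sec.dst, dsts):
                found.append((rule, sec))
    return found


def admit(candidate: FlowRule, installed: List[FlowRule]) -> Tuple[bool, List[Tuple[FlowRule, FlowRule]]]:
    """Install the candidate unless it creates a conflict with a security rule."""
    found = conflicts(candidate, installed)
    if found:
        return False, found
    installed.append(candidate)
    return True, []


if __name__ == "__main__":
    table = [FlowRule("H1", "H4", "drop", origin="security")]   # H1 /= H4
    # Direct evasion: matches H1->H3, but rewrites the headers to H2->H4 on the way.
    print(admit(FlowRule("H1", "H3", "forward", set_src="H2", set_dst="H4"), list(table)))
    # Two-step evasion: each rule looks innocent, together they carry H1 to H4.
    print(admit(FlowRule("H1", "H3", "forward", set_src="H2"), table))
    print(admit(FlowRule("H2", "H3", "forward", set_dst="H4"), table))
```

Without the alias expansion, both of the two-step rules pass a naive overlap check (neither mentions H1 and H4 together), which is exactly the gap the slide's "even when OF set operations are used" refers to. The check is run on every insertion because the rule that completes the chain may be the second one, regardless of the order in which the application submits them.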
Software customization
[Diagram: today each device is a closed vertical stack of App, App, App on its own Operating System on Specialized Packet Forwarding Hardware, repeated for every device; with SDN the Apps run on one Network Operating System that controls Simple Packet Forwarding Hardware]
• Previously closed Network Operating Systems are now open to software development
• Security threats can rapidly be developed and deployed across a large network infrastructure
Opening the door to applications
[Diagram: OF controller above four switches, with Smart Analytics applications for credit card fraud, known malicious security patterns and financial threats]
• The OF controller provides a common, standards-based platform
• Specialized security software can be utilized
• Clever analytics, trend analysis, complex security detection, etc.
Opening the door to applications
[Diagram: OF controller above four switches, loaded with known security signatures]
• Since the OF controller can potentially "see" all traffic, specialized software can be loaded to recognize known security threats (in practice the controller sees only the packets the switches punt to it, so signature matching is usually done on mirrored copies as in the Record/Audit slide)
• Messages from the OF controller to the data plane can "intercept" the security threats
• Virus signatures, etc.
Application & OF Controller communication
[Diagram: OpenFlow Controller and API Client exchanging an https Request and an https Reply]
• Web-API
• Basic feature sets such as VTN creation and flow info collection are available
• To enable the Web-API, a firewall setting and an SSL certificate are required on the OF controller
• RESTful API
• XML 1.0 and JSON
• Applications can securely communicate with the controller and request resources, configuration changes, etc.
• The OF controller can also modify application behavior
DoS Secured VTN provides:
• Monitoring of traffic statistics based on OpenFlow L3-L4 counters
• Learning normal VTN traffic baselines
• Detecting deviation from normal traffic baselines
• Using P-Flow traffic diversion abilities to:
  – Divert suspicious traffic to a "scrubbing center"
  – Re-inject "clean" traffic to the original destination
• Back to normal after attack termination
Radware's Integration in NEC PFlow
[Diagram: VTN A, VTN B and VTN C on the ProgrammableFlow Controller, with the Radware DoS attack detection OF app flagging suspicious DoS activities; content provided by Radware]
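The four bullets above (baseline, deviation, divert, back to normal) form one control loop, shown here as an added example written for this page; it is not Radware's or NEC's code. The threshold rule (baseline mean plus three standard deviations, with a floor of half the mean so a flat baseline is not tripped by small noise), the per-flow key of (VTN, destination IP, destination port) derived from L3-L4 counters, and the counter values replayed at the end are this example's own assumptions and constructed data.

```python
"""Baseline-and-deviation DoS detection over per-flow OpenFlow counters.

Added example, not Radware's or NEC's code. Threshold rule, flow key and the
replayed counter values are this example's assumptions and constructed data.
"""
import statistics
from collections import deque
from typing import Deque, Dict, List, Set, Tuple

FlowKey = Tuple[str, str, int]  # (VTN name, destination IP, destination port)


class DosDetector:
    """Per-flow anomaly detector driven by counter deltas (packets per interval)."""

    def __init__(self, k: float = 3.0, min_samples: int = 5, window: int = 64):
        self.k = k                      # standard deviations above the mean that count as abnormal
        self.min_samples = min_samples  # intervals to observe before judging a flow
        self.window = window            # baseline is a sliding window of recent intervals
        self.history: Dict[FlowKey, Deque[float]] = {}
        self.diverted: Set[FlowKey] = set()

    def threshold(self, flow: FlowKey) -> float:
        """Largest packets-per-interval value still considered normal for the flow."""
        hist = self.history[flow]
        mean = statistics.mean(hist)
        sd = statistics.pstdev(hist)
        return mean + max(self.k * sd, 0.5 * mean)

    def observe(self, flow: FlowKey, packets: float) -> str:
        """Feed one interval's packet count and return the controller action:
        'learn'    - baseline not ready, keep collecting
        'pass'     - within baseline, forward normally
        'divert'   - above baseline, steer the flow to the scrubbing center
        'reinject' - back under baseline after a divert, route to the original destination
        """
        hist = self.history.setdefault(flow, deque(maxlen=self.window))
        if len(hist) < self.min_samples:
            hist.append(packets)
            return "learn"
        if packets > self.threshold(flow):
            # Attack intervals are not folded into the baseline, so the flood
            # itself cannot raise the threshold and mask its own continuation.
            self.diverted.add(flow)
            return "divert"
        hist.append(packets)
        if flow in self.diverted:
            self.diverted.discard(flow)
            return "reinject"
        return "pass"


def run_scenario() -> List[str]:
    """Replay constructed counter samples for one web flow in VTN A."""
    det = DosDetector()
    flow = ("VTN-A", "10.1.1.10", 80)
    # Six quiet intervals, two flood intervals, then traffic returns to normal.
    samples = [100, 120, 110, 130, 105, 115, 8000, 9000, 120, 125]
    return [det.observe(flow, n) for n in samples]


if __name__ == "__main__":
    print(run_scenario())
```

Two operational caveats follow from the code. The learning phase trusts whatever it sees, so a flow that is already under attack when monitoring starts gets a poisoned baseline; start learning from a known-quiet period or seed it from another VTN. And "reinject" fires on the first under-threshold interval, which can flap if the attacker pulses; a real deployment would require several clean intervals before routing traffic back.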
Key points
• The SDN architecture is different but no less secure than existing network infrastructure
• Secure messaging, an isolated/protected management network and redundant controllers are recommended security practices
• OpenFlow route manipulation can deploy security devices anywhere and at any time, which seriously increases your overall network infrastructure security
• The split between the data and control plane allows a multitude of security applications to be developed