
Security in Software Defined Networking

Professor : Admela Jukan
Supervisor : Marcel Caria
Student : Siqian Zhao

Academic year: 2021


Overview

Software Defined Networking (SDN)
• Legacy Networking VS. SDN
• advantages of SDN

The security problems in SDN
• caused by malicious attack
• caused by misconfiguration

Routing in Legacy Networking

Routing : select a path to forward packets from sender to receiver.

In Legacy networking :
• Each network node has its own control plane.
• Information is collected individually from all network nodes. → Problem

[Figure: a management plane above one control plane per node and a shared data plane]

Routing in SDN

Centralized control in SDN :

[Figure: applications talk to the SDN controller through an API; the controller programs the data plane]

• The controller maintains the forwarding table on all nodes across the network!

SDN Deployment and Market

Deployment example --- Google

2010: Google started implementing SDN.
October 2012: Google said that it was going to extend its existing international SDN-based inter-data center network.


SDN Future

According to SDN Central :

Security Concern in SDN

Since the beginning of 2013, various working groups have been established to study the security in SDN, such as ONF, ETSI, ITU.

Idea : importance of designing security in from the start.

However, SDN hardware, software and services which are already in production and in service lack consideration of the security implications!

Mission : explore techniques and policies to overcome the SDN security challenges

Security in SDN---Challenges

Security Challenges :
• Attack on the centralized controller
• Trust problem between controller and software applications
• Attack on the communication channel between controller and devices
• Conflicting flow rules
• Forwarding loops

[Figure: applications, including a malicious application, on top of the SDN controller, which manages several SDN switches]

Security in SDN---DoS

Attack on the controller : Denial of Service

Flow matched ? ---forward packet.
No flow matched ? ---send packet to the controller.

Thus, an attacker can execute a DoS attack on the node by constantly setting up new and unknown flows.

[Figure: a packet arriving at the switch triggers steps 1-4, a round trip to the SDN controller]

Security in SDN---DoS

Possible solution to DoS attack :
Run the device in proactive mode or use a Firewall

Firewall : a software or hardware-based network security system that controls the incoming and outgoing network traffic based on an applied rule set.

[Figure: firewall between the Internet and the network, filtering on packet headers]
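As an added illustration (not part of the slides), the following Python sketch shows what a controller-side detector for the table-miss flood described above could look like, together with the proactive counter-measure the slide suggests: once a port exceeds its table-miss budget, a low-priority drop rule is pushed so that its unmatched packets stop reaching the controller. The packet_in log, the budget values and the flow-rule field names are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed packet_in log: (timestamp_s, switch, in_port, src_ip, dst_ip).
# A reactive switch raises one packet_in per table miss, so a host that changes
# the destination on every packet forces one controller round trip per packet.
PACKET_INS = (
    [(t * 0.5, "s1", 1, "10.0.0.2", "10.0.1.%d" % (t % 4)) for t in range(6)]        # normal client
    + [(1.0 + i * 0.001, "s1", 3, "10.0.0.9", "10.9.%d.%d" % (i // 256, i % 256))
       for i in range(400)]                                                           # flood from port 3
)

WINDOW_S = 1.0
MISS_BUDGET = 50   # tolerated table misses per (switch, in_port) per window (assumed)

def detect_table_miss_flood(events, window_s=WINDOW_S, budget=MISS_BUDGET):
    """Sliding-window count of table misses per ingress port. Returns
    {(switch, in_port): timestamp at which the budget was first exceeded}."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, sw, port, _src, _dst in sorted(events):
        q = recent[(sw, port)]
        q.append(ts)
        while ts - q[0] > window_s:          # drop misses outside the window
            q.popleft()
        if len(q) > budget and (sw, port) not in flagged:
            flagged[(sw, port)] = ts
    return flagged

def quarantine_rule(switch, in_port):
    """Proactive rule for the flagged port: a low-priority catch-all with an empty
    action list, so unmatched packets are dropped at the switch instead of being
    punted to the controller. Field names mimic an OpenFlow flow_mod (illustrative)."""
    return {"switch": switch, "priority": 1, "match": {"in_port": in_port},
            "actions": [], "idle_timeout": 60}

def respond(events):
    """Detection plus mitigation: one quarantine rule per flagged port."""
    return [quarantine_rule(sw, port) for sw, port in sorted(detect_table_miss_flood(events))]
```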

Security in SDN---Malicious Applications

Trust issue between controller and applications

[Figure: several applications on top of the SDN controller]

• Malicious application can now be easily developed and deployed on controllers.

Security in SDN---Control Channel Attack

Attack on the control channel

[Figure: SDN controller linked to the switches over an SSL-protected control channel]

An attacker can either pretend to be the controller or the switch!


Security in SDN---Control Channel Attack

Possible solution 2 to the attack on the control channel :

Security in SDN---Misconfiguration

Conflicting flow rules by OF switch :
• Multiple OF applications run on a network controller device.
• Different applications insert different control policies dynamically.
→ conflicting flow rules may arise!

App 1 : A to B ; Modify SRC IP to X.
App 2 : X to B ; Modify DST IP to C.
App 3 : X to C ; Forward.
BLOCK : A to C

[Figure: Host A, Host B and the SDN controller running the three applications, with the BLOCK rule for A to C]

Security in SDN---Misconfiguration

Forwarding loops

[Figure: two switches with overlapping prefix rules (10.1.x.x ; to Blue / 10.x.x.x ; to B on one, 10.1.x.x ; to A / 10.x.x.x ; to Green on the other) and packets circulating between them]
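As an added example that is not from the slides, this Python snippet traces a packet through per-switch longest-prefix-match tables and reports a forwarding loop when a switch is visited twice. The two-switch rule tables are constructed, modelled on the overlapping 10.1.x.x / 10.x.x.x rules in the figure; the probe-per-prefix check in find_loops is a simple generalization, not exhaustive.

```python
import ipaddress

# Constructed two-switch rule tables modelled on the slide's overlapping
# 10.1.x.x / 10.x.x.x prefixes. Each entry is (prefix, next_hop); a next hop
# that is not a switch name is a host. Longest prefix match decides.
RULES = {
    "A": [("10.1.0.0/16", "B"), ("10.0.0.0/8", "Blue")],
    "B": [("10.1.0.0/16", "A"), ("10.0.0.0/8", "Green")],
}

def lookup(switch, dst, rules=RULES):
    """Longest-prefix match for dst in the switch's table; None on a table miss."""
    best = None
    for prefix, next_hop in rules[switch]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def trace(start, dst_ip, rules=RULES):
    """Follow the forwarding decisions for dst_ip from switch `start`.
    Returns (path, status) with status 'delivered', 'loop' or 'miss'."""
    dst = ipaddress.ip_address(dst_ip)
    path, seen, node = [start], {start}, start
    while True:
        next_hop = lookup(node, dst, rules)
        if next_hop is None:
            return path, "miss"
        path.append(next_hop)
        if next_hop not in rules:        # host reached
            return path, "delivered"
        if next_hop in seen:             # switch revisited: forwarding loop
            return path, "loop"
        seen.add(next_hop)
        node = next_hop

def find_loops(rules=RULES):
    """Probe one representative address per distinct prefix from every switch
    and report (start, probe address, path) for each loop found."""
    prefixes = {p for table in rules.values() for p, _ in table}
    loops = []
    for start in rules:
        for prefix in sorted(prefixes):
            probe = str(ipaddress.ip_network(prefix).network_address + 1)
            path, status = trace(start, probe, rules)
            if status == "loop":
                loops.append((start, probe, path))
    return loops
```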

Security in SDN---Misconfiguration

Nox Controller
• Nox : an open-source platform that simplifies the creation of software for controlling or monitoring networks.
• Nox relays flow rules from OF applications to the switch.

Security in SDN---Misconfiguration

Possible solution : Fortnox --- an extension to the NOX controller that provides non-bypass flow rules.

When flow rules conflict, compare the level of the authorization roles.

Security in SDN---Misconfiguration

Role-based Source Authentication :
• assign priority to a candidate flow rule, recognize 3 standard authorization levels among flow rule producers.
• OF Operator Level : define authoritative security policy
• OF Security Level : add flow constraints to combat live threat activity
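The following Python example (added here; it is neither code from the slides nor from FortNOX itself) puts the conflicting-flow-rules slide and the role-based check together: it grows a candidate rule's source and destination into alias sets through the Modify SRC/DST IP rewrites, then rejects the rule if a producer of equal or higher authorization level already installed an opposing rule for any alias pair. The level ordering operator > security > app, the third (ordinary application) level and the rule encoding are assumptions of this example.

```python
# Constructed rules modelled on the slide: match on a (src, dst) host pair, action
# 'forward', 'block' or a ('set_src', X)/('set_dst', Y) rewrite-then-forward, plus
# the producer's level; operator > security > app is an assumption of this example.
LEVELS = {"operator": 3, "security": 2, "app": 1}

def rule(src, dst, action, level):
    return {"src": src, "dst": dst, "action": action, "level": level}

def disposition(r):
    return "block" if r["action"] == "block" else "forward"

def alias_sets(cand, rules):
    """Alias set rule reduction: grow the candidate's src/dst sets through rewrites,
    downstream (what its traffic becomes) and upstream (what becomes its match)."""
    src_alias, dst_alias = {cand["src"]}, {cand["dst"]}
    changed = True
    while changed:
        changed = False
        for r in [cand] + rules:
            if not isinstance(r["action"], tuple):
                continue
            kind, val = r["action"]
            field, other = ("src", "dst") if kind == "set_src" else ("dst", "src")
            mine = src_alias if field == "src" else dst_alias
            theirs = dst_alias if field == "src" else src_alias
            if r[other] not in theirs:
                continue
            if r[field] in mine and val not in mine:    # downstream rewrite
                mine.add(val); changed = True
            if val in mine and r[field] not in mine:    # upstream rewrite
                mine.add(r[field]); changed = True
    return src_alias, dst_alias

def check_candidate(cand, installed):
    """Reject cand if an installed rule of equal or higher level disagrees on any
    alias pair; otherwise install it and evict lower-level conflicting rules."""
    src_alias, dst_alias = alias_sets(cand, installed)
    conflicts = [r for r in installed if r["src"] in src_alias
                 and r["dst"] in dst_alias and disposition(r) != disposition(cand)]
    blockers = [r for r in conflicts if LEVELS[r["level"]] >= LEVELS[cand["level"]]]
    if blockers:
        return "reject", blockers
    for r in conflicts:
        installed.remove(r)
    installed.append(cand)
    return "accept", conflicts

def slide_scenario():   # App 2, App 3 and the security BLOCK installed; App 1 arrives last
    installed = [rule("X", "B", ("set_dst", "C"), "app"), rule("X", "C", "forward", "app"),
                 rule("A", "C", "block", "security")]
    return check_candidate(rule("A", "B", ("set_src", "X"), "app"), installed)
```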

Security in SDN---OpenDaylight Controller

Another possible solution in OpenDaylight Controller : Defense4All.
• Monitoring behavior of protected traffic
• Diverting attacked traffic to selected AMSs

SDN Security Research in IDA

SASER : Safe And Secure European Routing
--- Start date : August 2012
--- End : September 2015
--- Total Budget : about 80 million Euros
--- Effort : more than 500 person years

SDN related research :
--- Security concept for a new architecture based on software defined networking.
--- General architecture specification
--- Network optimization …

Conclusion

• The evolution of SDN from the legacy network
• Security challenges in SDN and possible solutions
• SDN security research in IDA
