SDN: is it a solution for network security?
DESCRIPTION
Talk by R.L. Smelyanskiy at the international forum "Partnership of the State, Business and Civil Society in Ensuring Information Security and Countering Terrorism", Garmisch-Partenkirchen, Munich, April 2013.
TRANSCRIPT
Page 1
SDN: is it a solution for network security?
Smelyanskiy R.L., Moscow State University, Computer Systems Laboratory
Applied Research Center for Computer Networks
2013
Page 2
10.04.2023 prof.R.Smelyanskiy MSU & ARCCN
Agenda
• What is an SDN network?
• The term “protecting” could be many-sided…
• The SDN control environment also needs to be protected.
Page 3
Software defined evolution
Classic router: VLAN, RIP, OSPF, IS-IS, ACL, MPLS, …
Page 6
Software defined evolution
Controller: VLAN, RIP, OSPF, IS-IS, ACL, MPLS, …
Switch: Flow Table (TCAM)
Page 7
Software defined evolution
Controller: VLAN, RIP, OSPF, IS-IS, ACL, MPLS, …
Switch: Flow Table (TCAM)

Flow Table rule examples

| MAC src | MAC dst  | IP src  | IP dst  | TCP sport | TCP dport | Action | Rule type      |
|---------|----------|---------|---------|-----------|-----------|--------|----------------|
| *       | *        | *       | 5.6.7.8 | *         | *         | port 1 | Routing        |
| *       | 00:1f:.. | *       | *       | *         | *         | port 5 | Switching      |
| *       | *        | *       | *       | *         | 22        | drop   | Firewall       |
| 00:20.. | 00:1f:.. | 1.2.3.4 | 5.6.7.8 | 20        | 666       | port 7 | Flow switching |
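As an added example that is not part of the talk, here is a small Python model of the flow table above: entries with wildcarded fields, OpenFlow-style highest-priority-wins lookup, and a table miss that goes to the controller as a packet-in. The priorities are an assumption (the slide shows none); they are what makes the Firewall entry win over the Routing entry when a packet matches both.

```python
# Added example, not code from the talk. Models the four rule types on the
# slide (Routing, Switching, Firewall, Flow switching). Priorities are an
# assumption for illustration; the slide does not show them.
from dataclasses import dataclass


@dataclass
class FlowEntry:
    match: dict        # field -> exact value; a field that is absent is a wildcard (*)
    action: str        # "port N" or "drop"
    priority: int = 0  # higher wins when several entries match (OpenFlow semantics)
    name: str = ""


def entry_matches(entry, pkt):
    """Every non-wildcard field of the entry must equal the packet's field."""
    return all(pkt.get(f) == v for f, v in entry.match.items())


def lookup(table, pkt):
    """Return (entry, action) for the highest-priority matching entry.
    A table miss is reported as 'packet-in' (the switch asks the controller)."""
    hits = [e for e in table if entry_matches(e, pkt)]
    if not hits:
        return None, "packet-in"
    best = max(hits, key=lambda e: e.priority)
    return best, best.action


# Constructed table reproducing the slide's rule examples.
TABLE = [
    FlowEntry({"ip_dst": "5.6.7.8"}, "port 1", priority=10, name="Routing"),
    FlowEntry({"mac_dst": "00:1f:.."}, "port 5", priority=10, name="Switching"),
    FlowEntry({"tcp_dport": 22}, "drop", priority=100, name="Firewall"),
    FlowEntry({"mac_src": "00:20..", "mac_dst": "00:1f:..", "ip_src": "1.2.3.4",
               "ip_dst": "5.6.7.8", "tcp_sport": 20, "tcp_dport": 666},
              "port 7", priority=50, name="Flow switching"),
]


def forward(pkt, table=TABLE):
    """Name of the winning rule and the action the switch applies."""
    entry, action = lookup(table, pkt)
    return (entry.name if entry else None, action)


if __name__ == "__main__":
    # SSH to the routed host matches both Routing and Firewall; the firewall
    # entry must carry the higher priority or the packet would be forwarded.
    print(forward({"mac_dst": "00:1f:..", "ip_dst": "5.6.7.8", "tcp_dport": 22}))
```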
Page 9
Software defined evolution
Controller (Network operating system) running APPs: VLAN, RIP, OSPF, IS-IS, ACL, MPLS, …
Switch: Flow Table (TCAM)
Page 10
Software defined evolution
Controller (Network operating system) running APPs: VLAN, RIP, OSPF, IS-IS, ACL, MPLS, …
Switch, Switch, Switch
Page 12
Software defined evolution
Advantages
• Free for innovation
• Global Network View
• Flexible for configuration
• Cheap and simple network devices
Page 13
Case studies
• Large Transit Service Provider
• Big International Company
  – Multiple offices
  – VPN communications
• Network of Large Organization
  – Large internal networks
  – Various types of network activities
Page 14
Security in traditional architecture networks
• Case studies:
  – Large Transit Service Provider
  – Airport network
  – ISP (VPN provider)
• Tendencies
  – Traffic growth
  – Mobility
• Infrastructure
• Software
• Protocols
Page 15
Term “protecting” could be many-sided…
Physical access
Page 16
Airport example
Page 17
Airport example (diagram): several Control process nodes; a trespasser at one of them.
Page 18
Airport example (diagram): as above, with Malware on one Control process node.
Page 19
Airport example (diagram): the SDN Controller and the Control processes sit in the Server Room; the devices in the field only do Packet forwarding; trespasser still shown.
Page 20
Term “protecting” could be many-sided…
Network flow control
Page 21
Network of Organization example (diagram): Tenant app; Tenant A; Tenant B.
Page 22
Network of Organization example (diagram): Traffic Src point and Traffic Dst points; flows marked Accept or Drop.
Page 23
Network of Organization example
Page 24
Network of Organization example (diagram): Firewall app; Firewall rules at the switches on the path from Traffic Src point to Traffic Dst point.
Page 25
SDN control environment also needs to be protected.
Page 26
SDN control environment security
Page 27
Controller security app (diagram): hosts send Legal traffic and Malware traffic; both produce OF events at the controller, where a Security app inspects them.
Page 28
Switch-controller security (diagram): a Malware Switch connected to the controller.
Page 29
Switch-controller security (diagram): Authentication server for the switch-to-controller connection; Malware Switch. Mechanisms: Internet Key Exchange, IPsec, Kerberos, etc.
Page 30
Controller-to-controller security
Controller-to-controller out-of-band protocol: seems to be secure enough, but an expensive solution.
Page 31
Controller-to-controller security
Controller-to-controller in-band protocol
• Problem 1: check policies
• Problem 2: isolate controllers' traffic from datapath traffic
• Problem 3: special QoS settings
Page 32
Controllers requirements
• c-applications should be reusable by different controllers placed near-by each other;
• different controller instances should be able to share the same instance of a c-application;
• controller should be a trusted environment;
• controller should be scalable: if the workload grows beyond the current computational power of the controller, it should be able to get more computational power, for example by splitting its activity with another controller instance placed on another physical resource;
• if some controller instance shuts down, other controllers placed nearby should be able to take over the network switches that were managed by the one that shut down.
Page 33
Conclusion
• Software Defined Networking (SDN) has been rapidly developed.
  – Working in data centers
  – Replacing proprietary routers
• Splitting the data plane and the control plane brings advantages, but also opens new ways to exploit such networks for malicious purposes.
• The major advantages of the SDN approach:
  – programmable configuration
  – data plane and control plane separation
  – flexible data flow control
Page 35
Switch - Controller security (diagram): hosts send Legal traffic and Malware traffic to an Openflow switch; the Control channel carries Openflow events to the Controller, where an Openflow event checker sees them first.
Page 37
Switch - Controller security (diagram): without an event checker, Openflow events caused by Malware traffic reach a Vulnerable app on the Controller.
Page 38
Switch - Controller security (diagram): a Security app placed in front of the Vulnerable app.
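As an added example that is not part of the talk, here is a controller-side Openflow event checker in Python playing the role of the "Security app" in front of the "Vulnerable app": events from unauthenticated datapaths, oversized packet-in payloads, and hosts that generate more packet-ins than a per-host budget allows are stopped before any application sees them. The event fields, the checks and the limits are assumptions for illustration, not a real controller API.

```python
# Added example, not code from the talk. A checker placed between the control
# channel and the controller applications; event dicts, checks and limits are
# assumptions for illustration.
import time
from collections import defaultdict, deque


class OpenflowEventChecker:
    def __init__(self, known_dpids, max_payload=128, rate=5, window=1.0):
        self.known_dpids = set(known_dpids)    # datapaths that completed authentication
        self.max_payload = max_payload         # bytes of packet copied into a packet-in
        self.rate, self.window = rate, window  # packet-ins per source host per window
        self.history = defaultdict(deque)      # (dpid, src_mac) -> recent arrival times
        self.log = []                          # rejected events, for detection/alerting

    def check(self, event, now=None):
        """True if the event may be delivered to the apps, else False (reason logged)."""
        now = time.monotonic() if now is None else now
        if event["dpid"] not in self.known_dpids:
            return self._reject(event, "unknown datapath")
        if event["type"] != "packet_in":
            return True                        # only packet-ins are budgeted here
        if len(event["data"]) > self.max_payload:
            return self._reject(event, "oversized packet-in payload")
        q = self.history[(event["dpid"], event["src_mac"])]
        while q and now - q[0] > self.window:  # drop arrivals outside the window
            q.popleft()
        if len(q) >= self.rate:
            return self._reject(event, "packet-in rate exceeded for host")
        q.append(now)
        return True

    def _reject(self, event, reason):
        self.log.append((event["dpid"], event.get("src_mac"), reason))
        return False


def dispatch(checker, events, app, now=0.0):
    """Feed events through the checker; only accepted ones reach the app."""
    delivered = []
    for i, ev in enumerate(events):
        if checker.check(ev, now=now + i * 0.01):
            delivered.append(app(ev))
    return delivered


def vulnerable_app(ev):
    # Stand-in for an application that should never see hostile events.
    return ev["src_mac"]
```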
Page 39
Controller-controller protocol security (diagram): hosts, Openflow switch, Control channel, two Controllers. Controller-controller out-of-band protocol: seems to be secure enough, but an expensive solution.
Page 40
Controller-controller protocol security (diagram): the same topology with a Controller-controller in-band protocol. Problems: check policies; isolate controllers' traffic from datapath traffic; special QoS settings.