sdn: is it a solution for network security?

SDN: is it a solution for network security?

Smelyanskiy R.L.Moscow State University, Computer Systems Laboratory

Applied Research Center for Computer Network

2013

http://www.google.ru/url?sa=i&source=images&cd=&docid=SAlFtOVGVMK9OM&tbnid=3TWsYc86X1rgNM:&ved=0CAgQjRwwAA&url=http://magazin-tolstovok.ru/tolstovki-universitetov/tolstovki-vuz-msk/tolstovki-mgu/&ei=sjVwUYWwHI6K9QTT5IGIDA&psig=AFQjCNGlaEiPAiPcJ80r30lTSBtkGVvcSg&ust=1366394674594377

10.04.2023 prof.R.Smelyanskiy MSU & ARCCN

Agenda

• What is SDN network?

• Term “protecting” could be many-sided…

• SDN control environment also needs to be protected.

2

10.04.2023 prof.R.Smelyanskiy MSU & ARCCN 3

Software defined evolution

Classic router

VLANRIP

OSPFIS-IS

ACL

MPLS…



Classic router

VLANRIP

OSPFIS-IS

ACL

MPLS…



VLAN

RIP

OSPF

IS-IS

ACL

MPLS

…

TCAMController

Switch

Flow Table



VLAN

RIP

OSPF

IS-IS

ACL

MPLS

…

TCAMController

Switch

Flow Table

Flow Table

MACsrc

MACdst

IPSrc

IPDst

TCPsport

TCPdport Action

**5.6.7.8*** port 1

Rule examples****00:1f:..* port 5

22***** drop

666205.6.7.81.2.3.400:1f:..00:20.. port 7

Switching

Firewall

FlowSwitching

Routing



VLAN

RIP

OSPF

IS-IS

ACL

MPLS

…

TCAM

Switch

Flow Table APP

APP

APP

APP

APP

APP

APP

Controller

Net

wor

k op

erati

ng sy

stem



VLAN

RIP

OSPF

IS-IS

ACL

MPLS

…

Switch

APP

APP

APP

APP

APP

APP

APP

Controller

Net

wor

k op

erati

ng sy

stem

Switch

Switch



VLAN

RIP

OSPF

IS-IS

ACL

MPLS

…

Switch

APP

APP

APP

APP

APP

APP

APP

Controller

Net

wor

k op

erati

ng sy

stem

Switch

Switch

Free for innovationNetwork Global ViewFlexible for configurationCheep and simple switch devicesAdvantages



VLAN

RIP

OSPF

IS-IS

ACL

MPLS

…

Switch

APP

APP

APP

APP

APP

APP

APP

Controller

Net

wor

k op

erati

ng sy

stem

Switch

Switch

Free for innovationGlobal Network ViewFlexible for configurationCheep and simple network devicesAdvantages


Case studies

• Large Transit Service Provider• Big International Company– Multiple offices – VPN communications

• Network of Large Organization – Large internal networks – Various types of network activities

13


Security in traditional architecture networks

• Case studies:– Large Transit Service

Provider– Airport network– ISP (VPN provider)

• Tendencies– Traffic growth– Mobility

• Infrastructure• Software• Protocols


Term “protecting” could be many-sided…

15

Physical access


Airport example

16


Airport example

17

Control process

Control process

Control process

Control process

Control process

Control processtrespasser


Airport example

18

Control process

Control process

Control process

Control process

Control process


MalwareControl process


Airport example

19

Control process

Control process

Control process

Control process

Server Room

Control process


SDNController

Packetforwarding

Packetforwarding

Packetforwarding

Packetforwarding

Packetforwarding


Term “protecting” could be many-sided…

20

Network flow control


Network of Organization example

Tenant app

Tenant A

Tenant B



Tenant app

Tenant A

Tenant B

TrafficDst point

Traffic Src point

TrafficDst point

Accept

Drop



Firewallapp

Traffic Src point

TrafficDst point

Firewallrules

Firewallrules


SDN control environment also needs

to be protected.


SDN control environment security


Controller security app

Legal traffic

Malware traffic

Legal traffic

Legal traffic

Malware traffic

OF eventOF event

OF event

OF event

OF event

OF event

OF event

OF event

Security app

Security app


Switch-controller security

MalwareSwitch


Switch-controller security

Authenticationserver

MalwareSwitch

Internet Key Exchange, IPsec,

Kerberos and etc.


Controller-to-controller security

Controller-to-controller out-band protocol

Seems to be secure enough,

but an expensive solution


Controller-to-controller security

Controller-to-controller in-band protocol

Check policies

IsolateControllers traffic

andDatapath traffic

Special QoS

settings

Problem 1 Problem 2

Problem 3

32

Controllers requirements • c-applications should be reusable by different controllers placed

near-by each other;• different controller instances should be able to share the same

instance of a c-application;• controller should be trusted environment;• controller should be scalable; it means that if workload is

growing beyond the current computational power of controller then it should be able to get more computational power, for example by splitting its activity with another controller instance, placed on another physical resource;

• if some controller instance shut down than some other controllers placed nearby should be able to catch up those part of network switches were managed by those shut down.



Conclusion

• Software Defined Networking (SDN) has been rapidly developed.– Working in data centers– Replacing proprietary routers

• Splitting data plane and control plane brings advantages, but also opens new way to exploit such networks in malicious purposes.

The major advantages of SDN approach– programmable configuration – data plane and control plane separation– flexible data flow control


Q&A

[email protected]

34

mailto:[email protected]


Switch - Controller security

49

host host host

Openflow switch

Controller

Control channel

hostLegal traffic

Malware traffic

Openflow event checker

Openflow event

Openflow event

Openflow event

Openflow eventOpenflow event

Openflow event



50

host host host

Openflow switch

Controller

Control channel

hostLegal traffic

Malware traffic

Openflow event checker

Openflow event

Openflow event

Openflow event


Openflow event



51

host host host

Openflow switch

Controller

Control channel

hostLegal traffic

Malware traffic

Openflow event

Openflow event

Openflow event


Openflow event

Vulnerable app



52

host host host

Openflow switch

Controller

Control channel

hostLegal traffic

Malware traffic

Openflow event

Openflow event

Openflow event


Openflow event

Vulnerable app

Security app


Controller-controller protocol security

53

host host host

Openflow switch

Controller

Control channel

host Controller

Controller-controller out-band protocol

Seems to be secure enough,

but an expensive solution


Controller-controller protocol security

54

host host host

Openflow switch

Controllerhost

Controller

Controller-controller out-band protocol

Controller-controller in-band protocol

Check policies

IsolateControllers traffic

andDatapath traffic

Special QoS

settings

sdn: is it a solution for network security?

Technology

smelyanskiy msu arccnacl

smelyanskiy msu arccn27

smelyanskiy msu arccn22

smelyanskiy msu arccn24

smelyanskiy msu arccn17

smelyanskiy msu arccn18

smelyanskiy msu arccn4

smelyanskiy msu arccn5