SDN security: Nokia Research perspective
Peter Schneider, Nokia Solutions and Networks
19-05-2015, Version 1.1, Public
© Nokia Solutions and Networks 2015
Slide deck (28 slides), hosted by Viktoria Swedish ICT


Slide 2: Agenda

• Security at Nokia
• SDN in mobile networks
• SDN security research
• SDN security standardization
• Securing SDN based networks
• Using SDN to implement security solutions
• Conclusion: SDN security challenges and opportunities

Slide 3: Security at Nokia

• Product security
- security processes
- “security leads” per product
- “security managers” per product line
- central product security team
• Security products (including services)
• Security Research: teams in Munich and Espoo (~20 people)
• Security Experts in various functions (e.g. standardisation)

Slide 4: Nokia Security building blocks

(Figure only; the slide carries no further text.)

Slide 5: Nokia’s mobile network security vision – summary of research areas

1 Embedded security for 5G
2 Intelligent monitoring & response
3 Improving the security foundation
4 Easy security management & usability
5 Tool supported co-operation

Slide 6: The evolved packet system (4G mobile network)

Figure: 4G Mobile Core Network (Evolved Packet Core). Elements shown: 2G RAN (BTS, BSC), 3G RAN (Node B, RNC), LTE RAN (eNB), SGSN, MME, HSS, Serving GW, PDN GW, PCRF, ePDG, 3GPP AAA Server, Charging system, IMS / Operator services, Trusted Non-3GPP Access Network, Untrusted Non-3GPP Access Network, Corporate IP networks, Internet. Legend: trusted vs. untrusted domains; control plane, user plane and control+user plane links.

Note on the slide: “Don’t care about all these abbreviations!”

Slide 7: SDN in future telco networks (still LTE, evolution example)

Figure: forwarding elements controlled via SDN in three places: SDN for gateway control, SDN for networking within the cloud, SDN for backhauling.

- Control functions move into the cloud
- Gateways may be split into control and forwarding part

Slide 8: SDN in a 5G e2e network architecture

Figure (labelled “Built-in Security”): domains are 5G Radio, Access Cloud, Evolved Core Cloud and Management & Orchestration. Access side: Fixed access, Wifi access, LTE (all variants), 2G, 3G, mm-wave frontend, cm-wave frontend, 5G WAN frontend. Transport: Software-defined fronthaul, Software-defined backhaul, Software-defined transport, Data plane, with SDN controllers at several points. Further labels: Network applications, QoS on demand, Dynamic QoS/QoE management, Session on demand, Mobility on demand, Service chaining, Distributed Gateway, Multi-connectivity, (Centralized) radio resource control, Distributed MEC, Application-aware radio scheduler, Customer experience management, Virtualized resources.

Slide 9: Work on SDN security at Nokia Research

• Interacting with the research community
• Own research:
- understand the SDN security issues
- solution sketches for Nokia products/services including SDN
- intellectual property rights
- internal/external research papers/presentations
• Monitoring/supporting SDN standardisation
• Monitoring the market (commercial SDN products)
• Nokia internal enabling; ultimate goal is to create secure innovative products

Slide 10: Monitoring the SDN security research community – examples (1/3)

• M. Tsugawa et al., “Cloud Computing Security: What Changes with Software-Defined Networking?” [1]: good description of both security challenges and opportunities of SDN. Many considerations are not restricted to the cloud scenario.
• R. Klöti, Master Thesis “OpenFlow: A Security Analysis” [2]: detailed analysis of a number of attack scenarios, focuses partly on quite sophisticated, slightly “academic“ attacks.
• Further valuable vulnerability analyses in
- K. Benton et al., “OpenFlow vulnerability assessment” [3]
- A. Shalimov et al., “Advanced study of SDN/OpenFlow controllers” [4]
- D. Kreutz et al., “Towards Secure and Dependable Software-Defined Networks” [5], but the mitigation measures given in [5] seem cumbersome in practice
• A. Crenshaw, “Security and Software Defined Networking: Practical Possibilities and Potential Pitfalls” [6] gives a nice example of how to implement ARP poisoning protection

Slide 11: Monitoring the SDN security research community – examples (2/3)

• Valuable contributions by the research team OpenFlowSec.org (see http://www.openflowsec.org/Home.html):
- Security enhanced OpenFlow controllers FortNOX and SE-Floodlight: ensure secure access of applications to network resources, provide patterns simplifying the programming of threat mitigation measures (see [7] and [8])
- FRESCO: “an OpenFlow security application development framework designed to facilitate the rapid design, and modular composition of OF-enabled detection and mitigation modules” [9]
• Access control for applications via the SDN controller
- Wen, X., et al., “Towards a Secure Controller Platform for OpenFlow Applications” [10]
- S. Shin et al., “Rosemary: A Robust, Secure, and High-Performance Network Operating System” [11]

Slide 12: Monitoring the SDN security research community – examples (3/3)

• Improving security techniques by SDN
- S. A. Mehdi et al., “Revisiting traffic anomaly detection using software defined networking” [12]
- R. Skowyra et al., “Software-Defined IDS for Securing Embedded Mobile Devices” [13]
- S. Shin and G. Gu, “CloudWatcher: Network security monitoring using OpenFlow in dynamic cloud networks […]” [14]
• Network virtualization (and isolation) using SDN:
- R. Sherwood et al., “Flowvisor: A network virtualization layer” [15]

Slide 13: SDN security research in SASER-SIEGFRIED

• SASER (Safe and Secure European Routing) (https://www.celticplus.eu/project-saser/):
- Celtic-Plus project with national funding in Germany, France, Finland
- a large project in Germany: three divisions led by different vendors, 36M € funding
- originally an optics project, but with security focus; 3 years runtime (2012-2015)
- SASER-SIEGFRIED: one of the German divisions of SASER, led by Nokia, with a substantial work package on security, including SDN security
• SDN security work in SASER-SIEGFRIED
- SDN security basics (threats, protection measures)
- concepts to control the interaction of multiple applications on an SDN controller
- SDN security lab, PoC implementations of security for southbound and northbound interface, admission control system for applications
- publications, e.g. C. Röbke, T. Holz, “Retaining Control Over SDN Network Services” [16]
- SDN demos including security features, see S. Gebert et al., “Demonstrating the Optimal Placement of Virtualized Cellular Network Functions in Case of Large Crowd Events” [17]

Slide 14: Monitoring SDN security standardization: ONF

SDN Architecture document: reasonable (high level) statements on security

ONF specifications (examples):
- OF-Switch: optional use of TLS, no TLS profile specified
- OF-Config: based on NetConf security using SSH or TLS

ONF Principles document:
- first output of the ONF Security Project (after a slow start as “Security Discussion Group”)
- 8 rather generic security principles, 24 security requirements
- reasonable recommendations how to improve the security of OF-Switch
- what will be the impact of this work?

Overall, the ONF security work appears somewhat immature.
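The OF-Switch remark above (TLS optional, no TLS profile specified) leaves it to the operator to decide what “TLS on the southbound interface” actually means. The following Python snippet is an added example, not part of the presentation and not Nokia or ONF code: it fixes one such controller-side profile with the standard ssl module (TLS 1.2 floor, mutual authentication, forward-secret AEAD suites only, compression off) and audits an arbitrary context against it. The profile values, the function names and the optional certificate paths are this example's own assumptions; the real switch CA and certificates would be supplied at deployment.

```python
import ssl

# Profile for the controller-switch (southbound) channel. These values are this
# example's own choice: the OpenFlow switch specification only makes TLS
# optional and names no profile, so the operator has to fix one.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5"  # forward-secret AEAD suites only


def build_controller_context(certfile=None, keyfile=None, cafile=None):
    """Server-side context the controller hands to its OpenFlow listening socket.

    The certificate, key and CA paths are optional here so the profile can be
    inspected without a PKI; in a deployment all three come from the operator's
    switch CA.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_VERSION
    ctx.verify_mode = ssl.CERT_REQUIRED  # mutual TLS: every switch must present a certificate
    ctx.set_ciphers(CIPHERS)
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    if cafile:
        ctx.load_verify_locations(cafile)
    return ctx


def unprofiled_context():
    """'TLS switched on' with nothing else decided, which is what "optional TLS,
    no profile" tends to end up as in practice."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def _is_aead(cipher):
    # Python reports an 'aead' flag with OpenSSL >= 1.1; fall back to the suite name.
    name = cipher["name"]
    return cipher.get("aead", "GCM" in name or "CHACHA20" in name or "CCM" in name)


def audit_context(ctx):
    """Return the ways ctx falls short of the profile (empty list = compliant)."""
    findings = []
    if ctx.minimum_version < MIN_VERSION:
        findings.append(f"minimum protocol version {ctx.minimum_version.name} is below TLSv1_2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("switch certificate not required: no mutual authentication on the southbound channel")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    weak = sorted(c["name"] for c in ctx.get_ciphers() if not _is_aead(c))
    if weak:
        findings.append("non-AEAD cipher suites enabled: " + ", ".join(weak))
    return findings


def demo():
    """Audit a profiled and an unprofiled context; the first should come back clean."""
    return {
        "profiled": audit_context(build_controller_context()),
        "unprofiled": audit_context(unprofiled_context()),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", findings or "compliant")
```

The audit is deliberately written against the context object rather than against a configuration file, so the same check can be run on whatever context a controller actually creates at start-up; a context that merely has TLS enabled still fails at least the mutual-authentication check, which is the point the slide makes about an optional, unprofiled TLS.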

Slide 15: Monitoring SDN security standardization: others

IRTF SDN research group: security as a “field of interest” in the charter, but no output so far (?). Discussions at IETF#92 how to move on with the group.

IETF SDN related WGs (examples):
- ForCES: use secure transport protocol between forwarding and control plane, e.g. SCTP/IPsec; programmability of the network not in scope
- I2RS: reasonable security requirements for the interface; could be based on NetConf security using SSH or TLS
- A new activity: I2NSF (“interface to network security functions”)

ETSI ISG NFV: SDN usage in NFV covered in EVE (Evolution and Ecosystem) group; early draft “Report on SDN Usage in NFV Architectural Framework”; security aspects not yet elaborated; also no respective work item in the NFV SEC (Security) group

Slide 16: Threats to an SDN-based network

Figure: an SDN Controller (Network Control) connected to several SDN Switches, with Applications (one of them a Malicious Application) on top and the controller placed in a Virtualized/Cloud Environment. Attack directions marked on the figure:
- attacks from the forwarding plane
- attacks from the control network
- attacks via the northbound interface
- attacks from the virtualized/cloud environment

Slide 17: Securing an SDN-based network

Protection of protocol interfaces (controller-switch i/f, possibly northbound i/f):
- preferably cryptographic protection (e.g. IPsec or TLS)
- sound, robust protocol implementations
- optionally a firewall in front of the controller to protect it against well known network and transport layer attacks (like TCP SYN floods)

Sound authentication and authorization concepts for network control by applications via the northbound interface, including conflict resolution

Security measures for virtualized/cloud environments when running the controller there (this is an issue of its own, to be solved independently of SDN)

Security measures as applicable also to traditional networks
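The northbound requirement above (authentication and authorization of applications, including conflict resolution) can be made concrete with a small admission layer in front of the controller's flow table. The Python below is an added example written for this page, not code from the presentation, from SASER-SIEGFRIED or from FortNOX/SE-Floodlight, although it borrows their idea that a security application's rules must not be silently overridden by an ordinary application. The application ids, authority levels, the operation name "flow_mod", the match fields and the addresses are this example's own assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum


class Authority(IntEnum):
    """Trust level an operator grants an application (this example's own levels)."""
    APP = 1
    SECURITY = 2
    ADMIN = 3


@dataclass(frozen=True)
class FlowRule:
    app: str
    match: dict        # header field -> value; an absent field is a wildcard
    action: str        # e.g. "forward", "drop", "redirect:sanitizer"
    priority: int = 0


def matches_overlap(a, b):
    """True if some packet could match both rules: every field constrained by
    both must carry the same value (a wildcard overlaps anything)."""
    return all(a[f] == b[f] for f in a.keys() & b.keys())


class NorthboundGuard:
    """Authorization and conflict resolution in front of the controller's flow table."""

    def __init__(self):
        self.apps = {}      # app id -> (Authority, frozenset of permitted operations)
        self.rules = []     # rules accepted so far, in arrival order

    def register(self, app, authority, permissions):
        self.apps[app] = (authority, frozenset(permissions))

    def authorize(self, app, operation):
        # Authentication is assumed to have happened on the northbound transport
        # (e.g. a TLS client certificate); here only the registered identity counts.
        if app not in self.apps:
            raise PermissionError(f"{app}: unknown application")
        if operation not in self.apps[app][1]:
            raise PermissionError(f"{app}: operation '{operation}' not permitted")

    def install(self, rule):
        """Returns (accepted, explanation). Higher authority wins a conflict; at equal
        authority the newcomer needs strictly higher priority and both rules coexist."""
        self.authorize(rule.app, "flow_mod")
        new_auth = self.apps[rule.app][0]
        evicted = []
        for old in self.rules:
            if not matches_overlap(rule.match, old.match) or rule.action == old.action:
                continue  # no packet can receive contradictory treatment
            old_auth = self.apps[old.app][0]
            if old_auth > new_auth or (old_auth == new_auth and rule.priority <= old.priority):
                return False, f"conflicts with '{old.action}' rule of {old.app} (authority {old_auth.name})"
            if old_auth < new_auth:
                evicted.append(old)  # the switch must not keep a lower-authority contradiction
        for old in evicted:
            self.rules.remove(old)
        self.rules.append(rule)
        note = f", evicted {len(evicted)} rule(s) of lower authority" if evicted else ""
        return True, "installed" + note


def demo():
    """Constructed scenario: a security app and a load balancer compete for overlapping flows."""
    g = NorthboundGuard()
    g.register("monitor", Authority.APP, {"read_stats"})
    g.register("lb", Authority.APP, {"flow_mod"})
    g.register("anti_dos", Authority.SECURITY, {"flow_mod", "read_stats"})
    results = [
        g.install(FlowRule("anti_dos", {"ipv4_src": "203.0.113.7"}, "drop", 100)),
        g.install(FlowRule("lb", {"ipv4_src": "203.0.113.7"}, "forward", 200)),          # rejected
        g.install(FlowRule("lb", {"ipv4_src": "198.51.100.1", "ipv4_dst": "10.0.0.10"}, "forward", 50)),
        g.install(FlowRule("anti_dos", {"ipv4_src": "198.51.100.1"}, "drop", 100)),       # evicts lb's rule
    ]
    try:
        g.install(FlowRule("monitor", {}, "drop", 1))
        denied = False
    except PermissionError:
        denied = True
    return {"results": results, "denied": denied, "rules": list(g.rules)}


if __name__ == "__main__":
    for accepted, why in demo()["results"]:
        print("accepted" if accepted else "rejected", "-", why)
```

The overlap test is deliberately conservative: two rules that constrain disjoint fields are treated as overlapping, because a single packet can match both. That errs on the side of refusing an ordinary application's rule rather than letting it punch a hole through a security rule, which is the trade-off the conflict-resolution requirement on the slide implies.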

Slide 18: Securing an SDN-based network – further details

Security measures for virtualized/cloud environments, like
- sound, robust implementations of the hypervisors and the overall cloud management software
- security zones (logical and optionally even physical separation/isolation)
- dedicated security functions (like firewalls) as part of the hypervisor or in VMs
- traffic separation (dedicated virtual switches, VLANs)
- cryptographic protection: traffic to/from/between VMs, data on storage

Security measures as applicable also to traditional networks, like
- secure OAM (Operation, Administration and Maintenance)
- secure operation of network protocols and services (e.g. routing, DNS, NTP)
- individual protection of each network function (formerly physical boxes, now VNFs)

Backup

Slide 19: Securing an SDN-based network

Figure: the measures of slides 17 and 18 placed on the threat picture of slide 16:
- Secure SDN controller: robust implementation, overload control
- SDN switches: robust implementation, overload control
- Firewall on the control network in front of the controller
- Cryptographic protection of the controller-switch links and of the application-controller links
- Sound authentication and authorization concepts for applications
- Secure virtualized/cloud environment hosting the controller

Slide 20: Using SDN to improve network security

Advocates of SDN claim substantial benefits such as “Increased network reliability and security as a result of centralized and automated management of network devices, uniform policy enforcement, and fewer configuration errors” (from the ONF).

But network security will not increase by simply applying SDN!

Security opportunities do exist:
- fine granular, agile control over all traffic flows: monitor traffic on flow basis; block suspicious flows or redirect them to dedicated security devices
- centralized control: unify security policies, adapt them automatically and consistently
- programmability: implement security solutions as apps on the controller
- advantageous combination of SDN-based + traditional security solutions possible
- running controllers in cloud environments to make them resilient against DoS attacks

Slide 21: Straightforward example of an SDN-based security solution

Figure: an Anti-DoS App with its policies runs on the SDN Controller; it gets flow statistics from the SDN switches and sets blocking rules on them to protect the target server.

Backup

Slide 22: Demo setup: Mobile Guard interacting with de-composed gateways

Figure: S-GW App and P-GW App provide GW control; the user-plane parts S-GW U and P-GW U run in a Virtualized/Cloud Environment towards the IP Service Network. A Probe feeds Mobile Guard, which (1) detects malware activity and (2) isolates the infected terminal (marked X), steering it to a Sanitizing Server.

Disclaimer on the slide: This is a demo setup, not an available Nokia solution!
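Slide 21's anti-DoS app (get flow statistics, set blocking rules) and slide 22's demo (detect malware activity, isolate the infected terminal towards a sanitizing server) share one controller-side mechanism. The Python below is an added example for this page, not code from the presentation and not Mobile Guard or any other Nokia product: flow statistics are polled, cumulative counters are turned into per-source packet rates, sources above a threshold get a self-expiring drop rule, and a terminal a probe reports as infected gets rules steering it to the sanitizing server. The statistics replies, addresses, threshold, rule dictionary layout and the port placeholders are constructed for the example; a real controller would send the rules as OpenFlow flow_mod messages.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowStat:
    """One entry of a switch's flow statistics reply; counters are cumulative,
    as OpenFlow reports them, so rates come from deltas between polls."""
    ipv4_src: str
    ipv4_dst: str
    packets: int


class AntiDosApp:
    """Controller application: block sources whose packet rate exceeds a policy
    threshold and quarantine terminals a probe reports as infected."""

    def __init__(self, pps_threshold, sanitizer_ip, sanitizer_port="PORT_TO_SANITIZER",
                 block_timeout_s=300):
        self.pps_threshold = pps_threshold
        self.sanitizer_ip = sanitizer_ip
        self.sanitizer_port = sanitizer_port   # placeholder: the switch port facing the sanitizer
        self.block_timeout_s = block_timeout_s
        self.last_counts = {}                  # (src, dst) -> (packets, time) from the previous poll
        self.blocked = set()

    def poll(self, stats, now):
        """Feed one statistics reply taken at time `now`; return the blocking
        rules the controller should push to the switch."""
        pps_per_src = {}
        for s in stats:
            key = (s.ipv4_src, s.ipv4_dst)
            if key in self.last_counts:
                prev_pkts, prev_t = self.last_counts[key]
                # skip counter resets (flow re-added) and zero intervals
                if s.packets >= prev_pkts and now > prev_t:
                    rate = (s.packets - prev_pkts) / (now - prev_t)
                    pps_per_src[s.ipv4_src] = pps_per_src.get(s.ipv4_src, 0.0) + rate
            self.last_counts[key] = (s.packets, now)
        rules = []
        for src, pps in pps_per_src.items():
            if pps > self.pps_threshold and src not in self.blocked:
                self.blocked.add(src)
                rules.append(self.block_rule(src))
        return rules

    def block_rule(self, src):
        # Drop everything from src. The hard timeout makes the block self-expiring,
        # so an address that was spoofed or is shared is not cut off for good.
        return {"match": {"ipv4_src": src}, "actions": [], "priority": 1000,
                "hard_timeout": self.block_timeout_s}

    def quarantine_rules(self, terminal_ip):
        """Rules isolating an infected terminal: its traffic is rewritten towards the
        sanitizing server, the server's replies still reach it, everything else is dropped."""
        return [
            {"match": {"ipv4_src": terminal_ip},
             "actions": [{"set_field": {"ipv4_dst": self.sanitizer_ip}},
                         {"output": self.sanitizer_port}],
             "priority": 900},
            {"match": {"ipv4_src": self.sanitizer_ip, "ipv4_dst": terminal_ip},
             "actions": [{"output": "NORMAL"}], "priority": 900},
            {"match": {"ipv4_dst": terminal_ip}, "actions": [], "priority": 800},
        ]


def demo():
    app = AntiDosApp(pps_threshold=10_000, sanitizer_ip="10.99.0.1")
    # Constructed statistics replies: 198.51.100.9 floods the target at 50k
    # packets/s between the two polls, 10.0.0.5 sends 300 packets/s.
    first = [FlowStat("198.51.100.9", "10.0.0.10", 0), FlowStat("10.0.0.5", "10.0.0.10", 0)]
    second = [FlowStat("198.51.100.9", "10.0.0.10", 500_000), FlowStat("10.0.0.5", "10.0.0.10", 3_000)]
    baseline = app.poll(first, now=0.0)     # first poll only seeds the counters
    blocks = app.poll(second, now=10.0)
    repeat = app.poll(second, now=20.0)     # counters unchanged: nothing new to install
    return {"baseline": baseline, "blocks": blocks, "repeat": repeat,
            "quarantine": app.quarantine_rules("10.0.0.5")}


if __name__ == "__main__":
    for name, rules in demo().items():
        print(name, "->", rules)
```

Blocking by source address is the simplest policy an anti-DoS app can express and also the easiest to turn against the defender, since a flood with a forged source provokes a block of that source; the hard timeout, the per-source aggregation over all destinations and a threshold set well above normal peaks are the minimum a practitioner would pair with it before letting such rules reach a production switch.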

Slide 23: SDN security products – examples

• Nokia’s Mobile Guard is a commercial security product, but SDN is currently only a “feature candidate”
• Radware Defense Flow (http://www.radware.com/Products/DefenseFlow/)
• HP SDN App Store (https://hpn.hpwsportal.com/catalog.html#/Home/Show)
- HP Network Protector
- Bluecat DNS Director
- F5 BIG DDoS Umbrella
- Guardicore Active Honeypot
• Related to network virtualisation: VMWare (NSX), Cisco (ACI) and others

Slide 24: SDN security: challenges versus opportunities

SDN feature | Challenge | Opportunity
Separation forwarding/control | increased attack surface (but good protection mechanisms exist) | (basis for other opportunities)
Centralized control | successful attacks have huge impact | unify security policies, adapt them automatically & consistently
Controllers in clouds | various threats, like attacks via hypervisor vulnerabilities | use elasticity of resources to overcome DoS attacks
Agile and fine granular control | increases complexity, is a source of errors, may be abused | facilitates security solutions that need to execute such control
Network programmability | abuse of control functions, exploiting vulnerabilities, compromising controllers | facilitates efficient deployment of security solutions running as applications on controllers

Slide 25: Conclusion

Security challenges: network programmability; controllers in cloud environments

Security opportunities: unified but still agile control; efficient deployment of security solutions as network applications

Considerable care and security awareness is required to mitigate the threats!

Turning the opportunities into better network security is a process that has just started!

References

[1] Maurício Tsugawa, Andréa Matsunaga, and José A.B. Fortes, “Cloud Computing Security: What Changes with Software-Defined Networking?”, in S. Jajodia et al. (eds.), Secure Cloud Computing, DOI 10.1007/978-1-4614-9278-8__4, © Springer Science+Business Media New York 2014
[2] Rowan Klöti, Master Thesis “OpenFlow: A Security Analysis”, ETH Zürich (retrieved at ftp://ftp.tik.ee.ethz.ch/pub/students/2012-HS/MA-2012-20.pdf)
[3] K. Benton et al., “OpenFlow vulnerability assessment”, in: ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, HotSDN'13 (2013)
[4] A. Shalimov et al., “Advanced study of SDN/OpenFlow controllers”, Proceedings of the 9th Central & Eastern European Software Engineering Conference in Russia, ACM, New York 2013
[5] Kreutz, D., Ramos, F., Verissimo, P., “Towards Secure and Dependable Software-Defined Networks”, in: ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, HotSDN'13 (2013)
[6] Adrian Crenshaw, “Security and Software Defined Networking: Practical Possibilities and Potential Pitfalls”, Indiana University, Dec 16, 2012 (published on http://www.irongeek.com/)
[7] Phillip Porras et al., “A Security Enforcement Kernel for OpenFlow Networks”, Proceedings of the ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN), 2012
[8] Phillip Porras et al., “Securing the Software-Defined Network Control Layer”, NDSS ’15, 8-11 February 2015, San Diego, CA, USA; Copyright 2015 Internet Society, ISBN 1-891562-38-X; retrieved: http://dx.doi.org/10.14722/ndss.2015.23222
[9] S. Shin, P.A. Porras, V. Yegneswaran, M.W. Fong, G. Gu, M. Tyson, “FRESCO: Modular Composable Security Services for Software-Defined Networks”, Proceedings of the ISOC Network and Distributed System Security Symposium, San Diego, CA, February 2013
[10] Wen, X., Chen, Y., Hu, C., Shi, C., Wang, Y., “Towards a Secure Controller Platform for OpenFlow Applications”, in: ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, HotSDN'13 (2013)
[11] S. Shin et al., “Rosemary: A Robust, Secure, and High-Performance Network Operating System”, CCS’14, Nov 3, 2014, Arizona, USA. Retrieved on April 20, 2015 from http://www.csl.sri.com/~vinod/papers/rosemary.pdf
[12] S. A. Mehdi, J. Khalid, and S. A. Khayam, “Revisiting traffic anomaly detection using software defined networking”, in Recent Advances in Intrusion Detection, Springer, 2011, pp. 161–180
[13] R. Skowyra, S. Bahargam, and A. Bestavros, “Software-Defined IDS for Securing Embedded Mobile Devices”, 2013. [Online]. Available: http://www.cs.bu.edu/techreports/pdf/2013-005-software-defined-ids.pdf
[14] S. Shin and G. Gu, “CloudWatcher: Network security monitoring using OpenFlow in dynamic cloud networks (or: How to provide security monitoring as a service in clouds?)”, in 20th IEEE International Conference on Network Protocols (ICNP), IEEE, 2012, pp. 1–6
[15] R. Sherwood et al., “Flowvisor: A network virtualization layer”, OpenFlow Switch Consortium, Tech. Rep., 2009
[16] C. Röbke, T. Holz, “Retaining Control Over SDN Network Services”, Proceedings of the International Conference on Networked Systems, IEEE 2015, retrieved at http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7089082&tag=1
[17] S. Gebert, D. Hock, T. Zinner, P. Tran-Gia, M. Hoffmann, M. Jarschel, E. D. Schmidt, R. Braun, C. Banse, “Demonstrating the Optimal Placement of Virtualized Cellular Network Functions in Case of Large Crowd Events”, ACM SIGCOMM 2014, Chicago, USA, August 17-22, 2014