1 © Nokia Solutions and Networks 2015
SDN security Nokia Research perspective
Public
Peter Schneider
19-05-2015 Version 1.1
2 © Nokia Solutions and Networks 2015
Agenda
Security at Nokia
SDN in mobile networks
SDN security research
SDN security standardization
Securing SDN based networks
Using SDN to implement security solutions
Conclusion: SDN security challenges and opportunities
3 © Nokia Solutions and Networks 2015
Security at Nokia
• Product security
- security processes
- “security leads” per product
- “security managers” per product line
- central product security team
• Security products (including services)
• Security Research: Teams in Munich and Espoo (~20 people)
• Security Experts in various functions (e.g. standardisation)
4 © Nokia Solutions and Networks 2015
Nokia Security building blocks
5 © Nokia Solutions and Networks 2015
Nokia’s mobile network security vision: summary of research areas
1 Embedded security for 5G
2 Intelligent monitoring & response
3 Improving the security foundation
4 Easy security management & usability
5 Tool supported co-operation
6 © Nokia Solutions and Networks 2015
The evolved packet system (4G mobile network): 4G Mobile Core Network (Evolved Packet Core)
[Figure: EPC architecture diagram. Access side: 2G RAN (BTS, BSC), 3G RAN (Node B, RNC), LTE RAN (eNB), plus trusted and untrusted non-3GPP access networks. Core side: SGSN, MME, Serving GW, PDN GW, HSS, PCRF, ePDG, 3GPP AAA server, charging system and IMS / operator services, connected to corporate IP networks and the Internet. The legend distinguishes control plane, user plane and control+user plane links, and trusted from untrusted domains. Slide note: “Don’t care about all these abbreviations!”]
7 © Nokia Solutions and Networks 2015
SDN in future telco networks (still LTE, evolution example)
[Figure: LTE network with SDN applied in three places: SDN for gateway control, SDN for networking within the cloud, and SDN for backhauling; gateways are shown split into control and forwarding parts.]
Control functions move into the cloud
Gateways may be split into control and forwarding part
8 © Nokia Solutions and Networks 2015
SDN in a 5G e2e network architecture
[Figure: end-to-end 5G architecture with built-in security. Access: fixed access, Wifi access, LTE (all variants), 2G/3G and 5G radio (mm-wave, cm-wave and 5G WAN frontends, application-aware radio scheduler, (centralized) radio resource control, multi-connectivity). An access cloud and an evolved core cloud with virtualized resources, distributed gateway and distributed MEC. SDN controllers drive software-defined fronthaul, backhaul and transport and the data plane. Network applications: QoS on demand, dynamic QoS/QoE management, session on demand, mobility on demand, service chaining. Management & orchestration and customer experience management sit on top.]
9 © Nokia Solutions and Networks 2015
Work on SDN security at Nokia Research
• Interacting with the research community
• Own research
- understand the SDN security issues
- solution sketches for Nokia products/services including SDN
- intellectual property rights
- internal/external research papers/presentations
• Monitoring/supporting SDN standardisation
• Monitoring the market (commercial SDN products)
• Nokia internal enabling; ultimate goal is to create secure innovative products
10 © Nokia Solutions and Networks 2015
Monitoring the SDN security research community – examples (1/3)
• M. Tsugawa et al., “Cloud Computing Security: What Changes with Software-Defined Networking?” [1]: Good description of both security challenges and opportunities of SDN. Many considerations are not restricted to the cloud scenario.
• R. Klöti, Master Thesis “OpenFlow: A Security Analysis” [2]: Detailed analysis of a number of attack scenarios, focuses partly on quite sophisticated, slightly “academic” attacks.
• Further valuable vulnerability analyses in
- K. Benton et al., “OpenFlow vulnerability assessment” [3]
- A. Shalimov et al., “Advanced study of SDN/OpenFlow controllers” [4]
- D. Kreutz et al., “Towards Secure and Dependable Software-Defined Networks” [5], but the mitigation measures given in [5] seem cumbersome in practice
• A. Crenshaw, “Security and Software Defined Networking: Practical Possibilities and Potential Pitfalls” [6] gives a nice example of how to implement ARP poisoning protection
11 © Nokia Solutions and Networks 2015
Monitoring the SDN security research community – examples (2/3)
• Valuable contributions by the research team OpenFlowSec.org (see http://www.openflowsec.org/Home.html):
- Security enhanced OpenFlow controllers FortNOX and SE-Floodlight: ensure secure access of applications to network resources, provide patterns simplifying the programming of threat mitigation measures (see [7] and [8])
- FRESCO: “an OpenFlow security application development framework designed to facilitate the rapid design, and modular composition of OF-enabled detection and mitigation modules” [9]
• Access control for applications via the SDN controller
- Wen, X., et al., “Towards a Secure Controller Platform for OpenFlow Applications” [10]
- S. Shin et al., “Rosemary: A Robust, Secure, and High-Performance Network Operating System” [11]
12 © Nokia Solutions and Networks 2015
Monitoring the SDN security research community – examples (3/3)
• Improving security techniques by SDN
- S. A. Mehdi et al., “Revisiting traffic anomaly detection using software defined networking” [12]
- R. Skowyra et al., “Software-Defined IDS for Securing Embedded Mobile Devices” [13]
- S. Shin and G. Gu, “CloudWatcher: Network security monitoring using OpenFlow in dynamic cloud networks […]” [14]
• Network virtualization (and isolation) using SDN:
- R. Sherwood et al., “Flowvisor: A network virtualization layer” [15]
13 © Nokia Solutions and Networks 2015
SDN security research in SASER-SIEGFRIED
• SASER (Safe and Secure European Routing) (https://www.celticplus.eu/project-saser/):
- Celtic-Plus project with national funding in Germany, France, Finland
- a large project in Germany: three divisions led by different vendors, 36M € funding
- originally an optics project, but with security focus; 3 years runtime (2012-2015)
- SASER-SIEGFRIED: one of the German divisions of SASER, led by Nokia, with a substantial work package on security, including SDN security
• SDN security work in SASER-SIEGFRIED
- SDN security basics (threats, protection measures)
- concepts to control the interaction of multiple applications on an SDN controller
- SDN security lab, PoC implementations of security for southbound and northbound interface, admission control system for applications
- publications, e.g. C. Röbke, T. Holz, “Retaining Control Over SDN Network Services” [16]
- SDN demos including security features, see S. Gebert et al., “Demonstrating the Optimal Placement of Virtualized Cellular Network Functions in Case of Large Crowd Events” [17]
14 © Nokia Solutions and Networks 2015
Monitoring SDN security standardization: ONF
SDN Architecture document: reasonable (high level) statements on security
ONF specifications (examples):
- OF-Switch: optional use of TLS, no TLS profile specified
- OF-Config: based on NetConf security using SSH or TLS
ONF Principles document:
- First output of the ONF Security Project (after a slow start as “Security Discussion Group”)
- 8 rather generic security principles, 24 security requirements
- Reasonable recommendations on how to improve the security of OF-Switch
- What will be the impact of this work?
Overall, the ONF security work appears somewhat immature.
15 © Nokia Solutions and Networks 2015
Monitoring SDN security standardization: Others
IRTF SDN research group: security as a “field of interest” in the charter, but no output so far (?). Discussions at IETF#92 on how to move on with the group.
IETF SDN related WGs (examples):
- ForCES: use a secure transport protocol between forwarding and control plane, e.g. SCTP/IPsec; programmability of the network not in scope
- I2RS: reasonable security requirements for the interface; could be based on NetConf security using SSH or TLS
- A new activity: I2NSF (“interface to network security functions”)
ETSI ISG NFV: SDN usage in NFV covered in the EVE (Evolution and Ecosystem) group; early draft “Report on SDN Usage in NFV Architectural Framework”; security aspects not yet elaborated; also no respective work item in the NFV SEC (Security) group
16 © Nokia Solutions and Networks 2015
Threats to an SDN-based network
[Figure: an SDN controller connected over the network control plane to three SDN switches; applications, one of them malicious, attach to the controller via the northbound interface; the controller runs in a virtualized/cloud environment that also hosts a malicious application.]
Attacks from the forwarding plane
Attacks from the control network
Attacks via the northbound interface
Attacks from the virtualized/cloud environment
17 © Nokia Solutions and Networks 2015
Securing an SDN-based network
Protection of protocol interfaces (controller-switch i/f, possibly northbound i/f):
- preferably cryptographic protection (e.g. IPsec or TLS)
- sound, robust protocol implementations
- optionally a firewall in front of the controller to protect it against well known network and transport layer attacks (like TCP SYN floods)
Sound authentication and authorization concepts for network control by applications via the northbound interface, including conflict resolution
Security measures for virtualized/cloud environments when running the controller there (this is an issue of its own, to be solved independently of SDN)
Security measures as applicable also to traditional networks
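The authentication/authorization-with-conflict-resolution point for the northbound interface, as an added example that is not part of the deck and not Nokia code: a small role-based policy check in Python, loosely following the role-ranked conflict handling published for FortNOX [7]. The roles, address scopes, application names and rule format are assumptions of this example.

```python
"""Role-based authorization of northbound flow-rule requests with conflict
resolution (added example, not Nokia code). Loosely follows the role-ranked
conflict handling of FortNOX [7]; roles, scopes and application names are
assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Authority of each role (assumption): a rule from a higher-ranked application
# may not be overridden by a lower-ranked one.
ROLE_RANK = {"admin": 3, "security": 2, "tenant": 1}


@dataclass(frozen=True)
class Match:
    dst_ip: Optional[str] = None     # None means wildcard
    dst_port: Optional[int] = None
    src_ip: Optional[str] = None

    def overlaps(self, other: "Match") -> bool:
        """Two matches overlap unless some field pins them to different values."""
        pairs = ((self.dst_ip, other.dst_ip), (self.dst_port, other.dst_port),
                 (self.src_ip, other.src_ip))
        return all(a is None or b is None or a == b for a, b in pairs)


@dataclass
class Rule:
    app: str
    match: Match
    action: str   # "drop" or "forward"


@dataclass
class Controller:
    # app name -> {"role": role, "scope": "*" or set of address prefixes}
    apps: Dict[str, dict]
    rules: List[Rule] = field(default_factory=list)

    def authorize(self, app: str, match: Match, action: str) -> Tuple[bool, str]:
        meta = self.apps.get(app)
        if meta is None:
            return False, "unknown application"
        scope = meta["scope"]
        # scope check: an application may only control addresses assigned to it
        if scope != "*":
            if match.dst_ip is None or not any(match.dst_ip.startswith(p) for p in scope):
                return False, "match outside application scope"
        # conflict resolution: a contradicting rule of equal or higher rank wins
        for existing in self.rules:
            if existing.match.overlaps(match) and existing.action != action:
                if ROLE_RANK[self.apps[existing.app]["role"]] >= ROLE_RANK[meta["role"]]:
                    return False, f"conflicts with {existing.action} rule of {existing.app}"
        return True, "ok"

    def request(self, app: str, match: Match, action: str) -> Tuple[bool, str]:
        """Northbound entry point: authorize, then install the rule, evicting
        any contradicting rules of lower rank."""
        ok, reason = self.authorize(app, match, action)
        if ok:
            self.rules = [r for r in self.rules
                          if not (r.match.overlaps(match) and r.action != action)]
            self.rules.append(Rule(app, match, action))
        return ok, reason


def demo() -> Tuple[List[Tuple[bool, str]], List[Rule]]:
    """Constructed requests from a security app and a tenant app."""
    ctl = Controller(apps={
        "ids": {"role": "security", "scope": "*"},
        "tenant-a": {"role": "tenant", "scope": {"10.1."}},
    })
    results = [
        ctl.request("ids", Match(dst_ip="10.1.0.5", dst_port=22), "drop"),          # accepted
        ctl.request("tenant-a", Match(dst_ip="10.1.0.5", dst_port=22), "forward"),  # conflict
        ctl.request("tenant-a", Match(dst_ip="10.2.0.1"), "forward"),               # out of scope
        ctl.request("tenant-a", Match(dst_ip="10.1.0.9", dst_port=80), "forward"),  # accepted
        ctl.request("rogue", Match(), "forward"),                                   # unknown app
    ]
    return results, ctl.rules


if __name__ == "__main__":
    for outcome in demo()[0]:
        print(outcome)
```

The design point is that the check runs on the controller, not in the applications: a tenant application cannot re-open what a security application has blocked, and an unknown caller gets nothing, which is exactly the conflict-resolution requirement the slide names.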
18 © Nokia Solutions and Networks 2015
Securing an SDN-based network – further details
Security measures for virtualized/cloud environments, like
- sound, robust implementations of the hypervisors and the overall cloud management software
- security zones (logical and optionally even physical separation/isolation)
- dedicated security functions (like firewalls) as part of the hypervisor or in VMs
- traffic separation (dedicated virtual switches, VLANs)
- cryptographic protection: traffic to/from/between VMs, data on storage
Security measures as applicable also to traditional networks, like
- secure OAM (Operation, Administration and Maintenance)
- secure operation of network protocols and services (e.g. routing, DNS, NTP)
- individual protection of each network function (formerly physical boxes, now VNFs)
Backup
19 © Nokia Solutions and Networks 2015
Securing an SDN-based network
[Figure: the threat picture of slide 16 annotated with countermeasures: a firewall in front of the SDN controller; cryptographic protection on the control network towards the SDN switches and on the northbound interface towards the applications; sound authentication and authorization concepts for applications; a secure SDN controller with robust implementation and overload control; a secure virtualized/cloud environment, likewise with robust implementation and overload control.]
20 © Nokia Solutions and Networks 2015
Using SDN to Improve Network Security
Advocates of SDN claim substantial benefits such as “Increased network reliability and security as a result of centralized and automated management of network devices, uniform policy enforcement, and fewer configuration errors” (from the ONF).
But network security will not increase by simply applying SDN!
Security opportunities do exist:
- fine granular, agile control over all traffic flows: monitor traffic on a flow basis; block suspicious flows or redirect them to dedicated security devices
- centralized control: unify security policies, adapt them automatically and consistently
- programmability: implement security solutions as apps on the controller
- advantageous combination of SDN-based + traditional security solutions possible
- running controllers in cloud environments to make them resilient against DoS attacks
21 © Nokia Solutions and Networks 2015
Straightforward example of an SDN-based security solution
[Figure: an Anti-DoS App with policies runs on the SDN controller. The controller gets flow statistics from the SDN switches in front of the target server and sets blocking rules on them.]
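A controller-side sketch of the anti-DoS application on this slide, added here as an example; it is not code from the deck or from a Nokia product. The OpenFlow statistics exchange is replaced by flow-statistics records constructed inline, and the policy values, field names and rule format are assumptions (the empty action list follows the OpenFlow convention that a flow entry without actions drops). The two practical points it handles are that switch counters are cumulative, so a rate needs two polls, and that a counter can reset when a flow entry expires.

```python
"""Anti-DoS controller application sketch (added example, not Nokia code).
Polls flow statistics, detects sources flooding the protected server and
emits blocking rules. Flow statistics are constructed inline; all policy
values are assumptions."""
from typing import Dict, List, Tuple

# Hypothetical policy of the Anti-DoS App (assumption of this example).
POLICY = {
    "target_server": "192.0.2.10",   # constructed address (documentation range)
    "pps_threshold": 1000,           # packets per second per source, per switch
    "poll_interval_s": 5,            # statistics polling period
    "block_idle_timeout_s": 300,     # blocking rule expires when the flood stops
}

StatKey = Tuple[int, str, str]  # (switch dpid, src_ip, dst_ip)


class AntiDoSApp:
    def __init__(self, policy: dict) -> None:
        self.policy = policy
        self.last_counts: Dict[StatKey, int] = {}   # cumulative counters at last poll
        self.blocked: set = set()                   # sources already blocked

    def on_flow_stats(self, stats: List[dict]) -> List[dict]:
        """Process one polling round of flow statistics from all switches and
        return the blocking rules the controller should install."""
        rules: List[dict] = []
        seen: Dict[StatKey, int] = {}
        for s in stats:
            key = (s["dpid"], s["src_ip"], s["dst_ip"])
            count = s["packet_count"]
            seen[key] = count
            if s["dst_ip"] != self.policy["target_server"] or s["src_ip"] in self.blocked:
                continue
            if key not in self.last_counts:
                continue  # first observation only establishes the baseline
            delta = count - self.last_counts[key]
            if delta < 0:
                delta = count  # counter reset: flow entry expired and was re-added
            pps = delta / self.policy["poll_interval_s"]
            if pps > self.policy["pps_threshold"]:
                self.blocked.add(s["src_ip"])
                rules.append(self.blocking_rule(s["src_ip"]))
        self.last_counts = seen
        return rules

    def blocking_rule(self, src_ip: str) -> dict:
        """Blocking rule for one source, to be installed on every switch.
        An empty action list drops matching packets (OpenFlow convention)."""
        return {
            "match": {"eth_type": 0x0800, "ipv4_src": src_ip,
                      "ipv4_dst": self.policy["target_server"]},
            "actions": [],
            "priority": 100,
            "idle_timeout": self.policy["block_idle_timeout_s"],
        }


def demo() -> Tuple[List[dict], List[dict], List[dict]]:
    """Three constructed polling rounds: baseline, a flood, a calm round."""
    app = AntiDoSApp(POLICY)

    def stat(dpid: int, src: str, dst: str, count: int) -> dict:
        return {"dpid": dpid, "src_ip": src, "dst_ip": dst, "packet_count": count}

    round1 = [stat(1, "198.51.100.7", "192.0.2.10", 100),
              stat(1, "203.0.113.4", "192.0.2.10", 50),
              stat(2, "198.51.100.7", "192.0.2.77", 9000)]   # other server, ignored
    round2 = [stat(1, "198.51.100.7", "192.0.2.10", 8100),   # 8000 pkts / 5 s = 1600 pps
              stat(1, "203.0.113.4", "192.0.2.10", 1050),    # 1000 pkts / 5 s = 200 pps
              stat(2, "198.51.100.7", "192.0.2.77", 90000)]
    round3 = [stat(1, "198.51.100.7", "192.0.2.10", 8100),   # already blocked
              stat(1, "203.0.113.4", "192.0.2.10", 1100)]
    return app.on_flow_stats(round1), app.on_flow_stats(round2), app.on_flow_stats(round3)


if __name__ == "__main__":
    for i, rules in enumerate(demo(), 1):
        print(f"round {i}: {len(rules)} blocking rule(s)", rules)
```

Rates are measured per switch rather than summed across switches, because a packet traversing two switches would otherwise be counted twice; the idle timeout lets a blocking rule age out on its own once the flood stops, which keeps the switch flow tables from filling with stale entries.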
Backup
22 © Nokia Solutions and Networks 2015
Demo setup: Mobile Guard interacting with de-composed gateways
[Figure: in a virtualized/cloud environment, an S-GW App and a P-GW App provide GW control for the decomposed user-plane parts S-GW U and P-GW U. Mobile Guard receives input from a probe on the path towards the IP service network, detects malware activity and, via GW control, isolates the infected terminal; a sanitizing server is part of the setup.]
Disclaimer: This is a demo setup, not an available Nokia solution!
23 © Nokia Solutions and Networks 2015
SDN security products - examples
• Nokia’s Mobile Guard is a commercial security product - but SDN is currently only a “feature candidate”
• Radware Defense Flow (http://www.radware.com/Products/DefenseFlow/)
• HP SDN App Store (https://hpn.hpwsportal.com/catalog.html#/Home/Show)
- HP Network Protector
- Bluecat DNS Director
- F5 BIG DDoS Umbrella
- Guardicore Active Honeypot
• Related to network virtualisation: VMWare (NSX), Cisco (ACI) and others
24 © Nokia Solutions and Networks 2015
SDN security: Challenges versus opportunities
SDN feature | Challenge | Opportunity
Separation forwarding/control | increased attack surface (but good protection mechanisms exist) | (basis for other opportunities)
Centralized control | successful attacks have huge impact | unify security policies, adapt them automatically & consistently
Controllers in clouds | various threats, like attacks via hypervisor vulnerabilities | use elasticity of resources to overcome DoS attacks
Agile and fine granular control | increases complexity, is a source of errors, may be abused | facilitates security solutions that need to execute such control
Network programmability | abuse of control functions, exploiting vulnerabilities, compromising controllers | facilitates efficient deployment of security solutions running as applications on controllers
25 © Nokia Solutions and Networks 2015
Conclusion
Security Challenges: network programmability; controllers in cloud environments
Security Opportunities: unified but still agile control; efficient deployment of security solutions as network applications
Considerable care and security awareness is required to mitigate the threats!
Turning the opportunities into better network security is a process that has just started!
27 © Nokia Solutions and Networks 2015
References
[1] Maurício Tsugawa, Andréa Matsunaga, and José A.B. Fortes, “Cloud Computing Security: What Changes with Software-Defined Networking?” in S. Jajodia et al. (eds.), Secure Cloud Computing, DOI 10.1007/978-1-4614-9278-8__4, © Springer Science+Business Media New York 2014
[2] Rowan Klöti, Master Thesis “OpenFlow: A Security Analysis”, ETH Zürich (retrieved at ftp://ftp.tik.ee.ethz.ch/pub/students/2012-HS/MA-2012-20.pdf)
[3] K. Benton et al., “OpenFlow vulnerability assessment”, in: ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, HotSDN'13 (2013)
[4] A. Shalimov et al., “Advanced study of SDN/OpenFlow controllers”, Proceedings of the 9th Central & Eastern European Software Engineering Conference in Russia, ACM, New York 2013
[5] Kreutz, D., Ramos, F., Verissimo, P.: “Towards Secure and Dependable Software-Defined Networks”, in: ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, HotSDN'13 (2013)
[6] Adrian Crenshaw, “Security and Software Defined Networking: Practical Possibilities and Potential Pitfalls”, Indiana University, Dec 16, 2012 (published on http://www.irongeek.com/)
[7] Phillip Porras et al., “A Security Enforcement Kernel for OpenFlow Networks”, Proceedings of the ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN), 2012
[8] Phillip Porras et al., “Securing the Software-Defined Network Control Layer”, NDSS ’15, 8-11 February 2015, San Diego, CA, USA; Copyright 2015 Internet Society, ISBN 1-891562-38-X; retrieved: http://dx.doi.org/10.14722/ndss.2015.23222
[9] S. Shin, P.A. Porras, V. Yegneswaran, M.W. Fong, G. Gu, M. Tyson, “FRESCO: Modular Composable Security Services for Software-Defined Networks”, Proceedings of the ISOC Network and Distributed System Security Symposium, San Diego, CA, February 2013
28 © Nokia Solutions and Networks 2015
[10] Wen, X., Chen, Y., Hu, C., Shi, C., Wang, Y.: “Towards a Secure Controller Platform for OpenFlow Applications”, in: ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, HotSDN'13 (2013)
[11] S. Shin et al., “Rosemary: A Robust, Secure, and High-Performance Network Operating System”, CCS’14, Nov 3, 2014, Arizona, USA. Retrieved on April 20, 2015 from http://www.csl.sri.com/~vinod/papers/rosemary.pdf
[12] S. A. Mehdi, J. Khalid, and S. A. Khayam, “Revisiting traffic anomaly detection using software defined networking,” in Recent Advances in Intrusion Detection, Springer, 2011, pp. 161–180
[13] R. Skowyra, S. Bahargam, and A. Bestavros, “Software-Defined IDS for Securing Embedded Mobile Devices”, 2013. [Online]. Available: http://www.cs.bu.edu/techreports/pdf/2013-005-software-defined-ids.pdf
[14] S. Shin and G. Gu, “CloudWatcher: Network security monitoring using OpenFlow in dynamic cloud networks (or: How to provide security monitoring as a service in clouds?),” in 20th IEEE International Conference on Network Protocols (ICNP), IEEE, 2012, pp. 1–6
[15] R. Sherwood et al., “Flowvisor: A network virtualization layer”, OpenFlow Switch Consortium, Tech. Rep., 2009
[16] C. Röbke, T. Holz, “Retaining Control Over SDN Network Services”, Proceedings of the International Conference of Networked Systems, IEEE 2015, retrieved at http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7089082&tag=1
[17] S. Gebert, D. Hock, T. Zinner, P. Tran-Gia, M. Hoffmann, M. Jarschel, E. D. Schmidt, R. Braun, C. Banse, “Demonstrating the Optimal Placement of Virtualized Cellular Network Functions in Case of Large Crowd Events”, ACM SIGCOMM 2014, Chicago, USA, August 17-22, 2014