Multi-Layer Access Control for SDN-based Telco Clouds
(result of a joint CELTIC research project called SASER – SAve and SEcure Routing)
Bernd Jaeger 1, Christian Röpke 2, Iris Adam 1, Thorsten Holz 2
1: Nokia Networks 2: Ruhr-University Bochum
SDN Security
Often postulated: two different flavors of SDN security: Security of the SDN Architecture, and SDN-based Security Functions
• The analysis combines both aspects at the example of a SIP signaling SDN network with focus on the security of the SDN architecture
• Assumed are multiple applications on top of a single SDN controller, controlling a number of (partly) chained security functions in a SDN switch
• The applications and the SDN controller are assumed to run in a telco cloud with the worst-case threat that an application gets compromised and then acts maliciously
Nokia Networks; Ruhr-University Bochum, Multi-Layer Access Control for SDN-based Telco Clouds, 10/21/2015
Split of Physical Network Elements into VNFs and SDN-based Security Functions
[Figure: Simplified SIP SDN Network. Physical Network Elements (CSCF, PCRF, PGW with PCEF and SIP Blacklist) are split into VNFs in a Telco Cloud (CSCF, PCRF, DoS Detection, SIP Blacklist) and Security Functions in a SDN Switch (PCEF, SIP Blacklist).]
Simplified Example: Mobile-Internet Conference
[Figure: SIP SDN Protection in a Telco Cloud. eNBi and eNBj with UEs; Conf. App X, PCRF, CSCF and a Service Management System above the Northbound Interface; SDN Ctr with Controller Services and extensions (EXT); Southbound Interface to the SDN Switch, which carries Sig and Data traffic through PCEF and Blackl.; App X traffic towards the Internet.]
Attacker Model
• Malicious end user systems exploit vulnerabilities in cloud applications
• Attackers exploit SDN controller vulnerabilities by sending specially crafted packets to an SDN switch, triggering it to delegate these packets to the SDN controller
• Cloud applications or SDN controller extensions – intentionally or unintentionally – attack and infect other cloud applications or SDN controller components
Abbreviations: UE - User Equipment; eNB - eNodeB (base station); EXT - Extension; CSCF - Call Session Control Function; PCRF - Policy & Charging Rules Function; PCEF - Policy & Charging Enforcement Function; SDN Ctr - SDN Controller; Sig - Signaling; Blackl. - Blacklist
Multi-Layer Access Control
[Figure: SIP SDN Protection in a Telco Cloud. Application Layer: CSCF, App X and PCRF above the Northbound Interface, with a Policy Enforcement (PE) unit fed by a Descriptor from the Management System. Control Layer: SDN controller extensions (EXT) behind an SDN-specific EXT Interface and a Controller-specific EXT Service, Controller Services, SDN Ctr, and the Southbound Interface down to the SDN Switch.]
• A Policy Enforcement (PE) unit provides protection against malicious behavior of northbound applications and SDN controller extensions, provided by means of a descriptor from an independent management system
• On Application Layer the Policy Enforcement unit restricts the allowed instruction set according to an application profile
• On Control Layer the allowed instruction set of SDN controller extensions is reduced by high-level permissions in an SDN controller independent fashion
• SDN controller independence can be achieved by providing an additional layer that adapts the high-level permissions to the respective SDN controller specifics
Assigning Applications to Forwarding Tables
[Figure: as on the previous slide, with the SDN Switch split into Forwarding Tables FT1 (PCEF), FT2 (Blackl.) and FT3 (App X traffic).]
• A first step to increase security is to separate the flow rules of the respective applications into separate Forwarding Tables (FT)
• With that, Forwarding Tables are decoupled unless they work on the same traffic stream. If so, they are still able to affect each other.
• But even if the Forwarding Tables are completely decoupled from each other, they are still not protected against attacks, because each of the applications in the Telco Cloud can potentially be compromised and then send malicious instructions to the SDN controller
• This may e.g. result in DoS attacks (drop *.*), in illegitimate service consumption attacks, in manipulation of traffic integrity or in eavesdropping attacks by copying the traffic to an unauthorized destination
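The Policy Enforcement unit on the Application Layer and the per-application Forwarding Table assignment, combined in one added example (illustrative code written for this page, not SASER project code): each application profile is a descriptor, assumed here as a small Python record, that names the forwarding tables, instruction set, output ports and mandatory match fields granted to the app, and the PE check rejects the wildcard drop, cross-table and unauthorized-destination requests the slides describe.

```python
"""Policy enforcement for northbound SDN applications (illustrative example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class AppProfile:
    """Application descriptor delivered by the management system (format assumed)."""
    name: str
    tables: Set[int]          # forwarding tables the app may write (FT1..FT3 on the slide)
    actions: Set[str]         # allowed instruction set, e.g. {"forward", "drop"}
    out_ports: Set[int]       # destinations the app may forward/copy traffic to
    match_scope: Dict[str, object] = field(default_factory=dict)  # fields every rule must match


@dataclass
class FlowRule:
    """A flow rule request as submitted over the Northbound Interface (constructed)."""
    app: str
    table: int
    match: Dict[str, object]  # e.g. {"tp_dst": 5060, "ipv4_src": "198.51.100.7"}
    action: str
    out_port: Optional[int] = None


# Constructed profiles: the SIP blacklist owns FT2 and may only touch SIP signaling
# (UDP/TCP port 5060); App X owns FT3, may only forward, and only to ports 1 or 2.
PROFILES = {
    "SIP Blacklist": AppProfile("SIP Blacklist", {2}, {"forward", "drop"}, {1},
                                match_scope={"tp_dst": 5060}),
    "App X": AppProfile("App X", {3}, {"forward"}, {1, 2}, match_scope={"in_port": 3}),
}


def enforce(rule: FlowRule, profiles=PROFILES) -> Tuple[bool, str]:
    """Return (allowed, reason); anything the descriptor does not grant is refused."""
    p = profiles.get(rule.app)
    if p is None:
        return False, "unknown application"
    if rule.table not in p.tables:
        return False, f"table FT{rule.table} not assigned to {rule.app}"
    if rule.action not in p.actions:
        return False, f"action {rule.action!r} not in instruction set of {rule.app}"
    # A rule lacking the scoped match fields is a wildcard (the 'drop *.*' DoS case).
    for fld, val in p.match_scope.items():
        if rule.match.get(fld) != val:
            return False, f"rule outside match scope ({fld}={val!r} required)"
    # Copying or steering traffic to a port outside the profile is the eavesdropping case.
    if rule.action == "forward" and rule.out_port not in p.out_ports:
        return False, f"output port {rule.out_port} not authorized for {rule.app}"
    return True, "ok"
```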