Outsmarting Network Security with SDN Teleportation KASHYAP - PowerPoint PPT Presentation



  1. Outsmarting Network Security with SDN Teleportation KASHYAP THIMMARAJU (TU BERLIN, GERMANY) LIRON SCHIFF (GUARDICORE LABS, ISRAEL) STEFAN SCHMID (AALBORG UNIVERSITY, DENMARK) IEEE EURO S&P, PARIS, FRANCE APRIL 2017

  2. Networking Equipment is Critical • It forms a technological foundation for communication • It contributes to the economy • Vital for national security

  3. Backdoors, exploits and 0days in Networking Equipment

  4. Backdoors in SDN equipment • Does that introduce new attacks? • Can we detect backdoor activity?

  5. Software Defined Networking (SDN) is a networking paradigm ● Separated planes ● Centralized model [Figure: controller in the control plane, switch in the data plane]

  6. SDN Teleportation: An attack previously not possible [Figure: Traditional Networks (control plane, data plane) vs. Software Defined Networks (control plane, teleportation, data plane)]

  7. SDN Teleportation poses several threats ● Bypass security mechanisms ● Attack coordination ● Exfiltration ● Eavesdrop

  8. The Teleportation Model 1) Switch to Controller 2) Controller to Switches 3) Destination Processing [Figure: switch → controller (1), controller → switches (2), destination processing (3)]

  9. Teleportation Techniques • Out-of-band Forwarding • Flow (re-)configurations • Switch Identification

  10. Out-of-band Forwarding Teleportation ● Complete packets from one switch are teleported to another switch Packet-Out Packet-in

  11. Flow (Re-)Configuration Teleportation ● Exploit the controller's centralized control to reconfigure the network when a host moves across the network [Figure: Flow-add, Flow-delete and Packet-in messages exchanged between the controller and the switches]

  12. Switch Identification Teleportation ● Impersonate the Datapath-ID to communicate information [Figure: handshake between the controller and two switches, each answering Hello and Features-request with Features-reply (DPID=1)]

  13. Attacks using Teleportation ● Bypass firewalls, IDS and IPS ● Exfiltration ● Man-in-the-middle ● Rendezvous/Attack coordination

  14. Teleportation Bandwidth

  15. Countermeasures ● Packet-in-Packet-Out Watcher ● Audit-Trails and Accountability ● Enhanced IDS with Waypoint Enforcement
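As an added illustration of the Packet-in-Packet-Out Watcher countermeasure (example code written for this page, not the authors' implementation), the watcher below correlates Packet-In and Packet-Out payloads across switches and flags the out-of-band forwarding pattern from slide 10, where a complete frame enters the controller from one switch and is emitted at another. The Event record and the trace are constructed, hypothetical inputs rather than parsed OpenFlow messages.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Event:
    kind: str       # "packet_in" or "packet_out" (hypothetical parsed record)
    dpid: int       # datapath ID of the switch on the control channel
    payload: bytes  # the encapsulated data-plane frame

class PacketInOutWatcher:
    """Flags frames that enter via Packet-In at one switch and leave via Packet-Out at another."""

    def __init__(self):
        self.seen_in = defaultdict(set)  # payload digest -> DPIDs that sent it as Packet-In
        self.alerts = []                 # (source DPIDs, destination DPID, digest prefix)

    @staticmethod
    def digest(payload):
        return hashlib.sha256(payload).hexdigest()

    def observe(self, ev):
        """Record one message; return True if it completes a teleportation pattern."""
        d = self.digest(ev.payload)
        if ev.kind == "packet_in":
            self.seen_in[d].add(ev.dpid)
            return False
        sources = self.seen_in.get(d, set())
        # A Packet-Out replaying a frame that only ever entered at a different switch
        # means the frame crossed the control plane instead of the data plane.
        if sources and ev.dpid not in sources:
            self.alerts.append((sorted(sources), ev.dpid, d[:12]))
            return True
        return False

def run_watcher(events):
    w = PacketInOutWatcher()
    for ev in events:
        w.observe(ev)
    return w.alerts

# Constructed trace: frame A enters at DPID 1 and is emitted at DPID 3 (teleported);
# frame B is a Packet-Out back to the switch that raised it (benign).
TRACE = [
    Event("packet_in", 1, b"\x01" * 14 + b"frame-A"),
    Event("packet_in", 2, b"\xff" * 14 + b"frame-B"),
    Event("packet_out", 2, b"\xff" * 14 + b"frame-B"),
    Event("packet_out", 3, b"\x01" * 14 + b"frame-A"),
]
```

`run_watcher(TRACE)` returns a single alert for frame A (DPID 1 to DPID 3). Legitimate controller applications, such as a learning switch flooding an unknown frame out of other switches, produce the same pattern, so a deployed watcher needs an allow-list of which applications may emit cross-switch Packet-Outs.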

  16. Conclusions ● Introduced a conceptually novel SDN attack ● Teleportation enables several attacks ● Teleportation has high quality and throughput ● Suggested Teleportation countermeasures

  17. Questions
