Security Challenges & Opportunities in Software Defined Networks (SDN)
June 30th, 2015
SEC2 2015: first workshop on security in the Clouds (Premier atelier sur la sécurité dans les Clouds)
Nizar KHEIR, Cyber Security Researcher, Orange Labs Products and Services
Orange Public
Slide 2. Understanding the SDN Concept: analogy with the operating system
• Applications: supply value-added services that leverage the main physical assets of the underlying system
• Operating system: provides a mediation layer between the application logic and the physical hardware; it may be accessed through dedicated APIs and system calls
• Hardware: supplies a collection of physical elements that make compute, data and storage capabilities available in order to execute the application logic (CPU, HDD, memory, network)
Figure: the three layers stacked, applications over the operating system over the hardware.
Slide 3. SDN as a Network Operating System
Figure: applications on top of the SDN controller (network OS), which talks to the networking devices of the network infrastructure through OpenFlow messages (Packet_In, Flow_mod, etc.): Flow_mod going down to the devices, Packet_In coming up from them.
Slide 4. Global SDN Architecture
• SDN application plane: service and application logic; applications such as routing, QoS, security
• Northbound application interface: e.g. REST, Java (not standardized)
• SDN control plane (controller): topology management; e.g. NOX, OpenDaylight, FloodLight
• Southbound network interface (control plane): OpenFlow control messages; e.g. the OpenFlow standard
• Data plane: forwarding devices; network devices e.g. from Cisco, Juniper, Alcatel
Slide 5. Common Benefits
• Central management: global routing policies instead of separate device configuration
• Network abstraction layer: dissociate network management from low-level configuration
• Adaptive/autonomic network management: set up autonomous reaction strategies against failures and security incidents
• Network slicing and isolated management: segregate network traffic into different slices using isolated control logic
Figure: network slicing using SDN. Two SDN controllers, one for normal traffic and one for VIP traffic, each run their own applications over the same data plane, with normal traffic at QoS level a and VIP traffic at QoS level b.
Slide 6. Security Challenges with SDN: global risk overview
(1) Attacks in the data plane
• Common to legacy attacks
(2) Attacks on SDN devices
• Impact on data plane traffic
• Impact on control plane (LLDP tampering)
(3) Attacks on the control plane
• DDoS by flooding Packet_In messages
• Topology poisoning via address spoofing (ARP, LLDP, IGMP)
(4) Attacks on the controller
• Malicious or untrusted applications
• Saturation of device forwarding tables
• Lack of isolation and conflict resolution
Figure: controller and control plane above SDN devices and users in the data plane, with attack classes (1) to (4) marked at the layer they target.
Slide 7. Topology Poisoning Attacks on SDN: data plane link fabrication attack
Threat model and constraints
• The attacker controls only a few virtual machines connected to the SDN network
Link discovery in OpenFlow networks
• (1) The SDN controller sends an LLDP advertisement to Device A in a Packet_Out
• (2) Device A forwards the LLDP advertisement over the link to Device B
• (3) Device B returns the LLDP advertisement to the controller in a Packet_In
Link fabrication attack mechanism
Figure: two infected terminals, one attached to Device A and one to Device B, relay the LLDP advertisement over a covert channel (steps (1) to (4)); the controller therefore discovers a forged link between Device A and Device B, alongside Device C.
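The following Python module is an added example written for this page; it is not code from the slides or from Orange. It models a hypothetical controller-side link discovery module with two defences against the relay attack above: LLDP advertisements are authenticated with an HMAC keyed by a controller secret and carry a fresh nonce (this stops fabricated, modified or replayed frames), and LLDP arriving on a port that has already carried ordinary host traffic is refused (this stops a genuine frame relayed by infected terminals, which the HMAC alone cannot catch). Class and method names, the `host_traffic_seen` callback and the constructed device and port identifiers are assumptions of the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Lldp:
    """Constructed LLDP advertisement as the controller would emit it via Packet_Out."""
    dpid: str      # switch the controller sent it from
    port: int      # port it was sent out of
    nonce: bytes   # fresh per Packet_Out, so a captured frame cannot be replayed later
    tag: bytes     # HMAC over (dpid, port, nonce) keyed with the controller secret


class TopologyDiscovery:
    """Hypothetical link-discovery module: authenticates LLDP and refuses LLDP on host ports."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.host_ports = set()    # (dpid, port) pairs on which host traffic has been seen
        self.outstanding = {}      # nonce -> (dpid, port) for advertisements not yet returned
        self.links = set()         # discovered links, each ((dpid, port), (dpid, port))

    def _tag(self, dpid, port, nonce):
        return hmac.new(self.secret, f"{dpid}:{port}".encode() + nonce, hashlib.sha256).digest()

    def send_lldp(self, dpid, port):
        """Controller side of step (1): build the LLDP frame that goes out via Packet_Out."""
        nonce = os.urandom(8)
        self.outstanding[nonce] = (dpid, port)
        return Lldp(dpid, port, nonce, self._tag(dpid, port, nonce))

    def host_traffic_seen(self, dpid, port):
        """Called when ordinary (non-LLDP) traffic enters a port: that port faces a host."""
        self.host_ports.add((dpid, port))

    def receive_lldp(self, in_dpid, in_port, pkt):
        """Controller side of step (3): validate the LLDP frame delivered via Packet_In."""
        # A genuine frame relayed by infected terminals arrives on a host-facing port.
        if (in_dpid, in_port) in self.host_ports:
            return "rejected: LLDP arrived on a host-facing port"
        # A fabricated or modified frame fails the authenticator check.
        if not hmac.compare_digest(pkt.tag, self._tag(pkt.dpid, pkt.port, pkt.nonce)):
            return "rejected: bad authenticator"
        # A captured frame replayed later carries a nonce that is no longer outstanding.
        if self.outstanding.pop(pkt.nonce, None) != (pkt.dpid, pkt.port):
            return "rejected: stale or unknown advertisement"
        self.links.add(((pkt.dpid, pkt.port), (in_dpid, in_port)))
        return "accepted"
```

The port check is what defeats the pure relay, since the relayed frame carries a valid authenticator. Its limit is that a port is only classified after host traffic has been observed on it, so a terminal that relays LLDP before sending anything else is not caught by this check alone.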
Slide 8. Control plane saturation attacks: flooding the controller with Packet_In messages
• Limited monitoring support for many security applications in OpenFlow
• Inherent communication bottleneck between control and data planes, which enables control plane saturation attacks
Figure: Packet_In flooding. Malicious terminals (bots) send packets towards Device A; each flow-table miss raises a Packet_In to the SDN controller, which answers with a FlowMod (steps (1) to (4)); packet source and destination are shown at either side, with SDN devices in regions labelled Europe and AMEA.
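As an added example (not code from the slides or from Orange), the Python below shows one mitigation for the bottleneck just described: a hypothetical controller front-end that counts Packet_In messages per ingress port in a sliding window and, once a port exceeds the budget, pushes a temporary drop rule into the switch so that the flood is absorbed in the data plane instead of the control channel. The guard class, the `replay` helper and the constructed trace of one legitimate host and one bot are assumptions of the example; the Flow_Mod is represented as a plain dictionary rather than a real OpenFlow message.

```python
from collections import defaultdict, deque


class PacketInGuard:
    """Hypothetical controller front-end that rate-limits Packet_In per ingress port."""

    def __init__(self, window_s: float, max_per_window: int):
        self.window_s = window_s
        self.max_per_window = max_per_window
        self.recent = defaultdict(deque)   # (dpid, port) -> timestamps inside the window
        self.blocked = set()               # ports that already have a drop rule
        self.flow_mods = []                # Flow_Mod messages the controller would emit

    def on_packet_in(self, dpid: str, port: int, ts: float) -> str:
        key = (dpid, port)
        if key in self.blocked:
            # Once the switch applies the drop rule nothing more arrives from this port;
            # anything that still does is discarded locally without waking applications.
            return "discarded"
        window = self.recent[key]
        window.append(ts)
        while window and window[0] <= ts - self.window_s:
            window.popleft()
        if len(window) > self.max_per_window:
            self.blocked.add(key)
            # Push the decision into the data plane: drop new flows from this port for a
            # while instead of asking the controller about each one.
            self.flow_mods.append({
                "dpid": dpid,
                "match": {"in_port": port},
                "actions": [],          # an empty action list means drop in OpenFlow
                "priority": 100,
                "hard_timeout": 30,
            })
            return "rate-limited"
        return "dispatched"


def replay(guard: PacketInGuard, events):
    """Feed (dpid, port, ts) events through the guard and count the outcomes per port."""
    outcomes = defaultdict(lambda: defaultdict(int))
    for dpid, port, ts in events:
        outcomes[(dpid, port)][guard.on_packet_in(dpid, port, ts)] += 1
    return {key: dict(counts) for key, counts in outcomes.items()}


def sample_events():
    """Constructed trace: a host behind s1 port 1 opens a few flows while a bot behind
    s1 port 3 sprays packets with varying headers so that every one misses the flow table."""
    legit = [("s1", 1, 0.2 * i) for i in range(5)]        # 5 Packet_In within 1 s
    bot = [("s1", 3, 0.005 * i) for i in range(200)]      # 200 Packet_In within 1 s
    return sorted(legit + bot, key=lambda event: event[2])
```

Keying the budget on the ingress port keeps the legitimate host's five flows flowing while the bot's port is cut off after the budget is spent. The coarse granularity is also the caveat: a flood spread across many ports, each staying under the budget, is not detected by this check, which is why the slide lists the bottleneck itself, not only the flood, as the underlying problem.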
Slide 9. Defending SDNs from malicious applications: security enforcement within SDN controllers
No effective mechanisms to enforce access control and conflict resolution among SDN applications.
Example of the NOX controller:
• No built-in access control management
• Event and conflict handling
Figure: NOX controller architecture. Net Apps, Web Apps and Core Apps on top; Connection Manager, OpenFlow dispatcher, DSO Deployer and Existing Components in the middle; core services (threading and event management), input/output (socket, asynchronous file), network protocols, data structures and utilities at the bottom, over the OpenFlow API.
Slide 10. Defending SDNs from malicious applications (cont'd): security enforcement within SDN controllers
Two competing directions for enforcing security and access control in SDN architectures:
• Security enforcement kernel: application credential management and RBAC authentication; conflict analysis and RCA over administrator rules, security-related rules and application rules; a state table manager; then the OpenFlow API and the forwarding tables.
• Seamless network slicing: each controller application (App 1 ... App n) gets its own control logic (control logic 1 ... control logic n) inside an isolated network slice; a network isolation orchestrator applies the policy, next to the other controller functionalities and the router, before the OpenFlow API and the forwarding tables.
Figure: the two architectures side by side.
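To make the first direction concrete, here is an added Python example of a minimal security enforcement kernel; it is illustrative code written for this page, not the slides' or any project's implementation, and it simplifies real conflict analysis to a pairwise overlap test on source/destination prefixes. Every application submits rules under a role backed by an administrator-issued credential; the kernel rejects rules whose claimed role does not match the credential, rejects rules that contradict a rule held by an equal or higher role, and derives the switch priority from the role so that a privileged rule always wins in the data plane. The role names, the application names and the prefixes are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass

# Privilege order of the roles a credential can carry (names assumed for this example).
ROLE_RANK = {"admin": 3, "security": 2, "app": 1}


@dataclass(frozen=True)
class FlowRule:
    author: str   # application submitting the rule
    role: str     # role the application claims
    src: str      # source prefix in CIDR form; "0.0.0.0/0" matches any address
    dst: str      # destination prefix in CIDR form
    action: str   # "forward" or "drop"


def overlaps(a: str, b: str) -> bool:
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def conflicts(new: FlowRule, old: FlowRule) -> bool:
    """Two rules conflict when some packet matches both and they disagree on the action."""
    return (overlaps(new.src, old.src) and overlaps(new.dst, old.dst)
            and new.action != old.action)


class EnforcementKernel:
    """Hypothetical mediation layer sitting between the applications and the OpenFlow API."""

    def __init__(self, credentials: dict):
        self.credentials = credentials   # app name -> role, issued by the administrator
        self.rules = []                  # accepted (switch priority, rule) pairs

    def install(self, rule: FlowRule) -> str:
        # Credential check: the claimed role must be the one the administrator assigned.
        if self.credentials.get(rule.author) != rule.role:
            return "rejected: credential mismatch"
        # Conflict analysis: a rule may not contradict one held by an equal or higher role,
        # so a routing app cannot punch a hole through a security app's quarantine rule.
        for _, old in self.rules:
            if conflicts(rule, old) and ROLE_RANK[rule.role] <= ROLE_RANK[old.role]:
                return f"rejected: conflicts with {old.author}'s {old.action} rule"
        # Accepted: the switch priority follows the role, so where a higher role does
        # override a lower one the data plane evaluates the privileged rule first.
        self.rules.append((ROLE_RANK[rule.role] * 100, rule))
        return "installed"

    def priority_of(self, rule: FlowRule):
        """Switch priority assigned to an accepted rule, or None if it was never installed."""
        return next((prio for prio, r in self.rules if r == rule), None)
```

A production kernel also has to track rules that rewrite headers (a forward rule that changes the destination can bypass a drop rule without overlapping it textually), which is why the slide separates conflict analysis from the plain RBAC check.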
Slide 11. What about SDN security applications (cont'd)? Dynamic and lightweight composition of security services
Figure: four panels of the same SDN data plane with a source, a destination and a security service s1.
(a) Network topology
(b) No security service: shortest path routing
(c) Subscribed security service: shortest path through s1
(d) Subscribed security service: multi-shortest paths with passive monitoring
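The three routing behaviours in panels (b), (c) and (d) can be computed by a small SDN application; the Python below is an added example for this page, not code from the slides or from Orange. On a constructed seven-node topology it derives the plain shortest path, the shortest path forced through the security service, and the full set of equal-cost paths for multi-path forwarding, then turns a path into per-node forwarding entries keyed by the previous hop. The topology, node names and the `flow_entries` representation are assumptions of the example.

```python
import heapq

# Constructed example topology (not from the slides): an undirected weighted graph with
# switches s1..s4, a source host, a destination host and a security service host "sec".
TOPOLOGY = {
    "src": {"s1": 1},
    "s1": {"src": 1, "s2": 1, "s3": 1},
    "s2": {"s1": 1, "s4": 1, "sec": 1},
    "s3": {"s1": 1, "s4": 1},
    "s4": {"s2": 1, "s3": 1, "dst": 1},
    "sec": {"s2": 1},
    "dst": {"s4": 1},
}


def dijkstra(graph, start):
    """Distances and predecessor map from start to every reachable node."""
    dist, prev = {start: 0}, {}
    heap = [(0, start)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, w in graph.get(u, {}).items():
            if d + w < dist.get(v, float("inf")):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    return dist, prev


def shortest_path(graph, src, dst):
    """Panel (b): plain shortest path, the route a routing app installs by default."""
    dist, prev = dijkstra(graph, src)
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def path_through_service(graph, src, service, dst):
    """Panel (c): shortest path that is forced through the subscribed security service."""
    to_service = shortest_path(graph, src, service)
    from_service = shortest_path(graph, service, dst)
    if to_service is None or from_service is None:
        return None
    return to_service + from_service[1:]


def all_shortest_paths(graph, src, dst):
    """Panel (d): every equal-cost shortest path, usable for multi-path forwarding."""
    dist_to_dst, _ = dijkstra(graph, dst)
    paths = []

    def walk(node, path):
        if node == dst:
            paths.append(path)
            return
        for v, w in graph[node].items():
            # v lies on a shortest path iff it is exactly one link cost closer to dst
            if dist_to_dst.get(v) == dist_to_dst[node] - w:
                walk(v, path + [v])

    if src in dist_to_dst:
        walk(src, [src])
    return paths


def flow_entries(path):
    """Per-node forwarding entries for one path, keyed by (node, previous hop).

    Keying on the previous hop (the in_port of an OpenFlow match) matters for the service
    path: the node in front of the service is crossed twice, once towards the service and
    once back out, and a match on the destination alone could not tell the passes apart."""
    return {(path[i], path[i - 1]): path[i + 1] for i in range(1, len(path) - 1)}
```

Running it on the constructed topology, the service path is src, s1, s2, sec, s2, s4, dst, and `flow_entries` produces two distinct entries for s2, which is exactly the hairpin a naive destination-only rule set gets wrong.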
Slide 12. What about SDN security applications? Seamless and autonomic security incident management
Enhancing SDN capabilities by introducing a framework for the modular composition of event-driven security services.
Figure: SDN applications A, B, C and D on top of the SDN controller; a library (DB) of SDN security modules, a security resource manager that activates SDN security modules (A and D shown active), a security event manager and engine, the Security Enforcement Kernel, and OpenFlow messages down to the SDN data plane devices.
Slide 13. Network security monitoring in SDN: open issues and questions
A security monitoring framework as an SDN application: packet content is sent to the DPI application using Packet_In messages.
Pros:
• Straightforward approach (leverages SDN's inherent mechanisms)
• No intelligence required for data plane devices
Cons:
• Bottleneck, since all traffic is forwarded to the controller (at least the first packets of a flow)
Figure: data/security analytics (DPI application on packet content, statistics/NetFlow application, monitoring application) above the SDN controller, fed by Packet_In from the SDN data plane devices.
Slide 14. Conclusion
SDN security challenges have sparked multiple research efforts in recent years:
• Resilience of the SDN control plane => avoid bottlenecks and single points of failure
• Management of the SDN control plane => detect and handle poisoning attacks
• Security and reliability of the SDN data plane => diagnose failures and data plane attacks
• Open innovation ecosystem => enable isolation and security enforcement
But also several opportunities in terms of enhancing autonomic security monitoring:
• Bridge the longstanding gap between detection and remediation of security incidents
• Network layer abstraction, which enables comprehensive security management and dissociates security mechanisms from low-level configuration
Slide 15. Thank you
June 30th, 2015, SEC2 2015: first workshop on security in the Clouds
nizar.kheir@orange.com