Outsmarting Network Security with SDN Teleportation KASHYAP - - PowerPoint PPT Presentation



slide-1
SLIDE 1

Outsmarting Network Security with SDN Teleportation

KASHYAP THIMMARAJU (TU BERLIN, GERMANY) LIRON SCHIFF (GUARDICORE LABS, ISRAEL) STEFAN SCHMID (AALBORG UNIVERSITY, DENMARK) IEEE EURO S&P, PARIS, FRANCE APRIL 2017

slide-2
SLIDE 2

Networking Equipment is Critical

  • It forms a technological foundation for communication
  • It contributes to the economy
  • Vital for national security
slide-3
SLIDE 3

Backdoors, exploits and 0days in Networking Equipment

slide-4
SLIDE 4

Backdoors in SDN equipment

  • Does that introduce new attacks?
  • Can we detect backdoor activity?
slide-5
SLIDE 5

Software Defined Networking (SDN) is a networking paradigm

  • Separated planes
  • Centralized model

Figure: Switch (data plane) and Controller (control plane)

slide-6
SLIDE 6

SDN Teleportation: An attack previously not possible

Figure: Traditional Networks (data plane, control plane) vs. Software Defined Networks, with Teleportation shown across the control plane

slide-7
SLIDE 7

SDN Teleportation poses several threats

  • Bypass security mechanisms
  • Attack coordination
  • Exfiltration
  • Eavesdrop
slide-8
SLIDE 8

The Teleportation Model

  • 1) Switch to Controller
  • 2) Controller to Switches
  • 3) Destination Processing

Figure: Switch → (1) → Controller → (2) → Switch → (3) destination processing of the teleported bits (01 10 ...)

slide-9
SLIDE 9

Teleportation Techniques

  • Out-of-band Forwarding
  • Flow (re-)configurations
  • Switch Identification
slide-10
SLIDE 10

Out-of-band Forwarding Teleportation

  • Complete packets from one switch are teleported to another switch

Figure: Packet-in (source switch → controller), Packet-Out (controller → destination switch)

slide-11
SLIDE 11

Flow (Re-)Configuration Teleportation

  • Exploit the controller's centralized control to reconfigure the network when a host moves across the network

Figure: Packet-in, Flow-add, Packet-in, Flow-add, Flow-delete (message sequence as the host appears to move between switches)

slide-12
SLIDE 12

Switch Identification Teleportation

  • Impersonate the Datapath-ID to communicate information

Figure: two switches complete the OpenFlow handshake with the controller: Hello, Features-request, Features-reply (DPID=1) from both switches
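The exchange on this slide has a simple controller-side tell: two distinct switch connections announce the same DPID. The check below is an added example for this presentation, not code from the paper or from any controller; the handshake event list, the peer addresses and the event names are constructed for illustration.

```python
# Added example (not from the slides): a controller-side check that flags
# two live switch connections presenting the same Datapath-ID, as on the
# "Switch Identification Teleportation" slide. Event names and peers are
# constructed; a real controller would feed its own handshake events in.

# Constructed sample of handshake events in arrival order:
# (event kind, peer endpoint of the TCP connection, DPID or None).
HANDSHAKE_EVENTS = [
    ("hello", "10.0.0.11:45000", None),
    ("features_reply", "10.0.0.11:45000", 1),
    ("hello", "10.0.0.12:45002", None),
    ("features_reply", "10.0.0.12:45002", 1),   # same DPID, different peer
    ("hello", "10.0.0.13:45004", None),
    ("features_reply", "10.0.0.13:45004", 2),
    ("disconnect", "10.0.0.13:45004", None),     # switch 2 drops its session
    ("hello", "10.0.0.13:45006", None),
    ("features_reply", "10.0.0.13:45006", 2),    # legitimate reconnect, no alert
]


def find_dpid_collisions(events):
    """Return (dpid, first_peer, second_peer) for every DPID that a second,
    still-connected peer claims while the first claimant is connected."""
    owner = {}   # dpid -> peer currently holding that DPID
    alerts = []
    for kind, peer, dpid in events:
        if kind == "disconnect":
            # Release every DPID owned by the departing connection so that a
            # genuine reconnect of the same switch is not reported.
            owner = {d: p for d, p in owner.items() if p != peer}
        elif kind == "features_reply":
            if dpid in owner and owner[dpid] != peer:
                alerts.append((dpid, owner[dpid], peer))
            else:
                owner[dpid] = peer
    return alerts


if __name__ == "__main__":
    for dpid, first, second in find_dpid_collisions(HANDSHAKE_EVENTS):
        print(f"DPID {dpid} claimed by {first} and {second}")
```

Keying on the connection endpoint rather than on the DPID alone is what makes the duplicate visible; a controller that indexes switches by DPID only would silently merge or replace the two sessions.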

slide-13
SLIDE 13

Attacks using Teleportation

  • Bypass firewalls, IDS and IPS
  • Exfiltration
  • Man-in-the-middle
  • Rendezvous/Attack coordination
slide-14
SLIDE 14

Teleportation Bandwidth

slide-15
SLIDE 15

Countermeasures

  • Packet-in-Packet-Out Watcher
  • Audit-Trails and Accountability
  • Enhanced IDS with Waypoint Enforcement
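As an added example of the first countermeasure, not code from the paper, the watcher below correlates Packet-in and Packet-out events and raises an alert when a packet received from one switch is emitted on a different switch shortly afterwards, which is the signature of out-of-band forwarding teleportation from the earlier slides. The log format, the `hash=` payload digest field and the sample lines are constructed assumptions; a real deployment would take these events from the controller's OpenFlow message handlers.

```python
# Added example (not from the slides): a Packet-in/Packet-out watcher over
# constructed controller event lines. Each line carries a digest of the
# packet payload (hash=...), assumed here so that a Packet-out can be
# matched to the Packet-in that delivered the same payload.
import re
from collections import Counter

# Constructed sample log: one benign round trip on switch 1, one payload
# that enters on switch 1 and leaves on switch 2, one benign one on switch 2.
LOG = """\
1.000 PACKET_IN dpid=1 in_port=3 hash=aa11
1.004 PACKET_OUT dpid=1 out_port=2 hash=aa11
2.000 PACKET_IN dpid=1 in_port=3 hash=bb22
2.010 PACKET_OUT dpid=2 out_port=1 hash=bb22
3.000 PACKET_IN dpid=2 in_port=1 hash=cc33
3.020 PACKET_OUT dpid=2 out_port=4 hash=cc33
"""

LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+) (?P<kind>PACKET_IN|PACKET_OUT) dpid=(?P<dpid>\d+) "
    r"\w+=\d+ hash=(?P<hash>\w+)$"
)


def parse(log):
    """Yield (timestamp, kind, dpid, payload_hash) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield float(m["ts"]), m["kind"], int(m["dpid"]), m["hash"]


def watch(events, window=1.0):
    """Return (payload_hash, source_dpid, destination_dpid) for every
    Packet-out whose payload arrived via Packet-in from another switch
    within `window` seconds. Same-switch round trips are normal and ignored."""
    recent = {}   # payload hash -> (timestamp, dpid) of the latest Packet-in
    alerts = []
    for ts, kind, dpid, h in events:
        if kind == "PACKET_IN":
            recent[h] = (ts, dpid)
        else:
            seen = recent.get(h)
            if seen and seen[1] != dpid and ts - seen[0] <= window:
                alerts.append((h, seen[1], dpid))
    return alerts


def channel_volume(alerts):
    """Count cross-switch forwards per (source, destination) pair; a steady
    rate on one pair is the audit-trail evidence the slides call for."""
    return Counter((src, dst) for _, src, dst in alerts)


if __name__ == "__main__":
    hits = watch(parse(LOG))
    for h, src, dst in hits:
        print(f"payload {h} entered on switch {src}, left on switch {dst}")
    print(dict(channel_volume(hits)))
```

Matching on a payload digest is an assumption made for the example; the essential design point is that the watcher keeps per-payload state across switches, since looking at any single switch's Packet-in or Packet-out stream in isolation shows nothing unusual.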
slide-16
SLIDE 16

Conclusions

  • Introduced a conceptually novel SDN attack
  • Teleportation enables several attacks
  • Teleportation has high quality and throughput
  • Suggested Teleportation countermeasures
slide-17
SLIDE 17

Questions