securing the sdn northbound interface
play

Securing the SDN Northbound Interface With the aid of Anomaly - PowerPoint PPT Presentation

Oct 03, 2023 •175 likes •482 views

Securing the SDN Northbound Interface With the aid of Anomaly Detection Jan J. Laan July 2, 2015 Introduction Current status Anomaly detection Conclusion Introduction Traditional network Securing the SDN Northbound Interface 1 / 19

  1. Securing the SDN Northbound Interface With the aid of Anomaly Detection Jan J. Laan July 2, 2015

  2. Introduction Current status Anomaly detection Conclusion Introduction Traditional network Securing the SDN Northbound Interface 1 / 19 �

  3. Introduction Current status Anomaly detection Conclusion Introduction SDN network Advantages Centralized view Dynamic, flexible Securing the SDN Northbound Interface 2 / 19 �

  4. Introduction Current status Anomaly detection Conclusion Introduction SDN overview Securing the SDN Northbound Interface 3 / 19 �

  5. Introduction Current status Anomaly detection Conclusion Introduction Research question Main question How to perform a security assessment of the northbound inter- face of a SDN network? Supporting questions What are the main threats, and associated security requirements, to the SDN northbound interface? What is the best approach to assess the security of a northbound interface? How secure are the northbound interfaces of current popular SDN controllers? How can best practices with regard to security be improved? Securing the SDN Northbound Interface 4 / 19 �

  6. Introduction Current status Anomaly detection Conclusion Introduction Related work OperationCheckpoint [1] Northbound Access control for the Floodlight controller SEFloodlight [2] Conflict resolution, authentication for the Floodlight controller NB API. Rosemary [3] A controller built with security by design, especially for the northbound interface. Securing the SDN Northbound Interface 5 / 19 �

  7. Introduction Current status Anomaly detection Conclusion Current status Testbed 5 popular and/or interesting controllers for testing. Securing the SDN Northbound Interface 6 / 19 �

  8. Introduction Current status Anomaly detection Conclusion Current status 1: HTTPS support Goal: Secure communication in the northbound interface Check for supported HTTPS versions 1 Web interface stops working 2 SSL3 enabled Securing the SDN Northbound Interface 7 / 19 �

  9. Introduction Current status Anomaly detection Conclusion Current status 1: HTTPS support Goal: Secure communication in the northbound interface Check for supported HTTPS versions Floodlight Onos OpenDaylight Ryu Open Mul Yes 1 Partial 2 Yes Yes No 1 Web interface stops working 2 SSL3 enabled Securing the SDN Northbound Interface 7 / 19 �

  10. Introduction Current status Anomaly detection Conclusion Current status 2: Authentication Goal: Only allow access to authorized users/applications Securing the SDN Northbound Interface 8 / 19 �

  11. Introduction Current status Anomaly detection Conclusion Current status 2: Authentication Goal: Only allow access to authorized users/applications Floodlight Onos OpenDaylight Ryu Open Mul Yes Yes Yes No No Floodlight, Onos and OpenDaylight: Client certificates OpenDaylight: HTTP Basic Securing the SDN Northbound Interface 8 / 19 �

  12. Introduction Current status Anomaly detection Conclusion Current status 3: Authorization Goal: A user/application can only access the parts of the API he needs. Securing the SDN Northbound Interface 9 / 19 �

  13. Introduction Current status Anomaly detection Conclusion Current status 3: Authorization Goal: A user/application can only access the parts of the API he needs. Floodlight Onos OpenDaylight Ryu Open Mul No No No No No Research project for Floodlight with access control. Securing the SDN Northbound Interface 9 / 19 �

  14. Introduction Current status Anomaly detection Conclusion Current status 4: Logging Goal: non-repudiation, there is a trail of access to the northbound interface. Securing the SDN Northbound Interface 10 / 19 �

  15. Introduction Current status Anomaly detection Conclusion Current status 4: Logging Goal: non-repudiation, there is a trail of access to the northbound interface. Floodlight Onos OpenDaylight Ryu Open Mul Yes Yes Yes No No Securing the SDN Northbound Interface 10 / 19 �

  16. Introduction Current status Anomaly detection Conclusion Current status 5: Documentation Goal: Ease of configuration for security features Securing the SDN Northbound Interface 11 / 19 �

  17. Introduction Current status Anomaly detection Conclusion Current status 5: Documentation Goal: Ease of configuration for security features Floodlight Onos OpenDaylight Ryu Open Mul Yes No No No No Securing the SDN Northbound Interface 11 / 19 �

  18. Introduction Current status Anomaly detection Conclusion Current status Results summary Floodlight Onos OpenDaylight Ryu Open Mul HTTPS Yes Yes Yes No Partial Authentication Yes Yes Yes No No Authorization No No No No No Logging Yes Yes Yes No No Documentation Yes No No No No Insecure by default. Almost all security features are turned off initially. Securing the SDN Northbound Interface 12 / 19 �

  19. Introduction Current status Anomaly detection Conclusion Anomaly detection Malicious applications A scenario: Application has access through the northbound interface 1 Application gets hacked 2 Hacker abuses access rights to disrupt the network 3 Security measures mentioned before will not prevent this 4 Securing the SDN Northbound Interface 13 / 19 �

  20. Introduction Current status Anomaly detection Conclusion Anomaly detection Malicious applications A scenario: Application has access through the northbound interface 1 Application gets hacked 2 Hacker abuses access rights to disrupt the network 3 Security measures mentioned before will not prevent this 4 Possible solution: Anomaly detection Premise: When an application becomes malicious, its behaviour changes. Securing the SDN Northbound Interface 13 / 19 �

  21. Introduction Current status Anomaly detection Conclusion Anomaly detection Statistical Anomaly Detection Log all access to northbound interface 1 Divide data into ”historical” (training) data and ”current” (testing) 2 data. Compare weighted chances per API call per application for these 3 data sets. Calculate an anomaly score. 4 # ¡of ¡API ¡calls ¡ Time ¡-­‑> ¡ Securing the SDN Northbound Interface 14 / 19 �

  22. Introduction Current status Anomaly detection Conclusion Anomaly detection Statistical Anomaly Detection Log all access to northbound interface 1 Divide data into ”historical” (training) data and ”current” (testing) 2 data. Compare weighted chances per API call per application for these 3 data sets. # ¡of ¡API ¡calls ¡ Calculate an anomaly score. 4 # ¡of ¡API ¡calls ¡ Time ¡-­‑> ¡ Time ¡-­‑> ¡ Securing the SDN Northbound Interface 14 / 19 �

  23. Introduction Current status Anomaly detection Conclusion Anomaly detection Floodlight Proof of Concept Performance impact: 7% (1.1ms extra latency) Needs further research for validation. Securing the SDN Northbound Interface 15 / 19 �

  24. Introduction Current status Anomaly detection Conclusion Anomaly detection Limitations Only works well for predictable applications. Can be ”trained” to accept malicious behaviour. Requires parameter tuning. Securing the SDN Northbound Interface 16 / 19 �

  25. Introduction Current status Anomaly detection Conclusion Conclusion Conclusion SDN northbound interface security is poor at this time. Adding access control and turning on other tested features will help. Insecure by default, lack of security features. Anomaly detection: interesting addition, needs further research. Securing the SDN Northbound Interface 17 / 19 �

  26. Introduction Current status Anomaly detection Conclusion Conclusion Future work Implement authorization on controllers. In-depth analysis of a single controller. Validate detection rate of statistical anomaly detection Explore other means of anomaly detection (machine learning, data mining) Securing the SDN Northbound Interface 18 / 19 �

  27. Introduction Current status Anomaly detection Conclusion References S. Scott-Hayward, C. Kane, and S. Sezer, “Operationcheckpoint: SDN application control,” in Network Protocols (ICNP), 2014 IEEE 22nd International Conference on, 10 2014, pp. 618–623. P. Porras, S. Cheung, M. Fong, K. Skinner, and V. Yegneswaran, “Securing the software-defined network control layer,” in Proceedings of the 2015 Network and Distributed System Security Symposium (NDSS), San Diego, California, 2015. S. Shin, Y. Song, T. Lee, S. Lee, J. Chung, P. Porras, V. Yegneswaran, J. Noh, and B. B. Kang, “Rosemary: A robust, secure, and high-performance network operating system,” in Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, ser. CCS ’14, New York, NY, USA, 2014, pp. 78–89. Securing the SDN Northbound Interface 19 / 19 �

  28. Introduction Current status Anomaly detection Conclusion Anomaly types The red line depicts the amount of API calls over time to an API function. Three types of anomalous traffic are shown. Securing the SDN Northbound Interface 20 / 22 �

  29. Introduction Current status Anomaly detection Conclusion Security assessment (STRIDE) Spoofing (Lack of) user authentication Divert NB network traffic. (f.e. ARP spoofing) Tampering Capture and alter network traffic (MitM) take over (hack) SDN application Repudiation Log API access Securing the SDN Northbound Interface 21 / 22 �

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SDN controller: Intent-based Northbound Interface realization for extended applications

SDN controller: Intent-based Northbound Interface realization for extended applications

SDN controller: Intent-based Northbound Interface realization for extended applications Introduction 1. SDN Controller 2. Intent-based Northbound Interface (NBI) 3. The Intent framework in ONOS controller 4. The proposed architecture for

440 views • 18 slides
O c t o b e r 15, 2020 Overview Northbound Strategic Plan Vision Zero Action Plan

O c t o b e r 15, 2020 Overview Northbound Strategic Plan Vision Zero Action Plan

O c t o b e r 15, 2020 Overview Northbound Strategic Plan Vision Zero Action Plan Context Driven Initiatives What is Northbound? Northbound Strategic Plan o The Northbound Ten 5-year plan with 10 Goals o Goals we can work on

313 views • 18 slides
Authenticated Sensor Interface Device for Securing Sensors and Data Transmission Rick Poland

Authenticated Sensor Interface Device for Securing Sensors and Data Transmission Rick Poland

Authenticated Sensor Interface Device for Securing Sensors and Data Transmission Rick Poland R&D Execution Manager Instrumentation & Electronic Development International Conference on Physical Protection of Nuclear Materials and Nuclear

431 views • 13 slides
ODOT Region 1 I-205: Johnson Creek Blvd to Glen Jackson Bridge Northbound Auxiliary Lane

ODOT Region 1 I-205: Johnson Creek Blvd to Glen Jackson Bridge Northbound Auxiliary Lane

ODOT Region 1 I-205: Johnson Creek Blvd to Glen Jackson Bridge Northbound Auxiliary Lane SE Powell Blvd to I-84 Northbound and Southbound Active Traffic Management (ATM) Project Map Schedule Advance Plans: May 31, 2018

163 views • 15 slides
ODOT Region 1 I-205: Johnson Creek Blvd to Glen Jackson Bridge Northbound Auxiliary Lane

ODOT Region 1 I-205: Johnson Creek Blvd to Glen Jackson Bridge Northbound Auxiliary Lane

ODOT Region 1 I-205: Johnson Creek Blvd to Glen Jackson Bridge Northbound Auxiliary Lane SE Powell Blvd to I-84 Northbound and Southbound Active Traffic Management (ATM) Schedule Advance Plans: May 31, 2018 Final

710 views • 32 slides
I/O Bus and Interface Data Bus Addr Bus CPU Control Interface Interface Interface Interface

I/O Bus and Interface Data Bus Addr Bus CPU Control Interface Interface Interface Interface

I/O Bus and Interface Data Bus Addr Bus CPU Control Interface Interface Interface Interface Keyboard CD Hard Printer & or Disk Display DVD Flaxer Eli - Computer Architecture Ch 8 - 1 Example: 8254 DB(0..7) DB 8254 IOR RD

453 views • 3 slides
Northbound Connections of VPP for NFV in Containers and Kubernetes FastData.io VPP Billy

Northbound Connections of VPP for NFV in Containers and Kubernetes FastData.io VPP Billy

Northbound Connections of VPP for NFV in Containers and Kubernetes FastData.io VPP Billy McFall bmcfall@RedHat.com Agenda Ligato Previous Session Multus CNI / Userspace CNI Network Service Mesh Summary Multus CNI

299 views • 15 slides
IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT is a system of systems, with A great deal of heterogeneity (sensing, computation, communication, energy) New types of devices appearing all

1.35k views • 65 slides
Building&Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl

Building&Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl

www.securing.pl Building&Hacking modern iOS apps Wojciech Regua @_r3ggi wojciech.regula@securing.pl @_r3ggi wojciech.regula@securing.pl www.securing.pl www.securing.pl WHOAMI -Senior IT Security Consultant @ SecuRing -Focused on

998 views • 67 slides
ODL neutron northbound boron planning feature gaps in ODL and openstack Isaku Yamahata

ODL neutron northbound boron planning feature gaps in ODL and openstack Isaku Yamahata

ODL neutron northbound boron planning feature gaps in ODL and openstack Isaku Yamahata OpenDaylight Developer Design Forum Feb 29, 2016 https://wiki.opendaylight.org/view/NeutronNorthbound:Main

366 views • 20 slides
Age genda da 1 Comments from July 2018 Public Meeting 2 Northbound Meadowbrook Entrance Ramp

Age genda da 1 Comments from July 2018 Public Meeting 2 Northbound Meadowbrook Entrance Ramp

F ORT W ORTH D ISTRICT District 95 Town Hall, Southeast Connector Update Photo by Liam Frederick I-20, I-820 & US 287 November 8, 2018 Age genda da 1 Comments from July 2018 Public Meeting 2 Northbound Meadowbrook Entrance Ramp

617 views • 44 slides
Interface Documents David Christian 11/20/17 Interface between CE and DAQ Interface

Interface Documents David Christian 11/20/17 Interface between CE and DAQ Interface

Interface Documents David Christian 11/20/17 Interface between CE and DAQ Interface documents will define the boundaries of responsibility between the various consortia. Project management (Steve Kettell) is pushing to get these drafted.

226 views • 4 slides
PROJECT BRIEF October 12, 2016 VIA EDSA (FROM MAKATI) Take EDSA heading Northbound Stay on the

PROJECT BRIEF October 12, 2016 VIA EDSA (FROM MAKATI) Take EDSA heading Northbound Stay on the

PROJECT BRIEF October 12, 2016 VIA EDSA (FROM MAKATI) Take EDSA heading Northbound Stay on the right side as you approach Cloverleaf interchange Turn right to Cloverleaf Interchange via To Manila ramp Exit towards A. Bonifacio Avenue

754 views • 46 slides
SANS Securing The Human Training Department of Safety Securing the Human Training Web

SANS Securing The Human Training Department of Safety Securing the Human Training Web

SANS Securing The Human Training Department of Safety Securing the Human Training Web based Centrally Administrated Divisionally managed Consistent content Central reporting Ability to add custom content (Policy's)

761 views • 10 slides
NORTHBOUND NORTHWESTERN HWY SERVICE DRIVE ROAD REHABILITATION SOUTHFIELD RD TO LAHSER RD March

NORTHBOUND NORTHWESTERN HWY SERVICE DRIVE ROAD REHABILITATION SOUTHFIELD RD TO LAHSER RD March

NORTHBOUND NORTHWESTERN HWY SERVICE DRIVE ROAD REHABILITATION SOUTHFIELD RD TO LAHSER RD March 26, 2018 PROJECT LIMITS EAST OF LAHSER RD WEST OF SOUTHIELD RD NB NORTHWESTERN HWY SERVICE DRIVE Overview Concrete patching with asphalt

524 views • 7 slides
Securing and Protecting Securing and Protecting Water Rights and Uses in Water Rights and Uses

Securing and Protecting Securing and Protecting Water Rights and Uses in Water Rights and Uses

Securing and Protecting Securing and Protecting Water Rights and Uses in Water Rights and Uses in Arizona Arizona L. William Staudenmaier One Arizona Center 400 East Van Buren Street, Suite 1900 Phoenix, Arizona 85004 2202 602.382.6000 |

574 views • 32 slides
Denver Moves: Pedestrians & Trails Task Force Meeting #3 Nov. 16, 2016 Todays Agenda

Denver Moves: Pedestrians & Trails Task Force Meeting #3 Nov. 16, 2016 Todays Agenda

Denver Moves: Pedestrians & Trails Task Force Meeting #3 Nov. 16, 2016 Todays Agenda Introductions, agenda (John & Rosemary) Public comment (All) October 4-5 th outreach results (Jay & David) Existing

182 views • 16 slides
Montreal, Canada Basile van Havre October 2019 Overarching principles guiding the process 1.

Montreal, Canada Basile van Havre October 2019 Overarching principles guiding the process 1.

DEVELOPMENT OF POST 2020 GLOBAL BIODIVERSITY FRAMEWORK: UPDATE ON PROGRESS OEWG Co-Chairs November 24, 2019 Francis Ogwal Montreal, Canada Basile van Havre October 2019 Overarching principles guiding the process 1. Participatory 2.

285 views • 17 slides
Prevention and Early Intervention Program Central Region- Santa Clara County Prevention Early

Prevention and Early Intervention Program Central Region- Santa Clara County Prevention Early

Alum Rock Counseling Center & EMQ FamiliesFirst Prevention and Early Intervention Program Central Region- Santa Clara County Prevention Early Intervention Program Program Overview The Santa Clara County Mental Health Department has

583 views • 12 slides
VETASSESS Presentation to Digital Student Data Depositories Worldwide 2013 April 2013, Beijing

VETASSESS Presentation to Digital Student Data Depositories Worldwide 2013 April 2013, Beijing

VETASSESS Presentation to Digital Student Data Depositories Worldwide 2013 April 2013, Beijing VETASSESS online assessment systems Presenter: Rosemary Woodger, Deputy Executive Director of VETASSESS and Manager of Resources Management,

320 views • 16 slides
1 Many if not most businesses within the Tourism Sector are now temporarily closed in line with

1 Many if not most businesses within the Tourism Sector are now temporarily closed in line with

Rosemary Connolly LL.B., LL.M. Principal Solicitor Rosemary Connolly Solicitors Limited www.solicitorsni.net 1 Many if not most businesses within the Tourism Sector are now temporarily closed in line with Government direction. 2 Many

385 views • 11 slides
LIQUID FLOWERS FLORLIK ROSE ROSE WATER ROSE WATER ROSE WATER FLORLIK ROSE FLORLIK ROSE

LIQUID FLOWERS FLORLIK ROSE ROSE WATER ROSE WATER ROSE WATER FLORLIK ROSE FLORLIK ROSE

LIQUID FLOWERS FLORLIK ROSE ROSE WATER ROSE WATER ROSE WATER FLORLIK ROSE FLORLIK ROSE FLORLIK ROSE FLORLIK ROSE FLORLIK ROSE FLORLIK ROSE FLORLIK ROSE FLORLIK ROSE ROSE WATER FLORLIK ROSE NANO ROSE WATER FLORLIK ROSE NANO ROSE

321 views • 20 slides
Washington State Water Law June 15 th 2016 John Rose Water Resources Ecology 1 Water Rights

Washington State Water Law June 15 th 2016 John Rose Water Resources Ecology 1 Water Rights

Washington State Water Law June 15 th 2016 John Rose Water Resources Ecology 1 Water Rights 101 Historical background and overview Definitions - Permits, Certificates, and Claims Permit Exempt wells Instream Flow Water Rights

446 views • 43 slides
Vern Freeman Diversion Constructed in 1991 Total Diversions (Jan 1991 - Dec 2016): 1,706,671

Vern Freeman Diversion Constructed in 1991 Total Diversions (Jan 1991 - Dec 2016): 1,706,671

Vern Freeman Diversion Constructed in 1991 Total Diversions (Jan 1991 - Dec 2016): 1,706,671 AF Average Annual Diversion: 65,641 AF 1955: El Rio Facility Constructed OH Pipeline Maximum Production Capacity 60,000 AF/YR

945 views • 27 slides

More recommend