1 Orange Public Nizar KHEIR
Security Challenges & Opportunities in Software Defined Networks (SDN)
June 30th, 2015
SEC2 2015: Premier atelier sur la sécurité dans les Clouds (first workshop on security in the Clouds)
Nizar KHEIR, Cyber Security Researcher, Orange Labs Products and Services
Understanding the SDN Concept: Analogy with the operating system
- Applications: supply value-added services that leverage the main physical assets of the underlying system.
- Operating system: provides a mediation layer between the application logic and the physical hardware. It may be accessed through dedicated APIs and system calls.
- Hardware: supplies a collection of physical elements that make compute, data and storage capabilities available in order to execute the application logic.
[Figure: layered stack of applications on top of the operating system, which sits on top of the hardware (CPU, memory, HDD, network)]
SDN as a Network Operating System
[Figure: applications sit on top of the SDN controller (the network OS), which drives the networking devices of the network infrastructure through OpenFlow messages such as Packet_In (device to controller) and Flow_mod (controller to device)]
Global SDN Architecture
[Figure: three planes. Data plane: the forwarding devices. Control plane: the SDN controller, reached from the devices through the southbound network interface (OpenFlow control messages) and from the applications through the northbound application interface. SDN application plane: service and application logic]
- Network devices: e.g. Cisco, Juniper, Alcatel
- Southbound interface: e.g. the OpenFlow standard
- Controller (topology management): e.g. NOX, OpenDayLight, FloodLight
- Northbound interface: e.g. REST, Java (not standardized)
- Applications: e.g. routing, QoS, security
Common Benefits
- Central management: global routing policies instead of separate device configuration
- Network abstraction layer: dissociate network management from low-level configuration
- Adaptive/autonomic network management: set up autonomous reaction strategies against failures and security incidents
- Network slicing and isolated management: segregate network traffic into different slices using isolated control logic
[Figure: network slicing using SDN. One SDN controller and its applications handle normal traffic at QoS level a, a second SDN controller and its own applications handle VIP traffic at QoS level b, both on the same data plane]
Security Challenges with SDN: Global risk overview
[Figure: users attached to SDN devices in the data plane, controllers in the control plane; the numbered attack classes below are marked on the elements they affect]
(1) Attacks in the data plane
- Common to legacy attacks
(2) Attacks on SDN devices
- Impact on data plane traffic
- Impact on control plane (LLDP tampering)
(3) Attacks on the control plane
- DDoS by flooding Packet_In messages
- Topology poisoning via address spoofing (ARP, LLDP, IGMP)
(4) Attacks on the controller
- Malicious or untrusted applications
- Saturation of device forwarding tables
- Lack of isolation and conflict resolution
Topology Poisoning Attacks on SDN: Data plane link fabrication attack
Threat model and constraints
- The attacker controls only a few virtual machines connected to the SDN network
Link discovery in OpenFlow networks
[Figure: (1) the SDN controller sends an LLDP advertisement to Device A in a Packet_out; (2) Device A emits the LLDP advertisement on its port towards Device B; (3) Device B delivers it to the controller in a Packet_In, and the controller records a link between A and B]
Link fabrication attack mechanism
[Figure: (1) the controller sends the LLDP Packet_out to Device A; (2) Device A's LLDP advertisement reaches an infected terminal, which relays it over a covert channel (3) to a second infected terminal attached to Device C; (4) Device C reports the advertisement to the controller in a Packet_In, so the controller records a forged link between A and C]
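A controller-side check against the link fabrication described above, written as an added example (not code from the slides or from any Orange project). It assumes a controller secret, a host-port set fed by the controller's host tracking, and an epoch counter bumped on every discovery round; the tag binds each advertisement to the (dpid, port) it was sent from, and a relayed copy is refused either as a replay or because it arrives on a port where a host lives.

```python
import hmac
import hashlib
import struct

# Added example (not from the slides): controller-side LLDP validation.
# Every LLDP advertisement the controller emits via Packet_Out carries an
# 8-byte HMAC tag over (dpid, port, epoch), so a crafted advertisement is
# rejected, and each advertisement is accepted at most once per epoch and
# only on ports where no host has been seen.
SECRET = b"constructed-demo-key"  # would be a per-controller random secret


def lldp_tag(dpid, port, epoch):
    msg = struct.pack("!QHI", dpid, port, epoch)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:8]


class LinkGuard:
    def __init__(self):
        self.epoch = 0
        self.host_ports = set()  # (dpid, port) where a host was seen, e.g. via ARP/DHCP
        self.outstanding = {}    # tag -> (dpid, port) of advertisements not yet answered

    def emit(self, dpid, port):
        """Build the LLDP payload sent in a Packet_Out: dpid, port, tag."""
        tag = lldp_tag(dpid, port, self.epoch)
        self.outstanding[tag] = (dpid, port)
        return struct.pack("!QH", dpid, port) + tag

    def on_packet_in(self, in_dpid, in_port, payload):
        """Validate an LLDP Packet_In.
        Returns ("link", (src_dpid, src_port, in_dpid, in_port)) or ("drop", reason)."""
        if len(payload) != 18:
            return ("drop", "malformed")
        src_dpid, src_port = struct.unpack("!QH", payload[:10])
        tag = payload[10:]
        if not hmac.compare_digest(tag, lldp_tag(src_dpid, src_port, self.epoch)):
            return ("drop", "bad-tag")    # crafted dpid/port or stale epoch
        if tag not in self.outstanding:
            return ("drop", "replay")     # already answered, or never sent this epoch
        if (in_dpid, in_port) in self.host_ports or (src_dpid, src_port) in self.host_ports:
            return ("drop", "host-port")  # switch-to-switch LLDP must not touch a host port
        del self.outstanding[tag]
        return ("link", (src_dpid, src_port, in_dpid, in_port))
```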
Control plane saturation attacks: Flooding the controller with Packet_In messages
- Limited monitoring support for many security applications in OpenFlow
- Inherent communication bottleneck between control and data planes, which enables control plane saturation attacks
[Figure: normal flow setup: (1) a source sends a packet to Device A; (2) Device A has no matching entry and sends a Packet_In to the SDN controller; (3) the controller answers with a FlowMod; (4) the packet is forwarded to the destination. Packet_In flooding: malicious terminals (bots) attached to several SDN devices generate many new flows, so every device floods the controller with Packet_In messages]
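Detection logic for the saturation scenario above, as an added example rather than code from the slides: a sliding-window count of Packet_In events per (switch, port) and per switch, run over a constructed event trace. It assumes the controller exposes each Packet_In as (timestamp in seconds, dpid, in_port); the thresholds are demo values.

```python
from collections import defaultdict, deque

# Added example (not from the slides): sliding-window Packet_In rate monitoring.
# Assumption: the controller hands us each Packet_In as (ts_seconds, dpid, in_port).


class PacketInMonitor:
    def __init__(self, window_s=1.0, port_limit=50, switch_limit=500):
        self.window_s = window_s
        self.port_limit = port_limit      # Packet_In per (switch, port) per window
        self.switch_limit = switch_limit  # Packet_In per switch per window
        self.per_port = defaultdict(deque)
        self.per_switch = defaultdict(deque)

    @staticmethod
    def _count(dq, ts, window_s):
        """Append ts, drop timestamps older than the window, return the count."""
        dq.append(ts)
        while dq and ts - dq[0] > window_s:
            dq.popleft()
        return len(dq)

    def observe(self, ts, dpid, in_port):
        """Record one Packet_In; return the alerts it triggers as (kind, key, count)."""
        alerts = []
        n = self._count(self.per_port[(dpid, in_port)], ts, self.window_s)
        if n > self.port_limit:
            alerts.append(("port", (dpid, in_port), n))
        n = self._count(self.per_switch[dpid], ts, self.window_s)
        if n > self.switch_limit:
            alerts.append(("switch", dpid, n))
        return alerts


def flagged_ports(events, **kw):
    """Replay a time-sorted event list; return the (dpid, port) pairs over the port limit.
    A controller would react by installing a short-lived rate-limit or drop entry
    for that port instead of answering each of its Packet_In messages."""
    mon = PacketInMonitor(**kw)
    flagged = set()
    for ts, dpid, in_port in events:
        for kind, key, _ in mon.observe(ts, dpid, in_port):
            if kind == "port":
                flagged.add(key)
    return flagged


# Constructed sample: two benign hosts on ports 1 and 2 of switch 1 open a few
# new flows per second, while a bot on port 7 opens 200 flows within 0.4 seconds.
SAMPLE = sorted([(i * 0.05, 1, 1 + i % 2) for i in range(20)]
                + [(0.5 + i * 0.002, 1, 7) for i in range(200)])
```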
Defending SDNs from malicious applications: Security enforcement within SDN controllers
No effective mechanisms to enforce access control and conflict resolution among SDN applications
[Figure: existing components of the NOX controller. Input/output: socket, asynchronous file, OpenFlow API; network protocols, data structures and utilities; core services: threading and event management, connection manager, event dispatcher, DSO deployer, OpenFlow manager; on top, core apps, net apps and web apps. There is no built-in access control management or conflict handling]
Defending SDNs from malicious applications (cont'd): Security enforcement within SDN controllers
Two competing directions for enforcing security and access control in SDN architectures:
[Figure, left: a security enforcement kernel inside the controller. Applications (App 1 ... App n) go through app credential management, RBAC authentication and RCA conflict analysis against administrator rules, security-related rules and application rules; a state table manager then pushes the result through the OpenFlow API to the router's forwarding tables, next to the other controller functionalities]
[Figure, right: seamless network slicing. A network orchestrator applies an isolation policy across several controllers (control logic 1 ... control logic n), each driving the router's forwarding tables through the OpenFlow API over isolated network slices]
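The conflict-analysis step of the security enforcement kernel sketched above, as an added example (not the slides' or any controller's own code). It assumes three rule tiers (administrator above security above application), matches given as dicts of header fields with absent fields acting as wildcards, and the policy that a new rule is refused when it overlaps a higher-tier rule and prescribes a different action.

```python
from dataclasses import dataclass

# Added example (not from the slides): tier-based conflict analysis for a
# security enforcement kernel. Assumed tiers, highest first.
TIER_RANK = {"administrator": 3, "security": 2, "application": 1}


@dataclass
class FlowRule:
    tier: str      # "administrator", "security" or "application"
    app: str       # which application or operator submitted it
    match: dict    # e.g. {"nw_dst": "10.0.0.5", "tp_dst": 23}; absent field = wildcard
    action: str    # "forward", "drop", "redirect", ...


def overlaps(a, b):
    """Two matches can fire on the same packet if every field both specify agrees."""
    return all(a[k] == b[k] for k in a.keys() & b.keys())


class RuleBase:
    def __init__(self):
        self.rules = []

    def insert(self, rule):
        """Conflict analysis before a rule reaches the forwarding tables.
        Returns (accepted, reason); a lower-tier rule may never contradict a
        higher-tier one, while a higher-tier rule may override lower ones."""
        if rule.tier not in TIER_RANK:
            return False, "unknown tier"
        for existing in self.rules:
            if (overlaps(existing.match, rule.match)
                    and existing.action != rule.action
                    and TIER_RANK[existing.tier] > TIER_RANK[rule.tier]):
                return False, f"conflicts with {existing.tier} rule from {existing.app}"
        self.rules.append(rule)
        return True, "accepted"
```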
What about SDN security applications (cont'd)? Dynamic and lightweight composition of security services
[Figure: (a) network topology: a source, a destination and a security service s1 on the SDN data plane; (b) no security service: shortest-path routing between source and destination; (c) subscribed security service: shortest path through s1; (d) subscribed security service: multiple shortest paths with passive monitoring]
What about SDN security applications? Seamless and autonomic security incident management
Enhancing SDN capabilities by introducing a framework for the modular composition of event-driven security services
[Figure: the SDN controller, with its security enforcement kernel and SDN applications, exchanges OpenFlow messages with the SDN data plane devices. A security engine with an event manager and a security resource manager (backed by a DB) draws modules A, B, C and D from an SDN security module library; modules A and D are the currently activated SDN security modules]
Network security monitoring in SDN: Open issues and questions
A security monitoring framework as an SDN application: packet content is sent to the DPI application using Packet_In messages
[Figure: SDN data plane devices send Packet_In messages to the SDN controller; on top of it run a monitoring application, a statistics/NetFlow application and a DPI application (packet content), all feeding data/security analytics]
Pros:
- Straightforward approach (leverages inherent SDN capabilities)
- No intelligence required in data plane devices
Cons:
- Bottleneck, since all traffic is forwarded to the controller (at least the first packets of a flow)
Conclusion
SDN security challenges have sparked multiple research efforts in recent years
- Resilience of SDN control plane => Avoid bottlenecks & single points of failure
- Management of SDN control plane => Detect and handle poisoning attacks
- Security and reliability of SDN data plane => Diagnose failures and data plane attacks
- Open innovation ecosystem => Enable isolation & security enforcement
But also several opportunities in terms of enhancing autonomic security monitoring
- Bridge the longstanding gap between detection and remediation of security incidents
- Network layer abstraction, which enables comprehensive security management and dissociates security mechanisms from low-level configuration
Thank you
June 30th, 2015
SEC2 2015
Premier atelier sur la sécurité dans les Clouds
nizar.kheir@orange.com