SDN: is it a solution for network security?

Talk by R.L. Smelyanskiy at the international forum "Partnership of the State, Business and Civil Society in Ensuring Information Security and Countering Terrorism", Garmisch-Partenkirchen, Munich, April 2013.



  1. SDN: is it a solution for network security? Smelyanskiy R.L., Moscow State University, Computer Systems Laboratory; Applied Research Center for Computer Networks, 2013
  2. Agenda • What is an SDN network? • The term “protecting” can be many-sided… • The SDN control environment also needs to be protected. 25.11.2013 prof. R. Smelyanskiy, MSU & ARCCN
  3. Software defined evolution (diagram): a classic router with RIP, OSPF, IS-IS, VLAN, ACL, MPLS, … all inside one device.
  6. Software defined evolution (diagram): the switch keeps a flow table in TCAM; VLAN, RIP, OSPF, IS-IS, ACL, MPLS, … move to a controller.
  7. Software defined evolution (diagram): the switch holds a flow table in TCAM and the controller programs it. Flow table columns: MAC src | MAC dst | IP Src | IP Dst | TCP sport | TCP dport | Action (* = wildcard). Rule examples:
     Switching:      * | 00:1f:.. | * | * | * | * | port 5
     Firewall:       * | * | * | * | * | 22 | drop
     Routing:        * | * | * | 5.6.7.8 | * | * | port 1
     Flow switching: 00:20.. | 00:1f:.. | 1.2.3.4 | 5.6.7.8 | 20 | 666 | port 7
     Protocols listed alongside the diagram: RIP, OSPF, IS-IS, VLAN, ACL, MPLS, …
  9. Software defined evolution (diagram): a network operating system runs on the controller; VLAN, RIP, OSPF, IS-IS, ACL, MPLS, … become applications on top of it (APP VLAN, APP RIP, APP OSPF, APP IS-IS, APP ACL, APP MPLS, APP …); the switch keeps its flow table in TCAM.
  10. Software defined evolution (diagram): one controller running the network operating system and its applications manages several switches.
  11. Software defined evolution. Advantages: cheap and simple network devices; flexible configuration; global network view; freedom for innovation. (Diagram as on slide 10.)
  13. Case studies • Large transit service provider • Big international company – multiple offices – VPN communications • Network of a large organization – large internal networks – various types of network activity
  14. Security in traditional architecture networks • Case studies: – Large transit service provider – Airport network – ISP (VPN provider) • Tendencies – Traffic growth – Mobility • Infrastructure • Software • Protocols
  15. The term “protecting” can be many-sided… Physical access
  16. Airport example (diagram)
  17. Airport example (diagram): several control processes; a trespasser.
  18. Airport example (diagram): several control processes, one of them running malware; a trespasser.
  19. Airport example (diagram): each control process now sits with a packet-forwarding element, all under an SDN controller; a trespasser.
  20. The term “protecting” can be many-sided… Network flow control
  21. Network of an organization example (diagram): Tenant A, Tenant B, tenant app.
  22. Network of an organization example (diagram): traffic source point and traffic destination points; the tenant app decides Accept or Drop for traffic between Tenant A and Tenant B.
  23. Network of an organization example (diagram)
  24. Network of an organization example (diagram): traffic source point and traffic destination point; a firewall app on the controller installs firewall rules on the switches along the path.
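The flow table of slide 7 and the firewall app of slide 24, as an added Python example that is not part of the talk: a wildcard match/action table with priority ordering, and a controller application that installs drop rules into it. The field names, the priorities and the `packet-in` miss action are assumptions made for this example.

```python
# Added example, not from the talk: an OpenFlow-style flow table with the six
# match fields and the four rule examples of slide 7, plus a controller-side
# "firewall app" (slide 24) that pushes tenant policy into the same table.
FIELDS = ("mac_src", "mac_dst", "ip_src", "ip_dst", "tcp_sport", "tcp_dport")

class FlowTable:
    """Match/action rules; a field absent from `match` is a wildcard (*)."""
    def __init__(self):
        self.entries = []                       # (priority, match, action)

    def add(self, priority, action, **match):
        unknown = set(match) - set(FIELDS)
        if unknown:
            raise ValueError(f"unknown match fields: {sorted(unknown)}")
        self.entries.append((priority, dict(match), action))
        self.entries.sort(key=lambda e: e[0], reverse=True)   # highest priority first

    def lookup(self, pkt):
        """Action of the highest-priority rule whose fields all equal the packet's."""
        for _prio, match, action in self.entries:
            if all(pkt.get(k) == v for k, v in match.items()):
                return action
        return "packet-in"                      # table miss: hand the packet to the controller

class FirewallApp:
    """Controller application: installs drop rules above the forwarding rules."""
    def __init__(self, table, priority=200):
        self.table, self.priority = table, priority

    def block_dport(self, dport):               # slide 7 firewall row: dport 22 -> drop
        self.table.add(self.priority, "drop", tcp_dport=dport)

    def isolate(self, src_ip, dst_ip):          # slides 22/24: tenant traffic -> Drop
        self.table.add(self.priority, "drop", ip_src=src_ip, ip_dst=dst_ip)

def build_slide7_table():
    """The four rows of slide 7; priorities are an assumption (most specific wins)."""
    t = FlowTable()
    t.add(50, "port 5", mac_dst="00:1f:..")                             # switching
    t.add(100, "port 1", ip_dst="5.6.7.8")                               # routing
    t.add(300, "port 7", mac_src="00:20..", mac_dst="00:1f:..",          # flow switching
          ip_src="1.2.3.4", ip_dst="5.6.7.8", tcp_sport=20, tcp_dport=666)
    FirewallApp(t).block_dport(22)                                       # firewall
    return t
```

Without the firewall row a packet to 5.6.7.8 on port 22 would match the routing row and leave via port 1; the drop rule only wins because the firewall app installs it at a higher priority, which is the ordering such an app has to guarantee.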
  25. The SDN control environment also needs to be protected.
  26. SDN control environment security
  27. Controller security app (diagram): OpenFlow (OF) events generated by both legal traffic and malware traffic reach the security apps running on the controller.
  28. Switch-controller security (diagram): switch; malware.
  29. Switch-controller security (diagram): an authentication server between switch and controller (Internet Key Exchange, IPsec, Kerberos, etc.); malware.
  30. Controller-to-controller security: out-of-band controller-to-controller protocol. Seems to be secure enough, but an expensive solution.
  31. Controller-to-controller security: in-band controller-to-controller protocol. Problem 1: check policies. Problem 2: isolate controller traffic and datapath traffic. Problem 3: special QoS settings.
  32. Controller requirements • c-applications should be reusable by different controllers placed near each other; • different controller instances should be able to share the same instance of a c-application; • the controller should be a trusted environment; • the controller should be scalable: if the workload grows beyond the current computational power of the controller, it should be able to get more computational power, for example by splitting its activity with another controller instance placed on another physical resource; • if some controller instance shuts down, other controllers placed nearby should be able to take over the network switches that it managed.
  33. Conclusion • Software Defined Networking (SDN) has developed rapidly. – Working in data centers – Replacing proprietary routers • Splitting the data plane and the control plane brings advantages, but also opens new ways to exploit such networks for malicious purposes. • The major advantages of the SDN approach: – programmable configuration – data plane and control plane separation – flexible data flow control
  34. Q&A smel@.cs.msu.su
  35. Switch-controller security (diagram): an OpenFlow switch connected to the controller over a control channel; hosts send legal traffic and malware traffic, each producing OpenFlow events; an OpenFlow event checker on the controller receives the events.
  37. Switch-controller security (diagram): the same topology, but the OpenFlow events from legal and malware traffic now reach a vulnerable app on the controller.
  38. Switch-controller security (diagram): the same topology, with the OpenFlow events reaching a vulnerable security app on the controller.
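The OpenFlow event checker of slides 35 to 38 (and the security apps of slide 27), as an added Python example that is not part of the talk: a gate between the control channel and the controller apps that admits PACKET_IN events only from switches that completed authentication (slide 29) and rate-limits them per switch port, so a flooding host cannot exhaust a vulnerable app behind it. The event dictionaries, datapath ids, limits and counters are constructed for this example.

```python
# Added example, not from the talk: an "OpenFlow event checker" between the
# control channel and the controller apps (slides 35-38). It admits PACKET_IN
# only from authenticated switches and rate-limits them per (datapath, port).
import time
from collections import defaultdict, Counter

class OFEventChecker:
    def __init__(self, trusted_dpids, max_per_window=5, window=1.0, clock=time.monotonic):
        self.trusted = set(trusted_dpids)       # datapath ids that authenticated (slide 29)
        self.max_per_window, self.window, self.clock = max_per_window, window, clock
        self.seen = defaultdict(list)           # (dpid, in_port) -> recent timestamps
        self.stats = Counter()                  # delivered / rejected counters
        self.apps = []                          # callables that receive admitted events

    def _allowed(self, ev):
        if ev.get("dpid") not in self.trusted:
            self.stats["untrusted_dpid"] += 1
            return False
        if ev.get("type") != "PACKET_IN":
            return True                         # only PACKET_IN is host-triggerable
        key, now = (ev["dpid"], ev.get("in_port")), self.clock()
        recent = [t for t in self.seen[key] if now - t < self.window]
        if len(recent) >= self.max_per_window:
            self.seen[key] = recent
            self.stats["rate_limited"] += 1     # this port is flooding the controller
            return False
        self.seen[key] = recent + [now]
        return True

    def handle(self, ev):
        """Deliver the event to every app only if it passes the checks."""
        if not self._allowed(ev):
            return False
        for app in self.apps:
            app(ev)
        self.stats["delivered"] += 1
        return True

def run_demo():
    """Constructed stream: legal host on port 3, malware host flooding port 7,
    and one event from a switch (dpid 99) that never authenticated."""
    fake_now = [0.0]
    checker = OFEventChecker(trusted_dpids={1}, clock=lambda: fake_now[0])
    delivered = []
    checker.apps.append(delivered.append)
    events = [{"dpid": 1, "type": "PACKET_IN", "in_port": 3}] * 3
    events += [{"dpid": 1, "type": "PACKET_IN", "in_port": 7}] * 20
    events += [{"dpid": 99, "type": "PACKET_IN", "in_port": 1}]
    for ev in events:
        fake_now[0] += 0.01                     # 10 ms apart: all inside one window
        checker.handle(ev)
    return checker.stats, delivered
```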
  39. Controller-controller protocol security (diagram): controllers exchange an out-of-band controller-controller protocol on a separate control channel, apart from the OpenFlow switches and hosts. Seems to be secure enough, but an expensive solution.
  40. Controller-controller protocol security (diagram): in-band versus out-of-band controller-controller protocol; for the in-band case: check policies, isolate controller traffic and datapath traffic, special QoS settings.
