SACON
SACON International 2020
India | Bangalore | February 21 - 22 | Gregory Pickett
Adventures In SDN Security
BRIEF OVERVIEW
- Current Trend
  - SDN
  - SDWAN
  - SDDC
- What’s next
- Some Predictions

SOFTWARE DEFINED NETWORKS
- Influencers
- Market Segments
- Realized Benefits

INFLUENCERS
- Academics
- Vendors
  - Big Switch Networks
  - VMware
  - Cisco
- Practitioners

MARKET SEGMENTS
- SDDC
  - First Products Seen
  - Not Widespread
- SDWAN
  - Recent Addition
  - Spreading Rapidly
- SDP

REALIZED BENEFITS
- Integrated Approach
  - Orchestration is Baked In
  - Moves Toward Composable Infrastructure
- Optimized Operations
  - Reduced Complexity
  - Faster Application Development
  - Reduced Provisioning
  - Improved Bandwidth

REALIZED BENEFITS
- Optimized Operations
  - Improved Uptime
  - Shorter Return on Investment
  - Dynamic and Flexible Security

SDWAN
- The Risks
- The Threats
- Securing It!

THE RISKS
- Operational
  - Opaque Operations
- Security
  - Introduces Attack Surfaces
    - Device
    - Cloud
  - Limits detection of and response to threats

VULNERABILITIES
- Weak Encryption
- Weak Authentication
- Insecure Applications

WEAK ENCRYPTION
- Bad Certificates
- Poor Key Management
- No Encryption

WEAK AUTHENTICATION
- Client-Side Logic
- Default Passwords
- Hardcoded Credentials
- Hardcoded Certificates
- Route Spoofing
- No Authentication

INSECURE APPLICATIONS
- Host Header Attacks
- Cross-Site Scripting
- Cross-Site Request Forgery
- Cross-Site WebSocket Hijacking
- Directory Traversal
- SQL Injection
- Command Injection
- Improper Access Control

INSECURE APPLICATIONS
- Remote Code Execution
- Privilege Escalation
- Slow HTTP DoS

ATTACKS
- Viprinet
- Citrix
- Viptela
- Silver Peak
- Riverbed
- Versa
- Arista
- VeloCloud
- Talari
- Brain4Net

VIPRINET
- Cross-Site Scripting
  - CLI
  - Delivers Private Key

CITRIX APPLIANCE
- Hardcoded Certificates (Controller)
- Cross-Site Scripting (Console)
- Cross-Site Request Forgery (Console)
- Directory Traversal (Console)
- SQL Injection (Console)
- Command Injection (Console)
- Improper Access Control (Console)
- Remote Code Execution (Console)
- Privilege Escalation (Console)

CITRIX CENTER
- Cross-Site Scripting (Console)
- Cross-Site Request Forgery (Console)
- Directory Traversal (Console)
- Command Injection (Console)
- Improper Access Control (Console)
- Remote Code Execution (Console)
- Slow HTTPS DoS (Console)

VIPTELA
- Cross-Site Request Forgery
  - API

SILVER PEAK
- Poor Key Management (Key Distribution)
- Default Passwords (Console)
- Hardcoded Credentials
  - API
  - Tunnel Keys
- Cross-Site Request Forgery (API)

RIVERBED
- Host Header
  - Console
  - Password Reset

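
The Host header finding on the Riverbed console (password reset) is the classic case of a web console building the absolute URL in a reset e-mail from the request's Host header instead of from a configured hostname. The following is an added example, not code from the presentation or from any vendor's console: a reset-link builder that trusts the Host header beside one that pins the operator-configured hostname and refuses anything else. CANONICAL_HOST, SECRET_KEY, the header dictionaries and the function names are assumptions for illustration.

```python
"""Password-reset links: Host-header trust versus a pinned canonical host.

Added example, not code from the presentation or from any vendor's console.
CANONICAL_HOST, SECRET_KEY and the request dictionaries are constructed for
illustration; the functions are hypothetical, not a product's API.
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

CANONICAL_HOST = "sdwan-mgmt.example.net"          # constructed: operator-configured hostname
SECRET_KEY = b"constructed-demo-key-do-not-reuse"  # constructed: server-side HMAC key


def make_reset_token(user: str) -> str:
    """Random nonce bound to the user with an HMAC so it cannot be forged."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{user}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def build_reset_link_vulnerable(headers: dict, user: str) -> str:
    """Builds the e-mailed link from whatever Host header the request carried.

    An attacker who requests a reset for the victim while sending
    `Host: attacker.example` gets the victim's token delivered to the
    attacker's server as soon as the victim clicks the link.
    """
    host = headers.get("Host", CANONICAL_HOST)
    query = urlencode({"user": user, "token": make_reset_token(user)})
    return f"https://{host}/reset?{query}"


def build_reset_link_hardened(headers: dict, user: str) -> str:
    """Rejects requests whose Host does not match the pinned hostname and
    never echoes the header into the link."""
    host = headers.get("Host", "").split(":", 1)[0].strip().lower()
    if host != CANONICAL_HOST:
        raise ValueError(f"unexpected Host header: {host!r}")
    query = urlencode({"user": user, "token": make_reset_token(user)})
    return f"https://{CANONICAL_HOST}/reset?{query}"


def hardened_rejects(headers: dict, user: str) -> bool:
    """True when the hardened builder refuses the request."""
    try:
        build_reset_link_hardened(headers, user)
    except ValueError:
        return True
    return False


def link_host(link: str) -> str:
    """Where the token would be sent: the host the victim's browser contacts."""
    return urlparse(link).hostname or ""


def token_is_valid(link: str) -> bool:
    """Server-side check of a presented link: recompute the HMAC over user:nonce."""
    params = parse_qs(urlparse(link).query)
    user, token = params["user"][0], params["token"][0]
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SECRET_KEY, f"{user}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    poisoned = {"Host": "attacker.example"}
    print("vulnerable sends the token to:", link_host(build_reset_link_vulnerable(poisoned, "admin")))
    print("hardened rejects poisoned Host:", hardened_rejects(poisoned, "admin"))
```

The hardened builder compares only the host part (port stripped, case folded) so that a legitimate `Host: sdwan-mgmt.example.net:443` still works; the comparison happens before any token is minted, so a rejected request never produces a reset e-mail at all.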
VERSA
- No Encryption (Analytics)
- Hardcoded Credentials
  - ZTP
  - API

ARISTA
- No Encryption
  - ZTP

VELOCLOUD
- Bad Certificates (Activation)
- Command Injection (Activation)

TALARI
- Route Spoofing
  - Uses SNMP
  - Default Community String

BRAIN4NET
- No Encryption
  - gRPC
  - API
  - OpenFlow
  - Mongo
- No Authentication (Monitoring)
- Cross-Site Scripting (Console)
- Cross-Site WebSocket Hijacking (Console)

SECURING IT
- General Approaches
- Case Study

GENERAL APPROACHES
- Backhaul Encryption
- Second Line of Defense
  - Inspection
  - Firewalling
  - Logging
  - Monitoring

CASE STUDIES
- Many, many case studies available on the Internet
- Most DO NOT mention security
- Most rely on the SD-WAN device
- Those that don’t have opted for one of these
  - Service Chaining
  - WAN traffic encryption

SDDC
- The Risks
- The Threats
- Securing It!

THE RISKS
- Operational
  - Large Failure Domain
- Security
  - Introduces Attack Surfaces
    - Forwarding Elements
    - Controllers
  - Limits detection of and response to threats

VULNERABILITIES
- Weak Encryption
- Denial of Service
- Weak Authentication
- Insecure Session
- Insecure Installation
- Insecure Boot
- Insecure Applications
- Others

WEAK ENCRYPTION
- Outdated OpenSSL
- Insufficient Entropy
- Hardcoded Certificate
- No Encryption

WEAK AUTHENTICATION
- Default Password
- Hardcoded Credentials
- Weak Passwords
- No Authentication

INSECURE SESSION
- Stale Tokens
  - No Expiration
  - Not Invalidated

INSECURE APPLICATIONS
- XXE Injection
- Command Injection
- SQL Injection
- Directory Traversal
- Cross-Site Scripting

OTHERS
- Improper Access Controls
- Shell Bypass
- Privilege Escalation

ATTACKS
- Floodlight
- OpenDaylight
- Cisco APIC
- ONOS
- OpenFlow
  - Protocol
  - Agents
- ONIE
- Cumulus Linux
- MLNX-OS
- Switch Light

FLOODLIGHT
- Open Source
  - No Encryption (OpenFlow, Console)
  - Denial of Service (Controller)
  - No Authentication (Console)
- Atlassian
  - Denial of Service (Forwarding Module)
  - Cross-Site Scripting (Console)

FLOODLIGHT
- Big Cloud Fabric
  - No Encryption (ZTN, ONIE, Sync)
  - No Authentication (ZTN, ONIE)
  - Weak Password (API)
  - Token Stale, Doesn’t Expire, and Doesn’t Invalidate (API)

BIG CLOUD FABRIC (Architecture)
- Storage
  - Structure
  - Partitions
- Hosts
  - Services
- Authentication
  - Users
  - Services
- Management
  - SSH
  - Console
  - API

BIG CLOUD FABRIC (Services)
- Shell
- Mail
- DNS
- Proxy
- Web (Console/API/ONIE/ZTN)
- Queues
- Database
- Sync (Cluster)
- OpenFlow
- Others

BIG CLOUD FABRIC (Backdoor)
- It’s not magic!
- It’s built-in
- Just enter “debug bash”
- From there, “sudo” anything that you want

BIG CLOUD FABRIC (No Encryption)

BIG CLOUD FABRIC (No Authentication)

BIG CLOUD FABRIC (Weak Password)

BIG CLOUD FABRIC (Stale Token)
Was it based on the password? No. I changed that on the 27th! It still works after the password changed.
Most of these are used across the loopback. One is used for controller to controller communication. Does it check certificates?

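
The stale-token finding (API tokens that never expire and keep working after a password change) comes down to what the controller records when it issues a token and what it checks when it validates one. The following is an added example, not code from the presentation or from Big Cloud Fabric: a token store with the observed behaviour next to one that enforces an absolute lifetime, supports revocation on logout, and binds each token to the credential version it was issued under, so a password change invalidates every earlier token. The User model, the fake clock values and the two store classes are constructed for illustration.

```python
"""Session tokens that expire, are invalidated on logout, and die with the
password that was current when they were issued.

Added example, not code from the presentation or from Big Cloud Fabric.
User, the two stores and the clock values in scenario() are constructed.
"""
import hashlib
import os
import secrets
from dataclasses import dataclass


@dataclass
class User:
    name: str
    salt: bytes
    password_hash: bytes
    credential_version: int = 0   # bumped on every password change


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def new_user(name: str, password: str) -> User:
    salt = os.urandom(16)
    return User(name, salt, hash_password(password, salt))


def change_password(user: User, new_password: str) -> None:
    user.salt = os.urandom(16)
    user.password_hash = hash_password(new_password, user.salt)
    user.credential_version += 1     # every token issued before this is now stale


def _key(token: str) -> str:
    # store only a digest, so a dumped token table does not yield usable tokens
    return hashlib.sha256(token.encode()).hexdigest()


class VulnerableTokenStore:
    """The behaviour observed in the slides: no expiry, no invalidation."""
    def __init__(self):
        self._tokens: dict[str, str] = {}

    def issue(self, user: User, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[_key(token)] = user.name
        return token

    def validate(self, token: str, users: dict, now: float):
        name = self._tokens.get(_key(token))
        return users.get(name) if name else None


class HardenedTokenStore:
    """Absolute lifetime, explicit revocation, binding to credential_version."""
    def __init__(self, ttl_seconds: int = 3600):
        self.ttl = ttl_seconds
        self._tokens: dict[str, tuple[str, float, int]] = {}

    def issue(self, user: User, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[_key(token)] = (user.name, now, user.credential_version)
        return token

    def validate(self, token: str, users: dict, now: float):
        record = self._tokens.get(_key(token))
        if record is None:
            return None
        name, issued_at, version = record
        user = users.get(name)
        if user is None or now - issued_at > self.ttl or version != user.credential_version:
            self._tokens.pop(_key(token), None)   # stale: drop it server-side
            return None
        return user

    def revoke(self, token: str) -> None:        # logout
        self._tokens.pop(_key(token), None)


def scenario() -> dict:
    """Issue tokens, change the password, let time pass; report who still gets in."""
    users = {"admin": new_user("admin", "correct horse")}
    vulnerable, hardened = VulnerableTokenStore(), HardenedTokenStore(ttl_seconds=3600)
    t_v = vulnerable.issue(users["admin"], now=0)
    t_h = hardened.issue(users["admin"], now=0)
    result = {"hardened_before_change": hardened.validate(t_h, users, now=100) is not None}
    change_password(users["admin"], "new passphrase")
    result["vulnerable_after_password_change"] = vulnerable.validate(t_v, users, now=101) is not None
    result["hardened_after_password_change"] = hardened.validate(t_h, users, now=101) is not None
    t_h2 = hardened.issue(users["admin"], now=200)
    result["hardened_within_ttl"] = hardened.validate(t_h2, users, now=3700) is not None
    result["hardened_after_ttl"] = hardened.validate(t_h2, users, now=3801) is not None
    t_h3 = hardened.issue(users["admin"], now=4000)
    hardened.revoke(t_h3)
    result["hardened_after_logout"] = hardened.validate(t_h3, users, now=4001) is not None
    return result


if __name__ == "__main__":
    for check, still_valid in scenario().items():
        print(f"{check}: token still accepted = {still_valid}")
```

Binding to a credential version rather than to the password hash itself means the token table never needs the password material, and bumping the version also covers the case where an administrator resets someone else's password.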
BIG CLOUD FABRIC (Remaining)
- API
- OpenFlow
- Sync (with working client)

OPENDAYLIGHT
- No Encryption (OpenFlow)
- Denial of Service (TSDR Module)
- Default Password (Console)
- XXE Injection (Netconf)
- SQL Injection (SDNInterfaceapp)

CISCO APIC
- Hardcoded Certificate (csync, ifc)
- No Authentication (HMS)
- Weak Password (Console)
- Token Not Invalidated (Console)
- Improper Access Controls (HMS)

CISCO APIC (Architecture)
- Storage
  - Structure
  - Partitions
  - Snapshots
- Hosts
  - Services
- Authentication
  - Users
  - Services
- Management
  - SSH
  - Console
  - API

CISCO APIC (Services)
- Shell
- Web (Console/API/HMS)
- DFS
- Sync (Files)
- Sync (Config)
- Proxy
- Database
- Sync (Cluster)
- DNS
- OpFlex
- RPC
- Others (30+)

CISCO APIC (Backdoor)
- This was a little more difficult
- However, everything that you need is still there!
- Offline mount HDD
- Add “backdoor.service” to root “snapshot”
- Loads netcat listener at boot

CISCO APIC (Hardcoded Certificate)
Another hardcoded certificate? I wonder what uses that …. This library does! And, it looks important!

CISCO APIC (Improper Access Control)
Delete everything? Hey! Aren’t you multi-tenant?

CISCO APIC (Remaining)
- API
- HMS (with working network)
- 30+ services (based on those binaries)
- OpFlex
- Others

ONOS
- Denial of Service (OVSDB Component)
- XXE Injection (Notification, XMLCONFIGPARSER)
- Command Injection (YangWebResource)
- Directory Traversal (Console)

OPENFLOW
- Protocol
  - Denial of Service
- Agents
  - Arista, Dell, HP, Huawei, IBM, Juniper, Netgear, Pronto, OVS, Switch Light, and eSwitch
  - No Encryption
  - Debug Port?

ONIE
- Insecure Installation
  - Predictable Search Order
  - HTTP, TFTP
- Insecure Boot
  - Firmware
  - Partition
- Insufficient Entropy (SSH)
- No Encryption (Telnet)

ONIE
- No Authentication (Install)
- Default Password

CUMULUS LINUX
- Outdated OpenSSL
- Shell Bypass? What Shell!
- Privilege Escalation
- Command Injection (clcmd_server)

MLNX-OS
- Outdated OpenSSL
- Hardcoded Credentials
- Shell Bypass
- Privilege Escalation

SWITCH LIGHT
- Outdated OpenSSL
- Hardcoded Credentials
- Shell Bypass
- Privilege Escalation

SECURING IT
- General Approaches
- Case Study

GENERAL APPROACHES
- Switches
- Controllers
- Control Plane
- Management Plane
- Architecture
- Applications
- Operations

SWITCHES
- Secure Boot
  - TPM
  - Signed Firmware
- Install Environment
  - Remove Telnet
  - Increase Key Entropy
  - Force Password Changes
  - Remove TFTP waterfall
  - Encrypted Install
  - Authenticated Install

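
The ONIE findings above (predictable search order over HTTP/TFTP, unauthenticated install) and the install-environment countermeasures on the SWITCHES slide (remove the TFTP waterfall, encrypted install, authenticated install) can be expressed as a policy the installer fails closed against. The following is an added example, not code from ONIE or from any switch vendor: it models the default-image name waterfall, applies a pinned-host/TLS policy to the discovered candidates, and verifies an image against a signed manifest before it may be installed. The waterfall name list is modelled on ONIE's documented default image names and its order is an approximation; InstallPolicy, the HMAC-signed manifest and the per-device provisioning key are assumptions standing in for a vendor's signed-firmware mechanism.

```python
"""Installer discovery and image verification for a ZTP/ONIE-style boot.

Added example, not code from ONIE or from any switch vendor. The waterfall
names are modelled on ONIE's documented default-image names (order approximate);
InstallPolicy, the HMAC-signed manifest and the per-device key are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Candidate:
    source: str    # how the URL was learned: "dhcp-default-url", "tftp-waterfall", ...
    url: str


def tftp_waterfall(arch: str, vendor: str, machine: str, rev: str, server: str) -> list:
    """The predictable names an ONIE-style installer tries on the TFTP server it
    was handed by DHCP. Anyone who can answer DHCP/TFTP on the segment can
    serve a file under one of these names."""
    names = [
        f"onie-installer-{arch}-{vendor}_{machine}-r{rev}",
        f"onie-installer-{arch}-{vendor}_{machine}",
        f"onie-installer-{vendor}_{machine}",
        f"onie-installer-{arch}",
        "onie-installer",
    ]
    return [Candidate("tftp-waterfall", f"tftp://{server}/{n}") for n in names]


@dataclass(frozen=True)
class InstallPolicy:
    pinned_host: str                # the only server an image may come from
    require_tls: bool = True        # "encrypted install"
    allow_waterfall: bool = False   # "remove TFTP waterfall"


def select_installer(candidates: list, policy: InstallPolicy):
    """First candidate that satisfies the policy, or None (fail closed)."""
    for c in candidates:
        u = urlparse(c.url)
        if policy.require_tls and u.scheme != "https":
            continue
        if c.source == "tftp-waterfall" and not policy.allow_waterfall:
            continue
        if (u.hostname or "").lower() != policy.pinned_host.lower():
            continue
        return c
    return None


def image_digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def sign_manifest(image_sha256: str, device_key: bytes) -> dict:
    """Constructed stand-in for a signed image manifest: HMAC over the digest
    with a key provisioned to the device out of band."""
    mac = hmac.new(device_key, image_sha256.encode(), hashlib.sha256).hexdigest()
    return {"sha256": image_sha256, "mac": mac}


def verify_image(image: bytes, manifest: dict, device_key: bytes) -> bool:
    """'Authenticated install': accept the image only if the manifest is
    authentic and the image matches it."""
    expected = hmac.new(device_key, manifest["sha256"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return False
    return hmac.compare_digest(image_digest(image), manifest["sha256"])


def discovery_example() -> list:
    """Constructed candidates in the order a permissive installer would try them:
    a rogue DHCP default-url, the TFTP waterfall, then the real ZTP server."""
    return (
        [Candidate("dhcp-default-url", "http://10.0.0.9/onie-installer")]
        + tftp_waterfall("x86_64", "acme", "sw1", "0", "10.0.0.9")
        + [Candidate("http-neighbor", "https://ztp.example.net/images/sw1.bin")]
    )


if __name__ == "__main__":
    strict = InstallPolicy(pinned_host="ztp.example.net")
    loose = InstallPolicy(pinned_host="10.0.0.9", require_tls=False, allow_waterfall=True)
    print("strict policy picks:", select_installer(discovery_example(), strict))
    print("loose policy picks:", select_installer(discovery_example(), loose))
```

With the permissive policy the first answer on the wire wins, which is exactly what the rogue DHCP/TFTP server is counting on; with the strict policy the waterfall is never consulted and a missing or mismatched manifest leaves the switch uninstalled rather than running whatever it was handed.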
SWITCHES
- TLS
  - Between forwarding element and controllers
  - Using Updated libraries
  - Add Mutual Authentication
  - DevSecOps or SDN to coordinate certificate and key distribution

SWITCHES
- Hardening
  - Install Environment (Above)
  - Operating System
    - Changeable names
    - Forced password changes
    - Remove uid 0 from admin
    - 2FA for shell?
    - Remove unnecessary tools … Etc.

CONTROLLERS
- TLS (Between controllers and users)
- Hardening
- Code Review
- Testing

MANAGEMENT PLANE
- VLAN
- Jump Boxes!

ARCHITECTURE
- Network Partitioning
- Controller Clusters
- Static Flow Entries
- Web Application Firewalls and API proxies

APPLICATIONS
- Traffic Counters
- Other Telemetry

OPERATIONS
- Flow Verification
- Change Management (Configuration Changes)
- Monitoring (Configuration Deviations, Flow Deviations)
- Audit Switches (Switch Configuration, Password Changes, ONIE Partition Hashes)

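
The audit item on the OPERATIONS slide (ONIE partition hashes, configuration deviations) is what catches the offline disk edit the CISCO APIC (Backdoor) slide describes: a unit file added to the root snapshot. The following is an added example, not code from the presentation or from any vendor: it builds a SHA-256 manifest of a mounted partition or snapshot, diffs it against a stored baseline, and flags changes under the paths that decide what runs at boot. The sample tree is constructed in a temporary directory and the file names, including etc/systemd/system/backdoor.service, are illustrative.

```python
"""Baseline-and-diff audit of a switch or controller filesystem snapshot.

Added example, not code from the presentation or from any vendor. The sample
tree is constructed in a temporary directory; path names are illustrative.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 of every regular file under root (symlinks skipped)."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


# Paths whose change should always map to a change-management ticket:
# anything that decides what runs at boot or who is uid 0.
WATCHED_PREFIXES = ("etc/systemd/", "etc/init.d/", "etc/cron", "etc/passwd",
                    "etc/shadow", "etc/sudoers", "boot/", "onie/")


def findings(diff: dict) -> list:
    return [
        f"{kind}: {path}"
        for kind in ("added", "modified", "removed")
        for path in diff[kind]
        if path.startswith(WATCHED_PREFIXES)
    ]


def _write(root: Path, rel: str, content: str) -> None:
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(content)


def run_demo() -> dict:
    """Constructed snapshot: take a baseline, then simulate an offline edit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _write(root, "etc/systemd/system/sshd.service", "[Service]\nExecStart=/usr/sbin/sshd\n")
        _write(root, "etc/passwd", "root:x:0:0::/root:/bin/bash\n")
        _write(root, "var/log/messages", "boot ok\n")
        baseline_json = json.dumps(build_manifest(root), sort_keys=True)  # store this off-box

        # offline modification of the mounted disk: a new unit, a second uid 0
        # account, and ordinary log churn that should not page anyone
        _write(root, "etc/systemd/system/backdoor.service",
               "[Service]\nExecStart=/tmp/listener\n[Install]\nWantedBy=multi-user.target\n")
        _write(root, "etc/passwd", "root:x:0:0::/root:/bin/bash\nsvc:x:0:0::/:/bin/bash\n")
        _write(root, "var/log/messages", "boot ok\nboot ok\n")

        diff = diff_manifests(json.loads(baseline_json), build_manifest(root))
        return {"diff": diff, "findings": findings(diff)}


if __name__ == "__main__":
    for line in run_demo()["findings"]:
        print(line)
```

The baseline must live off the box (and ideally be signed), since a snapshot that can be edited offline can have its own baseline edited too; on a real device the same `build_manifest` runs over the mounted ONIE and root partitions and the comparison runs on the audit host.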
CASE STUDY
- Cisco Systems (2018)
- Traditional Network
  - NetFlow
  - IPS
  - Firewalling
- Software Defined Network
  - Switches and Controllers are black boxes
  - Management plane relies on the existing traditional network

CASE STUDY
- Software Defined Network
  - Architecture
    - Default behaviors
    - Includes partitioning
    - Web application firewalls are used
  - Applications and Operations
    - Not Available
    - Closed System

SDN IN YOUR ENTERPRISE
- Plans for SDN
- Concerns Regarding SDN
- Addressing Those Concerns
  - Need
  - Practical

5G
- What will it look like?
- How will we use it?
- What will the risks be?

WHAT WILL IT LOOK LIKE
- Public and private infrastructure
- Coupled and Decoupled data/control planes
- Managed and Unmanaged nodes
- Lots of Different Architectures
  - Traditional Hub/Spoke
  - Mesh Networks
  - Cloud Distributed
  - Hybrid Deployments

WHAT WILL IT LOOK LIKE
- Homogeneous and Heterogeneous Environments

HOW WILL WE USE IT
- Autonomous/Connected Vehicles
- Sensor/Actuator Networks
- Smart Grid
- Robots and Drones
- Personal Health
- Augmented Reality

THE RISKS
- Operational
  - Different (Incompatible) Implementations
  - Managing and Keeping Nodes Updated
  - Complying with Legal and Regulatory Frameworks

THE RISKS
- Security
  - Introduces Attack Surfaces
    - Supply Chain
    - Underlay Network
      - Small Cells
      - Backbone Network
      - Signaling Protocols
      - Legacy Integrations
      - Multiparty Involvement

THE RISKS
- Security
  - Introduces Attack Surfaces
    - Devices
    - Controllers
    - Management Platforms
    - Cloud
  - Limits detection of and responses to threats

VULNERABILITIES
- Weak Encryption
- Denial of Service
- Weak Authentication
- Information Disclosure
- Parameter Manipulation
- Others

WEAK ENCRYPTION
- Poor Key Management (Radio Interface key exchange)
- Forced Downgrades (3G/Weaker Encryption)
- Differing Standards
  - In Transit
  - Multiparty Involvement
- No Encryption (Backhaul Network)

DENIAL OF SERVICE
- Flash Network Traffic (Nodes)
- Jamming Transmission
  - Entire Spectrum
  - Certain Frequencies (Lowering Performance)
- Signaling Storm (Underlay Network)
- Floods
  - SDN or Forwarding Elements
  - Cloud

WEAK AUTHENTICATION
- Differing Standards
  - In Transit
  - Multiparty Involvement

INFORMATION DISCLOSURE
- Timing/Boundary/Caching Attacks (User Location)
- Differing Standards
  - At Rest
  - Multiparty Involvement
- Shared Resources (Cloud)

PARAMETER MANIPULATION
- Model
  - Poisoning
  - User to Platform
- User
  - Cross-Over
  - User to User

OTHERS
- Spoofing Base Stations
- User Security Update Failures (Multiparty Involvement)
- Access Control Bypass
- VM Escape
  - Cloud

SECURING IT
- General Approaches
- New Approaches

GENERAL APPROACHES
- Backhaul Encryption
- Second Line of Defense
- Product/Service appropriate add-ins
- Work with Providers

BACKHAUL ENCRYPTION
- Don’t rely on the provider
- Encrypt your traffic

SECOND LINE OF DEFENSE
- Inspection
- Firewalling
- Logging
- Monitoring

PRODUCT/SERVICES
- Zero Trust
- Proxies and Gateways

WORK WITH PROVIDERS
- Additional Physical Layer Security
  - Radio-Frequency (RF) Fingerprinting
  - Asymmetric Security Schemes
  - Dynamic Changing Security
- Host Identity Protocol (HIP) for radio interface key exchange
- Backhaul encryption (Native)
- Adoption of fiber ring network protection

WORK WITH PROVIDERS
- More use of the cloud for C-RAN operations
- Better compartmentalization within the cloud
- Use of the above SDN countermeasures
- More comprehensive data classification policies

NEW APPROACHES
- SDN
  - Regulation of Traffic (Flash Network Traffic)
  - Facilitating NFV
- Machine Learning
  - Within NFV
  - Both provider and customer use

5G IN YOUR ENTERPRISE
- Plans for 5G
- Concerns regarding 5G
- Addressing those concerns
  - Need
  - Practical

SOME PREDICTIONS
- Lots of Holes
  - Supply Chain Attacks
  - Mismatches Everywhere
  - Privacy Nightmare
- Vulnerabilities in individual components will roll in …
- Regulations will make it worse
- Those building on top of what is offered will do the best!

Questions?