This document summarizes Gregory Pickett's presentation on SDN security at SACON International 2020. It discusses current software-defined networking trends (SDN, SD-WAN and SDDC), then covers vulnerabilities in SDN components such as switches, controllers and applications, with examples from Cisco APIC, Floodlight and Big Cloud Fabric. Finally, it discusses general approaches to securing SDN through encryption, authentication, hardening, architecture and operations, and summarizes a case study of Cisco's approach to SDN security.
29. SACON
CASE STUDIES
Many, many case studies
available on the Internet
Most DO NOT mention security
Most rely on the SD-WAN device
Those that don’t have opted for one of these
Service Chaining
WAN traffic encryption
31. SACON
THE RISKS
Operational
Large Failure Domain
Security
Introduces Attack Surfaces
- Forwarding Elements
- Controllers
Limits detection of and response to threats
39. SACON
FLOODLIGHT
Open Source
No Encryption (OpenFlow, Console)
Denial of Service (Controller)
No Authentication (Console)
Atlassian
Denial of Service (Forwarding Module)
Cross-Site Scripting (Console)
40. SACON
FLOODLIGHT
Big Cloud Fabric
No Encryption (ZTN, ONIE, Sync)
No Authentication (ZTN, ONIE)
Weak Password (API)
Token Stale, Doesn’t Expire, and Doesn’t Invalidate (API)
52. SACON
BIG CLOUD FABRIC (Stale Token)
Was it based on the password?
No. I changed that on the 27th!
53. SACON
BIG CLOUD FABRIC (Stale Token)
It still works after the password changed.
Most of these are used across the loopback.
One is used for controller to controller communication.
Does it check certificates?
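The stale-token finding on the Big Cloud Fabric slides (a token that does not expire and keeps working after the password is changed) comes down to an API that checks nothing beyond the token's signature. The following is an added example, not code from the talk or from Big Cloud Fabric, showing a signature-only check next to a hardened one that also enforces expiry, binds the token to a per-user credential generation that advances on every password change, and honours an explicit revocation list. The signing key, user store and credentials are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # hypothetical API signing key
TOKEN_TTL = 3600                      # seconds; the slides' complaint is "doesn't expire"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    """Constructed in-memory user table with a per-user credential generation."""

    def __init__(self):
        self.users = {}
        self.revoked = set()  # token ids invalidated by logout or admin action

    def create(self, name, password):
        salt = secrets.token_bytes(16)
        self.users[name] = {"salt": salt, "hash": _hash_password(password, salt), "gen": 0}

    def check_password(self, name, password):
        u = self.users.get(name)
        return u is not None and hmac.compare_digest(u["hash"], _hash_password(password, u["salt"]))

    def change_password(self, name, new_password):
        u = self.users[name]
        u["salt"] = secrets.token_bytes(16)
        u["hash"] = _hash_password(new_password, u["salt"])
        u["gen"] += 1  # every token minted under the old generation is now stale


def _sign(payload: bytes) -> str:
    return base64.urlsafe_b64encode(hmac.new(SERVER_KEY, payload, "sha256").digest()).decode()


def issue_token(store, name, password, now=None):
    if not store.check_password(name, password):
        return None
    now = time.time() if now is None else now
    claims = {"sub": name, "gen": store.users[name]["gen"],
              "exp": now + TOKEN_TTL, "jti": secrets.token_hex(8)}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return payload + "." + _sign(payload.encode())


def verify_signature_only(token):
    """Weak check: any token with a valid signature is accepted (the stale-token behaviour)."""
    if token.count(".") != 1:
        return None
    payload, sig = token.split(".")
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def verify_token(store, token, now=None):
    """Hardened check: signature, expiry, credential generation and revocation list."""
    claims = verify_signature_only(token)
    if claims is None:
        return None
    now = time.time() if now is None else now
    user = store.users.get(claims["sub"])
    if user is None or claims["exp"] <= now:
        return None
    if claims["gen"] != user["gen"]:    # password changed since issuance
        return None
    if claims["jti"] in store.revoked:  # explicitly invalidated
        return None
    return claims


def revoke(store, token):
    claims = verify_signature_only(token)
    if claims:
        store.revoked.add(claims["jti"])


def demo():
    store = UserStore()
    store.create("admin", "old-password")  # constructed credentials
    t0 = 1_000_000.0
    tok = issue_token(store, "admin", "old-password", now=t0)
    results = {"fresh": verify_token(store, tok, now=t0 + 10) is not None}
    store.change_password("admin", "new-password")
    results["after_password_change_weak"] = verify_signature_only(tok) is not None
    results["after_password_change"] = verify_token(store, tok, now=t0 + 10) is not None
    tok2 = issue_token(store, "admin", "new-password", now=t0)
    results["expired"] = verify_token(store, tok2, now=t0 + TOKEN_TTL + 1) is not None
    revoke(store, tok2)
    results["revoked"] = verify_token(store, tok2, now=t0 + 10) is not None
    return results
```

The generation counter is what answers the slide's question: a token issued before the password change carries the old generation and is refused without the API having to track every outstanding token, while the revocation set covers the cases (logout, compromise) where a single token must die before its expiry.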
59. SACON
CISCO APIC (Backdoor)
This was a little more difficult
However, everything that you need is still there!
Offline mount HDD
Add “backdoor.service” to root “snapshot”
Loads netcat listener at boot
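The APIC slides show that an attacker with the disk can add a service unit to a root snapshot and have it start at boot. From the defender's side the countermeasure is an integrity manifest of the unit directory, built at image-build time and kept (and signed) off the box, that a boot-time or audit check compares against the mounted snapshot. The code below is an added example, not Cisco's or the talk's code; the unit paths and contents are constructed and do not describe real APIC files.

```python
import hashlib

# Constructed "golden" unit directory of a known-good controller image.
GOLDEN_UNITS = {
    "/etc/systemd/system/fabric-controller.service":
        b"[Unit]\nDescription=fabric controller (constructed)\n"
        b"[Service]\nExecStart=/usr/bin/fabric-controller\n",
    "/etc/systemd/system/multi-user.target.wants/fabric-controller.service":
        b"[Unit]\nDescription=fabric controller (constructed)\n"
        b"[Service]\nExecStart=/usr/bin/fabric-controller\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """Map every unit file path to its digest. The manifest must live off the box
    (or be signed), otherwise whoever rewrites the units can rewrite it too."""
    return {path: sha256_hex(content) for path, content in files.items()}


def verify_units(manifest, files):
    """Compare a mounted snapshot's unit directory against the manifest and
    report every added, modified or missing unit file."""
    findings = []
    for path in sorted(files):
        if path not in manifest:
            findings.append(("added", path))
        elif manifest[path] != sha256_hex(files[path]):
            findings.append(("modified", path))
    for path in sorted(manifest):
        if path not in files:
            findings.append(("missing", path))
    return findings


def demo():
    manifest = build_manifest(GOLDEN_UNITS)
    clean = verify_units(manifest, GOLDEN_UNITS)
    # Constructed tampering: one unit not in the image, one existing unit edited.
    tampered = dict(GOLDEN_UNITS)
    tampered["/etc/systemd/system/unexpected.service"] = b"[Unit]\nDescription=not in the image\n"
    tampered["/etc/systemd/system/fabric-controller.service"] += b"Environment=INJECTED=1\n"
    return clean, verify_units(manifest, tampered)
```

Running the same comparison over the whole boot path (initramfs, kernel, early units) rather than only the unit directory is the generalisation; a measured or verified boot chain does this in hardware, which is why the slides later put "Install Environment" at the top of the hardening list.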
79. SACON
SWITCHES
TLS
Between forwarding element and controllers
Using Updated libraries
Add Mutual Authentication
DevSecOps or SDN to coordinate certificate and key distribution
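The slide's three points (TLS between switch and controller, a current library, mutual authentication) translate into a handful of context settings on each side of the control channel. The following added example, not code from the talk or any SDN product, builds a controller-side and a switch-side context with Python's standard `ssl` module and includes a policy check that reports where a context falls short; the certificate and CA file paths are hypothetical arguments, and the OpenSSL version floor is an illustrative assumption.

```python
import ssl


def controller_context(ca_file=None, cert_file=None, key_file=None):
    """Server side: the controller's OpenFlow listener. Switches must present a
    certificate chained to the fabric CA (hypothetical path in ca_file)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1 and SSLv3
    ctx.verify_mode = ssl.CERT_REQUIRED           # this is what makes it *mutual*
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def switch_context(ca_file=None, cert_file=None, key_file=None):
    """Client side: a forwarding element dialling the controller."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED           # already the default, stated for clarity
    ctx.check_hostname = True                     # controller name must match its certificate
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)  # the switch's own identity
    return ctx


def policy_violations(ctx, role):
    """List the ways a context falls short of the mutual-TLS policy."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("peer certificate not required")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("accepts TLS older than 1.2")
    if role == "switch" and not ctx.check_hostname:
        problems.append("controller hostname not checked")
    return problems


def library_is_current(floor=(1, 1, 1)):
    """'Using updated libraries': the OpenSSL the interpreter links against.
    The floor is an illustrative assumption, not a figure from the slides."""
    return ssl.OPENSSL_VERSION_INFO[:3] >= floor


def demo():
    legacy = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # bare context: no client auth
    return {
        "legacy": policy_violations(legacy, "controller"),
        "controller": policy_violations(controller_context(), "controller"),
        "switch": policy_violations(switch_context(), "switch"),
    }
```

The settings are cheap; the operational cost the slide points at is in the last line, keeping a CA, issuing a certificate per switch and rotating it, which is why certificate and key distribution is handed to the DevSecOps pipeline or to the SDN controller itself.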
80. SACON
SWITCHES
Hardening
Install Environment (Above)
Operating System
- Changeable names
- Forced password changes
- Remove uid 0 from admin
- 2FA for shell?
- Remove unnecessary tools, etc.
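An audit that checks a switch image for the operating-system items on this slide (an admin account carrying uid 0, accounts whose password is never forced to change, tools that have no business on a forwarding element) is a small amount of code once /etc/passwd and /etc/shadow are parsed. This is an added example, not from the talk or any vendor; the passwd and shadow content, the installed-tool inventory and the deny-list are all constructed for illustration.

```python
# Constructed /etc/passwd and /etc/shadow from a hypothetical switch image.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:0:0:vendor admin:/home/admin:/bin/bash
netops:x:1001:1001:network operator:/home/netops:/bin/bash
telemetry:x:1002:1002:service account:/var/empty:/usr/sbin/nologin
"""

SHADOW = """\
root:$6$constructed$rootHash:18900:0:99999:7:::
admin:$6$constructed$adminHash:18900:0:::::
netops:$6$constructed$netopsHash:18900:0:90:7:::
telemetry:*:18900:0:99999:7:::
"""

INSTALLED_TOOLS = {"sshd", "ip", "nc", "telnet", "python3"}  # constructed inventory
UNNECESSARY_TOOLS = {"nc", "telnet", "ftp", "tftp"}           # illustrative deny-list
NEVER_EXPIRES = 99999                                         # shadow field 5 meaning "no max age"


def parse_colon_file(text):
    return [line.split(":") for line in text.splitlines() if line and not line.startswith("#")]


def audit_accounts(passwd_text, shadow_text):
    findings = []
    shadow = {row[0]: row for row in parse_colon_file(shadow_text)}
    for row in parse_colon_file(passwd_text):
        name, uid, shell = row[0], int(row[2]), row[6]
        if uid == 0 and name != "root":
            findings.append(f"{name}: uid 0 granted to a non-root account")
        entry = shadow.get(name)
        if entry is None:
            findings.append(f"{name}: no shadow entry")
            continue
        pw_hash, max_age = entry[1], entry[4]
        if pw_hash == "":
            findings.append(f"{name}: empty password")
        locked = pw_hash.startswith(("*", "!"))
        interactive = not shell.endswith(("nologin", "false"))
        # Forced password changes: an interactive, unlocked account needs a max age.
        if interactive and not locked and (max_age == "" or int(max_age) >= NEVER_EXPIRES):
            findings.append(f"{name}: password never expires")
    return findings


def audit_tools(installed, unnecessary=UNNECESSARY_TOOLS):
    return [f"{tool}: unnecessary tool installed" for tool in sorted(installed & unnecessary)]


def demo():
    return audit_accounts(PASSWD, SHADOW) + audit_tools(INSTALLED_TOOLS)
```

Run against a mounted image rather than the running box, this doubles as a build-time gate: the admin account with uid 0 fails the build instead of shipping, which is the practical meaning of "Install Environment (Above)" on the slide.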
86. SACON
CASE STUDY
Cisco Systems (2018)
Traditional Network
NetFlow
IPS
Firewalling
Software Defined Network
Switches and Controllers are black boxes
Management plane relies on the existing traditional network
87. SACON
CASE STUDY
Software Defined Network
Architecture
- Default behaviors
- Includes partitioning
- Web application firewalls are used
Applications and Operations
- Not Available
- Closed System
88. SACON
SDN IN YOUR ENTERPRISE
Plans for SDN
Concerns Regarding SDN
Addressing Those Concerns
Need
Practical
89. SACON
5G
What will it look like?
How will we use it?
What will the risks be?
90. SACON
WHAT WILL IT LOOK LIKE
Public and private infrastructure
Coupled and Decoupled data/control planes
Managed and Unmanaged nodes
Lots of Different Architecture
Traditional Hub/Spoke
Mesh Networks
Cloud Distributed
Hybrid Deployments
92. SACON
HOW WILL WE USE IT
Autonomous/Connected
Vehicles
Sensor/Actuator Networks
Smart Grid
Robots and Drones
Personal Health
Augmented Reality
93. SACON
THE RISKS
Operational
Different (Incompatible) Implementations
Managing and Keeping Nodes Updated
Complying with Legal and Regulatory Frameworks
108. SACON
WORK WITH PROVIDERS
Additional Physical Layer Security
Radio-Frequency (RF) Fingerprinting
Asymmetric Security Schemes
Dynamic Changing Security
Host Identity Protocol (HIP) for radio interface key exchange
Backhaul encryption (Native)
Adoption of fiber ring network protection
109. SACON
WORK WITH PROVIDERS
More use of the cloud for C-RAN operations
Better compartmentalization within the cloud
Use of the above SDN countermeasures
More comprehensive data classification policies
110. SACON
NEW APPROACHES
SDN
Regulation of Traffic (Flash Network Traffic)
Facilitating NFV
Machine Learning
Within NFV
Both provider and customer use
112. SACON
SOME PREDICTIONS
Lots of Holes
Supply Chain Attacks
Mismatches Everywhere
Privacy Nightmare
Vulnerabilities in individual components will roll in …
Regulations will make it worse
Those building on top of what is offered will do the best!