This document proposes enhancing security in OpenFlow networks. It discusses:
1) OpenFlow currently has security flaws like lack of authentication, encryption, and intrusion detection that can compromise the network.
2) The proposal is to use a network intrusion detection system as a middlebox to monitor traffic at the OpenFlow controller and detect suspicious activity.
3) Additional mechanisms like authentication, encryption, and forensics are needed to fully secure OpenFlow networks against vulnerabilities introduced by the separation of the data and control planes.
A review on software defined network security risks and challengesTELKOMNIKA JOURNAL
Software defined network is an emerging network architecture that separates the traditional
integrated control logic and data forwarding functionality into different planes, namely the control plane and
data forwarding plane. The data plane does an end-to-end data delivery. And the control plane does
the actual network traffic forwarding and routing between different network segments. In software defined
network the networking infrastructure layer is where the entire networking device, such as switches and
routers are connected with the separate controller layer with the help of standard called OpenFlow
protocol. The OpenFlow is a standard protocol that allows different vendor devices like juniper, cisco and
huawei switches to be connected to the controller. The centralization of the software defined network
(SDN) controller makes the network more flexible, manageable and dynamic, such as provisioning of
bandwidth, dynamic scale out and scale in compared to the traditional communication network, however,
the centralized SDN controller is more vulnerable to security risks such as DDOS and flow rule poisoning
attack. In this paper, we will explore the architectures, the principles of software defined network and
security risks associated with the centralized SDN controller and possible ways to mitigate these risks.
HOST AND NETWORK SECURITY by ThesisScientist.comProf Ansari
Network management means different things to different people. In some cases, it involves a solitary network consultant monitoring network activity with an outdated protocol analyzer. In other cases, network management involves a distributed database, auto polling of network devices, and high-end workstations generating real-time graphical views of network topology changes and traffic. In general, network management is a service that employs a variety of tools, applications, and devices to assist human network managers in monitoring and maintaining networks.
SECURING MOBILE AD-HOC NETWORKS AGAINST JAMMING ATTACKS THROUGH UNIFIED SECUR...ijasuc
The varieties of studies in the literature have been addressed by the researchers to solve security
dilemmas of Mobile Ad-Hoc Networks (MANET). Due to the wireless nature of the channel and specific
characteristics of MANETs, the radio interference attacks cannot be defeated through conventional
security mechanisms. An adversary can easily override its medium access control protocol (MAC) and
continually transfer packages on the network channel. The authorized nodes keep sending Request-toSend (RTS) frames to the access point node in order to access to shared medium and start data transfer.
However, due to jamming attacks on the network, the access point node cannot assign authorization
access to shared medium. These attacks cause a significant decrease on overall network throughput,
packet transmission rates and delay on the MAC layer since other nodes back-off from the
communication. The proposed method applied for preventing and mitigating jamming attacks is
implemented at the MAC layer that consist of a combination of different coordination mechanisms. These
are a combination of Point Controller Functions (PCF) that are used to coordinate entire network
activities at the MAC layer and RTS/CTS (Clear-To-Send) mechanisms which is a handshaking process
that minimizes the occurrence of collisions on the wireless network. The entire network performance and
mechanism is simulated through OPNET simulation application.
The purpose of this paper two fold. First and foremost it presents a background narrative on the origins, innovations and applications of novel structural automation technologies and the rarity of experts involved in research, development and practice of this field. The second part of this paper presents a rudimentary framework for a solution addressing this paucity – the creation of an interdisciplinary academic program at PAAET that will be the first ever in the region to address applied information communication technologies ICT in the design, planning, engineering and management of structural automation projects. In doing so, we need also to define the level of implementation. This field, as all fields in ICT, have been loosely defined and most applications carry less weight in its implementation than what should be applied. This paper gives an attempt to define an indexing scheme by which we can easily classify such implementation and generate a ranking by which we can safely define its level of ―Intelligence‖.International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
A review on software defined network security risks and challengesTELKOMNIKA JOURNAL
Software defined network is an emerging network architecture that separates the traditional
integrated control logic and data forwarding functionality into different planes, namely the control plane and
data forwarding plane. The data plane does an end-to-end data delivery. And the control plane does
the actual network traffic forwarding and routing between different network segments. In software defined
network the networking infrastructure layer is where the entire networking device, such as switches and
routers are connected with the separate controller layer with the help of standard called OpenFlow
protocol. The OpenFlow is a standard protocol that allows different vendor devices like juniper, cisco and
huawei switches to be connected to the controller. The centralization of the software defined network
(SDN) controller makes the network more flexible, manageable and dynamic, such as provisioning of
bandwidth, dynamic scale out and scale in compared to the traditional communication network, however,
the centralized SDN controller is more vulnerable to security risks such as DDOS and flow rule poisoning
attack. In this paper, we will explore the architectures, the principles of software defined network and
security risks associated with the centralized SDN controller and possible ways to mitigate these risks.
HOST AND NETWORK SECURITY by ThesisScientist.comProf Ansari
Network management means different things to different people. In some cases, it involves a solitary network consultant monitoring network activity with an outdated protocol analyzer. In other cases, network management involves a distributed database, auto polling of network devices, and high-end workstations generating real-time graphical views of network topology changes and traffic. In general, network management is a service that employs a variety of tools, applications, and devices to assist human network managers in monitoring and maintaining networks.
SECURING MOBILE AD-HOC NETWORKS AGAINST JAMMING ATTACKS THROUGH UNIFIED SECUR...ijasuc
The varieties of studies in the literature have been addressed by the researchers to solve security
dilemmas of Mobile Ad-Hoc Networks (MANET). Due to the wireless nature of the channel and specific
characteristics of MANETs, the radio interference attacks cannot be defeated through conventional
security mechanisms. An adversary can easily override its medium access control protocol (MAC) and
continually transfer packages on the network channel. The authorized nodes keep sending Request-toSend (RTS) frames to the access point node in order to access to shared medium and start data transfer.
However, due to jamming attacks on the network, the access point node cannot assign authorization
access to shared medium. These attacks cause a significant decrease on overall network throughput,
packet transmission rates and delay on the MAC layer since other nodes back-off from the
communication. The proposed method applied for preventing and mitigating jamming attacks is
implemented at the MAC layer that consist of a combination of different coordination mechanisms. These
are a combination of Point Controller Functions (PCF) that are used to coordinate entire network
activities at the MAC layer and RTS/CTS (Clear-To-Send) mechanisms which is a handshaking process
that minimizes the occurrence of collisions on the wireless network. The entire network performance and
mechanism is simulated through OPNET simulation application.
The purpose of this paper two fold. First and foremost it presents a background narrative on the origins, innovations and applications of novel structural automation technologies and the rarity of experts involved in research, development and practice of this field. The second part of this paper presents a rudimentary framework for a solution addressing this paucity – the creation of an interdisciplinary academic program at PAAET that will be the first ever in the region to address applied information communication technologies ICT in the design, planning, engineering and management of structural automation projects. In doing so, we need also to define the level of implementation. This field, as all fields in ICT, have been loosely defined and most applications carry less weight in its implementation than what should be applied. This paper gives an attempt to define an indexing scheme by which we can easily classify such implementation and generate a ranking by which we can safely define its level of ―Intelligence‖.International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
Cloud computing challenges and solutionsIJCNCJournal
Cloud computing is an emerging area of computer technology that benefits form the processing power and
the computing resources of many connected, geographically distanced computers connected via Internet.
Cloud computing eliminates the need of having a complete infrastructure of hardware and software to meet
users requirements and applications. It can be thought of or considered as a complete or a partial
outsourcing of hardware and software resources. To access cloud applications, a good Internet connection
and a standard Internet browser are required. Cloud computing has its own drawback from the security
point of view; this paper aims to address most of these threats and their possible solutions.
DESIGN AND IMPLEMENTATION OF A TRUST-AWARE ROUTING PROTOCOL FOR LARGE WSNSIJNSA Journal
The domain of Wireless Sensor Networks (WSNs) applications is increasing widely over the last few years. As this new type of networking is characterized by severely constrained node resources, limited network resources and the requirement to operate in an ad hoc manner, implementing security functionality to protect against adversary nodes becomes a challenging task. In this paper, we present a trust-aware, location-based routing protocol which protects the WSN against routing attacks, and also supports large-scale WSNs deployments. The proposed solution has been shown to efficiently detect and avoid malicious nodes and has been implemented in state-of-the-art sensor nodes for a real-life test-bed. This work focuses on the assessment of the implementation cost and on the lessons learned through the design, implementation and validation process.
Security is always important in data networks, but it is particularly critical in wireless networks such as
WiMAX. Authentication is the first element in wireless security that, if not well safeguarded, all following
security measures will be vulnerable. Denial of Service is one of the attacks that could target a WiMAX
network to make its operation inefficient. This paper is an investigation into a) the weakness and threats on
WiMAX security algorithms and b) the best method that could prevent DoS attacks prior to the
authentication algorithm.
The paper is presenting the architecture of WiMAX and identifying the main layers and sub layers that
these security algorithms are performing their functions from within. The paper incorporates the new
method with the authentication algorithm to improve the efficiency of the security of WiMAX.
Mobile ad-hoc network is a relatively new innovation in the field of wireless technology. These types of networks operate in the absence of fixed infrastructure, which makes them easy to deploy at any place and at any time. Mobile ad-hoc networks are highly dynamic; topology changes and link breakage happen quite frequently. Therefore, we need a security solution, which is dynamic, too. Security in Mobile Ad hoc Networks (MANETs) is an important issue in need of a solution that not only works well with a small network, but also sustains efficiency and scalability. In ad hoc environment, much of the research has been done focusing on the efficiency of the network. Therefore, there are a number of routing protocols that provide good efficiency. Considering security has radically changed the situation, for all of the existing routing protocols are designed with an assumption that the participating players and the network environment do not harm the security. It highly contradicts with the reality. Most of the secure routing protocols have the various disadvantages. In this paper a trusted solution is provided for routing in ad hoc network. The routing protocol is modified by relating the security components. Finally, the simulation results of insecure AODV are studied using simulator.
: While conventional cryptographic security mechanisms are essential to the overall problem, of securing wireless networks, the wireless medium is a powerful source of domain-specific information, that can complement and enhancetraditional security mechanisms . In this work a security paradigms, which exploit physical layer properties of the wireless medium, can enhance confidentiality and authentication services.In essence using the physical layer information available , we are able to continuously authenticate packets at the same layer. However ,this form of security is only possible through physical layer security mechanisms. An approach where wireless devices, interested in establishing a secret key, sample the link signature space in a physical area to collect and combine uncorrelated measurements channel based secrecy algorithms ,based on ITS key derivation protocol, in order to improve existing wireless security system had been laid down and modified as appropriate algorithms.
Secure and efficient handover authentication and detection of spoofing attackeSAT Publishing House
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology
Software Defined Networking Attacks and Countermeasures .docxrosemariebrayshaw
Software Defined Networking: Attacks and
Countermeasures
Nada Mostafa Abd Elazim
Computer Engineering Department.
Arab Academy for Science and
Technology, College of Engineering
Cairo, Egypt
[email protected]
Mohamed A. Sobh
Ain Shams University
Cairo, Egypt
[email protected]
Ayman M. Bahaa-Eldin
Misr International University
On leave from Ain Shams University
[email protected]
Abstract —Software defined networking (SDN) is an
emerging network architecture; it differs from traditional
networks as it separates control planes from data planes.
This separation helps the network to be more flexible and
easier to handle and allows faster innovation cycles at both
planes. SDN has benefit over traditional networks in terms
of simplicity, programmability and elasticity. Openflow
protocol is a south-bound API interface; it is the most
popular and common protocol that used to communicate the
controller with the switches. This paper will focus on the
architecture of SDN and provide some challenges faces the
SDN; finally, it will discuss some security threats that face
SDN and their countermeasures.
Index Terms—SDN, Openflow, API interface
I. INTRODUCTION
Traditional networks were very complex and difficult
to manage. They combine the control plane with data
plane that make network management difficult.
On the other hand, software defined networking
(SDN) is a new networking approach to build computer
networks that separates and abstracts elements of these
systems to help building flexible and scalable network.
Advantages of Software defined networking (SDN)
over traditional network [1]:
• It has virtual environment as it uses resources
without caring about where it is located and how
it is orderly.
• Monitor large number of devices by one
command.
• Easy to change behaviour, size, and quantity.
• Minimize downtime, enforcement of policy,
discover the faults and solve them, and add new
devices, resources, sites, and workloads.
• Monitoring of resources.
• Improve the utilization of network device.
• The global vision of the network due to the
centralization of the controller.
Openflow [2] is a protocol found in the southbound
API interface that locates between the control and data
forwarding layer. It is the way to virtualize the network.
openflow is designed to be easy programmed, that helps
the network manager to create new protocols for solving
problems.
SDN has many applications in data centre, WAN,
IoTs, cellular networks, and Wi-Fi network.
Security threats are on the rise, SDN faces many
security threats in each of its layer, for example, in Data
forwarding layer there are man at the end attack, DoS
attack, spoofing attack, intrusion attack, scanning attack,
tampering attack, hijacking attack, side channel attack,
and anomaly attack. In control layer there are DoS/DDoS
attack, intrusion attack, anomaly attack, threats based on
distributed multi-controllers, threats from a.
In software-defined networking (SDN), network traffic is managed by software controllers or application programming interfaces (APIs) rather than hardware components. It differs from traditional networks, which use
switches and routers to control traffic. Using SDN, you can create and control virtual networks or traditional hardware networks. Furthermore, OpenFlow allows network administrators to control exact network behavior
through centralized control of packet forwarding. For these reasons, SDN has advantages over certain security issues, unlike traditional networks.
However, most of the existing vulnerabilities and security threats in the traditional network also impact the SDN network. This document presents the attacks targeting the SDN network and the solutions that protect against
these attacks. In addition, we introduce a variety of SDN security controls, such as intrusion detection systems (IDS)/intrusion prevention system (IPS), and firewalls. Towards the end, we outline a conclusion and perspectives.
Cloud computing challenges and solutionsIJCNCJournal
Cloud computing is an emerging area of computer technology that benefits form the processing power and
the computing resources of many connected, geographically distanced computers connected via Internet.
Cloud computing eliminates the need of having a complete infrastructure of hardware and software to meet
users requirements and applications. It can be thought of or considered as a complete or a partial
outsourcing of hardware and software resources. To access cloud applications, a good Internet connection
and a standard Internet browser are required. Cloud computing has its own drawback from the security
point of view; this paper aims to address most of these threats and their possible solutions.
DESIGN AND IMPLEMENTATION OF A TRUST-AWARE ROUTING PROTOCOL FOR LARGE WSNSIJNSA Journal
The domain of Wireless Sensor Networks (WSNs) applications is increasing widely over the last few years. As this new type of networking is characterized by severely constrained node resources, limited network resources and the requirement to operate in an ad hoc manner, implementing security functionality to protect against adversary nodes becomes a challenging task. In this paper, we present a trust-aware, location-based routing protocol which protects the WSN against routing attacks, and also supports large-scale WSNs deployments. The proposed solution has been shown to efficiently detect and avoid malicious nodes and has been implemented in state-of-the-art sensor nodes for a real-life test-bed. This work focuses on the assessment of the implementation cost and on the lessons learned through the design, implementation and validation process.
Security is always important in data networks, but it is particularly critical in wireless networks such as
WiMAX. Authentication is the first element in wireless security that, if not well safeguarded, all following
security measures will be vulnerable. Denial of Service is one of the attacks that could target a WiMAX
network to make its operation inefficient. This paper is an investigation into a) the weakness and threats on
WiMAX security algorithms and b) the best method that could prevent DoS attacks prior to the
authentication algorithm.
The paper is presenting the architecture of WiMAX and identifying the main layers and sub layers that
these security algorithms are performing their functions from within. The paper incorporates the new
method with the authentication algorithm to improve the efficiency of the security of WiMAX.
Mobile ad-hoc network is a relatively new innovation in the field of wireless technology. These types of networks operate in the absence of fixed infrastructure, which makes them easy to deploy at any place and at any time. Mobile ad-hoc networks are highly dynamic; topology changes and link breakage happen quite frequently. Therefore, we need a security solution, which is dynamic, too. Security in Mobile Ad hoc Networks (MANETs) is an important issue in need of a solution that not only works well with a small network, but also sustains efficiency and scalability. In ad hoc environment, much of the research has been done focusing on the efficiency of the network. Therefore, there are a number of routing protocols that provide good efficiency. Considering security has radically changed the situation, for all of the existing routing protocols are designed with an assumption that the participating players and the network environment do not harm the security. It highly contradicts with the reality. Most of the secure routing protocols have the various disadvantages. In this paper a trusted solution is provided for routing in ad hoc network. The routing protocol is modified by relating the security components. Finally, the simulation results of insecure AODV are studied using simulator.
: While conventional cryptographic security mechanisms are essential to the overall problem, of securing wireless networks, the wireless medium is a powerful source of domain-specific information, that can complement and enhancetraditional security mechanisms . In this work a security paradigms, which exploit physical layer properties of the wireless medium, can enhance confidentiality and authentication services.In essence using the physical layer information available , we are able to continuously authenticate packets at the same layer. However ,this form of security is only possible through physical layer security mechanisms. An approach where wireless devices, interested in establishing a secret key, sample the link signature space in a physical area to collect and combine uncorrelated measurements channel based secrecy algorithms ,based on ITS key derivation protocol, in order to improve existing wireless security system had been laid down and modified as appropriate algorithms.
Secure and efficient handover authentication and detection of spoofing attackeSAT Publishing House
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology
Software Defined Networking Attacks and Countermeasures .docxrosemariebrayshaw
Software Defined Networking: Attacks and
Countermeasures
Nada Mostafa Abd Elazim
Computer Engineering Department.
Arab Academy for Science and
Technology, College of Engineering
Cairo, Egypt
[email protected]
Mohamed A. Sobh
Ain Shams University
Cairo, Egypt
[email protected]
Ayman M. Bahaa-Eldin
Misr International University
On leave from Ain Shams University
[email protected]
Abstract —Software defined networking (SDN) is an
emerging network architecture; it differs from traditional
networks as it separates control planes from data planes.
This separation helps the network to be more flexible and
easier to handle and allows faster innovation cycles at both
planes. SDN has benefit over traditional networks in terms
of simplicity, programmability and elasticity. Openflow
protocol is a south-bound API interface; it is the most
popular and common protocol that used to communicate the
controller with the switches. This paper will focus on the
architecture of SDN and provide some challenges faces the
SDN; finally, it will discuss some security threats that face
SDN and their countermeasures.
Index Terms—SDN, Openflow, API interface
I. INTRODUCTION
Traditional networks were very complex and difficult
to manage. They combine the control plane with data
plane that make network management difficult.
On the other hand, software defined networking
(SDN) is a new networking approach to build computer
networks that separates and abstracts elements of these
systems to help building flexible and scalable network.
Advantages of Software defined networking (SDN)
over traditional network [1]:
• It has virtual environment as it uses resources
without caring about where it is located and how
it is orderly.
• Monitor large number of devices by one
command.
• Easy to change behaviour, size, and quantity.
• Minimize downtime, enforcement of policy,
discover the faults and solve them, and add new
devices, resources, sites, and workloads.
• Monitoring of resources.
• Improve the utilization of network device.
• The global vision of the network due to the
centralization of the controller.
Openflow [2] is a protocol found in the southbound
API interface that locates between the control and data
forwarding layer. It is the way to virtualize the network.
openflow is designed to be easy programmed, that helps
the network manager to create new protocols for solving
problems.
SDN has many applications in data centre, WAN,
IoTs, cellular networks, and Wi-Fi network.
Security threats are on the rise, SDN faces many
security threats in each of its layer, for example, in Data
forwarding layer there are man at the end attack, DoS
attack, spoofing attack, intrusion attack, scanning attack,
tampering attack, hijacking attack, side channel attack,
and anomaly attack. In control layer there are DoS/DDoS
attack, intrusion attack, anomaly attack, threats based on
distributed multi-controllers, threats from a.
In software-defined networking (SDN), network traffic is managed by software controllers or application programming interfaces (APIs) rather than hardware components. It differs from traditional networks, which use
switches and routers to control traffic. Using SDN, you can create and control virtual networks or traditional hardware networks. Furthermore, OpenFlow allows network administrators to control exact network behavior
through centralized control of packet forwarding. For these reasons, SDN has advantages over certain security issues, unlike traditional networks.
However, most of the existing vulnerabilities and security threats in the traditional network also impact the SDN network. This document presents the attacks targeting the SDN network and the solutions that protect against
these attacks. In addition, we introduce a variety of SDN security controls, such as intrusion detection systems (IDS)/intrusion prevention system (IPS), and firewalls. Towards the end, we outline a conclusion and perspectives.
Controller Placement Problem resiliency evaluation in SDN-based architecturesIJCNCJournal
The Software-Defined Networking (SDN) paradigm does represent an effective approach aimed at enhancing the performance of core networks by introducing a clean separation between the routing plane and the forwarding plane. However, the centralized architecture of SDN networks raises resiliency concerns that are addressed by a class of algorithms falling under the Controller Placement Problem (CPP) umbrella term. Such algorithms seek the optimal placement of the SDN controller. In this paper, we evaluate the main CPP algorithms and provide an experimental analysis of their performance, as well as of their capability to dynamically adapt to network malfunctions and disconnections.
Controller Placement Problem Resiliency Evaluation in SDN-based ArchitecturesIJCNCJournal
The Software-Defined Networking (SDN) paradigm does represent an effective approach aimed at enhancing the performance of core networks by introducing a clean separation between the routing plane and the forwarding plane. However, the centralized architecture of SDN networks raises resiliency concerns that are addressed by a class of algorithms falling under the Controller Placement Problem (CPP) umbrella term. Such algorithms seek the optimal placement of the SDN controller. In this paper, we evaluate the main CPP algorithms and provide an experimental analysis of their performance, as well as of their capability to dynamically adapt to network malfunctions and disconnections.
OPTIMIZING CONGESTION CONTROL BY USING DEVICES AUTHENTICATION IN SOFTWARE-DEF...IJNSA Journal
The Internet and local networks (LAN) are essential in all organizations and aspects of our lives. These networks' performance should be at high speeds to perform efficiently. This thesis suggests several motions to improve performance. The first is a software-defined network (SDN) distinguished from traditional networks by its ability to program traffic, agility, and support for applications that need big data and virtualization. The second is to control congestion by rerouting traffic to the shortest path. Finally, to modify the above, device authentication reduces congestion and improves network performance.
Security in Software Defined Networks (SDN): Challenges and Research Opportun...Editor IJCATR
In networks, the rapidly changing traffic patterns of search engines, Internet of Things (IoT) devices, Big Data and data centers has thrown up new challenges for legacy; existing networks; and prompted the need for a more intelligent and innovative way to dynamically manage traffic and allocate limited network resources. Software Defined Network (SDN) which decouples the control plane from the data plane through network vitalizations aims to address these challenges. This paper has explored the SDN architecture and its implementation with the OpenFlow protocol. It has also assessed some of its benefits over traditional network architectures, security concerns and how it can be addressed in future research and related works in emerging economies such as Nigeria.
Security and risk analysis in the cloud with software defined networking arch...IJECEIAES
Cloud computing has emerged as the actual trend in business information technology service models, since it provides processing that is both costeffective and scalable. Enterprise networks are adopting software-defined networking (SDN) for network management flexibility and lower operating costs. Information technology (IT) services for enterprises tend to use both technologies. Yet, the effects of cloud computing and software defined networking on business network security are unclear. This study addresses this crucial issue. In a business network that uses both technologies, we start by looking at security, namely distributed denial-of-service (DDoS) attack defensive methods. SDN technology may help organizations protect against DDoS assaults provided the defensive architecture is structured appropriately. To mitigate DDoS attacks, we offer a highly configurable network monitoring and flexible control framework. We present a dataset shift-resistant graphic model-based attack detection system for the new architecture. The simulation findings demonstrate that our architecture can efficiently meet the security concerns of the new network paradigm and that our attack detection system can report numerous threats using real-world network data.
Firewall and vpn investigation on cloud computing performanceIJCSES Journal
The paper presents the way to provide the security to one of the recent development in computing, cloud
computing. The main interest is to investigate the impact of using Virtual Private Network VPN together
with firewall on cloud computing performance. Therefore, computer modeling and simulation of cloud
computing with OPNET modular simulator has been conducted for the cases of cloud computing with and
without VPN and firewall. To achieve clear idea on these impacts, the simulation considers different
scenarios and different form application traffic applied. Simulation results showing throughput, delay,
servers traffic sent and received have been collected and presented. The results clearly show that there is
impact in throughput and delay through the use of VPN and firewall. The impact on throughput is higher
than that on the delay. Furthermore, the impact show that the email traffic is more affected than web
traffic.
Security of software defined networking (sdn) and cognitive radio network (crn)Ameer Sameer
Security of Software Defined Networking (SDN)
Overview
Definition Software Defined Networking (SDN)
SDN security & Security Challenges
SDN Attack Surface & Attacks Examples
SDN Threat Model
Open Research issues SDN
Future Research Directions
Simulator for Software Defined Networking
Security of Cognitive Radio Network (CRN)
Overview
Definition Cognitive Network
Security of Cognitive Radios & Threats
Security issues in cognitive radio
Attacks and the proposed defense mechanisms
Open Research issues in Cognitive Radio
Evaluation Methodologies for Cognitive Networking
Future Research Directions
Simulator for Cognitive Radio
Q-learning based distributed denial of service detectionIJECEIAES
Distributed denial of service (DDoS) attacks the target service providers by sending a huge amount of traffic to prevent legitimate users from getting the service. These attacks become more challenging in the software-defined network paradigm, due to the separation of the control plane from the data plane. Centralized software defined networks are more vulnerable to DDoS attacks that may cause the failure of all networks. In this work, a new approach is proposed based on q-learning to enhance the detection of DDoS attacks and reduce false positives and false negatives. The results of this work are compared with entropy detection in terms of the number of received packets to detect the attack and also the continuity of service for legitimate users. Moreover, these results indicate that the proposed system detects the DDoS attack from flash crowds and redirects the traffic to the edge of the data center. A second controller is used to redirect traffic to a honeypot server that works as a mirror server. This guarantees the continuity of service for both normal and suspected traffic until further analysis is done. The results indicate an increase of up to 50% in the throughput compared to other approaches.
A SCALABLE MONITORING SYSTEM FOR SOFTWARE DEFINED NETWORKSijdpsjournal
Monitoring functionality is an essential element of any network system. Traditional monitoring solutions
are mostly used for manual and infrequent network management tasks. Software-defined networks (SDN)
have emerged with enabled automatic and frequent network reconfigurations. In this paper, a scalable
monitoring system for SDN is introduced. The proposed system monitors small, medium, and large-scale
SDN. Multiple instances of the proposed monitoring system can run in parallel for monitoring many SDN
slices. The introduced monitoring system receives requests from network management applications,
collects considerable amounts of measurement data, processes them, and returns the resulting knowledge
to the network management applications. The proposed monitoring system slices the network (switches and
links) into multiple slices. The introduced monitoring system concurrently monitors applications for
various tenants, with each tenant's application running on a dedicated network slice. Each slice is
monitored by a separate copy of the proposed monitoring system. These copies operate in parallel and are
synchronized. The scalability of the monitoring system is achieved by enhancing the performance of SDN.
In this context, scalability is addressed by increasing the number of tenant applications and expanding the
size of the physical network without compromising SDN performance.
There is no doubt that network coding is a promising enhancement of routing to improve network throughput and provide high reliability. However, there are several open problems in practical network coding, especially on how to guarantee coding advantage for a decentralized control network without the knowledge of the network topology. The biggest benefit of OpenFlow is to decouple the control plane from the data plane, allowing the centralized forwarding decisions in comparison to traditional distributed control network. As a result, we propose a Software-Defined coding network and address key technical challenges in practice. We design NC-OF, a framework to enable networking coding in SDN networks, and use MMF-NC coding strategy proposed by Guan Xu in NC-OF. Finally, we proved that our solutions can effectively improve network performance through simulation experiments. And we also find that network coding is not necessary when the link bandwidth is enough , because it will bring the problems of time delay, the increase in the amount of calculation and so on.
A Survey of Past, Present and Future of Software Defined Networking.pdf
Enhancing Security in OpenFlow
1. 1
Enhancing Security in OpenFlow
Capstone Research Project Proposal
April 22, 2016
Niketa Chellani
Prateek Tejpal
Prashant Hari
Vishal Neeralike
Interdisciplinary Telecommunications Program
University of Colorado Boulder
Abstract—The exponential growth in application-layer
programs in recent years has placed a severe constraint on the
underlying computer networks. To achieve the scalability necessary
to meet this growing demand, transition to a software-oriented
paradigm is essential. Software-defined networks (SDN) improve
network management and provide a higher quality of service while
achieving the desired scalability. However, the decoupling of data
and control planes introduces vulnerabilities in the network. The
shift to programmable networks can only be successful when the
inherent security concerns in software-defined networks are
addressed.
OpenFlow, the most widely used architecture for software-
defined networks, has several security flaws that can be exploited to
compromise the network. In this paper, we analyze the security
flaws in OpenFlow and the threats they pose to the SDN
architecture. We discuss the lack of authentication, encryption, and
intrusion detection and present a unified solution to address these
vulnerabilities.
Keywords—software-defined networking; OpenFlow; security;
middlebox; authentication; encryption; intrusion detection systems
I. INTRODUCTION
The unprecedented growth in computer networking
technology has created the need for a scalable networking
architecture. The concerns with traditional computer networks
are manifold; traditional networking protocols are static,
whereas the applications that run on top of these networks are
distributed in nature [1]. This in turn makes the networking
architecture complex and harder to scale [2]. The increasing
complexity makes it difficult for network administrators to
implement routing and administrative policies [3]. As a result,
network management becomes tougher and the quality of
service for the network suffers. To overcome these issues, it is
imperative to shift to software-defined networks.
Faculty Advisor: Joe McManus
University of Colorado Boulder
Industry Advisor: Jim Alexander
Senior Director, Charter Communications
The transition to software defined networks entails the
need for separate data and control planes. The diagram in
Fig.1 illustrates the de-coupling of control and data planes in a
Software Defined Network.
Fig.1. Architecture of a Software Defined Network
The logic of the network is implemented in the centralized
control plane, and the network switches are reduced to
forwarding elements [2] [3]. This provides an abstracted view
of the network to the higher-layer applications [3]. OpenFlow
not only provides the architecture for such a distributed
network, it also defines the communication between the
control and data planes. Thus, OpenFlow has become the
industry standard for implementing software-defined
networks.
2. 2
However, this decoupling also leaves the network open to
several vulnerabilities [4] [5] [6]. These vulnerabilities pose a
threat to the widespread implementation and adoption of
software-defined networks. Thus, it is crucial to address these
security flaws in OpenFlow to ensure the progression to
software-defined networks.
In this research proposal, we discuss the security concerns
with OpenFlow architecture and provide possible solutions to
mitigate them. Section II provides the backdrop for the
research problem through the research setting. Section III
analyzes the vulnerabilities in OpenFlow architecture. Section
IV provides a concise overview of the existing literature for
securing OpenFlow. Section V posits tentative solutions for
the vulnerabilities described in the previous sections. Section
VI gives a comprehensive plan for implementing the proposed
security solutions.
II. RESEARCH QUESTION AND PROBLEM SETTING
“Can a Network Intrusion Detection System be used as
a middlebox in the OpenFlow architecture to enhance the
security of OpenFlow networks?”
The decoupling of data and control planes in software-
defined networks has its limitations. These include threats
such as Denial of Service (DoS) attacks, information
disclosure and man-in-the-middle attacks [4] [5]. These threats
can compromise the confidentiality, integrity and availability
of the data in the computer networks. To prevent this, a
network intrusion detection system can be implemented as a
middlebox at the OpenFlow controller [6]. The Intrusion
Detection system can analyze the data at the controller to
detect any suspicious traffic flowing through the network.
However, malicious applications and compromised nodes can
find a workaround for this, and hence a more comprehensive
solution is essential. Thus, additional mechanisms are
necessary to ensure the networks are inherently secure. These
mechanisms include the use of authentication, encryption, and
forensics. Integrating these techniques with the OpenFlow
architecture will significantly enhance the security of
OpenFlow networks.
III. RESEARCH SUBPROBLEMS
A. Mitigating the Threat of a Single Point of Failure
The centralized controller presents a unique problem in
software-defined networks by introducing a single point of
failure [3] [6]. In existing computer networks, network
intelligence is distributed throughout the network in the form
of routing and forwarding tables at the routers. This
intelligence converges to a single point in OpenFlow
networks. Compromising a controller can compromise the
entire network. Thus, multiple instances of the controller are
necessary to counter the threat from a single-point of failure.
B. Ensuring Secure Communication
OpenFlow currently does not enforce encryption between
the data and control planes [4]. This leaves the network open
to man-in-the-middle attacks [4]. A single compromised node
can be used to eavesdrop communication between the
controller and switches. This can be further exploited to alter
flow tables, thus compromising the integrity and
confidentiality of the network. To prevent this, communication
between the data and control planes must be encrypted using
strong cryptographic standards.
C. Preventing Information Disclosure
OpenFlow relies on flow tables within an OpenFlow
switch to process packets [1]. The controller processes flows
and not individual packets from the OpenFlow switches [1].
This flow aggregation provides a global view of the network
to the applications in the application layer [5]. Malicious and
compromised applications can use this aggregated flow data to
discern aspects of the network that would otherwise not be
visible to them. It is, therefore, advantageous to match flows
to multiple flow rules. Further, authentication at the controller
as well as the application layer is needed.
D. Preventing Denial of Service attacks
The centralized architecture of OpenFlow leaves it
vulnerable to Denial of Service attacks. Compromised
switches can be used to alter flow tables and flood the
controller with traffic. This can bring down the entire network.
To protect the network from such attacks, it is essential to
limit packet flow-rates.
E. Using Forensics for Recovery and Investigation
OpenFlow currently does not implement any forensics
tools for data recovery and back-up. To minimize the damage
from an attack, it is crucial to incorporate security forensics
mechanisms in the OpenFlow protocol
F. Cost modelling for the proposed solution
The proposed middlebox should have a low-cost of
ownership to attract potential customers and competition from
competitors. However, the return on investment must be high
enough to incentivize the developers to implement the
solution.
IV. LITERATURE REVIEW
The concept of programmable networks originated in the
3. 3
mid-90s, when the number of networks and their
dependency on each other grew to support a wide range of
applications. However, there has been limited work done to
find ways to secure SDN networks. Previous work on the
benefits of SDNs over traditional networks, vulnerabilities
in SDN and approaches to secure them are discussed in the
following sub-sections.
A. Software defined networking terms
A software defined network can be logically divided into
three layers: the first layer, which is the component layer,
consists of network devices like switches and routers. The
second layer is the controller layer and the third is the
application layer. Communication within the SDN
architecture takes place between the switches and the
controllers over the southbound interface, and between the
controller and the applications over the northbound interface
[7].
B. Advantages of software defined networks over
traditional networks
Network management is complex and error-prone due to
the tight coupling between the data plane and control plane
of a network [8]. This makes introducing functionalities like
load-balancing, intrusion detection, and deploying new
protocols a tedious and long process. Software defined
networking simplifies network management by decoupling
the data plane and control plane [1].
The program logic in such software defined networks is
responsible to carry out the control plane functionalities,
while the hardware components such as switches and routers
forward frames and packets. The centralized logic makes
introduction of new features and protocols into the network
hassle-free. Another advantage of this approach is that new
features can be tested without affecting the network before
introducing them, therefore, minimizing the occurrences of
network failures.
Centralization of the control plane decisions helps in better
network management by being able to control the
granularity, while ensuring a centralized policy enforcement
in Software Defined Networks [8]. One approach to achieve
this by adopting OpenFlow protocol for communication
between the control plane and data plane. OpenFlow is a
standardized way of managing traffic in switches by and
exchanging information between the switches and controller.
Due to their ability to provide consistency, scalability and
hassle free management of large, heterogeneous networks,
SDNs are becoming increasingly popular in the industry.
C. Security analysis of software-defined networks
Security issues are involved with both northbound
and southbound communication in SDNs. At the northbound
communication level, weak authentication methods between
the application and the controller and inappropriate
authorization, makes spoofing attacks and malicious access to
applications easy for the offender [10]. At the southbound
level, unencrypted exchange of information between the
switches and the controller, weak authentication method and
inappropriate authorization, makes this level susceptible to
man in the middle attack, eavesdropping, spoofing and
malicious access to flow rules [10].
D. Security vulnerabilities in OpenFlow
In SDN, a centralized program logic (at the controller) is
used to carry out the functions of the control plane. Though,
this has many benefits, the centralized nature of the control
plane, creates a lot of security concerns. Traditional networks
are inherently secure because of their heterogeneous hardware
and network policies that were difficult to exploit. The paper
[9] discusses seven threat vectors to software defined
networks that are discussed below.
1. An attacker can inject a large volume of traffic in the
network to launch a Denial of Service (DoS) attack on
OpenFlow switches. Intrusion Detection Systems (IDS)
and dynamic control of traffic flow can be used to
mitigate this threat.
2. Switches in the SDN architecture can be attacked by
manipulating their behavior to disrupt network operations.
In the paper, autonomic trust solutions, detection and
monitoring of network behavior are given as the possible
ways to mitigate this threat.
3. Lack of encryption for communication over the south
bound interface and authentication of the switches at the
controller makes the entire SDN network vulnerable.
Such lack of security can be used to gain unauthorized
access to data. Multiple authorization certificates,
enhanced cryptography techniques, with addition to
dynamic flow control can be used to mitigate this threat.
4. The fact that controllers are used to simply translate the
network commands can be exploited to introduce an
aggregated attack on the network. Strict application to
port mappings, periodic flushing of forwarding rules,
cryptographic keys at the controller, and detection of
abnormal behavior are some ways to mitigate this threat.
5. A lack of mechanisms to ensure trust on the northbound
interface, used for communication between the controller
4. 4
and applications, can introduce additional threats. This
can be avoided by allowing network access to trusted
applications or defining security policies for these
applications.
6. This threat is due to the vulnerabilities in the
administrative station, which can be reprogrammed to
attack a system. Stricter authentication techniques and
recovery mechanisms are possible techniques that can
mitigate such a threat.
7. The last type of threat is the lack of an incident response
in case of an attack. Methods to determine the nature and
type of an attack, and restore the network to an operable
state immediately after an attack are not implemented in
SDNs currently. Using network security forensic tools,
maintaining immutable logs of activities and creating
periodic backups are ways to quickly recover from an
attack.
E. Enhancing security in Software Defined Networks
Security in SDNs is an unexplored field, posing many
challenges and opportunities. The following approaches
have been proposed in the past to secure software defined
networks:
• Setting permission system for communication
between applications and the control plane: In a
permission system, various parameters can be
defined to specify the access level of any
application reaching the system [11]. This
approach allows access to trusted applications
only, greatly enhancing the security at the control
and application layers.
• Intrusion Detection and Prevention System
(IDPS): Intrusion detection is the process of
monitoring and analyzing events in the network
to protect it from any security violation. Intrusion
prevention is the process of enforcing policies in
order to prevent any security compromise.
Intrusion detection and prevention together serve
as a strong line of defense against network
attacks. The basic functionalities of an IDPS
include record network events, report suspicious
events to the administrator and generate reports.
IDPSs generate logs of the information collected
by them, which are then used to frame policies to
secure the network [12].
• Ensuring flow rule data confidentiality in
OpenFlow: Limited industry and research
community work has been done to address the
security issues related to SDN. The centralized
controllers are an attractive target for attacks in
the SDN architecture, since they are open to
unauthorized access and exploitation. The
OpenFlow protocol used for communication in
the southbound interface is unencrypted and is
susceptible to man in the middle attacks. A
security measure like encrypting the data being
transmitted on the south bound interface, by the
implementation of TLS (Transport Layer
Security) combined with authentication of the
controller at the switch, may provide the
necessary security and mitigate the threat to data
confidentiality [13].
• Blocking malicious traffic by implementation of
FRESCO and FORTNOX: Seugwon Shin
in [15] suggests that "the FRESCO design
provides security response directives that may
span many flow rules, or even address network-
wide attack scenarios". FRESCO consists of an
API (Application Programming Interface) and a
security enforcement kernel, incorporated into
NOX, which can be used to block flow from an
infectious machine or shun malicious traffic and
even prioritize flow rules to enhance the security
and performance of the network.
IV. RESEARCH METHODOLOGY
The architecture of our proposed solution enhances
the security of OpenFlow widely by the following two
mechanisms: (i) encrypting data on the southbound
interface and authenticating the switches to the controller
and vice versa by enforcing TLS on the southbound
interface; (ii) implementing middle-boxes concurrently
with the switches to provide monitoring, load-balancing,
and intrusion detection of upstream traffic in the
OpenFlow network. The diagram below (Fig.2) provides
an overview of the mechanisms adopted to secure
OpenFlow network proposed in this paper.
5. 5
Fig.2. Proposed model to enhance security in SDN
A. Transport Layer Security to provide encryption and
authentication:
Transport Layer Security is a public key
infrastructure that implements the X.509 standard for
asymmetric encryption [23]. TLS enforces authentication
and encryption using two protocols: the TLS Handshake
Protocol and the TLS Record Protocol [24]. The
Handshake Protocol uses an asymmetric algorithm such
as the Rivest-Shamir-Adleman (RSA) for authentication
and secure key exchange. The Record Protocol then uses
this key as the input to a symmetric encryption algorithm
such as Advanced Encryption Standard (AES) to encrypt
data between the two endpoints, thus scrambling the data
and rendering it unreadable to an intruder.
TLS uses digital certificates to verify the identity of a
user/host. Digital certificates embed the public key of an
entity, along with other details such as the subject name,
the issuer name, validity period and the algorithm used for
signing [25] [26]. This certificate also contains the
algorithms that the entity supports for encryption. Digital
certificates are generally issued by Certificate Authorities
(CA). The Certificate Authority is a verified third party
that maintains digital certificates. When a user requests
the certificate of an entity from a CA, the CA signs the
certificate using its private key before sending it to the
user; the user then decrypts the signed certificate using the
public key of the CA. Thus, the user can verify that the
certificate is valid and has not been tampered.
Fig.3 shows a scenario where a controller uses TLS
to encrypt and authenticate the communication to an
OpenVSwitch.
Fig.3. Transport Layer Security over South-Bound Interface in
SDN
The switch first sends a Hello Packet to the
controller. This Hello indicates the version of TLS and the
encryption algorithm that the switch supports [27]. The
controller then responds with a Hello Packet of its own
[27], after which it proceeds to send its certificate to the
switch. Thus, the switch can authenticate the controller.
The switch then generates a private key and uses the
public key of the controller to encrypt the private key and
send it to the controller. Following this, the controller
switches over to TLS thus authenticates the controller;
however, this leaves the network open to attacks from
compromised switches. To prevent a rogue switch from
injecting malicious traffic, it is necessary to authenticate
the switches in addition to the controller. This is done by
authenticating the switches using their public key [27].
Once the controller sends its certificate to a switch, it will
then ask for the switch to verify its identity by sending a
public key. This prevents an adversary from adding
malicious switches to the network, thus greatly increasing
the security of the network.
B. Intrusion Detection System
Our design principle decouples traffic monitoring from
the flow control by introducing Middle-boxes in the
network. This is achieved in the following steps:
(i) Traffic from the switch access-ports is mirrored onto a
Switched Port Analyzer (SPAN)/ Mirror Port, which is
then forwarded to a Middle Box.
(ii) An Intrusion Detection System (IDS) is implemented
at the Middle Box to monitor malicious traffic by
generating alerts based on set of rules.
(iii) Any anomaly detected by the IDS is forwarded to the
‘Scrubber Network’, which then alters flow rules.
The working of the above listed mechanisms are
described below:
6. 6
• Port Mirroring for real-time monitoring of
ingress and egress flows:
Port mirroring or Switched Port Analyzer
(SPAN) port copies packet entering or exiting a
switch port to another local port for traffic monitoring
[1]. As shown in Fig.1, the ingress and egress traffic
at the OpenVSwitch (OVS) port connected to the host
is mirrored or copied to the ‘Mirror/SPAN’ port,
which then forwards these to the Middle Box for
traffic analysis.
Our design principle includes port-mirroring to
copy traffic entering and exiting the switch, primarily
because it can do so ‘real-time’. The diagram below
(Fig.3) illustrates the port-mirroring implemented on
the OpenVSwitch, installed on Ubuntu Server 14.0.4.
Fig.4. Port Mirroring on OpenVSwitch
The traffic entering the OVS on ports eth0 and
eth1 are mirrored on port m0, which are then
forwarded to the Middle-box.
• Intrusion Detection System implemented on
Middle Box using Snort and SiLk
Our security implementation in SDNs focuses
more on the high-level security policies and
automated reaction. Unlike other security
frameworks, our implementation exposes security
modules to external users or administrators who can
further define various security polices using the
modules developed. The main characteristic of our
implementation is that it uses parallel processing
units (middleboxes) that communicate with the
OpenVSwitch. Our approach allows operators to
customize the security of the network using pre-
defined policies and to customize how the switch
reacts automatically when malicious traffic is
detected.
Another important feature included in our
implementation is the automatic response to
threat alerts. Generally, a network administrator
will react to a warning by either ignoring it or
denying the source of the suspicious traffic. In
our implementation, pre-defined rules can be
used by the administrator to react in advance
using three solutions like warn, isolate or block.
For better scalability, the middleboxes in
conjunction with SiLK and YaF are used for
analyzing the traffic and detecting malicious
traffic. Additionally, the alerts generated will be
published on an interactive website to notify the
operator and take necessary actions.
Middleboxes are appliances that offers
functionality beyond simple routing and
forwarding to a network. Middleboxes are used
for additional features like deep packet
inspection or intrusion detection system in the
network.
A controller may be used to implement the
flow rules and firewalling, however, analyzing
traffic at the controller increases the risk of
having a bottleneck and also grows in
complexity. Additionally, because the link
between the controller and switch is the control
plane, it is usually of low bandwidth. Therefore,
by using middle boxes we not only reduce the
overhead on the controller but also obtain faster
bit rate on the data plane which is optimized to
handle big flows.
• Re-directing malicious traffic to Scrubber
Network
When a network administrator detects a
Denial of Service attack, the administrator
should take steps to ensure this attack does not
take the network down. This is accomplished
using a scrubber network. A scrubber network is
an alternate network that has a large bandwidth
dedicated to monitoring malicious network. The
hosts that are deemed to send malicious traffic
are cut-off from the OpenVSwitch and are
instead directed to the scrubber network. Here,
the data can be analyzed in detail; if it is indeed
malicious, this data is discarded and the hosts are
removed from the network. Fig.5 illustrates the
inclusion of Scrubber Network in the proposed
architecture.
7. 7
Fig. 5: Scrubber Network in SDN
C. Interdisciplinary Considerations
This product is a virtual appliance which will serve as
an add-on to the existing SDN infrastructure. We are
providing two different services. First is
authentication and encryption and second is an
intrusion prevention detection system. These services
will be installed as packages on the existing SDN
infrastructure. The prices at which the package will
be sold have not yet been decided upon. Secondly,
any upgrades made to a version of the package will
be installed without any recurring costs. Support for
these services will also be provided if an Annual
Maintenance Contract (AMC) is agreed upon. The
product we are developing will be a stand-alone. The
organization planning to deploy our security
packages will not have to incur the additional costs of
having to procure any hardware from us. It is our
attempt to decouple the software and the proprietary
hardware costs that are associated with the
deployment of a network. One of our value
propositions is that we are offering services that are
not platform specific and it gives organizations the
freedom to deploy their infrastructure without having
to be vendor specific. This provides organizations
with an opportunity to lower their costs since they
can deploy servers running OpenFlow and integrate
our security package with it not having to invest in
expensive hardware. Moreover, we are going to be
developing it on a Linux box and exporting our
service as an Oracle Virtual Appliance (OVA).
V. IMPLEMENTATION AND RESULTS
To realize an OpenFlow network, we used three
virtual machines that were deployed using Virtual
Box as the testbed. The first machine was used as the
SDN switch where an Open vSwitch version 2.5.0
image was installed. Two other virtual hosts (Host 1
and Host 2) were connected to the Open vSwitch and
they ran Ubuntu 14.0.4 OS. The second machine was
used as the SDN controller with an OpenDayLight
image installed. The controller and switch machines
are running Ubuntu 14.0.4 LTS OS. We also used a
simple Ethernet Hub between the two machines that
may be used by the attacker to exploit the
vulnerabilities. Finally, we used the third machine as
a middlebox to implement the security policies like
Intrusion detection system and flow analysis. Here,
OpenVSwitch was controlled by the Open Day Light
controller using OpenFlow version 2.5.0.
A. Encryption
In the OpenFlow architecture, we use a self-signed
root CA as the centralized CA. We implement this
using OpenSSL to realize a X.509 public key
infrastructure.
First, we initialized PKI on the OpenVSwitch.
Using this, we created two sets of key, one for the
controller, and the other for the switch. OpenFlow
allows us to implement this using these commands:
ovs-pki req+sign sc switch, ovs-pki
req+sign ctl controller [57]. This generates a
public-private key pair for the controller and the
switch [57]. Next, we created a key store that acts as
a repository for the controllers key pair. We then
created a trust store that stores the switch’s public
key [57]. Once this was completed, we modified the
TLS plug-in in OpenFlow to enforce encryption
between the controller and the OpenVSwitch.
Fig.6. Implementation of security features in SDN
8. 8
A testing client is connected to another host
machine through an OpenVSwitch. The objective of
the experiment is to protect the switch and host from
denial of service attacks. This testbed comprises of
transmitting malicious traffic and non-malicious
traffic to the server simultaneously. Normal (non-
malicious) traffic is created by replaying common
TCP/UDP requests such as video streaming, file
downloads and chat applications. Malicious traffic is
generated using a python script “flood.py”, developed
specifically for this network and nmap, a port
scanning tool. We then run the following attacks:
SYN flood, ICMP flood, Xmas tree scan, ping of
death, and TCP scan. These scans send 2,000 packets
each and scan multiple ports to explore which
protocols are exposed to the network.
To maintain this type of security architecture, TLS
strongly depends on confidentiality of private keys
and local Certificate Authority trust which is highly
critical to maintain the integrity of the information.
Since OpenFlow allows implementation of latest TLS
version, it is considered to be safe against well-
known attacks such as FREAK [28] and BEAST
[29]. Theoretically transport layer security can be
breached using attacks like SSL-Striping and SSL-
Spitting [30], however, due to novelty of SDNs with
TLS-secured OpenFlow architecture, no such attacks
have been reported or researched.
B. Intrusion Detection
A testing client is connected to another host
machine through an OpenVSwitch. The objective of
the experiment is to protect the switch from denial of
service attacks. This testbed comprises of
transmitting malicious traffic and non-malicious
traffic to the server simultaneously. Non-malicious
traffic is created by replaying common TCP/UDP
requests such as video streaming, file downloads and
chat applications. Malicious traffic is generated using
a python script “flood.py”, developed specifically for
this network and nmap, a port scanning tool. We then
run the following attacks: SYN flood, ICMP flood,
ping of death, and TCP scan. These scans send
multiple packets each and scan multiple ports to
explore which protocols are exposed to the network.
We detected Denial of Service attacks by writing
snort rules that alert an administrator when it detects
malicious traffic patterns. Snort also provides default
rule sets that can be used in conjunction with user-
defined rules. Once snort was up and running, we
flooded the network using different DoS attacks.
Snort generated alerts when it detected traffic that
matched the rules that we defined. They are as
mentioned below:
04/10-03:46:39.048071 [**] [1:1000001:2]
DDos attack detected [**] [Classification:
Attempted Denial of Service] [Priority: 2]
{ICMP} 100.67.1.1 -> 100.67.1.30
04/10-03:46:40.049305 [**] [1:1000001:2]
DDos attack detected [**] [Classification:
Attempted Denial of Service] [Priority: 2]
{ICMP} 100.67.1.1 -> 100.67.1.30
04/10-03:46:41.050658 [**] [1:1000001:2]
DDos attack detected [**] [Classification:
Attempted Denial of Service] [Priority: 2]
{ICMP} 100.67.1.1 -> 100.67.1.30
The above output shows the alerts generated using
SNORT. Very high detection rate was achieved using
this security mechanism that only affects TCP/UDP
traffic. Similarly when this is implemented in a larger
network where web traffic is majority of the traffic,
these security policies are useful to scan only normal
and malicious HTTP traffic.
VI. CONCLUSION
This paper is an attempt to enhance security and
build resilient OpenFlow architecture. We studied the
different vulnerabilities associated with the control
channel of SDNs and novel solutions to mitigate the
risks by implementing security policies such as
encryption, authentication and Intrusion Detection.
This security implementation provides benefits like
network administrator control, enhanced
authentication mechanism, reduced overhead on
controller and automated alert system. Moreover, the
implementation allows network administrators to
specify pre-defined rules to automatically respond in
case of malicious traffic. The experiments reveal that
proposed architecture protects the control channel
against various IP based attacks such as Denial of
Service, man-in the middle, and eavesdropping.
REFERENCES
[1] B. A. A. Nunes, M. Mendonca, X.-N. Nguyen, K.Obraczka, and
T.Turletti, ‘A Survey of Software-Defined Networking: Past, Present,
and Future of Programmable Networks’, IEEE Communications Surveys
& Tutorials, vol. 16, no. 3, pp. 1617–1634, Feb. 2014.
9. 9
[2] K. Kirkpatrick, ‘Software -defined networking’, Communications of the
ACM, vol. 56, no. 9, pp. 16–18, Sep. 2013.
[3] K. Cabaj, J. Wytrębowicz, S. Kukliński, P. Radziszewski, and K. T.
Dinh, ‘SDN Architecture Impact on Network Security’, 2014 Federated
Conference on Computer Science and Information Systems, vol. 3, pp.
143–148, Sep. 2014.
[4] K. Benton, L. J. Camp, and C. Small, ‘OpenFlow vulnerability
assessment’, Proceedings of the second ACM SIGCOMM workshop on
Hot topics in software defined networking - HotSDN ’13, pp. 151–152,
Aug. 2013.
[5] R. Kloti, V. Kotronis, and P. Smith, ‘OpenFlow: A security analysis’,
2013 21st IEEE International Conference on Network Protocols (ICNP),
pp. 1–6, Oct. 2013.
[6] D. Kreutz, F. M. V. Ramos, and P. Verissimo, ‘Towards secure and
dependable software-defined networks’, Proceedings of the second ACM
SIGCOMM workshop on Hot topics in software defined networking -
HotSDN ’13, pp. 55–60, Aug. 2013.
[7] K. Cabaj et al., “SDN Architecture Impact on Network Security,” in
Position papers of the 2014 Federated Conference on Computer Science
and Information Systems, Warsaw, Poland, 2014, pp. 143–148.
[8] Open Network Foundation. (April 13, 2012). Software-Defined
Networking: The New Norm for Networks.
[9] Diego Kreutz, Fernando M. V. Ramos and Paulo Verissimo, “Towards
Secure and Dependable Software-Defined Networks,” in HotSDN '13
Proceedings of the second ACM SIGCOMM workshop on Hot topics in
software defined networking, ACM SIGCOMM, NY, USA, 2013, pp.
55-60
[10] Antoine Feghali, Rima Kilany and Maroun Chamoun, “SDN Security
Problems and Solutions Analysis,” in International Conference on
Protocol Engineering (ICPE) and International Conference on New
Technologies of Distributed Systems (NTDS), Paris, France, 2015, pp.
1-5.
[11] Wen, Xitao, et al. "Towards a secure controller platform for openflow
applications. Proceedings of the second ACM SIGCOMM workshop on
Hot topics in software defined networking. ACM, 2013.
[12] Scarfone, Karen, and Peter Mell. "Guide to intrusion detection and
prevention systems (idps)." NIST special publication 800.2007 (2007):
94.
[13] Sakir Sezer et al., "Are We Ready for SDN? Implementation Challenges
for Software-Defined Networks," in IEEE Commun. Mag., vol. 51,
issue 7, Jul 2013, pp. 36 – 43
[14] P. Porras, S. Shin, V. Yegneswaran, M. Fong, M. Tyson, and G. Gu, ‘A
security enforcement kernel for OpenFlow networks’, Proceedings of the
first workshop on Hot topics in software defined networks - HotSDN
’12, pp. 121–126, Aug. 2012.
[15] Seugwon Shin et al., "FRESCO: Modular Composable Security Services
for Software-Defined Networks," in NDSS Symposium, 2013, San
Diego, CA
[16] Sandra Scott-Hayward, Gemma O’Callaghan and Sakir Sezer, "SDN
Security: A Survey," in Workshop on Software Defined Networks for
Future Networks and Service, Trento, Italy, 2013, pp. 1 – 7
[17] Xenofon Foukas, Mahesh K. Marina and Kimon Kontovasilis. Software
Defined Networking Concepts [Online]. Available FTP:
http://homepages.inf.ed.ac.uk/ Directory: mmarina/papers/ File: sdn-
chapter.pdf
[18] R. Holz et al. “X.509 Forensics: Detecting and Localising the
SSL/TLS Men-in-the-Middle”. In: Computer Security. LNCS. 2012
[19] Vipul Gupta et al., “Performance Analysis of Elliptic Curve
Cryptography for SSL,” in WiSE '02 Proceedings of the 1st ACM
workshop on Wireless security, NY, USA, 2002, pp. 87-94
[20] Kulkarni, Vikram, and Jayesh Kawli. "Analysis of OpenFlow
Networks."
[21] Bob Lantz, Brandon Heller, and Nick McKeown. A network in a laptop:
“Rapid prototyping for software-defined networks”. In HotNets, pages
1– 6, 2010
[22] Shalimov, Alexander, et al. "Advanced study of SDN/OpenFlow
controllers."Proceedings of the 9th Central & Eastern European
Software Engineering Conference in Russia. ACM, 2013.
[23] D. Cooper and rfcmarkup version 1, "Internet X.509 public key
infrastructure certificate and certificate revocation list (CRL) profile,"
2008. [Online]. Available: https://tools.ietf.org/html/rfc5280#.
[24] T. D. <tim@> and rfcmarkup version 1, "The transport layer security
(TLS) protocol version 1.2," 2008. [Online]. Available:
https://tools.ietf.org/html/rfc5246.
[25] R. Holz, L. Braun, N. Kammenhuber, and G. Carle, "The SSL
landscape," ACM, 2011, pp. 427–444. [Online]. Available:
http://dl.acm.org/citation.cfm?id=2068856.
[26] "The public key infrastructure approach to security," 2001. [Online].
Available:
https://docs.oracle.com/cd/B10501_01/network.920/a96582/pki.htm.
[27] Microsoft, "Public key infrastructure," 2016. [Online]. Available:
https://msdn.microsoft.com/en-
us/library/windows/desktop/bb427432%28v=vs.85%29.aspx.
[28] T. Duong and J. Rizzo, “Here come the ninjas,” Unpublished
manuscript, 2011, p. 4. [29] D. Goodin, “Crack in internets foundation
of trust allows https session hijacking,” Ars Technica, 2012, pp. 1–2.
[29] M. Marlinspike, “New tricks for defeating ssl in practice,” BlackHat
DC, February, 2009, pp. 1–11a