SDN and Security: some real-world experience
•
2 likes•181 views
This document discusses SDN and security from Jeff Young of Telstra. It summarizes Telstra's Programmable Network, views potential vulnerabilities in Openflow networks including attacks on the controller and switch tables. It proposes solutions like protecting the controller and dropping unknown traffic. The document also discusses securing applications on the network through authentication and DOS protection. Finally, it lists several research papers related to SDN security including enforcing security on Openflow networks and securing SDN data plane protocols and programmability.
More Related Content
What's hot
What's hot (20)
Similar to SDN and Security: some real-world experience
Similar to SDN and Security: some real-world experience (20)
More from APNIC
More from APNIC (20)
Recently uploaded
Recently uploaded (11)
SDN and Security: some real-world experience
- 1. SDN and Security Some real-world experience Jeff Young Product Architecture, Global Platforms
- 2. Agenda • Telstra Programmable Network • How do I view the problem? • Network vulnerabilities (Openflow, control plane, data plane) • Application vulnerabilities • Our Solution(s) • Research and Presentations
- 3. 3 The Telstra Programmable Network (7) (3) (1) (5) (4) (2) (3) (1) (1) (1) (1) (1) NFV Farm Internet Breakout VPN Interconnect NFV Farm Sydney, Hong Kong, Tokyo, Singapore, Los Angeles, New Jersey, London Internet Sydney, Hong Kong, Tokyo, Singapore, Los Angeles, Secaucus New Jersey, London Telstra NextIP Interconnect Sydney, Melbourne IPVPN/GWAN Interconnect Hong Kong, Singapore, New Jersey, London External exchanges AWS (7), ECX (6), AxonVX (2), Epsilon (2), Westin (1) • Fortinet Fortigate NGFW • Fortinet Fortiweb vAppliance • Palo Alto VM-series • Cisco vASA • Cisco CSR1000v • Riverbed vSteelhead • VeloCloud • Juniper vSRX • Cisco Primare vNAM • FortiAnalyzer 35 Programmable Network PoPs in 17 cities and 11 countries and territories Directly connected to Telstra’s network of more than 2,000 points of presence in 200 countries Connect to leading public cloud providers via various DC Exchange providers How do I view the problem?
- 4. Openflow Basics 4 Network Attributes • Separation of control/data planes • Controller is smart, switches are dumb • switches act on simple match/act • switches have limited fwd tables • By use of a protocol, switches discovered • OFDP ~ LLDP • Controller has both north and southbound • Network traffic CAN prompt controller to • create forwarding rules • create drop rules • do something else? Telstra PN
- 5. Openflow Basics 5 Possible Attacks • Attack the controller/application (later) • Controller is smart, switches are dumb • overload the controller • overload the switch tables • By use of a protocol, switches discovered • snoop/react to OFDP • masquerade as a switch (send bad info) • Controller has both north and southbound • reveal controller patterns to identify • specific attacks on controller type • Network traffic CAN prompt controller to • create malicious rules Telstra PN
- 6. Openflow Basics 6 Possible Solutions • Protect controller/application (later) • Controller is smart, switches are dumb • drop unknown traffic rather than fwd • not always possible… • By use of a protocol, switches discovered • don’t use OFDP (or modify it) • LLDP encryption, BFD, (see research) • Controller has both north and southbound • write your own controller :-) • Network traffic CAN prompt controller to Telstra PN
- 7. Open Kilda 7 HDFS HBASEKAFKA ZOOKEEPER STORM OpenTSDB TOPOLOGY ENGINE NORTHBOUNDAPI OPENFLOWSWITCH NEO4J Architecture
- 8. OpenKilda — a whole new controller 8
- 9. Application Security 9 Customer Driven (created) • Multiple canvases • Multi-tenant • Create flows (L2) between building blocks “Lego” Building Blocks: • IPVPN’s • Exchanges • VNF’s (in server farms) • Internet • Switch Ports • Bandwidth (on demand) Open Marketplace • Bring your own ’service’ One-Click “Deploy” • Guaranteed deploy time • Changes as-needed (self-provision)
- 11. Application Security 11 Authentication • carry token at every step • both in the web UI • and in the API DOS • be vigilant at the API interface • ready/protected from DOS Future • P4 • product direction exposes _____ • who knows?
- 12. Research and Presentations: 12 A Security Enforcement Kernel for OpenFlow Networks Phillip Porras† Seungwon Shin‡ Vinod Yegneswaran† Martin Fong† Mabry Tyson† Guofei Gu‡ http://www.cs.columbia.edu/~lierranli/coms6998-8SDNFall2013/papers/FortNox- HotSDN2012.pdf sOFTDP: Secure and Efficient Topology Discovery Protocol for SDN Abdelhadi Azzouni1, Raouf Boutaba2, Nguyen Thi Mai Trang1, and Guy Pujolle1 https://arxiv.org/pdf/1705.04527.pdf A Survey on the Security of Stateful SDN Data Planes Tooska Dargahi, Alberto Caponi, Moreno Ambrosin, Giuseppe Bianchi, and Mauro Conti http://ieeexplore.ieee.org/document/7890396/ Data Plane Programmability the next step in SDN http://sites.ieee.org/netsoft/files/2017/07/Netsoft2017_Keynote_Bianchi.pdf
- 13. Thank you 13