SDN: is it a solution for network security?
Smelyanskiy R.L.
Moscow State University, Computer Systems Laboratory
Applied Research Center for Computer Network

2013
Agenda
• What is an SDN network?
• Term “protecting” could be many-sided…
• SDN control environment also needs to be protected.

25.11.2013

prof.R.Smelyanskiy MSU & ARCCN
Software defined evolution
(figure: a Classic router with its built-in functions RIP, VLAN, OSPF, IS-IS, ACL, MPLS, …)
Software defined evolution
(figure: a Switch holding a Flow Table in TCAM, a separate Controller, and the functions RIP, OSPF, IS-IS, VLAN, ACL, MPLS, …)
Software defined evolution
(figure: the Switch keeps a Flow Table in TCAM; the Controller is separate; Routing, Switching, Firewall and Flow Switching are shown as kinds of rules, with RIP, OSPF, IS-IS, VLAN, ACL, MPLS, … beside them)

Flow Table rule examples (* = wildcard):

                 MAC src   MAC dst    IP Src    IP Dst    TCP sport  TCP dport  Action
Switching        *         00:1f:..   *         *         *          *          port 5
Routing          *         *          *         5.6.7.8   *          *          port 1
Firewall         *         *          *         *         *          22         drop
Flow Switching   00:20..   00:1f:..   1.2.3.4   5.6.7.8   20         666        port 7
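As an added illustration (not from the slides), a small Python model of this Flow Table: the four rule examples above, a lookup that applies the highest-priority matching rule, and a check for ambiguous overlapping rules. The rule priorities and the table-miss-to-controller default are assumptions; the slide shows neither.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# Match fields in the order of the slide's Flow Table columns.
FIELDS = ("mac_src", "mac_dst", "ip_src", "ip_dst", "tcp_sport", "tcp_dport")

@dataclass
class Rule:
    name: str
    match: Dict[str, str]  # field -> value; "*" is a wildcard
    action: str
    priority: int          # assumption: the slide shows no priorities

    def matches(self, pkt: Dict[str, str]) -> bool:
        return all(v == "*" or v == pkt[f] for f, v in self.match.items())

def rule(name: str, *values: str, action: str, priority: int) -> Rule:
    return Rule(name, dict(zip(FIELDS, values)), action, priority)

def packet(*values: str) -> Dict[str, str]:
    return dict(zip(FIELDS, values))

# The four rule examples from the slide. Priorities are assumed so that the
# firewall rule beats the switching rule it overlaps with on port-22 traffic.
FLOW_TABLE: List[Rule] = [
    rule("Switching", "*", "00:1f:..", "*", "*", "*", "*", action="port 5", priority=10),
    rule("Routing", "*", "*", "*", "5.6.7.8", "*", "*", action="port 1", priority=20),
    rule("Firewall", "*", "*", "*", "*", "*", "22", action="drop", priority=100),
    rule("Flow Switching", "00:20..", "00:1f:..", "1.2.3.4", "5.6.7.8", "20", "666",
         action="port 7", priority=50),
]

def lookup(table: List[Rule], pkt: Dict[str, str]) -> str:
    """Action of the highest-priority matching rule; a miss goes to the controller (assumed default)."""
    best: Optional[Rule] = None
    for r in table:
        if r.matches(pkt) and (best is None or r.priority > best.priority):
            best = r
    return best.action if best else "controller"

def overlap(a: Rule, b: Rule) -> bool:
    # Some packet matches both rules if every field agrees or is wildcarded in one of them.
    return all(a.match[f] in ("*", b.match[f]) or b.match[f] == "*" for f in FIELDS)

def conflicts(table: List[Rule]) -> List[Tuple[str, str]]:
    """Overlapping rules of equal priority with different actions: the switch
    may apply either, so such a policy is ambiguous and should be rejected."""
    return [(a.name, b.name) for a, b in combinations(table, 2)
            if overlap(a, b) and a.priority == b.priority and a.action != b.action]
```

A packet to TCP port 22 matches the Switching, Routing and Firewall rows at once; only the priority order makes the drop win, which is why a controller-side policy check such as conflicts() matters before rules are pushed to the switch.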
Software defined evolution
(figure: a Network operating system on the Controller hosts each function as an APP: VLAN, RIP, OSPF, IS-IS, ACL, MPLS, …; the Switch keeps its Flow Table in TCAM)
Software defined evolution: advantages
• Cheap and simple network devices
• Flexible configuration
• Global network view
• Free for innovation
(figure: a Network operating system on the Controller with APPs VLAN, RIP, OSPF, IS-IS, ACL, MPLS, …; several Switches below it)
Case studies
• Large Transit Service Provider
• Big International Company
– Multiple offices
– VPN communications

• Network of Large Organization
– Large internal networks
– Various types of network activities

Security in traditional architecture networks
• Case studies:
– Large Transit Service Provider
– Airport network
– ISP (VPN provider)

• Tendencies
– Traffic growth
– Mobility

• Infrastructure
• Software
• Protocols
Term “protecting” could be many-sided…

Physical access
Airport example
(figure: several interconnected Control processes and a trespasser)
Airport example
(figure, continued: the same Control processes, now with Malware present alongside the trespasser)
Airport example
(figure, continued: the SDN version; on each node the Control process is replaced by a Packet forwarding process and control moves into an SDN Controller; the trespasser is still present)
Term “protecting” could be many-sided…

Network flow control
Network of Organization example
(figure: Tenant A and Tenant B, each with a Tenant app)
Network of Organization example
(figure, continued: traffic from a Traffic Src point to Traffic Dst points; at Tenant A it is either Accepted or Dropped)
Network of Organization example
(figure, continued: a Firewall app with Firewall rules placed between the Traffic Src point and the Traffic Dst point)
SDN control environment also needs to be protected.

SDN control environment security
Controller security app
(figure: OpenFlow (OF) events caused by Legal traffic and by Malware traffic pass through a Security app on the controller)
Switch-controller security
(figure: a Switch compromised by Malware, the controller, and an Authentication server; candidate mechanisms: Internet Key Exchange, IPsec, Kerberos, etc.)
Controller-to-controller security
Controller-to-controller out-band protocol: seems to be secure enough, but an expensive solution.
Controller-to-controller security
Controller-to-controller in-band protocol:
– Problem 1: check policies
– Problem 2: isolate controllers traffic and datapath traffic
– Problem 3: special QoS settings
Controllers requirements
• c-applications should be reusable by different controllers placed near-by each other;
• different controller instances should be able to share the same instance of a c-application;
• the controller should be a trusted environment;
• the controller should be scalable: if the workload grows beyond the current computational power of the controller, it should be able to get more computational power, for example by splitting its activity with another controller instance placed on another physical resource;
• if some controller instance shuts down, other controllers placed nearby should be able to take over the part of the network switches that were managed by the one that shut down.
Conclusion
• Software Defined Networking (SDN) has been developing rapidly.
– Working in data centers
– Replacing proprietary routers

• Splitting the data plane and the control plane brings advantages, but also opens new ways to exploit such networks for malicious purposes.
The major advantages of the SDN approach:
– programmable configuration
– data plane and control plane separation
– flexible data flow control
Q&A
smel@.cs.msu.su
Switch - Controller security
(figure: hosts send Legal traffic and Malware traffic to an Openflow switch; the switch raises Openflow events over the Control channel; an Openflow event checker in front of the Controller inspects them)
Switch - Controller security
(figure, variant: the Openflow events from the same switch reach a Vulnerable app on the Controller)
(figure, variant: the Openflow events reach a Vulnerable Security app on the Controller)
Controller-controller protocol security
(figure: two Controllers, each with its Openflow switch and hosts; the Controller-controller out-band protocol runs outside the Control channel: seems to be secure enough, but an expensive solution)
(figure, continued: Controller-controller in-band protocol beside the out-band one; requirements: check policies; isolate controllers traffic and datapath traffic; special QoS settings)
