SDN: is it a solution for network security?

SDN: is it a solution for
network security?
Smelyanskiy R.L.
Moscow State University, Computer Systems Laboratory
Applied Research Center for Computer Network

2013

Agenda
• What is SDN network?
• Term “protecting” could be many-sided…
• SDN control environment also needs to be
protected.

25.11.2013

prof.R.Smelyanskiy MSU & ARCCN

2

Software defined evolution
RIP

VLAN

OSPF
IS-IS

Classic router
…

25.11.2013

ACL

MPLS


3

RIP

VLAN

OSPF
IS-IS

Classic router
…

25.11.2013

ACL

MPLS


4

RIP

VLAN

OSPF

IS-IS

Classic router
…

25.11.2013

ACL

MPLS


5

VLAN

Flow Table

TCAM

Controller
Switch

RIP
OSPF
IS-IS
ACL
MPLS
…

25.11.2013


6

Flow Table
MAC
src

MAC
dst

TCAM
*
*

IP
IP
Flow Table Dst
Src

*

Switch

5.6.7.8

TCP
sport

*

TCP
dport

Action

* Controller
port 1

RIP

OSPF
Routing

Rule examples

IS-IS

*

00:1f:..

*

*

*

*

port 5

*

*

*

*

*

22

drop

20

666

port 7

00:20.. 00:1f:.. 1.2.3.4 5.6.7.8
25.11.2013

VLAN


ACL
Switching
MPLS

Firewall
…

Flow
Switching
7

Flow Table
MAC
src

MAC
dst

TCAM
*
*

IP
IP
Flow Table Dst
Src

*

Switch

5.6.7.8

TCP
sport

*

TCP
dport

Action

* Controller
port 1

RIP

OSPF
Routing

Rule examples

IS-IS

*

00:1f:..

*

*

*

*

port 5

*

*

*

*

*

22

drop

20

666

port 7

00:20.. 00:1f:.. 1.2.3.4 5.6.7.8
25.11.2013

VLAN


ACL
Switching
MPLS

Firewall
…

Flow
Switching
8

Flow Table

TCAM

Network operating system


Controller
Switch

25.11.2013


APP
VLAN
APP
RIP
APP
OSPF
APP
IS-IS
APP
ACL
APP
MPLS
APP
…

9


Switch

Controller
Switch

APP
VLAN
APP
RIP
APP
OSPF
APP
IS-IS
APP
ACL
APP
MPLS
APP
…

Switch

25.11.2013


10

Advantages devices
Cheep and simple switch
Flexible for configuration
APP
VLAN
Network Global View
Free for innovation

Switch

Controller

Switch

APP
RIP

APP
OSPF
APP
IS-IS
APP
ACL
APP
MPLS
APP
…

Switch

25.11.2013


11

Advantages
Cheep and simple network devices

Flexible for configuration
Globalfor innovation
Network View
Free


Switch

Controller

Switch

APP
VLAN
APP
RIP
APP
OSPF
APP
IS-IS
APP
ACL
APP
MPLS
APP
…

Switch

25.11.2013


12

Case studies
• Large Transit Service Provider
• Big International Company
– Multiple offices
– VPN communications

• Network of Large Organization
– Large internal networks
– Various types of network activities

25.11.2013


13

Security in traditional architecture
networks
• Case studies:
– Large Transit Service
Provider
– Airport network
– ISP (VPN provider)

• Tendencies
– Traffic growth
– Mobility

• Infrastructure
• Software
• Protocols
25.11.2013


14

Term “protecting” could be manysided…

Physical access

25.11.2013


15

Airport example

25.11.2013


16

Airport example
Control
process

Control
process
Control
process

Control
process

Control
process

trespasser

25.11.2013

Control
process


17

Airport example
Control
process

Control
process
Control
process

Malware
Control
Control
process
process

Control
process

trespasser

25.11.2013

Control
process


18

Airport example
Control
Packet
forwarding
process

Control
Packet
forwarding
process
Control
Packet
forwarding
process

Control
Packet
forwarding
process

Control
Packet
forwarding
process

Control
process

trespasser

SDN
Controller

25.11.2013


19

Term “protecting” could be manysided…

Network flow control

25.11.2013


20

Network of Organization example
Tenant A
Tenant
app

Tenant B
25.11.2013


21

Traffic
Dst point

Traffic
Src point

Tenant AAccept
Drop
Tenant
app

Tenant B
25.11.2013

Traffic
Dst point


22


25.11.2013


23


Traffic
Src point

Firewall
rules

Firewall
app
Firewall
rules

25.11.2013

Traffic
Dst point


24

SDN control
environment also needs
to be protected.

25.11.2013


25

SDN control environment security

25.11.2013


26

Controller security app
Malware
traffic
Legal
traffic

OF event

OF event
OF event

OF event

Security
app

Security
app

OF event

OF event
OF event

OF event

Legal
traffic

Legal
traffic

25.11.2013

Malware
traffic


27

Switch-controller security

Malware
Switch

25.11.2013


28

Switch-controller security
Internet Key
Exchange, IPsec, Kerb
eros and etc.
Authentication
server
Malware
Switch

25.11.2013


29

Controller-to-controller security
Seems to be secure
enough,
but an expensive
solution

Controller-to-controller
out-band protocol

25.11.2013


30

Controller-to-controller security
Problem 1
Check
policies

Problem 2
Isolate
Controllers traffic
and
Datapath traffic

Controller-to-controller
in-band protocol

25.11.2013


Problem 3
Special
QoS
settings

31

Controllers requirements
• c-applications should be reusable by different controllers placed
near-by each other;
• different controller instances should be able to share the same
instance of a c-application;
• controller should be trusted environment;
• controller should be scalable; it means that if workload is
growing beyond the current computational power of controller
then it should be able to get more computational power, for
example by splitting its activity with another controller
instance, placed on another physical resource;
• if some controller instance shut down than some other
controllers placed nearby should be able to catch up those part
of network switches were managed by those shut down.
25.11.2013

prof.R.Smelyanskiy MSU &
ARCCN

32

Conclusion
• Software Defined Networking (SDN) has been
rapidly developed.
– Working in data centers
– Replacing proprietary routers

• Splitting data plane and control plane brings
advantages, but also opens new way to exploit
such networks in malicious purposes.
The major advantages of SDN approach
– programmable configuration
– data plane and control plane separation
– flexible data flow control
25.11.2013


33

Q&A
smel@.cs.msu.su
25.11.2013


34

Switch - Controller security

Control channel

Openflow switch

Openflow event
Openflow event

host
Legal
traffic

host

host

Controller

host

Malware
traffic

Openflow
event checker

Openflow event
Openflow event
Openflow event

25.11.2013


Openflow event

49


Control channel

Openflow switch

Openflow event
Openflow event

host
Legal
traffic

host

host

Controller

host

Malware
traffic

Openflow
event checker

Openflow event
Openflow event
Openflow event

25.11.2013


Openflow event

50


Control channel

Openflow switch

Openflow event
Openflow event

host
Legal
traffic

host

host

Controller

host

Malware
traffic

Vulnerable
app

Openflow event
Openflow event
Openflow event

25.11.2013


Openflow event

51


Control channel

Openflow switch

Openflow event
Openflow event

host
Legal
traffic

host

host

Controller

host

Malware
traffic

Vulnerable
Security
app

Openflow event
Openflow event
Openflow event

25.11.2013


Openflow event

52

Controller-controller protocol
security
Control channel
Controller-controller

Openflow switch

out-band protocol
Seems to be secure
enough,
but an expensive
solution

host

25.11.2013

host

host

host


Controller

53

Controller-controller protocol
security
Check
policies

Isolate
Controllers traffic
and
Datapath traffic

Special
QoS
settings

Openflow switch

host

25.11.2013

host

host

Controller

Controller-controller Controller-controller
in-band protocol out-band protocol

host


Controller

54

SDN: is it a solution for network security?

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (6)

Similar to SDN: is it a solution for network security?

Similar to SDN: is it a solution for network security? (20)

More from ARCCN

More from ARCCN (20)

Recently uploaded

Recently uploaded (20)

SDN: is it a solution for network security?