Downloaded 44 times
Uploaded byARCCN
SDN: is it a solution for network security?
This document discusses Software Defined Networking (SDN) and its implications for network security, emphasizing the need to protect the SDN control environment. It highlights the advantages of SDN, such as programmable configuration and flexible data flow control, while also addressing potential security vulnerabilities that arise from the separation of data and control planes. Various case studies illustrate the application of SDN in real-world scenarios alongside the security challenges faced by traditional architecture networks.
More Related Content
Similar to SDN: is it a solution for network security?
![[BDD 2025 - Artificial Intelligence] Building AI Systems That Users (and Comp...](https://cdn.slidesharecdn.com/ss_thumbnails/ai-buildingaisystemsthatusersandcompanieslove-251124030845-038f7732-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Full-Stack Development] Agentic AI Architecture: Redefining Syste...](https://cdn.slidesharecdn.com/ss_thumbnails/fs-agenticaiarchitectureredefiningsystemcommunication-251124030838-e6c70cc2-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...](https://cdn.slidesharecdn.com/ss_thumbnails/fs-themodernstackbuildingwebaiapplicationswithserverless-251124030844-388cf04f-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Artificial Intelligence] AI for the Underdogs: Innovation for Sma...](https://cdn.slidesharecdn.com/ss_thumbnails/ai-aifortheunderdogsinnovationforsmallbusinesses-251124030839-72a599a4-thumbnail.jpg?width=640&height=640&fit=bounds)
SDN: is it a solution for network security?
- 1. SDN: is ita solution for network security? Smelyanskiy R.L. Moscow State University, Computer Systems Laboratory Applied Research Center for Computer Network 2013
- 2. Agenda • What isSDN network? • Term “protecting” could be many-sided… • SDN control environment also needs to be protected. 25.11.2013 prof.R.Smelyanskiy MSU & ARCCN 2
- 3. Software defined evolution RIP VLAN OSPF IS-IS Classicrouter … 25.11.2013 ACL MPLS prof.R.Smelyanskiy MSU & ARCCN 3
- 4. Software defined evolution RIP VLAN OSPF IS-IS Classicrouter … 25.11.2013 ACL MPLS prof.R.Smelyanskiy MSU & ARCCN 4
- 5. Software defined evolution RIP VLAN OSPF IS-IS Classicrouter … 25.11.2013 ACL MPLS prof.R.Smelyanskiy MSU & ARCCN 5
- 6. Software defined evolution VLAN FlowTable TCAM Controller Switch RIP OSPF IS-IS ACL MPLS … 25.11.2013 prof.R.Smelyanskiy MSU & ARCCN 6
- 7. Software defined evolution FlowTable MAC src MAC dst TCAM * * IP IP Flow Table Dst Src * Switch 5.6.7.8 TCP sport * TCP dport Action * Controller port 1 RIP OSPF Routing Rule examples IS-IS * 00:1f:.. * * * * port 5 * * * * * 22 drop 20 666 port 7 00:20.. 00:1f:.. 1.2.3.4 5.6.7.8 25.11.2013 VLAN prof.R.Smelyanskiy MSU & ARCCN ACL Switching MPLS Firewall … Flow Switching 7
- 8. Software defined evolution FlowTable MAC src MAC dst TCAM * * IP IP Flow Table Dst Src * Switch 5.6.7.8 TCP sport * TCP dport Action * Controller port 1 RIP OSPF Routing Rule examples IS-IS * 00:1f:.. * * * * port 5 * * * * * 22 drop 20 666 port 7 00:20.. 00:1f:.. 1.2.3.4 5.6.7.8 25.11.2013 VLAN prof.R.Smelyanskiy MSU & ARCCN ACL Switching MPLS Firewall … Flow Switching 8
- 9. Flow Table TCAM Network operatingsystem Software defined evolution Controller Switch 25.11.2013 prof.R.Smelyanskiy MSU & ARCCN APP VLAN APP RIP APP OSPF APP IS-IS APP ACL APP MPLS APP … 9
- 10. Software defined evolution Networkoperating system Switch Controller Switch APP VLAN APP RIP APP OSPF APP IS-IS APP ACL APP MPLS APP … Switch 25.11.2013 prof.R.Smelyanskiy MSU & ARCCN 10
- 11. Software defined evolution Advantagesdevices Cheep and simple switch Flexible for configuration APP VLAN Network Global View Free for innovation Network operating system Switch Controller Switch APP RIP APP OSPF APP IS-IS APP ACL APP MPLS APP … Switch 25.11.2013 prof.R.Smelyanskiy MSU & ARCCN 11
- 12. Software defined evolution Advantages Cheepand simple network devices Flexible for configuration Globalfor innovation Network View Free Network operating system Switch Controller Switch APP VLAN APP RIP APP OSPF APP IS-IS APP ACL APP MPLS APP … Switch 25.11.2013 prof.R.Smelyanskiy MSU & ARCCN 12
- 13. Case studies • LargeTransit Service Provider • Big International Company – Multiple offices – VPN communications • Network of Large Organization – Large internal networks – Various types of network activities 25.11.2013 prof.R.Smelyanskiy MSU & ARCCN 13
- 14. Security in traditionalarchitecture networks • Case studies: – Large Transit Service Provider – Airport network – ISP (VPN provider) • Tendencies – Traffic growth – Mobility • Infrastructure • Software • Protocols 25.11.2013 prof.R.Smelyanskiy MSU & ARCCN 14
- 15. Term “protecting” couldbe manysided… Physical access 25.11.2013 prof.R.Smelyanskiy MSU & ARCCN 15
- 16.
- 17.
- 18.
- 19.
- 20. Term “protecting” couldbe manysided… Network flow control 25.11.2013 prof.R.Smelyanskiy MSU & ARCCN 20
- 21. Network of Organizationexample Tenant A Tenant app Tenant B 25.11.2013 prof.R.Smelyanskiy MSU & ARCCN 21
- 22. Network of Organizationexample Traffic Dst point Traffic Src point Tenant AAccept Drop Tenant app Tenant B 25.11.2013 Traffic Dst point prof.R.Smelyanskiy MSU & ARCCN 22
- 23. Network of Organizationexample 25.11.2013 prof.R.Smelyanskiy MSU & ARCCN 23
- 24. Network of Organizationexample Traffic Src point Firewall rules Firewall app Firewall rules 25.11.2013 Traffic Dst point prof.R.Smelyanskiy MSU & ARCCN 24
- 25. SDN control environment alsoneeds to be protected. 25.11.2013 prof.R.Smelyanskiy MSU & ARCCN 25
- 26. SDN control environmentsecurity 25.11.2013 prof.R.Smelyanskiy MSU & ARCCN 26
- 27. Controller security app Malware traffic Legal traffic OFevent OF event OF event OF event Security app Security app OF event OF event OF event OF event Legal traffic Legal traffic 25.11.2013 Malware traffic prof.R.Smelyanskiy MSU & ARCCN 27
- 28.
- 29. Switch-controller security Internet Key Exchange,IPsec, Kerb eros and etc. Authentication server Malware Switch 25.11.2013 prof.R.Smelyanskiy MSU & ARCCN 29
- 30. Controller-to-controller security Seems tobe secure enough, but an expensive solution Controller-to-controller out-band protocol 25.11.2013 prof.R.Smelyanskiy MSU & ARCCN 30
- 31. Controller-to-controller security Problem 1 Check policies Problem2 Isolate Controllers traffic and Datapath traffic Controller-to-controller in-band protocol 25.11.2013 prof.R.Smelyanskiy MSU & ARCCN Problem 3 Special QoS settings 31
- 32. Controllers requirements • c-applicationsshould be reusable by different controllers placed near-by each other; • different controller instances should be able to share the same instance of a c-application; • controller should be trusted environment; • controller should be scalable; it means that if workload is growing beyond the current computational power of controller then it should be able to get more computational power, for example by splitting its activity with another controller instance, placed on another physical resource; • if some controller instance shut down than some other controllers placed nearby should be able to catch up those part of network switches were managed by those shut down. 25.11.2013 prof.R.Smelyanskiy MSU & ARCCN 32
- 33. Conclusion • Software DefinedNetworking (SDN) has been rapidly developed. – Working in data centers – Replacing proprietary routers • Splitting data plane and control plane brings advantages, but also opens new way to exploit such networks in malicious purposes. The major advantages of SDN approach – programmable configuration – data plane and control plane separation – flexible data flow control 25.11.2013 prof.R.Smelyanskiy MSU & ARCCN 33
- 34.
- 35. Switch - Controllersecurity Control channel Openflow switch Openflow event Openflow event host Legal traffic host host Controller host Malware traffic Openflow event checker Openflow event Openflow event Openflow event 25.11.2013 prof.R.Smelyanskiy MSU & ARCCN Openflow event 49
- 36. Switch - Controllersecurity Control channel Openflow switch Openflow event Openflow event host Legal traffic host host Controller host Malware traffic Openflow event checker Openflow event Openflow event Openflow event 25.11.2013 prof.R.Smelyanskiy MSU & ARCCN Openflow event 50
- 37. Switch - Controllersecurity Control channel Openflow switch Openflow event Openflow event host Legal traffic host host Controller host Malware traffic Vulnerable app Openflow event Openflow event Openflow event 25.11.2013 prof.R.Smelyanskiy MSU & ARCCN Openflow event 51
- 38. Switch - Controllersecurity Control channel Openflow switch Openflow event Openflow event host Legal traffic host host Controller host Malware traffic Vulnerable Security app Openflow event Openflow event Openflow event 25.11.2013 prof.R.Smelyanskiy MSU & ARCCN Openflow event 52
- 39. Controller-controller protocol security Control channel Controller-controller Openflowswitch out-band protocol Seems to be secure enough, but an expensive solution host 25.11.2013 host host host prof.R.Smelyanskiy MSU & ARCCN Controller 53
- 40. Controller-controller protocol security Check policies Isolate Controllers traffic and Datapathtraffic Special QoS settings Openflow switch host 25.11.2013 host host Controller Controller-controller Controller-controller in-band protocol out-band protocol host prof.R.Smelyanskiy MSU & ARCCN Controller 54