This document discusses the implementation of a unified security plugin for the OpenDaylight SDN controller. It begins by describing how SDN architectures introduce new security challenges by making the controller a single point of failure, then outlines the security measures already present in OpenDaylight and notes the gaps that remain, such as exposure to packet-in flooding attacks. The document proposes a unified security plugin that would monitor the controller's interfaces and APIs to identify attacks and share security-related information for mitigation, and gives an example of how the plugin could help detect and block a packet-in flooding attack aimed at overwhelming the controller.
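The packet-in flood the summary mentions works because every flow-table miss on a switch becomes a packet-in message to the controller, so an attacker spraying packets with unique headers forces one controller interaction per packet. The following is an added example, not code from the paper or from OpenDaylight: a rate-based detector that keeps a sliding window of packet-in counts per (switch, ingress port) and returns a drop rule once a port crosses a threshold. The event format, the window and threshold values, the switch identifier and the shape of the returned flow rule are assumptions for this example; a real OpenDaylight plugin would consume PacketReceived notifications and push the rule through the controller's flow service.

```python
"""Rate-based packet-in flood detector (added example; not the paper's plugin)."""
from collections import defaultdict, deque

WINDOW_SEC = 1.0   # sliding window length (assumed value)
THRESHOLD = 40     # packet-ins per window per ingress port before reacting (assumed)

# Constructed sample events: (timestamp_sec, switch_id, in_port, src_mac).
# Port 1 carries a normal host that misses the flow table every 200 ms.
NORMAL_EVENTS = [(i * 0.2, "openflow:1", 1, "00:00:00:00:00:01") for i in range(10)]
# Port 3 carries an attacker sending 60 packets with unique source MACs in 600 ms,
# so every packet misses the flow table and turns into a packet-in.
ATTACK_EVENTS = [(0.5 + i * 0.01, "openflow:1", 3, "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF))
                 for i in range(60)]
SAMPLE_EVENTS = sorted(NORMAL_EVENTS + ATTACK_EVENTS)


def drop_rule(switch, port, idle_timeout=60):
    """Rule shape is assumed: high priority, match on in_port only, and an empty
    action list, which in OpenFlow means drop. idle_timeout lets the block expire."""
    return {"node": switch, "priority": 65000, "match": {"in_port": port},
            "actions": [], "idle_timeout": idle_timeout}


class PacketInFloodDetector:
    def __init__(self, window_sec=WINDOW_SEC, threshold=THRESHOLD):
        self.window_sec = window_sec
        self.threshold = threshold
        self._times = defaultdict(deque)   # (switch, port) -> timestamps inside the window
        self.blocked = set()               # ports already reacted to

    def observe(self, ts, switch, port):
        """Record one packet-in. Returns a drop rule the first time the port's
        count inside the window exceeds the threshold, otherwise None."""
        key = (switch, port)
        q = self._times[key]
        q.append(ts)
        while q and ts - q[0] > self.window_sec:   # evict timestamps older than the window
            q.popleft()
        if len(q) > self.threshold and key not in self.blocked:
            self.blocked.add(key)
            return drop_rule(switch, port)
        return None


def run_detector(events, window_sec=WINDOW_SEC, threshold=THRESHOLD):
    """Feed a time-ordered event list through the detector; return [(ts, rule), ...]."""
    det = PacketInFloodDetector(window_sec, threshold)
    rules = []
    for ts, switch, port, _src_mac in events:
        rule = det.observe(ts, switch, port)
        if rule is not None:
            rules.append((ts, rule))
    return rules


if __name__ == "__main__":
    for ts, rule in run_detector(SAMPLE_EVENTS):
        print(f"t={ts:.2f}s flood on {rule['node']} port {rule['match']['in_port']}: install {rule}")
```

On the constructed sample the 41st attack packet-in arrives at t=0.90 s and triggers a single rule for port 3; the normal host on port 1 never comes close to the threshold. Two caveats a practitioner would add: a rule that matches only in_port also cuts off any legitimate host behind that port, so a narrower match (or an OpenFlow meter to rate-limit packet-ins rather than drop) is usually preferable, and the threshold must be set per deployment from observed packet-in rates, since a reactive controller application legitimately generates a burst of packet-ins whenever many new flows start at once.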
Evaluation of Authentication Mechanisms in Control Plane Applications for Sof... (Siyabonga Masuku)
This document evaluates different authentication mechanisms for control plane applications in software defined networks (SDNs). It discusses how a lack of trust between network applications and controllers is a challenge for SDN security. The document reviews several proposed authentication mechanisms and outlines a research proposal to evaluate these mechanisms under different performance scenarios in order to recommend a well-performing and reliable standard for the northbound API. It will use literature reviews and simulations with Mininet and NS3 to test authentication mechanisms on factors like the number of authenticated/unauthenticated applications over time.
Attacking SDN infrastructure: Are we ready for the next gen networking (Priyanka Aash)
The document discusses attacking SDN infrastructure and whether we are ready for next-generation networking from a security perspective. It outlines several attack vectors against the SDN control plane, including compromising it at build time by injecting malware or at runtime through malicious applications. Specific vulnerabilities discussed include lack of system integrity protection, lack of authentication for SDN controller nodes, and lack of access control for applications. The document advocates for more work to improve SDN security, such as through the Project DELTA evaluation framework and mechanisms to enforce application security policies, before next-gen networking is ready.
BsidesSP: Pentesting in SDN - Owning the Controllers (Roberto Soares)
Conference: BsidesSP
Description:
SDN (Software Defined Network) has attracted the attention of many technology giants from various segments such as VMware, Juniper, Cisco, HP, IBM, Google, China Telecom, Huawei and others by providing more virtualized services that can be scheduled, managed and monitored faster, more efficiently and at lower cost than the usual solutions. Defining routes, switching, QoS treatment and security policies, which used to happen in bulky, purpose-specific hardware, is now performed in higher software layers installed on virtual machines. But how can we test this? First, we'll give an overview of the SDN architecture; soon after, we'll explain how to find SDN controllers and, if they are present in our network, steal critical information so that we can proceed with our exploitation. In the end, we will take possession of the controllers and make the unexpected happen. There will be a smattering of Metasploit code that will be demonstrated. Can a controller control us? We'll see.
This document discusses security enhancements for IEEE 802.11i wireless networks. It proposes using physical layer information and channel-based secrets to improve authentication and key establishment. Specifically, it suggests modifying the 802.11i key derivation process to incorporate information-theoretic secure bits extracted from wireless channel measurements. This would make stolen credentials like passwords less useful, improving security. The document outlines integrating channel secrets into the pairwise transient key derivation in 802.11i to provide forward and backward secrecy.
The purpose of this paper is twofold. First and foremost, it presents a background narrative on the origins, innovations and applications of novel structural automation technologies and the rarity of experts involved in research, development and practice in this field. The second part of the paper presents a rudimentary framework for a solution addressing this paucity: the creation of an interdisciplinary academic program at PAAET that will be the first in the region to address applied information and communication technologies (ICT) in the design, planning, engineering and management of structural automation projects. In doing so, we also need to define the level of implementation. This field, like all fields in ICT, has been loosely defined, and most applications carry less weight in their implementation than what should be applied. This paper attempts to define an indexing scheme by which we can easily classify such implementations and generate a ranking by which we can safely define their level of "Intelligence". Published in the International Journal of Engineering Research and Applications (IJERA).
This paper describes an Internet of Things (IoT) security architecture based on Software Defined Networking (SDN). In this context, the SDN-based design works with or without infrastructure; this is called the SDN domain. The work describes the mechanics of the proposed architecture and explores how SDN can be used to achieve more effective and flexible network security. It outlines the issues associated with current SDN security applications and introduces a new IoT system design, discusses the management of Internet access for specific networks and the monitoring of global traffic, and finally describes the chosen SDN architecture using OpenFlow and discusses the results. M. Silambarasan | B. Michael Vinoline Rinoj | V. Karthik "A Novel SDN Architecture for IoT Security" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-4 | Issue-2, February 2020, URL: https://www.ijtsrd.com/papers/ijtsrd29908.pdf
Paper Url : https://www.ijtsrd.com/engineering/electronics-and-communication-engineering/29908/a-novel-sdn-architecture-for-iot-security/m-silambarasan
Performance Analysis of Wireless Trusted Software Defined Networks (IRJET Journal)
This document analyzes the performance of wireless trusted software defined networks (SDNs) by considering metrics like energy consumption, throughput, end-to-end delay, and packet delivery ratio. It finds that SDNs perform better than conventional networks without SDN capabilities. It also compares the energy consumption of different SDN topology models. The key findings are that SDNs provide centralized control, programmability, and flexibility that improve performance compared to traditional networks. Additionally, different SDN topology models have varying levels of energy efficiency.
IRJET- SDN Simulation in Mininet to Provide Security Via Firewall (IRJET Journal)
This document discusses implementing a firewall application in a Software Defined Networking (SDN) environment using Mininet and the POX controller. The authors create an SDN network topology in Mininet with hosts and switches. They develop an OpenFlow-based firewall that checks incoming packets against rules defined in the POX controller. This allows filtering of traffic and blocking of unauthorized access in a centralized, software-based way without dedicated hardware. The firewall implementation and experiment results using this SDN testbed are presented.
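The core of a controller-side firewall like the one summarized above is a rule table consulted on each packet-in, with the decision then pushed to the switch as a flow entry so later packets of the same flow never reach the controller. The block below is an added example, not the authors' POX application: a first-match (highest priority wins) rule table with wildcard fields, a default-deny decision, and the flow entry that would be installed, returned as a plain dict so the logic runs without a controller. The field names nw_src, nw_dst, nw_proto and tp_dst mirror the OpenFlow 1.0 match attributes POX exposes, but the Rule class, the "NORMAL" output action, the sample addresses and the packets are constructed for this example.

```python
"""Reactive OpenFlow-style firewall rule table (added example; not the paper's POX code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ICMP, TCP, UDP = 1, 6, 17   # IP protocol numbers


@dataclass(frozen=True)
class Rule:
    """One firewall rule. A field set to None is a wildcard (matches anything)."""
    action: str                    # "allow" or "deny"
    nw_src: Optional[str] = None   # source CIDR
    nw_dst: Optional[str] = None   # destination CIDR
    nw_proto: Optional[int] = None
    tp_dst: Optional[int] = None   # L4 destination port; None also matches ICMP
    priority: int = 100

    def matches(self, pkt: dict) -> bool:
        if self.nw_src is not None and ip_address(pkt["nw_src"]) not in ip_network(self.nw_src):
            return False
        if self.nw_dst is not None and ip_address(pkt["nw_dst"]) not in ip_network(self.nw_dst):
            return False
        if self.nw_proto is not None and pkt["nw_proto"] != self.nw_proto:
            return False
        if self.tp_dst is not None and pkt.get("tp_dst") != self.tp_dst:
            return False
        return True


# Constructed policy: block SSH to one server, allow HTTP into the server subnet,
# allow ICMP everywhere, and drop everything else (default deny).
RULES = [
    Rule("deny", nw_src="10.0.0.0/24", nw_dst="10.0.1.10/32", nw_proto=TCP, tp_dst=22, priority=200),
    Rule("allow", nw_src="10.0.0.0/24", nw_dst="10.0.1.0/24", nw_proto=TCP, tp_dst=80, priority=100),
    Rule("allow", nw_proto=ICMP, priority=50),
]


def decide(pkt: dict, rules=RULES) -> Optional[Rule]:
    """Highest-priority matching rule, or None when no rule matches (sort is stable,
    so rules of equal priority keep their listed order)."""
    for rule in sorted(rules, key=lambda r: -r.priority):
        if rule.matches(pkt):
            return rule
    return None


def flow_mod_for(pkt: dict, rules=RULES, default="deny", idle_timeout=30) -> dict:
    """The flow entry the controller would push for this packet's flow.
    An empty action list is OpenFlow's drop; idle_timeout bounds how long a stale
    decision survives a policy change."""
    rule = decide(pkt, rules)
    action = rule.action if rule else default
    priority = rule.priority if rule else 1
    match = {k: pkt[k] for k in ("nw_src", "nw_dst", "nw_proto")}
    if pkt.get("tp_dst") is not None:
        match["tp_dst"] = pkt["tp_dst"]
    actions = [{"type": "output", "port": "NORMAL"}] if action == "allow" else []
    return {"match": match, "priority": priority, "idle_timeout": idle_timeout, "actions": actions}


# Constructed packet-in headers used to exercise the table.
PKT_SSH = {"nw_src": "10.0.0.5", "nw_dst": "10.0.1.10", "nw_proto": TCP, "tp_dst": 22}
PKT_HTTP = {"nw_src": "10.0.0.5", "nw_dst": "10.0.1.20", "nw_proto": TCP, "tp_dst": 80}
PKT_PING = {"nw_src": "10.0.0.7", "nw_dst": "10.0.1.20", "nw_proto": ICMP}
PKT_DNS = {"nw_src": "10.0.0.5", "nw_dst": "10.0.1.20", "nw_proto": UDP, "tp_dst": 53}

if __name__ == "__main__":
    for name, pkt in [("ssh", PKT_SSH), ("http", PKT_HTTP), ("ping", PKT_PING), ("dns", PKT_DNS)]:
        print(name, flow_mod_for(pkt))
```

Two points worth checking in any such implementation: the specific deny must carry a higher priority than the broader allow or the allow rule will shadow it, and the installed entries should match the full packet tuple rather than the rule's wildcards, otherwise one reactive decision is silently generalized to every flow the wildcard covers. A reactive firewall also turns every new flow into a packet-in, so it inherits the controller-flooding exposure discussed elsewhere on this page.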
IRJET- Software Defined Network: DDOS Attack Detection (IRJET Journal)
This document discusses software defined networks (SDNs) and detecting distributed denial-of-service (DDoS) attacks in SDNs. It provides background on SDN architecture and how DDoS attacks work. The paper aims to address risks of DDoS attacks in SDNs and focuses on detection. It describes existing DDoS attack techniques and solutions. The document proposes using algorithms like TCM-KNN and DPTCM-KNN for detection of attacks in network traffic flows, and compares the two algorithms using parameters like packet length and response time.
A review on software defined network security risks and challenges (TELKOMNIKA JOURNAL)
Software defined networking is an emerging network architecture that separates the traditionally integrated control logic and data forwarding functionality into different planes, namely the control plane and the data forwarding plane. The control plane computes the forwarding and routing decisions between different network segments, and the data plane executes them to deliver traffic end to end. In a software defined network the infrastructure layer, where all the networking devices such as switches and routers sit, is connected to the separate controller layer with the help of a standard called the OpenFlow protocol. OpenFlow is a standard protocol that allows devices from different vendors, such as Juniper, Cisco and Huawei switches, to be connected to the controller. The centralization of the software defined network (SDN) controller makes the network more flexible, manageable and dynamic than the traditional communication network, for example in bandwidth provisioning and dynamic scale-out and scale-in; however, the centralized SDN controller is also more exposed to security risks such as DDoS and flow rule poisoning attacks. In this paper, we explore the architecture and principles of software defined networking, the security risks associated with the centralized SDN controller, and possible ways to mitigate these risks.
Cloud computing challenges and solutions (IJCNC Journal)
Cloud computing is an emerging area of computer technology that benefits from the processing power and the computing resources of many connected, geographically distant computers linked via the Internet. Cloud computing eliminates the need to own a complete infrastructure of hardware and software to meet users' requirements and applications; it can be thought of as a complete or partial outsourcing of hardware and software resources. To access cloud applications, a good Internet connection and a standard Internet browser are required. Cloud computing has its own drawbacks from the security point of view; this paper aims to address most of these threats and their possible solutions.
A secure intrusion detection system against ddos attack in wireless mobile ad... (vishnuRajan20)
NERC CIP's most recent release, version 5, focuses primarily on BES substations and their critical Cyber Assets (CAs), by establishing an Electronic Security Perimeter (ESP) around the substation's control system. RAD's Megaplex, a major building block in RAD's Service Assured Networking (SAN) solutions for power utilities, is strategically located to manage all electronic access to the substation and to protect the cyber assets within it from external and internal attacks.
This paper reviews Megaplex's 3-tier ESP protection and outlines how it helps power utilities boost their compliance with NERC CIP-005 and CIP-007 requirements.
IRJET- A Survey on DDOS Attack in Manet (IRJET Journal)
This document summarizes a survey on distributed denial of service (DDoS) attacks in mobile ad hoc networks (MANETs). It begins by introducing MANETs and some of the key security issues they face, including DDoS attacks. It then discusses different types of DDoS attacks like flooding and amplification/reflection attacks. The document proposes a new defense scheme against amplification attacks, which exploit protocols like DNS and NTP to amplify traffic. It describes using the Network Security Simulator to model and simulate DDoS attacks with master, zombie, and server entities to evaluate defense techniques and compare the impact of protocols like DNS and NTP.
This document provides an analysis of security issues and solutions for routing protocols in wireless sensor networks and wireless mesh networks. It discusses various threats and attacks at different layers of the OSI model, including jamming, man-in-the-middle attacks, and denial-of-service attacks at the physical layer. At higher layers, threats include selective forwarding, sinkhole attacks, and wormhole attacks. The document then outlines some solutions, such as intrusion prevention, intrusion detection systems, and key management techniques. It concludes by discussing prospects for improved security through techniques like elliptic curve cryptography and quantum cryptography.
This document proposes enhancing security in OpenFlow networks. It discusses:
1) OpenFlow currently has security flaws like lack of authentication, encryption, and intrusion detection that can compromise the network.
2) The proposal is to use a network intrusion detection system as a middlebox to monitor traffic at the OpenFlow controller and detect suspicious activity.
3) Additional mechanisms like authentication, encryption, and forensics are needed to fully secure OpenFlow networks against vulnerabilities introduced by the separation of the data and control planes.
Enhancing the impregnability of Linux servers (IJNSA Journal)
The worldwide IT industry is experiencing a rapid shift towards Service Oriented Architecture (SOA). In response to this trend, IT firms are adopting business models such as cloud based services, which depend on reliable and highly available server platforms. Linux servers are well ahead of other server platforms in terms of security, which brings network security to the forefront of an organization's concerns. The most common form of attack on availability is the Denial of Service (DoS) attack. This paper focuses on mechanisms to detect DoS attacks and immunize Linux servers against them, fortifying the server's defence mechanisms and thereby increasing the reliability and availability of the services offered by Linux server platforms.
A Defense-in-depth Cybersecurity for Smart Substations (IJECEIAES)
The increase in cyber-attacks on industrial and power systems in recent years makes the cybersecurity of supervisory control and data acquisition (SCADA) and substation automation systems a highly important engineering issue. This paper proposes a defense-in-depth cybersecurity solution for smart substations across the different layers of the substation automation system. It presents possible vulnerabilities in the substation automation system and proposes a multi-layer solution based on cybersecurity best practice, such as device hardening, whitelisting, network configuration, network segmentation, role-based account management, and cybersecurity management and deployment.
Preventing Distributed Denial of Service Attacks in Cloud Environments (IJITCA Journal)
Distributed Denial of Service (DDoS) is a key threat to network security. A network is a group of nodes that exchange information with each other, and that information must be kept confidential; an attacker in the system may capture and distort it, so security is a major issue. Among the many attacks on networks, one of the major threats to Internet services is the DDoS attack: a malicious effort to suspend services to a destination node by making a network resource or machine unavailable to its intended users. Numerous ideas have been developed to avoid DoS and DDoS. DDoS can arise in two different ways, accidentally or through attackers, and various defence schemes have been developed against it. The main focus of this paper is to present the basis of DDoS attacks, DDoS attack types, DDoS attack components, and intrusion prevention systems for DDoS.
A NEW GENERATION OF DRIVER ASSISTANCE AND SECURITY (IJCI JOURNAL)
Vehicular ad hoc networks (VANETs) are used tremendously and very effectively for safety related applications, especially driver assistance; when it comes to safety, whether from an accident or from theft of data, VANET is the future answer to all such problems. "A New Generation of Driver Assistance and Security" gives an idea of VANET and also provides solutions to the various problems that arise in it. Authentication is provided by a group signature and an identity-based (ID-based) signature scheme. The scheme provides cost effective, highly privacy-preserving, efficient message authentication and verification compared with existing systems for VANETs. It requires a Central Authority (CA) and a Local Authority (LA), where the LA is the group leader and coordinates with the CA. This safety technique is efficient, robust and scalable for VANET authentication and provides a real-life solution that matches the standard.
Data Transfer Security solution for Wireless Sensor Network (Editor IJCATR)
WSN is a fast-growing area for specific resource-limited applications. Factors associated with the technology include encryption security, operating speed and the network's power consumption. Here we introduce a mechanism for secure transfer of data in WSNs and discuss various security related issues. This energy-efficient encryption is a secure communication framework in which an algorithm such as RC5, AES or CAST is used to encode the sensed data. The proposed scheme is most suitable for wireless sensor networks that incorporate data-centric routing protocols. An algorithm in a sensor network helps designers predict security performance under a set of constraints for WSNs. This symmetric key function is used to guarantee secure communication between in-network nodes at a reliable operating cost. RC5 is good from the code point of view, but its key schedule consumes more resources and time for the same level of security.
In this issue we have Network Security in Tool Gyan, which sheds light on how to set up a secured network; Who Wants to Be a Millionaire in Tool Gyan, check it out yourself to see what exactly it's all about ;); and TOR in Mom's Guide, for all those who thought 'It sounds very complicated to use, I'm not a hacker! I can't use it!', by our author Federico from Italy.
Next Generation Network: Security and Architecture (ijsrd.com)
Wireless sensor networks will be widely deployed in the near future. While much research has focused on making these networks feasible and useful, security has received little attention. Wireless Sensor Networks (WSNs) are a most challenging and emerging technology for research, owing to their vital scope coupled with their low processing power and low energy budget. As wireless sensor networks continue to grow, so does the need for effective security mechanisms. Because sensor networks may interact with sensitive data and/or operate in hostile unattended environments, it is imperative that these security concerns be addressed from the beginning of the system design. Starting with a brief overview of sensor network security, the paper reviews how to provide security in wireless sensor networks. It studies the security problems, requirements and architecture of WSNs and the different platforms, characterized by severely constrained computational and energy resources and an ad hoc operational environment.
IRJET- Detection of Distributed Denial-of-Service (DDos) Attack on Software D... (IRJET Journal)
This document discusses detecting distributed denial-of-service (DDoS) attacks on software defined networks (SDNs). It first provides background on SDNs and DDoS attacks. It then reviews related research on DDoS detection methods for SDNs. The document evaluates these methods based on results using the KDD99 dataset in a simulated SDN environment. It finds that the Double P-value of Transductive Confidence Machines for K-Nearest Neighbors (DPTCM-KNN) method achieved the highest true positive rate and lowest false positive rate, making it the most efficient approach for detecting anomalous flows in SDNs.
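Both DDoS-detection summaries on this page (the TCM-KNN/DPTCM-KNN comparison above and this KDD99 evaluation) rest on Transductive Confidence Machines: a new flow record gets a p-value that says how strange it is relative to a bag of known-normal examples, using a k-nearest-neighbour non-conformity score, and flows whose p-value falls below a confidence threshold are flagged. The block below is an added example, not either paper's implementation: a compact one-class TCM-KNN scorer with a leave-one-out calibration of the normal bag and a small TPR/FPR evaluation in the spirit of the comparison the paper reports. The two-feature flow vectors, the k, the threshold tau and the labelled test set are constructed for this example; the DPTCM-KNN double p-value variant and the KDD99 feature set are not reproduced.

```python
"""One-class TCM-KNN anomaly scoring for flow records (added example; not the papers' code)."""
import math

# Constructed bag of known-normal flow records: (packets per second, bytes per second).
NORMAL_FLOWS = [(10, 100), (12, 110), (9, 95), (11, 105), (13, 115), (10, 98), (8, 90), (12, 108)]


def _knn_sum(x, points, k):
    """Non-conformity score of x: sum of Euclidean distances to its k nearest points."""
    return sum(sorted(math.dist(x, y) for y in points)[:k])


def training_alphas(bag, k):
    """Leave-one-out non-conformity score for every member of the normal bag."""
    return [_knn_sum(bag[i], bag[:i] + bag[i + 1:], k) for i in range(len(bag))]


def p_value(x, bag=NORMAL_FLOWS, k=3):
    """Fraction of bag members (plus x itself) at least as non-conforming as x.
    The smallest value attainable is 1/(len(bag)+1), so tau must exceed that."""
    alpha_x = _knn_sum(x, bag, k)
    alphas = training_alphas(bag, k)
    return (sum(1 for a in alphas if a >= alpha_x) + 1) / (len(bag) + 1)


def classify(x, bag=NORMAL_FLOWS, k=3, tau=0.15):
    """Return ('anomaly' | 'normal', p). tau is the confidence threshold (assumed value)."""
    p = p_value(x, bag, k)
    return ("anomaly" if p < tau else "normal"), p


def evaluate(labeled_flows, bag=NORMAL_FLOWS, k=3, tau=0.15):
    """True-positive rate and false-positive rate over (features, is_attack) pairs,
    the two figures the surveyed comparison is judged on."""
    tp = fp = attacks = normals = 0
    for x, is_attack in labeled_flows:
        flagged = classify(x, bag, k, tau)[0] == "anomaly"
        if is_attack:
            attacks += 1
            tp += int(flagged)
        else:
            normals += 1
            fp += int(flagged)
    return (tp / attacks if attacks else 0.0), (fp / normals if normals else 0.0)


# Constructed labelled flows: three benign, three flood-like.
TEST_FLOWS = [((11, 102), False), ((10, 101), False), ((9, 97), False),
              ((900, 9000), True), ((1200, 3000), True), ((50, 5000), True)]

if __name__ == "__main__":
    for x, is_attack in TEST_FLOWS:
        label, p = classify(x)
        print(f"{x}: p={p:.3f} -> {label} (attack={is_attack})")
    print("TPR, FPR =", evaluate(TEST_FLOWS))
```

With this bag the benign test flows sit inside the normal cluster and receive p=1.0, while the flood-like flows receive the floor value 1/9, so the evaluation returns TPR 1.0 and FPR 0.0. Three things change the picture on real data and should be checked before trusting the reported rates: the raw bytes-per-second feature dominates the Euclidean distance here (normalise features on KDD99-style vectors), the achievable p-values are quantised by bag size, which bounds the lowest FPR the threshold can reach, and a polluted "normal" bag that already contains attack flows silently raises the scores attack traffic needs to be flagged.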
This document outlines seven strategies that can be implemented to defend industrial control systems (ICSs) against cyber intrusions: 1) application whitelisting, 2) proper configuration/patch management, 3) reducing attack surface area, 4) building a defendable environment through network segmentation, 5) managing authentication securely, 6) implementing secure remote access, and 7) monitoring networks and having an incident response plan. The document estimates that implementing these strategies could have prevented 98% of incidents responded to by ICS-CERT in 2014-2015. It concludes that a layered defense approach is needed to protect internal systems and components.
The munoz migration - geography family tree (1pmunoz01)
Casiano Muñoz De Luna migrated from Asturias, Spain to Aguascalientes, Mexico in the mid-1800s. He settled in Aguascalientes and entered the cattle business, becoming one of the main cattle producers. The Muñoz family has resided in Aguascalientes for four generations, continuing to work in cattle raising although it is no longer their primary economic activity. Some family members have also migrated to other parts of the world.
This document provides 21 practices for improving personal and professional relationships. It encourages the reader to focus on one practice per day to strengthen integrity, build trust, listen empathetically, question assumptions, and focus on what is truly important. The practices are meant to help readers lead more meaningful lives through developing their character and relationships.
This document discusses four methods for Hyper-V disaster recovery:
1. Export/Import - Basic backup/restore but VMs must be shut down during export and individual file restoration is not possible.
2. Snapshots - Allow restoring to prior configurations but have performance and data integrity risks. Snapshots cannot be easily moved.
3. Replication - Provides workload resilience by replicating VMs between sites, but requires administrator monitoring and at least two Hyper-V hosts.
4. Commercial software - Easy to use with fast, flexible backup/restore, but is more expensive than other options.
IRJET- SDN Simulation in Mininet to Provide Security Via FirewallIRJET Journal
This document discusses implementing a firewall application in a Software Defined Networking (SDN) environment using Mininet and the POX controller. The authors create an SDN network topology in Mininet with hosts and switches. They develop an OpenFlow-based firewall that checks incoming packets against rules defined in the POX controller. This allows filtering of traffic and blocking of unauthorized access in a centralized, software-based way without dedicated hardware. The firewall implementation and experiment results using this SDN testbed are presented.
IRJET- Software Defined Network: DDOS Attack DetectionIRJET Journal
This document discusses software defined networks (SDNs) and detecting distributed denial-of-service (DDoS) attacks in SDNs. It provides background on SDN architecture and how DDoS attacks work. The paper aims to address risks of DDoS attacks in SDNs and focuses on detection. It describes existing DDoS attack techniques and solutions. The document proposes using algorithms like TCM-KNN and DPTCM-KNN for detection of attacks in network traffic flows, and compares the two algorithms using parameters like packet length and response time.
A review on software defined network security risks and challenges (TELKOMNIKA JOURNAL)
Software defined network is an emerging network architecture that separates the traditionally integrated control logic and data forwarding functionality into different planes, namely the control plane and the data forwarding plane. The data plane does the end-to-end data delivery, and the control plane does the actual network traffic forwarding and routing between different network segments. In a software defined network the networking infrastructure layer is where all the networking devices, such as switches and routers, are connected with the separate controller layer with the help of a standard called the OpenFlow protocol. OpenFlow is a standard protocol that allows devices from different vendors, like Juniper, Cisco and Huawei switches, to be connected to the controller. The centralization of the software defined network (SDN) controller makes the network more flexible, manageable and dynamic (for example, provisioning of bandwidth, dynamic scale out and scale in) compared to the traditional communication network; however, the centralized SDN controller is more vulnerable to security risks such as DDoS and flow rule poisoning attacks. In this paper, we will explore the architectures and principles of software defined network, the security risks associated with the centralized SDN controller, and possible ways to mitigate these risks.
Cloud computing challenges and solutions (IJCNCJournal)
Cloud computing is an emerging area of computer technology that benefits from the processing power and the computing resources of many connected, geographically distant computers connected via the Internet. Cloud computing eliminates the need for a complete infrastructure of hardware and software to meet users' requirements and applications. It can be thought of as a complete or partial outsourcing of hardware and software resources. To access cloud applications, a good Internet connection and a standard Internet browser are required. Cloud computing has its own drawbacks from the security point of view; this paper aims to address most of these threats and their possible solutions.
A secure intrusion detection system against ddos attack in wireless mobile ad... (vishnuRajan20)
At Softroniics we provide job oriented training for freshers in the IT sector. We are providing IEEE project guidance and final year project guidance. We are pioneers in all leading technologies like Android, Java, .NET, PHP, Python, Embedded Systems, Matlab, NS2, VLSI, Modelsim, Tanner, Xilinx etc. We are specializing in technologies like Big Data, Cloud Computing, Internet of Things (IoT), Data Mining, Networking, Information Security, Image Processing and many others. We are providing long term and short term internships also. We are also providing IEEE project support at Calicut, Thrissur and Palakkad. For more details contact 9037291113, 7907435072
NERC-CIP’s most recent release, version 5, focuses primarily on BES substations and their critical Cyber Assets (CA), by establishing an Electronic Security Perimeter (ESP) around the substation’s control system. RAD’s Megaplex, a major building block in RAD’s Service Assured Networking (SAN) solutions for power utilities, is strategically located to manage all electronic access to the substation and the cyber assets within it from external and internal attacks.
This paper reviews Megaplex's 3-tier ESP protection and outlines how it helps power utilities boost their compliance with NERC CIP 005 and 007 requirements.
IRJET- A Survey on DDOS Attack in Manet (IRJET Journal)
This document summarizes a survey on distributed denial of service (DDoS) attacks in mobile ad hoc networks (MANETs). It begins by introducing MANETs and some of the key security issues they face, including DDoS attacks. It then discusses different types of DDoS attacks like flooding and amplification/reflection attacks. The document proposes a new defense scheme against amplification attacks, which exploit protocols like DNS and NTP to amplify traffic. It describes using the Network Security Simulator to model and simulate DDoS attacks with master, zombie, and server entities to evaluate defense techniques and compare the impact of protocols like DNS and NTP.
IJERA (International journal of Engineering Research and Applications) is International online, ... peer reviewed journal. For more detail or submit your article, please visit www.ijera.com
This document provides an analysis of security issues and solutions for routing protocols in wireless sensor networks and wireless mesh networks. It discusses various threats and attacks at different layers of the OSI model, including jamming, man-in-the-middle attacks, and denial-of-service attacks at the physical layer. At higher layers, threats include selective forwarding, sinkhole attacks, and wormhole attacks. The document then outlines some solutions, such as intrusion prevention, intrusion detection systems, and key management techniques. It concludes by discussing prospects for improved security through techniques like elliptic curve cryptography and quantum cryptography.
This document proposes enhancing security in OpenFlow networks. It discusses:
1) OpenFlow currently has security flaws like lack of authentication, encryption, and intrusion detection that can compromise the network.
2) The proposal is to use a network intrusion detection system as a middlebox to monitor traffic at the OpenFlow controller and detect suspicious activity.
3) Additional mechanisms like authentication, encryption, and forensics are needed to fully secure OpenFlow networks against vulnerabilities introduced by the separation of the data and control planes.
Enhancing the impregnability of linux servers (IJNSA Journal)
The worldwide IT industry is experiencing a rapid shift towards Service Oriented Architecture (SOA). In response to the current trend, IT firms are adopting business models such as cloud based services which rely on reliable and highly available server platforms. Linux servers are known to be highly secure. Network security thus becomes a major concern to all IT organizations offering cloud based services. The fundamental form of attack on network security is Denial of Service. This paper focuses on fortifying the Linux server defence mechanisms, resulting in an increase in the reliability and availability of services offered by Linux server platforms. To meet this emerging scenario, most organizations are adopting business models such as cloud computing that are dependent on reliable server platforms. Linux servers are well ahead of other server platforms in terms of security. This brings network security to the forefront of an organization's major concerns. The most common form of attack is a Denial of Service attack. This paper focuses on mechanisms to detect and immunize Linux servers from DoS.
A Defense-in-depth Cybersecurity for Smart Substations (IJECEIAES)
The increase of cyber-attacks on industrial and power systems in recent years makes the cybersecurity of supervisory control and data acquisition and substation automation systems a highly important engineering issue. This paper proposes a defense in depth cybersecurity solution for smart substations in different layers of the substation automation system. It presents possible vulnerabilities in the substation automation system and proposes a multiple layer solution based on best practice in cyber security such as the hardening of devices, whitelisting, network configuration, network segmentation, role-based account management and cyber security management and deployment.
Preventing Distributed Denial of Service Attacks in Cloud Environments (IJITCA Journal)
Distributed Denial of Service (DDoS) is a key threat to network security. A network is a group of nodes that interact with each other to exchange information. The information needed by a node must be kept confidential; an attacker in the system may capture this private information and distort it, so security is the major issue. There are several security attacks on networks. One of the major threats to Internet services is the DDoS attack: a malicious effort to suspend services to a destination node. A DDoS or DoS attack is an effort to make a network resource or machine unavailable to its intended users. Numerous ideas have been developed to avoid DDoS or DoS. DDoS can occur in two different ways: it may happen naturally or it may be due to attackers. Various schemes have been developed to defend against this attack. The main focus of this paper is to present the basis of DDoS attacks, DDoS attack types, DDoS attack components, and an intrusion prevention system for DDoS.
A NEW GENERATION OF DRIVER ASSISTANCE AND SECURITY (IJCI JOURNAL)
Vehicular ad hoc networks are tremendously and very effectively used for safety related applications, especially for driver assistance; when it comes to safety, whether from an accident or from theft of data, VANET is the future answer to all such problems. "A New Generation of Driver Assistance and Security" gives an idea about VANET and also provides solutions to various problems that arise in it. Authentication will be provided by a Group Signature and an Identity based (ID-based) Signature scheme. The scheme provides cost effective, highly privacy preserving, efficient message authentication and verification for users compared with existing systems for VANETs. This requires a CA (Central Authority) and an LA (Local Authority), where the LA is the group leader and has to coordinate with the CA. This safety technique is efficient, robust, and scalable for VANET authentication and provides a real-life solution that matches the standard.
Data Transfer Security solution for Wireless Sensor Network (Editor IJCATR)
WSN is a wide growth area for specific resource limited applications. Factors associated with the technology include encryption security, operating speed and power consumption for the network. Here, we introduce a mechanism for secure transfer of data in WSN and discuss various security related issues. This energy-efficient encryption is a secure communication framework in which an algorithm such as RC5, AES or CAST is used to encode the sensed data. The proposed scheme is most suitable for wireless sensor networks that incorporate data centric routing protocols. An algorithm in a sensor network helps designers predict security performance under a set of constraints for WSNs. This symmetric key function is used to guarantee secure communications between in-network nodes and reliable operation cost. RC5 is good from the code point of view, but its key schedule consumes more resource time for efficient security aspects.
Coming to this issue, we have Network Security in Tool Gyan, which will shed light on how to set up a secured network. Who wants to be a Millionaire in Tool Gyan? Check it out yourself to see what exactly it's all about ;) TOR in Mom's Guide, for all those who thought "It sounds very complicated to use, I'm not a hacker! I can't use it!", by our author Federico from Italy.
Next Generation Network: Security and Architecture (ijsrd.com)
Wireless sensor networks will be widely deployed in the near future. While much research has focused on making these networks feasible and useful, security has received little attention. Wireless Sensor Networks (WSN) are a most challenging and emerging technology for research due to their vital scope in the field coupled with their low processing power and associated low energy. As wireless sensor networks continue to grow, so does the need for effective security mechanisms. Because sensor networks may interact with sensitive data and/or operate in hostile unattended environments, it is imperative that these security concerns be addressed from the beginning of the system design. Starting with a brief overview of sensor network security, a review is made of how to provide security in wireless sensor networks. This paper studies the security problems, requirements, architecture of WSN and different platforms, characterized by severely constrained computational and energy resources, and an ad hoc operational environment.
IRJET- Detection of Distributed Denial-of-Service (DDos) Attack on Software D... (IRJET Journal)
This document discusses detecting distributed denial-of-service (DDoS) attacks on software defined networks (SDNs). It first provides background on SDNs and DDoS attacks. It then reviews related research on DDoS detection methods for SDNs. The document evaluates these methods based on results using the KDD99 dataset in a simulated SDN environment. It finds that the Double P-value of Transductive Confidence Machines for K-Nearest Neighbors (DPTCM-KNN) method achieved the highest true positive rate and lowest false positive rate, making it the most efficient approach for detecting anomalous flows in SDNs.
This document outlines seven strategies that can be implemented to defend industrial control systems (ICSs) against cyber intrusions: 1) application whitelisting, 2) proper configuration/patch management, 3) reducing attack surface area, 4) building a defendable environment through network segmentation, 5) managing authentication securely, 6) implementing secure remote access, and 7) monitoring networks and having an incident response plan. The document estimates that implementing these strategies could have prevented 98% of incidents responded to by ICS-CERT in 2014-2015. It concludes that a layered defense approach is needed to protect internal systems and components.
The munoz migration - geography family tree (1pmunoz01)
Casiano Muñoz De Luna migrated from Asturias, Spain to Aguascalientes, Mexico in the mid-1800s. He settled in Aguascalientes and entered the cattle business, becoming one of the main cattle producers. The Muñoz family has resided in Aguascalientes for four generations, continuing to work in cattle raising although it is no longer their primary economic activity. Some family members have also migrated to other parts of the world.
This document provides 21 practices for improving personal and professional relationships. It encourages the reader to focus on one practice per day to strengthen integrity, build trust, listen empathetically, question assumptions, and focus on what is truly important. The practices are meant to help readers lead more meaningful lives through developing their character and relationships.
The Indian Government passed the Coal Mines Bill 2015 in March 2015. The coal mines, which were the meat and bones of corruption in the Indian economy, were auctioned in March 2015 under the provisions of the Bill. The Indian Supreme Court had asked the Indian Government to bring out norms and auction the mines.
The following report from IBM explores the latest Security trends—from malware delivery to mobile device risks—based on 2013 year-end data and ongoing research.
The establishment of the Single Supervisory Mechanism is the first step towards a European Banking Union. The ECB will take responsibility for bank supervision in November 2014. Before then, the ECB will conduct an assessment of around 130 large banks through an Asset Quality Review and stress test. It is important that the ECB's assessment is seen as credible by capital markets in order to boost confidence in banks. However, there is a risk that a very tough assessment could undermine some governments' ability to recapitalize national banks. The ECB aims to enhance transparency, strengthen bank balance sheets, and rebuild trust. But a remaining issue is establishing a credible public backstop for banks through a Single Resolution Mechanism.
Construction has begun on George Brown College's new Health Sciences campus on Queen's Quay East in Toronto. Workers are installing nearly 400 underground concrete pillars around the perimeter to create a waterproof wall and allow excavation of the site. The new building will house 3,500 health sciences students and is scheduled to be completed in six months.
The Creditsafe Commercial Credit Management Suite (CreditsafeUK)
Creditsafe is a commercial credit reporting agency that provides risk management services to over 200,000 professionals. They have built the world's largest database of company credit reports across over 50 countries. Their services help companies reduce credit risk and defaulted payments. They provide UK and international company credit reports that include a credit score, financial data, payment history, directors, and other information. They also offer monitoring, batch credit checking, director reports, debtor tracing, identity verification, and other risk management and compliance tools.
This document discusses securing next generation mobile networks. It outlines how exploding mobile data usage is straining network capacity and driving operators to adopt new technologies like LTE. LTE will increase speeds but use all-IP networks that introduce new security challenges. The document also examines using wireless offload over public internet to relieve congestion and notes this exposes networks to threats on untrusted internet connections. It proposes using a security gateway to help secure these new network architectures from cyber threats.
The Neurosurgery Research and Education Foundation (NREF) had a productive year in 2015. The NREF supported numerous educational courses for neurosurgery residents and fellows, funded research grants for young investigators, and provided clinical fellowships with support from industry partners. Donations to the NREF increased in 2015, allowing the foundation to continue and expand its efforts in neurosurgery education and research.
The document discusses optimizing value added services (VAS) for greater revenue generation. It covers 5 technology trends that are optimizing VAS delivery, including the growth of LTE, small cells, offloading data to WiFi and the internet, and machine-to-machine communications with policy enforcement. It also discusses how an IMS architecture can generate VAS revenue through services like VoLTE, video calling, and conferencing using a media resource function (MRF). The presentation concludes by emphasizing how the MPX-12000 MRF platform supports VoLTE, video, and other VAS through high definition voice and video processing capabilities.
This letter offers shareholders of RR Greenhands Infrastructure India Limited the opportunity to tender their equity shares at a price of Rs. 10 per share, representing a 20% acquisition of the company's voting share capital. M/s SAAG (Mauritius) Ltd, Mr. R Sriram, and persons acting in concert, including M/s. SAAG Consolidated (M) Bhd, Mr. R.Raju, Mr. R.Ananthakrishnan, and Ms. Bharathi Anand, are offering to acquire up to 21,00,000 equity shares. The deadline for shareholders to withdraw their acceptance is August 18, 2004. The offer closes on August 24, 2004
Visa offers a range of credit, debit, and prepaid card options that allow travelers to avoid the hassle and risk of carrying large amounts of cash while traveling abroad. Visa cards can be used to withdraw cash from ATMs and make purchases anywhere that accepts Visa cards. They offer benefits like global acceptance at over 30 million merchants and 1 million ATMs worldwide, reimbursement if the card is lost or stolen, and 24/7 assistance. More travelers choose Visa because of its widespread acceptance and security features.
WB Engineering provides Rapid Prototyping and Product Design Services in Miami, Florida. Our Product Design division is concerned with effective idea generation and development
Gaurav Kumar is currently employed as a Directional Driller-I with Jindal Drilling and Industries Ltd. He has over 2.5 years of experience in directional drilling on land rigs across India as well as 3 years of experience as a MWD engineer. He holds a B.Tech in Mechanical Engineering and is skilled in drilling directional well profiles, solving downhole problems, and avoiding wellbore collisions.
In the new healthcare industry, providers and patients will thrive by deploying intelligent technology to deliver care sooner and more effectively. New solutions include Kofax Smart Process Applications and Smart Mobile Apps, which enable healthcare organizations to automatically and accurately capture, validate, extract and classify information from anywhere inside or outside the organization.
EdgeBuilder is a fully integrated project management system that automates common project processes to streamline project execution and administration. It incorporates features such as document control, communication management, cost control, procurement management, and collaboration tools to help project teams focus on high-value work while maintaining consistent project records and controls.
This document provides an overview of how oil and gas companies use Kofax solutions to improve productivity, collaboration and profitability. It discusses challenges such as large amounts of operational data still being captured on paper. It then summarizes Kofax solutions that allow companies to automate information-intensive business processes, improve the speed and quality of decision making, and increase efficiency. Specific solutions covered include enterprise capture, land management, information integration, collaboration tools, business intelligence and analytics, mobile capabilities, crude run and water ticket processing, and compliance. It also provides an example of Kofax helping Chesapeake Energy improve enterprise capture.
Software Defined Networking Attacks and Countermeasures .docx (rosemariebrayshaw)
Software Defined Networking: Attacks and Countermeasures
Nada Mostafa Abd Elazim
Computer Engineering Department.
Arab Academy for Science and
Technology, College of Engineering
Cairo, Egypt
[email protected]
Mohamed A. Sobh
Ain Shams University
Cairo, Egypt
[email protected]
Ayman M. Bahaa-Eldin
Misr International University
On leave from Ain Shams University
[email protected]
Abstract — Software defined networking (SDN) is an emerging network architecture; it differs from traditional networks in that it separates the control plane from the data plane. This separation helps the network to be more flexible and easier to manage, and allows faster innovation cycles at both planes. SDN has benefits over traditional networks in terms of simplicity, programmability and elasticity. The OpenFlow protocol is a southbound API interface; it is the most popular and common protocol used for communication between the controller and the switches. This paper will focus on the architecture of SDN and present some challenges facing SDN; finally, it will discuss some security threats that face SDN and their countermeasures.
Index Terms—SDN, Openflow, API interface
I. INTRODUCTION
Traditional networks are very complex and difficult to manage. They combine the control plane with the data plane, which makes network management difficult.
On the other hand, software defined networking (SDN) is a new networking approach to building computer networks that separates and abstracts elements of these systems to help build flexible and scalable networks.
Advantages of software defined networking (SDN) over traditional networks [1]:
• It provides a virtual environment, as it uses resources without caring about where they are located or how they are arranged.
• A large number of devices can be monitored with one command.
• It is easy to change behaviour, size, and quantity.
• It minimizes downtime, enforces policy, discovers and resolves faults, and adds new devices, resources, sites, and workloads.
• Monitoring of resources.
• Improved utilization of network devices.
• A global view of the network, due to the centralization of the controller.
OpenFlow [2] is a protocol found in the southbound API interface, which sits between the control and data forwarding layers. It is the way to virtualize the network. OpenFlow is designed to be easily programmed, which helps the network manager create new protocols for solving problems.
SDN has many applications in data centres, WANs, IoT, cellular networks, and Wi-Fi networks.
Security threats are on the rise, and SDN faces many security threats in each of its layers. For example, in the data forwarding layer there are man-in-the-middle attacks, DoS attacks, spoofing attacks, intrusion attacks, scanning attacks, tampering attacks, hijacking attacks, side channel attacks, and anomaly attacks. In the control layer there are DoS/DDoS attacks, intrusion attacks, anomaly attacks, threats based on distributed multi-controllers, threats from a.
1) The document discusses security challenges in software defined networks (SDNs) including threats to the application plane, control plane, and data plane due to the separation of the control and data planes in SDNs.
2) It describes various security approaches and platforms that can secure each plane and provide network-wide security in SDNs.
3) The paper analyzes SDN security according to several dimensions and highlights both present and future security challenges in SDNs to guide further research on secure SDN architectures.
Security of software defined networking (sdn) and cognitive radio network (crn) (Ameer Sameer)
Security of Software Defined Networking (SDN)
Overview
Definition Software Defined Networking (SDN)
SDN security & Security Challenges
SDN Attack Surface & Attacks Examples
SDN Threat Model
Open Research issues SDN
Future Research Directions
Simulator for Software Defined Networking
Security of Cognitive Radio Network (CRN)
Overview
Definition Cognitive Network
Security of Cognitive Radios & Threats
Security issues in cognitive radio
Attacks and the proposed defense mechanisms
Open Research issues in Cognitive Radio
Evaluation Methodologies for Cognitive Networking
Future Research Directions
Simulator for Cognitive Radio
In software-defined networking (SDN), network traffic is managed by software controllers or application programming interfaces (APIs) rather than hardware components. It differs from traditional networks, which use switches and routers to control traffic. Using SDN, you can create and control virtual networks or traditional hardware networks. Furthermore, OpenFlow allows network administrators to control exact network behavior through centralized control of packet forwarding. For these reasons, SDN has advantages over traditional networks with respect to certain security issues.
However, most of the existing vulnerabilities and security threats in the traditional network also impact the SDN network. This document presents the attacks targeting the SDN network and the solutions that protect against these attacks. In addition, we introduce a variety of SDN security controls, such as intrusion detection systems (IDS)/intrusion prevention systems (IPS), and firewalls. Towards the end, we outline a conclusion and perspectives.
This document discusses SDN security. It outlines how SDN allows for centralized control of network flows and security policies. However, the centralized nature of SDN also introduces new threats, such as attacks on controllers or switches. Potential threats are discussed, such as DoS attacks, traffic manipulation, or vulnerabilities in controllers/applications. Mitigation techniques are proposed, such as monitoring for abnormal behavior, access control, and replication of controllers. Future work may focus on improving the security and dependability of SDN through techniques like dynamic switch association and diversity.
TACTiCS_WP Security_Addressing Security in SDN Environment (Saikat Chaudhuri)
This document discusses addressing security concerns in SDN environments. It proposes an approach using an application on the SDN controller to monitor alerts from an IDS, analyze network traffic samples, and automate blocking of malicious flows. The application would function similarly to a security operations center (SOC) by correlating security events and taking action. The implementation is demonstrated using the OpenDaylight controller and Mininet virtual network, with SNORT for intrusion detection and sFlow for traffic sampling.
Security and risk analysis in the cloud with software defined networking arch... (IJECEIAES)
Cloud computing has emerged as the actual trend in business information technology service models, since it provides processing that is both cost-effective and scalable. Enterprise networks are adopting software-defined networking (SDN) for network management flexibility and lower operating costs. Information technology (IT) services for enterprises tend to use both technologies. Yet, the effects of cloud computing and software defined networking on business network security are unclear. This study addresses this crucial issue. In a business network that uses both technologies, we start by looking at security, namely distributed denial-of-service (DDoS) attack defensive methods. SDN technology may help organizations protect against DDoS assaults provided the defensive architecture is structured appropriately. To mitigate DDoS attacks, we offer a highly configurable network monitoring and flexible control framework. We present a dataset shift-resistant graphic model-based attack detection system for the new architecture. The simulation findings demonstrate that our architecture can efficiently meet the security concerns of the new network paradigm and that our attack detection system can report numerous threats using real-world network data.
RESOLVING NETWORK DEFENSE CONFLICTS WITH ZERO TRUST ARCHITECTURES AND OTHER E... (IJNSA Journal)
Network defense implies a comprehensive set of software tools to preclude malicious entities from conducting activities such as exfiltration of data, theft of credentials, blocking of services and other nefarious activities. For most enterprises at this time, that defense builds upon a clear concept of the fortress approach. Many of the requirements are based on inspection and reporting prior to delivery of the communication to the intended target. These inspections require decryption of packets, and this implies that the defensive suite either impersonates the requestor or has access to the private cryptographic keys of the servers that are the target of communication. This is in contrast to an end-to-end paradigm where known good entities can communicate directly and no other entity has access to the content unless that content is provided to them. There are many new processes that require end-to-end encrypted communication, including distributed computing, endpoint architectures, zero trust architectures and enterprise level security. In an end-to-end paradigm, the keys used for authentication, confidentiality, and integrity reside only with the endpoints. This paper examines a formulation that allows unbroken communication while meeting the inspection and reporting requirements of a network defense. This work is part of a broader security architecture termed the Enterprise Level Security (ELS) framework.
Controller Placement Problem resiliency evaluation in SDN-based architecturesIJCNCJournal
The Software-Defined Networking (SDN) paradigm does represent an effective approach aimed at enhancing the performance of core networks by introducing a clean separation between the routing plane and the forwarding plane. However, the centralized architecture of SDN networks raises resiliency concerns that are addressed by a class of algorithms falling under the Controller Placement Problem (CPP) umbrella term. Such algorithms seek the optimal placement of the SDN controller. In this paper, we evaluate the main CPP algorithms and provide an experimental analysis of their performance, as well as of their capability to dynamically adapt to network malfunctions and disconnections.
SDN: A New Approach to Networking TechnologyIRJET Journal
This document summarizes SDN (Software Defined Networking) and its relationship to network virtualization and NFV (Network Function Virtualization). It discusses how SDN separates the control plane from the data plane to make networks programmable. It also describes how network virtualization allows multiple virtual networks to run simultaneously on top of a physical network. NFV aims to virtualize network functions like firewalls and load balancers that were traditionally hardware-based. The document argues that SDN, network virtualization, and NFV work together to provide flexible, easily reconfigurable networks and reduce costs. When combined, they allow networks to be centrally programmed and abstracted from physical hardware.
Web-Based User Interface for the Floodlight SDN ControllerEswar Publications
Software Defined Networking (SDN) was born as a solution for next-generation network design. Due to its flexible architecture, SDN promises to make network devices simpler while giving better centralized control ability over network and improving parameters such as flexibility, resilience, reliability, and security. In this paper, we briefly introduce the SDN architecture and the Floodlight Controller that is one of the popular SDN controllers. We build a web-based user interface for the Floodlight Controller by using REST API. This application is the first program in the Floodlight SDN Controller literature to view the controller upon several properties such as device connections and flow tables.
A LIGHT WEIGHT SOLUTION FOR DETECTING DE-AUTHENTICATION ATTACK IJNSA Journal
Nowadays Wireless local area networks (WLANs) are growing very rapidly. Due to the popularity of 802.11 networks, the possibilities of various attacks on the wireless network have also increased. In this paper, a special type of attack, the De-Authentication/disassociation attack, has been investigated. In a normal scenario, a wireless client or user sends a de-authentication frame when it wants to terminate the connection. These frames are in plain text and are not encrypted. They are not authenticated by the access point. Attackers take advantage of this, spoof these frames and disable the communication between the connected client and the access point. In this paper, an algorithm based on radio-tap header information is suggested to identify whether there is a De-Authentication attack on the client or not.
Efficient Data Aggregation in Wireless Sensor NetworksIJAEMSJORNAL
Sensor network is a term used to refer to a heterogeneous system combining tiny sensors and actuators with general/special-purpose processors. Sensor networks are assumed to grow in size to include hundreds or thousands of low-power, low-cost, static or mobile nodes. This system is created by observing that, for any densely deployed sensor network, high redundancy exists in the information gathered from sensor nodes that are close to each other. We have exploited this redundancy and designed schemes to secure different kinds of aggregation processing against both inside and outside attacks.
Denial of Service Attacks in Software Defined Networking - A SurveyIRJET Journal
This document summarizes a survey on denial of service attacks in software defined networking. It begins with an introduction to software defined networking and how it separates the control plane from the data plane. It then discusses how saturation attacks like denial of service (DoS) and distributed denial of service (DDoS) attacks work in SDNs by overwhelming switches, controller-switch links, and controllers. Various proposals for detecting and mitigating these attacks are overviewed, such as diverting packets, caching packets, classifying packets, and anomaly detection. Challenges in mitigating low rate attacks and securing SDN-based IoT networks are also discussed.
IRJET- A Study of DDoS Attacks in Software Defined NetworksIRJET Journal
This document discusses DDoS attacks in software defined networks. It begins with an overview of SDN architecture and its vulnerabilities. It then describes different types of DDoS attacks, categorizing them as attacks on the data plane or control plane. Volumetric attacks aim to overwhelm the victim with traffic, while protocol exploitation attacks exhaust system resources. The document reviews approaches for detecting and mitigating DDoS attacks in SDN, such as using thresholds to detect sudden traffic increases or inspecting packets for abnormal values. Machine learning algorithms can also be used to classify packets and detect attacks. Specific studies that implemented detection and mitigation techniques using SDN controllers and tools are also summarized.
Firewall and vpn investigation on cloud computing performanceIJCSES Journal
The paper presents the way to provide the security to one of the recent development in computing, cloud
computing. The main interest is to investigate the impact of using Virtual Private Network VPN together
with firewall on cloud computing performance. Therefore, computer modeling and simulation of cloud
computing with OPNET modular simulator has been conducted for the cases of cloud computing with and
without VPN and firewall. To achieve clear idea on these impacts, the simulation considers different
scenarios and different form application traffic applied. Simulation results showing throughput, delay,
servers traffic sent and received have been collected and presented. The results clearly show that there is
impact in throughput and delay through the use of VPN and firewall. The impact on throughput is higher
than that on the delay. Furthermore, the impact show that the email traffic is more affected than web
traffic.
As computer networks grow larger and more complex, there is a need for a new, simpler approach to configuring them. SDN has emerged as a promising network architecture. It takes the control plane away from the individual nodes and centralizes network control by utilizing flow based traffic management. Mininet is a cost effective and efficient way to emulate and study SDN. This paper presents a study of programmable networks with the basics of Mininet.
Unified Security Plugin for Opendaylight Controller
ABSTRACT
For the last two years there has been a definite buzz around SDN, complemented by NFV. The strong focus on SDN is vindicated by the prediction that by 2016 more than 10,000 enterprises will deploy SDN in their networks, almost a ten-fold increase from the 2014 figure [1]. Also, according to a survey done by Juniper in 2014 of 400 U.S. businesses, around 52.5 percent of the companies plan to adopt SDN in the future, and 27 percent of these have stated that they are ready or almost ready to adopt SDN [2].
SDN architecture is expected to be widely deployed in branch networks. Opendaylight (ODL), an open source SDN controller, has gained prominence through contributions from across the industry and promises to become the most widely used open source controller.
This White Paper discusses the implementation of a security plugin that provides a single pane of glass for information about controller security.
The controller is widely accepted as the single most vulnerable element in the network from a security point of view. It may be threatened in multiple ways, such as denial of service attacks or maliciously crafted data that forces the controller to misbehave. The threat to the controller arises from the north-bound, south-bound and east-west interfaces in a myriad of ways.
If messages from north-bound applications are allowed to reach the controller unchecked, then message exchange with unauthenticated sources becomes possible. There is also a risk of north-bound messages being modified in transit by intermediate nodes and going undetected at the controller unless message integrity verification is done. The same concern exists for the other interfaces, the east-west communication with peer controllers and the south-bound interface. A data flood from north-bound or south-bound entities aimed at bringing down the controller is also possible.
If any of the above methods to overwhelm the controller succeeds, the ramifications are huge and can affect the entire network. Hence it is highly recommended that controller security be granular and robust, so that it can thwart attacks from the network and hold back the attacker until the mitigation system detects the attack and blocks the source.
The paper starts off by discussing the problems associated with security in SDN in general and then covers the Opendaylight-specific issues in particular.
1. INTRODUCTION
1.1 Why SDN?
SDN is a term coined for the networking concept in which the control plane is decoupled from the physical infrastructure and moved out into a separate entity called the controller. The controller provides networking services that help to manage the network and also determines how the data plane flows are configured. Since the controller runs as separate software that manages the entire network, the approach is termed 'Software Defined Networking', or SDN. The switches (physical infrastructure) that handle the traffic flow may come from multiple vendors as long as they are compatible with the protocol of communication between the controller and the switch. This reduces dependency on any particular equipment manufacturer and gives the service provider the flexibility to use switches of their choice, with the resulting cost and operational advantage. According to a survey by Spirent in 2014 covering service providers that control 51% of global telecom capex, the main driver for SDN adoption is revenue generation through cloud services aided by SDN [3].
1.2 What is the Challenge with SDN Security?
A recollection of the native network topology shows a network that is a mix of routers and switches (collectively referred to as network elements in the rest of this paper) interconnecting the LANs and the WANs to the end-points. In these network elements the control plane and the data plane reside inside the individual box and are responsible for session establishment as well as data forwarding.
In a private network, security is deployed at the network gateway
and the De-Militarized Zones inside the network. A mix of
network (FW / Proxy Servers / IPS / IDS etc) and host based
(end-point FW / IDS etc.) security devices are used to protect
such networks.
With the advent of SDN, network security has a whole new network node to secure: the SDN Controller. While the controller provides a bird's eye view of the network and therefore acts as an enabler to program the underlying network and enhance its security, at the same time its very existence opens up a host of security issues. The controller is susceptible to attacks from the users and applications, from the peer controllers it talks to, and from the underlying network elements that it controls. Therefore, the SDN architecture has a new challenge on its hands: protecting the controller that forms the backbone of the network.
Copyright 2015 Page 1 of 7
While network and transport protocol level vulnerabilities need to be addressed by the Operating System on which the controller runs, there are other application layer security issues that have to be handled at the controller.
We will discuss some of the application layer security issues in
the subsequent sections from the Opendaylight (ODL) controller
perspective.
The following figure is a diagrammatic representation of the
ODL controller vulnerabilities from the different interfaces.
Fig1. ODL Controller vulnerability from different interfaces
Apart from the controller, there are vulnerabilities exposed in the SDN network under the purview of the ODL controller as well. Discussion of the network vulnerabilities is outside the scope of this paper.
2. THE GAPS IN ODL CONTROLLER SECURITY:
This section delves briefly into the security solutions that have already been implemented to protect the ODL controller and the areas of vulnerability that still exist to date.
2.1 Controller defense already in place:
2.1.1 AAA project:
For a controller platform that supervises and manages the network, it is important to have restrictive, role based access for the users that log into it. This is essential to maintain the identity of the users and to prevent controller access from falling into the wrong hands.
The AAA project is key to the authentication and authorization of the users and applications that log on to the controller. This ensures that north-bound entities do not gain access to the controller without their identities being verified, and therefore protects the controller from rogue applications/users. It also defines the services that users/applications can access based on their roles.
2.1.2 SSL/TLS based protection to the interfaces:
HTTPS support for the Restconf interface brings in the added security provided by TLS (the successor to the Secure Sockets Layer): integrity verification and encryption of the message contents that the application sends to the controller.
Similarly, TLS based protection of the Openflow messages from the network provides the authentication, confidentiality and integrity verification necessary to protect the network nodes from a rogue controller and to let the controller itself verify the identity of the network elements before exchanging data. Note that the second half of this guarantee only holds when the switches present certificates and the controller is configured to verify them; server-only TLS authenticates the controller to the switch but not the switch to the controller.
2.1.3 Service Function Chaining:
Service Function Chaining, which provides an ordered list of network services, offers a platform to program message flows through a chain of devices to aid network and controller security. Chaining DPI / FW / IPS / IDS / Load Balancers helps secure the message flows and adds depth to the perimeter security as required by the network tenant.
2.1.4 Openflow Plugin Overload Protection:
Openflow Plugin Overload Protection guards the plugin against a flurry of Packet-In messages from the network. It maintains a queue for each network switch with which it interacts and ensures that the number of packets punted to the controller at any point of time is bounded by the size of the queue. The occupancy of the queue depends on the rate at which packets are punted from the network as well as the rate at which they are de-queued for processing. If the queue fills up, further arrivals are tail-dropped.
2.2 The existing Controller Vulnerabilities:
Despite the closure of the security gaps discussed in Sec-2.1 to secure the ODL Controller, certain vulnerabilities still remain to be addressed. The following sections highlight these vulnerabilities (not claimed to be an exhaustive list), set the scope of this paper by discussing some of them in detail along with their mitigation strategies, and introduce the concept of the Unified Security Plugin.
2.2.1 Controller security from packet-in attacks:
We discussed in the previous section that the Openflow Plugin is protected from Packet-In floods by the Overload-Protection mechanism. However, this defense only thwarts the immediate impact on the plugin. It does not address the root of the issue, since it makes no attempt to identify the source of the attack. Also, congestion of the queue does not necessarily indicate an attack: the cause might be a delay in de-queuing and processing packets, leading to a build-up of congestion in the queue.
If, on the other hand, the queue is congesting because of a heavy inflow of packets from the network, then measures need to be adopted to identify the sources of the packet influx and block them. To do so, some application must be able to program the controller accordingly. We discuss the mitigation mechanism in a subsequent section.
2.2.2 BGP Link-State connectivity and secured exchange of SDNi messages:
The BGP plugin provides BGP Link-State Distribution as a source of L3 topology information. The plugin sets up a TCP connection with the peer before it starts exchanging link-state messages. However, the TCP connection is not secured and is susceptible to MITM and DoS attacks. Also, there is no authentication of the peer before a BGP session is established. This is risky in particular if the SDNi application is run in conjunction with BGP.
SDNi is an application that runs on top of the ODL controller to establish east-west communication between peer controllers and exchange various network information elements like topology, policy, QoS details etc. with the peer controller. This is particularly useful for identifying the best path for packet delivery to the destination node(s) in a CDN spanning multiple networks controlled by separate ODL controllers.
The alarm with SDNi arises because it leverages the BGP plugin to share important information with peer controller(s). This exposes it to risks such as interaction with rogue controllers or modification of data by intermediate network elements that may go undetected. The impact of such attacks can be very disruptive. If any network element gets access to the network-sensitive data in transit, it feeds the attacker with extensive information to launch specific attacks on the controller or its network and overwhelm them. Also, a rogue controller may make it appear as if the data path via its network offers the best bandwidth availability, thereby forcing network data to be steered to its network for easy interception.
Therefore, there needs to be a mechanism to authenticate the peer, followed by confidentiality and integrity checks on the message exchange, to make the system more secure. The mitigation solution is discussed in detail in a subsequent section.
2.2.3 Protection of other South Bound plugins:
Other than the Openflow and BGP plugins, there are other southbound plugins in the Opendaylight controller, like NETCONF, SNMP and OVSDB, that can also open up vulnerabilities for the controller. While some of these protocol plugins operate over a secured transport that protects against eavesdropping, they may still not be protected from DoS attacks by the underlying network elements.
Mitigation of the security issues opened up by south-bound plugins other than the Openflow and BGP plugins is not discussed in this paper.
2.2.4 Secured exchange of data between clustered controllers:
Controller clustering is important from the High-Availability point of view, especially since the controller is the programmer of the underlying network. It not only adds redundancy to the architecture but also increases the scalability of the model.
Current ODL controller clustering is built on top of the Infinispan distributed-caching/data-grid platform. Infinispan uses JGroups as a reliable messaging layer for the cluster. The JGroups authorization and encryption features need to be enabled to ensure the security of message exchange between the cluster members.
Clustered controller security is outside the purview of this paper.
3. THE UNIFIED SECURITY PLUGIN:
While security has been operating mostly in silos in native networks, the SDN architecture provides a cost effective and unique scope to unify the collation of information that can enhance the security of the controller in particular and the network in general, because the SDN controller has a complete view of the network and can therefore tap into the packet contents flowing in the network for better visibility. The plugin is being developed as part of the ODL Beryllium Release [4].
The Unified Security Plugin (USecPlugin) is developed for the ODL controller as an infrastructure that provides a single pane of visibility for controller security. The plugin collates security related information from the various interfaces and makes it available through the ODL northbound APIs for external parties to retrieve. This information can be handy in identifying attacks on ports exposed by the SB plugins, suspected controller intrusions, or the trusted controllers in the network. Information collected at the plugin may also be used to configure Firewalls and create IP Blacklists for the network. The USecPlugin is designed to provide a 'security service function' for the Opendaylight controller.
The utility of the USecPlugin is better understood from the
perspective of the use cases described in the following sections 4
and 5. However, the USecPlugin may be further enhanced to
cover use cases related to controller security beyond what we
have described here.
4. CASE1 - THE PACKET-IN ATTACK AND ITS MITIGATION:
4.1 Explaining Packet-In Attack and Simulation
In an SDN architecture with Openflow switches, the switches are flow programmed by the controller, which determines the path of a packet to its destination. When a packet arrives at an Openflow switch, the packet header and metadata are matched against the flow tables in the switch and the instructions of the matching entry are executed. If no matching flow entry is found, the packet is either dropped or sent to the controller, depending on the configuration of the table-miss flow entry. Packets are also sent to the controller if a matching entry carries an explicit action=CONTROLLER output, or if a data packet arrives with an invalid TTL. When a packet is sent to the controller over the control channel, it is carried in a Packet-In message.
The structure of the Openflow message with Packet-In is
represented in the figure below:
Fig2. Openflow Message Structure with Packet-In
The Packet-In carries the original packet (or its leading bytes) as payload, from which the IPv4/IPv6 source and destination addresses for which the Packet-In was generated can be read.
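As an added example (not code from the paper or from the Opendaylight project), the following Python builds a constructed OpenFlow 1.3 OFPT_PACKET_IN message and parses it back the way a plugin screening Packet-In payloads would: the in_port from the OXM match, the reason code (table-miss, explicit CONTROLLER action, invalid TTL) and the IPv4 or IPv6 source and destination from the carried frame. Handling of IPv6 and of a single 802.1Q tag goes beyond the figure above; the switch's dp-id is not part of the message and is known from the connection. The sample frame and addresses are constructed for the example and the IPv4 checksum is left at zero.

```python
import ipaddress
import struct

OFP_VERSION_13 = 0x04
OFPT_PACKET_IN = 10
OFPMT_OXM = 1
OXM_OF_IN_PORT = 0x80000004   # class OPENFLOW_BASIC, field IN_PORT, no mask, 4-byte value
REASONS = {0: "NO_MATCH", 1: "ACTION", 2: "INVALID_TTL"}   # table-miss, action=CONTROLLER, bad TTL
ETH_P_IP, ETH_P_IPV6, ETH_P_8021Q = 0x0800, 0x86DD, 0x8100


def build_packet_in(in_port, frame, reason=0, table_id=0, xid=1):
    """Assemble an OpenFlow 1.3 OFPT_PACKET_IN carrying `frame` (used here to make test input)."""
    oxm = struct.pack("!II", OXM_OF_IN_PORT, in_port)            # one OXM TLV, 8 bytes
    match_len = 4 + len(oxm)                                     # type + length + TLVs
    match = struct.pack("!HH", OFPMT_OXM, match_len) + oxm
    match += b"\x00" * ((8 - match_len % 8) % 8)                 # ofp_match is padded to 8
    body = struct.pack("!IHBBQ", 0xFFFFFFFF, len(frame), reason, table_id, 0)
    body += match + b"\x00\x00" + frame                          # pad[2] precedes the data
    header = struct.pack("!BBHI", OFP_VERSION_13, OFPT_PACKET_IN, 8 + len(body), xid)
    return header + body


def ethernet_frame(src_ip, dst_ip, vlan=None):
    """Constructed Ethernet/IPv4 frame with a zero checksum, used as sample Packet-In data."""
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex("0200deadbeef")
    tag = struct.pack("!HH", ETH_P_8021Q, vlan) if vlan is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + tag + struct.pack("!H", ETH_P_IP) + ip


def parse_packet_in(msg):
    """Return in_port, reason and the L3 addresses of an OF1.3 Packet-In; ValueError if malformed."""
    if len(msg) < 8:
        raise ValueError("short OpenFlow header")
    version, msg_type, length, _xid = struct.unpack_from("!BBHI", msg, 0)
    if version != OFP_VERSION_13 or msg_type != OFPT_PACKET_IN:
        raise ValueError("not an OpenFlow 1.3 Packet-In")
    if length != len(msg) or length < 34:          # 8 header + 16 fixed + 8 match + 2 pad
        raise ValueError("length field does not match the message")
    _buffer_id, _total_len, reason, table_id, _cookie = struct.unpack_from("!IHBBQ", msg, 8)
    match_type, match_len = struct.unpack_from("!HH", msg, 24)
    if match_type != OFPMT_OXM or match_len < 4 or 24 + match_len > len(msg):
        raise ValueError("bad ofp_match")
    in_port, off, end = None, 28, 24 + match_len
    while off + 4 <= end:                          # walk OXM TLVs, skipping unknown fields
        oxm_hdr = struct.unpack_from("!I", msg, off)[0]
        oxm_len = oxm_hdr & 0xFF
        if off + 4 + oxm_len > end:
            raise ValueError("truncated OXM TLV")
        if oxm_hdr == OXM_OF_IN_PORT:
            in_port = struct.unpack_from("!I", msg, off + 4)[0]
        off += 4 + oxm_len
    data = msg[end + (8 - match_len % 8) % 8 + 2:]  # skip match padding and pad[2]
    result = {"in_port": in_port, "reason": REASONS.get(reason, reason), "table_id": table_id,
              "ethertype": None, "src_ip": None, "dst_ip": None}
    if len(data) < 14:
        return result                              # no Ethernet header in the payload
    ethertype, l3 = struct.unpack_from("!H", data, 12)[0], data[14:]
    if ethertype == ETH_P_8021Q and len(data) >= 18:          # strip one 802.1Q tag
        ethertype, l3 = struct.unpack_from("!H", data, 16)[0], data[18:]
    result["ethertype"] = ethertype
    if ethertype == ETH_P_IP and len(l3) >= 20:
        result["src_ip"] = str(ipaddress.IPv4Address(l3[12:16]))
        result["dst_ip"] = str(ipaddress.IPv4Address(l3[16:20]))
    elif ethertype == ETH_P_IPV6 and len(l3) >= 40:
        result["src_ip"] = str(ipaddress.IPv6Address(l3[8:24]))
        result["dst_ip"] = str(ipaddress.IPv6Address(l3[24:40]))
    return result


# constructed sample: a table-miss Packet-In from port 3 for 10.0.0.5 -> 10.0.0.9
SAMPLE = build_packet_in(3, ethernet_frame("10.0.0.5", "10.0.0.9"))

if __name__ == "__main__":
    print(parse_packet_in(SAMPLE))
```

The parser rejects a length field that disagrees with the bytes actually received and an OXM TLV that runs past the match, which is the kind of check a controller must make before trusting anything a switch (or whatever is impersonating one) sends over the control channel.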
Once a connection has been established between the controller and the switch, a stream of Packet-In messages from the switch can force large scale consumption of CPU and memory at the controller. An attacker can exploit this to overwhelm the Openflow plugin.
In order to prove the point empirically, we carried out a Packet-In attack on a controller running the Opendaylight Helium SR3 release. The attack was simulated in Mininet. Sustained Packet-In messages from the network were created by configuring the switch with a table-miss flow entry that sends unmatched packets to the ODL controller. Packets were sent to the controller at a rate of 20K PPS.
A diagrammatic representation of the problem is shown in the
figure below:
Fig3. Packet-In Attack
As a consequence of the attack, controller CPU utilization shoots up to ~150% (on a dual-core x86 processor). Approximately 35% memory utilization is observed on a system with 4GB RAM. Additionally we observed the following statistics, with packet tail drops happening:
• Total packets sent from the switch: 9600645 packets.
• Total packets processed by the Openflow Plugin in the controller: 9001148
• ~6% packet drops at the controller.
To plug this vulnerability, queue based handling of Packet-In messages is already designed and implemented in ODL, providing the first level of defense for the controller against such attacks.
A snapshot of the resource utilization on the system running the
controller is displayed in the figure below:
Fig4. Resource utilization of system during Packet-In Attack
From the snapshot it is visible that the CPU utilization is significantly higher due to the Packet-In attack. The figures shared earlier also show an approximate 6% packet drop due to the attack. This implies that if an attack punts packets to the controller at a high rate from any one port of the switch, then packets arriving through other ports of the same switch and sent as Packet-In messages to the controller will also be impacted by the drops.
So, while the queue based packet handling at the controller is able to fend off the Packet-In attack, it has a collateral impact on resource utilization and packet handling.
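The collateral effect can be reproduced with a small model. The following Python is an added example, not the plugin's code: a single tail-drop queue per switch, as the overload protection keeps, fed by one flooding port and two well-behaved ports, with the arrival order inside each tick shuffled so that no port is favoured by construction. For contrast it also models one bounded queue per ingress port served round-robin; that isolation is an added comparison, not the paper's mitigation, which instead identifies and blocks the source. Rates, capacities and port names are constructed values.

```python
import random
from collections import deque


def simulate_shared_queue(arrivals, capacity, service_rate, ticks, seed=1):
    """One tail-drop queue for the whole switch, as the overload protection keeps.

    arrivals: {port: Packet-In messages per tick}; service_rate: messages de-queued per tick.
    Arrival order within a tick is shuffled (seeded) so no port is favoured by construction.
    Returns {port: (sent, dropped)}.
    """
    rng = random.Random(seed)
    queue = deque()
    stats = {port: [0, 0] for port in arrivals}
    for _ in range(ticks):
        batch = [port for port, rate in arrivals.items() for _ in range(rate)]
        rng.shuffle(batch)
        for port in batch:
            stats[port][0] += 1
            if len(queue) >= capacity:
                stats[port][1] += 1                  # tail drop: the shared queue is full
            else:
                queue.append(port)
        for _ in range(min(service_rate, len(queue))):
            queue.popleft()                          # the controller thread drains the queue
    return {port: tuple(v) for port, v in stats.items()}


def simulate_per_port_queues(arrivals, capacity, service_rate, ticks):
    """Added comparison: one bounded queue per ingress port, served round-robin.

    The flood then only fills its own port's queue and the other ports keep their share.
    """
    per_port_cap = max(1, capacity // len(arrivals))
    queues = {port: deque() for port in arrivals}
    stats = {port: [0, 0] for port in arrivals}
    for _ in range(ticks):
        for port, rate in arrivals.items():
            for _ in range(rate):
                stats[port][0] += 1
                if len(queues[port]) >= per_port_cap:
                    stats[port][1] += 1
                else:
                    queues[port].append(port)
        budget = service_rate
        while budget and any(queues.values()):
            for q in queues.values():
                if q and budget:
                    q.popleft()
                    budget -= 1
    return {port: tuple(v) for port, v in stats.items()}


def drop_fraction(stats, port):
    sent, dropped = stats[port]
    return dropped / sent if sent else 0.0


# constructed scenario: one flooding port and two well-behaved ports on the same switch
ARRIVALS = {"port1_attacker": 300, "port2": 5, "port3": 5}

if __name__ == "__main__":
    for name, fn in (("shared queue", simulate_shared_queue),
                     ("per-port queues", simulate_per_port_queues)):
        stats = fn(ARRIVALS, capacity=200, service_rate=150, ticks=200)
        print(name, {p: f"{drop_fraction(stats, p):.0%} dropped" for p in ARRIVALS})
```

With the shared queue every port loses roughly the same fraction of its Packet-In messages, because a tail-drop queue has no notion of which port a message came from; the measured 6% above is the same effect at a milder overload. With per-port queues the well-behaved ports lose nothing, which is why the source of the influx, not just its volume, is what the mitigation below sets out to establish.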
4.2 Attack Mitigation from Packet-In Messages:
Considering the collateral impacts of a Packet-In attack as discussed in Sec-4.1, it is imperative to look at means to mitigate such attacks rather than just thwart them. Also, a deep dive into the details of the source of a Packet-In attack is necessary to build an information base that protects the system from such attacks in future.
To build a solution that mitigates the problem, details of the rate of influx of Packet-In messages from the Openflow plugin are required. This information is used to design a system for detecting an impending attack. The details of the design are discussed below.
4.2.1 Designing the Mitigation System:
In order to have a mitigation system in place, four key factors need to be kept in mind:
a) There needs to be a fair estimate of the rate of packet influx, to be able to recognise an impending and/or actual attack on the system.
b) The source of the Packet-In messages needs to be identified.
c) A notification mechanism is needed to inform interested parties when an attack is impending or detected.
d) A persistent database is needed to record the sources of high Packet-In rates for current or future reference.
The design factors are discussed in detail below:
The packet influx into the system is estimated by registering the USecPlugin for notification of Packet-In messages from the Openflow plugin. Once registered, the plugin receives a notification from the Openflow plugin whenever a Packet-In message arrives from the network. Each notification carries the 'Data-Path Id' of the switch and the node-connector that identifies the port on the switch. This information is collated continuously over a period of time (when there is no attack from the network) to calculate the average rate of packet influx (Sav) per switch.
Collecting this information over an extended period provides the historical average Packet-In rate of a switch at peace-time levels. The USecPlugin also samples the payload of Packet-In messages at regular intervals to record the source addresses of legitimate packets at peace time and stores them in a persistent database; these source addresses are maintained as a White List for future reference. With the peace-time influx rate established, the USecPlugin continuously compares the present influx rate on a switch (Sp) against it and raises the first alarm (Alarm1) for the switch if Sp exceeds the historical average by a configurable percentage, referred to as the Low Water mark (Nlw), for a configured period of time (t1).
Calculation -
Alarm1: if ‘Sp > ((100 + Nlw ) * Sav ) / 100’ for time ‘t1’
Nlw is the ‘Low Water’ mark percentage value.
‘t1’ is the time for which the Low Water mark breach should
happen to raise Alarm1.
[Both Nlw and ‘t1’ are configurable values]
Once Alarm1 is raised, the USecPlugin screens the payload of Packet-In messages on the affected switch to get the source address of each message. This information is crucial to identify the particular source address or group of source addresses behind the high influx of Packet-In messages. All source addresses recorded for the switch are stored in a temporary data-store along with the influx packet rate, dp-id and node-connector value.
If the high influx of Packet-In messages is a sudden spike and Sp eventually goes below the Low Water mark (and stays below it) for t2 seconds, then Alarm1 is cleared. [t2 is a configurable value and may be greater than or equal to t1.] Along with clearing the alarm, the source addresses, influx packet rate, dp-id and node-connector values written to the temporary data-store since Alarm1 are also cleared. This event is classified as a 'Temporary Spike'.
If, on the other hand, Sp persistently stays above the Low Water mark and eventually hits the High Water mark (determined by a percentage value Nhw over and above the historical average), then the second alarm (Alarm2) is raised for the switch.
Alarm2: if 'Sp > ((100 + Nhw ) * Sav ) / 100'
[Nhw is a configurable value]
Alarm2 is classified as a 'Permanent Spike'.
Along with raising Alarm2, the temporary data in the data-store is removed and written to a persistent database. This is intended to help mitigate the Packet-In attack and to correlate the source addresses of similar attacks in future. The source of the attack is added to a Black List of IP addresses with a count of the number of times it has triggered an attack. If the same source figures in the White List, it is removed from that list. The same source addresses can be used for correlation if other forms of attack are detected and reported to the USecPlugin in future. Since the source address in a Packet-In payload is supplied by the sender and may be spoofed, the dp-id and node-connector recorded alongside it are the more reliable handle when blocking the influx.
While the logic above generates alarms from the historical peace-time Packet-In rates of a switch, the implementation also offers the controller user the alternative of configuring specific packet rates for the low and high water marks, on the basis of which alarms are raised instead of relying on peace-time readings. This option gives the user additional flexibility to tune the alarm generation system to the requirements of the network.
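An added example, not the USecPlugin's code, of the two-level water-mark logic above in Python: a monitor keyed by dp-id that learns Sav from peace-time samples, raises Alarm1 when Sp exceeds the Low Water mark for t1 seconds, raises Alarm2 when Sp then crosses the High Water mark, clears a Temporary Spike after t2 seconds at or below the Low Water mark, and maintains the temporary store, the persistent records, the White List and the Black List with its trigger count. Static low/high marks in packets per second can replace the Sav-derived ones, as the alternative option above allows. The class and method names, the choice of a plain running mean for Sav, and the rule that Alarm2 is only evaluated once Alarm1 is active are assumptions of this example; the timestamps, rates and addresses in the usage are constructed.

```python
from collections import defaultdict


class PacketInMonitor:
    """Two-level water-mark detector for Packet-In floods, keyed by switch dp-id.

    Alarm1: Sp > (100 + Nlw) * Sav / 100 for t1 seconds.
    Alarm2: Sp > (100 + Nhw) * Sav / 100 while Alarm1 is active (assumption of this example).
    CLEAR:  Sp stays at or below the low water mark for t2 seconds (a 'Temporary Spike').
    static_low / static_high, in packets per second, replace the Sav-derived marks when set.
    """

    def __init__(self, n_lw=50, n_hw=300, t1=3.0, t2=5.0, static_low=None, static_high=None):
        self.n_lw, self.n_hw, self.t1, self.t2 = n_lw, n_hw, t1, t2
        self.static_low, self.static_high = static_low, static_high
        self.peace = defaultdict(lambda: [0.0, 0])        # dpid -> [sum of samples, count]
        self.state = defaultdict(self._fresh_state)       # dpid -> alarm bookkeeping
        self.whitelist = set()                            # sources sampled at peace time
        self.blacklist = defaultdict(int)                 # source -> attacks triggered
        self.persistent = []                              # (dpid, node_connector, src, rate)

    @staticmethod
    def _fresh_state():
        return {"alarm1": False, "alarm2": False, "above_since": None,
                "below_since": None, "temp": set()}

    def learn(self, dpid, rate, sources=()):
        """Peace-time sample: update the running mean Sav and white-list sampled sources."""
        self.peace[dpid][0] += rate
        self.peace[dpid][1] += 1
        self.whitelist.update(src for src, _port in sources)

    def sav(self, dpid):
        total, count = self.peace[dpid]
        return total / count if count else None

    def marks(self, dpid):
        """(low, high) water marks in pps; static marks take precedence over Sav."""
        if self.static_low is not None and self.static_high is not None:
            return self.static_low, self.static_high
        sav = self.sav(dpid)
        if sav is None:
            raise ValueError(f"no peace-time baseline for {dpid} and no static marks")
        return (100 + self.n_lw) * sav / 100, (100 + self.n_hw) * sav / 100

    def observe(self, dpid, rate, now, sources=()):
        """Feed one influx sample Sp at time `now` (seconds); return the events raised.

        `sources` is the (src_ip, node_connector) list screened from the Packet-In
        payloads; it is only recorded while Alarm1 is active, as the paper describes.
        """
        low, high = self.marks(dpid)
        st, events = self.state[dpid], []
        if rate > low:
            st["below_since"] = None
            if not st["alarm1"]:
                if st["above_since"] is None:
                    st["above_since"] = now
                if now - st["above_since"] >= self.t1:
                    st["alarm1"] = True
                    events.append("ALARM1")
            if st["alarm1"]:
                st["temp"].update((port, src, rate) for src, port in sources)
                if rate > high and not st["alarm2"]:      # permanent spike
                    st["alarm2"] = True
                    events.append("ALARM2")
                    for port, src, r in sorted(st["temp"]):
                        self.persistent.append((dpid, port, src, r))
                        self.blacklist[src] += 1
                        self.whitelist.discard(src)
        else:
            st["above_since"] = None
            if st["alarm1"]:
                if st["below_since"] is None:
                    st["below_since"] = now
                if now - st["below_since"] >= self.t2:
                    events.append("CLEAR")
                    self.state[dpid] = self._fresh_state()   # temporary data discarded
        return events


if __name__ == "__main__":
    mon = PacketInMonitor(n_lw=50, n_hw=300, t1=3, t2=5)
    for rate in (90, 110, 100):                              # constructed peace-time samples
        mon.learn("openflow:1", rate, [("10.0.0.5", "openflow:1:2")])
    flood = [("10.0.0.5", "openflow:1:2"), ("10.0.0.77", "openflow:1:3")]
    for t in range(4):                                       # 500 pps sustained for 4 seconds
        print(t, mon.observe("openflow:1", 500, now=t, sources=flood))
    print(dict(mon.blacklist), mon.persistent)
```

Note that the white-listed 10.0.0.5 is black-listed and removed from the White List as soon as it appears in the screened payloads of a Permanent Spike, exactly as the paper prescribes; a sender that spoofs a white-listed address can therefore evict it, which is one more reason to act on the recorded node-connector rather than the address alone.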
The alarms that are generated are meant for consumption by third-party external applications that may want to use the information to mitigate the Packet-In attack. Depending on the alarms the applications have registered for, the USecPlugin notifies them accordingly. The USecPlugin also provides Restconf interfaces through which applications can fetch the details of the source address(es), influx packet rate(s), dp-id(s) and node-connector information that may be involved in the Packet-In attack. This polling mechanism complements the notification mechanism mentioned earlier.
The methodology adopted by the application to correlate the information from the USecPlugin and formulate a strategy for attack mitigation is left to the third-party application logic and is outside the purview of this paper.
5. CASE2 - SECURED EXCHANGE OF SDNI MESSAGES:
5.1 Preview to BGP and SDNi concepts:
As discussed earlier in Sec-2.2.2, the BGP link state protocol serves to exchange the network topology with peer networks for optimized routing. The SDNi project in Opendaylight is designed to establish communication between multiple SDN controllers. The data shared consists of control plane parameters like Topology, Quality of Service (QoS), policy etc.
Since SDNi uses a BGP session to exchange information with peer controller(s), the steps to initiate message exchange are as follows:
1. First establish a TCP connection between two controllers to
exchange BGP information.
2. Establish a BGP connection between the BGP speakers in the
controller.
3. Start sending and receiving the NLRI updates between the
controllers, containing the QoS and other updates depending
on the use cases designed with SDNi.
5.2 Security Concerns with SDNi:
Since SDNi depends on the Topology, QoS, Policy and other information shared by peer controllers for conceptualizing Bandwidth-On-Demand or servicing a CDN, it is important to ensure the following:
1. Authenticity of the peer controller(s).
2. Data Integrity verification check for the information shared
by inter-subnet controllers.
3. Encryption of data exchanged to protect the network details
from being exposed to the external entities in the network.
If the peer controller remains unauthenticated, it raises the spectre of a MITM attack resulting in a bogus session being established with a rogue peer controller.
A diagrammatic representation of the problem is shown in the figure below:
Fig5. MITM Attack (Bogus Session)
Authenticity of the controller is essential to ensure that the peers interacting with each other can verify that none of the controllers is masquerading.
Copyright 2015 Page 5 of 7
5.3 MITM Attack Mitigation:
The implementation in its present form in the ODL Controller
Lithium Release verifies the authenticity of the peer using TCP
MD5 authentication mechanism as detailed in RFC 2385
(Protection of BGP Sessions via the TCP MD5 Signature
Option).
The TCP MD5 authentication is an optional configuration in the ODL controller, considering that it needs support for the same on the peer controller before it can be deployed. If the peer controller does not support the authentication mechanism, then there is presently no other way in which the peer controller can be authenticated before a BGP session is established. However, keeping in mind that authentication is an important aspect before SDNi sessions are established, there needs to be a mechanism for determining whether the peer is authenticated. Ideally, an SDNi session should be established only if the peer controller is authenticated, to prevent MITM attacks.
Considering that TCP MD5 authentication is based on a shared password used for creation of the MD5 digest, the authentication mechanism is not a foolproof one. Also, maintaining the same password forever is not advisable from a security perspective, since it may be leaked to an attacker at some point in time. However, changing the password and sharing the new one with the peer is also a challenge and leaves open the possibility of a security breach.
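As an added example (not code from the paper or from the ODL BGP implementation), the following Python reproduces the RFC 2385 computation the paragraphs above refer to: a 16-byte MD5 digest over the IPv4 pseudo-header, the TCP header with checksum zeroed, the segment data and the shared key, carried in TCP option kind 19, together with the receiver's verification step. The addresses, ports and key are constructed. It makes the paper's point concrete: the shared key is the only secret, any party holding it produces valid digests, and the BGP data itself still travels in the clear.

```python
import hashlib
import hmac
import socket
import struct

TCP_MD5SIG_KIND, TCP_MD5SIG_LEN = 19, 18   # RFC 2385 option: kind, length, 16-byte digest

def tcp_md5_digest(src_ip: str, dst_ip: str, tcp_header: bytes, options_len: int,
                   payload: bytes, key: bytes) -> bytes:
    """MD5 over the IPv4 pseudo-header, the 20-byte TCP header with checksum zeroed
    (options excluded), the segment data and, last, the shared key (RFC 2385 s.2.1)."""
    seg_len = len(tcp_header) + options_len + len(payload)   # header + options + data
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    header_zero_csum = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]
    return hashlib.md5(pseudo + header_zero_csum + payload + key).digest()

def md5sig_option(digest: bytes) -> bytes:
    """The option as carried on the wire, NOP-padded to a 32-bit boundary."""
    return struct.pack("!BB", TCP_MD5SIG_KIND, TCP_MD5SIG_LEN) + digest + b"\x01\x01"

def verify_tcp_md5(src_ip, dst_ip, tcp_header, options, payload, key) -> bool:
    """Receiver side: find the option, recompute the digest, compare in constant time."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                                # End of Option List
            break
        if kind == 1:                                # NOP
            i += 1
            continue
        length = options[i + 1] if i + 1 < len(options) else 0
        if length < 2:                               # malformed option
            return False
        if kind == TCP_MD5SIG_KIND and length == TCP_MD5SIG_LEN:
            expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, len(options), payload, key)
            return hmac.compare_digest(options[i + 2:i + 18], expected)
        i += length
    return False                                     # unsigned segment on a signed session: drop

def build_tcp_header(src_port: int, dst_port: int, seq: int, options_len: int) -> bytes:
    """Constructed 20-byte TCP SYN header; data offset counts header plus options in words."""
    data_offset = ((20 + options_len) // 4) << 4
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, data_offset, 0x02, 65535, 0, 0)

# Constructed BGP (port 179) SYN between two controllers sharing KEY; addresses and key are made up.
KEY = b"sdni-peer-secret"
HDR = build_tcp_header(40000, 179, 0x1000, 20)
OPT = md5sig_option(tcp_md5_digest("192.0.2.1", "192.0.2.2", HDR, 20, b"", KEY))
```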
In order to make the communication more secure, the TCP connection for the BGP Link-State protocol should be secured with SSL/TLS to encrypt the data and ensure data integrity verification. Again, SSL/TLS security is dependent on whether the peer controller also supports it. The SDNi session establishment may optionally be restricted to peer controllers that have the SSL/TLS security layer on top of the TCP connection.
Keeping the above security mechanisms in mind, the information about the authentication or encryption on the interface connection to the peer controller is updated in the USecPlugin. Whenever SDNi wants to establish a new session with a peer controller, it should check the USecPlugin for the security related information before it decides on the session establishment. However, for providing Authentication, Integrity Check and Encryption, it is advisable to add SSL/TLS security on the TCP connection before establishing a BGP session.
6. USecPlugin Architecture:
Having detailed out the use cases for the USecPlugin in sections
4 and 5, this section gives an overview of the architecture for the
plugin.
Fig6: Unified Security Plugin architecture
The above figure shows the architecture of the USecPlugin which
provides Security Service function for the ODL Controller. The
USecPlugin registers for the Packet-Notifications in MD-SAL.
These notifications are received from the Openflow Plugin for
detecting Packet-In Attack. The Openflow plugin also writes the
contents of the Packet-In messages to the OF Data Store. The
USecPlugin needs to access the OF Data Store to access the
Packet-In message metadata.
The USecPlugin has its own data store in MD-SAL to temporarily store the Packet-In message metadata as detailed in Sec 4.2.1 above. The temporarily stored metadata is written to the persistent database when the attack is confirmed.
Similarly, for protection of the SDNi application, the authentication of the peer controller and the interface security details of the inter-SDN connection are updated in the USecPlugin and stored in a persistent database. The USecPlugin exposes a NB API for the SDNi application to fetch information related to east-west interface security before exchanging the network updates.
The USecPlugin is developed in a modular manner, leaving scope to extend it to other security related events in the controller that may need to be stored in a central repository.
7. CONCLUSION
The USecPlugin is a novel design to provide a centralized database of all security related information for the ODL controller. Though the plugin has been conceptualized for the ODL controller, the same can be implemented for other SDN controllers as well to add visibility to security related information for controllers. As discussed, the utility of the plugin is not restricted to the use cases above and can be extended to cover other types of controller vulnerabilities exposed by the application protocols running in the controller.
The collation of security related information by the USecPlugin allows for running an analytics-based engine to detect anomalous
behavior which could point to an impending attack. This makes handling of security in the controller much more intelligent and adaptable, letting the user configure threshold parameters as per network fluctuations.
The USecPlugin is not designed to add layers of security within the controller, since that is not the objective of the controller. There are separate security appliances that can run outside the controller to protect the network nodes, including the controller. The USecPlugin just acts as an enabler to add visibility to any security risks arising out of the events handled within the controller. This helps make security more granular and program the network to mitigate risks by integrating with third-party external applications.
8. ABBREVIATIONS
AAA – Authentication Authorization Accounting
API – Application Programming Interface
BGP – Border Gateway Protocol
CDN – Content Delivery Network
DoS – Denial of Service
DPI – Deep Packet Inspection
FW – Firewall
HTTPS – Hypertext Transfer Protocol Secure
IDS – Intrusion Detection System
IPS – Intrusion Prevention System
MD5 – Message Digest 5
MITM – Man In The Middle
NETCONF – Network Configuration Protocol
NFV – Network Function Virtualization
NLRI – Network Layer Reachability Information
OF – OpenFlow
ODL – Opendaylight
OVSDB – Open vSwitch Database Management Protocol
PPS – Packets Per Second
RFC – Request For Comments
QoS – Quality of Service
SDN – Software Defined Network
SDNi – Inter-Software Defined Network
SNMP – Simple Network Management Protocol
SSL – Secure Sockets Layer
TCP – Transmission Control Protocol
TLS – Transport Layer Security
TTL – Time To Live