Towards Secure and Dependable
Software-Defined Networks
Fernando M. V. Ramos
LaSIGE/FCUL, University of Lisbon
[email protected]
http://www.di.fc.ul.pt/~fvramos/
Joint work with Diego Kreutz and Paulo Veríssimo
SDN in short
• Control and data planes decoupled
– An enabler for innovation
– More flexibility
• Logical centralization of network control
– Easier to observe/infer and reason about network
behavior
• Ability to program the network
– Instead of configuring it (in a tedious, error-prone
process)
Excellent, now we can program the network!
App1
App2
App3
…
AppN
Applications (control logic)
Global Network View
Network OS (programming abstractions,
data distribution, low level controls, etc.)
Wait, now others can program the network!
App1
App2
App3
…
AppN
Applications (control logic)
Global Network View
Network OS (programming abstractions,
data distribution, low level controls, etc.)
Nota Bene:
• Traditional networks have “natural
protections” against common threats and
vulnerabilities…
– closed (proprietary) nature of network devices
– heterogeneity of software
– decentralized nature of the control plane
• …that SDNs in principle do not.
Outline
Main threat vectors in SDNs
Security & Dependability by design
Final remarks
Outline
Main threat vectors in SDNs
Security & Dependability by design
Final remarks
Management connec on
(e.g., SSH )
SDN control protocol
(e.g., OpenFlow )
6
5
4
SDN
Controller
3
Admin
Sta on
ent
m
e
g
a
n
& Ma
l
o
r
t
n
Co
Data plane
physical / logical
connec ons
SDN
device
7
2
SDN
device
SDN
device
1
SDN
device
lane
Data P
Management connec on
(e.g., SSH )
SDN control protocol
(e.g., OpenFlow )
6
5
4
SDN
Controller
3
Threat vector 1
forged or faked traffic
flows
Admin
Sta on
ent
m
e
g
a
n
& Ma
l
o
r
t
n
Co
Data plane
physical / logical
connec ons
SDN
device
7
2
SDN
device
SDN
device
SDN
device
lane
Data P
1
Not specific to SDNs, but can be a door for augmented DoS attacks.
Possible solutions: IDS + rate bounds for control plane requests
Management connec on
(e.g., SSH )
SDN control protocol
(e.g., OpenFlow )
6
5
4
SDN
Controller
3
Threat vector 2
attacks on vulnerabilities
in switches
Admin
Sta on
ent
m
e
g
a
n
& Ma
l
o
r
t
n
Co
Data plane
physical / logical
connec ons
SDN
device
7
2
SDN
device
SDN
device
SDN
device
lane
Data P
1
Not specific to SDNs, but now the impact is potentially augmented.
Possible solutions: sw/hw attestation with autonomic trust management
Management connec on
(e.g., SSH )
SDN control protocol
(e.g., OpenFlow )
6
5
4
SDN
Controller
3
Threat vector 3
attacks on control plane
communication
Admin
Sta on
ent
m
e
g
a
n
& Ma
l
o
r
t
n
Co
Data plane
physical / logical
connec ons
SDN
device
7
2
SDN
device
SDN
device
SDN
device
lane
Data P
1
Specific to SDNs: communication with logically centralized controllers can be
exploited.
Possible solutions: threshold cryptography across controller replicas
Management connec on
(e.g., SSH )
SDN control protocol
(e.g., OpenFlow )
6
5
4
SDN
Controller
3
Threat vector 4
attacks on and
vulnerabilities in
controllers
Admin
Sta on
ent
m
e
g
a
n
& Ma
l
o
r
t
n
Co
Data plane
physical / logical
connec ons
SDN
device
7
2
SDN
device
SDN
device
SDN
device
lane
Data P
1
Specific to SDNs, controlling the controller may compromise the entire network.
Possible solutions: replication + diversity + recovery
Management connec on
(e.g., SSH )
SDN control protocol
(e.g., OpenFlow )
6
5
4
SDN
Controller
3
Threat vector 5
lack of mechanisms to
ensure trust between
the controller and
management apps
Admin
Sta on
ent
m
e
g
a
n
& Ma
l
o
r
t
n
Co
Data plane
physical / logical
connec ons
SDN
device
7
2
SDN
device
SDN
device
SDN
device
lane
Data P
1
Specific to SDNs, malicious applications can now be easily developed and deployed
on controllers.
Possible solutions: sw attestation with autonomic trust management
Management connec on
(e.g., SSH )
SDN control protocol
(e.g., OpenFlow )
Threat vector 6
attacks on and
vulnerabilities in
admin stations
6
5
4
SDN
Controller
3
Admin
Sta on
ent
m
e
g
a
n
& Ma
l
o
r
t
n
Co
Data plane
physical / logical
connec ons
SDN
device
7
2
SDN
device
SDN
device
SDN
device
lane
Data P
1
Not specific to SDNs, but now the impact is potentially augmented.
Possible solutions: double credential verification
Management connec on
(e.g., SSH )
SDN control protocol
(e.g., OpenFlow )
6
5
4
SDN
Controller
3
Threat vector 7
lack of trusted
resources for forensics
and remediation
Admin
Sta on
ent
m
e
g
a
n
& Ma
l
o
r
t
n
Co
Data plane
physical / logical
connec ons
SDN
device
7
2
SDN
device
SDN
device
SDN
device
lane
Data P
1
Not specific to SDNs, but it is still critical to assure fast recovery and diagnosis
when faults happen.
Possible solutions: indelible logging
Outline
Main threat vectors in SDNs
Security & Dependability by design
Final remarks
Sec&Dep tools to consider
• Replication
– Dynamic device association
– Self-healing mechanisms for perpetual operation
• Diversity
• (Autonomic) trust
– between controllers and devices
– between applications and controller software
Sec&Dep tools to consider
• Security domains
– kernel mode vs user mode
• Secure components for confidentiality
– To store sensitive data
• Fast and reliable software update and
patching
DESIGN OF A SEC&DEP SDN
CONTROL PLATFORM
v0.1
One single centralized controller
App A
Controller A
Multiple instances of a centralized controller
App A
Controller A
App A
Controller B
App A
Controller C
Master-slave controllers
App A
Controller A
App A
Controller B
App A
Controller C
Master-slave controllers
App A
App A
App A
East/Westbound API (data distribution service)
Controller A
Controller B
Controller C
(Aside: [strong] consistency matters)
• Inconsistencies may lead to
– network loops
– security issues
–…
One single app instance (App B) can now configure the whole network
App A
App B
App A
App A
East/Westbound API (data distribution service)
Controller A
Controller B
Controller C
Adding diversity
App A
App B
App A
App A
East/Westbound API (data distribution service)
Controller A
Controller B
Controller C
Adding diversity
App A
App B
App A
App A
Common Northbound API
East/Westbound API (data distribution service)
Controller A
Controller B
Controller C
Outline
Main threat vectors in SDNs
Security & Dependability by design
Final remarks
Our main message
• SDNs bring a very fascinating dilemma
– an extremely promising evolution of networking
architectures
versus
– a dangerous increase in the threat surface.
Check our HotSDN 2013 paper
(click link to download)
• Diego Kreutz, Fernando M. V. Ramos, Paulo
Veríssimo. Towards Secure and Dependable
Software-Defined Networks.
[email protected]
http://www.di.fc.ul.pt/~fvramos/