SDN Security: A Survey
Summary
Link:
- Link to publication record in Queen's University Belfast Research Portal Publisher rights (c) 2013.
- Both the security enhancements to be derived from using the SDN framework and the security challenges introduced by the framework are discussed.
- Applications can be run at the controller to analyze and correlate this feedback from the complete network.
- An increased potential for Denial-of-Service (DoS) attacks due to the centralized controller and flow-table limitation in network devices is a prime example.
II. SECURITY ANALYSES OF SDN
- The basic properties of a secure communications network are: confidentiality, integrity, availability of information, authentication and non-repudiation [4].
- The alterations to the network architecture introduced by SDN must be assessed to ensure that network security is sustained.
- Ethane controlled the network through the use of two components: a centralized controller responsible for enforcing global policy, and Ethane switches, which simply forwarded packets based on rules in a flow table.
- The authors found that the lack of TLS use could lead to fraudulent rule insertion and rule modification.
- The authors discovered that numerous attacks between users of the testbed along with malicious propagation and flooding attacks to the wider internet were possible when using the ProtoGENI network.
III. SECURITY ENHANCEMENT USING SDN
- The architecture of a software-defined network introduces potential for innovation in the use of the network.
- The combination of the global or network-wide view and the network programmability supports a process of harvesting intelligence from existing Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), for example, followed by analysis and centralized reprogramming of the network.
- This approach can render the SDN more robust to malicious attack than traditional networks.
IV. SECURITY CHALLENGES WITH SDN
- While security as an advantage of the SDN framework has been recognized, solutions to tackle the challenges of securing the SDN network are fewer in number.
- SDNs provide us with the ability to easily program the network and to allow for the creation of dynamic flow policies.
- Model checking combined with symbolic execution may be used to test OpenFlow applications for correctness [25].
- Fresco [32] is one notable contribution, which presents an OpenFlow Security Application Development Framework incorporating FortNox [33], a security enforcement kernel.
- In a similar manner, the SDN security research work is classified in Table II by the layer/interface, which the analysis, enhancement or solution targets.
V. DISCUSSION
- Considering the categorization of research work in Table II, it can be seen that there has been greater focus on exploiting SDN for enhanced network security than on generating solutions to the identified security issues.
- Without a fixed system to observe and prepare to attack, the strength of the attacker is reduced.
- A minor observation from the content of Table II is that the majority of the work references or implements OpenFlow for the control-data interface.
- Several Internet Engineering Task Force (IETF) groups have defined protocols regarding separation of forwarding and control planes, network configuration and routing.
- In the Internet Research Task Force (IRTF) and the International Telecommunication Union - Telecommunication Standardization Sector (ITU-T), general SDN study groups have been launched in which security in SDN is an identified issue.
VI. CONCLUSION
- There are two schools of thought on security in software-defined networking.
- The first is that significant improvements in network security can be achieved by simultaneously exploiting the programmability and the centralized network view introduced by SDN.
- The second is that these same two SDN attributes expose the network to a range of new attacks.
- The authors' analysis identifies that regardless of your school of thought, there is yet more to be done; more untapped potential and more unresolved challenges.
- A concerted effort in both directions could yield a truly secure and reliable Software-Defined Network.
Citations
3,589 citations
Cites background from "Sdn Security: A Survey"
...Different threat vectors have already been identified in SDN architectures [357], as well as several security issues and weaknesses in OpenFlow-based networks [507], [508], [509], [201], [510], [194], [511], [512]. While some threat vectors are common to existing networks, others are more specific to SDN, such as attacks on control plane communication and logically-centralized controllers. It is worth me...
[...]
669 citations
Cites background from "Sdn Security: A Survey"
...3) Programmability of the network by external applications: The programmability of SDN supports a process of harvesting intelligence from existing Intrusion Detection Systems (IDSs) [72] and Intrusion Prevention Systems (IPSs) [33]....
[...]
...Security analysis has shown that the SDN framework suffers many security threats, including [33]:...
[...]
...The authors of [33] point out that three issues of SDN include trust between all involved layers, SDN’s control plane centralization and limited space in flow-tables....
[...]
...Based on the analysis, new or updated security policy can be propagated across the network in the form of flow rules [33]....
[...]
443 citations
Cites methods from "Sdn Security: A Survey"
...Similarly, OpenFlow has sprung from the ideas of the 4D project as stated in [12]....
[...]
References
2,226 citations
"Sdn Security: A Survey" refers background in this paper
...Institute of Electrical and Electronics Engineers (IEEE). https://doi.org/10.1109/SDN4FNS.2013.6702553...
[...]
Frequently Asked Questions (21)
Q2. What are the future works in "SDN Security: A Survey"?
There is further potential in this area to exploit the dynamic and adaptive capabilities of the SDN framework using methods of moving target defense. An increased emphasis on this now could avoid a reduction in the performance and capability of future SDNs as a result of retrofit security solutions. Considering the breadth of potential security issues outlined in Table I, it is clear that a significant increase in effort is required to identify solutions to these challenges.
Q3. What are the main concerns of an OpenFlow vulnerability assessment?
The lack of TLS adoption by major vendors and the possibility of DoS attacks are the focus of an OpenFlow vulnerability assessment [10].
Q4. What is the main purpose of the FlowTags architecture?
The FlowTags architecture [14] proposes the use of minimally modified middle-boxes, which interact with a SDN controller through a FlowTags Application Programming Interface (API).
Q5. What should be considered in the design and development of alternative protocols?
The work to identify and correct security-related limitations of the OpenFlow protocol should be considered in the design and development of alternative protocols.
Q6. What is the meaning of dynamic access control?
for example, [20], provides dynamic access control enforced by network devices themselves based on higher-level security policies.
Q7. What is the key to the security of the network?
The SDN architecture can be exploited to enhance network security with the provision of a highly reactive security monitoring, analysis and response system.
Q8. What is the argument of Naous et al.?
Naous et al. [21] put forward the ident++ protocol to query endhosts and users for additional information in order to make forwarding decisions; their argument being that the central controller could become a bottleneck.
Q9. What is the importance of model checking?
Model-checking becomes an important step in detecting inconsistencies in policies from multiple applications or installed across multiple devices.
Q10. What is the main issue of concern based on open programmability of the network?
Another issue of concern based on open programmability of the network is trust; both between applications and controllers, and controllers and network devices.
Q11. What are some of the protocols that are being developed by IETF?
These include IETF ForCES (Forwarding and Control Element Separation), PCE (Path Computation Element), Netconf (Network Configuration), LISP (Locator/ID Separation Protocol) and I2RS (Interface to the Routing System).
Q12. What is the main idea behind the proposed use of language-based security?
In [30], the authors propose the use of language-based security to enable flow-based policy enforcement along with network isolation.
Q13. What is the first school of thought on security in software-defined networking?
The first is that significant improvements in network security can be achieved by simultaneously exploiting the programmability and the centralized network view introduced by SDN.
Q14. In what industry working groups have security in SDN been identified?
In the Internet Research Task Force (IRTF) and the International Telecommunication Union - Telecommunication Standardization Sector (ITU-T), general SDN study groups have been launched in which security in SDN is an identified issue.
Q15. What are the solutions that have been proposed beyond middle-boxes?
As such, beyond middle-boxes, a series of solutions have been proposed, which specifically exploit the SDN framework to provide network security solutions.
Q16. In what industry groups have various working groups been established?
Since the beginning of 2013, various working groups have been established in both the standardization industry and industry research groups.
Q17. What are the challenges associated with the SDN framework?
Considering the specific issues with security in SDN from the perspective of the SDN framework (Fig. 1), the authors can identify challenges associated with each layer of the framework: application, control and data planes, and on the interfaces between these layers.
Q18. What is the importance of a comprehensive review of the research work on security in SDN?
It is, therefore, essential, that techniques, methods and policies to overcome the SDN security challenges are explored and defined to enable robust and reliable wide area SDN deployments.
Q19. What is the main focus of the paper?
This paper focuses on the execution of Information Disclosure and DoS attacks, which the author established were possible to successfully execute.
Q20. What is the disadvantage of the Slick architecture?
A clear disadvantage of this architecture is the fact that it works with only pre-defined policies and currently does not handle dynamic actions.
Q21. What is the main idea behind the FortNox security application development framework?
Although FortNox provides numerous components, which are necessary for enforcing security, the authors feel that much work is still needed to offer a comprehensive suite of applications.