Proceedings ArticleDOI

SDN Security: A Survey

TL;DR: This paper presents a comprehensive survey of the research relating to security in software-defined networking that has been carried out to date, and both the security enhancements to be derived from using the SDN framework and the security challenges introduced by the framework are discussed.
Abstract: The pull of Software-Defined Networking (SDN) is magnetic. There are few in the networking community who have escaped its impact. As the benefits of network visibility and network device programmability are discussed, the question could be asked as to who exactly will benefit? Will it be the network operator or will it, in fact, be the network intruder? As SDN devices and systems hit the market, security in SDN must be raised on the agenda. This paper presents a comprehensive survey of the research relating to security in software-defined networking that has been carried out to date. Both the security enhancements to be derived from using the SDN framework and the security challenges introduced by the framework are discussed. By categorizing the existing work, a set of conclusions and proposals for future research directions are presented.

Summary

II. SECURITY ANALYSES OF SDN

  • The basic properties of a secure communications network are: confidentiality, integrity, availability of information, authentication and non-repudiation [4].
  • The alterations to the network architecture introduced by SDN must be assessed to ensure that network security is sustained.
  • Ethane [6] controlled the network through two components: a centralized controller responsible for enforcing global policy, and Ethane switches, which simply forwarded packets based on rules in a flow table.
  • The authors of an OpenFlow vulnerability assessment [10] found that the lack of TLS use could lead to fraudulent rule insertion and rule modification.
  • The authors of an analysis of the ProtoGENI testbed [12] discovered that numerous attacks between users of the testbed, along with malicious propagation and flooding attacks against the wider internet, were possible when using the ProtoGENI network.

III. SECURITY ENHANCEMENT USING SDN

  • The architecture of a software-defined network introduces potential for innovation in the use of the network.
  • The combination of the global or network-wide view and the network programmability supports a process of harvesting intelligence from existing Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), for example, followed by analysis and centralized reprogramming of the network.
  • This approach can render the SDN more robust to malicious attack than traditional networks.

IV. SECURITY CHALLENGES WITH SDN

  • While security as an advantage of the SDN framework has been recognized, solutions to tackle the challenges of securing the SDN network are fewer in number.
  • SDNs provide us with the ability to easily program the network and to allow for the creation of dynamic flow policies.
  • Model checking combined with symbolic execution may be used to test OpenFlow applications for correctness [25].
  • FRESCO [32] is one notable contribution, which presents an OpenFlow security application development framework incorporating FortNOX [33], a security enforcement kernel.
  • In a similar manner, the SDN security research work is classified in Table II by the layer/interface, which the analysis, enhancement or solution targets.

V. DISCUSSION

  • Considering the categorization of research work in Table II, it can be seen that there has been greater focus on exploiting SDN for enhanced network security than on generating solutions to the identified security issues.
  • Without a fixed system to observe and prepare to attack, the strength of the attacker is reduced.
  • A minor observation from the content of Table II is that the majority of the work references or implements OpenFlow for the control-data interface.
  • Several Internet Engineering Task Force (IETF) groups have defined protocols regarding separation of forwarding and control planes, network configuration and routing.
  • In the Internet Research Task Force (IRTF) and the International Telecommunication Union - Telecommunication Standardization Sector (ITU-T), general SDN study groups have been launched in which security in SDN is an identified issue.

VI. CONCLUSION

  • There are two schools of thought on security in software-defined networking.
  • The first is that significant improvements in network security can be achieved by simultaneously exploiting the programmability and the centralized network view introduced by SDN.
  • The second is that these same two SDN attributes expose the network to a range of new attacks.
  • The authors' analysis identifies that, regardless of your school of thought, there is yet more to be done: more untapped potential and more unresolved challenges.
  • A concerted effort in both directions could yield a truly secure and reliable Software-Defined Network.


SDN Security: A Survey
Scott-Hayward, S., O'Callaghan, G., & Sezer, S. (2013). SDN Security: A Survey. In 2013 IEEE SDN for Future Networks and Services (SDN4FNS) (pp. 1-7). Institute of Electrical and Electronics Engineers (IEEE). https://doi.org/10.1109/SDN4FNS.2013.6702553
Published in:
2013 IEEE SDN for Future Networks and Services (SDN4FNS)
Document Version:
Peer reviewed version
Queen's University Belfast - Research Portal:
Link to publication record in Queen's University Belfast Research Portal
Publisher rights
© 2013 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
General rights
Copyright for the publications made accessible via the Queen's University Belfast Research Portal is retained by the author(s) and / or other
copyright owners and it is a condition of accessing these publications that users recognise and abide by the legal requirements associated
with these rights.
Take down policy
The Research Portal is Queen's institutional repository that provides access to Queen's research output. Every effort has been made to
ensure that content in the Research Portal does not infringe any person's rights, or applicable UK laws. If you discover content in the
Research Portal that you believe breaches copyright or violates any law, please contact openaccess@qub.ac.uk.
Download date:09. Aug. 2022

Queen's University Belfast - Research Portal
SDN Security: A Survey
Scott-Hayward, S., O'Callaghan, G., & Sezer, S. (2013). SDN Security: A Survey. 56-62. Paper presented at IEEE SDN for Future Networks and Services (SDN4FNS), Trento, Italy. 10.1109/SDN4FNS.2013.6702553
Document Version:
Author final version (often known as postprint)

SDN Security: A Survey
Sandra Scott-Hayward, Gemma O'Callaghan and Sakir Sezer
Centre for Secure Information Technology (CSIT)
Queen's University Belfast
Belfast, BT3 9DT, Northern Ireland

ABSTRACT—The pull of Software-Defined Networking (SDN) is magnetic. There are few in the networking community who have escaped its impact. As the benefits of network visibility and network device programmability are discussed, the question could be asked as to who exactly will benefit? Will it be the network operator or will it, in fact, be the network intruder? As SDN devices and systems hit the market, security in SDN must be raised on the agenda. This paper presents a comprehensive survey of the research relating to security in software-defined networking that has been carried out to date. Both the security enhancements to be derived from using the SDN framework and the security challenges introduced by the framework are discussed. By categorizing the existing work, a set of conclusions and proposals for future research directions are presented.
I. INTRODUCTION

Software-defined networking (SDN) is rapidly moving from vision to reality with a host of SDN-enabled devices in development and production. The combination of separated control and data plane functionality and programmability in the network, which has long been discussed in the research world, has found its commercial application in cloud computing and virtualization technologies.

The advantages of SDN in various scenarios (e.g. the enterprise, the datacenter etc.) and across various backbone networks have already been proven, e.g. Google B4 [1]. However, challenges exist for a full-scale carrier network implementation of SDN. A number of these challenges have been presented in [2]. One key area, which is only beginning to receive the attention it deserves, is that of security in SDN.

The SDN architecture can be exploited to enhance network security with the provision of a highly reactive security monitoring, analysis and response system. The central controller is key to this system. Traffic analysis or anomaly-detection methods deployed in the network generate security-related data, which can be regularly transferred to the central controller. Applications can be run at the controller to analyze and correlate this feedback from the complete network. Based on the analysis, new or updated security policy can be propagated across the network in the form of flow rules. This consolidated approach can efficiently speed up the control and containment of network security threats.

However, the same attributes of centralized control and programmability associated with the SDN platform introduce network security challenges. An increased potential for Denial-of-Service (DoS) attacks, due to the centralized controller and the flow-table limitation in network devices, is a prime example. Another issue of concern, based on the open programmability of the network, is trust: both between applications and controllers, and between controllers and network devices.
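The DoS amplifiers named in the paragraph above, the bounded flow table and the single controller that must service every table miss, can be seen together in a small simulation. The following is an added example and not code from the surveyed paper: a switch with a 200-entry table and idle timeouts, a reactive controller, a host on port 3 that spoofs a fresh source/destination pair for every packet, and, as the mitigation, a per-port budget of packet-in messages that falls back to a temporary port-wide drop rule once exceeded. Table size, timeouts, budget, window and the traffic mix are illustrative assumptions.

```python
"""Added example, not code from the surveyed paper: a simulation of the two
amplifiers named in the paragraph, a bounded switch flow table and one
controller that must service every table miss. A per-port packet-in budget
that falls back to a temporary port-wide drop rule is used as the mitigation.
Table size, timeouts, budgets and the traffic mix are illustrative assumptions."""
import random
from collections import defaultdict, deque


class Switch:
    """Bounded flow table with idle timeouts; a table miss is punted to the controller."""

    def __init__(self, table_size, idle_timeout):
        self.table_size, self.idle_timeout = table_size, idle_timeout
        self.table = {}            # match -> [last_seen, action]
        self.packet_ins = 0        # messages the controller had to handle
        self.install_failures = 0  # rules refused because the table was full

    def _expire(self, now):
        for m, (last, _) in list(self.table.items()):
            if now - last > self.idle_timeout:
                del self.table[m]

    def _lookup(self, match):
        # exact (in_port, src, dst) entry first, then a port-wide wildcard
        for m in (match, (match[0], None, None)):
            if m in self.table:
                return m
        return None

    def install(self, match, action, now):
        if match in self.table or len(self.table) < self.table_size:
            self.table[match] = [now, action]
            return True
        self.install_failures += 1
        return False

    def packet(self, match, now, controller):
        self._expire(now)
        hit = self._lookup(match)
        if hit is not None:
            self.table[hit][0] = now
            return self.table[hit][1]   # handled in the data plane
        self.packet_ins += 1            # miss: the centralized controller decides
        return controller.packet_in(self, match, now)


class Controller:
    """Reactive forwarding. With a budget set, an ingress port that exceeds it
    within the window gets a port-wide drop rule instead of more flow entries."""

    def __init__(self, per_port_budget=None, window=100):
        self.budget, self.window = per_port_budget, window
        self.misses = defaultdict(deque)

    def packet_in(self, sw, match, now):
        port = match[0]
        q = self.misses[port]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if self.budget is not None and len(q) > self.budget:
            sw.install((port, None, None), "drop", now)
            return "drop"
        sw.install(match, "forward", now)
        return "forward"


def simulate(attack, mitigate, steps=2000, seed=7):
    rng = random.Random(seed)
    sw = Switch(table_size=200, idle_timeout=50)
    ctl = Controller(per_port_budget=20 if mitigate else None)
    legit_misses = 0
    for t in range(steps):
        if attack:  # the attacker on port 3 out-paces legitimate hosts: five spoofed flows per tick
            for _ in range(5):
                bogus = (3, "172.16.%d.%d" % (rng.randrange(256), rng.randrange(256)),
                         "10.0.1.%d" % rng.randrange(256))
                sw.packet(bogus, t, ctl)
        if t % 80 == 0:  # periodic management flow that always idles past the timeout
            flow = (1, "10.0.0.1", "10.0.2.1")
        else:            # two legitimate hosts on ports 1 and 2, eight servers each
            port = rng.choice([1, 2])
            flow = (port, "10.0.0.%d" % port, "10.0.1.%d" % rng.randrange(8))
        before = sw.packet_ins
        sw.packet(flow, t, ctl)
        if t >= 100 and sw.packet_ins > before:
            legit_misses += 1        # a legitimate flow had to wait on the controller
    return {"packet_ins": sw.packet_ins, "install_failures": sw.install_failures,
            "legit_misses": legit_misses, "table_entries": len(sw.table)}
```

Without the budget the attacker fills the table in about forty ticks, every one of its packets becomes a packet-in, and any legitimate flow whose entry idles out can never be reinstalled. With the budget the port-wide drop rule stops the packet-in stream after twenty misses; the cost is that all traffic from that port is dropped while the rule is refreshed, which is the trade-off a real deployment must accept or refine (for example by rate-limiting rather than dropping).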
A number of solutions to these SDN security challenges have been proposed in the literature. These range from controller replication schemes through policy conflict resolution to authentication mechanisms. Similarly, a number of proposals have been made to exploit the SDN framework for enhanced network security.

An analysis of the security challenges of SDN is presented in this paper. The individual security issues are categorized according to the SDN layer affected or targeted. The proposed and emerging solutions to these challenges are then discussed and categorized. The requirement for further work to establish a secure and robust SDN is clearly identified from the gap between the issues and the existing research. Without a significant increase in focus on security, it will not be possible for SDN to support the evolving capability associated with, for example, Network Functions Virtualization (NFV) [3].
II. SECURITY ANALYSES OF SDN

The basic properties of a secure communications network are: confidentiality, integrity, availability of information, authentication and non-repudiation [4]. In order to provide a network protected from malicious attack or unintentional damage, security professionals must secure the data, the network assets (e.g. devices) and the communication transactions across the network. The alterations to the network architecture introduced by SDN must be assessed to ensure that network security is sustained.

In an early iteration of what is known today as SDN, Casado et al. [5] specifically considered the security aspects of a separate control and forwarding framework. Their SANE architecture, proposed in 2006, centred on a logically centralized controller responsible for authentication of hosts and policy enforcement. At the time of its proposal, this was considered to be an extreme approach that would require a radical change to the networking infrastructure and end-hosts, which could be too restrictive for some enterprises.

Ethane [6] extended the work of SANE but used an approach which required less alteration to the original network. It controlled the network through the use of two components: a centralized controller responsible for enforcing global policy, and Ethane switches, which simply forwarded packets based on rules in a flow table. This simplified network control allowed the data and control plane to be separated to allow for more programmability. Although the Ethane architecture gave us a closer look at what SDN and OpenFlow would become, it suffered from a number of drawbacks. One of these is the fact that application traffic could compromise network policy. In today's SDN architecture, applications are used to provide various services, as, for example, with Network Functions Virtualization (NFV). The compromise of applications could potentially breach the entire network.

Considering the specific issues with security in SDN from the perspective of the SDN framework (Fig. 1), we can identify challenges associated with each layer of the framework: application, control and data planes, and on the interfaces between these layers.
Fig. 1. SDN Functional Architecture illustrating the data, control and application layers and interfaces
A number of security analyses have recently been performed, which have found that the altered elements or relationships between elements in the SDN framework introduce new vulnerabilities which were not present before SDN. One such paper [7] completes an analysis of the OpenFlow protocol using the STRIDE threat analysis methodology [8]. This paper focuses on the execution of Information Disclosure and DoS attacks, which the author established were possible to successfully execute. Although a number of mitigation techniques are proposed, these techniques are not proven in the work.

The OpenFlow switch specification [9] describes the use of transport layer security (TLS) with mutual authentication between the controllers and their switches. However, the security feature is optional, and the standard of TLS is not specified. The lack of TLS adoption by major vendors and the possibility of DoS attacks are the focus of an OpenFlow vulnerability assessment [10]. The authors found that the lack of TLS use could lead to fraudulent rule insertion and rule modification.
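The two gaps in the paragraph above, TLS being optional and its version being unspecified, are exactly the settings a deployment has to pin down itself. The following is an added example and not code from the surveyed paper or from any controller or switch implementation: the Python ssl contexts a controller's southbound listener and a switch's client side would use to enforce mutual authentication with a TLS 1.2 floor, the unconfigured default beside them for contrast, an audit function that reports the weak settings, and a check of Open vSwitch-style controller targets for cleartext `tcp:`/`ptcp:` forms. Certificate file names are placeholders supplied by the caller.

```python
"""Added example, not code from the surveyed paper or from any controller or
switch implementation: the TLS settings a controller's southbound listener and
a switch's client side would use so that the OpenFlow channel enforces mutual
authentication, plus an audit of the weak defaults the paragraph warns about.
Certificate file names are placeholders the caller supplies."""
import ssl

# Open vSwitch controller-target prefixes that carry OpenFlow over TLS
OVS_TLS_PREFIXES = ("ssl:", "pssl:")


def weak_listener_context():
    """The 'TLS optional, version unspecified' posture: a bare server context
    accepts any switch without a certificate and any TLS version."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def controller_listener_context(ca_file=None, cert_file=None, key_file=None):
    """Southbound listener: the switch must present a certificate from our CA,
    and nothing older than TLS 1.2 is negotiated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def switch_side_context(ca_file=None, cert_file=None, key_file=None):
    """The switch's side of mutual TLS: verify the controller's certificate and
    name (a rogue controller is the rule-insertion threat) and present our own."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def audit_context(ctx):
    """Return the findings a reviewer would raise against a channel context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required: any host can pose as a switch or controller")
    if ctx.protocol == ssl.PROTOCOL_TLS_CLIENT and not ctx.check_hostname:
        findings.append("controller name not checked: any certificate from the CA is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS version floor below 1.2")
    return findings


def cleartext_targets(targets):
    """Flag switch controller targets (Open vSwitch syntax) that run OpenFlow in the clear."""
    return [t for t in targets if not t.startswith(OVS_TLS_PREFIXES)]
```

On an Open vSwitch-based switch the corresponding configuration is `ovs-vsctl set-ssl <private-key> <certificate> <ca-certificate>` followed by `ovs-vsctl set-controller br0 ssl:<controller-ip>:6653`; a `tcp:` target is what `cleartext_targets` reports.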
In [11] Kreutz et al. present a high-level analysis of the overall security of SDN. They conclude that, due to the nature of the centralized controller and the programmability of the network, new threats are introduced requiring new responses. They propose a number of techniques in order to address the various threats, including replication, diversity and secure components.

Finally, the research network and testbed ProtoGENI has also been analyzed [12]. The authors discovered that numerous attacks between users of the testbed, along with malicious propagation and flooding attacks against the wider internet, were possible when using the ProtoGENI network.

The results of these analyses indicate the range of the security issues associated with the SDN framework. In Table I, a categorization of the SDN security issues is presented. A connection is drawn between the type of issue/attack (e.g. unauthorized access) and the SDN layer/interface affected by the issue/attack.

The control and data layers are identified in Table I as clear targets of attack. This reflects the main distinctions between the traditional network and the SDN: the centralized control element and the altered datapath elements to support programmability.

Although this analysis points towards security issues related to the control and data layers, there has been limited research in the field to tackle the challenges. In fact, as detailed in the next section, greater attention has been given to exploring the potential improvements in network security to be derived from the SDN framework.
III. SECURITY ENHANCEMENT USING SDN

The architecture of a software-defined network introduces potential for innovation in the use of the network. The combination of the global or network-wide view and the network programmability supports a process of harvesting intelligence from existing Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), for example, followed by analysis and centralized reprogramming of the network. This approach can render the SDN more robust to malicious attack than traditional networks.
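The monitoring, analysis and response loop described in the introduction and again in the paragraph above is small enough to show end to end. The following is an added example and not code from the surveyed paper: a toy controller application that parses alerts from IDS sensors attached to three switches, correlates them with the network-wide view (no single sensor sees enough targets to call the source a scanner, the controller does), emits OpenFlow-style drop rules for every switch, and checks the new rules against the existing policy so that an outranking allow rule cannot make the quarantine fail silently. The alert line format, the switch names s1 to s3, the signature names and the FlowRule representation are assumptions made for this illustration.

```python
"""Added example, not code from the surveyed paper: a toy controller application
that harvests alerts from IDS sensors attached to several switches, correlates
them network-wide, and emits OpenFlow-style drop rules for every switch.
The alert line format, switch names (s1..s3), signature names and the
FlowRule representation are assumptions made for this illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRule:
    dpid: str         # switch the rule is installed on
    priority: int     # higher wins when matches overlap
    match: tuple      # ((field, value), ...) using OpenFlow field names
    actions: tuple    # ("drop",) or ("output", port)


# Constructed sample alerts: sensor switch, src IP, dst IP, signature name.
IDS_ALERTS = """\
s1 10.0.0.7 10.0.0.20 ET SCAN Nmap SYN
s1 10.0.0.7 10.0.0.21 ET SCAN Nmap SYN
s2 10.0.0.7 10.0.0.30 ET SCAN Nmap SYN
s3 10.0.0.9 10.0.0.31 ET POLICY Cleartext FTP login
s3 10.0.0.7 10.0.0.31 ET SCAN Nmap SYN
"""

SCAN_THRESHOLD = 3  # distinct targets across all sensors before a source is a scanner


def parse_alerts(text):
    alerts = []
    for line in text.splitlines():
        if line.strip():
            switch, src, dst, sig = line.split(maxsplit=3)
            alerts.append({"switch": switch, "src": src, "dst": dst, "sig": sig})
    return alerts


def correlate(alerts, threshold=SCAN_THRESHOLD):
    """Network-wide view: count distinct scan targets per source over every sensor."""
    targets = defaultdict(set)
    for a in alerts:
        if a["sig"].startswith("ET SCAN"):
            targets[a["src"]].add(a["dst"])
    return {src for src, seen in targets.items() if len(seen) >= threshold}


def quarantine_rules(sources, switches, priority=1000):
    """Centralized reprogramming: block each offender at every switch, not just
    the one whose sensor raised the alert."""
    return [FlowRule(dpid, priority, (("eth_type", 0x0800), ("ipv4_src", src)), ("drop",))
            for src in sorted(sources) for dpid in switches]


def overlaps(m1, m2):
    """Two matches overlap when every field they both specify has the same value."""
    d1, d2 = dict(m1), dict(m2)
    return all(d1[k] == d2[k] for k in d1.keys() & d2.keys())


def check_conflicts(new_rules, existing):
    """A drop rule outranked by an overlapping allow rule on the same switch
    never fires; report those so the quarantine does not fail silently."""
    return [(r.dpid, e.priority, dict(e.match))
            for r in new_rules for e in existing
            if e.dpid == r.dpid and e.actions != ("drop",)
            and e.priority >= r.priority and overlaps(e.match, r.match)]


def respond(alert_text, switches, existing=()):
    rules = quarantine_rules(correlate(parse_alerts(alert_text)), switches)
    return rules, check_conflicts(rules, existing)
```

With the constructed alerts, sensors s1 and s2 each see only one or two targets for 10.0.0.7; the controller sees four and quarantines the host on all three switches. A pre-existing priority-2000 allow rule on s2 would be reported as a conflict rather than left to shadow the drop.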

TABLE I
CATEGORIZATION OF THE SECURITY ISSUES ASSOCIATED WITH THE SDN FRAMEWORK BY LAYER/INTERFACE AFFECTED

Columns (SDN layer affected or targeted): Application Layer | App-Ctl Interface | Control Layer | Ctl-Data Interface | Data Layer

Security Issue/Attack                                              Affected (one mark per layer/interface)
Unauthorized Access, e.g.
  Unauthorized Controller Access                                   X X X
  Unauthenticated Application                                      X X X
Data Leakage, e.g.
  Flow Rule Discovery (Side Channel Attack on Input Buffer)        X
  Forwarding Policy Discovery (Packet Processing Timing Analysis)  X
Data Modification, e.g.
  Flow Rule Modification to Modify Packets                         X X X
Malicious Applications, e.g.
  Fraudulent Rule Insertion                                        X X X
  Controller Hijacking                                             X X X
Denial of Service, e.g.
  Controller-Switch Communication Flood                            X X X
  Switch Flow Table Flooding                                       X
Configuration Issues, e.g.
  Lack of TLS (or other Authentication Technique) Adoption         X X X
  Policy Enforcement                                               X X X
A. The SDN Middle-box

Traditional networks use middle-boxes to provide network security functions. Recently, there has been discussion about the integration of security middle-boxes into SDN, exploiting the benefit of programmability to redirect selected network traffic through the middle-box. For example, the Slick architecture [13] proposes a centralized controller, which is responsible for installing and migrating functions onto custom middle-boxes. Applications can then direct the Slick controller to install the necessary functions for routing particular flows based on security requirements.

The FlowTags architecture [14] proposes the use of minimally modified middle-boxes, which interact with an SDN controller through a FlowTags Application Programming Interface (API). FlowTags, consisting of traffic flow information, are embedded in packet headers to provide flow tracking and enable controlled routing of tagged packets. A clear disadvantage of this architecture is the fact that it works with only pre-defined policies and currently does not handle dynamic actions.

The SIMPLE policy enforcement layer [15] is an approach for using SDN to manage middle-box deployments. In contrast to [13], [14], it requires no modifications to SDN capabilities or middle-box functionality, which makes it suitable for legacy systems.

Based on these proposals, it would appear that a simple approach to network security provision would be to introduce an appropriate middle-box and programme the network to direct selected traffic through the middle-box. It is not, however, quite as straightforward as that. The appropriate placement and integration of SDN middle-boxes must be determined, along with the performance penalty that can be tolerated when traffic is diverted through an additional link. Such questions have not yet been resolved.

However, as illustrated in Table I, the range of attacks that pose threats to the network is well understood. As such, beyond middle-boxes, a series of solutions have been proposed which specifically exploit the SDN framework to provide network security solutions.
B. SDN = "Security Defined Networking"?

Attackers use various scanning techniques to discover vulnerable targets in the network. One defense presented to thwart these attacks is the use of random virtual Internet Protocol (IP) addresses using SDN [16]. This technique uses the OpenFlow controller to manage a pool of virtual IP addresses, which are assigned to hosts within the network, hiding the real IP addresses from the outside world. This presents a moving target defense, which is a form of adaptive cybersecurity.
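The virtual-IP scheme above can be illustrated with a small controller model. The following is an added example and not code from [16] or from the surveyed paper: the controller hands every protected host a virtual address drawn from a pool, rotates the assignment each epoch so that no address from the previous epoch stays valid, and derives the edge-switch rewrite rules (virtual to real inbound, real to virtual outbound, drop for anything else). A scanner probing the pool learns only virtual addresses, and its results are worthless after the next rotation. The host list, pool, port numbers and rule representation are assumptions for this illustration.

```python
"""Added example, not code from [16] or the surveyed paper: a toy controller that
issues every protected host a virtual IP from a pool, rotates the assignment
each epoch, and derives the edge-switch rewrite rules. The host list, pool,
port numbers and epoch behaviour are assumptions for this illustration."""
import ipaddress
import random


class VirtualIpController:
    def __init__(self, real_hosts, pool_cidr, seed=None):
        self.real_hosts = list(real_hosts)
        self.pool = [str(a) for a in ipaddress.ip_network(pool_cidr).hosts()]
        if len(self.pool) < 2 * len(self.real_hosts):
            raise ValueError("pool too small to guarantee fresh addresses every epoch")
        self.rng = random.Random(seed)
        self.epoch = 0
        self.v2r = {}        # virtual IP -> real IP for the current epoch
        self.rotate()

    def rotate(self):
        """Start a new epoch: every host gets a virtual IP that was not in use
        during the previous epoch, so an earlier scan result points at nothing."""
        previous = set(self.v2r)
        while True:
            fresh = self.rng.sample(self.pool, len(self.real_hosts))
            if previous.isdisjoint(fresh):
                break
        self.epoch += 1
        self.v2r = dict(zip(fresh, self.real_hosts))
        return self.flow_rules()

    def virtual_of(self, real_ip):
        return next(v for v, r in self.v2r.items() if r == real_ip)

    def flow_rules(self, uplink_port=1, host_port=2):
        """OpenFlow-style rules for the edge switch: rewrite vIP->rIP inbound,
        rIP->vIP outbound, and drop anything addressed to an unassigned vIP."""
        rules = []
        for v, r in self.v2r.items():
            rules.append({"priority": 100, "match": {"in_port": uplink_port, "ipv4_dst": v},
                          "actions": [("set_field", "ipv4_dst", r), ("output", host_port)]})
            rules.append({"priority": 100, "match": {"in_port": host_port, "ipv4_src": r},
                          "actions": [("set_field", "ipv4_src", v), ("output", uplink_port)]})
        rules.append({"priority": 1, "match": {"in_port": uplink_port}, "actions": [("drop",)]})
        return rules

    def deliver(self, dst_ip):
        """Which real host an external packet to dst_ip reaches now (None: dropped)."""
        return self.v2r.get(dst_ip)


def scan(controller, candidates):
    """An external scanner probing the pool: it only ever learns virtual addresses."""
    return {ip for ip in candidates if controller.deliver(ip) is not None}
```

Rotation has to be coordinated with DNS or whatever resolves names for external clients, and with any long-lived connections, which is the part [16] addresses beyond this sketch; the model here only shows why a scan result goes stale.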

Citations
Journal ArticleDOI
01 Jan 2015
TL;DR: This paper presents an in-depth analysis of the hardware infrastructure, southbound and northbound application programming interfaces (APIs), network virtualization layers, network operating systems (SDN controllers), network programming languages, and network applications, and presents the key building blocks of an SDN infrastructure using a bottom-up, layered approach.
Abstract: The Internet has led to the creation of a digital society, where (almost) everything is connected and is accessible from anywhere. However, despite their widespread adoption, traditional IP networks are complex and very hard to manage. It is both difficult to configure the network according to predefined policies, and to reconfigure it to respond to faults, load, and changes. To make matters even more difficult, current networks are also vertically integrated: the control and data planes are bundled together. Software-defined networking (SDN) is an emerging paradigm that promises to change this state of affairs, by breaking vertical integration, separating the network's control logic from the underlying routers and switches, promoting (logical) centralization of network control, and introducing the ability to program the network. The separation of concerns, introduced between the definition of network policies, their implementation in switching hardware, and the forwarding of traffic, is key to the desired flexibility: by breaking the network control problem into tractable pieces, SDN makes it easier to create and introduce new abstractions in networking, simplifying network management and facilitating network evolution. In this paper, we present a comprehensive survey on SDN. We start by introducing the motivation for SDN, explain its main concepts and how it differs from traditional networking, its roots, and the standardization activities regarding this novel paradigm. Next, we present the key building blocks of an SDN infrastructure using a bottom-up, layered approach. We provide an in-depth analysis of the hardware infrastructure, southbound and northbound application programming interfaces (APIs), network virtualization layers, network operating systems (SDN controllers), network programming languages, and network applications. We also look at cross-layer problems such as debugging and troubleshooting. 
In an effort to anticipate the future evolution of this new paradigm, we discuss the main ongoing research efforts and challenges of SDN. In particular, we address the design of switches and control platforms—with a focus on aspects such as resiliency, scalability, performance, security, and dependability—as well as new opportunities for carrier transport networks and cloud providers. Last but not least, we analyze the position of SDN as a key enabler of a software-defined environment.

3,589 citations


Cites background from "Sdn Security: A Survey"

  • ...Different threat vectors have already been identified in SDN architectures [357], as well as several security issues and weaknesses in OpenFlow-based networks [507], [508], [509], [201], [510], [194], [511], [512]. While some threat vectors are common to existing networks, others are more specific to SDN, such as attacks on control plane communication and logically-centralized controllers. It is worth me...


Posted Content
TL;DR: Software-Defined Networking (SDN) as discussed by the authors is an emerging paradigm that promises to change this state of affairs, by breaking vertical integration, separating the network's control logic from the underlying routers and switches, promoting (logical) centralization of network control, and introducing the ability to program the network.
Abstract: Software-Defined Networking (SDN) is an emerging paradigm that promises to change this state of affairs, by breaking vertical integration, separating the network's control logic from the underlying routers and switches, promoting (logical) centralization of network control, and introducing the ability to program the network. The separation of concerns introduced between the definition of network policies, their implementation in switching hardware, and the forwarding of traffic, is key to the desired flexibility: by breaking the network control problem into tractable pieces, SDN makes it easier to create and introduce new abstractions in networking, simplifying network management and facilitating network evolution. In this paper we present a comprehensive survey on SDN. We start by introducing the motivation for SDN, explain its main concepts and how it differs from traditional networking, its roots, and the standardization activities regarding this novel paradigm. Next, we present the key building blocks of an SDN infrastructure using a bottom-up, layered approach. We provide an in-depth analysis of the hardware infrastructure, southbound and northbound APIs, network virtualization layers, network operating systems (SDN controllers), network programming languages, and network applications. We also look at cross-layer problems such as debugging and troubleshooting. In an effort to anticipate the future evolution of this new paradigm, we discuss the main ongoing research efforts and challenges of SDN. In particular, we address the design of switches and control platforms -- with a focus on aspects such as resiliency, scalability, performance, security and dependability -- as well as new opportunities for carrier transport networks and cloud providers. Last but not least, we analyze the position of SDN as a key enabler of a software-defined environment.

1,968 citations

Journal ArticleDOI
TL;DR: This work can help to understand how to make full use of SDN's advantages to defeat DDoS attacks in cloud computing environments and how to prevent SDN itself from becoming a victim of DDoS attacks, which are important for the smooth evolution of SDN-based cloud without the distraction of DDoS attacks.
Abstract: Distributed denial of service (DDoS) attacks in cloud computing environments are growing due to the essential characteristics of cloud computing. With recent advances in software-defined networking (SDN), SDN-based cloud brings us new chances to defeat DDoS attacks in cloud computing environments. Nevertheless, there is a contradictory relationship between SDN and DDoS attacks. On one hand, the capabilities of SDN, including software-based traffic analysis, centralized control, global view of the network, dynamic updating of forwarding rules, make it easier to detect and react to DDoS attacks. On the other hand, the security of SDN itself remains to be addressed, and potential DDoS vulnerabilities exist across SDN platforms. In this paper, we discuss the new trends and characteristics of DDoS attacks in cloud computing, and provide a comprehensive survey of defense mechanisms against DDoS attacks using SDN. In addition, we review the studies about launching DDoS attacks on SDN, as well as the methods against DDoS attacks in SDN. To the best of our knowledge, the contradictory relationship between SDN and DDoS attacks has not been well addressed in previous works. This work can help to understand how to make full use of SDN's advantages to defeat DDoS attacks in cloud computing environments and how to prevent SDN itself from becoming a victim of DDoS attacks, which are important for the smooth evolution of SDN-based cloud without the distraction of DDoS attacks.

669 citations


Cites background from "Sdn Security: A Survey"

  • ...3) Programmability of the network by external applications: The programmability of SDN supports a process of harvesting intelligence from existing Intrusion Detection Systems (IDSs) [72] and Intrusion Prevention Systems (IPSs) [33]....


  • ...Security analysis has showed that the SDN framework suffers many security threats, including [33]:...


  • ...The authors of [33] point out that three issues of SDN include trust between all involved layers, SDN’s control plane centralization and limited space in flow-tables....


  • ...Based on the analysis, new or updated security policy can be propagated across the network in the form of flow rules [33]....


Journal ArticleDOI
TL;DR: This paper analyzes security threats to application, control, and data planes of SDN and describes the security platforms that secure each of the planes followed by various security approaches for network-wide security in SDN.
Abstract: Software defined networking (SDN) decouples the network control and data planes. The network intelligence and state are logically centralized and the underlying network infrastructure is abstracted from applications. SDN enhances network security by means of global visibility of the network state where a conflict can be easily resolved from the logically centralized control plane. Hence, the SDN architecture empowers networks to actively monitor traffic and diagnose threats to facilitate network forensics, security policy alteration, and security service insertion. The separation of the control and data planes, however, opens security challenges, such as man-in-the-middle attacks, denial of service (DoS) attacks, and saturation attacks. In this paper, we analyze security threats to application, control, and data planes of SDN. The security platforms that secure each of the planes are described followed by various security approaches for network-wide security in SDN. SDN security is analyzed according to security dimensions of the ITU-T recommendation, as well as, by the costs of security solutions. In a nutshell, this paper highlights the present and future security challenges in SDN and future directions for secure SDN.

443 citations


Cites methods from "Sdn Security: A Survey"

  • ...Similarly, OpenFlow has sprung from the ideas of the 4D project as stated in [12]....


Journal ArticleDOI
TL;DR: This paper systematically review the security requirements, attack vectors, and the current security solutions for the IoT networks, and sheds light on the gaps in these security solutions that call for ML and DL approaches.
Abstract: The future Internet of Things (IoT) will have a deep economical, commercial and social impact on our lives. The participating nodes in IoT networks are usually resource-constrained, which makes them luring targets for cyber attacks. In this regard, extensive efforts have been made to address the security and privacy issues in IoT networks primarily through traditional cryptographic approaches. However, the unique characteristics of IoT nodes render the existing solutions insufficient to encompass the entire security spectrum of the IoT networks. Machine Learning (ML) and Deep Learning (DL) techniques, which are able to provide embedded intelligence in the IoT devices and networks, can be leveraged to cope with different security problems. In this paper, we systematically review the security requirements, attack vectors, and the current security solutions for the IoT networks. We then shed light on the gaps in these security solutions that call for ML and DL approaches. Finally, we discuss in detail the existing ML and DL solutions for addressing different security problems in IoT networks. We also discuss several future research directions for ML- and DL-based IoT security.

407 citations



References
Proceedings ArticleDOI
27 Aug 2013
TL;DR: This work presents the design, implementation, and evaluation of B4, a private WAN connecting Google's data centers across the planet, using OpenFlow to control relatively simple switches built from merchant silicon.
Abstract: We present the design, implementation, and evaluation of B4, a private WAN connecting Google's data centers across the planet. B4 has a number of unique characteristics: i) massive bandwidth requirements deployed to a modest number of sites, ii) elastic traffic demand that seeks to maximize average bandwidth, and iii) full control over the edge servers and network, which enables rate limiting and demand measurement at the edge. These characteristics led to a Software Defined Networking architecture using OpenFlow to control relatively simple switches built from merchant silicon. B4's centralized traffic engineering service drives links to near 100% utilization, while splitting application flows among multiple paths to balance capacity against application priority/demands. We describe experience with three years of B4 production deployment, lessons learned, and areas for future work.

2,226 citations


"Sdn Security: A Survey" refers to this work as background (published by the Institute of Electrical and Electronics Engineers (IEEE), https://doi.org/10.1109/SDN4FNS.2013.6702553).

Proceedings ArticleDOI
27 Aug 2007
TL;DR: Ethane allows managers to define a single network-wide fine-grain policy, and then enforces it directly, and this design is backwards-compatible with existing hosts and switches.
Abstract: This paper presents Ethane, a new network architecture for the enterprise. Ethane allows managers to define a single network-wide fine-grain policy, and then enforces it directly. Ethane couples extremely simple flow-based Ethernet switches with a centralized controller that manages the admittance and routing of flows. While radical, this design is backwards-compatible with existing hosts and switches. We have implemented Ethane in both hardware and software, supporting both wired and wireless hosts. Our operational Ethane network has supported over 300 hosts for the past four months in a large university network, and this deployment experience has significantly affected Ethane's design.

1,079 citations

Journal ArticleDOI
TL;DR: The question of how to achieve a successful carrier grade network with software-defined networking is raised and specific focus is placed on the challenges of network performance, scalability, security, and interoperability with the proposal of potential solution directions.
Abstract: Cloud services are exploding, and organizations are converging their data centers in order to take advantage of the predictability, continuity, and quality of service delivered by virtualization technologies. In parallel, energy-efficient and high-security networking is of increasing importance. Network operators, and service and product providers require a new network solution to efficiently tackle the increasing demands of this changing network landscape. Software-defined networking has emerged as an efficient network technology capable of supporting the dynamic nature of future network functions and intelligent applications while lowering operating costs through simplified hardware, software, and management. In this article, the question of how to achieve a successful carrier grade network with software-defined networking is raised. Specific focus is placed on the challenges of network performance, scalability, security, and interoperability with the proposal of potential solution directions.

943 citations



Proceedings Article
02 Apr 2013
TL;DR: VeriFlow as discussed by the authors is a layer between a software-defined networking controller and network devices that checks for network-wide invariant violations dynamically as each forwarding rule is inserted, modified or deleted.
Abstract: Networks are complex and prone to bugs. Existing tools that check network configuration files and the data-plane state operate offline at timescales of seconds to hours, and cannot detect or prevent bugs as they arise. Is it possible to check network-wide invariants in real time, as the network state evolves? The key challenge here is to achieve extremely low latency during the checks so that network performance is not affected. In this paper, we present a design, VeriFlow, which achieves this goal. VeriFlow is a layer between a software-defined networking controller and network devices that checks for network-wide invariant violations dynamically as each forwarding rule is inserted, modified or deleted. VeriFlow supports analysis over multiple header fields, and an API for checking custom invariants. Based on a prototype implementation integrated with the NOX OpenFlow controller, and driven by a Mininet OpenFlow network and Route Views trace data, we find that VeriFlow can perform rigorous checking within hundreds of microseconds per rule insertion or deletion.

870 citations

01 Jan 2009
TL;DR: This paper builds a research platform which allows multiple network experiments to run side-by-side with production traffic while still providing isolation and hardware forwarding speeds and presents a new approach to switch virtualization in which the same hardware forwarding plane can be shared among multiple logical networks, each with distinct forwarding logic.
Abstract: Network virtualization has long been a goal of the network research community. With it, multiple isolated logical networks, each with potentially different addressing and forwarding mechanisms, can share the same physical infrastructure. Typically this is achieved by taking advantage of the flexibility of software (e.g. [20, 23]) or by duplicating components in (often specialized) hardware [19]. In this paper we present a new approach to switch virtualization in which the same hardware forwarding plane can be shared among multiple logical networks, each with distinct forwarding logic. We use this switch-level virtualization to build a research platform which allows multiple network experiments to run side-by-side with production traffic while still providing isolation and hardware forwarding speeds. We also show that this approach is compatible with commodity switching chipsets and does not require the use of programmable hardware such as FPGAs or network processors. We build and deploy this virtualization platform on our own production network and demonstrate its use in practice by running five experiments simultaneously within a campus network. Further, we quantify the overhead of our approach and evaluate the completeness of the isolation between virtual slices.

843 citations

Frequently Asked Questions (21)
Q1. What are the contributions in "Sdn security: a survey"?

As the benefits of network visibility and network device programmability are discussed, the question could be asked as to who exactly will benefit? This paper presents a comprehensive survey of the research relating to security in software-defined networking that has been carried out to date. Both the security enhancements to be derived from using the SDN framework and the security challenges introduced by the framework are discussed.

There is further potential in this area to exploit the dynamic and adaptive capabilities of the SDN framework using methods of moving target defense. An increased emphasis on this now could avoid a reduction in the performance and capability of future SDNs as a result of retrofit security solutions. Considering the breadth of potential security issues outlined in Table I, it is clear that a significant increase in effort is required to identify solutions to these challenges. 

The lack of TLS adoption by major vendors and the possibility of DoS attacks are the focus of an OpenFlow vulnerability assessment [10]. 

The FlowTags architecture [14] proposes the use of minimally modified middle-boxes, which interact with a SDN controller through a FlowTags Application Programming Interface (API). 

The work to identify and correct security-related limitations of the OpenFlow protocol should be considered in the design and development of alternative protocols.

For example, [20] provides dynamic access control enforced by network devices themselves based on higher-level security policies.

The SDN architecture can be exploited to enhance network security with the provision of a highly reactive security monitoring, analysis and response system. 

Naous et al. [21] put forward the ident++ protocol to query end-hosts and users for additional information in order to make forwarding decisions, their argument being that the central controller could become a bottleneck.

Model-checking becomes an important step in detecting inconsistencies in policies from multiple applications or installed across multiple devices. 

Another issue of concern based on open programmability of the network is trust; both between applications and controllers, and controllers and network devices. 

These include IETF ForCES (Forwarding and Control Element Separation), PCE (Path Computation Element), Netconf (Network Configuration), LISP (Locator/ID Separation Protocol) and I2RS (Interface to the Routing System).

In [30], the authors propose the use of language-based security to enable flow-based policy enforcement along with network isolation. 

The first is that significant improvements in network security can be achieved by simultaneously exploiting the programmability and the centralized network view introduced by SDN.

In the Internet Research Task Force (IRTF) and the International Telecommunication Union - Telecommunication Standardization Sector (ITU-T), general SDN study groups have been launched in which security in SDN is an identified issue. 

As such, beyond middle-boxes, a series of solutions have been proposed, which specifically exploit the SDN framework to provide network security solutions. 

Since the beginning of 2013, various working groups have been established in both the standardization industry and industry research groups. 

Considering the specific issues with security in SDN from the perspective of the SDN framework (Fig. 1), the authors can identify challenges associated with each layer of the framework: application, control and data planes, and on the interfaces between these layers. 

It is, therefore, essential that techniques, methods and policies to overcome the SDN security challenges are explored and defined to enable robust and reliable wide area SDN deployments.

This paper focuses on the execution of Information Disclosure and DoS attacks, which the author established were possible to successfully execute. 

A clear disadvantage of this architecture is the fact that it works with only pre-defined policies and currently does not handle dynamic actions. 

Although FortNox provides numerous components, which are necessary for enforcing security, the authors feel that much work is still needed to offer a comprehensive suite of applications.