Black Hat Europe 2014, Amsterdam
Abusing Software Defined Networks
Overview
- What is it?
- Exploiting it!
- Fixing it!
- Moving Forward
- Wrapping Up
Modern Day Networks
- Vendor Dependent
- Difficult to scale
- Complex and Prone to Break
- Distributed and Often Inconsistent Configuration
- Uses inflexible and difficult to innovate protocols
- Unable to Consider Other Factors
… And Good Luck If You Want To Change It!
Enter … Software Defined Networking
- Separate the Control and Data Plane
  - Forwarding Decisions Made By a Controller
  - Switches and Routers Just Forward Packets
- Controllers
  - Programmed with the Intelligence
  - Full visibility of the Network
  - Can consider the totality of the network before making any decision
  - Enforce Granular Policy
Enter … Software Defined Networking
- Switches
  - Bare-Metal Only
  - Any Vendor … Hardware or Software
Solves Lots of Problems
- Less Expensive Hardware
- With BGP
  - Maintenance Dry-Out
  - Customer Egress Selection
  - Better BGP Security
  - Faster Convergence
  - Granular Peering at IXPs
Expands Our Capability
- Real-World Network Slicing of Flow Space
- Network and Server Load Balancing
- Security
  - Dynamic Access Control
  - Adaptive Traffic Monitoring
  - Attack Detection and Mitigation
Emerging Standards
- Old and Busted
  - SNMP
  - BGP
  - Netconf
  - LISP
  - PCEP
- New Hotness
  - OVSDB
  - Openflow
Introducing Openflow
- Establishes Elements
  - Controller
  - Secure Channel
  - Forwarding Element
- Defines …
  - Forwarding Process
  - Messaging Format
Introducing Openflow
- Forwarding Process
  - Check Flow Table
  - If Match Found, Execute Action
  - If No Match, Send Packet to controller
  - Update Flow Table
- Flow Tables
  - Match/Action Entries
  - 12 fields available for matching
  - Wildcard matching available
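The forwarding process above, as an added example that is not code from the talk: a toy switch with a wildcard-capable flow table and a reactive controller, showing that every table miss costs the controller one message. Class names, the MAC-to-port map and the sample packets are constructed for illustration; the field names are the 12 OpenFlow 1.0 match fields.

```python
# Added illustration (not code from the talk): OpenFlow 1.0 style flow lookup.
# Class and function names are hypothetical; packets are constructed samples.
from dataclasses import dataclass

# The 12 header fields an OpenFlow 1.0 flow entry can match on.
MATCH_FIELDS = ("in_port", "dl_src", "dl_dst", "dl_vlan", "dl_vlan_pcp",
                "dl_type", "nw_tos", "nw_proto", "nw_src", "nw_dst",
                "tp_src", "tp_dst")


@dataclass
class FlowEntry:
    match: dict        # field -> required value; an omitted field is a wildcard
    actions: list
    priority: int = 0
    packets: int = 0   # per-entry traffic counter

    def matches(self, pkt):
        return all(pkt.get(name) == value for name, value in self.match.items())


class Controller:
    """Toy reactive controller that knows which port each MAC address is on."""

    def __init__(self, mac_to_port):
        self.mac_to_port = mac_to_port
        self.packet_ins = 0   # every table miss costs the controller one message

    def packet_in(self, pkt):
        self.packet_ins += 1
        port = self.mac_to_port.get(pkt["dl_dst"])
        actions = ["output:%d" % port] if port is not None else ["drop"]
        return FlowEntry({"dl_dst": pkt["dl_dst"]}, actions, priority=10)


class Switch:
    def __init__(self, controller):
        self.controller = controller
        self.table = []

    def install(self, entry):
        unknown = set(entry.match) - set(MATCH_FIELDS)
        if unknown:
            raise ValueError("not an OpenFlow 1.0 match field: %s" % sorted(unknown))
        self.table.append(entry)
        self.table.sort(key=lambda e: e.priority, reverse=True)

    def forward(self, pkt):
        for entry in self.table:                  # 1. check the flow table
            if entry.matches(pkt):
                entry.packets += 1
                return entry.actions, "table"     # 2. match found: execute action
        entry = self.controller.packet_in(pkt)    # 3. no match: ask the controller
        self.install(entry)                       # 4. update the flow table
        entry.packets += 1
        return entry.actions, "controller"


def demo():
    ctl = Controller({"00:00:00:00:00:02": 2})
    sw = Switch(ctl)
    # Static wildcard entry: drop telnet whatever the source or destination.
    sw.install(FlowEntry({"dl_type": 0x0800, "nw_proto": 6, "tp_dst": 23},
                         ["drop"], priority=100))
    web = {"in_port": 1, "dl_src": "00:00:00:00:00:01",
           "dl_dst": "00:00:00:00:00:02", "dl_type": 0x0800,
           "nw_proto": 6, "tp_src": 40000, "tp_dst": 80}
    telnet = dict(web, tp_dst=23)
    results = [sw.forward(web), sw.forward(web), sw.forward(telnet)]
    return results, ctl.packet_ins


if __name__ == "__main__":
    print(demo())
```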
Introducing Openflow
Leading Platforms
- Proprietary
  - Cisco Application Policy Infrastructure Controller (APIC)
  - Cisco Extensible Network Controller (XNC)
  - HP Virtual Application Networks (VAN) SDN Controller
  - IBM Programmable Network Controller
- Open-Source
  - Nox/Pox
  - Ryu
  - Floodlight
  - Opendaylight
Floodlight
- Open-Source Java Controller
- Primarily an Openflow-based controller
- Supports Openflow v1.0.0
- Fork from the Beacon Java Openflow controller
- Maintained by Big Switch Networks
Opendaylight
- Open-Source Java Controller
- Many southbound options including Openflow
- Supports Openflow v1.0.0 and v1.3.0
- Fork from the Beacon Java Openflow controller
- A Linux Foundation Collaborative Project
- Supported by Citrix, Red Hat, Ericsson, Hewlett Packard, Brocade, Cisco, Juniper, Microsoft, and IBM
So It’s Gonna Be All …
Not Exactly!
Protocol Weaknesses
- Encryption and Authentication via TLS
- More of a suggestion than a requirement though …
- Started Out Good
- Heading Backwards
- v1.0.0 over TLS
- v1.4.0 over TCP or TLS
Protocol Weaknesses
- Controllers
  - Floodlight … Nope
  - Opendaylight … Supported but not required
- Switches
  - Arista … No
  - Brocade … Surprisingly, Yes
  - Cisco … Another, Yes
  - Dell … No
  - Extreme … Another, Yes
  - HP … No
Protocol Weaknesses
- Switches
  - Huawei … No
  - IBM … No
  - Juniper … No
  - NEC … Another, Yes
  - Netgear … No
  - Pronto … Yes
  - OVS … No
Could Lead To …
- Information Disclosure through Interception
- Modification through Man-in-the-Middle
- And all sorts of DoS Nastiness!
DoS Nastiness
- Openflow
  - Centralization Entails Dependency
  - Dependency Can Be Exploited
  - How are vendors handling it?
- Floodlight
  - Explored by Solomon, Francis, and Eitan
  - Their Results … Handling It Poorly
- Opendaylight
  - Unknown but worth investigating
  - It is Java for God's Sake!
Tools
- of-switch.py
  - Impersonates an Openflow switch
  - Utilizes Openflow v1.0.0
- of-flood.py
  - Floods an Openflow controller
  - Disrupting the network and bringing it down
  - Utilizes Openflow v1.0.0
Debug Ports
- No Encryption
- No Authentication
- Just Full Control of the Switch
- All Via “dpctl” command-line tool
- Not a problem yet …
- But Soon Will Be!
Controller Weaknesses
- Floodlight
  - No Encryption for Northbound HTTP API
  - No Authentication for Northbound HTTP API
- Opendaylight
  - Encryption for Northbound HTTP API
    - Turned Off by Default
  - Authentication for Northbound HTTP API
    - HTTP Basic Authentication
    - Default Password Weak
    - Strong Passwords Turned Off by Default
Could Lead To …
- Information Disclosure through Interception
  - Topology
  - Credentials
- Information Disclosure through Unauthorized Access
  - Topology
  - Targets
And …
- Topology, Flow, and Message Modification through Unauthorized Access
  - Add Access
  - Remove Access
  - Hide Traffic
  - Change Traffic
Identifying Controllers and Switches
- Currently Listening on TCP Port 6633
- New Port Defined … TCP Port 6653
- Hellos Exchanged
- Feature Request
  - Controller will send
  - Switch will not
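The handshake described above can also be read from the defender's side. The added example below (not part of the talk's toolkit) parses the first bytes each endpoint sent on the control channel, separates TLS from cleartext Openflow, and uses the Features Request to tell controller from switch; the function names, addresses and byte strings are constructed for illustration.

```python
# Added illustration (not part of the talk's toolkit). Function names and the
# sample byte strings are constructed for this example.
import struct

OFP_HEADER = struct.Struct("!BBHI")   # version, type, length, xid
OFP_VERSIONS = {1: "1.0", 2: "1.1", 3: "1.2", 4: "1.3", 5: "1.4"}
OFP_TYPES = {0: "HELLO", 1: "ERROR", 2: "ECHO_REQUEST", 3: "ECHO_REPLY",
             5: "FEATURES_REQUEST", 6: "FEATURES_REPLY"}


def parse_headers(data):
    """Walk back-to-back OpenFlow messages and return (version, type) pairs."""
    out, offset = [], 0
    while offset + OFP_HEADER.size <= len(data):
        version, msg_type, length, _xid = OFP_HEADER.unpack_from(data, offset)
        if version not in OFP_VERSIONS or length < OFP_HEADER.size:
            raise ValueError("no OpenFlow header at offset %d" % offset)
        out.append((version, OFP_TYPES.get(msg_type, "TYPE_%d" % msg_type)))
        offset += length
    return out


def classify(data):
    """Classify the first bytes one endpoint sent on TCP 6633 or 6653."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return {"transport": "tls"}               # TLS handshake record
    try:
        msgs = parse_headers(data)
    except ValueError:
        msgs = []
    if not msgs:
        return {"transport": "unknown"}
    types = [name for _version, name in msgs]
    if "FEATURES_REQUEST" in types:
        role = "controller"       # only the controller sends a Features Request
    elif "FEATURES_REPLY" in types:
        role = "switch"
    else:
        role = "undetermined"
    return {"transport": "cleartext-openflow",
            "version": OFP_VERSIONS[msgs[0][0]], "role": role, "types": types}


def audit(streams):
    """Return the senders whose control channel is readable on the wire."""
    findings = []
    for sender, data in sorted(streams.items()):
        result = classify(data)
        if result["transport"] == "cleartext-openflow":
            findings.append((sender, result["role"], result["version"]))
    return findings


def ofp(version, msg_type, xid, body=b""):
    """Build one OpenFlow message for the constructed samples below."""
    return OFP_HEADER.pack(version, msg_type, OFP_HEADER.size + len(body), xid) + body


# Constructed capture: bytes each sender emitted at the start of a session.
SAMPLE = {
    "192.0.2.10:6633": ofp(1, 0, 1) + ofp(1, 5, 2),              # HELLO, FEATURES_REQUEST
    "192.0.2.21:49152": ofp(1, 0, 7) + ofp(1, 6, 2, bytes(24)),  # HELLO, FEATURES_REPLY
    "192.0.2.22:49153": bytes.fromhex("16030100c8010000c4"),     # start of a TLS ClientHello
    "192.0.2.30:6633": b"SSH-2.0-example\r\n",                   # not OpenFlow at all
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```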
Tools
- of-check.py
  - Identifies Openflow Services
  - Reports on their Versions
  - Compatible with any version of Openflow
- of-enum.py
  - Enumerates Openflow Endpoints
  - Reports on their Type
  - Compatible with any version of Openflow
Tools
- of-enum.nse
  - Enumerates Openflow Endpoints
  - Reports on their Type
  - Compatible with any version of Openflow
Demonstration
Some Attacks
- Small Local Area Network
  - One Admin Host
  - Two User Hosts
  - One Server
  - One IDS
- Attacker will …
  - Identify Targets
  - Enumerate ACLs
  - Find Sensors
Tool
- of-map.py
  - Downloads flows from an Openflow controller
  - Uses the flows
    - To identify targets and target services
    - To build ACLs
    - To identify sensors
  - Works with Floodlight and Opendaylight via JSON
Demonstration
And Some More Attacks …
- Small Local Area Network
  - One Admin Host
  - Two User Hosts
  - One Server
  - One IDS
- Attacker will …
  - Gain Access to the Server
  - Isolate the Administrator
  - Hide from the IDS
  - And Attack the Server
Tool
- of-access.py
  - Modifies flows on the network through the Openflow Controller
    - Adds or Removes access for hosts
    - Applies transformations to their network activity
    - Hides activity from sensors
  - Works with Floodlight and Opendaylight via JSON
Demonstration
And Now Some Pwnage …
Sorry Linux Foundation!
Zero-Day Exploit
- Opendaylight has other southbound APIs besides Openflow
- No Encryption for Southbound Netconf API
- No Authentication for Southbound Netconf API
- Just Connect and Exchange Messages
- XML-RPC
- Remember Java?
- Boom Goes Opendaylight
- And it runs as “Root”
Demonstration
If No Exploit …
- Service Not Available or They Fix It
- Not to Worry
- Password Guess the !!!!!!
  - Default Password Weak
  - Strong Passwords Turned Off
  - No Account Lockout
  - No SYSLOG Output
Repeat!
- Attacker will …
  - Identify Targets
  - Enumerate ACLs
  - Find Sensors
  - Gain Access to the Server
  - Isolate the Administrator
  - Hide from the IDS
  - And Attack the Server
And Pwn That Network Too!
Other Exploits Waiting to Be Found!
- Floodlight
  - Northbound HTTP API
  - Southbound Openflow API
- Opendaylight
  - Northbound HTTP API
  - Southbound Openflow API
  - Southbound Netconf API (TCP, SSH)
  - Southbound Netconf Debug Port
Other Exploits Waiting to Be Found!
- Opendaylight
  - JMX Access
  - OSGi Console
  - Lisp Flow Mapping
  - ODL Internal Clustering RPC
  - ODL Clustering
  - Java Debug Access
Available Solutions
- For Now
- For the Future
For Now
- Transport Layer Security
  - Feasible?
  - Realistic?
- Hardening … Duh!
- VLAN … It’s the Network Stupid!
- Code Review Anyone?
For the Future
- Denial of Service (SDN Architecture)
  - Network Partitioning
  - Controller Clustering
  - Static Flow Entries
- Modification (SDN Applications)
  - Traffic Counters
  - Respond to Abnormalities
- Verification (SDN Operations)
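One way to implement the verification idea above, as an added example rather than code from the talk: compare the flows a controller reports against an approved baseline and flag the four kinds of modification listed earlier (added access, removed access, changed traffic, traffic hidden from a sensor). The flow record layout, port numbers and addresses are assumptions constructed for the example, not the Floodlight or Opendaylight JSON schema.

```python
# Added illustration (not part of the talk's toolkit). The flow record layout,
# port numbers and addresses are assumptions constructed for this example.

def flow_key(flow):
    """Identity of a flow entry: switch, priority and the exact match."""
    return (flow["switch"], flow.get("priority", 0),
            tuple(sorted(flow["match"].items())))


def verify(baseline, installed, sensor_action):
    """Compare installed flows with the approved baseline and list deviations."""
    base = {flow_key(f): f for f in baseline}
    live = {flow_key(f): f for f in installed}
    findings = []
    for key in live.keys() - base.keys():          # access nobody approved
        findings.append(("added", live[key]["switch"], live[key]["match"]))
    for key in base.keys() - live.keys():          # approved access now missing
        findings.append(("removed", base[key]["switch"], base[key]["match"]))
    for key in base.keys() & live.keys():
        want, have = base[key]["actions"], live[key]["actions"]
        if want == have:
            continue
        if sensor_action in want and sensor_action not in have:
            kind = "sensor-bypass"                 # copy to the IDS port is gone
        else:
            kind = "changed"                       # traffic rewritten or redirected
        findings.append((kind, base[key]["switch"], base[key]["match"]))
    return sorted(findings, key=repr)


SW = "00:00:00:00:00:00:00:01"   # constructed datapath id
IDS = "output:5"                 # assumed port where the IDS receives its copy
SERVER = "10.0.0.100"


def flow(match, actions, priority=100):
    return {"switch": SW, "priority": priority, "match": match, "actions": actions}


USER1 = {"nw_src": "10.0.0.11", "nw_dst": SERVER, "tp_dst": 80}
USER2 = {"nw_src": "10.0.0.12", "nw_dst": SERVER, "tp_dst": 80}
ADMIN = {"nw_src": "10.0.0.10", "nw_dst": SERVER, "tp_dst": 22}

BASELINE = [
    flow(USER1, ["output:4", IDS]),
    flow(USER2, ["output:4", IDS]),
    flow(ADMIN, ["output:4", IDS]),
    flow({}, ["drop"], priority=0),
]

# Constructed "after" state showing each kind of deviation once.
INSTALLED = [
    flow(USER1, ["output:4"]),                                   # IDS copy removed
    flow(USER2, ["set_nw_dst:10.0.0.66", "output:6", IDS]),      # traffic rewritten
    flow({"nw_src": "10.0.0.12", "nw_dst": SERVER}, ["output:4"], priority=200),
    flow({}, ["drop"], priority=0),                              # unchanged
]                                                                # ADMIN flow is missing


def run_sample():
    return verify(BASELINE, INSTALLED, IDS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```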
How Prevalent Is It Going To Be?
- Gartner: 10 critical IT trends for the next five years
- Major Networking Vendors Have Products or Products Planned for SDN
- InformationWeek 2013 Survey
  - 60% felt that SDN would be part of their network within 5 Years
  - 43% already have plans to put it in production
Reported
- While Data Centers/Clouds are the Killer App for SDN
  - NIPPON EXPRESS
  - FIDELITY INVESTMENTS
  - VMWARE
- Starting to see it moving toward the LAN
  - Caltech
  - CERN
- And WAN
  - Google, NTT, and AT&T
How It Could Go Right
- Vendor Independence and ultimately lower cost
- Networks that match the application and the business's needs, not the other way around
- Faster Evolution of the Network
  - Production-Scale Simulation and Experimentation
  - Exchangeable Network Aspects
- Dynamic and Truly Active Defenses
How It Could Go Wrong
- Denial of Service
  - Peer Node
  - External Node
  - Selectively Dropping Traffic?
- MiTM
  - Entire Networks
  - Local Subnets or Hosts
- Shadow Operations
  - Darknets
  - Uber Admins
Making the Difference
- Traditional Means of Securing Controllers Still Apply
- Security Needs to Be Part of the Discussion
  - Until Now … How SDN Can Help Security
  - But How Secure is SDN?
- Analyses being Done
  - But By Outsiders
  - Traditional Approach and 2-D
- Controllers Need A Security Reference and Audit Capability
Final Thoughts
- SDN has the potential to turn the entire Internet into a cloud
- Benefit would be orders of magnitude above what we see now
- But there is a hole in the middle of it that could easily be filled by the likes of the NSA … or worse yet, China
- Let’s Not Let That Happen
- And That Starts Here
Toolkit
- SHA1 hash is 5de4f56de0ce24cc5b4fcd691ff4e7e910e0b80b
- Updates can be found at http://www.hellfiresecurity.com/
Links
- http://www.sdncentral.com/
- https://www.opennetworking.org/
- http://www.projectfloodlight.org/
- http://www.opendaylight.org/
- https://www.coursera.org/course/sdn
- https://www.baycollege.edu/Academics/Areas-of-Study/Computer-Network-Systems/Faculty/Linderoth/2013-sdn-survey-growing-pains.aspx
- http://h17007.www1.hp.com/docs/reports/2013-Infonetics-Enterprise-SDNs-07-10-13.pdf
- http://www.openflowhub.org/blog/blog/2012/12/03/sdn-use-case-multipath-tcp-at-caltech-and-cern/
- http://www.networkworld.com/article/2167166/cloud-computing/vmware--we-re-building-one-of-the-biggest-sdn-deployments-in-the-industry.html
- http://www.networkcomputing.com/networking/inside-googles-software-defined-network/a/d-id/1234201?
- http://cseweb.ucsd.edu/~vahdat/papers/b4-sigcomm13.pdf
- http://viodi.com/2014/03/15/ntt-com-leads-all-network-providers-in-deployment-of-sdnopenflow-nfv-coming-soon/