Post on 19-Jan-2015
SDN: is it a solution for network security?
Smelyanskiy R.L., Moscow State University, Computer Systems Laboratory
Applied Research Center for Computer Network
2013
10.04.2023 prof.R.Smelyanskiy MSU & ARCCN
Agenda
• What is SDN network?
• Term “protecting” could be many-sided…
• SDN control environment also needs to be protected.
Software defined evolution
[Figure, built up over slides 3–12: a classic router bundles VLAN, RIP, OSPF, IS-IS, ACL, MPLS, … inside one device. In the SDN evolution those functions leave the device and move into a controller that runs a network operating system with APPs on top; each switch keeps only a TCAM-backed flow table, and one controller manages several switches.]

Flow Table
Rule examples (columns: MACsrc, MACdst, IPSrc, IPDst, TCPsport, TCPdport, Action):
*        *         *        5.6.7.8  *    *    port 1   (routing)
*        00:1f:..  *        *        *    *    port 5   (switching)
*        *         *        *        *    22   drop     (firewall)
00:20..  00:1f:..  1.2.3.4  5.6.7.8  666  20   port 7   (flow switching)

Advantages
• Free for innovation
• Global network view
• Flexible for configuration
• Cheap and simple network devices
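The rule examples above make the central SDN point: one wildcard match table, consulted in priority order, does the job of a switch, a router, a firewall and a per-flow forwarder. The Python below is an added example, not code from the slides or from the author's controller. It reuses the slide's four rules; the field names, the priorities (chosen so the firewall's drop beats the broader forwarding rules), the ".." prefix shorthand, the table-miss behaviour and the shadowed-rule check are assumptions, and the packets it classifies are constructed.

```python
"""Wildcard flow-table matcher in the style of the slide's rule examples.

Added example, not code from the slides: the four rules reuse the slide's
values; field names, priorities, the '..' prefix shorthand, table-miss
handling and the shadowing check are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Match columns in the order the slide lists them.
FIELDS = ("mac_src", "mac_dst", "ip_src", "ip_dst", "tcp_sport", "tcp_dport")


def _field_matches(want: str, have: str) -> bool:
    """'*' matches anything; a value ending in '..' (slide shorthand) is a prefix."""
    if want == "*":
        return True
    if want.endswith(".."):
        return have.startswith(want[:-2])
    return have == want


def _covers(broad: str, narrow: str) -> bool:
    """True if every value accepted by `narrow` is also accepted by `broad`."""
    if broad == "*":
        return True
    if broad.endswith(".."):
        return narrow != "*" and narrow.startswith(broad[:-2])
    return narrow == broad


@dataclass
class FlowRule:
    match: Dict[str, str]   # field -> '*', exact value, or prefix ending in '..'
    action: str             # 'port N' or 'drop'
    priority: int           # higher wins on overlap (OpenFlow-style, assumed)
    name: str
    packets: int = 0        # per-rule hit counter, as a switch would keep

    def matches(self, pkt: Dict[str, str]) -> bool:
        return all(_field_matches(self.match.get(f, "*"), pkt.get(f, "")) for f in FIELDS)

    def shadowed_by(self, other: "FlowRule") -> bool:
        """`other` wins every packet this rule could match, so this rule is dead."""
        return other.priority > self.priority and all(
            _covers(other.match.get(f, "*"), self.match.get(f, "*")) for f in FIELDS)


class FlowTable:
    def __init__(self) -> None:
        self.rules: List[FlowRule] = []

    def add(self, rule: FlowRule) -> None:
        self.rules.append(rule)
        self.rules.sort(key=lambda r: -r.priority)   # stable: ties keep insertion order

    def lookup(self, pkt: Dict[str, str]) -> Optional[FlowRule]:
        for rule in self.rules:
            if rule.matches(pkt):
                rule.packets += 1
                return rule
        return None

    def forward(self, pkt: Dict[str, str]) -> str:
        rule = self.lookup(pkt)
        return rule.action if rule else "controller"   # table miss: hand to the controller

    def dead_rules(self) -> List[str]:
        """Names of rules that can never be hit because a higher-priority rule covers them."""
        return [r.name for r in self.rules
                if any(r.shadowed_by(o) for o in self.rules if o is not r)]


def slide_table() -> FlowTable:
    """The slide's four rules; priorities are assumed so the firewall beats forwarding."""
    t = FlowTable()
    t.add(FlowRule({"ip_dst": "5.6.7.8"}, "port 1", 10, "routing"))
    t.add(FlowRule({"mac_dst": "00:1f:.."}, "port 5", 20, "switching"))
    t.add(FlowRule({"tcp_dport": "22"}, "drop", 100, "firewall"))
    t.add(FlowRule({"mac_src": "00:20..", "mac_dst": "00:1f:..", "ip_src": "1.2.3.4",
                    "ip_dst": "5.6.7.8", "tcp_sport": "666", "tcp_dport": "20"},
                   "port 7", 200, "flow switching"))
    return t


if __name__ == "__main__":
    table = slide_table()
    # Constructed packets: routed, switched, SSH to the routed host, full flow, table miss.
    for pkt in ({"mac_dst": "00:aa:bb", "ip_dst": "5.6.7.8", "tcp_dport": "80"},
                {"mac_dst": "00:1f:03", "ip_dst": "9.9.9.9", "tcp_dport": "80"},
                {"mac_dst": "00:aa:bb", "ip_dst": "5.6.7.8", "tcp_dport": "22"},
                {"mac_src": "00:20:11", "mac_dst": "00:1f:03", "ip_src": "1.2.3.4",
                 "ip_dst": "5.6.7.8", "tcp_sport": "666", "tcp_dport": "20"},
                {"mac_dst": "00:aa:bb", "ip_dst": "9.9.9.9", "tcp_dport": "80"}):
        print(pkt, "->", table.forward(pkt))
    # A broad forwarding rule installed above the flow-specific one silently disables it.
    table.add(FlowRule({"ip_dst": "5.6.7.8"}, "port 1", 300, "routing-high"))
    print("dead rules:", table.dead_rules())
```

The `dead_rules` check is the part worth keeping in a real controller: several apps install rules into the same table, and a broad forward rule with a higher priority than a narrower drop rule turns the drop rule into a dead entry without any error. Checking for shadowing before a rule is installed is cheap and catches that class of policy mistake.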
Case studies
• Large Transit Service Provider
• Big International Company
  – Multiple offices
  – VPN communications
• Network of Large Organization
  – Large internal networks
  – Various types of network activities

Security in traditional architecture networks
• Case studies:
  – Large Transit Service Provider
  – Airport network
  – ISP (VPN provider)
• Tendencies
  – Traffic growth
  – Mobility
• Infrastructure
• Software
• Protocols
Term “protecting” could be many-sided…
Physical access

Airport example
[Figure, built up over slides 16–19: a set of control processes; a trespasser reaches one of them; malware appears on a control process; in the SDN variant the control processes become packet-forwarding devices only, and a single SDN controller sits in the server room.]
Term “protecting” could be many-sided…
Network flow control

Network of Organization example
[Figure, built up over slides 21–25: a tenant app serves Tenant A and Tenant B; traffic from a source point to destination points is either accepted or dropped; a firewall app on the controller installs firewall rules on the switches between the traffic source and destination points.]
SDN control environment also needs to be protected.

SDN control environment security
Controller security app
[Figure: legal traffic and malware traffic from hosts reach the controller as OF events; a security app on the controller sits in the path of those OF events.]
Switch-controller security
[Figure: a switch running malware on the switch-controller channel; an authentication server is added between the switches and the controller.]
Internet Key Exchange, IPsec, Kerberos, etc.
Controller-to-controller security
• Controller-to-controller out-band protocol: seems to be secure enough, but an expensive solution.
• Controller-to-controller in-band protocol:
  – Problem 1: check policies
  – Problem 2: isolate controllers' traffic and datapath traffic
  – Problem 3: special QoS settings
Controllers requirements
• c-applications should be reusable by different controllers placed near-by each other;
• different controller instances should be able to share the same instance of a c-application;
• the controller should be a trusted environment;
• the controller should be scalable: if the workload grows beyond the current computational power of the controller, it should be able to get more computational power, for example by splitting its activity with another controller instance placed on another physical resource;
• if some controller instance shuts down, other controllers placed nearby should be able to take over the part of the network switches that was managed by the instance that shut down.
Conclusion
• Software Defined Networking (SDN) has been rapidly developed.
  – Working in data centers
  – Replacing proprietary routers
• Splitting the data plane and the control plane brings advantages, but also opens new ways to exploit such networks for malicious purposes.
The major advantages of the SDN approach:
– programmable configuration
– data plane and control plane separation
– flexible data flow control
Switch - Controller security
[Figure, built up over slides 49–52: hosts attached to an OpenFlow switch, which is joined to the controller by a control channel; legal traffic and malware traffic from the hosts generate OpenFlow events toward the controller; an OpenFlow event checker sits on the control channel; a vulnerable app on the controller consumes the events; a security app is placed in front of the vulnerable app.]

Controller-controller protocol security
[Figure, slides 53–54: two controllers, each with its OpenFlow switch and hosts, joined first by a controller-controller out-band protocol and then by an in-band protocol.]
• Controller-controller out-band protocol: seems to be secure enough, but an expensive solution.
• Controller-controller in-band protocol: check policies; isolate controllers' traffic and datapath traffic; special QoS settings.
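The "OF event checker" and "security app" boxes on the controller security slide and on the backup switch-controller slides show a filter between the control channel and the controller's apps, but not what it checks. The Python below is an added example of such a checker; it is not the slides' own design and not code from the author's controller. Everything it enforces is an assumption: it admits packet-in events only from enrolled datapaths, gives each (switch, port) a token-bucket budget of new-flow events so that a single host emitting malware traffic cannot flood the controller or a vulnerable app, and quarantines a port that exhausts its budget. The datapath ids, MAC addresses, timestamps and rates are constructed.

```python
"""OpenFlow event checker placed between the control channel and controller apps.

Added example, not from the slides: the slides only show 'OF event checker'
and 'security app' boxes. The checks (enrolled datapath only, per-port
packet-in budget, quarantine) and every constant and event value are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class PacketIn:
    dpid: str        # datapath id of the switch that raised the event
    in_port: int     # switch port the packet arrived on
    src_mac: str
    ts: float        # event time in seconds


class EventChecker:
    """Decides, per event, whether a controller app may see it."""

    def __init__(self, known_dpids: Set[str], burst: int, rate_per_s: float) -> None:
        self.known = known_dpids          # datapaths enrolled via the authentication step
        self.burst = burst                # events a port may raise back-to-back
        self.rate = rate_per_s            # sustained events per second per port
        # token bucket per (dpid, in_port): (tokens, time of last refill)
        self.buckets: Dict[Tuple[str, int], Tuple[float, float]] = {}
        self.quarantined: Set[Tuple[str, int]] = set()
        self.counts: Dict[str, int] = defaultdict(int)   # verdict -> count, for monitoring

    def _take_token(self, key: Tuple[str, int], now: float) -> bool:
        tokens, last = self.buckets.get(key, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, now)
            return True
        self.buckets[key] = (tokens, now)
        return False

    def check(self, ev: PacketIn) -> str:
        if ev.dpid not in self.known:
            verdict = "reject: unknown switch"
        else:
            key = (ev.dpid, ev.in_port)
            if key in self.quarantined:
                verdict = "reject: port quarantined"
            elif self._take_token(key, ev.ts):
                verdict = "deliver"
            else:
                self.quarantined.add(key)    # a security app would install a drop rule here
                verdict = "quarantine: packet-in budget exceeded"
        self.counts[verdict] += 1
        return verdict


def run_stream(checker: EventChecker, events: List[PacketIn]) -> List[str]:
    return [checker.check(e) for e in events]


def constructed_events() -> List[PacketIn]:
    """Constructed stream: a legal host, a host spraying new flows, an unenrolled switch."""
    legal = [PacketIn("sw1", 1, "00:20:00:00:00:01", float(i)) for i in range(3)]
    malware = [PacketIn("sw1", 4, "00:20:00:00:00:99", 5.0 + i * 0.02) for i in range(40)]
    rogue = [PacketIn("sw-unknown", 1, "00:20:00:00:00:77", 6.0)]
    return legal + malware + rogue


if __name__ == "__main__":
    checker = EventChecker({"sw1"}, burst=10, rate_per_s=2.0)
    run_stream(checker, constructed_events())
    for verdict, n in sorted(checker.counts.items()):
        print(f"{n:3d}  {verdict}")
    print("quarantined ports:", sorted(checker.quarantined))
```

The quarantine verdict is the hand-off point to the slides' firewall app: the checker only decides, and a security app turns that decision into a drop rule on the switch port. The per-verdict counts are what you would export to monitoring, since a rising quarantine count on one switch is the detection signal for a host that is deliberately generating control-plane load.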