
Paper ID: COM205, Session I
IEEE International Conference on Communication and Electronics Systems (ICCES 2016)
October 21st-22nd, ICCES, Coimbatore, India

Security Analysis of Software Defined Wireless Network Monitoring with sFlow and FlowVisor

Asma Islam Swapna, MD Rezaul Huda Reza, Mainul Kabir Aion
Mawlana Bhashani Science and Technology University, Bangladesh; BAC IT, Bangladesh; University of Derby, England

Presentation Summary

• SDN?
• SDWN?
• Network Monitoring and Measurement
• sFlow DFD
• FlowVisor DFD
• STRIDE and DFD
• sFlow STRIDE Analysis
• FlowVisor STRIDE Analysis
• Evaluation
• Conclusion

Software Defined Networking (SDN)

Current Network

Figure: every device is a closed box of Specialized Packet Forwarding Hardware with its own Operating System and Apps, repeated device by device
- Millions of lines of source code
- Billions of gates

Limitations?

Source: Open Network Foundation Newsletter

Software Defined Networking (SDN)

Figure: Control Programs run on a Network Operating System that holds a Global Network View and controls the hardware via the forwarding interface (protocols)

Solution! An operating system for networks
- SDN provides network administration
- Full hardware accessibility

Source: Open Network Foundation Newsletter

Software Defined Networking (SDN) (Cont.)

• Direct programmability in the network plane
• Decouples the control plane from the data forwarding plane
• Agile
• Open standards-based and vendor-neutral

Enables:
• Scalability
• Information hiding
• Network policy
• Complete resource utilization
• Expansion from local to global
• Spanning the business network

Source: Open Network Foundation Newsletter

Software Defined Wireless Networking

2G, 3G, 4G, 5G: billions of wirelessly connected mobile devices
Need more wireless capacity!
Heterogeneous networks (LTE, WiFi, WiMAX)

Solution: SDN for wireless networks!
- Interface for controlling mobile nodes
- Customizable mobility management

Software Defined Wireless Networking (Cont.)

Underlying network security: secured information flow and control plane
• The controller collects Mobile Node (MN) information for packet transmission
• Composed of North-South and East-West network dimensions
• Border Gateway Protocol (BGP) enables inter-controller communication in large wireless networks
• Leverages wireless mesh networks

Network Monitoring & Measurement

Measure and detect intrusions and network threats, and monitor network services

Monitoring & Measuring Tools: sFlow, FlowVisor, BigSwitch, BigTap, SevOne
SDN Architectures: 4D, PCE, SANE-based
Source: McAfee Labs, 2015

• Network traffic visibility
• Inline and out-of-band monitoring
• Leverage the SDWN/SDN controller

Challenge: monitoring large, scale-out, multi-domain, multi-controller SDWNs

Solution!

Figure: sFlow-monitored stack: Network, Load Balancer, Web Server, Application Server, Memcache, Database

sFlow
- Open source
- Monitors switches
- Comprehensive multi-layer visibility

FlowVisor
- Non-vendor-dependent
- Proxy controller between SDWN switch and controller
- Isolates SDWN devices into slices

sFlow Data Flow Diagram

Agents
- Embedded in the switches and routers of the SDWN; host agents for Linux, Windows, Solaris, AIX
- Remotely configured through the sFlow Management Information Base (MIB) over SNMP
- sFlow datagrams (sampled packet headers and interface counters) sent over UDP from switch to collector

Collectors (sFlow-RT, sFlowTrend, sflowtool, third party, etc.)
- Data store: Memcached hit/miss counts, traffic bytes, durations, keys
- sFlow-RT collects the traffic data sent by the agents and analyses each sample
- Understands tcpdump-style CLI filter expressions

FlowVisor Data Flow Diagram

• OpenFlow proxy controller between SDWN switches and controllers
• Divides resources into slices, with a flowspace for each slice
• The slice policy configures switches, routing and packet forwarding
• The production controller manages slice policy rewrite

Elements: FlowVisor controller and slice policy; SDWN switch; SDWN controller

• The CLI allows FlowVisor configuration
• Slice processes are owned by the admin and by groups of network operators
• Isolated per-slice information: bandwidth, CPU, forwarding table, etc.

Threat Models

Elicitation and analysis of security threats and mechanisms in deployed designs and networks:
• DREAD – SQL injection, Microsoft, OpenStack
• OCTAVE – large systems and applications
• STRIDE – network systems and applications, Microsoft
• Generic Risk Model
• Guerrilla Threat Modeling
• Process for Attack Simulation and Threat Analysis (PASTA) – risk management as the last stage
• Trike, etc.

STRIDE & Data Flow Diagram (DFD)

DFD elements can be vulnerable to one or many STRIDE threats.

Figure: FlowVisor Data Flow Diagram

STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege

Name             | STRIDE vulnerability | Definition
Data Flow        | Yes                  | Data sent among network elements
Data Store       | Yes                  | Stable (persistent) data
Process          | Yes                  | Programs or applications that configure the system
Interactors      | Yes                  | Endpoints outside the system's scope of control
Trust Boundaries | Yes                  | Separation between trusted and untrusted elements of the system
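Worked example of STRIDE-per-element on the sFlow DFD, added here to show the method behind the table above; it is not tooling from the paper. The element-kind to threat matrix is the standard STRIDE-per-element chart (interactor S,R; process S,T,R,I,D,E; data flow T,I,D; data store T,R,I,D). The element list, the control catalogue and the mitigation plan are constructed for this example, and the "tls" control stands in for TLS or an equivalent tunnel, since sFlow datagrams ride over UDP.

```python
"""STRIDE-per-element applied to the sFlow data flow diagram.

Added example, not the paper's tooling.  APPLICABLE is the standard
STRIDE-per-element chart; the DFD elements, CONTROLS catalogue and plan
below are constructed to mirror the sFlow slides.
"""

STRIDE_ORDER = "STRIDE"

# STRIDE letters that apply to each DFD element kind
APPLICABLE = {
    "interactor": set("SR"),
    "process":    set("STRIDE"),
    "data_flow":  set("TID"),
    "data_store": set("TRID"),
}

# Constructed control catalogue: letters a control removes, per element kind
CONTROLS = {
    "tls":        {"data_flow": set("TI"), "process": set("S")},  # TLS or DTLS/IPsec tunnel
    "snmpv3":     {"data_flow": set("TI"), "process": set("S")},  # authPriv for the MIB path
    "acl_rbac":   {"process": set("E"), "data_store": set("TI")},
    "audit_log":  {"process": set("R"), "data_store": set("R")},
    "rate_limit": {"process": set("D"), "data_flow": set("D")},
}


class Element:
    def __init__(self, name, kind, crosses_boundary=False, controls=()):
        if kind not in APPLICABLE:
            raise ValueError("unknown DFD element kind: " + kind)
        self.name = name
        self.kind = kind
        self.crosses_boundary = crosses_boundary  # leaves the trusted zone
        self.controls = tuple(controls)


def exposure(element):
    """Threat letters (in STRIDE order) before any control is applied."""
    return "".join(c for c in STRIDE_ORDER if c in APPLICABLE[element.kind])


def residual(element):
    """Threat letters left after subtracting what each named control covers."""
    left = set(APPLICABLE[element.kind])
    for ctl in element.controls:
        if ctl not in CONTROLS:
            raise ValueError("unknown control: " + ctl)
        left -= CONTROLS[ctl].get(element.kind, set())
    return "".join(c for c in STRIDE_ORDER if c in left)


def analyse(dfd):
    """Map element name -> residual threats, boundary-crossing elements first:
    that is where monitoring data leaves the operator's trusted zone."""
    ordered = sorted(dfd, key=lambda e: (not e.crosses_boundary, e.name))
    return {e.name: residual(e) for e in ordered}


def harden(dfd, plan):
    """Return a copy of the DFD with the controls in `plan` attached."""
    return [Element(e.name, e.kind, e.crosses_boundary,
                    e.controls + tuple(plan.get(e.name, ())))
            for e in dfd]


# Constructed DFD elements following the sFlow slide
SFLOW_DFD = [
    Element("operator CLI", "interactor"),
    Element("sFlow agent on switch", "process"),
    Element("SNMP MIB configuration", "data_flow", crosses_boundary=True),
    Element("sFlow datagrams to collector", "data_flow", crosses_boundary=True),
    Element("sFlow-RT collector", "process"),
    Element("Memcached data store", "data_store"),
]

# Constructed mitigation plan echoing the slide's "SNMPv3, TLS, ACL" column
SFLOW_PLAN = {
    "SNMP MIB configuration": ["snmpv3"],
    "sFlow datagrams to collector": ["tls"],
    "Memcached data store": ["acl_rbac", "audit_log"],
}

if __name__ == "__main__":
    for name, left in analyse(harden(SFLOW_DFD, SFLOW_PLAN)).items():
        print("%-30s residual: %s" % (name, left or "-"))
```

Run as a script, it prints one line per element with the residual threats after the plan; with the constructed catalogue, both boundary-crossing flows and the data store are left with D only, which matches the table's point that TLS and access control do not answer denial of service.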

sFlow STRIDE Analysis

Threat                  | Data Flow | Data Store | Solution
Tampering               | Yes       | Yes        | ACL/RBAC/DAC for CLI, SNMPv3, TLS
Information Disclosure  | Yes       | Yes        | TLS
Denial of Service (DoS) | Yes       | Yes        | Access control in CLI for MIB security, TLS

• Third-party deployment environment for data flow security
• Transport Layer Security among agents to encrypt traffic information
• Access control mechanisms and SNMPv3 can be leveraged to secure the MIB
• Direct traffic information using SNMP
• DoS vulnerabilities in the data store can lead to unauthorized access to SDWN devices
• No interactors, because SNMP communication is one-way
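To make the data-flow findings concrete, here is an added collector-side decoder for the agent-to-collector flow in the sFlow DFD above, written for this page rather than taken from sFlow-RT, sflowtool or the paper. It follows the sFlow v5 wire layout (XDR, big-endian, over UDP) and shows why the table marks the flow for tampering, information disclosure and DoS: nothing in the datagram is authenticated, the agent address and sequence number are whatever the sender wrote, and sampled headers are readable in the clear. The allow-list check and sequence tracking in `Collector` are the kind of compensating control a collector can apply; the agent addresses, datagram and Ethernet/IPv4 frame are constructed for the example.

```python
"""Decode sFlow v5 datagrams and apply collector-side sanity checks.

Added example, not code from sFlow-RT, sflowtool or the paper.  Wire
layout follows the sFlow v5 specification (XDR, big-endian, over UDP);
agent addresses, the datagram and the frame are constructed here.
"""
import ipaddress
import struct

SFLOW_VERSION = 5
SAMPLE_FLOW = 1        # sample_data_format: enterprise 0, format 1
RECORD_RAW_HEADER = 1  # flow_data_format: enterprise 0, format 1


def _u32(buf, off):
    return struct.unpack_from("!I", buf, off)[0], off + 4


def parse_datagram(buf):
    """Decode the header and every flow sample; other samples are kept raw."""
    version, off = _u32(buf, 0)
    if version != SFLOW_VERSION:
        raise ValueError("unsupported sFlow version %d" % version)
    addr_type, off = _u32(buf, off)
    if addr_type != 1:  # 1 = IPv4 agent address (IPv6 agents not handled here)
        raise ValueError("unsupported agent address type %d" % addr_type)
    agent, off = str(ipaddress.IPv4Address(buf[off:off + 4])), off + 4
    sub_agent, seq, uptime, nsamples = struct.unpack_from("!4I", buf, off)
    off += 16
    samples = []
    for _ in range(nsamples):
        stype, off = _u32(buf, off)
        slen, off = _u32(buf, off)
        body, off = buf[off:off + slen], off + slen
        if len(body) != slen:
            raise ValueError("truncated sample")
        samples.append(_parse_flow_sample(body) if stype == SAMPLE_FLOW
                       else {"type": stype, "raw": body})
    # Nothing above is authenticated: agent address and seq are self-asserted.
    return {"agent": agent, "sub_agent": sub_agent, "seq": seq,
            "uptime_ms": uptime, "samples": samples}


def _parse_flow_sample(body):
    seq, source_id, rate, pool, drops, in_if, out_if, nrec = struct.unpack_from("!8I", body, 0)
    off, records = 32, []
    for _ in range(nrec):
        rfmt, off = _u32(body, off)
        rlen, off = _u32(body, off)
        rdata, off = body[off:off + rlen], off + rlen
        if rfmt == RECORD_RAW_HEADER:
            proto, frame_len, stripped, hdr_len = struct.unpack_from("!4I", rdata, 0)
            records.append({"format": "raw_header", "protocol": proto,
                            "frame_length": frame_len, "header": rdata[16:16 + hdr_len]})
        else:
            records.append({"format": rfmt, "raw": rdata})
    return {"seq": seq, "source_id": source_id, "sampling_rate": rate, "sample_pool": pool,
            "drops": drops, "input": in_if, "output": out_if, "records": records}


def ipv4_endpoints(header):
    """(src, dst) of an IPv4 packet behind an Ethernet II header, or None.
    Sampled headers travel in the clear: a passive observer learns exactly this."""
    if len(header) < 34 or header[12:14] != b"\x08\x00":
        return None
    return (str(ipaddress.IPv4Address(header[26:30])),
            str(ipaddress.IPv4Address(header[30:34])))


class Collector:
    """Accept only allow-listed agents; track per-(agent, sub-agent) seq numbers."""

    def __init__(self, allowed_agents):
        self.allowed = set(allowed_agents)
        self.last_seq = {}

    def accept(self, dgram):
        """Return [] on accept, otherwise one string per problem."""
        if dgram["agent"] not in self.allowed:
            return ["agent %s not in allow-list (spoofed or unknown)" % dgram["agent"]]
        key = (dgram["agent"], dgram["sub_agent"])
        prev = self.last_seq.get(key)
        if prev is not None and dgram["seq"] <= prev:
            return ["seq %d not after %d: replay or duplicate" % (dgram["seq"], prev)]
        notes = []
        if prev is not None and dgram["seq"] != prev + 1:
            notes.append("%d datagram(s) lost or dropped" % (dgram["seq"] - prev - 1))
        self.last_seq[key] = dgram["seq"]
        return notes


def build_datagram(agent_ip, seq, frame, sub_agent=0, uptime=1000):
    """Encode one datagram with one flow sample holding a raw header record."""
    padded = frame + b"\x00" * (-len(frame) % 4)
    rec = struct.pack("!4I", 1, len(frame) + 4, 4, len(frame)) + padded  # ethernet, FCS stripped
    rec = struct.pack("!2I", RECORD_RAW_HEADER, len(rec)) + rec
    smp = struct.pack("!8I", 7, 3, 256, 1792, 0, 3, 5, 1) + rec  # ifIndex 3, rate 1:256
    smp = struct.pack("!2I", SAMPLE_FLOW, len(smp)) + smp
    hdr = struct.pack("!2I", SFLOW_VERSION, 1) + ipaddress.IPv4Address(agent_ip).packed
    return hdr + struct.pack("!4I", sub_agent, seq, uptime, 1) + smp


# Constructed Ethernet II + IPv4 header (34 bytes): 10.0.0.5 -> 10.0.0.9, TCP
SAMPLE_FRAME = (bytes.fromhex("001122334455" "66778899aabb" "0800")
                + bytes.fromhex("4500003400010000" "40060000")
                + ipaddress.IPv4Address("10.0.0.5").packed
                + ipaddress.IPv4Address("10.0.0.9").packed)
```

Feeding `parse_datagram(build_datagram("192.0.2.10", 100, SAMPLE_FRAME))` to a `Collector({"192.0.2.10"})` is accepted; the same datagram again is flagged as a replay, a jump to sequence 103 reports two lost datagrams, and a datagram claiming to come from an address outside the allow-list is rejected. The allow-list is only a filter on a self-asserted field, which is why the table still calls for TLS (or an equivalent tunnel) rather than collector-side checks alone.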

FlowVisor STRIDE Analysis

Threat                  | Data Flow | Solution
Tampering               | Yes       | TLS
Information Disclosure  | Yes       | TLS
Denial of Service (DoS) | Yes       | Access control in CLI for policy rewrite, TLS

• Transport Layer Security among agents to defend against policy rewrite
• An access control mechanism can be leveraged for policy rewrite
• An attack on the production controller allows rewriting the slice policy
• Switch configuration data is secured with an authentic flow-entry store
• The CLI secures the slice policy with port number, host ID and destination address
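The FlowVisor DFD earlier and the "access control for policy rewrite" row above both hinge on the slice policy: the flowspace entries that map traffic to slices and bound what each slice controller may install. The following toy model is added for this page and is not FlowVisor's code; slice names, datapath IDs and entries are made up, and rule authorisation is simplified to "lies inside an entry granting WRITE" (FlowVisor itself rewrites a FLOW_MOD to the intersection with the slice's flowspace). It shows the packet-to-slice lookup, the authorisation gate a slice controller hits, and an overlap check that catches the kind of policy rewrite the table is worried about: two same-priority entries that can claim the same packet for different slices.

```python
"""Toy model of FlowVisor flowspace slicing and slice-policy enforcement.

Added example, not FlowVisor's code.  Slice names, datapath IDs and the
flowspace entries are constructed; authorisation is simplified to
"inside an entry that grants this slice WRITE".
"""
import ipaddress

# Per-slice permission bits on a flowspace entry, as in FlowVisor's CLI
PERM_WRITE, PERM_READ, PERM_DELEGATE = 1, 2, 4


def _normalize(match):
    """Turn nw_src/nw_dst strings into networks; other fields stay as given."""
    m = dict(match)
    for key in ("nw_src", "nw_dst"):
        if key in m:
            m[key] = ipaddress.ip_network(m[key], strict=False)
    return m


class FlowSpaceEntry:
    def __init__(self, name, dpid, priority, match, slice_perms):
        self.name = name
        self.dpid = dpid                       # datapath id string or "any"
        self.priority = priority               # higher wins
        self.match = _normalize(match)         # {"dl_type": 0x0800, "nw_src": "10.1.0.0/16"}
        self.slice_perms = dict(slice_perms)   # {"slice-name": permission bits}

    def on_datapath(self, dpid):
        return self.dpid == "any" or self.dpid == dpid


def _contains(space_val, val):
    """True if a packet or rule field value lies inside the entry's value."""
    if isinstance(space_val, ipaddress.IPv4Network):
        return ipaddress.ip_network(val, strict=False).subnet_of(space_val)
    return space_val == val


def entry_covers(entry, dpid, fields):
    """Every field the entry constrains must be present in `fields` and inside
    the entry's value; an absent field is a wildcard and is not covered."""
    if not entry.on_datapath(dpid):
        return False
    return all(k in fields and _contains(v, fields[k]) for k, v in entry.match.items())


def slice_for_packet(flowspace, dpid, pkt):
    """The highest-priority covering entry decides which slices see the packet."""
    best = None
    for e in flowspace:
        if entry_covers(e, dpid, pkt) and (best is None or e.priority > best.priority):
            best = e
    return dict(best.slice_perms) if best else {}


def authorize_flow_mod(flowspace, slice_name, dpid, rule_match):
    """A slice controller may install a rule only if the whole rule lies
    inside a flowspace entry that grants that slice WRITE."""
    return any(entry_covers(e, dpid, rule_match) and e.slice_perms.get(slice_name, 0) & PERM_WRITE
               for e in flowspace)


def _intersect(a, b):
    if isinstance(a, ipaddress.IPv4Network) and isinstance(b, ipaddress.IPv4Network):
        return a.overlaps(b)
    return a == b


def find_overlaps(flowspace):
    """Pairs of equal-priority entries that can cover one packet on the same
    datapath yet name different slices: an isolation gap to flag on any
    policy rewrite, since slice isolation is only as good as the policy."""
    found = []
    for i, a in enumerate(flowspace):
        for b in flowspace[i + 1:]:
            if a.priority != b.priority:
                continue
            if a.dpid != b.dpid and "any" not in (a.dpid, b.dpid):
                continue
            shared = set(a.match) & set(b.match)
            if (all(_intersect(a.match[k], b.match[k]) for k in shared)
                    and set(a.slice_perms) != set(b.slice_perms)):
                found.append((a.name, b.name))
    return found


# Constructed slice policy: two tenants, a management slice, and one bad entry
FLOWSPACE = [
    FlowSpaceEntry("fs-tenant-a", "any", 100,
                   {"dl_type": 0x0800, "nw_src": "10.1.0.0/16"}, {"tenant-a": 7}),
    FlowSpaceEntry("fs-tenant-b", "any", 100,
                   {"dl_type": 0x0800, "nw_src": "10.2.0.0/16"}, {"tenant-b": 7}),
    FlowSpaceEntry("fs-mgmt", "00:00:00:00:00:00:00:01", 200,
                   {"tp_dst": 22}, {"mgmt": 7}),
    # Same priority as fs-tenant-b, overlapping source range, different slice
    FlowSpaceEntry("fs-leak", "any", 100,
                   {"dl_type": 0x0800, "nw_src": "10.2.5.0/24"}, {"tenant-a": PERM_READ}),
]
```

With this policy, a packet from 10.1.4.2 maps to tenant-a, except on datapath ...01 where port 22 traffic goes to the higher-priority mgmt slice; tenant-b may install a rule for 10.2.5.0/24 while tenant-a may not (fs-leak only grants READ), and a rule broader than its entry (10.0.0.0/8) is refused; `find_overlaps` reports the fs-tenant-b/fs-leak pair, which is what an operator should run after every policy rewrite.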

Evaluation

Comparison among sFlow and FlowVisor

Threat                 | Data Flow        | Data Store
Tampering              | FlowVisor, sFlow | sFlow
Information Disclosure | FlowVisor, sFlow | sFlow
Denial of Service      | FlowVisor, sFlow | sFlow

• sFlow provides no security in data flow or data store and is vulnerable to spoofing, DoS and information disclosure threats
• FlowVisor: the flowspace CLI secures the switch configuration data store
• FlowVisor inherits security vulnerabilities in its isolated slices and is prone to spoofing, tampering and information disclosure, and even to delay and denial of service threats, in data flow

Conclusion

• Studied the STRIDE security model for SDWN
• Analyzed packet flow in an SDWN environment using sFlow
• Analyzed packet flow in an SDWN environment using FlowVisor
• Performed a comparative side-by-side analysis of SDWN security risks in using sFlow and FlowVisor
• Research outcome: FlowVisor provides security in data storage
• sFlow is vulnerable to spoofing, switch information tampering and DoS risk

Future Work

• Real-time prototyping of an SDWN environment and monitoring performance
• SDWN appliance in a larger network, i.e. a data center
• FlowVisor slicing and isolation impact on real-time SDWN prototyping


Question & Answer!

Thanks!
Asma Islam Swapna
Twitter: @AsmaSwapna
Github: @AsmaSwapna
Tech site: www.asmaswapna.github.io
ResearchGate: Asma_Swapna2
LinkedIn: asma0swapna