Adnan Akhunzada
University of Malaya
All content following this page was uploaded by Adnan Akhunzada on 26 September 2015.
Pull quote (truncated in extraction): "SDN is an emerging networking paradigm that"

[Table 1 (partially extracted): comparative summary of state-of-the-art SDN security solutions. Recoverable columns: security solution classification; SDN layer/interface (application layer, northbound interface, control layer, southbound interface, data layer). Recoverable entries: L-IDS, OpenWatch, and, under security analysis, AVANT-GUARD and Header Space Analysis.]
more curious about securing SDNs. On the contrary, the other school of thought believes that the use of SDNs improves and enhances security. Table 1 presents a comparative summary of the state-of-the-art SDN security solutions. Some of the state-of-the-art solutions for securing SDNs are discussed below.

SECURE DESIGN OF SDN
The efforts put forward for a secure design of SDN are extremely limited. Shin et al. propose FRESCO, a security-specific application development framework for OpenFlow networks [2]. FRESCO facilitates exporting the application programming interface (API) scripts, which enables security experts to develop threat detection logic and security monitoring as programming libraries. However, the framework uses FortNox, a security enforcement kernel [3]. It is an enforcement engine responsible for avoiding rule conflicts arising from different security authorizations. The research work in this category is entirely based on the above two proposals (FRESCO, FortNox) for secure design of SDNs. The first proposal is a major contribution toward secure programming, and has a direct impact on the application layer, the control layer, and the interface between them, but not on the data layer. The second proposal is oriented more toward rule conflicts and authorization, and has more of an effect on the control layer and the southbound and northbound interfaces. It does not, however, improve the security of the application and infrastructure layers.

IMPLEMENTATION OF SATISFACTORY AUDIT
R. Skowyra et al. developed a model that satisfies all requirements of a system design [4]. They discuss an infrastructure tool to specify and analyze a real environment without relying on previous knowledge of formal languages or logic. The authors further give an example of using an OpenFlow-based network of learning switches to enable communication between mobile nodes. This proposal considers the verification of network correctness and specification modeling while considering the scalability issues of OpenFlow networks. Another contribution is presented in [5], which allows the software developers of the SDN to trace the root cause of bugs by reconstructing the series of events causing that particular bug. The packet back-trace assists SDN programmers in resolving logical errors, helps switch implementers to resolve protocol compatibility errors, and facilitates network operators in submitting complete bug reports to vendors.

ENFORCEMENT OF SECURITY POLICY
Enforcement of security policy is a serious issue in the dynamic environment of SDNs, and the research community has given considerable attention to this area. Son et al. [6] propose FLOVER, a model checking system that verifies the flow policies against the network’s security policies. D. Kreutzer et al. [1] discuss other major contributions in this particular area. The VeriFlow scheme is used for verification of real-time invariants. The paper also presents flow-based policy enforcement using language-based security. Moreover, the authors also discuss the verification of the isolation of program traffic. They also present the use of binary decision diagrams for handling intra-switch misconfiguration for a single flow.
Another major security contribution is PermOF [7], a fine-grained permission system that comprises a set of OF-specific permissions and a runtime isolation mechanism for applying the permissions. The set of OF-specific permissions is designed considering four different aspects:
• Threat model
• Controller implementation API set
• Application functional requirements
• Control messages in OpenFlow
The proposed isolation mechanism isolates the controller and applications in a thread container. The applications cannot call controller procedures or directly refer to the memory of the kernel. The application and operating system are also isolated by introducing a shim layer, called an access control layer, between them. The shim layer is controlled by the kernel of the controller.

SECURITY ENHANCEMENT
Sajad et al. propose FleXam [8], a sampling extension for OpenFlow that gives the OpenFlow controller access to packet-level information. FleXam enables the controller to sample the packets stochastically or deterministically, considering the application requirements. Consequently, such applications can directly run on a small network’s controller. Moreover, FleXam eliminates flow setup time and reduces the control plane load. Other prominent solutions for security enhancement are CloudWatcher [9] and L-IDS [1]. CloudWatcher is a framework for monitoring clouds, whereas L-IDS, a learning intrusion detection system, is a security service embedded to protect mobile devices in a particular location.

SECURITY ANALYSIS
J. Wang et al. [10] propose a systematic approach to detect and resolve conflicts in an SDN firewall by checking the firewall authorization space and the flow space. The approach searches the flow paths in the whole network and checks the paths against all firewall deny rules to determine conflicts with those deny rules. The conflict resolution strategies vary with the operations involved in the flow entries and flow rules. The effectiveness and efficiency of the proposed approach are investigated using header space analysis.
S. Shin et al. [11] propose two significant changes in SDN. One extension is to the data plane, called connection migration, which significantly minimizes data-to-control-plane interactions, which increase during denial-of-service (DoS) attacks on the southbound interface. Another extension, called an actuating trigger, is to expedite the responsiveness to the changing flow dynamics within the SDN data plane. Actuating triggers are introduced over the statistics collection services of the data plane. Another credible solution is OpenWatch [12], an adaptive method for flow counting to detect anomalies in SDN.

TAXONOMY OF SDN SECURITY
The taxonomy is based on the literature of SDN security as shown in Fig. 2. The existing solutions can be categorized based on the following
Table 2 (partial extraction; only the rows that survived): security threats in SDN.

Security threat | Security requirement | Protection technique | Affected functionality | Targeted layers/interfaces
Software failure | High assurance | Robustness, system integrity protection | All functionalities | All layers
Hardware failure | High assurance | Robustness, system integrity protection | All functionalities | Control layer, data layer
User data alteration | Ensuring data integrity | Data integrity functionality in SDN | Data management | Data layer
parameters: solution categories, SDN layers/interfaces, security measures, simulation environment, and security objectives. Secure design is the primary issue of SDN, although it is not considered as part of the initial design. There are very few proposals on secure design of the SDN. The contributions in this area are still limited, and it deserves more comprehensive research attention. Researchers have also contributed toward auditing of the SDN environment for security and accountability purposes. Moreover, major contributions of researchers are based on security policy enforcement, and this particular area requires close attention in the dynamic SDN environment. Besides, much of the work is done on security enhancement using SDN, and very few contributions are on security analysis. The security solutions also address issues of different layers/interfaces of SDN. Different layers/interfaces are targeted for defense against various possible attacks and exploitations. However, these security research contributions defending each layer/interface are mainly based on the broad mechanisms of security. The security mechanisms are given as access control, authentication, authorization, encryption, intrusion detection, intrusion prevention, and recovery. The taxonomy also presents classification based on the simulation/emulation environment. The majority of the networks are designed following the OpenFlow (OF) standards to conduct their corresponding experiments. The major security objectives are auditing and accountability. The other security objectives include rapid design and development of secure applications, monitoring for security purposes, and malware protection to avoid stealthy scanning and propagation. Besides, securing the architecture of OF networks and defense against different DoS attacks are considered objectives.

SECURITY THREATS AND POSSIBLE ATTACKS IN SDN
In this section, we present some of the possible threats and attacks in SDN that are presented in Tables 2 and 3, respectively. Operating system alteration represents the destruction or alteration of components or the complete operating system of SDN elements such as a controller or forwarder nodes. The operating system can be made secure by ensuring system integrity, which can be achieved by implementing trusted computing. The threat can target all layers of SDN and can affect the management of running services and applications in SDNs. Software framework alteration identifies the destruction or alteration of middleware and components of the software framework. Similar to the operating system alteration threat, the software framework alteration can also be made secure by protecting system integrity through trusted computing. Software framework alteration also affects all layers of SDN.
The software failure threat represents a general software failure in any of the software components comprising the software framework, applications, and operating system. The threat can be mitigated by employing high assurance techniques and ensuring the robustness of a system. The entire set of functionalities is affected by the software failure threat, and the threat can target all layers of SDN architecture. The hardware failure threat represents the generic failure of hardware in any of the components. Similar to the software failure threat, the hardware failure threat can be reduced by employing high assurance techniques and ensuring the robustness of a system. The entire set of functionalities is affected by the hardware failure threat, which can target control and data layers.
The configuration data alteration threat represents the destruction or alteration of configuration data that is required by SDN to perform different functions. Configuration data can be removed or modified from the SDN platform. The threat can be mitigated by ensuring data integrity in SDN middleware. The threat can target the control layer, control-data interface, and data layer, and can affect resource and application management. The configuration data extraction threat is an eavesdropping threat, where an attacker gathers configuration data that can be used in subsequent attacks. Configuration data extraction requires confidentiality protection and ensuring data integrity functionality in SDN. The threat targets the control layer, control-data interface, and data layer. Unauthorized access to SDN services identifies a security breach, where an authorized SDN entity can access services of SDN for which the entity does not have the proper access level. The threat can be mitigated by deploying a secure administration module and ensuring system integrity. The security requirement for mitigating the threat is identification verification. The threat can affect all functionalities and can target all layers and interfaces of SDN.
User data alteration is a threat that represents the destruction or alteration of user data such as customized profiles of user traffic. The user data alteration threat can be mitigated by ensuring data integrity. The threat can affect the data management and target the data layer. Masquerading as an authorized SDN controller identifies the activation of malicious software on an SDN platform such as the controller platform. The threat can be mitigated by use of digital signatures of SDN software modules. The threat mitigation requires the assurance of system integrity, identity verification, and accountability. Application management is affected by the threat activation, which can target the control layer, control-data interface, and data layer of SDN.
Apart from security threats, there are a number of possible attacks in SDN. The checks in Table 3 show these security attacks affecting the corresponding layers/interfaces in the following example scenarios. Even so, these security issues may potentially affect each layer/interface of the SDN. Availability-related attacks refer to various DoS attacks. For example, the communication flooding attack is possible between the switch and the controller, and will affect all the corresponding three layers. However, this flooding attack can also be generated through switch flow tables, which will ultimately affect the data layer only. Moreover, due to the dynamic SDN environment, security policy enforcement related attacks will affect the upper three layers if the underlying two layers are not protected by Transport Layer Security (TLS) or other authentication techniques. However, the existing higher version of the OpenFlow protocol uses TLS between the data and control layers. Furthermore, authorization-related attacks can lead to illegal access to the controller, which will certainly affect the lower three layers. Unauthenticated applications can cause damage to the corresponding three higher layers. Data alteration can be done through the modification of flow rules and will cause damage to the data layer only. However, a malicious application can target all the corresponding layers, and this will remain a challenge for SDNs. Malicious applications can be used to insert fake rules affecting the upper three layers/interfaces and can also be used to hijack the controller, which will affect the layers downstream. There is also a possibility of side channel attacks. For instance, an input buffer can be used for the discovery of flow rules, and analyzing the packet processing time may reveal the forwarding policy.
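The following Python sketch is an added example for this survey, not code from PermOF, FortNox, the firewall conflict checker of Wang et al., or any other surveyed system. It illustrates the two enforcement ideas discussed in the Enforcement of Security Policy and Security Analysis sections above, and the "malicious application inserts fake rules" scenario of this section: every application call passes through a shim that first checks the application's permission set (the PermOF-style access control layer), and then checks a requested forward rule against the security application's deny rules in flow space, rejecting any rule that overlaps a deny rule and would win on priority (the FortNox-style rule-conflict check). The permission names, the simplified rule format, and the sample policy are assumptions constructed for the example.

```python
"""Policy-enforcement shim between SDN applications and the controller kernel.

Added illustration for this survey; it is not code from PermOF, FortNox, or any
other surveyed system. The permission names, rule fields, and sample policy are
assumptions constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class FlowRule:
    """Simplified OpenFlow-style rule: an IPv4 match plus an action and priority."""
    src: IPv4Network
    dst: IPv4Network
    dst_port: Optional[int]   # None matches any destination port
    action: str               # "forward" or "drop"
    priority: int = 0

    def overlaps(self, other: "FlowRule") -> bool:
        """True if some packet could match both rules (the flow-space test)."""
        return (self.src.overlaps(other.src)
                and self.dst.overlaps(other.dst)
                and (self.dst_port is None or other.dst_port is None
                     or self.dst_port == other.dst_port))


@dataclass(frozen=True)
class App:
    name: str
    permissions: FrozenSet[str]   # e.g. {"read_stats", "add_flow"}


class AccessDenied(Exception):
    """Application lacks the permission for the requested controller procedure."""


class RuleConflict(Exception):
    """Requested rule would override a security deny rule."""


class ControllerShim:
    """Every application call passes through here: permissions are checked first
    (PermOF-style), then forward rules are checked against the security app's
    deny rules so those cannot be bypassed (FortNox-style conflict detection)."""

    def __init__(self, deny_rules: List[FlowRule]):
        self.deny_rules = [r for r in deny_rules if r.action == "drop"]
        self.flow_table: List[FlowRule] = list(self.deny_rules)  # deny rules pre-installed
        self.audit_log: List[str] = []

    def _require(self, app: App, perm: str) -> None:
        if perm not in app.permissions:
            self.audit_log.append(f"DENY {app.name}: missing permission '{perm}'")
            raise AccessDenied(f"{app.name} lacks {perm}")

    def read_stats(self, app: App) -> int:
        self._require(app, "read_stats")
        return len(self.flow_table)

    def add_flow(self, app: App, rule: FlowRule) -> FlowRule:
        self._require(app, "add_flow")
        if rule.action == "forward":
            for deny in self.deny_rules:
                # A forward rule that overlaps a deny rule and would win on priority
                # would let blocked traffic through: reject it and record the attempt.
                if rule.overlaps(deny) and rule.priority >= deny.priority:
                    self.audit_log.append(f"CONFLICT {app.name}: {rule} overrides {deny}")
                    raise RuleConflict(f"{app.name} rule conflicts with a deny rule")
        self.flow_table.append(rule)
        self.audit_log.append(f"ALLOW {app.name}: installed {rule}")
        return rule


def run_demo():
    """Constructed scenario: a firewall app owns one deny rule; two other apps then
    try to install rules. Returns a dict of outcomes and the audit log."""
    anywhere = ip_network("0.0.0.0/0")
    servers = ip_network("10.0.0.0/24")
    firewall = App("firewall", frozenset({"add_flow", "read_stats"}))
    balancer = App("load_balancer", frozenset({"add_flow"}))
    monitor = App("monitor", frozenset({"read_stats"}))

    shim = ControllerShim([FlowRule(anywhere, servers, 23, "drop", priority=100)])
    outcome = {}

    # Allowed: HTTP to the servers does not overlap the telnet deny rule.
    shim.add_flow(balancer, FlowRule(anywhere, servers, 80, "forward", priority=50))
    outcome["http_installed"] = True

    # Rejected: a higher-priority forward rule for telnet would bypass the deny rule.
    try:
        shim.add_flow(balancer, FlowRule(ip_network("192.168.1.0/24"),
                                         ip_network("10.0.0.5/32"), 23, "forward", priority=200))
        outcome["telnet_installed"] = True
    except RuleConflict:
        outcome["telnet_installed"] = False

    # Rejected: the monitor app has no add_flow permission at all.
    try:
        shim.add_flow(monitor, FlowRule(anywhere, servers, None, "forward", priority=300))
        outcome["monitor_installed"] = True
    except AccessDenied:
        outcome["monitor_installed"] = False

    outcome["rules_installed"] = shim.read_stats(firewall)
    return outcome, shim.audit_log


if __name__ == "__main__":
    result, log = run_demo()
    print(result)
    print("\n".join(log))
```

The conflict test is deliberately conservative: an overlapping forward rule at equal priority is rejected as well, because OpenFlow leaves the winner among equal-priority overlapping entries undefined. The audit log is what an operator would feed to the auditing and accountability objectives named in the taxonomy.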
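The communication flooding attack between switch and controller described above, and the adaptive flow counting of OpenWatch [12] mentioned in the Security Analysis section, are both about the rate at which new flows reach the controller. The following added example (not the OpenWatch algorithm or any surveyed system's code) shows a simple defensive detector of that kind: it counts distinct new flows per switch per time window, keeps an exponentially weighted baseline learned only from windows judged normal, and raises an alert when a window exceeds a multiple of the baseline. The event format, the parameters, and the constructed traffic trace are assumptions made for the example.

```python
"""Adaptive per-switch flow-count anomaly detector.

Added illustration for this survey, not the OpenWatch [12] algorithm or any
surveyed system's code. The event format, parameters and sample traffic below
are assumptions constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class SwitchState:
    baseline: float = 0.0   # EWMA of new flows per window, learned on normal windows only
    windows_seen: int = 0


class FlowCountDetector:
    """Counts distinct new (src, dst) flows per switch per time window and raises an
    alert when a window exceeds an adaptive threshold derived from the baseline."""

    def __init__(self, window_s=1.0, alpha=0.2, factor=4.0, floor=20, warmup=3):
        self.window_s = window_s  # width of a counting window in seconds
        self.alpha = alpha        # EWMA smoothing weight for the baseline
        self.factor = factor      # alert when count > factor * baseline ...
        self.floor = floor        # ... but never on fewer than `floor` new flows
        self.warmup = warmup      # windows to observe before alerting
        self.state = defaultdict(SwitchState)

    def process(self, events):
        """events: iterable of (timestamp_s, switch_id, src_ip, dst_ip) for packets
        that missed the flow table (packet-in to the controller). Returns alerts."""
        flows = defaultdict(set)  # (window_index, switch) -> distinct (src, dst) pairs
        for ts, switch, src, dst in events:
            flows[(int(ts // self.window_s), switch)].add((src, dst))

        alerts = []
        for (w, switch) in sorted(flows):
            count = len(flows[(w, switch)])
            st = self.state[switch]
            threshold = max(self.floor, self.factor * st.baseline)
            if st.windows_seen >= self.warmup and count > threshold:
                alerts.append({"window": w, "switch": switch,
                               "count": count, "baseline": round(st.baseline, 2)})
                continue  # an attack window must not inflate the baseline
            if st.windows_seen == 0:
                st.baseline = float(count)
            else:
                st.baseline = (1 - self.alpha) * st.baseline + self.alpha * count
            st.windows_seen += 1
        return alerts


def build_sample_events():
    """Constructed trace: 10 quiet seconds with 10 flows each on switch s1, then a
    burst in second 10 of 500 flows from distinct sources (a packet-in flood)."""
    events = []
    for sec in range(10):
        for i in range(10):
            events.append((sec + 0.05 * i, "s1", f"10.0.1.{i + 1}", "10.0.2.10"))
    for i in range(500):
        events.append((10.0 + i / 1000.0, "s1",
                       f"172.16.{i // 256}.{i % 256}", f"10.0.2.{i % 50}"))
    return events


def run_demo():
    detector = FlowCountDetector()
    return detector.process(build_sample_events())


if __name__ == "__main__":
    for alert in run_demo():
        print(f"ALERT switch={alert['switch']} window={alert['window']} "
              f"new_flows={alert['count']} baseline={alert['baseline']}")
```

Skipping the baseline update on an alerting window is the point that makes the threshold adaptive without being self-defeating: a sustained flood keeps being reported instead of being learned as the new normal. In a real deployment the alert would drive a mitigation such as rate-limiting packet-in messages from that switch, rather than only logging.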
Pull quote (truncated in extraction): "OpenFlow must not be the only protocol considered for SDN; there can be other options. The security measures include secure coding, deployment of integrity checks, and, most importantly, digital signing of the"

[11] S. Shin et al., “AVANT-GUARD: Scalable and Vigilant Switch Flow Management in Software-Defined Networks,” Proc. 2013 ACM SIGSAC Conf. Computer & Communications Security, 2013, pp. 413–24.
[12] Y. Zhang, “An Adaptive Flow Counting Method for Anomaly Detection in SDN,” Proc. 9th ACM Conf. Emerging Networking Experiments and Technologies, 2013, pp. 25–30.
[13] A. Akhunzada et al., “Man-At-The-End Attacks: Analysis, Taxonomy, Human Aspects, Motivation and Future Directions,” J. Network and Computer Applications, 2014.
[14] L. Wei et al., “Security and Privacy for Storage and Computation in Cloud Computing,” Info. Sciences, vol. 258, 2014, pp. 371–86.
[15] Q. Duan, Y. Yan, and A. V. Vasilakos, “A Survey on Service-Oriented Network Virtualization Toward Convergence of Networking and Cloud Computing,” IEEE Trans. Network and Service Management, vol. 9, no. 4, 2012, pp. 373–92.

EJAZ AHMED (ejazahmed@ieee.org) is a Ph.D. candidate at the University of Malaya. Before that, he worked as a research associate at CogNet (Cognitive Radio Research Lab) SEECS, NUST Pakistan, and CoReNet (Center of Research in Networks and Telecom), Maju, Islamabad, Pakistan. Currently, he is an active researcher at the Centre for Mobile Cloud Computing Research (C4MCCR), University of Malaya, Kuala Lumpur, Malaysia. His areas of interest include software-defined networks, cognitive radio networks, and mobile cloud computing.

ABDULLAH GANI (abdullahgani@ieee.org) is an associate professor at the Department of Computer System and Technology, University of Malaya. His academic qualifications were obtained from UK’s universities: Bachelor’s and Master’s degrees from the University of Hull, and a Ph.D. from the University of Sheffield. He has published more than 100 academic papers in conferences and respected journals. His research interests include self-organized systems, reinforcement learning, and wireless-related networks.

MUHAMMAD KHURRAM KHAN (mkhurram@ksu.edu.sa) is working at the Center of Excellence in Information Assurance, King Saud University, Saudi Arabia. He has edited seven books and proceedings published by Springer-Verlag and IEEE. He has published more than 200 papers in international journals and conferences. He is an inventor of 10 U.S./PCT patents. He is Editor-in-Chief of a well-reputed journal, Telecommunication Systems (Springer), and a member of several editorial boards. His research interests

SGHAIER GUIZANI (sguizani@alfaisal.edu) is an assistant professor at the Electrical Engineering Department, Alfaisal University, Riyadh, Saudi Arabia. He received his B.S. from the State University of New York at Binghamton in 1990, his M.S. from North Carolina State University in 1992, and his Ph.D. from the University of Quebec, Trois Rivieres, Canada, in 2006, all in electrical and computer engineering. His research interests are in the areas of wireless communication, computer networks, computer security, RFID, and optical fiber communication systems.