Internet Technologies of the New Generation

Research in the area of computer networks and Internet technologies in Russia, and development of the most breakthrough new-generation computer network technologies

Security in Software-Defined Networks

Software-Defined Networks have two characteristics that make them particularly attractive to cyber criminals and rather unfamiliar to less experienced network administrators:

  1. The possibility of network management via software (which may have vulnerabilities);
  2. Centralized network management from the controller.

Thus, anyone who has access to the servers that store this software can potentially control the entire network.
For example, if you launch similar applications on four controllers (OpenDaylight, Floodlight, Beacon and POX), where the first application provokes a memory leak, the second tries to get access to data structures, and the third initiates a system shutdown, you will see that all four controllers collapse. This means that enough attention must be paid to isolating one application from another inside the controller, so that every application runs in its own sandbox. Otherwise, we are going to have problems.
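As an added illustration of that isolation (this is not code from ARCCN or from any of the controllers named above), the following Python supervisor runs each controller application in its own process under an address-space limit, so that a leaking, misbehaving or self-terminating application takes down only itself while the supervisor and the other applications keep running. The application functions are constructed stand-ins and the memory limit and timeout are assumptions.

```python
import multiprocessing as mp
import resource
import sys

# Constructed stand-ins for the three misbehaving applications described
# above, plus one well-behaved one; none of them is real controller code.
def app_memory_leak():
    chunks = []
    while True:                       # grows without bound until stopped
        chunks.append(bytearray(16 * 1024 * 1024))

def app_bad_access():
    # stands in for an app reaching into data structures it does not own
    raise PermissionError("access to controller-private state denied")

def app_shutdown():
    sys.exit(3)                       # tries to take the whole controller down

def app_well_behaved():
    return                            # does its job and exits cleanly

def _sandboxed_entry(app, mem_limit):
    # Child side only: cap the address space (RLIMIT_AS), so a leaking app
    # fails with MemoryError in its own process, then hand over to the app.
    resource.setrlimit(resource.RLIMIT_AS, (mem_limit, mem_limit))
    app()

def run_isolated(apps, mem_limit=512 * 1024 * 1024, timeout=30):
    """Run each app in its own process; return {name: exit code}. Non-zero
    means only that app's process died; supervisor and other apps survive."""
    ctx = mp.get_context("fork")      # assumption: Linux/Unix host
    procs = {name: ctx.Process(target=_sandboxed_entry, args=(app, mem_limit))
             for name, app in apps.items()}
    for p in procs.values():
        p.start()
    results = {}
    for name, p in procs.items():
        p.join(timeout)
        if p.is_alive():              # hung app: stop it rather than wait
            p.terminate()
            p.join()
        results[name] = p.exitcode
    return results

APPS = {"leaky": app_memory_leak, "bad_access": app_bad_access,
        "shutdown": app_shutdown, "good": app_well_behaved}

if __name__ == "__main__":
    for name, code in run_isolated(APPS).items():
        print(f"{name:10s} exit code {code}")
```

Run without the sandbox, the same three functions would leak into, raise inside, or exit the single controller process; with it, the exit codes show each failure confined to its own process.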

Some attacks are specific to SDN:
  • for the data plane: attacks using malicious code, DDoS attacks, attacks on network devices from within the network, malicious devices on the network, and software vulnerabilities, which include code that is unstable under external influences and code that contains vulnerabilities;
  • for the control plane: access authorization for applications must be managed, and authentication of applications' access to the data plane must be set up. Networks should meet the requirements of business applications, and the logic of these applications determines how the required security is ensured.

OpenFlow links can use SSL/TLS, but the protocol does not make it mandatory; authentication takes place between controllers and OpenFlow devices. At the controller level, it is necessary to secure the controller itself and eliminate the possibility of its compromise, since otherwise an attacker would be able to control the entire network. It is also important to ensure the integrity of the controller and strict access authentication, to prevent DDoS attacks on the controller, and to prevent the injection of unwanted information into it.
Compromise of an OpenFlow switch is a very big problem. From the point of view of traditional infrastructure, it is clear that we cannot put a router in public places such as a train station, an airport or a business center, because the compromise of any router would lead to the compromise of the entire network. From this perspective, SDN is very useful: you can put a very simple and small OpenFlow switch anywhere you like, keeping the intelligence itself in a room under strict administrative control.

In SDN, the problems of authentication, authorization and accounting are still to be solved, and this is exactly what ARCCN is trying to do.