Understanding Software-Defined Networking (SDN) Threats and Countermeasures

Slide Note
Embed
Share

Software-Defined Networking (SDN) revolutionizes network management by separating control and data planes, providing flexibility, and enabling innovative flow handling. This presentation explores SDN concepts, OpenFlow protocol, operational distinctions from legacy networks, and the importance of topology management. It delves into threats like network topology poisoning and emphasizes the need for robust countermeasures to safeguard network integrity.

saez948
saez948 Follow

Uploaded on Oct 01, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Poisoning Network Visibility in Software-Defined Networks: New Attacks and Countermeasures Sungmin Hong, Lei Xu, Haopei Wang, Guofei Gu Present by He Zhang 1

  2. What is SDN? Software-Defined Networking (SDN) is a new programmable network framework tha decouples the control plane from the data plane. The data plane handles hardware level network packet processing based on high level policies from the control plane. SDN enables users to design and distribute innovative flow handling and network control algorithms conveniently, and add much more intelligence and flexibility to the control plane. 2

  3. SDN OpenFlow OpenFlow is a leading implementation of SDN that defines the communication protocol between the control plane and the data plane. The OpenFlow controller maintains topology information and provides visibility to upper services and applications. 3

  4. Operational Distinctions Between SDN and Legacy Networks The Distinctions Between Legacy Networks and OpenFlow Networks Highlighted in This Paper 4

  5. OpenFlow Topology Management Topology management includes three parts: switch discovery, host discovery and internal links (switch-to-switch link) discovery. It is controlled by Topology Management Services. Within the OpenFlow controller: Host Tracking Service (HTS) maintains a host profile that includes MAC address, IP address, location information and VLAN ID. Host profile is maintained to track the location of a host and is updated dynamically. Link Discovery Service (LDS) uses Open Flow Discovery Protocol (OFDP) to detect internal links between switches.trolled by Topology Management Services. 5

  6. Link Discovery Service The link discovery procedure in an Open-Flow network. Open Flow Discovery Protocol (OFDP), which refers to LLDP (Link Layer Discovery Protocol) packets, to detect internal links between switches. 6

  7. Threat If fundamental network topology information is poisoned, all the dependent network services will become immediately affected, causing catastrophic problems. Host location hijacking Attack and link fabrication attacks are two network topology poisoning attacks that are introduced in the paper. 7

  8. Host Tracking Services in current OpenFlow controller platforms (1) MAC address (2) IP address (3) Location information (i.e., the DPID and the port number of the attached switch as well as the last seen timestamp). 8

  9. Host Location Hijacking Attack Host Tracking Service maintains a host profile for each end host to track network mobility. The lack of consideration on security for the update process provides an opportunity for an adversary to tamper host location information which in turns affects routing decisions and hijack the traffic towards the host. 9

  10. Web Impersonation Attack 10

  11. Link Fabrication Attack OpenFlow adopts OFDP by utilizing LLDP packets for topology management. There exist security flaws during the link discovery procedure which opens the door to inject fake links into network topology. In a Fake LLDP Injection and by monitoring the traffic from OpenFlow switches, the attacker can obtain the genuine LLDP packet, modify the specific contents of the LLDP packet, generates fake LLDP packets to announce bogus internal links between two switches. In LLDP Relay , when receiving an LLDP packet from one target switch, the attacker repeats it to another target switch without any modification constructing a fake topology view 11

  12. LLDP Relay Here, we discuss two ways to build a communication channel to relay LLDP packets, by physical links and by a tunnel. 12

  13. Denial of Service Attack 13

  14. Man-In-The-Middle Attack 14

  15. Static Defense Strategies This defense is obviously not attractive as the manual management is tedious, error-prone and not scalable in practice. 15

  16. Dynamic Defense Strategies against Host Location Hijack Authenticate Host Entity: Authenticate a host by adding additional public-key infrastructure - a host encodes the new location information into an unused field of packet with the encryption using its private key This adds storage overhead for keeping public keys in the OpenFlow controller side and computation overhead for handling each Packet-In message. Overhead and cost for the management of all keys of hosts Verify the Legitimacy of Host Migration verify the legitimacy of the host migration by checking the precondition (Port-Down) and post condition (Host unreachable in old location) Performance overhead but lighter and more feasible 16

  17. Dynamic Defense Strategies against Link Fabrication Authentication for LLDP packets Adds extra controller-signed authenticator ((HMAC) code) TLVs in the LLDP packet and check the signature when receiving the LLDP packets. It fails to defend against the Link Fabrication attack in an LLDP relay/tunneling manner. Verification for Switch Port Property Check if any host resides inside the LLDP propagation If OpenFlow controllers detect host-generated traffic (e.g., DNS) from a specific switch port, Device Type of that port is set as HOST, otherwise switch ports are set as SWITCH. 17

  18. TopoGuard Prototype System - Automatic and real-time detection Extension Port Manager tracks dynamics of switch ports (ANY, SWITCH and HOST) Port Property maintains host list to verify the trustworthiness of a host migration. The Host Prober tests the liveness of the host in a specific location by issuing a host probing packet. topology Update Checker verifies the legitimacy of a host migration, the integrity/origin of an LLDP packet and switch port property 18

  19. Port Property Management Properties for each switch port in an OpenFlow controller. 19

  20. TopoGuard Implementation - Effectiveness A prototype implementation of TopoGuard on the master version of Floodlight. 20

  21. TopoGuard Implementation - Effectiveness When the compromised hosts start relaying LLDP packets, TopoGuard detects the violation of Device Type of particular ports 21

  22. TopoGuard Implementation - Performance The performance penalty imposed by TopoGuard mainly comes from the Link Discovery Module and the Packet-In message processing. Port Manager incurs a slight delay over the normal LLDP and host-generated packets processing. 22

  23. Summary SDN is a new programmable network framework. OpenFlow is a leading implementation of SDN. OpenFlow Topology Management services and examples of related security attacks. Propose TopoGuard framework for automatic and real-time detection extension to OpenFlow. 23

  24. Limitations OpenFlow is an open protocol but not mandatory for SDN and accordingly this is an OpenFlow specific research. The paper avoids some security features such as ARP and LLDP protection because of static nature. Holistic approach is not considered (SDN as part of the whole network). Security of the network and underlying networking components are essential for SDN security. The approach is considering topology management services security as a silo solution. Not considered in relation to other layers or components of SDN architecture. Performance and security issues that may arise as a result of the use of keyed-hash message authentication code (HMAC) as an optional TLV for LLDP packets. 24

  25. Contributions We perform the first security analysis on the SDN/OpenFlow Topology Management Service. In particular, we have discovered new vulnerabilities in the Device Tracking Service and Link Discovery Service in eight current mainstream SDN/OpenFlow controllers. We propose Network Topology Poisoning Attacks to exploit the vulnerabilities we have found. We demonstrate the feasibility of those attacks both in the Mininet emulation environment and a hardware SDN testbed. We investigate the defense space and propose automatic mitigation approaches against Network Topology Poisoning Attacks, along with a prototype defense system, Topo Guard, currently implemented in Flood-light, but could be easily extended to other controllers. Our evaluation shows that Topo Guard imposes only a negligible performance overhead. 25

  26. Quiz 1. To dynamically discover topology, the Link Discovery Service (LDS) inside OpenFlow controllers uses what protocol? 2. To build a communication channel to relay LLDP packets, adversary can sets up physical links between two switches. If this is not feasible, what can the adversary use ? 3. What is the role of TopoGuard? 26

  27. Thank you! 27

Related


Understanding Software-Defined Networking (SDN) and OpenFlow

Understanding Software-Defined Networking (SDN) and OpenFlow

pile_per
Evolution of Networking: Embracing Software-Defined Networks

Evolution of Networking: Embracing Software-Defined Networks

stalling_r
Virtual Labs on SDN and P4 Programmable Switches

Virtual Labs on SDN and P4 Programmable Switches

everly
Meridian: An SDN Platform for Cloud Network Services

Meridian: An SDN Platform for Cloud Network Services

aki_enc
Understanding Anti-Countermeasures in Credibility Assessment

Understanding Anti-Countermeasures in Credibility Assessment

raoul
Optical SDN/NFV User Guide for Network Control & Management

Optical SDN/NFV User Guide for Network Control & Management

zacaryst
Enhancing SDN Networks with GRAMI Software: A Study by Shlomi Nissim and Anat Bremler-Bar

Enhancing SDN Networks with GRAMI Software: A Study by Shlomi Nissim and Anat Bremler-Bar

kacey
Road Safety Countermeasures and Resources

Road Safety Countermeasures and Resources

colletti_z
Virtual Labs and Cybersecurity Overview at 2021 Winter ICT Educators Conference

Virtual Labs and Cybersecurity Overview at 2021 Winter ICT Educators Conference

ellierose
Detailed OpenFlow Emulation Using Mininet/OpenvSwitch

Detailed OpenFlow Emulation Using Mininet/OpenvSwitch

amilia
Adaptive Resilient Routing via Preorders in SDN

Adaptive Resilient Routing via Preorders in SDN

ryad
Exploring Source-Routed Forwarding in SDN-Based WANs

Exploring Source-Routed Forwarding in SDN-Based WANs

sha_kin
Simplifying Middlebox Policy Enforcement Using SDN

Simplifying Middlebox Policy Enforcement Using SDN

briceyd
PhD in Telematics Engineering: Traffic Prediction with Big Data Technologies

PhD in Telematics Engineering: Traffic Prediction with Big Data Technologies

gunn_l
Enhancing Memcached Traffic Load Balancing using SDN

Enhancing Memcached Traffic Load Balancing using SDN

raega
Understanding NFV and SDN Controllers in Networking Architecture

Understanding NFV and SDN Controllers in Networking Architecture

mjerr
Understanding Malware: Types, Symptoms, and Countermeasures

Understanding Malware: Types, Symptoms, and Countermeasures

kennade
Introduction to Database Security and Countermeasures

Introduction to Database Security and Countermeasures

ailbe
Understanding Internet Threat Landscape and Countermeasures

Understanding Internet Threat Landscape and Countermeasures

kaczmarek_a
Understanding Security Threats and Countermeasures

Understanding Security Threats and Countermeasures

grob_aid
Nuclear Security and Regulatory Oversight in the Slovak Republic

Nuclear Security and Regulatory Oversight in the Slovak Republic

seymore_g
Workshop on Fine-grained Measurements App with P4 Programmable Switches

Workshop on Fine-grained Measurements App with P4 Programmable Switches

jream
Understanding Software-Defined Radio (SDR) with GNU Radio Introduction

Understanding Software-Defined Radio (SDR) with GNU Radio Introduction

auden
Understanding Software Processes and Models

Understanding Software Processes and Models

fatima

More Related Content

Diploma in Hardware & Networking: Upgrade Your IT Skills
Diploma in Hardware & Networking: Upgrade Your IT Skills
Benefits of Linux Open Networking & Software Defined Storage (SDS) for Cloud Environments
Benefits of Linux Open Networking & Software Defined Storage (SDS) for Cloud Environments
Evolution of Programmable Switches and Routers
Evolution of Programmable Switches and Routers
Understanding Software Measurement and Metrics in Software Engineering
Understanding Software Measurement and Metrics in Software Engineering
Insights from NATO Software Engineering Conferences and The Software Crisis of the Seventies
Insights from NATO Software Engineering Conferences and The Software Crisis of the Seventies
Software Cost Estimation in Software Engineering
Software Cost Estimation in Software Engineering
Proof Coring Works for Micropiles: A Technical Briefing by SS Liew Foundtest Drilling Sdn Bhd
Proof Coring Works for Micropiles: A Technical Briefing by SS Liew Foundtest Drilling Sdn Bhd
Securight Sdn. Bhd. - Leading Commercial Security Company in Malaysia
Securight Sdn. Bhd. - Leading Commercial Security Company in Malaysia
Benefits of Buying Property at Auctions by Arena Auctioneers Sdn Bhd
Benefits of Buying Property at Auctions by Arena Auctioneers Sdn Bhd
Investigating SDN Forwarding with RuleScope
Investigating SDN Forwarding with RuleScope
Understanding Malicious Software in Computer Security
Understanding Malicious Software in Computer Security
Understanding the Importance of Networking for Community Growth
Understanding the Importance of Networking for Community Growth
Dell ProSupport Networking Support Capabilities Update Sales Training
Dell ProSupport Networking Support Capabilities Update Sales Training
Maximizing Networking Opportunities at Career Fairs and Conferences
Maximizing Networking Opportunities at Career Fairs and Conferences
Growth of CA Firms through Networking & Merger
Growth of CA Firms through Networking & Merger
Networking and Partnership Formation for AECD at University of Gondar College of Education
Networking and Partnership Formation for AECD at University of Gondar College of Education
Understanding Security Threats and Vulnerabilities in Computer Systems
Understanding Security Threats and Vulnerabilities in Computer Systems
Understanding Threat Assessment in Conservation: Direct, Stress, and Indirect Threats
Understanding Threat Assessment in Conservation: Direct, Stress, and Indirect Threats
Networking: Mastering the Basics
Networking: Mastering the Basics
Coastal Challenges: Threats and Uses Analysis
Coastal Challenges: Threats and Uses Analysis
Integrating OpenContrail into Neutron Stadium - Networking Advancements
Integrating OpenContrail into Neutron Stadium - Networking Advancements
Essential Tips for Protecting Your Computer from Cyber Threats
Essential Tips for Protecting Your Computer from Cyber Threats
Understanding Cyber Threats in Today's Digital Landscape
Understanding Cyber Threats in Today's Digital Landscape
Recognizing and Preventing Insider Threats in National Security
Recognizing and Preventing Insider Threats in National Security