Blessing or curse? Revisiting security aspects of Software-Defined Networking

Software-Defined Networking (SDN) is an emerging technology that physically separates the data and control planes of network devices. From a security point of view, SDN has two sides. On the one hand, it enables network security functions by design, because traffic flows can be redirected or filtered based on packet content or application layer state, functionality that in conventional networks to date requires additional network security devices such as firewalls, intrusion detection systems or spam filters. On the other hand, due to the physical separation of planes, SDN possibly offers additional attack vectors compared to traditional network architectures, which may severely impact overall network availability as well as the confidentiality, authenticity, integrity and consistency of network traffic and control data. In this paper, we discuss and balance the security provided by SDN against the security threats of SDN, also with respect to traditional networks. We develop an evaluation methodology for both sides and show that, from a security point of view, SDN is a blessing for today's and future network design and operation.
