Security analysis of approaches to integrate middleboxes into software defined networks

Software-defined Networking (SDN) is a novel approach that makes enterprise and data center networks easier to manage. Integrating middleboxes, which provide the Network Functions (NFs) that are crucial for network security, performance and reliability, raises new challenges; for example, requiring traffic to traverse middleboxes in a given order makes routing more complex. Rerouting a traffic flow also requires that the state held by middleboxes that are no longer on the route be transferred to the middleboxes that join it. Software-defined Middlebox PoLicy Enforcement (SIMPLE) and OpenNF are two approaches for integrating middleboxes into SDNs that address these challenges. Since both are responsible for enforcing middlebox policies, design flaws in their architecture could lead to severe vulnerabilities and put the security of the whole network at stake. Therefore, a security analysis of SIMPLE and OpenNF was conducted using Microsoft's threat modeling approach STRIDE; its results show the threats to which these approaches are exposed.
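To make the method concrete, the following is an added example (not code or results from the paper) of how a STRIDE-per-element enumeration is driven from a data-flow diagram of the kind of architecture the abstract describes: a controller that pushes middlebox policies, switches, the middleboxes themselves, their per-flow state, and the state-transfer flow between a middlebox leaving a route and one joining it. The element names, the two trust zones ("control" and "data") and the data flows are assumptions made for illustration; they are not the DFD the authors used, and the output is the category table the method produces, not a list of vulnerabilities found in SIMPLE or OpenNF.

```python
"""STRIDE-per-element enumeration over a hypothetical SDN middlebox DFD.

Added example, not from the paper. The element set below is assembled
from the abstract's description and is an assumption, not the authors'
model.
"""
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    EXTERNAL = "external entity"
    PROCESS = "process"
    STORE = "data store"
    FLOW = "data flow"


# Microsoft's STRIDE-per-element chart: which threat categories apply to
# each DFD element type (S T R I D E = Spoofing, Tampering, Repudiation,
# Information disclosure, Denial of service, Elevation of privilege).
STRIDE_PER_ELEMENT = {
    Kind.EXTERNAL: "SR",
    Kind.PROCESS: "STRIDE",
    Kind.STORE: "TRID",
    Kind.FLOW: "TID",
}

CATEGORY = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: Kind
    zone: str               # trust zone the element sits in (assumed)
    endpoints: tuple = ()   # (source zone, destination zone) for data flows


def threats_for(element):
    """(element name, STRIDE category) pairs the chart assigns to one element."""
    return [(element.name, CATEGORY[c]) for c in STRIDE_PER_ELEMENT[element.kind]]


def crosses_boundary(element):
    """True for a data flow whose two ends lie in different trust zones."""
    return element.kind is Kind.FLOW and len(set(element.endpoints)) > 1


def enumerate_threats(elements):
    """Full STRIDE-per-element table as (name, category, crosses_boundary).

    Boundary-crossing flows are listed first: that is where an attacker
    on the network can interpose, so they get reviewed first.
    """
    ordered = sorted(elements, key=lambda e: not crosses_boundary(e))
    table = []
    for e in ordered:
        for name, cat in threats_for(e):
            table.append((name, cat, crosses_boundary(e)))
    return table


def build_middlebox_dfd():
    """Hypothetical DFD for the architecture in the abstract (assumption)."""
    return [
        Element("Operator", Kind.EXTERNAL, "control"),
        Element("SDN controller (policy enforcement)", Kind.PROCESS, "control"),
        Element("OpenFlow switch", Kind.PROCESS, "data"),
        Element("Middlebox A (leaving route)", Kind.PROCESS, "data"),
        Element("Middlebox B (joining route)", Kind.PROCESS, "data"),
        Element("Per-flow middlebox state", Kind.STORE, "data"),
        Element("Policy push: controller -> switch", Kind.FLOW, "control",
                ("control", "data")),
        Element("State transfer: middlebox A -> B", Kind.FLOW, "data",
                ("data", "data")),
        Element("Reroute command: controller -> middleboxes", Kind.FLOW, "control",
                ("control", "data")),
    ]


if __name__ == "__main__":
    # Print the table; '*' marks rows for flows that cross a trust boundary.
    for name, cat, crossing in enumerate_threats(build_middlebox_dfd()):
        print(f"{'*' if crossing else ' '} {name:45} {cat}")
```

The table is the starting point of a STRIDE analysis, not its conclusion: each (element, category) row still has to be judged against the concrete design, for example whether the state-transfer flow between middleboxes is authenticated and integrity-protected, which is what decides whether the Tampering and Spoofing rows become real findings.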