Security in OpenFlow-based SDN, opportunities and challenges

Abstract: The SDN paradigm profoundly changes the architecture of networks in favor of greater adaptability to the needs of new value-added services. This article examines the positive and negative impacts of such a change on network security. Since few in-depth studies have attempted to cover this issue comprehensively, we first define the most relevant axes of analysis for this concept, namely availability, access control, and application-service-oriented security. Along these axes, and with respect to the state of the art in security, we analyze a number of research works that have addressed this issue by proposing solutions through the OpenFlow specification, with the aim of highlighting the real opportunities and the real challenges that this new concept brings to network security.
