The rise of software-defined networking (SDN) in recent years has brought unprecedented agility to network configuration and orchestration. As physical links and configurations become virtualised, services can be deployed dynamically and transparently. The same virtualisation, however, opens a new attack surface. SDN abstracts the administration of network elements away from the administrator, while the software running on those elements presents a growing attack surface; together these make it possible for a malicious router or switch to forward traffic in ways that do not comply with the higher-level abstractions its controller relies on. This paper focuses on building an assurable SDN network using Trusted Computing mechanisms to: (A) provide a strong hardware-based platform identity, and use it to check that the software on each network element is healthy; and (B) increase assurance that traffic flows are forwarded to their intended destinations by dynamically monitoring the low-level configurations used to route virtual LANs. The architecture as a whole provides a mechanism to check network posture, bridging the gap between remote attestation and virtual networking.
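The two checks described above, platform attestation of the switch software and comparison of the switch's low-level VLAN tables against the controller's intent, can be combined into a single posture verdict. The following Python sketch is an added example written for this page, not code from the paper. It assumes an IMA-style measurement log of (component, SHA-256) pairs replayed into a PCR, and it stands in for the TPM's attestation-key signature with an HMAC under a key assumed to have been enrolled when the switch was provisioned. The golden measurements, the controller intent and the two port tables are constructed sample data.

```python
"""Toy network-posture verifier: remote attestation plus VLAN intent compliance.
Added example for illustration; not the paper's implementation."""
import hashlib
import hmac
import os


# --- (A) hardware-rooted platform identity and software health --------------

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style PCR extend: new = H(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay_log(log):
    """Replay an IMA-style measurement log of (component, sha256 hex) into a PCR."""
    pcr = bytes(32)
    for _component, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def make_quote(attest_key: bytes, log, nonce: bytes) -> dict:
    """What the switch's TPM returns for a challenge. The HMAC is an assumption
    standing in for a signature under the TPM's attestation key; the switch
    cannot choose the PCR value, only what it actually measured."""
    pcr = replay_log(log)
    mac = hmac.new(attest_key, pcr + nonce, hashlib.sha256).digest()
    return {"pcr": pcr, "nonce": nonce, "mac": mac, "log": log}


def verify_attestation(quote, attest_key, nonce, golden):
    """Return (healthy, reasons): identity, freshness, log/PCR consistency,
    and every measured component checked against the golden values."""
    reasons = []
    expected_mac = hmac.new(attest_key, quote["pcr"] + quote["nonce"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_mac, quote["mac"]):
        reasons.append("quote not signed by the enrolled platform key")
    if quote["nonce"] != nonce:
        reasons.append("stale quote (nonce mismatch)")
    if replay_log(quote["log"]) != quote["pcr"]:
        reasons.append("measurement log does not replay to quoted PCR")
    for component, digest_hex in quote["log"]:
        if golden.get(component) != digest_hex:
            reasons.append(f"unexpected measurement for {component}")
    return (not reasons, reasons)


# --- (B) low-level VLAN configuration versus controller intent --------------

def check_vlan_config(intent, switch_ports):
    """intent: {vlan_id: set(ports)} from the controller's abstraction.
    switch_ports: {port: set(vlan_ids)} read from the switch's port table.
    Returns a list of discrepancies; empty means forwarding matches intent."""
    expected = {}
    for vlan, ports in intent.items():
        for port in ports:
            expected.setdefault(port, set()).add(vlan)
    problems = []
    for port in sorted(set(expected) | set(switch_ports)):
        want = expected.get(port, set())
        have = switch_ports.get(port, set())
        for vlan in sorted(have - want):
            problems.append(f"port {port} leaks into VLAN {vlan}")  # cross-tenant exposure
        for vlan in sorted(want - have):
            problems.append(f"port {port} missing from VLAN {vlan}")  # intended traffic dropped
    return problems


def assess_posture(quote, attest_key, nonce, golden, intent, switch_ports):
    """Combine both checks into one posture verdict for a network element."""
    healthy, reasons = verify_attestation(quote, attest_key, nonce, golden)
    config_issues = check_vlan_config(intent, switch_ports)
    return {"software_healthy": healthy, "attestation_issues": reasons,
            "config_issues": config_issues, "trusted": healthy and not config_issues}


# --- constructed sample data (not from the paper) ---------------------------
GOLDEN = {"bootloader": hashlib.sha256(b"bootloader-v1").hexdigest(),
          "ovs-vswitchd": hashlib.sha256(b"ovs-2.x-good").hexdigest()}
ATTEST_KEY = b"enrolled-platform-key"  # assumption: enrolled at provisioning
GOOD_LOG = [("bootloader", GOLDEN["bootloader"]), ("ovs-vswitchd", GOLDEN["ovs-vswitchd"])]
TAMPERED_LOG = [("bootloader", GOLDEN["bootloader"]),
                ("ovs-vswitchd", hashlib.sha256(b"ovs-backdoored").hexdigest())]
INTENT = {10: {1, 2}, 20: {3, 4}}                       # tenant A on VLAN 10, B on 20
GOOD_PORTS = {1: {10}, 2: {10}, 3: {20}, 4: {20}}
LEAKY_PORTS = {1: {10}, 2: {10}, 3: {10, 20}, 4: {20}}   # port 3 also joined VLAN 10

if __name__ == "__main__":
    nonce = os.urandom(16)  # fresh per challenge so old quotes cannot be replayed
    for log, ports in ((GOOD_LOG, GOOD_PORTS), (TAMPERED_LOG, GOOD_PORTS), (GOOD_LOG, LEAKY_PORTS)):
        print(assess_posture(make_quote(ATTEST_KEY, log, nonce), ATTEST_KEY, nonce, GOLDEN, INTENT, ports))
```

The important property shown by the tampered case is that the switch cannot hide a modified daemon: the quote is over what was measured, so the verifier sees a golden-value mismatch even though the quote itself is genuine. The leaky case shows a switch whose software is healthy but whose port table no longer matches the controller's VLAN abstraction, which is exactly the situation the low-level configuration monitor is meant to catch.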