Towards Secure Multi-tenant Virtualized Networks

Network virtualization enables multi-tenancy over a shared physical network infrastructure, but at the cost of increased network complexity. Software-defined networking (SDN) is a novel network architectural model -- one in which the control plane is separated from the data plane by a standardized API -- that aims to reduce the network management overhead. However, as the SDN model itself is still evolving, its application to multi-tenant virtualized networks raises multiple security challenges. In this paper, we present a security analysis of SDN-based multi-tenant virtualized networks: we outline the security assumptions applicable to such networks, define the relevant adversarial model, identify the main attack vectors for such network infrastructure deployments and, finally, synthesize a set of high-level security requirements for SDN-based multi-tenant virtualized networks. This paper sets the foundation for the future design of secure SDN-based multi-tenant virtualized networks.
