Mitigating Threats Emerging from the Interaction between SDN Apps and SDN (Configuration) Datastore

Software-defined networking (SDN) has established itself in networking, and standardization efforts are under way to strengthen the next generation of this essential technology. The Network Management Datastore Architecture (NMDA), RFC 8342, is a notable achievement in this regard: it standardizes the two vital SDN datastores, configuration and operational. Even though the configuration datastore itself has been standardized, the guidelines for securing it and for safeguarding the interactions between SDN apps and the SDN configuration datastore remain vague, which leaves room for security vulnerabilities. Both industry and academia have recognized the threats that arise from these interactions, but to date only partial solutions exist. In this paper, we focus on mitigating such threats by proposing four security design principles that we believe should be applied uniformly across all SDN platforms: (i) authentication of SDN apps, (ii) authorization of SDN apps, (iii) accountability of SDN apps, and (iv) real-time detection and resolution of conflicts between configuration rules, whether the rules belong to the same SDN app or to different ones. Based on these four principles, we develop and present a prototype implementation of the \foo framework, an open-source, vendor-independent system for securing the interactions between SDN apps and the SDN configuration datastore. We then evaluate the security of the \foo framework using two datasets: (i) real-world, complicated cases of rule conflicts and (ii) 50,000+ real-world configuration (attack) rules. Our experiments show that the \foo system mitigates the threats emerging from the interactions between SDN apps and the SDN configuration datastore with a one-time latency of ≈7 ms for the insertion of the 50,000th rule into the configuration datastore.
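
The four principles above are easiest to see as a single gate that every write from an SDN app must pass before it reaches the configuration datastore. The following Python sketch is an added illustrative example, not code from the \foo framework or from any cited paper; the HMAC token scheme, the path-prefix authorization policy, the rule format (a datastore path, a match dictionary with absent fields as wildcards, and a permit/deny action) and the overlap rule for conflicts are all assumptions made for the example. It also goes slightly beyond the abstract by distinguishing an intra-app conflict from an inter-app one in the audit log, since both are mentioned as targets of the detection step.

```python
"""Gateway in front of an SDN configuration datastore (illustrative, not the paper's code).

Per insert: authenticate the app (HMAC token), authorize the target subtree
(path-prefix policy), detect conflicts with committed rules (overlapping match,
different action), and append every decision to an audit log (accountability).
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

SECRET = b"demo-secret"  # constructed; a deployment would hold per-app secrets


def token_for(app: str) -> str:
    """Issue an app token: '<app>:<HMAC-SHA256(app)>' (assumed scheme)."""
    return app + ":" + hmac.new(SECRET, app.encode(), hashlib.sha256).hexdigest()


def authenticate(token: str) -> Optional[str]:
    """Return the app name carried by a valid token, else None."""
    app, _, mac = token.partition(":")
    if not app:
        return None
    expected = hmac.new(SECRET, app.encode(), hashlib.sha256).hexdigest()
    return app if hmac.compare_digest(mac.encode(), expected.encode()) else None


@dataclass(frozen=True)
class Rule:
    app: str      # app claiming the rule
    path: str     # datastore subtree, e.g. "/acl/ingress" (assumed layout)
    match: dict   # field -> value; a field that is absent is a wildcard
    action: str   # "permit" or "deny"


def overlaps(a: dict, b: dict) -> bool:
    """Matches overlap when some packet satisfies both: every shared field agrees."""
    return all(a[k] == b[k] for k in a.keys() & b.keys())


class Datastore:
    def __init__(self, acl: dict):
        self.acl = acl            # app -> set of path prefixes it may write
        self.rules: list = []     # committed rules
        self.audit: list = []     # (app, path, outcome, detail) records

    def _log(self, app: str, path: str, outcome: str, detail: str = "") -> None:
        self.audit.append((app, path, outcome, detail))

    def insert(self, token: str, rule: Rule) -> str:
        # (i) authentication: token must verify AND name the app the rule claims
        app = authenticate(token)
        if app is None or app != rule.app:
            self._log(rule.app, rule.path, "AUTHN_FAIL", "bad token or app mismatch")
            return "AUTHN_FAIL"
        # (ii) authorization: app may only write subtrees it was granted
        if not any(rule.path.startswith(p) for p in self.acl.get(app, ())):
            self._log(app, rule.path, "AUTHZ_FAIL")
            return "AUTHZ_FAIL"
        # (iv) conflict detection: same subtree, overlapping match, opposite action
        for r in self.rules:
            if r.path == rule.path and overlaps(r.match, rule.match) and r.action != rule.action:
                kind = "INTRA_APP_CONFLICT" if r.app == app else "INTER_APP_CONFLICT"
                self._log(app, rule.path, kind, f"conflicts with {r.app} rule {r.match}")
                return kind  # resolution policy here: reject the newcomer
        self.rules.append(rule)
        self._log(app, rule.path, "COMMITTED")   # (iii) accountability
        return "COMMITTED"


def demo() -> list:
    """Constructed scenario: a firewall app and a load-balancer app share /acl/ingress."""
    ds = Datastore({"fw": {"/acl/"}, "lb": {"/acl/ingress", "/lb/"}})
    fw, lb = token_for("fw"), token_for("lb")
    return [
        ds.insert(fw, Rule("fw", "/acl/ingress", {"dst_port": 22}, "deny")),
        ds.insert(fw, Rule("fw", "/acl/ingress", {"dst_port": 443}, "permit")),
        ds.insert(fw, Rule("fw", "/acl/ingress", {"src_ip": "10.0.0.5"}, "permit")),
        ds.insert(lb, Rule("lb", "/acl/ingress", {"dst_port": 22, "src_ip": "10.0.0.9"}, "permit")),
        ds.insert(lb, Rule("lb", "/acl/egress", {"dst_port": 80}, "permit")),
        ds.insert("lb:deadbeef", Rule("lb", "/lb/pool", {}, "permit")),
        ds.insert(lb, Rule("fw", "/acl/ingress", {}, "deny")),
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The third insert is the subtle case: a permit on `src_ip` alone shares no field with the earlier `dst_port 22` deny, so the two overlap (SSH from 10.0.0.5 matches both) and the gateway flags an intra-app conflict; the fourth shows the same check across apps. The last two inserts show why authentication must bind the token to the app named in the rule: a forged token fails outright, and a valid `lb` token presenting a rule labelled `fw` is rejected rather than silently attributed to the firewall app. Resolution here is the simplest policy (reject the newcomer); a real system would pick a policy per subtree.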

[1] Phillip A. Porras, et al. A Framework for Policy Inconsistency Detection in Software-Defined Networks, 2022, IEEE/ACM Transactions on Networking.

[2] Mohsen Guizani, et al. SILedger: A Blockchain and ABE-based Access Control for Applications in SDN-IoT Networks, 2021, IEEE Transactions on Network and Service Management.

[3] Ashok Kumar Das, et al. Designing Fine-Grained Access Control for Software-Defined Networks Using Private Blockchain, 2021, IEEE Internet of Things Journal.

[4] Nadir Shah, et al. ROCA: Auto-resolving overlapping and conflicts in Access Control List policies for Software Defined Networking, 2021, Int. J. Commun. Syst.

[5] Zhen Zhang, et al. SEAPP: A secure application management framework based on REST API access control in SDN-enabled cloud environment, 2021, J. Parallel Distributed Comput.

[6] Ravi Sandhu, et al. ParaSDN: An Access Control Model for SDN Applications based on Parameterized Roles and Permissions, 2020, 2020 IEEE 6th International Conference on Collaboration and Internet Computing (CIC).

[7] Ravi Sandhu, et al. A Model for the Administration of Access Control in Software Defined Networking using Custom Permissions, 2020, 2020 Second IEEE International Conference on Trust, Privacy and Security in Intelligent Systems and Applications (TPS-ISA).

[8] Zhenyu Wen, et al. THP: A Novel Authentication Scheme to Prevent Multiple Attacks in SDN-Based IoT Network, 2020, IEEE Internet of Things Journal.

[9] Vinod Yegneswaran, et al. AudiSDN: Automated Detection of Network Policy Inconsistencies in Software-Defined Networks, 2020, IEEE INFOCOM 2020 - IEEE Conference on Computer Communications.

[10] Ashok Kumar Das, et al. On the Design of Blockchain-Based Access Control Scheme for Software Defined Networks, 2020, IEEE INFOCOM 2020 - IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS).

[11] Dijiang Huang, et al. Brew: A Security Policy Analysis Framework for Distributed SDN-Based Cloud Environments, 2019, IEEE Transactions on Dependable and Secure Computing.

[12] Ravi Sandhu, et al. SDN-RBAC: An Access Control Model for SDN Controller Applications, 2019, 2019 4th International Conference on Computing, Communications and Security (ICCCS).

[13] K. D. Joshi, et al. BEAM: BEhavior-Based Access Control Mechanism for SDN Applications, 2019, 2019 28th International Conference on Computer Communication and Networks (ICCCN).

[14] Bryan C. Ward, et al. Controller-Oblivious Dynamic Access Control in Software-Defined Networks, 2019, 2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

[15] Ram Krishnan, et al. A Formal Access Control Model for SE-Floodlight Controller, 2019, SDN-NFV@CODASPY.

[16] Gail-Joon Ahn, et al. SDNSOC: Object Oriented SDN Framework, 2019, SDN-NFV@CODASPY.

[17] Yue Zhang, et al. BENBI: Scalable and Dynamic Access Control on the Northbound Interface of SDN-Based VANET, 2019, IEEE Transactions on Vehicular Technology.

[18] Adam Doupé, et al. AIM-SDN: Attacking Information Mismanagement in SDN-datastores, 2018, CCS.

[19] William H. Sanders, et al. Cross-App Poisoning in Software-Defined Networking, 2018, CCS.

[20] Stephan Merz, et al. Synaptic: A formal checker for SDN-based security policies, 2018, NOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium.

[21] Jürgen Schönwälder, et al. Network Management Datastore Architecture (NMDA), 2018, RFC 8342.

[22] Farid Naït-Abdesselam, et al. A comprehensive 3-dimensional security analysis of a controller in software-defined networking, 2018, Secur. Priv.

[23] Bin Yuan, et al. SecSDN-Cloud: Defeating Vulnerable Attacks Through Secure Software-Defined Networks, 2018, IEEE Access.

[24] Vinod Yegneswaran, et al. A Security-Mode for Carrier-Grade SDN Controllers, 2017, ACSAC.

[25] Zong-Guo Xia, et al. Authentication mechanism for network applications in SDN environments, 2017, 2017 20th International Symposium on Wireless Personal Multimedia Communications (WPMC).

[26] Nan Zhang, et al. HanGuard: SDN-driven protection of smart home WiFi devices from malicious mobile apps, 2017, WISEC.

[27] Zonghua Zhang, et al. Controller DAC: Securing SDN controller with dynamic access control, 2017, 2017 IEEE International Conference on Communications (ICC).

[28] Brent Byunghoon Kang, et al. Vulnerabilities of network OS and mitigation with state-based permission system, 2016, Secur. Commun. Networks.

[29] Hongxin Hu, et al. Enabling Dynamic Access Control for Controller Applications in Software-Defined Networks, 2016, SACMAT.

[30] Bo Yang, et al. SDNShield: Reconciliating Configurable Application Permissions for SDN App Markets, 2016, 2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

[31] Xianbin Wang, et al. Fast authentication in 5G HetNet through SDN enabled weighted secure-context-information transfer, 2016, 2016 IEEE International Conference on Communications (ICC).

[32] Torsten Hoefler, et al. SDNsec: Forwarding Accountability for the SDN Data Plane, 2016, 2016 25th International Conference on Computer Communication and Networks (ICCCN).

[33] Otto Carlos Muniz Bandeira Duarte, et al. AuthFlow: authentication and access control mechanism for software defined networking, 2016, Ann. des Télécommunications.

[34] Seungwon Shin, et al. The Smaller, the Shrewder: A Simple Malicious Application Can Kill an Entire SDN Environment, 2016, SDN-NFV@CODASPY.

[35] Christian Banse, et al. A Secure Northbound Interface for SDN Applications, 2015, 2015 IEEE Trustcom/BigDataSE/ISPA.

[36] Yustus Eko Oktian, et al. Secure your Northbound SDN API, 2015, 2015 Seventh International Conference on Ubiquitous and Future Networks.

[37] Lei Xu, et al. FloodGuard: A DoS Attack Prevention Extension in Software-Defined Networks, 2015, 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks.

[38] Fernando M. V. Ramos, et al. Software-Defined Networking: A Comprehensive Survey, 2014, Proceedings of the IEEE.

[39] Nick McKeown, et al. OpenFlow: enabling innovation in campus networks, 2008, ACM SIGCOMM Computer Communication Review.

[40] Kwok T. Fung. Network Security Architectures, 2004.

[41] Hai Jin, et al. A Fine-Grained Multi-Tenant Permission Management Framework for SDN and NFV, 2018, IEEE Access.

[42] Yustus Eko Oktian, et al. OAuthkeeper: An Authorization Framework for Software Defined Network, 2017, Journal of Network and Systems Management.

[43] Vinod Yegneswaran, et al. Securing the Software Defined Network Control Layer, 2015, NDSS.

[44] Kostas Pentikousis, et al. Software-Defined Networking (SDN): Layers and Architecture Terminology, 2015, RFC 7426.