Controller-Oblivious Dynamic Access Control in Software-Defined Networks

Conventional network access control approaches are static (e.g., user roles in Active Directory), coarse-grained (e.g., 802.1x), or both (e.g., VLANs). Such systems are unable to meaningfully stop or hinder motivated attackers seeking to spread throughout an enterprise network. To address this threat, we present Dynamic Flow Isolation (DFI), a novel architecture for supporting dynamic, fine-grained access control policies enforced in a Software-Defined Network (SDN). These policies can emit and revoke specific access control rules automatically in response to network events like users logging off, letting the network adaptively reduce unnecessary reachability that could be potentially leveraged by attackers. DFI is oblivious to the SDN controller implementation and processes new packets prior to the controller, making DFI's access control resilient to a malicious or faulty controller or its applications. We implemented DFI for OpenFlow networks and demonstrated it on an enterprise SDN testbed with around 100 end hosts and servers. Finally, we evaluated the performance of DFI and how it enables a novel policy, which is otherwise difficult to enforce, that protects against a surrogate of the recent NotPetya malware in an infection scenario. We found that the threat was most limited in its ability to spread using our policy, which automatically restricted network flows over the course of the attack, compared to no access control or a static role-based policy.
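The abstract describes three access-control regimes (none, static role-based, and DFI's event-driven rules evaluated ahead of the controller). The following toy model, added here as an illustration and not code from the DFI paper or its implementation, makes that difference concrete on a constructed five-host network: a policy engine emits allow rules when a user logs in and revokes them on logoff, a filter applies those rules to every new packet before a deliberately permissive stand-in controller sees it, and a helper measures how many hosts a compromised workstation could still reach on the SMB port. All class names, the role table, host names and events are assumptions made for the example.

```python
"""Toy model of event-driven flow isolation in the spirit of DFI.

Added example, not the paper's code. Host names, roles, rule format and the
controller stand-in are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SMB = 445  # SMB port: the lateral-movement channel modelled in the abstract's NotPetya scenario


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class FlowRule:
    src: str
    dst: str               # host name or "*" for any host
    dport: Optional[int]   # None = any port
    action: str            # "allow" | "deny"

    def matches(self, p: Packet) -> bool:
        return (self.src == p.src and self.dst in ("*", p.dst)
                and self.dport in (None, p.dport))


# Constructed role table: what each role may reach, as (destination, port).
ROLE_ACCESS: Dict[str, List[Tuple[str, int]]] = {
    "staff": [("fileserver", SMB)],
    "admin": [("fileserver", SMB), ("*", SMB)],  # admins may administer any host
}


class PolicyEngine:
    """Holds the access-control rules; in dynamic mode they follow login/logoff events."""

    def __init__(self, mode: str, host_roles: Optional[Dict[str, str]] = None):
        self.mode = mode                      # "none" | "static" | "dynamic"
        self.rules: List[FlowRule] = []       # first match wins
        self.sessions: Dict[str, str] = {}    # host -> logged-in user
        if mode == "static":                  # roles bound permanently to hosts
            for host, role in (host_roles or {}).items():
                self._emit(host, role)

    def _emit(self, host: str, role: str) -> None:
        for dst, port in ROLE_ACCESS[role]:
            self.rules.append(FlowRule(host, dst, port, "allow"))

    def on_login(self, host: str, user: str, role: str) -> None:
        self.sessions[host] = user
        if self.mode == "dynamic":
            self._emit(host, role)            # grant only while the session exists

    def on_logoff(self, host: str) -> None:
        self.sessions.pop(host, None)
        if self.mode == "dynamic":
            self.rules = [r for r in self.rules if r.src != host]  # revoke

    def decide(self, p: Packet) -> str:
        if self.mode == "none":
            return "allow"
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "deny"                          # default-deny when nothing matches


class PermissiveController:
    """Stand-in for a faulty or compromised SDN controller: forwards everything it is asked about."""

    def __init__(self) -> None:
        self.seen: List[Packet] = []

    def packet_in(self, p: Packet) -> str:
        self.seen.append(p)
        return "forward"


class DFIFilter:
    """Evaluates the policy before the controller, so denied packets never reach it."""

    def __init__(self, engine: PolicyEngine, controller: PermissiveController):
        self.engine, self.controller = engine, controller

    def handle(self, p: Packet) -> str:
        if self.engine.decide(p) == "deny":
            return "drop"
        return self.controller.packet_in(p)


def exposed_targets(dfi: DFIFilter, src: str, hosts: List[str], port: int = SMB) -> List[str]:
    """Hosts that a new flow from `src` on `port` would actually reach."""
    return [h for h in hosts if h != src and dfi.handle(Packet(src, h, port)) == "forward"]


def run_scenario(mode: str) -> Dict[str, int]:
    """Constructed timeline: an admin logs into ws1, logs off, then ws1 is assumed compromised."""
    hosts = ["ws1", "ws2", "ws3", "fileserver"]
    host_roles = {"ws1": "admin", "ws2": "staff", "ws3": "staff"}
    engine = PolicyEngine(mode, host_roles)
    controller = PermissiveController()
    dfi = DFIFilter(engine, controller)
    engine.on_login("ws1", "alice", "admin")
    during = len(exposed_targets(dfi, "ws1", hosts))
    engine.on_logoff("ws1")
    after = len(exposed_targets(dfi, "ws1", hosts))
    return {"admin logged in": during, "after logoff": after,
            "controller asked": len(controller.seen)}


if __name__ == "__main__":
    for mode in ("none", "static", "dynamic"):
        print(mode, run_scenario(mode))
```

In the "none" and "static" regimes the compromised workstation keeps reaching every other host on the SMB port after the administrator has logged off, and the permissive controller is consulted for every flow; in the "dynamic" regime the logoff event revokes the admin rules, exposure drops to zero, and the controller never sees the dropped flows, which is the property the abstract attributes to processing packets before the controller.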
