Friday, December 6, 2019

Computer Networking-Software Defined Network

Questions:

The purpose of this assignment is to develop skills to think independently about innovation. In this assignment students will first learn how to develop knowledge based on the current state of the art of an emerging knowledge domain. Then they will learn how to identify plausible security issues in this emerging technology, and finally learn the skill of adding knowledge to an existing domain by theoretically developing the corresponding protection mechanism for a particular issue.

Description of the assessment:

Software Defined Networking (SDN) is a rising concept in computer networking. It is possible to centralize software logically in order to control the behaviour of the network. In contrast to a conventional network, in SDN a network's control logic is separated from the underlying physical routers and switches. This allows network operators to write high-level control programs specifying the behaviour of the whole network.

This assignment includes four parts:

1. Literature review on Software Defined Networking (SDN). You need to write a 1000-word literature review on SDN. Your literature review should be supported by at least three (3) academic (Journal/Conference) papers chosen from the current state of the art.
2. Identify three current or future security issues in SDN. In this section you will identify three security issues. These issues can be taken from the current state of the art or could evolve from your own independent innovative thinking. This section must again be supported by at least two (2) references.
3. Develop a theoretical security framework against one of the security issues identified in (2). In this part you need to add knowledge to the existing knowledge domain of SDN. You need to choose one of the issues identified in the previous section and develop a theoretical security framework for this particular security issue.
4. Create a 7-10 minute presentation and present your work in front of a big audience.
Answers:

Software defined network

Software Defined Network, or SDN, is a computer networking approach that allows network managers to manage network services through abstraction of high-level functionality. This is done by decoupling the system that makes decisions about how traffic is managed from the underlying systems that forward the traffic to its final destination (Bernardo, Chua, 2015).

Protocol

SDN is usually associated with the OpenFlow protocol; other techniques involved are the Open Network Environment from Cisco and the Network Virtualization Platform from Nicira (Canini, et al. 2012).

Concept

Software Defined Networking answers a present-day need for an architecture that purports to be manageable, dynamic, adaptable and cost-effective, and that seeks to suit the dynamic, high-bandwidth nature of today's applications. The architecture lets network managers decouple the network control and forwarding functions, so that the network control is directly programmable and the underlying infrastructure is abstracted from network services and applications (Feamster, 2010). When the OpenFlow protocol is considered the foundational element for building SDN solutions, the architecture needs the following properties (Al-Shaer, et al, 2010).

Directly Programmable
Since the network control is decoupled from the forwarding functions, the network control can be programmed directly.

Centrally Managed
Network intelligence can be logically centralized in software-based SDN controllers, which maintain a bird's-eye, or global, view of the network that appears to applications and policy engines as one logical switch.
Agile
Abstracting control from forwarding lets administrators dynamically adjust the network-wide traffic flow so that changing needs and demands are met.

Open Standards-based and Vendor-Neutral
When implemented through open standards, SDN simplifies the design and operation of the network, because the necessary instructions are given by the SDN controllers rather than by multiple vendor-specific protocols and devices.

Programmatically Configured
SDN allows network managers to write programs themselves to manage, configure, secure and optimize the resources of the network, simply and quickly, through automated and dynamic SDN programs, as these programs are independent of proprietary software.

Need for SDN

The existing traditional network architecture is ill-suited to today's storage needs and to the dynamic computing needs of enterprise data centres and carrier environments. The driving needs for the SDN paradigm are the following.

Dynamically Changing Patterns of Traffic
Traffic patterns have changed dynamically within the enterprise data centre. Unlike client-server applications, in which the bulk of the communication happens between the client and the server, present applications need access to various servers and databases, creating huge traffic across both the east-west and north-south traffic patterns. In addition, users keep changing the patterns of network traffic as they access applications and corporate content from various devices, connecting at any time and from anywhere.
Hence, the managers of enterprise data centres have been contemplating utility computing models that may include public cloud, private cloud or hybrid cloud, which in turn result in additional traffic across the WAN.

IT Consumerization
Users of computers and mobile devices are increasingly employing personal devices like tablets, smartphones and networks to access the corporate network. It is a challenge for IT to accommodate the increasing number of personal devices while at the same time protecting intellectual property and corporate data and meeting compliance mandates.

Cloud Services Incline
Enterprises have enthusiastically embraced private and public cloud services, which has resulted in enormous growth of these services. They want the agility to access infrastructure, applications and other IT resources amid increasing demand. However, planning is needed for the increased compliance, security and auditing requirements of cloud services, along with business reorganizations and mergers that can change assumptions dynamically. There is a need for elastic scaling of storage, network and computing resources, ideally with a common suite of tools and from a common viewpoint.

Big Data and More Bandwidth
Handling the mega datasets, or big data, needed today requires huge parallel processing on thousands of servers, which demands direct connections among them. The same need demands additional network capacity in the data centre. Scaling the network to previously unimaginable levels while maintaining any-to-any connectivity without breaking has become a challenge.

Architecture and components

A high-level overview of the architecture of the Software Defined Network is shown in the following figure.
Figure: SDN Architecture

SDN App
SDN applications are programs that communicate their network requirements and desired network behaviour directly, programmatically and explicitly to the SDN controller through the NBI, or Northbound Interface. They may also consume an abstracted view of the network for their internal decision-making purposes. An SDN application consists of one SDN Application Logic and one or more NBI drivers. These applications may themselves expose another layer of abstracted network control, offering one or more higher-level NBIs through the respective NBI agents.

SDN Controller
The SDN controller is a logically centralized entity in charge of:

- translating the requirements of the SDN application layer down to the SDN datapaths
- providing the SDN applications with an abstract view of the network that includes events and statistics

It consists of one or more NBI agents, the control logic and the CDPI (Control to Data-Plane Interface) driver.

SDN Datapath
The SDN datapath is a logical network device that exposes uncontended control and visibility over its advertised forwarding and data processing capabilities. The logical representation encompasses all or a subset of the physical substrate resources. It consists of a CDPI agent, a set of one or more traffic forwarding engines and zero or one traffic processing functions. These engines and functions may include simple forwarding between external interfaces, internal traffic processing or termination functions. SDN datapaths may be contained in one network element, which is an integrated physical combination of communications resources, managed as a single unit. A datapath can also be related to multiple elements of the physical network.
SDN CDPI
The SDN Control to Data-Plane Interface is a well-defined interface between the SDN datapath and the SDN controller that provides:

- Capabilities advertisement
- Programmatic control of all forwarding operations
- Statistics reporting
- Event notification

The CDPI is expected to be implemented in a vendor-neutral, interoperable and open way.

SDN NBI
SDN Northbound Interfaces are the interfaces between the SDN applications and the SDN controller. They provide the abstract network view and enable direct expression of network behaviour and requirements. This can occur at any abstraction level and across different sets of functionality. These interfaces are also expected to be implemented in an interoperable, vendor-neutral and open way.

Security issues

Most of the security issues are related to the security issues of traditional networking. However, there are other issues that are new. There are many attack vectors against an SDN system; the more common ones are attacks on the architecture layers. The following are the attacks anticipated on the layers of the SDN.

Attacks over Data Plane Layer
Usually, the network elements are targeted from right within the network itself. The attacker can gain unauthorized access to the network, either physically or virtually, or compromise a host that is connected to the SDN, and then try to attack the network elements to disable them. This could be a DoS (Denial of Service) attack or a fuzzing attack against the elements of the network. Several southbound APIs and protocols are used by the controller to communicate with the network elements. Though these protocols are built with their own methods of securing communication with the network elements, many of them may not be set up in the most secure way, as they are new.
These protocols can be used by attackers to instantiate new flows in the flow tables of the devices. They can try to spoof new flows in order to permit specific types of traffic that are not allowed into the network. If an attacker manages to instantiate a flow that bypasses the traffic steering that guides traffic through a firewall, the attacker has succeeded. The attacker will then be able to steer the traffic in his or her direction, leverage that capability to sniff traffic, and easily perform a MITM (Man in the Middle) attack (Network World, 2014).

Attack over Controller Layer
The SDN controller is an obvious target for an attacker, and it is targeted for several purposes. New flows can be instantiated by spoofing northbound API messages or southbound messages toward the network devices. When the attacker succeeds in spoofing these as coming from a legitimate controller, the attacker gains the ability to let traffic flow over the SDN as he or she wishes and can easily bypass the policies that security relies on. The attacker may also attempt a DoS of the controller, or similar methods, to interrupt the controller or make it fail. A resource consumption attack can also be attempted against the controller, which would make it respond extremely slowly to Packet_In events, bog it down, and slow its sending of Packet_Out messages. SDN controllers usually run on the Linux operating system. But if the SDN is operated on other, regular operating systems, then the vulnerabilities of the operating system become the vulnerabilities of the SDN. Most of the time, controllers are deployed into production with easy, default passwords and no configuration of the security settings. SDN engineers usually do not want to touch them, for fear of breaking something.
Eventually, the SDN system is left with a vulnerable configuration (Network World, 2014).

Attacks at SDN Layer
Attacking the security of the northbound protocol is also a likely vector. The SDN controller makes use of many northbound APIs, which can use Java, JSON, Python, REST, C and others. If attackers can leverage a vulnerable northbound API, then control of the SDN controller, and so of the SDN network, would be in the attacker's hands. If the SDN controller lacks any form of security for the northbound API, the attacker could create SDN policies of his or her own and gain complete control of the entire SDN environment. Usually, the REST API uses a default password that is trivial to determine. If the SDN deployment does not change the default password, the attacker will be able to create his or her own packets for the management interface of the controller, query the configuration of the SDN environment and replace it with a configuration of his or her own (Network World, 2014).

Security framework for one issue

Securing the SDN Layer
An Out-of-Band (OOB) network is a protection measure for controlling the network traffic. This network helps secure the controller management protocols used in the southbound and northbound communications. TLS, SSH or similar methods can be used to secure the controller management and northbound communications. Encryption and authentication methods can help secure the communication between the controller and the applications requesting data or services from it (Network World, 2014).

Presentations

Slide 1: SDN
- Software Defined Network
- Computer networking approach
- Allows network managers to manage the network services, by high level functionality abstraction
- Abstraction done through system decoupling
- Sends congested traffic to the final destination, with appropriate decisions
- Protocol: OpenFlow
- Other techniques

Slide 2: Advantages (w.r.t. today's dynamic environment)
- Adaptable
- Dynamic
- Manageable
- Cost-effective
- Compatible
- Suitable

Slide 3: OpenFlow Protocol
- Directly Programmable
- Centrally Managed
- Agile
- Open Standards-based and Vendor-Neutral
- Programmatically Configured

Slide 4: Need for SDN
- Dynamically changing patterns of traffic
- IT Consumerization
- Cloud Services Incline
- Big Data and More Bandwidth

Slide 5: Architecture

Slide 6: Architecture components
- SDN App
- SDN Controller
- SDN Datapath
- SDN CDPI
- SDN NBI

Slide 7: Security issues

Slide 8: Security attacks
- Attacks over Data Plane Layer
- Attack over Controller Layer
- Attacks at SDN Layer

Slide 9: Security framework
- Securing the SDN Layer
- OOB (Out-of-Band) protection measure

References

Network World, 2014, "Securing SDN Deployments Right from the Start". Network World, viewed 23 May 2016.
Bernardo and Chua, 2015, "Introduction and Analysis of SDN and NFV Security Architecture (SA-SECA)". 29th IEEE AINA.
Canini, Marco and Venzano, Daniele and Peresini, Peter and Kostic, Dejan and Rexford, Jennifer; et al., 2012, "A NICE Way to Test OpenFlow Applications". NSDI.
Al-Shaer, Ehab and Al-Haj, Saeed, 2010, "FlowChecker: Configuration analysis and verification of federated OpenFlow infrastructures". Proceedings of the 3rd ACM workshop on Assurable and usable security configuration.
Sherwood, Rob and Gibb, Glen and Yap, Kok-Kiong and Appenzeller, Guido and Casado, Martin and McKeown, Nick and Parulkar, Guru, 2009, "Flowvisor: A network virtualization layer". OpenFlow Switch Consortium, Tech. Rep.
Jafarian, Jafar Haadi and Al-Shaer, Ehab and Duan, Qi, 2012, "Openflow random host mutation: transparent moving target defense using software defined networking". Proceedings of the first workshop on Hot topics in software defined networks.
Jin, Ruofan and Wang, Bing, 2013, "Malware detection for mobile devices using software-defined networking". Research and Educational Experiment Workshop (GREE), 2013 Second GENI.
Feamster, Nick, 2010, "Outsourcing home network security". Proceedings of the 2010 ACM SIGCOMM workshop on Home networks.
Braga, Rodrigo and Mota, Edjard and Passito, Alexandre, 2010, "Lightweight DDoS flooding attack detection using NOX/OpenFlow". Local Computer Networks (LCN), 2010 IEEE 35th Conference on.
Benton, Kevin and Camp, L Jean and Small, Chris, 2013, "Openflow vulnerability assessment". Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking.
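
Added example (not part of the original post): the data plane section above describes spoofed flows that bypass the traffic steering through a firewall. One way to detect this is to compare the flows a switch reports with the flows the controller intended to install, as sketched here. The Flow schema, the port numbers and the sample flows are constructed assumptions, not a real controller or OpenFlow API.

```python
# Added example: reconcile a switch's flow table against the controller's intent.
# The Flow schema and port numbers are hypothetical, not a real OpenFlow API.
from dataclasses import dataclass
from typing import Optional, Tuple

UNTRUSTED_PORT = 1  # assumed: port facing the untrusted network
FIREWALL_PORT = 2   # assumed: port that leads to the firewall

@dataclass(frozen=True)
class Flow:
    priority: int
    in_port: Optional[int]      # None = wildcard, matches any ingress port
    ip_dst: Optional[str]       # None = wildcard
    out_ports: Tuple[int, ...]  # empty tuple = drop

def bypasses_firewall(flow: Flow) -> bool:
    """True if traffic from the untrusted port is forwarded around the firewall."""
    from_untrusted = flow.in_port in (None, UNTRUSTED_PORT)
    return from_untrusted and bool(flow.out_ports) and FIREWALL_PORT not in flow.out_ports

def audit(intended, installed):
    """Return (severity, reason, flow) for every mismatch between the
    controller's intended flows and the flows the switch reports."""
    known, present, findings = set(intended), set(installed), []
    for flow in installed:
        if flow not in known:
            sev = "HIGH" if bypasses_firewall(flow) else "MEDIUM"
            findings.append((sev, "flow not installed by controller", flow))
        elif bypasses_firewall(flow):
            findings.append(("LOW", "intended flow skips firewall", flow))
    for flow in intended:
        if flow not in present:
            findings.append(("MEDIUM", "intended flow missing from switch", flow))
    return findings

# Constructed sample data: what the controller pushed ...
STEER = Flow(100, UNTRUSTED_PORT, None, (FIREWALL_PORT,))
RETURN = Flow(100, 3, None, (UNTRUSTED_PORT,))
DEFAULT_DROP = Flow(0, None, None, ())
INTENDED = [STEER, RETURN, DEFAULT_DROP]
# ... and what the switch reports: the return flow is gone, and a
# higher-priority flow sends untrusted traffic straight to port 3.
ROGUE = Flow(200, UNTRUSTED_PORT, "10.0.0.5", (3,))
INSTALLED = [STEER, DEFAULT_DROP, ROGUE]

if __name__ == "__main__":
    for severity, reason, flow in audit(INTENDED, INSTALLED):
        print(f"{severity:6} {reason}: {flow}")
```

Running the audit from a host on the out-of-band management network keeps the check itself off the data plane it is inspecting.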
