
http://www.iaeme.com/IJCET/index.asp 67 [email protected]

International Journal of Computer Engineering & Technology (IJCET) Volume 7, Issue 4, July–Aug 2016, pp. 67–72, Article ID: IJCET_07_04_007

Available online at

http://www.iaeme.com/ijcet/issues.asp?JType=IJCET&VType=7&IType=4

Journal Impact Factor (2016): 9.3590 (Calculated by GISI) www.jifactor.com

ISSN Print: 0976-6367 and ISSN Online: 0976–6375

© IAEME Publication

SECURITY IN SOFTWARE DEFINED NETWORKING: A REVIEW

Ankita Dubey

Centre for Development of Advanced Computing,

Mumbai, India

Binny Khanna

Department of Computer Engineering MPSTME,

NMIMS Mumbai, India

ABSTRACT

Software Defined Networking (SDN) is the latest paradigm shift in enterprise networking, with clear and distinct advantages over the classical view of networking. Many models and architectures are being proposed to exploit these inherent advantages, and academia and industry are excited about the possibilities for innovation. Although the advantages are obvious, concerns have been raised about the security of SDN. In this paper we highlight the various challenges faced by academia and industry while implementing SDN in carrier and enterprise markets. We identify security concerns in SDN and try to apply classical and modern security primitives to this new paradigm. We find that the security primitives have to be embedded at the protocol and architecture levels for a smooth and seamless solution. This paper presents a review of the security challenges of SDN.

Key words: E-Authentication, Security, Software Defined Networks.

Cite this Article: Ankita Dubey and Binny Khanna, Security in Software Defined Networking: A Review. International Journal of Computer Engineering and Technology, 7(4), 2016, pp. 67–72.

http://www.iaeme.com/ijcet/issues.asp?JType=IJCET&VType=7&IType=4

INTRODUCTION

Software Defined Networking, abbreviated SDN, is the latest emerging approach to computer networking and is being adopted by various institutes, organizations and companies for better and smoother networking. It allows the network administrator to manage networking tasks through the abstraction of higher-level functionality [1]. SDN decouples the control and data planes and implements the control logic in software on a centralized controller.

SDN ARCHITECTURE

SDN consists of three planes: the application plane, the network control plane and the data plane, as shown in Figure 1. The APIs between the application plane and the control plane form the northbound interface, and the APIs between the control plane and the data plane form the southbound interface.

MERITS OF SDN

The latest trends in technology, such as the extensive use of mobile devices, server virtualization and cloud computing, demand a fast and dynamic flow of data. With the traditional network design, which is static in nature, this is impossible to achieve; moving to a mechanism that is dynamic and easily shapes traffic with real-time traffic management is indeed needed.

Figure 1 SDN architecture [3]

Some of the key computing trends driving the need for a new network paradigm include [1]:

TRAFFIC PATTERN VARIATIONS

Earlier, the client devices that could access a server were limited. As technology has improved and new devices such as mobile phones, desktops, laptops and tablets have been included, the traffic pattern has changed: now a client can request data from anywhere and from any device. Usage of private, public and hybrid clouds is increasing day by day.


THE “CONSUMERIZATION OF IT”

Users have changed their means of access, and one user now carries multiple devices to reach the corporate network. IT is under pressure to accommodate these personal devices in a fine-grained manner while protecting corporate data and intellectual property and meeting compliance mandates.

ACCELERATION OF CLOUD

Enterprises are embracing public and private cloud services, resulting in the growth of these services. IT's planning for cloud services must be done in an environment of increased security, compliance and auditing requirements, along with business reorganizations, consolidations and mergers that can change assumptions overnight.

MORE BANDWIDTH FOR “BIG DATA”

As users and devices increase, the volume of data is increasing tremendously as well, and fast, parallel processing is needed to deal with "Big Data". The rise of massive data sets is one of the reasons to add network capacity in the data centres, together with fast and dynamic control of it.

OPEN ISSUES

The problem of enabling a software-controlled network calls for identification of the open challenges, and of the steps that need to be taken to develop and introduce solutions for dynamic, software-based network management [3].

Consistency

There is a consistency problem between the logical representation of the network resources at the network control plane and the physical resources in the data plane. Keeping the two consistent hampers the responsiveness of the network.

A consistent network model at the control plane requires well-defined synchronization procedures to be executed frequently in order to update the logical model with information from the data plane. This leads to more resource consumption at the SDN controller (SDNC) and delays in the control channel, and thus decreases overall responsiveness at the control plane.

Optimization may improve responsiveness but may introduce uncoordinated behaviour that, in a large network, leads to unreliable systems with routing loops and black holes. Consistency improvement in SDN is a hot research topic.

Synchronization & Concurrency

To achieve high scalability, flexibility and availability, it has been identified that redundancy is needed in the control plane: in different topologies a single controller location is good for responsiveness but not for fault-tolerance requirements. Some research has shown the use of redundant and distributed control logic, and that introduces new problems such as synchronization and concurrency issues. On the other hand, fully programmed, complex network control logic can give high reliability and availability with numerous concurrent processes: Ericsson's knowledge-based telephone exchange, the AXE 810, developed over 40 years, implements its control logic as a standalone node, is now used as the central switch of many core-network implementations of Next Generation Networks, and is a reliable, robust and easily scaled solution. However, most such solutions are not yet implemented, though they are required in the new network evolution phase, 5G networks.

Synchronization and concurrency are big issues. As communication is a central element of these networks, and the aim is to softwarize network engineering theory, we may need to control the harmonious execution of numerous industry-specific, hardware-related policies and numerous interacting industry standards. This is actually one of the biggest concerns for further network evolution.


Security & Management

A centralized, programmatically controlled network grows day by day, so its management is a tedious job. On the other hand, making network resources accessible through APIs or software programs makes security another big issue. PKI, cryptography, authentication algorithms, cyber-security controls, access control, network isolation and monitoring all need to become part of the software technology, and all are under investigation.

Effective Memory Management & Space Issues

As the network grows large, its resources and the data related to those resources also increase; storing this big data effectively and performing database operations on such huge data requires attention. One approach is the use of hierarchical abstraction.

Limited Protocols

The OpenFlow and NETCONF protocols have limited expressiveness and are not flexible enough to follow changes in network configuration. Evolution of the protocols is needed.

Useful software technology should be developed that is of use not only in a conceptual manner but also in practice, to the people who operate the network.

INFORMATION SECURITY OF SDN

The SDN community has identified and resolved many security issues in SDN design, but additional issues keep arising due to the centralized architecture of SDN [5].

Confidentiality

Confidentiality prevents the disclosure of information to unauthorized or unintended entities. Two common methods are used for this: encryption and access control.

Encryption of the communication channel between the data plane and the controller ensures that if an intruder captures the data it is of no use, because the intruder cannot decrypt it and it is not in plaintext. As per the OpenFlow specification, an encrypted channel can be established with Transport Layer Security (TLS). Only authenticated users should be allowed access to data structures; this access control is enforced through the management interfaces of the network devices and of the controller, and can be done by the operating system.

The impact on confidentiality is neutral between SDN and conventional networks, because several techniques to encrypt network communication channels and apply access control have already been developed and can be adapted to both architectures.
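The OpenFlow specification makes TLS on the control channel optional, so the practical check is whether a deployment actually requires it and, when it does, whether the controller verifies the switch's certificate. The following is an added example, not code from the paper or from any OpenFlow controller: it builds the controller-side TLS context in a hardened and in a permissive form and audits both. The file-path parameters and the finding strings are assumptions for illustration.

```python
import ssl

# Added example: the controller is the TLS server on the OpenFlow control channel
# (TCP 6653 by default); switches connect to it. The operator's CA, the controller
# certificate and its key are paths supplied at deployment (assumed parameter names).


def controller_tls_context(ca_file=None, cert_file=None, key_file=None):
    """Hardened context for the controller's listening socket.

    With all arguments None the context is built without loading files so the
    function can be exercised offline; in deployment all three must be loaded.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLS 1.0 and 1.1
    ctx.verify_mode = ssl.CERT_REQUIRED             # mutual TLS: the switch must present a cert
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)   # only switches signed by this CA
    if cert_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def permissive_tls_context():
    """Weak setting: the channel is encrypted, but any host may connect as a switch."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_NONE   # the default for server-side contexts
    return ctx


def audit_control_channel(ctx):
    """Return the findings a practitioner would flag; None models plaintext TCP."""
    findings = []
    if ctx is None:
        findings.append("control channel is plaintext TCP: no TLS at all")
        return findings
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("client certificate not required: any host can pose as a switch")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS below 1.2 accepted")
    return findings
```

Encryption alone (the permissive context) only defends against passive reading of the channel; without CERT_REQUIRED an attacker on the management network can still connect as a switch and receive the controller's flow rules, so confidentiality of the control channel depends on the authentication setting as much as on the cipher.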

Authenticity

Authenticity means that entities are actually who they claim to be. The most commonly used cryptographic method to ensure authenticity is a signature.

Network devices as well as the controller have to exchange keys (either secret keys for generating and validating a MAC, or public keys for asymmetric signatures). To ensure trust between the applications and the controller, one proposal is an autonomic trust management system that prevents malicious applications from binding themselves to the controller and performing malicious actions. Authenticity of network devices is evaluated as neutral in SDN as well as in conventional networks, because techniques for mutual authentication are already deployed. Authenticity of the centralized controller and of the applications is evaluated as critical in SDN, because a malicious controller or application could compromise the behaviour of the whole network. Since a controller and applications do not exist in conventional networks, this issue is evaluated as uncritical there.


Integrity

If information remains unmodified during its life cycle, its integrity has been maintained. In SDN networks, primarily the integrity of flow rules and of the messages transferred between the layers has to be ensured. Integrity of messages can be implemented by, for example, a message authentication code (MAC). Integrity of flow/forwarding rules is evaluated as critical in SDN as well as in conventional networks, because modified rules could lead to undesirable effects.
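The Authenticity and Integrity passages above both come down to one mechanism on the control channel: the receiver must be able to tell a flow rule from the genuine controller from a forged, altered or replayed one. The following is an added example, not code from the paper or from any controller or switch. It uses the symmetric variant the text mentions (a shared secret key and a MAC); an asymmetric signature would replace the hmac call with a signing call and leave the rest of the exchange unchanged. The key, the rule contents and the message layout are constructed for illustration, and key distribution is out of scope.

```python
import hashlib
import hmac
import json

# Added example: controller and switch share a secret key; every flow-mod carries a
# sequence number and an HMAC-SHA256 over the sequence number and the rule.


def canonical(obj) -> bytes:
    """Deterministic encoding so both ends MAC exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_flow_mod(key: bytes, seq: int, rule: dict) -> dict:
    """Controller side: bind the sequence number and the rule under one MAC."""
    body = {"seq": seq, "rule": rule}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": tag}


def verify_flow_mod(key: bytes, msg: dict, last_seq: int):
    """Switch side. Returns (accepted, reason); rejects forged, altered and replayed messages."""
    body = {"seq": msg["seq"], "rule": msg["rule"]}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg.get("mac", "")):  # constant-time comparison
        return False, "bad MAC: forged or modified"
    if msg["seq"] <= last_seq:                                  # freshness check
        return False, "replay: sequence number not fresh"
    return True, "ok"


def demo():
    """Constructed scenario: genuine, tampered, replayed and rogue-controller messages."""
    key = b"example-shared-key-for-switch-1"  # constructed; provisioned out of band in practice
    rule = {"match": {"tcp_dst": 23}, "action": "drop", "priority": 100}
    msg = sign_flow_mod(key, seq=7, rule=rule)
    results = {"genuine": verify_flow_mod(key, msg, last_seq=6)}

    tampered = json.loads(json.dumps(msg))    # deep copy of the wire message
    tampered["rule"]["action"] = "output:1"   # attacker turns the drop into a forward
    results["tampered"] = verify_flow_mod(key, tampered, last_seq=6)

    results["replayed"] = verify_flow_mod(key, msg, last_seq=7)  # seq 7 already seen

    rogue = sign_flow_mod(b"attacker-chosen-key", seq=8, rule=rule)  # no shared key
    results["rogue_controller"] = verify_flow_mod(key, rogue, last_seq=7)
    return results
```

The sequence number is what turns an integrity check into an authenticity check against replay: without it, an attacker who captured a genuine "drop" flow-mod last week could re-inject it, and the MAC would still verify.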

Availability

Availability means being able to access data, devices and services every time they are needed. The obvious bottleneck in an OpenFlow network is the controller [5]. If the controller is unavailable due to misconfiguration, a technical error or an attack (e.g. a denial of service (DoS) attack), the network devices are only able to enforce predefined rules. If an SDN switch is down due to a technical error or a DoS attack, the controller can dynamically reprogram the network paths. Possible solutions to mitigate a DoS attack are implementing rate limiting, reducing the timeout of flow table entries, or dropping the packets of a DoS attack. One solution discusses the placement and number of controllers to achieve redundancy.

Availability of network devices is evaluated as neutral, due to the possibility of easily changing paths in SDN as well as in conventional networks. However, the non-availability of the controller in an SDN network is evaluated as critical. Due to the lack of a controller in a conventional network, this issue is evaluated as uncritical there.
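In an OpenFlow network every packet that matches no flow entry is sent to the controller as a packet-in, so a host that sprays packets at random destinations turns the switch into a DoS amplifier against the controller. The following is an added example, not code from the paper or from any controller: it combines two of the mitigations listed above, per-source rate limiting of packet-ins and a short-lived drop rule pushed to the switch so the offending source is dropped in the data plane rather than at the controller. The traffic, the MAC addresses and the flow-mod dictionary layout are constructed for illustration.

```python
import collections

# Added example: a token bucket per source in front of the controller's packet-in
# handler, plus an OpenFlow-style drop rule for a source that exhausts its budget.


class PacketInGuard:
    def __init__(self, rate_per_sec: float, burst: int, block_seconds: int = 10):
        self.rate = rate_per_sec          # sustained packet-ins allowed per source
        self.burst = burst                # bucket capacity
        self.block_seconds = block_seconds
        self._buckets = {}                # src -> (tokens, last_refill_time)
        self.stats = collections.defaultdict(lambda: {"forwarded": 0, "dropped": 0})

    def _take_token(self, src, now):
        tokens, last = self._buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self._buckets[src] = (tokens - 1, now)
            return True
        self._buckets[src] = (tokens, now)
        return False

    def on_packet_in(self, src: str, now: float):
        """Returns ("forward", None) to pass the packet-in to the controller apps, or
        ("drop", flow_mod); flow_mod is set only the first time a source goes over
        budget and is the rule to install on the switch."""
        if self._take_token(src, now):
            self.stats[src]["forwarded"] += 1
            return "forward", None
        self.stats[src]["dropped"] += 1
        flow_mod = None
        if self.stats[src]["dropped"] == 1:
            # empty action list = drop; hard_timeout lifts the block automatically
            flow_mod = {"match": {"eth_src": src}, "actions": [],
                        "priority": 1000, "hard_timeout": self.block_seconds}
        return "drop", flow_mod


def simulate(guard, events):
    """events: (time, src) pairs. Returns the flow-mods the guard asked to install."""
    installed = []
    for t, src in sorted(events):
        _, flow_mod = guard.on_packet_in(src, t)
        if flow_mod:
            installed.append(flow_mod)
    return installed


def demo():
    """Constructed traffic: an attacker raises 2000 packet-ins in one second while a
    legitimate host opens 10 connections over the same second."""
    guard = PacketInGuard(rate_per_sec=20, burst=50)
    events = [(i / 2000, "aa:aa:aa:aa:aa:aa") for i in range(2000)]
    events += [(i / 10, "bb:bb:bb:bb:bb:bb") for i in range(10)]
    installed = simulate(guard, events)
    return guard.stats, installed
```

The legitimate host never touches its burst limit and is served normally, the attacker gets roughly its burst plus one second of refill before the rest is dropped, and exactly one drop rule is pushed to the switch. The hard_timeout is the "reduced timeout" mitigation from the text applied to the block itself: the rule expires on its own, so a spoofed source address cannot be used to blackhole a victim permanently.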

Consistency

If different applications are used to define flow rules, it is possible that the flow rules are not mutually consistent. Hence a mediator between the applications and the controller is needed to deal with conflicting rules. One implementation that detects and mediates rule conflicts is FortNOX. The impact of conflicting rules is evaluated as critical for conventional as well as SDN networks, because it could lead to unpredictable network behaviour in both architectures.
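The following is an added example of the mediation step described above; it is not FortNOX's code and not from the paper. It follows FortNOX's basic idea, which is that each rule source has a role (administrator above security application above ordinary application) and a new rule that conflicts with an existing rule from a higher role is rejected. This simplified version checks match overlap and contradictory forward/drop actions only; FortNOX additionally accounts for header-rewrite actions, which are ignored here. The role names, match fields and application names are assumptions for illustration.

```python
# Added example: a rule mediator between applications and the controller.

ROLE_RANK = {"admin": 3, "security": 2, "app": 1}   # assumed role names
FIELDS = ("in_port", "eth_src", "eth_dst", "ip_src", "ip_dst", "ip_proto", "tcp_dst")


def matches_overlap(a: dict, b: dict) -> bool:
    """Some packet can satisfy both matches if, for every field, one side is a
    wildcard (field absent) or both sides require the same value."""
    return all(a.get(f) is None or b.get(f) is None or a[f] == b[f] for f in FIELDS)


def actions_contradict(a: str, b: str) -> bool:
    """A conflict is a drop on one side and a forward on the other."""
    return (a == "drop") != (b == "drop")


class Mediator:
    def __init__(self):
        self.rules = []

    def conflicts(self, new):
        return [r for r in self.rules
                if matches_overlap(r["match"], new["match"])
                and actions_contradict(r["action"], new["action"])]

    def add_rule(self, new: dict):
        """Returns (accepted, reason). A conflicting rule from a lower-ranked role is
        rejected; one from an equal or higher role evicts the rules it conflicts with."""
        clash = self.conflicts(new)
        blockers = [r for r in clash if ROLE_RANK[r["role"]] > ROLE_RANK[new["role"]]]
        if blockers:
            who = ", ".join(f'{r["app"]}({r["role"]})' for r in blockers)
            return False, f"rejected: conflicts with higher-role rule(s) from {who}"
        for r in clash:
            self.rules.remove(r)
        self.rules.append(new)
        return True, "installed" + (f", evicted {len(clash)}" if clash else "")


def demo():
    """Constructed scenario: a security app blocks telnet, a forwarding app tries to
    open it, then opens an unrelated port, then an administrator overrides."""
    m = Mediator()
    out = {}
    out["sec_block_telnet"] = m.add_rule({"app": "ids", "role": "security",
        "match": {"ip_proto": 6, "tcp_dst": 23}, "action": "drop"})
    # overlaps the security drop for one destination host: must be refused
    out["app_fwd_telnet"] = m.add_rule({"app": "lb", "role": "app",
        "match": {"ip_dst": "10.0.0.5", "tcp_dst": 23}, "action": "output:2"})
    # disjoint port: no conflict
    out["app_fwd_http"] = m.add_rule({"app": "lb", "role": "app",
        "match": {"ip_dst": "10.0.0.5", "tcp_dst": 80}, "action": "output:2"})
    # the administrator outranks the security app and may override it
    out["admin_allow"] = m.add_rule({"app": "ops", "role": "admin",
        "match": {"ip_src": "10.0.0.1", "tcp_dst": 23}, "action": "output:1"})
    return out, m.rules
```

Note that the overriding admin rule evicts the whole security rule here rather than carving out an exception for one host; a production mediator would narrow the lower-role rule instead, which is the part of the problem that makes conflict resolution in flow tables hard rather than merely tedious.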

CONCLUSION

To ensure that fast and dynamic computer networking is secure enough to rely upon, all the security issues listed and highlighted here should be taken care of in SDN. SDN with these security issues addressed preventively will bring the dynamic, real-time networking approach to its best form.

ACKNOWLEDGEMENTS

We are thankful to Dr. Zia Saquib, Executive Director, C-DAC Mumbai, and Dr. Padmaja Joshi, Joint Director, C-DAC Mumbai, for helping us. We are grateful to the Department of Computer Engineering, MPSTME, NMIMS Mumbai, for giving us the opportunity to study SDN.

REFERENCES

[1] ONF White Paper, Software-Defined Networking: The New Norm for Networks, April 13, 2012.

[2] Ravi Sharma, Study of Latest Emerging Trends on Cyber Security and its Challenges to Society, International Journal of Scientific & Engineering Research, 3(6), June 2012, ISSN 2229-5518.

[3] T. Galinac Grbac, C. M. Caba, J. Soler, Software Defined Networking Demands on Software Technologies, MIPRO 2015, 25–29 May 2015, Opatija, Croatia.

[4] Peter R. J. Trim, Yang-Im Lee (2010). A Security Framework for Protecting Business, Government and Society from Cyber Attacks. 5th International Conference on System of Systems Engineering, IEEE, 978-1-4244-8196-5/10, DOI 10.1109/SOSE.2010.414.


[5] Lisa Schehlmann, Sebastian Abt, Harald Baier (2014). Blessing or Curse? Revisiting Security Aspects of Software-Defined Networking. 10th CNSM and Workshop, IFIP, ISBN 978-3-901882-67-8.

[6] Mehiar Dabbagh, Bechir Hamdaoui, Mohsen Guizani, Ammar Rayes (2015). Software-Defined Networking Security: Pros and Cons. IEEE Communications Magazine, Communications Standards Supplement, 0163-6804/15.

[7] Adnan Akhunzada, Ejaz Ahmed, Abdullah Gani, Muhammad Khurram Khan, Muhammad Imran, Sghaier Guizani (2015). Securing Software Defined Networks: Taxonomy, Requirements, and Open Issues. IEEE Communications Magazine, 0163-6804/15.

[8] Yustus Eko Oktian, SangGon Lee, HoonJae Lee, JunHuy Lam (2015). Secure Your Northbound SDN API. ICUFN, 978-1-4799-8993-5/15.

[9] Christopher C. Lamb, Gregory L. Heileman (2014). Towards Robust Trust in Software Defined Networks. Globecom 2014 Workshop: The 6th IEEE International Workshop on Management of Emerging Networks and Services, 978-1-4799-7470-2/14.

[10] Ruikang Zhou, Zenghui Liu, Yingxu Lai, Jing Liu (2015). Study on Authentication Protocol of SDN Trusted Domain. IEEE Twelfth International Symposium on Autonomous Decentralized Systems, 978-1-4799-8261-5/15, DOI 10.1109/ISADS.2015.29.

[11] Varun S. Moruse and A. A. Manjrekar, Software Defined Network Based Firewall Technique. International Journal of Computer Engineering and Technology, 4(2), 2013, pp. 598–606.