http://www.iaeme.com/IJCET/index.asp 67 [email protected]
International Journal of Computer Engineering & Technology (IJCET) Volume 7, Issue 4, July–Aug 2016, pp. 67–72, Article ID: IJCET_07_04_007
Available online at
http://www.iaeme.com/ijcet/issues.asp?JType=IJCET&VType=7&IType=4
Journal Impact Factor (2016): 9.3590 (Calculated by GISI) www.jifactor.com
ISSN Print: 0976-6367 and ISSN Online: 0976–6375
© IAEME Publication
SECURITY IN SOFTWARE DEFINED NETWORKING:
A REVIEW
Ankita Dubey
Centre for Development of Advanced Computing,
Mumbai, India
Binny Khanna
Department of Computer Engineering MPSTME,
NMIMS Mumbai, India
ABSTRACT
Software Defined Networking (SDN) is the latest paradigm shift in the domain of enterprise
networking, with clear and distinct advantages over the classical view of networking. Many models and
architectures are being proposed to take advantage of these inherent strengths, and academia and
industry are excited about the possibilities for innovation. Although the advantages are obvious,
concerns have been raised about the security of SDN. In this paper we highlight the various
challenges faced by academia and industry when implementing SDN in carrier and enterprise markets.
We identify security concerns in SDN and try to apply classical and modern security primitives to
this new paradigm. We find that the security primitives have to be embedded at the protocol and
architecture levels for a smooth and seamless solution. This paper presents a review of the security
challenges of SDN.
Key words: E-Authentication, Security, Software Defined Networks.
Cite this Article Ankita Dubey and Binny Khanna, Security in Software Defined Networking: A
Review. International Journal of Computer Engineering and Technology, 7(4), 2016, pp. 67–72.
http://www.iaeme.com/ijcet/issues.asp?JType=IJCET&VType=7&IType=4
INTRODUCTION
Software Defined Networking, abbreviated as SDN, is the latest emerging approach to computer
networking and is being adopted by various institutes, organizations and companies for better and
smoother networking. This approach allows the network administrator to manage networking tasks
through the abstraction of higher-level functionality [1]. SDN decouples the control and data planes
and operates on programmed logic in a centralized controller.
SDN ARCHITECTURE
SDN consists of three planes: the application plane, the network control plane and the data plane,
as shown in Figure 1. The APIs between the application plane and the control plane form the
northbound interface, and the APIs between the control plane and the data plane form the southbound
interface.
Figure 1 SDN architecture [3]
MERITS OF SDN
Current trends in technology, such as the extensive use of mobile devices, server virtualization and
cloud computing, demand a fast and dynamic flow of data. This is impossible to achieve with the
traditional network design, which is static in nature; what is needed instead is a mechanism that is
dynamic and shapes traffic easily, with real-time traffic management.
Some of the key computing trends driving the need for a new network paradigm include [1]:
TRAFFIC PATTERN VARIATIONS
Earlier, client devices were limited in how they could access the server. As technology has improved
and new devices such as mobiles, desktops, laptops and tablets have been included, the traffic
pattern has changed: now a client can request data from anywhere and from any device. Usage of
private, public and hybrid clouds is increasing day by day.
THE “CONSUMERIZATION OF IT”
Users have changed how they access the corporate network, and one user now carries multiple devices
for doing so. IT is under pressure to accommodate these personal devices in a fine-grained manner
while protecting corporate data and intellectual property and meeting compliance mandates.
ACCELERATION OF CLOUD
Enterprises are embracing public and private cloud services, and these services are growing as a
result. IT must plan for cloud services in an environment of increased security, compliance and
auditing requirements, along with business reorganizations, consolidations and mergers that can
change assumptions overnight.
MORE BANDWIDTH FOR “BIG DATA”
As users and devices multiply, data grows tremendously as well, and fast, parallel processing is
needed to deal with “Big Data”. The rise of massive data sets is one reason to add network capacity
in data centres, with fast and dynamic control of that capacity.
OPEN ISSUES
Enabling a network controlled by software requires identifying the open challenges and the steps that
need to be taken to develop and introduce solutions for dynamic, software-based network management
[3].
Consistency
There is a consistency problem between the logical representation of the network resources at the
control plane and the physical resources in the data plane, and keeping them consistent hampers the
responsiveness of the network.
A consistent network model at the control plane requires well-defined synchronization procedures to
be executed frequently in order to update the logical model with information from the data plane.
This leads to more resource consumption at the SDN controller (SDNC) and delays on the control
channel, which decreases overall responsiveness at the control plane.
Optimization may improve responsiveness, but it may introduce uncoordinated behaviour that, in a
large network, leads to unreliable systems with routing loops and black holes. Improving consistency
in SDN is a hot research topic.
Synchronization & Concurrency
To achieve high scalability, flexibility and availability, redundancy is needed in the control plane:
in many topologies a single controller location is good for responsiveness but not for fault-tolerance
requirements. Some research has shown the value of redundant and distributed control logic, but this
introduces new problems such as synchronization and concurrency issues. Fully programmed, complex
network control logic can nevertheless give high reliability and availability with numerous concurrent
processes: Ericsson's AXE 810 telephone exchange, developed over 40 years, implements its control
logic as a standalone node, is now used as the central switch in many core-network implementations of
Next Generation Networks, and is a reliable, robust and easily scaled solution. However, most such
solutions are not yet implemented, and they will be required in the next phase of network evolution,
5G networks.
Synchronization and concurrency are therefore big issues. As communication is a central element of
these networks, and the aim is to "softwarize" network engineering, we may need to control the
harmonious execution of numerous industry-specific, hardware-related policies and numerous interacting
industry standards. This is actually one of the biggest concerns of further network evolution.
Security & Management
A centralized, programmatically controlled network that grows day by day is tedious to manage. On the
other hand, making the network resources accessible through APIs or software programs makes security
another big issue. For that, PKI, cryptography, authentication algorithms, cyber-security controls,
access control, network isolation and monitoring all need to become part of the software technology,
and are under investigation.
Effective Memory Management & Space Issues
As the network grows, its resources and the data describing those resources grow too; storing this
data effectively and performing database operations on such large volumes requires attention. One
approach is the use of hierarchical abstraction.
Limited Protocols
The OpenFlow and NETCONF protocols have limited expressiveness and are not flexible enough to follow
changes in network configuration. The protocols need to evolve.
Useful software technology should be developed that is useful not only in a conceptual manner but to
the humans who operate the network.
INFORMATION SECURITY OF SDN
The SDN community has identified and resolved many security issues in the SDN design, but additional
issues are still arising due to the centralized architecture of SDN [5].
Confidentiality
Confidentiality prevents disclosure of information to unauthorized or unintended entities. Two common
methods are used for this: encryption and access control.
Encrypting the communication channel between the data plane and the controller ensures that if an
intruder captures the data it is of no use, because the intruder cannot decrypt it and it is not in
plaintext. The OpenFlow specification allows an encrypted channel to be established with Transport
Layer Security (TLS). Note that TLS is optional in the specification, and controllers and switches
commonly default to a plaintext TCP channel, so it has to be enabled explicitly on both ends. Only
authenticated users should be allowed access to the data structures; this access control is enforced
through the management interfaces of the network devices and the controller, and can be done by the
operating system.
The impact of confidentiality is neutral between SDN and conventional networks, because several
techniques to encrypt network communication channels and apply access control have already been
developed and can be adapted to both architectures.
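The following is an added example, not code from the paper: it shows, for a Python-based controller, the TLS policy a practitioner would set on the OpenFlow listener (mutual authentication, TLS 1.2 or later) and a small parser for Open vSwitch controller targets that flags bridges still configured for plaintext `tcp:` or `ptcp:`. The certificate paths, the port constant and the sample target list are assumptions for illustration.

```python
"""Added example: configuring the controller side of the OpenFlow channel for TLS.

Not code from the paper; file paths, key material and the sample target
list are assumptions.  Standard library only.
"""
import ssl

OPENFLOW_PORT = 6653  # IANA port for OpenFlow; 6633 is the older default


def build_controller_tls_context(cafile=None, certfile=None, keyfile=None):
    """SSLContext for a controller accepting switch connections over TLS.

    Mutual TLS: the switch must present a certificate chaining to `cafile`
    (CERT_REQUIRED), and protocol versions below TLS 1.2 are refused.
    When no paths are given the policy is set but no key material is loaded.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # default for a server context is CERT_NONE
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def parse_ovs_target(target):
    """Split an Open vSwitch controller target into (scheme, host, port).

    Syntax follows ovs-vsctl set-controller: tcp:IP[:PORT] and ssl:IP[:PORT]
    are active connections, ptcp:[PORT][:IP] and pssl:[PORT][:IP] are passive
    listeners, unix:FILE is a local socket.
    """
    scheme, _, rest = target.partition(":")
    if scheme in ("tcp", "ssl"):
        host, _, port = rest.rpartition(":")
        if not host:  # no explicit port given
            host, port = rest, str(OPENFLOW_PORT)
        return scheme, host, int(port)
    if scheme in ("ptcp", "pssl"):
        port, _, host = rest.partition(":")
        return scheme, host or "0.0.0.0", int(port) if port else OPENFLOW_PORT
    if scheme == "unix":
        return scheme, rest, None
    raise ValueError(f"unknown controller target scheme: {scheme!r}")


def plaintext_targets(targets):
    """Targets on which OpenFlow would run without TLS (tcp or ptcp)."""
    return [t for t in targets if parse_ovs_target(t)[0] in ("tcp", "ptcp")]


# Constructed sample: what `ovs-vsctl get-controller` might list for three bridges.
SAMPLE_TARGETS = ["tcp:10.0.0.1:6633", "ssl:10.0.0.2", "pssl:6653"]

if __name__ == "__main__":
    ctx = build_controller_tls_context()
    print("policy:", ctx.minimum_version.name, ctx.verify_mode.name)
    print("plaintext targets:", plaintext_targets(SAMPLE_TARGETS))
```

In a deployment the same check would be run against the switch side as well (`ovs-vsctl set-ssl` supplies the switch's key, certificate and CA certificate), since a TLS-only listener on the controller does nothing for a bridge whose controller target still says `tcp:`.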
Authenticity
Authenticity means that entities are actually the ones they claim to be. The most commonly used
cryptographic method to ensure authenticity is a signature.
The network devices and the controller have to exchange keys (either secret keys for generating and
validating a MAC, or public keys for asymmetric signatures). To ensure trust between the applications
and the controller, one proposal is an autonomic trust management system that prevents malicious
applications from binding themselves to the controller to perform malicious actions. Authenticity of
network devices is evaluated as neutral for SDN as well as conventional networks, because techniques
for mutual authentication are already deployed. Authenticity of the centralized controller and of the
applications is evaluated as critical in SDN networks, because a malicious controller or application
could compromise the behaviour of the whole network; since conventional networks have no controller
or applications, it is evaluated as uncritical there.
Integrity
Information whose integrity has been maintained is information that is unmodified throughout its life
cycle. In SDN networks, primarily the integrity of flow rules and of the messages transferred between
the layers has to be ensured. Integrity of messages can be implemented with, for example, a message
authentication code (MAC). Integrity of flow/forwarding rules is evaluated as critical in SDN networks
as well as in conventional networks, because modified rules could lead to undesirable effects.
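As an added example for the Authenticity and Integrity points above (not the paper's code, and not a mechanism of the OpenFlow protocol itself, which relies on TLS for this), the block below attaches an HMAC-SHA256 tag to a controller-to-switch message using a shared secret such as the key the text says the two sides exchange, and shows that a one-byte change by an on-path attacker, or a wrong key, makes verification fail. The simplified flow_mod body layout and the key are constructed for illustration.

```python
"""Added example: a MAC over a controller-to-switch message.

Not OpenFlow's own mechanism (the protocol relies on TLS for this); the
message body layout and the shared key are constructed for illustration.
"""
import hashlib
import hmac
import struct

OFP_VERSION_1_3 = 0x04
OFPT_FLOW_MOD = 14                       # OpenFlow 1.3 message type for flow_mod
OFP_HEADER = struct.Struct("!BBHI")      # version, type, length, xid
TAG_LEN = hashlib.sha256().digest_size   # 32-byte HMAC-SHA256 tag

# Constructed shared secret standing in for the key the controller and switch
# exchange; a real deployment provisions it out of band and never hardcodes it.
SHARED_KEY = b"constructed-example-key-do-not-reuse"

# Simplified flow_mod body for the example: priority, output port, drop flag.
BODY = struct.Struct("!HIB")


def build_flow_mod(xid, priority, out_port, drop=False):
    """Return header + simplified body; the header length covers both."""
    body = BODY.pack(priority, out_port, 1 if drop else 0)
    header = OFP_HEADER.pack(OFP_VERSION_1_3, OFPT_FLOW_MOD,
                             OFP_HEADER.size + len(body), xid)
    return header + body


def parse_flow_mod(msg):
    """Decode header and simplified body into a dict."""
    version, msg_type, length, xid = OFP_HEADER.unpack_from(msg)
    priority, out_port, drop = BODY.unpack_from(msg, OFP_HEADER.size)
    return {"version": version, "type": msg_type, "length": length, "xid": xid,
            "priority": priority, "out_port": out_port, "drop": bool(drop)}


def sign_message(key, msg):
    """Append HMAC-SHA256(key, msg) so the receiver can check origin and integrity."""
    return msg + hmac.new(key, msg, hashlib.sha256).digest()


def verify_message(key, blob):
    """Return the bare message if the tag and header length check out, else None."""
    if len(blob) < OFP_HEADER.size + TAG_LEN:
        return None
    msg, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):    # constant-time comparison
        return None
    if OFP_HEADER.unpack_from(msg)[2] != len(msg):  # declared length must match
        return None
    return msg


def flip_byte(blob, offset):
    """Simulate an on-path modification of a single byte."""
    mutated = bytearray(blob)
    mutated[offset] ^= 0x01
    return bytes(mutated)


if __name__ == "__main__":
    msg = build_flow_mod(xid=7, priority=100, out_port=3)
    signed = sign_message(SHARED_KEY, msg)
    print("genuine :", parse_flow_mod(verify_message(SHARED_KEY, signed)))
    # Flip the drop flag (last body byte): a forward rule would become a drop rule.
    print("tampered:", verify_message(SHARED_KEY, flip_byte(signed, len(msg) - 1)))
```

The tag gives origin and integrity for a single message; it does not by itself stop replay of an old, validly tagged flow_mod, which is why the transaction id (xid) or a counter should also be tracked by the receiver.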
Availability
Availability means that data, devices and services can be accessed whenever they are needed. The
obvious bottleneck in an OpenFlow network is the controller. If the controller is unavailable due to
misconfiguration, a technical error or an attack (e.g. a denial-of-service (DoS) attack), the network
devices can only enforce the rules already installed. If an SDN switch is down due to a technical
error or a DoS attack, the controller can dynamically reprogram the network paths. Possible mitigations
for a DoS attack are rate limiting, reducing the timeout of flow-table entries, or dropping the
attack's packets; another line of work looks at the placement and number of controllers to achieve
redundancy.
Availability of network devices is evaluated as neutral, because paths can easily be changed in SDN as
well as in conventional networks. The unavailability of the controller in an SDN network, however, is
evaluated as critical; since a conventional network has no controller, this issue is uncritical there.
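The rate-limiting mitigation can be illustrated with a token bucket on the controller. A switch whose table-miss entry sends unmatched packets to the controller lets an attacker turn a stream of packets with varying headers into a flood of packet-in messages; the added example below (not the paper's code; the parameters and the event stream are constructed) limits packet-ins per switch port and pushes a short-lived drop entry for a port that exceeds the limit, so the switch itself sheds the flood until the entry's hard timeout expires.

```python
"""Added example: throttling packet-in messages per switch port at the controller.

Not the paper's code; the token-bucket parameters and the sample event
stream are constructed for illustration.
"""


class PacketInLimiter:
    """Token bucket per (datapath id, ingress port).

    Each packet-in consumes one token; tokens refill at `rate` per second
    up to `burst`.  Timestamps are passed in explicitly so that behaviour
    is deterministic and testable.
    """

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self._tokens = {}
        self._last = {}

    def allow(self, dpid, in_port, now):
        key = (dpid, in_port)
        tokens = self._tokens.get(key, self.burst)
        last = self._last.get(key, now)
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        self._last[key] = now
        if tokens >= 1:
            self._tokens[key] = tokens - 1
            return True
        self._tokens[key] = tokens
        return False


def drop_rule_for_port(dpid, in_port, hard_timeout=10):
    """Flow entry that silences the flooding port at the switch for a short time.

    An empty action list means drop.  The hard timeout removes the entry on
    its own, so a port that stops flooding recovers without controller work.
    """
    return {"dpid": dpid, "priority": 1000, "match": {"in_port": in_port},
            "actions": [], "hard_timeout": hard_timeout}


def process_packet_ins(events, limiter):
    """Run the limiter over (time, dpid, in_port, src_mac) packet-in events.

    Returns how many events reached the control logic, how many were dropped,
    and the drop rules pushed (one per throttled port).
    """
    forwarded = dropped = 0
    pushed = []
    throttled = set()
    for now, dpid, in_port, _src_mac in sorted(events):
        if limiter.allow(dpid, in_port, now):
            forwarded += 1
            continue
        dropped += 1
        if (dpid, in_port) not in throttled:
            throttled.add((dpid, in_port))
            pushed.append(drop_rule_for_port(dpid, in_port))
    return {"forwarded": forwarded, "dropped": dropped, "flow_mods": pushed}


# Constructed sample: two ordinary packet-ins on port 1, and 50 packet-ins with
# varying source MACs on port 2 within 50 ms (a table-miss flood).
SAMPLE_EVENTS = [(0.0, 1, 1, "aa:bb:cc:00:00:01"), (0.5, 1, 1, "aa:bb:cc:00:00:02")]
SAMPLE_EVENTS += [(0.001 * i, 1, 2, f"02:00:00:00:00:{i:02x}") for i in range(50)]

if __name__ == "__main__":
    print(process_packet_ins(SAMPLE_EVENTS, PacketInLimiter(rate=10, burst=5)))
```

With a rate of 10 packet-ins per second and a burst of 5, the two legitimate events on port 1 pass, port 2 gets its first five events through and the remaining 45 are dropped, and exactly one drop entry is pushed for port 2. Keying the bucket on the ingress port rather than on the source address is deliberate: a flood with spoofed sources would otherwise open a fresh bucket per packet.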
Consistency
If different applications are used to define flow rules, the flow rules may not be self-consistent.
Hence a mediator between the applications and the controller is needed to deal with conflicting
rules. One implementation that detects and mediates rule conflicts is FortNOX. The impact of
conflicting rules is evaluated as critical for conventional as well as SDN networks, because it could
lead to unpredictable network behaviour in both architectures.
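An added example (not FortNOX's code, but a simplified check in its spirit): given the rules already in the controller's table, it flags a candidate rule that would forward traffic a security rule drops, including when the candidate reaches that traffic only by rewriting a header field before forwarding, and it accepts or rejects the candidate by comparing the authority of the two rule authors. The role ordering and the sample rules are assumptions.

```python
"""Added example: detecting and mediating conflicting flow rules before they
reach the controller's flow table.

Not FortNOX itself; a simplified check in its spirit (overlapping matches,
set-field rewriting, role-based decision), with constructed rules.
"""

FIELDS = ("in_port", "nw_src", "nw_dst", "tp_dst")
ROLE_RANK = {"operator": 3, "security": 2, "app": 1}  # assumed authority ordering


def overlaps(m1, m2):
    """Two matches overlap unless some field is set to different values in both."""
    return all(m1.get(f) is None or m2.get(f) is None or m1[f] == m2[f]
               for f in FIELDS)


def alias_matches(rule):
    """The rule's match plus the match as it looks after each set-field action.

    A rule that rewrites nw_dst before forwarding can reach a host that a drop
    rule on the original nw_dst was meant to protect, so every view is checked.
    """
    views = [dict(rule["match"])]
    current = dict(rule["match"])
    for action in rule["actions"]:
        if action[0] == "set":
            current = dict(current)
            current[action[1]] = action[2]
            views.append(current)
    return views


def is_drop(rule):
    return not rule["actions"]  # OpenFlow: an empty action list drops the packet


def find_conflicts(candidate, installed):
    """Installed drop rules that the forwarding candidate would let traffic bypass.

    A bypass needs an overlapping match (directly or after rewriting) and a
    candidate priority at least as high as the drop rule's.
    """
    if is_drop(candidate):
        return []
    conflicts = []
    for rule in installed:
        if not is_drop(rule) or candidate["priority"] < rule["priority"]:
            continue
        if any(overlaps(view, rule["match"]) for view in alias_matches(candidate)):
            conflicts.append(rule)
    return conflicts


def mediate(candidate, installed):
    """Install the candidate only if its author outranks every conflicting rule's author."""
    conflicts = find_conflicts(candidate, installed)
    if any(ROLE_RANK[candidate["role"]] <= ROLE_RANK[r["role"]] for r in conflicts):
        return "rejected", conflicts
    installed.append(candidate)
    return "accepted", conflicts


# Constructed sample: a security app blocks SSH to 10.0.0.5; three apps then
# try to add rules, one of them reaching the blocked host only via a rewrite.
INSTALLED = [{"role": "security", "priority": 100,
              "match": {"nw_dst": "10.0.0.5", "tp_dst": 22}, "actions": []}]
EVADE = {"role": "app", "priority": 200, "match": {"nw_src": "10.0.0.9"},
         "actions": [("output", 3)]}
REWRITE = {"role": "app", "priority": 200, "match": {"nw_dst": "10.0.0.7", "tp_dst": 22},
           "actions": [("set", "nw_dst", "10.0.0.5"), ("output", 3)]}
BENIGN = {"role": "app", "priority": 200, "match": {"nw_dst": "10.0.0.7", "tp_dst": 80},
          "actions": [("output", 3)]}
OPERATOR = {"role": "operator", "priority": 300,
            "match": {"nw_src": "10.0.0.1", "nw_dst": "10.0.0.5", "tp_dst": 22},
            "actions": [("output", 1)]}

if __name__ == "__main__":
    table = list(INSTALLED)
    for name, rule in [("EVADE", EVADE), ("REWRITE", REWRITE),
                       ("BENIGN", BENIGN), ("OPERATOR", OPERATOR)]:
        print(name, mediate(rule, table)[0])
```

The broad `EVADE` rule and the rewriting `REWRITE` rule are rejected because they come from a plain application and would contradict the security app's drop rule; `BENIGN` does not overlap it and is installed; the operator's explicit exception is accepted because the operator outranks the security app. A production mediator would also have to re-check the installed table whenever a higher-priority rule is removed or times out.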
CONCLUSION
To ensure that the need for fast and dynamic computer networking is met by something secure enough to
rely upon, all of the security issues listed and highlighted above should be taken care of in SDN.
With these issues addressed preventively, SDN will bring the dynamic and real-time networking
approach to its best form.
ACKNOWLEDGEMENTS
We are thankful to Dr. Zia Saquib, Executive Director, C-DAC Mumbai, and Dr. Padmaja Joshi, Joint
Director, C-DAC Mumbai, for helping us. We are grateful to the Department of Computer Engineering,
MPSTME, NMIMS Mumbai, for giving us the opportunity to study SDN.
REFERENCES
[1] ONF White Paper, Software-Defined Networking: The New Norm for Networks, April 13, 2012.
[2] Ravi Sharma, Study of Latest Emerging Trends on Cyber Security and its Challenges to Society.
International Journal of Scientific & Engineering Research, 3(6), June 2012. ISSN 2229-5518.
[3] T. Galinac Grbac, C. M. Caba, J. Soler, Software Defined Networking Demands on Software
Technologies. MIPRO 2015, 25–29 May 2015, Opatija, Croatia.
[4] Peter R. J. Trim, Yang-Im Lee (2010). A Security Framework for Protecting Business, Government
and Society from Cyber Attacks. 5th International Conference on System of Systems Engineering, IEEE,
2010. DOI 10.1109/SOSE.2010.414.
[5] Lisa Schehlmann, Sebastian Abt, Harald Baier (2014). Blessing or Curse? Revisiting Security
Aspects of Software-Defined Networking. 10th CNSM and Workshop, IFIP. ISBN 978-3-901882-67-8.
[6] Mehiar Dabbagh, Bechir Hamdaoui, Mohsen Guizani, Ammar Rayes (2015). Software-Defined
Networking Security: Pros and Cons. IEEE Communications Magazine, Communications Standards
Supplement.
[7] Adnan Akhunzada, Ejaz Ahmed, Abdullah Gani, Muhammad Khurram Khan, Muhammad Imran, Sghaier
Guizani (2015). Securing Software Defined Networks: Taxonomy, Requirements, and Open Issues. IEEE
Communications Magazine.
[8] Yustus Eko Oktian, SangGon Lee, HoonJae Lee, JunHuy Lam (2015). Secure Your Northbound SDN API.
ICUFN 2015.
[9] Christopher C. Lamb, Gregory L. Heileman (2014). Towards Robust Trust in Software Defined
Networks. Globecom 2014 Workshop: The 6th IEEE International Workshop on Management of Emerging
Networks and Services.
[10] Ruikang Zhou, Zenghui Liu, Yingxu Lai, Jing Liu (2015). Study on Authentication Protocol of
SDN Trusted Domain. IEEE Twelfth International Symposium on Autonomous Decentralized Systems. DOI
10.1109/ISADS.2015.29.
[11] Varun S. Moruse and A. A. Manjrekar, Software Defined Network Based Firewall Technique.
International Journal of Computer Engineering and Technology, 4(2), 2013, pp. 598–606.