Outsmarting Network Security with SDN Teleportation

Software-defined networking is considered a promising new paradigm, enabling more reliable and formally verifiable communication networks. However, this paper shows that the separation of the control plane from the data plane, which lies at the heart of Software-Defined Networks (SDNs), introduces a new vulnerability which we call \emph{teleportation}. An attacker (e.g., a malicious switch in the data plane or a host connected to the network) can use teleportation to transmit information via the control plane and bypass critical network functions in the data plane (e.g., a firewall), and to violate security policies as well as logical and even physical separations. This paper characterizes the design space for teleportation attacks theoretically, and then identifies four different teleportation techniques. We demonstrate and discuss how these techniques can be exploited for different attacks (e.g., exfiltrating confidential data at high rates), and also initiate the discussion of possible countermeasures. Generally, and given today's trend toward more intent-based networking, we believe that our findings are relevant beyond the use cases considered in this paper.Comment: Accepted in EuroSP'1

Software defined networking: meeting carrier grade requirements

Software Defined Networking is a networking paradigm which allows network operators to manage networking elements using software running on an external server. This is accomplished by a split in the architecture between the forwarding element and the control element. Two technologies which allow this split for packet networks are ForCES and Openflow. We present energy efficiency and resilience aspects of carrier grade networks which can be met by Openflow. We implement flow restoration and run extensive experiments in an emulated carrier grade network. We show that Openflow can restore traffic quite fast, but its dependency on a centralized controller means that it will be hard to achieve 50 ms restoration in large networks serving many flows. In order to achieve 50 ms recovery, protection will be required in carrier grade networks

LTE Spectrum Sharing Research Testbed: Integrated Hardware, Software, Network and Data

This paper presents Virginia Tech's wireless testbed supporting research on long-term evolution (LTE) signaling and radio frequency (RF) spectrum coexistence. LTE is continuously refined and new features released. As the communications contexts for LTE expand, new research problems arise and include operation in harsh RF signaling environments and coexistence with other radios. Our testbed provides an integrated research tool for investigating these and other research problems; it allows analyzing the severity of the problem, designing and rapidly prototyping solutions, and assessing them with standard-compliant equipment and test procedures. The modular testbed integrates general-purpose software-defined radio hardware, LTE-specific test equipment, RF components, free open-source and commercial LTE software, a configurable RF network and recorded radar waveform samples. It supports RF channel emulated and over-the-air radiated modes. The testbed can be remotely accessed and configured. An RF switching network allows for designing many different experiments that can involve a variety of real and virtual radios with support for multiple-input multiple-output (MIMO) antenna operation. We present the testbed, the research it has enabled and some valuable lessons that we learned and that may help designing, developing, and operating future wireless testbeds.Comment: In Proceeding of the 10th ACM International Workshop on Wireless Network Testbeds, Experimental Evaluation & Characterization (WiNTECH), Snowbird, Utah, October 201

A versatile telemetric system based on mixed Internet and wireless transmission

A novel telemetric technique for carrying data from distant field stations to a central point, upgrading an existing high cost network, is presented. This new technique can be applied for educational purposes since it enables students to overview the installation, operation and maintenance of a high tech complex network, spread in distances of the order of several hundreds of kilometres. The proposed technique followed by the appropriate visual aids can help students to understand better long distance data transmission

Toward Network-based DDoS Detection in Software-defined Networks

To combat susceptibility of modern computing systems to cyberattack, identifying and disrupting malicious traffic without human intervention is essential. To accomplish this, three main tasks for an effective intrusion detection system have been identified: monitor network traffic, categorize and identify anomalous behavior in near real time, and take appropriate action against the identified threat. This system leverages distributed SDN architecture and the principles of Artificial Immune Systems and Self-Organizing Maps to build a network-based intrusion detection system capable of detecting and terminating DDoS attacks in progress