SECURING CENTRALIZED SDN CONTROL WITH DISTRIBUTED BLOCKCHAIN TECHNOLOGY

Software Defined Networks (SDN) advocates segregation of network control logic, forwarding functions and management applications into different planes to achieve network programmability, automated and dynamic flow control in next generation networks. It promotes deployment of novel and augmented network management functions to have flexible, robust, scalable and cost-effective network deployments. All these features introduce new research challenges and require secure communication protocols among the segregated network planes. This manuscript focuses on the security issue of southbound interface which operates between the SDN control and data plane. We have highlighted the security threats associated with an unprotected southbound interface and the issues related with the existing TLS based security solution. A lightweight blockchain based decentralized security solution is proposed for southbound interface to secure the resources of logically centralized SDN controllers and distributed forwarding devices from opponents. The proposed mechanism can operate in multi-domain SDN deployment and can be used with wide range of network controllers and data plane devices. In addition to it, the proposed security solution is analyzed in terms of security features, communication and reauthentication overhead

Security attacks and solutions on SDN control plane: A survey

Sommario Software Defined Networks (SDN) è un modello di rete programmabile aperto promosso da ONF , che è stato un fattore chiave per le recenti tendenze tecnologiche. SDN esplora la separazione dei dati e del piano di controllo . Diversamente dai concetti passati, SDN introduce l’idea di separazione del piano di controllo (decisioni di instradamento e traffico) e piano dati (decisioni di inoltro basate sul piano di controllo) che sfida l’integrazione verticale raggiunta dalle reti tradizionali, in cui dispositivi di rete come router e switch accumulano entrambe le funzioni. SDN presenta alcuni vantaggi come la gestione centralizzata e la possibilità di essere programmato su richiesta. Oltre a questi vantaggi, SDN presenta ancora vulnerabilità di sicurezza e, tra queste,le più letali prendono di mira il piano di controllo. Come i controllers che risiedono sul piano di con- trollo gestiscono l’infrastruttura e i dispositivi di rete sottostanti (es. router/switch), anche qualsiasi insicurezza, minacce, malware o problemi durante lo svolgimento delle attività da parte del controller, possono causare interruzioni dell’intera rete. In particolare, per la sua posizione centralizzata, il con- troller SDN è visto come un punto di fallimento. Di conseguenza, qualsiasi attacco o vulnerabilità che prende di mira il piano di controllo o il controller è considerato fatale al punto da sconvolgere l’intera rete. In questa tesi, le minacce alla sicurezza e gli attacchi mirati al piano di controllo (SDN) sono identificati e classificati in diversi gruppi in base a come causano l’impatto sul piano di controllo. Per ottenere risultati, è stata condotta un’ampia ricerca bibliografica attraverso uno studio appro- fondito degli articoli di ricerca esistenti che discutono di una serie di attacchi e delle relative soluzioni per il piano di controllo SDN. Principalmente, come soluzioni intese a rilevare, mitigare o proteggere il (SDN) sono stati presi in considerazione le potenziali minacce gli attachi al piano di controllo. Sulla base di questo compito, gli articoli selezionati sono stati classificati rispetto al loro impatto potenziale sul piano di controllo (SDN) come diretti e indiretti. Ove applicabile, è stato fornito un confronto tra le soluzioni che affrontano lo stesso attacco. Inoltre, sono stati presentati i vantaggi e gli svantaggi delle soluzioni che affrontano diversi attacchi . Infine, una discussione sui risultati e sui esitti ottenuti durante questo processo di indagine e sono stati affrontatti suggerimenti di lavoro futuri estratti du- rante il processo di revisione. Parole chiave : SDN, Sicurezza, Piano di controllo, Denial of Service, Attacchi alla topologiaAbstract Software Defined Networks (SDN) is an open programmable network model promoted by ONF that has been a key-enabler of recent technology trends. SDN explores the separation of data and control plane. Different from the past concepts, SDN introduces the idea of separation of the control plane (routing and traffic decisions) and data plane (forwarding decisions based on the control plane) that challenges the vertical integration achieved by the traditional networks, in which network devices such as router and switches accumulate both functions. SDN presents some advantages such as centralized management and the ability to be programmed on demand. Apart from these benefits, SDN still presents security vulnerabilities and among them, the most lethal ones are targeting the control plane. As the controllers residing on the control plane manages the underlying networking infrastructure and devices (i.e., routers/switches), any security threat, malware, or issues during the carrying out of activities by the controller can lead to disruption of the entire network. In particular, due to its centralized position, the (SDN) controller is seen as a single point of failure. As a result, any attack or vulnerability targeting the control plane or controller is considered fatal to the point of disrupting the whole network. In this thesis, the security threats and attacks targeting the (SDN) control plane are identified and categorized into different groups by considering how they cause an impact to the control plane. To obtain results, extensive literature research has been carried out by performing an in-depth study of the existing research articles that discusses an array of attacks and their corresponding solutions for the (SDN) control plane. Mainly, the solutions intended to detect, mitigate, or protect the (SDN) control plane against potential threats and attacks have been considered. On basis of this task, the potential articles selected were categorized with respect to their impact to the (SDN) control plane as direct and indirect. Where applicable a comparison of the solutions addressing the same attack has been provided. Moreover, the advantages and disadvantages of the solutions addressing the respective attacks are presented. Finally, a discussion regarding the findings and results obtained during this su- veying process and future work suggestions extracted during the review process have been discussed. Keywords: SDN, Security, Control Plane, Denial of Service, Topology Attacks, Openflo

Enhanced Security of Software-defined Network and Network Slice Through Hybrid Quantum Key Distribution Protocol

Software-defined networking (SDN) has revolutionized the world of technology as networks have become more flexible, dynamic and programmable. The ability to conduct network slicing in 5G networks is one of the most crucial features of SDN implementation. Although network programming provides new security solutions of traditional networks, SDN and network slicing also have security issues, an important one being the weaknesses related to openflow channel between the data plane and controller as the network can be attacked via the openflow channel and exploit communications with the control plane. Our work proposes a solution to provide adequate security for openflow messages through using a hybrid key consisting of classical and quantum key distribution protocols to provide double security depending on the computational complexity and physical properties of quantum. To achieve this goal, the hybrid key used with transport layer security protocol to provide confidentiality, integrity and quantum authentication to secure openflow channel. We experimentally based on the SDN-testbed and network slicing to show the workflow of exchanging quantum and classical keys between the control plane and data plane and our results showed the effectiveness of the hybrid key to enhance the security of the transport layer security protocol. Thereby achieving adequate security for openflow channel against classical and quantum computer attacks

Software-Defined Networking: A Comprehensive Survey

peer reviewedThe Internet has led to the creation of a digital society, where (almost) everything is connected and is accessible from anywhere. However, despite their widespread adoption, traditional IP networks are complex and very hard to manage. It is both difficult to configure the network according to predefined policies, and to reconfigure it to respond to faults, load, and changes. To make matters even more difficult, current networks are also vertically integrated: the control and data planes are bundled together. Software-defined networking (SDN) is an emerging paradigm that promises to change this state of affairs, by breaking vertical integration, separating the network's control logic from the underlying routers and switches, promoting (logical) centralization of network control, and introducing the ability to program the network. The separation of concerns, introduced between the definition of network policies, their implementation in switching hardware, and the forwarding of traffic, is key to the desired flexibility: by breaking the network control problem into tractable pieces, SDN makes it easier to create and introduce new abstractions in networking, simplifying network management and facilitating network evolution. In this paper, we present a comprehensive survey on SDN. We start by introducing the motivation for SDN, explain its main concepts and how it differs from traditional networking, its roots, and the standardization activities regarding this novel paradigm. Next, we present the key building blocks of an SDN infrastructure using a bottom-up, layered approach. We provide an in-depth analysis of the hardware infrastructure, southbound and northbound application programming interfaces (APIs), network virtualization layers, network operating systems (SDN controllers), network programming languages, and network applications. We also look at cross-layer problems such as debugging and troubleshooting. In an effort to anticipate the future evolution of this - ew paradigm, we discuss the main ongoing research efforts and challenges of SDN. In particular, we address the design of switches and control platforms—with a focus on aspects such as resiliency, scalability, performance, security, and dependability—as well as new opportunities for carrier transport networks and cloud providers. Last but not least, we analyze the position of SDN as a key enabler of a software-defined environment

Contributions to Securing Software Updates in IoT

The Internet of Things (IoT) is a large network of connected devices. In IoT, devices can communicate with each other or back-end systems to transfer data or perform assigned tasks. Communication protocols used in IoT depend on target applications but usually require low bandwidth. On the other hand, IoT devices are constrained, having limited resources, including memory, power, and computational resources. Considering these limitations in IoT environments, it is difficult to implement best security practices. Consequently, network attacks can threaten devices or the data they transfer. Thus it is crucial to react quickly to emerging vulnerabilities. These vulnerabilities should be mitigated by firmware updates or other necessary updates securely. Since IoT devices usually connect to the network wirelessly, such updates can be performed Over-The-Air (OTA). This dissertation presents contributions to enable secure OTA software updates in IoT. In order to perform secure updates, vulnerabilities must first be identified and assessed. In this dissertation, first, we present our contribution to designing a maturity model for vulnerability handling. Next, we analyze and compare common communication protocols and security practices regarding energy consumption. Finally, we describe our designed lightweight protocol for OTA updates targeting constrained IoT devices. IoT devices and back-end systems often use incompatible protocols that are unable to interoperate securely. This dissertation also includes our contribution to designing a secure protocol translator for IoT. This translation is performed inside a Trusted Execution Environment (TEE) with TLS interception. This dissertation also contains our contribution to key management and key distribution in IoT networks. In performing secure software updates, the IoT devices can be grouped since the updates target a large number of devices. Thus, prior to deploying updates, a group key needs to be established among group members. In this dissertation, we present our designed secure group key establishment scheme. Symmetric key cryptography can help to save IoT device resources at the cost of increased key management complexity. This trade-off can be improved by integrating IoT networks with cloud computing and Software Defined Networking (SDN).In this dissertation, we use SDN in cloud networks to provision symmetric keys efficiently and securely. These pieces together help software developers and maintainers identify vulnerabilities, provision secret keys, and perform lightweight secure OTA updates. Furthermore, they help devices and systems with incompatible protocols to be able to interoperate

Design and Analysis of Anomaly Detection and Mitigation Schemes for Distributed Denial of Service Attacks in Software Defined Network. An Investigation into the Security Vulnerabilities of Software Defined Network and the Design of Efficient Detection and Mitigation Techniques for DDoS Attack using Machine Learning Techniques

Software Defined Networks (SDN) has created great potential and hope to overcome the need for secure, reliable and well managed next generation networks to drive effective service delivery on the go and meet the demand for high data rate and seamless connectivity expected by users. Thus, it is a network technology that is set to enhance our day-to-day activities. As network usage and reliance on computer technology are increasing and popular, users with bad intentions exploit the inherent weakness of this technology to render targeted services unavailable to legitimate users. Among the security weaknesses of SDN is Distributed Denial of Service (DDoS) attacks. Even though DDoS attack strategy is known, the number of successful DDoS attacks launched has seen an increment at an alarming rate over the last decade. Existing detection mechanisms depend on signatures of known attacks which has not been successful in detecting unknown or different shades of DDoS attacks. Therefore, a novel detection mechanism that relies on deviation from confidence interval obtained from the normal distribution of throughput polled without attack from the server. Furthermore, sensitivity analysis to determine which of the network metrics (jitter, throughput and response time) is more sensitive to attack by introducing white Gaussian noise and evaluating the local sensitivity using feed-forward artificial neural network is evaluated. All metrics are sensitive in detecting DDoS attacks. However, jitter appears to be the most sensitive to attack. As a result, the developed framework provides an avenue to make the SDN technology more robust and secure to DDoS attacks

Design and Analysis of Anomaly Detection and Mitigation Schemes for Distributed Denial of Service Attacks in Software Defined Network. An Investigation into the Security Vulnerabilities of Software Defined Network and the Design of Efficient Detection and Mitigation Techniques for DDoS Attack using Machine Learning Techniques

Software Defined Networks (SDN) has created great potential and hope to overcome the need for secure, reliable and well managed next generation networks to drive effective service delivery on the go and meet the demand for high data rate and seamless connectivity expected by users. Thus, it is a network technology that is set to enhance our day-to-day activities. As network usage and reliance on computer technology are increasing and popular, users with bad intentions exploit the inherent weakness of this technology to render targeted services unavailable to legitimate users. Among the security weaknesses of SDN is Distributed Denial of Service (DDoS) attacks. Even though DDoS attack strategy is known, the number of successful DDoS attacks launched has seen an increment at an alarming rate over the last decade. Existing detection mechanisms depend on signatures of known attacks which has not been successful in detecting unknown or different shades of DDoS attacks. Therefore, a novel detection mechanism that relies on deviation from confidence interval obtained from the normal distribution of throughput polled without attack from the server. Furthermore, sensitivity analysis to determine which of the network metrics (jitter, throughput and response time) is more sensitive to attack by introducing white Gaussian noise and evaluating the local sensitivity using feed-forward artificial neural network is evaluated. All metrics are sensitive in detecting DDoS attacks. However, jitter appears to be the most sensitive to attack. As a result, the developed framework provides an avenue to make the SDN technology more robust and secure to DDoS attacks

Utilizing Advanced Network Context to Optimize Software-Defined Networks

Legacy network systems and protocols are mostly static and keep state information in silo-style storage, thus making state migration, transformation and re-use difficult. Software-Defined Network (SDN) approaches in unison with Network Function Virtualization (NFV) allow for more flexibility, yet they are currently restricted to a limited set of state migration options. Additionally, existing systems and protocols are mostly tailored to meet the requirements of specific application scenarios. As a result, the protocols cannot easily be adapted to novel application demands, organically growing networks, etc. Impeding the sharing of networking and system state, along with lacking support for dynamic transitions between systems and protocols, severely limits the ability to optimally manage resources and dynamically adapt to a desirable overall configuration. These limitations not only affect the network performance but also hinder the deployment of new and innovative protocols as a hard break is usually not feasible and thus full support for legacy systems is required. On the one hand, we propose a generalized way to collect, store, transform, and share context between systems and protocols in both the legacy Internet as well as NFV/SDN-driven networks. This allows us to share state information between multiple systems and protocols from NFs over BGP routers to protocols on all layers of the network stack. On the other hand, we introduce an architecture for designing modular protocols that are built with transition in mind. We argue that the modular design of systems and protocols can remove the key limitations of today’s monolithic protocols and allow for a more dynamic network management. First, we design and implement a Storage and Transformation Engine for Advanced Net- working context (STEAN) which constitutes a shared context storage, making network state information available to other systems and protocols. Its pivotal feature is the ability to allow for state transformation as well as for persisting state to enable future re-use. Second, we provide a Blueprint for Switching Between Mechanisms that serves as a framework and guideline for developers to standardize and ease the process of designing and implementing systems and protocols that support transitions as a first order principle. By means of experimentation, we show that our architecture covers a diverse set of challenging use cases in legacy systems—such as Wireless Multihop Networks (WMNs)—as well as in NFV/SDN-enabled systems. In particular, we demonstrate the feasibility of our approach by migrating state information between two instances of the PRADS NF in a virtualized Mininet environment, and show that our solution outperforms state of the art frameworks that are specifically built for NF migration. We further demonstrate that a dynamic switch between WMN routing protocols is possible at runtime and that the state information can be reutilized for bootstrapping novel protocol modules, thus minimizing the control overhead