OpenFlow Communications and TLS Security in Software-Defined Networks

The adoption of Software-Defined Networking (SDN), a networking approach where data traffic control and execution are made independent of each other, is an ongoing process that some companies are considering as an option but have not embraced yet due to different factors. Incorporating this new paradigm into an existing network defines a shift in networking technology with different benefits expected to derive from this implementation. These benefits include (1) the ability to use customised business specific applications, (2) reduce overhead costs on legacy network infrastructure, taking full control of network, (3) reduce network application update time, increase productivity, and (4) apply increased security among others. However, the security of SDN itself has been a subject of debate. This is mainly because, the communication standard used by SDN, known as OpenFlow, and developed by the Open Network Foundation, does not enforce the implementation of the Transport Layer Security (TLS) but defines it only as optional. This could then make the network infrastructure vulnerable and therefore affect the overall security of a company. Security plays a significant part in an organisation and it is one of the determinants of the success of SDN. OpenFlow security relies on the implementation of TLS, which has been proven vulnerable, and therefore bringing to mind the question on how secure organisation's data is when the implementation of secure data transfer is treated with laxity. This paper focuses on securing OpenFlow communication in SDN by summarising TLS security flaws and recommending ways of improving TLS security thereby securing OpenFlow communication

Keeping Authorities "Honest or Bust" with Decentralized Witness Cosigning

The secret keys of critical network authorities - such as time, name, certificate, and software update services - represent high-value targets for hackers, criminals, and spy agencies wishing to use these keys secretly to compromise other hosts. To protect authorities and their clients proactively from undetected exploits and misuse, we introduce CoSi, a scalable witness cosigning protocol ensuring that every authoritative statement is validated and publicly logged by a diverse group of witnesses before any client will accept it. A statement S collectively signed by W witnesses assures clients that S has been seen, and not immediately found erroneous, by those W observers. Even if S is compromised in a fashion not readily detectable by the witnesses, CoSi still guarantees S's exposure to public scrutiny, forcing secrecy-minded attackers to risk that the compromise will soon be detected by one of the W witnesses. Because clients can verify collective signatures efficiently without communication, CoSi protects clients' privacy, and offers the first transparency mechanism effective against persistent man-in-the-middle attackers who control a victim's Internet access, the authority's secret key, and several witnesses' secret keys. CoSi builds on existing cryptographic multisignature methods, scaling them to support thousands of witnesses via signature aggregation over efficient communication trees. A working prototype demonstrates CoSi in the context of timestamping and logging authorities, enabling groups of over 8,000 distributed witnesses to cosign authoritative statements in under two seconds.Comment: 20 pages, 7 figure

Security for Grid Services

Grid computing is concerned with the sharing and coordinated use of diverse resources in distributed "virtual organizations." The dynamic and multi-institutional nature of these environments introduces challenging security issues that demand new technical approaches. In particular, one must deal with diverse local mechanisms, support dynamic creation of services, and enable dynamic creation of trust domains. We describe how these issues are addressed in two generations of the Globus Toolkit. First, we review the Globus Toolkit version 2 (GT2) approach; then, we describe new approaches developed to support the Globus Toolkit version 3 (GT3) implementation of the Open Grid Services Architecture, an initiative that is recasting Grid concepts within a service oriented framework based on Web services. GT3's security implementation uses Web services security mechanisms for credential exchange and other purposes, and introduces a tight least-privilege model that avoids the need for any privileged network service.Comment: 10 pages; 4 figure