Thursday, December 5, 2019
Software Defined Network Organize and Maintain Services
Question: Discuss the Software Defined Network for organizing and maintaining services.

Answer:

Introduction

Software defined networking, abbreviated SDN, is a computer networking approach that allows network administrators to monitor, organize and maintain the services offered by the network infrastructure [1]. It centralizes the computing components that control the properties of the network. Conventional networks differ from software defined networks in that their control logic is not separated from the physical routers and switches, as it is in SDN. This separation matters because it allows network administrators to write high-level control programs that specify the attributes of the whole network. This is done through network abstraction, whereby administrators strip the additional properties from the network and keep only the essential ones [2].

Literature Review

This paper reviews work done by fellow researchers on software defined networking so as to gain a deep understanding of what has been done, what has not been done and what needs to be done [3]. New approaches and a thorough analysis will reveal the successes and shortcomings of software defined networking.

An American author named Diego, together with his colleagues Fernando and Ramos, proposes a software defined environment to assist software defined networking [4]. They argue that the software defined network is the basis of the advanced networking that is taking the world by storm and will eventually change the industry for good. They note a number of ways in which SDN differs from existing or traditional networks.
Software defined networking is considered the interface between the control plane and the data plane: it receives high speed network traffic from the data plane and defines how it will be passed to the control plane [2]. It is the link between the data plane and the control plane, where administrators can build abstractions for network devices that hide the details of the network [1]. The control logic is centralized by the software defined network to give it a universal view of the network resources and of the specifications needed to build and optimize global policy effectively [5].

Figure 1: SDN functionality planes

Software defined networking has gradually improved the state of network innovation by increasing network scalability and flexibility of performance [6]. Ease of network management is critical as it helps cut maintenance costs; most network administrators argue that the cost is likely to be high at the initial set-up stage but goes down in the long run. The most notable figure in software defined networking is the IBM SDN environment, which possesses the main characteristics of SDN. These features of the IBM SDN environment include reduced maintenance costs, scalability, improved and manageable performance and assured security [7]. However, these authors fail to address how SDN uses network resources better and more efficiently. They have noticed the gap and explain that in the near future it will be addressed by the use of tight tracking control loops that are able to do adaptive and clever network engineering, together with cementing of network traffic, as well as offering services of higher quality.
The IBM software defined network virtualized environment (SDN-VE) has the ability to rapidly instantiate virtualized networks and interoperates with the OpenStack Neutron plugin, which provides an API for virtual networking. The Neutron OpenStack plugin is made up of network applications such as middlebox and virtual machine placement, which improve awareness of the network. This is a promising feature of SDN-VE, which is expected after a few years to become the platform on which IBM solves future problems. Though SDN-VE is a promising platform, it comes with a number of challenges. Fernando and his fellow authors question how to make the design and implementation of abstract network models easy to understand and how to express policy easily. Another challenge they face is building frameworks that let SDN controllers be extended by third parties without conflicts, and last but not least, how to offer self-management and self-tuning of networks through intelligent use of resources.

Two other authors, Michael and Wolfgang, in their publication [8] propose SDN using applications, OpenFlow protocols and architectural design choices. The SDN southbound interface is implemented by the OpenFlow protocol. OpenFlow separates the data plane from the control plane by offering a configurable forwarding plane, hence it is considered the predominant southbound protocol. The OpenFlow architecture is composed of three main concepts, namely OpenFlow switches in the data plane, OpenFlow controllers in the control plane, and a secure control channel that links the control plane to the switches.

Figure 1: A 3-layered architecture showing OpenFlow switches in the data plane and OpenFlow controllers in the control plane

All OpenFlow compliant switches are basic forwarding devices whose main function is to forward packets according to a flow table, which holds a set of entries made up of match fields, counters and instructions. These entries are referred to as flow rules, which in turn are made up of flow entries.
Figure 2: OpenFlow switch flow table

An OpenFlow compliant switch is a basic forwarding device whose primary function is to forward packets according to the flow table. The flow table has a set of entries composed of match fields, counters and instructions, as shown above. These fields are called flow rules and flow entries. The header fields in figure 2 above comprise wildcards that match specified fields of the packets.

Security Issues in SDN

Three main features of SDN are inherent control, programmatic properties and predetermined network implementation [9]. Operating, maintaining and securing a communication network is considered a challenge, as network administrators have to deal with low-level, vendor-preset configurations so that the high-level policies of the network can be implemented. Despite efforts to make SDN networks easier to manage, attacks on the SDN layers remain a threat to be solved. The rigid nature of the underlying infrastructure is difficult to change; however, it offers a platform for innovation and improvement. The infrastructure is vertically integrated, closed and proprietary [10].

Figure 4: SDN architecture showing the layers that can be targeted by attacks

This is the most common architecture, even with the new technologies. It is expected that as the technology matures it will become a focus for attackers to channel their efforts at [6]. The most common security issues usually occur at the layers outlined above. This infrastructure carries some weaknesses which can easily be exploited by malicious users launching attacks on each layer of the OpenFlow protocol. The SDN attack vectors that can be exploited by malicious people are discussed below.

Attack Vectors

From figure 4 above we can clearly see three layers which offer a platform for possible attacks.
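To make the flow table description above concrete, here is an added example (not code from the paper, nor from any real switch or controller) that models an OpenFlow-style table in Python: each entry has match fields where absent fields act as wildcards, counters that are updated on every hit, and an instruction; packets are matched in priority order, and a lowest-priority all-wildcard entry serves as the table-miss rule. The instruction vocabulary ("output:<port>", "drop", "controller"), the field names and the sample packets are constructed for the illustration.

```python
"""Added illustration of an OpenFlow-style flow table (example code, not the
paper's or any vendor's). Entries carry match fields (missing keys are
wildcards), counters and an instruction; lookup is by descending priority."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class FlowEntry:
    match: Dict[str, object]      # header fields to match; missing keys are wildcards
    instruction: str              # constructed vocabulary: "output:<port>", "drop", "controller"
    priority: int = 0             # higher priority entries are checked first
    packets: int = 0              # counters updated on every hit
    byte_count: int = 0

    def matches(self, pkt: Dict[str, object]) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())


class FlowTable:
    def __init__(self) -> None:
        self.entries: List[FlowEntry] = []

    def add(self, entry: FlowEntry) -> None:
        self.entries.append(entry)
        # keep the table ordered so lookup can stop at the first hit
        self.entries.sort(key=lambda e: e.priority, reverse=True)

    def lookup(self, pkt: Dict[str, object], size: int = 64) -> str:
        for e in self.entries:
            if e.matches(pkt):
                e.packets += 1
                e.byte_count += size
                return e.instruction
        # OpenFlow 1.0 behaviour when nothing matches: punt to the controller
        return "controller"


def build_example_table() -> FlowTable:
    """Constructed sample table: block one host, steer web traffic, punt the rest."""
    t = FlowTable()
    t.add(FlowEntry({"ip_src": "10.0.0.5"}, "drop", priority=200))
    t.add(FlowEntry({"ip_dst": "10.0.0.10", "ip_proto": 6, "tp_dst": 80}, "output:2", priority=100))
    t.add(FlowEntry({}, "controller", priority=0))   # table-miss: every field wildcarded
    return t


def forward(table: FlowTable, packets: List[Dict[str, object]]) -> List[str]:
    """Run a list of packets through the table and return the decision for each."""
    return [table.lookup(p) for p in packets]


def counters(table: FlowTable) -> List[tuple]:
    """(priority, instruction, packets) per entry, as a switch would report them."""
    return [(e.priority, e.instruction, e.packets) for e in table.entries]


SAMPLE_PACKETS = [   # constructed packets
    {"ip_src": "10.0.0.5", "ip_dst": "10.0.0.10", "ip_proto": 6, "tp_dst": 80},   # blocked host
    {"ip_src": "10.0.0.7", "ip_dst": "10.0.0.10", "ip_proto": 6, "tp_dst": 80},   # web traffic
    {"ip_src": "10.0.0.7", "ip_dst": "10.0.0.11", "ip_proto": 17, "tp_dst": 53},  # no specific rule
]

if __name__ == "__main__":
    tbl = build_example_table()
    print(forward(tbl, SAMPLE_PACKETS))   # ['drop', 'output:2', 'controller']
    print(counters(tbl))
```

The first packet hits the priority-200 drop rule even though it would also match the web-traffic rule, which is exactly why priority ordering matters when auditing a table: a higher-priority entry silently decides for every lower one it overlaps.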
The layers are the SDN data plane layer, which has the SDN-capable network devices; the SDN controllers, which form the middle layer; and the applications and services layer, which supplies configurations to the SDN.

SDN Layer Attacks

This is the security threat posed to the northbound protocol. The northbound APIs for the SDN layer are JSON, REST, XML, Python, Java, C, C++ and Ruby. The northbound interface is the upper part of the controller that is responsible for defining operational tasks and network policies and for enforcing them in the controller in an understandable form.

Figure 5: northbound interface

There has been little effort to determine, explain and implement northbound protocols, as opposed to southbound protocols, which could have opened the floodgates to defining and implementing reactive policies. As a result the northbound interface is left exposed and is seen as a weak point for attackers to use [10]. The northbound API allows network managers to configure the network's runtime parameters; for instance a network admin may add to and modify a list of end hosts using the network control system so as to define who can access the network and block the rest. These APIs are exposed by an HTTP server using REST practices to allow programmatic access to the network admin parameters. This allows the implementation of graphical user interfaces, command line interfaces and admin scripts, which are good targets for attackers. Attackers focus on the northbound API and try to compromise it to gain control of the network through the controller. Where the controller does not secure the northbound API, attackers are able to create their own SDN policy, which gives them absolute control of the software defined environment.
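The northbound weaknesses just described (an exposed REST interface, default passwords, anyone able to push policy) come down to the controller not checking who is calling and what they are allowed to do. The following is an added example, not code from the paper or from any real controller, of the checks a northbound API front end should make before it touches policy: every request must carry a valid API key (stored hashed, compared in constant time), only principals with the operator role may issue policy-changing methods, factory default logins are refused at deployment time, and every decision is written to an audit trail. The roles, key ids, request shapes and default-credential list are constructed for the illustration.

```python
"""Added example (not the paper's or any controller's code) of northbound API
authorization: API-key verification, role checks on policy-changing methods,
refusal of default credentials, and an audit log. All names are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed list of factory/default logins that must never reach production.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("sdn", "sdn")}
POLICY_CHANGING_METHODS = {"POST", "PUT", "DELETE"}


@dataclass(frozen=True)
class Principal:
    name: str
    role: str     # "viewer" may read; "operator" may change flows and policy


class NorthboundAuth:
    def __init__(self) -> None:
        self._keys: Dict[str, Tuple[bytes, Principal]] = {}   # key_id -> (sha256(key), who)
        self.audit: List[str] = []

    def issue_key(self, principal: Principal, key_id: str) -> str:
        """Create a random API key; only its hash is kept on the controller."""
        key = secrets.token_hex(32)
        self._keys[key_id] = (hashlib.sha256(key.encode()).digest(), principal)
        return key

    def _verify(self, key_id: str, key: str) -> Optional[Principal]:
        record = self._keys.get(key_id)
        if record is None:
            return None
        presented = hashlib.sha256(key.encode()).digest()
        # constant-time comparison so response timing does not leak the key
        if not hmac.compare_digest(presented, record[0]):
            return None
        return record[1]

    def authorize(self, request: Dict[str, str]) -> int:
        """Return the HTTP status the controller should answer with."""
        who = self._verify(request.get("key_id", ""), request.get("key", ""))
        method, path = request.get("method", "GET"), request.get("path", "/")
        if who is None:
            self.audit.append(f"DENY 401 {method} {path} key_id={request.get('key_id')}")
            return 401
        if method in POLICY_CHANGING_METHODS and who.role != "operator":
            self.audit.append(f"DENY 403 {method} {path} user={who.name}")
            return 403
        self.audit.append(f"ALLOW 200 {method} {path} user={who.name}")
        return 200


def uses_default_credentials(username: str, password: str) -> bool:
    """Deployment check: refuse to start the controller with a factory login."""
    return (username, password) in DEFAULT_CREDENTIALS


def demo() -> List[int]:
    """Constructed sequence of northbound requests and the status each receives."""
    auth = NorthboundAuth()
    ops_key = auth.issue_key(Principal("alice", "operator"), "k-alice")
    view_key = auth.issue_key(Principal("bob", "viewer"), "k-bob")
    requests = [
        {"method": "GET", "path": "/flows", "key_id": "k-bob", "key": view_key},
        {"method": "POST", "path": "/flows", "key_id": "k-bob", "key": view_key},
        {"method": "POST", "path": "/flows", "key_id": "k-alice", "key": ops_key},
        {"method": "POST", "path": "/flows", "key_id": "k-alice", "key": "guessed"},
        {"method": "DELETE", "path": "/acl/1"},   # no credentials at all
    ]
    return [auth.authorize(r) for r in requests]


if __name__ == "__main__":
    print(demo())   # [200, 403, 200, 401, 401]
    print(uses_default_credentials("admin", "admin"))   # True
```

The audit list is the part operators will thank you for later: a burst of 401s against one key id is the visible trace of someone probing the northbound interface, and it is cheap to forward to the SIEM.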
Where the controller uses a default password, the attacker can craft packets to the controller's interface that allow querying and modification of the SDN environment [11].

Attacks on the Data Plane Layer

A malicious user of the SDN may attack the data plane layer so as to penetrate the network. If successful, they gain access to virtual and physical components that allow modification of host configuration, which then acts as their platform for attacks. This platform allows them to attack the network infrastructure and compromise the proper functioning of the entire network. They can launch attacks such as fuzzing attacks as well as denial of service (DoS) [12]. Southbound APIs are used to communicate with the computing components of the network, but they do not have secure implementations and no thorough research has been done on them, as they have only just entered the market. SDN systems use protocols with no encryption or authentication, which exposes the packets to attackers. The protocols are designed such that they are easily compromised by attackers [10]. An attacker tries to leverage the southbound API protocols to insert flows into the flow table of a component. The attacker can then spoof new flows and allow various traffic flows across the network that the network administrators had already blocked. This is possible by creating bypass traffic steering that directs the network traffic in their direction and avoids the network firewalls. This results in man-in-the-middle attacks and network sniffing. The attacker may also learn the flows and allowed traffic through the network as a result of eavesdropping on the southbound communication between the controller and the network component.

Attacks on the Control Layer

Control layer attacks centre on spoofing northbound and southbound API messages, which allows attackers to instantiate new flows in flow tables.
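Flows inserted through a spoofed southbound message or a rogue controller, as described in the data plane and control layer sections above, still have to sit in the switch's flow table, and the table can be dumped and compared with what the legitimate controller intended. The following is an added detection example, not code from the paper or from any controller, that audits a dump of installed flows against the administrator's policy: it flags entries whose OpenFlow cookie is not one the real controller uses, entries that forward traffic from a host the admin has blocked (including wildcard-source entries that outrank the drop rule), and entries that send traffic out of an uplink other than the firewall port. Cookie values, ports, addresses and the policy structure are constructed for the illustration.

```python
"""Added detection example (not the paper's code): audit the flows a switch
holds against admin policy to surface entries a rogue controller or spoofed
southbound message may have installed. All identifiers are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class InstalledFlow:
    cookie: int                 # OpenFlow cookie: the controller tags the flows it installs
    match: Dict[str, object]    # missing keys are wildcards
    actions: List[str]          # [] means drop; "output:<port>" forwards
    priority: int


@dataclass
class Policy:
    controller_cookies: Set[int]   # cookies the legitimate controller uses
    blocked_sources: Set[str]      # hosts the admin has blocked
    uplink_ports: Set[int]         # ports that lead out of the site
    firewall_port: int             # the only uplink traffic may legitimately use


def _output_ports(flow: InstalledFlow) -> List[int]:
    return [int(a.split(":", 1)[1]) for a in flow.actions if a.startswith("output:")]


def audit_flows(flows: List[InstalledFlow], policy: Policy) -> List[Tuple[str, InstalledFlow]]:
    findings: List[Tuple[str, InstalledFlow]] = []
    # priority of the drop rule protecting each blocked source (if any)
    drop_priority: Dict[Optional[object], int] = {}
    for f in flows:
        if not f.actions:
            src = f.match.get("ip_src")
            drop_priority[src] = max(f.priority, drop_priority.get(src, -1))

    for f in flows:
        if f.cookie not in policy.controller_cookies:
            findings.append(("unknown-cookie", f))
        ports = _output_ports(f)
        if not ports:
            continue                       # drop rules cannot leak traffic
        src = f.match.get("ip_src")
        if src in policy.blocked_sources:
            findings.append(("blocked-source-forwarded", f))
        elif src is None:
            # a wildcard-source entry overrides a block only if it outranks the drop rule
            for blocked in policy.blocked_sources:
                if f.priority > drop_priority.get(blocked, -1):
                    findings.append(("shadows-block", f))
                    break
        if any(p in policy.uplink_ports and p != policy.firewall_port for p in ports):
            findings.append(("firewall-bypass", f))
    return findings


def finding_kinds(flows: List[InstalledFlow], policy: Policy) -> List[str]:
    """Distinct finding types, sorted, for a quick pass/fail view."""
    return sorted({kind for kind, _ in audit_flows(flows, policy)})


SAMPLE_POLICY = Policy(controller_cookies={0x1A}, blocked_sources={"10.0.0.5"},
                       uplink_ports={4, 5}, firewall_port=4)

SAMPLE_FLOWS = [   # constructed dump of one switch's table
    InstalledFlow(0x1A, {"ip_src": "10.0.0.5"}, [], 200),              # admin's block
    InstalledFlow(0x1A, {"ip_dst": "10.0.0.10"}, ["output:2"], 100),   # legitimate steering
    InstalledFlow(0x1A, {}, ["output:4"], 10),                         # default path via firewall
    InstalledFlow(0xBEEF, {"ip_src": "10.0.0.5"}, ["output:5"], 300),  # entry nobody admits installing
]

if __name__ == "__main__":
    for kind, flow in audit_flows(SAMPLE_FLOWS, SAMPLE_POLICY):
        print(kind, hex(flow.cookie), flow.match, flow.actions, flow.priority)
```

Run periodically against the switches' flow-stats replies, this kind of audit is what gives engineers back the visibility the text says a rogue controller takes away: the unknown-cookie finding alone is enough to start tracing where the entry came from.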
Instantiating such flows gives the attacker the ability to control traffic through the SDN, which allows bypassing of the implemented security controls. Attackers sometimes try to make the controller malfunction through denial of service attacks, which consume network resources and jam the network so as to deny the controller access to it. As a result the controller becomes slow to receive and send packets. General purpose operating systems have their own problems, which act as a weak point for hackers. Controllers are usually deployed with default passwords, which don't allow proper configuration of security settings, as the system engineers fear interfering with the system. This results in weak configurations [9]. Attackers sometimes try to create their own virtual controller to tap network elements by making them believe that the flows coming from their controller are genuine. This gives them a chance to instantiate flows in the flow tables of network elements. As a result the engineers are denied visibility of the flows, hence it is hard for them to trace the source of a problem.

Resolving Security Issues of SDN

Adding security to software defined networking is crucial regardless of the architecture model or the communication protocol used. The concept of connecting everything, which allows all devices that have an IP address to connect to the network, can be a threat to the network; however, each network element can be secured. SDN has addressed these options by integrating security services into its systems [13]. These services may include threat defense, content inspection and many others. In this paper we discuss securing the data plane layer as a measure to control attacks on the data plane layer.

Securing the Data Plane Layer

Most SDN systems run on general purpose 32-bit systems and use transport layer security to protect the control plane; however, long-lived sessions leave the data plane vulnerable to attacks.
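The section above leans on transport layer security for the control channel and, further on, on shared secrets and nonces against replay. The following is an added example, not code from the paper or from any SDN product, of both controls in Python: a server-side TLS context for the controller that refuses anything below TLS 1.2 and requires a client certificate from every switch (mutual TLS, so a rogue controller or an unenrolled switch cannot complete the handshake), and a shared-secret message format carrying a random nonce and a timestamp under an HMAC, with a receiver that rejects tampered, stale and replayed control messages. The secret, the 30-second freshness window, the message layout and the certificate file names are constructed for the illustration.

```python
"""Added example (not the paper's code): a hardened TLS server context for an
SDN controller, plus a shared-secret, nonce-and-timestamp message format that
lets the receiver reject forged, stale and replayed control messages."""
import hashlib
import hmac
import os
import ssl
import struct
import time
from typing import Dict, List, Optional

NONCE_LEN, TS_LEN, TAG_LEN = 16, 8, 32
HEADER_LEN = NONCE_LEN + TS_LEN


def controller_tls_context() -> ssl.SSLContext:
    """Server-side policy only; certificates are loaded separately by load_identity()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no SSLv3 / TLS 1.0 / TLS 1.1
    ctx.verify_mode = ssl.CERT_REQUIRED            # mutual TLS: every switch must present a cert
    return ctx


def load_identity(ctx: ssl.SSLContext, cert_file: str, key_file: str, ca_file: str) -> None:
    """Controller certificate plus the CA that signed the switches' certificates (paths are assumed)."""
    ctx.load_cert_chain(cert_file, key_file)
    ctx.load_verify_locations(ca_file)


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    return ctx.minimum_version == ssl.TLSVersion.TLSv1_2 and ctx.verify_mode == ssl.CERT_REQUIRED


def seal(secret: bytes, payload: bytes, now: Optional[float] = None) -> bytes:
    """nonce || timestamp || HMAC-SHA256(nonce || timestamp || payload) || payload"""
    ts = int(now if now is not None else time.time())
    header = os.urandom(NONCE_LEN) + struct.pack(">Q", ts)
    tag = hmac.new(secret, header + payload, hashlib.sha256).digest()
    return header + tag + payload


class ReplayGuard:
    def __init__(self, secret: bytes, window: int = 30) -> None:
        self.secret = secret
        self.window = window               # seconds a message stays acceptable
        self.seen: Dict[bytes, int] = {}   # nonce -> timestamp, pruned as messages expire

    def open(self, msg: bytes, now: Optional[float] = None) -> Optional[bytes]:
        """Return the payload, or None if the message is forged, stale or replayed."""
        now = now if now is not None else time.time()
        if len(msg) < HEADER_LEN + TAG_LEN:
            return None
        header = msg[:HEADER_LEN]
        tag = msg[HEADER_LEN:HEADER_LEN + TAG_LEN]
        payload = msg[HEADER_LEN + TAG_LEN:]
        expected = hmac.new(self.secret, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                                    # tampered, or wrong secret
        nonce, ts = header[:NONCE_LEN], struct.unpack(">Q", header[NONCE_LEN:])[0]
        if abs(now - ts) > self.window:
            return None                                    # outside the freshness window
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if nonce in self.seen:
            return None                                    # replay of a recent message
        self.seen[nonce] = ts
        return payload


def demo() -> List[bool]:
    """Constructed exchange: one good message, then a replay, a tampered copy and a stale one."""
    secret = b"constructed-shared-secret"     # provision a distinct secret per switch in practice
    guard = ReplayGuard(secret)
    msg = seal(secret, b"flow-mod: add 10.0.0.5 -> drop", now=1000)
    tampered = msg[:-1] + bytes([msg[-1] ^ 0x01])
    return [
        guard.open(msg, now=1005) is not None,                        # fresh and authentic
        guard.open(msg, now=1006) is None,                            # same nonce again: replay
        guard.open(tampered, now=1007) is None,                       # payload altered: MAC fails
        guard.open(seal(secret, b"x", now=1000), now=2000) is None,   # stale
    ]


if __name__ == "__main__":
    print(context_is_hardened(controller_tls_context()))   # True
    print(demo())                                           # [True, True, True, True]
```

The MAC is checked before the timestamp and the nonce cache on purpose: only authenticated messages get to touch the receiver's state, so an unauthenticated sender cannot fill the nonce table. Bounding the cache to the freshness window keeps the check cheap even for long-lived sessions, which is the weak point the text flags.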
The control plane needs to be separated from the major data flows via network security controls or by using an out-of-band network [14]. Transport Layer Security (TLS) authenticates controllers and encrypts traffic between end points to protect against eavesdropping and spoofing of communications [6]. Some security protocols used within TLS sessions use either shared secret passwords or nonces, or both, to protect against replay attacks. The tunnel endpoints and tunnel traffic may be authenticated through a certain type of data center interconnect, or may still use passwords or shared secrets. Some business enterprises have faith in some networks and believe they are inherently secure.

Bibliography

[1] N. McKeown, "Software-defined Networking," INFOCOM, California, 2011.
[2] J. Onisick, "Network Abstraction and Virtualization: Where to Start?," Define The Cloud, 19 June 2013.
[3] J. Glover et al., "Write a Literature Review," VCU Libraries, p. 1, 20 September 2016.
[4] D. K. V. Fernando M. V. Ramos, "Towards Secure and Dependable Software-Defined Networks," University of Lisbon, Portugal: LaSIGE/FCUL, 2012.
[5] Kanika, "Difference Between Control Plane and Data Plane," SDN Tutorials, p. 1, 21 June 2016.
[6] S. Hogg, "SDN Security Attack Vectors and SDN Hardening," Network World from IDG, 2014.
[7] M. R. T., "OpenStack Neutron (formerly called Quantum)," TechTarget, London, 2016.
[8] M. M. and W. Braun, "Software-Defined Networking Using OpenFlow: Protocols, Applications and Architectural Design Choices," Future Internet, pp. 320-329, 2014.
[9] A. R. Voellmy, "Programmable and Scalable Software-Defined Networking Controllers," 2014.
[10] H. K. and N. Feamster, "Software Defined Networks," Georgia, 2013.
[11] A. R. Voellmy, "Programmable and Scalable Software-Defined Networking Controllers," 2014.
[12] Y. Y. Y. YuHunag MinChi, "A Novel Design for Future On-Demand Service and Security," in Proceedings of the International Conference on Communication Technology (ICCT), Nanjing, 2011.
[13] Open Networking Foundation, "Principles and Practices for Securing Software-Defined Networks," ONF TR-511, January 2015.
[14] R. Millman, "How to secure the SDN infrastructure," TechTarget, 2015.
[15] C. Dixon et al., "Software defined networking to support the software defined environment," International Business Machines Corporation, 2014.
[16] T. Aven et al., "Principles and Practices for Securing Software-Defined Networks," Open Networking Foundation, 2015.
[17] Z. Shu et al., "Security in Software-Defined Networking: Threats and Countermeasures," Springer Link, 2016.
[10] Gladisch and W. Kellerer, "Software defined networking and network function virtualization," it - Information Technology, vol. 57, no. 5, 2015.
[12] Kirkpatrick, "Software-defined networking," Communications of the ACM, vol. 56, no. 9, p. 16, 2013.