به سوی SDN (شبکه های تعریف شده نرم افزاری) امن و قابل اعتماد

ABSTRACT Towards Secure and Dependable Software-Defined Networks

Operating and maintaining a computer network is an arduous task. To express the required high-level network policies, network operators need to configure each individual network device separately | from a heterogeneous collection of switches, routers, middleboxes, etc. | using vendorspecific and low-level commands. In addition to configuration complexity, networks are dynamic, and operators have little or no mechanisms to automatically respond to network events. It is therefore difficult to enforce the required policies in such a continually changing environment.

With the separation of the control plane from the data plane that lays the ground to the Software Defined Networking paradigm, network switches 1 become simple forwarding devices and the control logic is implemented in a logically centralized controller | though in principle physically distributed [1]. In SDN, the controller is the entity that dictates the network behavior. The logical centralization of the control logic in a software module that runs in a standard server | the network operating system [2] | offers several benefits. First, it is simpler and less error-prone to modify network policies through software, than via low-level device configurations. Second, a control program can automatically react to spurious changes of the network state and thus maintain the high-level policies in place. Third, the centralization of the control logic in a controller with global knowledge of the network state simplifies the development of more sophisticated network functions. This ability to program the network in order to control the underlying data plane is therefore the crucial value proposition of SDN. SDN provides new ways to solve age-old problems in networking (e.g., routing [3]) while simultaneously enabling the introduction of sophisticated network policies, such as security and dependability. An example is Ethane [4], an SDN architecture that allows managers to enforce fine-grained access control policies. However, the security and dependability of the SDN itself has been a neglected topic up to now.

Only very recently has the community started to address these issues. Porras et al. [5] provided a security enforcement kernel in SDN controllers to allow security based prioritization. By extending the original idea, the same authors proposed FRESCO [6], a framework to ease the development and deployment of security applications in SDN. Since many commercial switches now support the OpenFlow 2 protocol [7], this technology has been deployed in a number of production networks. Security and dependability issues are therefore becoming a serious concern for the industry [8, 9].

Curiously, the main causes of concern lie in SDN’s main benefits: network programmability and control logic centralization. These capabilities actually introduce new fault and attack planes, which open the doors for new threats that did not exist before or were harder to exploit. Traditional networks have \natural protections” against what would be common vulnerabilities in regular IT systems. Namely, the closed (proprietary) nature of network devices, their fairly static design, the heterogeneity of software, and the decentralized nature of the control plane represent defenses against common threats. For example, an attack exploiting a peculiar vulnerability of a specific set of devices from a single vendor would potentially harm only part of the network.

This diversity is comparatively smaller in SDNs. A common standard (e.g., OpenFlow) among vendors and clients can also increase the risk, by the possible introduction of common faults in compliant implementations of the protocols and the control plane software. An attack similar to Stuxnet [10], a well-designed worm targeting very specific networked infrastructures, said to have impaired the operation of hundreds of those devices by modifying their control programs and configurations automatically, could have dramatic consequences in a highly configurable and programmable network. It is more than likely that such targeted attacks, also called advanced persistent threats [11], will be developed against SDNs, if the opportunity of success presents itself.

In summary, as we point out in this paper, SDNs bring a very fascinating dilemma: an extremely promising evolution of networking architectures, versus a dangerous increase in the threat surface. We should preserve the benefits of the first, by counteracting the dangers of the second. Therefore we argue, in this position paper, for the need to consider security and dependability as first class properties of future SDNs, which should be built into the design from the first hour and not bolted on.

We continue by describing several threat vectors that may enable the exploit of SDN vulnerabilities in Section 2. In Section 3 we investigate the open questions and sketch the design of a secure and dependable SDN control platform as an example materialization of the concept here advocated. In section 4 we conclude the paper.