Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

SDN security attack vectors and SDN hardening

Scott Hogg | Nov. 12, 2014
Securing SDN deployments right from the start.

As enterprises look to adopt Software Defined Networking (SDN), the top of mind issue is the concern for security. Enterprises want to know how SDN products will assure them that their applications, data and infrastructure will not be vulnerable. With the introduction of SDN, new strategies for securing the control plane traffic are needed. This article will review the attack vectors of SDN systems and share ways to secure the SDN-enabled virtualized network infrastructure. This article will then discuss the methods currently being considered to secure SDN deployments.

1. SDN Attack Vectors
Software-Defined Networking (SDN) is an approach to networking that separates the control plane from the forwarding plane to support virtualization.  SDN is a new paradigm for network virtualization. Most SDN architecture models have three layers: a lower layer of SDN-capable network devices, a middle layer of SDN controller(s), and a higher layer that includes the applications and services that request or configure the SDN. Even though many SDN systems are relatively new and SDN is still in the realm of the early adopters, we can be sure, that as the technology matures and is more widely deployed, it will become a target for attackers.

We can anticipate several attack vectors on SDN systems. The more common SDN security concerns include attacks at the various SDN architecture layers.  Let's look at the anticipated attacks that could occur at each of these layers. Following is a picture to illustrate a typical SDN architecture and where attackers may be coming from.

sdn sec 1d
Click to enlarge.

1-1. Attacks at Data Plane Layer
Attackers could target the network elements from within the network itself.  An attacker could theoretically gain unauthorized physical or virtual access to the network or compromise a host that is already connected to the SDN and then try to perform attacks to destabilize the network elements.  This could be a type of Denial of Service (DoS) attack or it could be a type of fuzzing attack to try to attack the network elements.

There are numerous southbound APIs and protocols used for the controller to communicate with the network elements.  These SDN southbound communications could use OpenFlow (OF), Open vSwitch Database Management Protocol (OVSDB), Path Computation Element Communication Protocol (PCEP), Interface to the Routing System (I2RS), BGP-LS, OpenStack Neutron, Open Management Infrastructure (OMI), Puppet, Chef, Diameter, Radius, NETCONF, Extensible Messaging and Presence Protocol (XMPP), Locator/ID Separation Protocol (LISP), Simple Network Management Protocol (SNMP), CLI, Embedded Event Manager (EEM), Cisco onePK, Application Centric Infrastructure (ACI), Opflex, among others.  Each of these protocols has their own methods of securing the communications to network elements.  However, many of these protocols are very new and implementers may not have set them up in the most secure way possible.

 

1  2  3  4  5  Next Page 

Sign up for Computerworld eNewsletters.