As enterprises look to adopt Software Defined Networking (SDN), the top of mind issue is the concern for security. Enterprises want to know how SDN products will assure them that their applications, data and infrastructure will not be vulnerable. With the introduction of SDN, new strategies for securing the control plane traffic are needed. This article will review the attack vectors of SDN systems and share ways to secure the SDN-enabled virtualized network infrastructure. This article will then discuss the methods currently being considered to secure SDN deployments.
1. SDN Attack Vectors
Software-Defined Networking (SDN) is an approach to networking that separates the control plane from the forwarding plane to support virtualization. SDN is a new paradigm for network virtualization. Most SDN architecture models have three layers: a lower layer of SDN-capable network devices, a middle layer of SDN controller(s), and a higher layer that includes the applications and services that request or configure the SDN. Even though many SDN systems are relatively new and SDN is still in the realm of the early adopters, we can be sure, that as the technology matures and is more widely deployed, it will become a target for attackers.
We can anticipate several attack vectors on SDN systems. The more common SDN security concerns include attacks at the various SDN architecture layers. Let’s look at the anticipated attacks that could occur at each of these layers. Following is a picture to illustrate a typical SDN architecture and where attackers may be coming from.
1-1. Attacks at Data Plane Layer
Attackers could target the network elements from within the network itself. An attacker could theoretically gain unauthorized physical or virtual access to the network or compromise a host that is already connected to the SDN and then try to perform attacks to destabilize the network elements. This could be a type of Denial of Service (DoS) attack or it could be a type of fuzzing attack to try to attack the network elements.
There are numerous southbound APIs and protocols used for the controller to communicate with the network elements. These SDN southbound communications could use OpenFlow (OF), Open vSwitch Database Management Protocol (OVSDB), Path Computation Element Communication Protocol (PCEP), Interface to the Routing System (I2RS), BGP-LS, OpenStack Neutron, Open Management Infrastructure (OMI), Puppet, Chef, Diameter, Radius, NETCONF, Extensible Messaging and Presence Protocol (XMPP), Locator/ID Separation Protocol (LISP), Simple Network Management Protocol (SNMP), CLI, Embedded Event Manager (EEM), Cisco onePK, Application Centric Infrastructure (ACI), Opflex, among others. Each of these protocols has their own methods of securing the communications to network elements. However, many of these protocols are very new and implementers may not have set them up in the most secure way possible.
An attacker could also leverage these protocols and attempt to instantiate new flows into the device’s flow-table. The attacker would want to try to spoof new flows to permit specific types of traffic that should be disallowed across the network. If an attacker could create a flow that bypasses the traffic steering that guides traffic through a firewall the attacker would have a decided advantage. If the attacker can steer traffic in their direction, they may try to leverage that capability to sniff traffic and perform a Man in the Middle (MITM) attack.
An attacker would like to eavesdrop on flows to see what flows are in use and what traffic is being permitted across the network. The attacker would want to try to eavesdrop on southbound communication between the network element and the controller. This information could be useful for a replay attack or simply for reconnaissance purposes.
Many SDN systems are deployed within data centers and data centers are more frequently using Data Center Interconnect (DCI) protocols such as Network Virtualization using Generic Routing Encapsulation (NVGRE), Stateless Transport Tunneling (STT), Virtual Extensible LAN (VXLAN), Cisco Overlay Transport Virtualization (OTV), Layer 2 Multi-Path (L2MP), TRILL-based protocols (Cisco FabricPath, Juniper QFabric, Brocade VCS Fabric), Shortest Path Bridging (SPB), among others. These protocols may lack authentication and any form of encryption to secure the packet contents. These new protocols could possess vulnerabilities due to an aspect of the protocol design or the way the vendor or customer has implemented the protocol. An attacker could be motivated to create spoofed traffic in such a way that it traverses the DCI links or to create a DoS attack of the DCI connections.
1-2. Attacks at Controller Layer
It is obvious that the SDN controller is an attack target. An attacker would try to target the SDN controller for several purposes. The attacker would want to instantiate new flows by either spoofing northbound API messages or spoofing southbound messages toward the network devices. If an attacker can successfully spoof flows from the legitimate controller then the attacker would have the ability to allow traffic to flow across the SDN at their will and possibly bypass policies that may be relied on for security.
An attacker might try to perform a DoS of the controller or use another method to cause the controller to fail. The attacker might try to attempt some form of resource consumption attack on the controller to bog it down and cause it to respond extremely slowly to Packet_In events and make it slow to send Packet_Out messages.
Often times, SDN controllers run on some form of Linux operating system. If the SDN controller runs on a general purpose operating system, then the vulnerabilities of that OS become vulnerabilities for the controller. Often times the controllers are deployed into production using the default passwords and no security settings configured. The SDN engineers got it to “just barely” work and then didn’t want to touch it for fear of breaking it so the system ends up in production in a vulnerable configuration.
Lastly, it would be bad if an attacker created their own controller and got network elements to believe flows from the “rogue” controller. The attacker could then create entries in the flow tables of the network elements and the SDN engineers would not have visibility to those flows from the perspective of the production controller. In this case, the attacker would have complete control of the network.
1-3. Attacks at SDN Layer
Attacking the security of the northbound protocol would also be a likely vector. There are many northbound APIs that are used by SDN controllers. Northbound APIs could use Python, Java, C, REST, XML, JSON, among others. If the attacker could leverage the vulnerable northbound API, then the attacker would have control over the SDN network through the controller. If the controller lacked any form of security for the northbound API, then the attacker might be able to create their own SDN policies and thus gain control of the SDN environment.
Often times, there is a default password that is used for a REST API which is trivial to determine. If an SDN deployment didn’t change this default password and the attacker could create packets toward the controller’s management interface, then the attacker could query the configuration of the SDN environment and put in their own configuration.
2. Hardening an SDN System
With the introduction of SDN, a new method is needed for securing the control plane traffic. In traditional IP networks the control plane security came in the form of routing protocol security measures that involved using MD5 for EIGRP, IS-IS, or OSPFv2, IPsec AH in the case of OSPFv3, or GTSM/ACLs/passwords for MP-BGP. Some implementers do not even follow these simple techniques for traditional IP networks. If they approach deployment of an SDN with the same disregard for security, then they will be exposing their organization to attacks. Let’s look at how one can secure an SDN system based on hardening the three layers illustrated in the above architecture diagram.
2-1. Securing the Data Plane Layer
Typical SDN systems leverage X86 processors and use TLS (formerly SSL) for the security of the control plane. These long-lived HTTP sessions are susceptible to a wide range of attacks that could jeopardize the integrity of the data plane. This would bypass the multi-tenancy of these solutions and cause cloud-based services to be compromised. Organizations should prefer to use TLS to authenticate and encrypt traffic between network device agent and controller. Using TLS helps to authenticate controller and network devices/SDN agent and avoid eavesdropping and spoofed southbound communications.
Depending on the southbound protocol being used, there may be options to secure this communications. Some protocols may be used within TLS sessions as previously mentioned. Other protocols may use shared-secret passwords and/or nonce to prevent replay attacks. Protocols like SNMPv3 offer more security than SNMPv2c and SSH is far better than Telnet. Other proprietary southbound protocols may have their own methods to authenticate network device agents and controllers and encrypt data between themselves, thus thwarting the attacker’s eavesdropping and spoofing.
Similarly, depending on the Data Center Interconnect (DCI) protocol being used, there may be configurable options to authenticate tunnel endpoints and secure tunneled traffic. Again, passwords/shared-secrets might be an option. However, some DCI protocols may not have any option for security.
Organizations may believe that a private network has certain inherent security. As organizations extend their virtual networks and SDNs to cloud services and to remote data centers, verifying the physical path may not be so easy. Preventing unauthorized access is easier when an organization controls the physical access, but as networks virtualize, the actual physical path gets a little murky. It is difficult to secure what you can’t see.
2-2. Securing the Controller Layer
The controller is a key attack target and therefore, it must be hardened. Hardening the security posture of the controller and the network elements typical comes down to host OS hardening. All the best practices for hardening public-facing Linux servers are applicable here. Still, organizations will will want to closely monitor their controllers for any suspicious activity.
Organizations will also want to prevent unauthorized access to SDN control network. SDN systems should allow for configuration of secure and authenticated administrator access to controller. Even Role-Based Access Control (RBAC) policies may be required for controller administrators. Logging and audit trails could be useful for checking for unauthorized changes by administrators or attackers alike.
If there is a DoS attack of the controller, then it is beneficial to have a High-Availability (HA) controller architecture. SDNs that use redundant controllers could suffer the loss of a controller and continue to function. This would raise the bar for an attacker trying to DoS all the controllers in the system. Besides, that attack would not be particularly stealthy and further the attacker’s aims of remaining undetected.
2-3. Securing the SDN Layer
Another protection measure is to use an Out-of-Band (OOB) network for control traffic. It is easier and less costly to construct an OOB network in a data center than across an enterprise WAN. Using an OOB network for the northbound and southbound communications could help secure the protocols for controller management.
Using TLS or SSH or another method to secure northbound communications and secure controller management would be considered a best practice. The communications from the applications and services requesting services or data from the controller should be secured using authentication and encryption methods.
Secure coding practices for all northbound applications requesting SDN resources should be a best practice. Not only are secure coding practices beneficial to the security of public-facing Internet web applications, but they are also applicable to northbound SDN connections.
There are some SDN systems that have the ability to validate flows in network device tables against controller policy. This type of checking (similar to FlowChecker) of the flows in the network devices against the policy in the policy could help identify discrepancies that are the result of an attack.
3. Summary
We can only try to anticipate what the attackers may try to target with SDNs. The deployments are new, the protocols are new, the controller software is new, and the history of past SDN attacks is unknown. Based on the SDN architecture, we can predict where an attacker may be likely to strike. If we put ourselves in the attacker’s shoes, we might be able to spot a weakness to exploit. Then we can harden that weakness ahead of time.
Before an organization embarks on an SDN deployment project, they should consider how they will secure the system during the early design stage. Don’t leave security until the final clean-up phase. If an organization waits until it is working, then hardening the northbound and southbound control messages may cause service-affecting problems. Like most things, setting it up right from the start will save organizations many problems down the road.
Scott