This document discusses using the Keyless Signature Infrastructure (KSI) to secure Software Defined Networks (SDNs). SDNs centralize network control, which improves agility but also creates new security risks if the centralized control plane is compromised. KSI can help address these risks by cryptographically signing SDN configuration data and network policies. This allows any SDN component to independently verify that it is using untampered data, without requiring trust in the SDN controller. KSI signatures provide real-time detection of any unauthorized data changes. By integrating KSI, SDNs can assure the integrity of critical network control data and detect insider threats or data manipulation attempts.
2. USE OF A GLOBALLY DISTRIBUTED BLOCKCHAIN TO SECURE SDN PAGE 2 OF 20
3. USE OF A GLOBALLY DISTRIBUTED BLOCKCHAIN TO SECURE SDN PAGE 3 OF 20
Introduction
Due to environmental constraints, budget cutbacks, and
increased requirements to streamline data centers and
systems, departments and agencies in the federal, DOD
and Intel communities are looking to adopt industry best
practices such as Cloud, Managed Services and Software
Defined Networks (SDN). While all three are valuable
strategies to increase efficiencies while cutting cost, SDNs
enable cloud infrastructure and Managed or Shared ser-
vices to extend virtualization into the network plane. SDNs
allows enterprises to promote modernization and increased
command and control over assets via:
1. Increased cloud enablement and effectiveness
via virtualization across all network planes
2. Increased governance and control
over large, enterprise networks
3. Increased mission readiness and agility to react
and remediate network issues or breaches
4. Increased visibility and transparency into enterprise
and geographically dispersed networks.
With all progressive technology, the very tenets that allow
for increased capabilities will change the necessary secu-
rity posture to adequately protect the enterprise. SDNs are
similar to the adoption of previous architectures such as
SOA or Web Services, where new security mechanisms
and mitigations were required. With SDNs, the new ar-
chitecture changes the paradigm from a decentralized
aggregation of network assets to a more centralized and
streamlined model.
Traditionally, most large networks consist of a multitude of
routers, switches, gateways etc. that were managed almost
independently. As illustrated in Figure 1 below, require-
ments are gathered, aggregated, and executed in a mostly
manual method. Each Network Asset requires a configura-
tion that is updated manually via an authorized user. While
this provides some security through dissociation of assets,
it does not allow for an agile enterprise that provides real
time scaling, remediation and configuration.
Newest cyber threat will be data
manipulation, US intelligence chief says.
US intelligence chiefs are warning Congress that
the next phase of escalating online data theft is likely
to involve the manipulation of digital information.
http://www.iacpcybercenter.org/news/newest-cy-
ber-threat-will-be-datamanipulation-us-intelli-
gence-chief-says/
NSA Chief on data manipulation:
“Historically, we’ve largely been focused on stop-
ping the extraction of data and insights, whether
for intellectual property for commercial or criminal
advantage, but what happens when suddenly our
data is manipulated and you no longer can believe
what you’re physically seeing?” he said.
“As a military guy, who’s used to the idea that, ‘I can
look at a display, I can look at a set of data, and I
can very quickly draw conclusions and start to make
risk-based decisions quickly,’ what happens if that
gets called into question? I believe that’s going to
happen.
http://www.businessinsider.com/nsa-chief-de-
scribes-3-biggest-cyber-threats-2015-10
4. USE OF A GLOBALLY DISTRIBUTED BLOCKCHAIN TO SECURE SDN PAGE 4 OF 20
With a SDN, the network is abstracted from hardware ap-
pliances and bare metal assets. By abstracting the control
of these configurations and creating virtual network assets,
the applications, VMs and other components can connect
to these assets as they would on a traditional network,
but provides the enterprise with the ability to add, remove
and update the network assets in a dynamic and centrally
controlled model. Thus SDNs provides a robust and agile
network allowing for additional nodes and assets to be cre-
ated and removed with the same agility as creating a VM or
other virtualized or cloud asset.
INPUTS GOVERNANCE
SECURITY REQUIREMENTS
NETWORK REQUIREMENTS
MISSION REQUIREMENTS
LOGICAL MISSION
REQUIREMENTS
GOVERNANCE
STANDARD
CONFIGURATION
NETWORK ASSET
CONFIG
MANUAL
DEPLOY-
MENT
NETWORK ASSET
CONFIG
MANUAL
DEPLOY-
MENT
NETWORK ASSET
CONFIG
MANUAL
DEPLOY-
MENT
NETWORK ASSET
CONFIG
MANUAL
DEPLOY-
MENT
NETWORK ASSET
CONFIG
MANUAL
DEPLOY-
MENT
Figure 1 Traditional Network Configuration
With the centralization and aggregation of the control of
these virtual network assets, the security posture of the
enterprise shifts from a segregated, dissociated attack
plane to a more centralized and abstracted surface. By the
tenets of SDNs, the control mechanisms are managed by
a centralized control application that will logically store all
configurations for the network assets. Integrity and access
to these configurations is paramount for the system to
function correctly and defend against malicious behavior.
In order to provide accurate and protected configurations,
Keyless Signature Infrastructure (KSI) provides the re-
quired security posture to monitor and verify that assets are
accurate and accessible.
5. USE OF A GLOBALLY DISTRIBUTED BLOCKCHAIN TO SECURE SDN PAGE 5 OF 20
KSI is a data-centric security technology based on cryp-
tographic hash functions, requiring only the use of hash-val-
ues and binary trees. By integrating KSI into networks, irre-
spective of where an asset is transmitted or stored, every
component, configuration, and digital asset generated by
humans or machines can be tagged, tracked and located
with real-time verification independent of trusted admin-
istrators. KSI provides a truth-based system wherein the
need for trust can be completely eliminated. KSI provides
the capability to create a signature of the configuration
or control data upon creation and verification of that data
upon use by the network nodes or other assets.
Figure 2 SDN Configuration
By leveraging KSI technology, the components of a SDN
will have the ability to sign and verify data as it moves
between components. This provides the enterprise with a
data integrity infrastructure in which data can be signed
and verified in near-real time. The data residing in the
configuration storage is monitored and verified against the
associated signatures that were created upon the creation
of the configuration data. This allows for near-real time
enterprise data integrity checks before the network nodes
request to use a configuration. By monitoring the current
true configurations and verifying the configurations upon
network asset creation or change, the enterprise can as-
sure each network asset uses the correct configuration.
ASSETS
CONTROL
COMMAND
NETWORK ASSETNETWORK ASSETNETWORK ASSETNETWORK ASSET
NETWORK ASSETNETWORK ASSETNETWORK ASSETNETWORK ASSET
NETWORK ASSET
MANUAL
DEPLOYMENT
INPUTS
STANDARD
CONFIGURATION
STORAGE
GOVERNANCE
CONTROL
CURRENT MISSION CONFIGURATION
SITUATION
AWARENESS
SECURITY REQUIREMENTS
NETWORK REQUIREMENTS
MISSION REQUIREMENTS
LOGICAL MISSION
REQUIREMENTS
GOVERNANCE
ASSETS
SITUATIONAL AWARENESS
REPORTIN
MONITORING
SITUATION
AWARENESS
6. USE OF A GLOBALLY DISTRIBUTED BLOCKCHAIN TO SECURE SDN PAGE 6 OF 20
Introduction
to KSI
In the use of KSI, the root hash is calculated and “pub-
lished” in a distributed “calendar” database that every
customer (or subscriber) has a copy of. For every hash
value entered into the tree, there is a unique hash-chain,
or series of hash-values that allows the root hash-value to
be recreated. This hash chain is returned and stored as the
signature. A signature for a given digital asset identifies the
computation path, through the hash tree, from the asset’s
own hash value, up to the root calendar value. The signa-
ture also includes “sibling” values that were concatenated
at every step in the hash tree, which are necessary to rec-
reate the root hash. With access to the public “calendar”
database, anyone, anywhere, can receive data and verify
the signature, which includes indications of time, identity
and integrity, without reliance on a central trust authority.
TOP ROOT HASH VALUES
TIME
CALENDAR DATABASE
Figure 3 Calendar hash block chain
Every second, a federated and distributed binary tree is
generated using hash-values of data generated around the
globe within that second. A hash tree is essentially a binary
tree of hash values. Two input values, along with any other
desired parameters, are concatenated and run through a
hash function. This process is iterated, resulting in a single
root hash value.
The word “keyless” means that signatures can be verified
without assuming continued secrecy of any keys. While
shared secrets may still be used for authenticating clients
during the signature creation process, no keys are need-
ed for the signature verification itself. The integrity of the
signatures is protected using one-way, collision-free hash
functions.
7. USE OF A GLOBALLY DISTRIBUTED BLOCKCHAIN TO SECURE SDN PAGE 7 OF 20
The KSI infrastructure comprises four main components
- Cores, Aggregators, Verifiers and Gateways. The core
cluster manages the calendar and selects the top root hash
for each second. The aggregation network aggregates the
hash values and distributes the signatures. The verification
network provides widely witnessed access to the state of
the calendar. KSI signatures provide proof of signing enti-
ties, since parent aggregators accept requests only from
authenticated child aggregators.
Software Development Kits (SDKs) are required to inte-
grate KSI into end-user applications. Clients who wish
to digitally sign objects using KSI use the client side KSI
SDKs to communicate with a KSI gateway. The application
presents the data hash to the gateway, receives and must
then store the signature, and performs verification calls.
Figure 4 KSI Infrastructure
GATEWAY
SERVER
AGGREGATOR
CDN
APPLICATION
AGGREGATION
AND DELIVERY
NETWORK
EXTENDER
EXTENDER
EXTENDER
PRINT MEDIA
AGGREGATOR
AGGREGATOR
AGGREGATOR
CORE CLUSTER ELECTRONIC
MEDIA
CORE
News
News
KSI/HTTP KSI/HTTP
CALENDAR
BLOCKCHAIN
CALENDAR
BLOCKCHAIN
SDK
CALENDAR
BLOCKCHAIN
CALENDAR
BLOCKCHAIN
8. USE OF A GLOBALLY DISTRIBUTED BLOCKCHAIN TO SECURE SDN PAGE 8 OF 20
9. USE OF A GLOBALLY DISTRIBUTED BLOCKCHAIN TO SECURE SDN PAGE 9 OF 20
Figure 5 SDN Architecture and Threat Vectors Overview
KSI and SDN
Security
There are several known attack vectors on SDN:
• Malicious SDN applications
• Malicious controller that creates entries in
the flow tables of the network elements, thus
gaining complete control of the network.
• Malicious network element, admin
• Unauthorized access to an SDN controller,
network element or host connected to the SDN
• Unauthorized modification of data – network
policies, configuration files, network topology
• Destruction of essential SDN function/data
– loss of integrity and service disruption
MANAGEMENT
SDN APPLICATION
AGENT
OSS
OSS
APPLICATION PLANE
DATA PLANESOUTHBOUND API
NE (≥ 1)
MASTER RDB NE RESOURCES
COORDINATOR AGENT (≥ 1)
CONTROLLER PLANE
MASTER RDB SDN CONTROL LOGIC
COORDINATOR AGENT
OSS
NORTHBOUND API
SDN
CONTROLLER
Malicious
management
console,
malicious user
activity on the
console
Insertion of
rogue
controllers,
malicious user
activity on the
controller
Insertion of
malicious SDN
application
Malicious NE,
malicious
user activity
on the NE
The Open Networking Foundation (ONF) has recommen-
dations for securing SDNs (Reference #1). A subset of
these issues is addressed in the sections below.
Insider Threats
Breaches and a loss of trust (insider threat) are inevitable
in any networked environment and with that implicit trust is
gone. External, independently verifiable indicators of tam-
per are required, to establish ground truth. Insider threat is
a case of who watches the watcher.
10. USE OF A GLOBALLY DISTRIBUTED BLOCKCHAIN TO SECURE SDN PAGE 10 OF 20
KSI can watch the watcher (an insider with access or a
hacker with stolen credentials or elevated privileges) by
providing, external, immutable proof that the data sup-
porting the SDN is valid and unchanged from a point in
time forward. It can alert to an unanticipated modification
in moments. Additionally, KSI could enforce a two-person
protection to the underlying SDN data, further reducing
the ability for a single rogue administrator or hacker to do
damage. These steps mitigate the threat created by SDN’s
centralization of control - a key security concern with the
model.
• Trust - Traditional SDN security solutions deploy
white lists to enforce trust between devices
and controllers in an SDN. KSI can be used to
offer integrity protection on these white lists.
• Mishandling of secrets - Unlike traditional public
key infrastructure (PKI) signatures, KSI does
not require the use of secrets to sign objects
or assets. Hence a malicious insider cannot
misuse any secrets to hide their tracks.
• Assured Identity - Authentication based on identity
is paramount to security of an SDN system for
impersonation prevention to ensure malicious entities
don’t tamper with the controller configuration.
KSI offers a means to cryptographically assure
robustness of endpoint identities by including
the identity as part of the KSI signature. (Refer
to #1 for further details on assured identity)
• Proof of participation - The KSI hash chain
contains the information needed to regenerate the
root hash value from a given leaf of the tree. The
hash chain proves that the input value was part
of the original set the tree was built upon. Thus,
KSI provides proof of participation of each SDN
node in any given hash chain, thus preventing
malicious nodes from hiding their tracks.
Data manipulation is a real threat. If the insider copied sen-
sitive company IP and then tried to delete/edit the log files
to remove traces of their actions, any software tool that is
monitoring the KSI-stamped logs would see a change alert
resulting from a failed KSI signature verification. This event
can be reported immediately so that the security operations
team can take appropriate action quickly. In the absence
of technology like KSI, the logs would typically need to be
examined manually/visually to interpret changes/malicious
events before any action taken, often far too late.
CIA Triad
• Confidentiality – Encryption is widely used to
provide confidentiality. However, without integrity,
encryption brings a false sense of security in
cases where malware can be introduced into
systems, compromising the integrity of the
system securing sensitive data assets.
• Integrity - Protecting the network policies,
configurations, and flow tables from intentional or
unintentional tampering helps contain the threats
in an SDN environment. There are more network-
accessible interfaces and network control information
is consolidated into a smaller number of locations
instead of being spread over the entire network.
• In the control plane, the logs and network
topology are prone to attacks.
• Southbound and Northbound APIs can be
spoofed and the attacker could create ‘rogue’
controllers to control the entire network.
• At the application plane, the SDN applications
and logs need to be protected from application
manipulation.
11. USE OF A GLOBALLY DISTRIBUTED BLOCKCHAIN TO SECURE SDN PAGE 11 OF 20
Former National Security Agency director
and retired Gen. Keith Alexander told FCW
on Oct. 22, 2015 – “The ability of an adversary to
manipulate the content of data stored on networks
is an “emerging art of war in cyberspace”.
The phenomenon is on the radar of U.S. intelligence
officials. Alexander’s successor as leader of NSA
and Cyber Command, Adm. Michael Rogers, and
Director of National Intelligence James Clapper
has warned that data manipulation is an emerging
cyberthreat.
The future might include “more cyber operations
that will change or manipulate electronic informa-
tion in order to compromise its integrity...instead
of deleting it or disrupting access to it,” Clapper
said in prepared testimony for a House Permanent
Select Committee on Intelligence hearing in Sep-
tember, 2015.
https://fcw.com/articles/2015/10/22/alexan-
der-datamanipulation.aspx?m=1
• Availability - Additionally, the centralized model
of SDN heightens the impact on the third leg of
security, availability. As with the OPM breach,
the loss of trust in the central database wreaks
havoc on their operation to this day. Imagine then
the impact of a loss of trust in the SDN data
assets. The campus, wide area or operational
network would have to be brought down. The most
massive denial of service imaginable. With KSI
instrumenting and providing integrity of the policy,
configuration and transport data, upon breach or
notification of tamper, KSI would provide ground
truth allowing near immediate restoration the
network to a known and trusted state. Only with
KSI is that known state externally verifiable with no
reliance on trusting the credentials or intentions
of a possibly compromised inside administrator.
12. USE OF A GLOBALLY DISTRIBUTED BLOCKCHAIN TO SECURE SDN PAGE 12 OF 20
KSI and SDN Use
Case Overview
While KSI is a cornerstone of the overall enterprise security
posture, KSI enables SDNs by adding a layer of integrity
to the data and ultimately trust in the switch to logical and
virtualized networking assets across the enterprise. While
each actual deployment of KSI with the different technol-
ogies has specific design details, the overall use case for
enabling SDNs with KSI has four key integration points in
the reference architecture shown in Figure 6 below.
In the reference implementation diagram above, the num-
bers depicted below highlight the integration between a
logical SDN stack and the enterprise KSI infrastructure.
The reference implementation diagram can be explained by
the following:
ASSETS
CONTROL
COMMAND
NETWORK ASSETNETWORK ASSETNETWORK ASSETNETWORK ASSET
NETWORK ASSETNETWORK ASSETNETWORK ASSETNETWORK ASSET
NETWORK ASSET
AUTOMATED
DEPLOYMENT
INPUTS
STANDARD
CONFIGURATION
STORAGE
GOVERNANCE
CONTROL
CURRENT MISSION CONFIGURATION
SITUATION
AWARENESS
SITUATION
AWARENESS
SECURITY REQUIREMENTS
NETWORK REQUIREMENTS
MISSION REQUIREMENTS
LOGICAL MISSION
REQUIREMENTS
GOVERNANCE
ASSETS
SITUATIONAL AWARENESS
REPORTIN
MONITORING
GUARDTIME
INFRASTRUCTURE
VERIFY DATA
SIGN DATA
1
2
3
4
Figure 6 KSI instrumented SDN
1. Sign Configuration Data – In this example, at
data flow 1, the original configuration upload that
comprises the configuration data to be stored or
uploaded to the Control applications is created
and uploaded to the Configuration Storage. This
data is signed prior to upload, which creates the
original KSI signature of that data. This signature
can be stored with the original configuration data or
stored in an external system (signature escrow).
2. Monitor Verification Data – Data flow 2 illustrates
the periodic monitoring of the current configuration
data. Since all data has been signed upon upload,
each configuration document can be verified
13. USE OF A GLOBALLY DISTRIBUTED BLOCKCHAIN TO SECURE SDN PAGE 13 OF 20
periodically against the signatures. The overall
state of the configuration data storage is also
signed and periodically verified against signatures
related to logical blocks of the data. This allows
for the configuration data storage to verify either
all or subsets of the storage data to recognize
any change to the storage environment.
3. Verify Deployment Inputs – Data flow 3 illustrates
the near-real-time verification of the configuration
stage to be deployed to network assets. For
example, before the control application creates
another node or network asset, the configuration
of that asset will be pulled from the Configuration
Storage Environment. The control application will
then again verify the configuration pulled against
the KSI infrastructure to assure the data about to
be deployed is accurate and has not been altered.
4. Network Asset Continuous Monitoring – Data flow
4 highlights the continuous monitoring of the actual
network nodes or assets. After the network asset is
deployed, each asset can periodically or continuously
verify its current configuration via the signature.
14. USE OF A GLOBALLY DISTRIBUTED BLOCKCHAIN TO SECURE SDN PAGE 14 OF 20
15. USE OF A GLOBALLY DISTRIBUTED BLOCKCHAIN TO SECURE SDN PAGE 15 OF 20
KSI instrumented
SDN environment
Figure 7 Traditional SDN – Sample configuration
Figure 7 below depicts a sample SDN configuration and
the potential threats.
Malicious console,
malicious activity
on the console
No Integrity
protection/
database tampering
Rogue controller,
malicious activity
on the controller
Malicious NE,
malicious activity
on the NE
WEB APP NETWORK
POLICIES
NETWORK AND
END-USER
DEVICE INFO
SDN CONTROLLER
AND APPS
NETWORK
ELEMENTS
OPENFLOW
16. USE OF A GLOBALLY DISTRIBUTED BLOCKCHAIN TO SECURE SDN PAGE 16 OF 20
17. USE OF A GLOBALLY DISTRIBUTED BLOCKCHAIN TO SECURE SDN PAGE 17 OF 20
Figure 8 KSI Instrumented SDN – Sample configuration
Currently, in the CIA triad, integrity has taken a back seat
and the databases holding critical information for function-
ing of the SDN are not protected from data manipulation.
Figure 8 depicts an example of an SDN deployment with
KSI instrumentation. Any data - network policies, end-user
device info, topology, configuration files etc that is written
into a database will be KSI signed via a call to KSI SDK.
The KSI signature that is returned is stored in the local sig-
nature database along with any pertinent metadata. Data
from the SDN database is periodically verified against the
GUARDTIME
KSI BLOCKCHAIN
INFRASTRUCTURE
KSI BLOCKCHAIN
SDK / MIDDLEWARE
API APPS SOCAPI
DIGITAL FINGERPRINT + METADATA
INDUSTRIAL SCALE
BLOCKCHAIN
SIGNATURE REPOSITORY
+ METADATA
HTTP
HTTP ENTERPRISE
INTEGRATION
NETWORK
POLICIES
NW AND END-USER
DEVICE INFO
INTEGRITY
AUTHENTICITY
NON-REPUDIATION
PERIODIC VERIFICATION
INTEGRITY / AUTHENTICITY FULL TRACEABILITY CHAIN-OF-CUSTODY
BACKEND DATABASE
(APACHE, CASSANDRA,
OTHERS)
GOVERNANCE
SIGNATURE
ESCROW DB
Defensible End-to-End Lineage
VERIFY DATA
VERIFY DATA
SIGN DATA
EVIDENCE
EXPORT
previously stored KSI signature using the KSIverify API call.
Any change/tamper of the KSI-stamped data results in a
KSI verification failure. Thus all SDN critical data stored in
the database is protected against data manipulation.
SDN system logs shall be KSI signed to ensure they are
not tampered with, thus providing auditors with ‘clean’ data.
A potentially malicious insider in a KSI controlled environ-
ment will quickly realize that they cannot cover their tracks,
and that their activities will be detected and responded to
swiftly.
18. USE OF A GLOBALLY DISTRIBUTED BLOCKCHAIN TO SECURE SDN PAGE 18 OF 20
19. USE OF A GLOBALLY DISTRIBUTED BLOCKCHAIN TO SECURE SDN PAGE 19 OF 20
Conclusion
There is no silver bullet for the threats that mire an SDN
environment, but most current controls are woefully inad-
equate when it comes to integrity. “Trusted” entities are
frequently able to circumvent the access controls and other
security mechanisms in place, and remove evidence of their
activities.
No security solution is effective unless
the system can guarantee, irrefutably,
that the logs or applications have not
been tampered with, or there is a way
to verify beyond doubt that your se-
curity measures are working. Incorrect
information can lead to unexpected
system behavior.
The application of KSI will materially
improve enterprise environments
for controlling insider threat and by
providing a real deterrent. Advanced
dashboards can be built to extract KSI
attributed information from the system
and promote custom integration with
legacy SIEMs.
All critical components in an SDN net-
work are essentially attributable, and
the evidence of interactions between
users and these assets immutable.
With KSI, you can continue to trust
your administrators and users, but
more importantly you can now inde-
pendently verify their actions.
Key differentiators provided by a KSI instrumented SDN environment are:
• Long-term integrity – KSI offers integrity protection on the contents
ie on policies, configurations, topology that might be stored
in any backend database including but not limited to Apache
Cassandra. KSI provides an immutable chain of custody, with
independent proof of time, integrity, and proof that events occurred
in the correct order while ensuring no human interference.
• Inherent auditability and forensics - Logged data will help
auditors uniquely identify the entities involved in a particular
action and also the sequence of actions. KSI enables auditability
and transparency of evidence that in turn offers provable
compliance with regulatory and governance frameworks.
• Data lineage - All signature and verification operations in
a KSI instrumented system can be tracked as changes are
made to the SDN controllers/associated databases.
• Secure Provenance - KSI offers a means to cryptographically
verify ownership of a file or digital asset in a way that it
cannot be denied by the party modifying the object.
• Quantum Immunity - KSI is quantum immune i.e. keyless signatures
are resistant to quantum computational attacks, unlike traditional
public key cryptosystems like RSA - since they are purely based on
cryptographic hash functions that are second pre-image resistant
Whilst an effective solution to the variety of threats faced
by an SDN environment has so far proved elusive, KSI
now offers a truly scalable solution based on mathematical
certainty to offer 100% detection, accountability and audit-
ability, and across highly complex systems.