SDN Security: Two Sides of the Same Coin

WWW.GTRI.COM
SDN Security:
Two Sides of the Same Coin
Scott Hogg, CTO GTRI
CCIE #5133, CISSP #4610
Thursday June 9, 2016
© 2016 Global Technology Resources, Inc.
All rights reserved.

© 2016 Global Technology Resources, Inc. All Rights Reserved.
2
Today’s Agenda
• Brief Review of Software Defined Networking (SDN)
• Heads:
o Attack Vectors for SDN Systems
o Securing an SDN System
• Tails:
o SDN Security Use Cases and Applications
• Open Discussion (time permitting)

Defining SDN
• Software-Defined Networking is an approach to
networking that separates the control plane from the
forwarding plane to support virtualization.
• SDN is a new paradigm
for network
virtualization.

SDN High-Level Architecture
Controller
Network
Element
Network
Element
Network
Element
Network
Element
Application Layer
Or
SDN Layer
Virtualized Application Services
Northbound API
Southbound API
Control Layer
Or
Controller Layer
Data Plane Layer
Or
Infrastructure Layer
Agent
Agent
Agent
Agent
Controller
East/West
Interface

SDN Benefits
• Greater span of control and network analytics and response.
• Better intelligence with a global view of the network rather than each
network element looking at the network from its own viewpoint.
• Improved application experience and empower the network
owner/operator.
• Rapid deployment of applications using networking that supports
the application’s specific needs.
• Simplified and automated IT administration.
• Opportunity to open up the network to a diverse set of vendors
and disaggregation.

Heads: Security of SDN Systems
• There are several attack vectors on SDN systems. The more
common SDN security concerns include:
o Attacks targeting the SDN controller – either DoS or to instantiate
new flows (spoofing northbound API messages or spoofing
southbound flows)
o Attacker creates their own controller and gets network elements to
receive flows from that controller – spoofing flows from the
legitimate controller
o Targeting the network elements – DoS or to instantiate new flows
o Attacking the DCI protocol – NVGRE, STT, VXLAN – these protocols
may lack authentication, with no encryption – this is either part of
the protocol design, or the way the vendor has implemented the
protocol
8

SDN Security Considerations
9
Controller
Network
Element
Network
Element
Network
Element
Network
Element
SDN Layer
Virtualized Application Services
Northbound API
Southbound API
Controller Layer
Data Plane Layer
Agent
Agent
Agent
Agent
Controller

SDN Vulnerability Genome Project
10
Source: http://sdnsecurity.org/project_SDN-Security-Vulnerbility-attack-list.html

Recent SDN System Vulnerabilities
• Some versions of SDN systems may contain other opensource software
that is discovered to have vulnerabilities: bash, OpenSSH, OpenSSL, ntpd
• Several vulnerabilities have been reported and fixed within OpenDaylight
o https://wiki.opendaylight.org/view/Security_Advisories
• Netdump vulnerability took 4 months to correct
o http://seclists.org/bugtraq/2014/Aug/75
• Now OpenDaylight project has security team in place
• ONIE vulnerabilities identified in BigSwitch’s Switch Light controller,
Cumulus Linux, Mellanox-OS (August 2015)
• CVE-2015-5699 - Cumulus Linux's Switch Configuration Tools Backend,
clcmd_server, Vulnerable to Local Privilege Escalation (August 11, 2015)
• August 3, 2015 – Cisco APIC root access vulnerability
o http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-
20150722-apic
11

Hardening an SDN System
• Use TLS 1.2 (or UDP/DTLS) to authenticate and encrypt traffic between network
device agent and controller, authenticate controller and network devices/SDN
agent using certificates
• High-Availability controller architecture
• Prevent unauthorized access to SDN control network
• Use Out-of-Band (OOB) network for control traffic, OOB and secure protocols for
controller management and northbound communications
• Harden the controller and the network elements (typical host hardening)
• Closely monitor controllers for suspicious activity
• Secure coding practices for all northbound applications requesting SDN resources
• Ability to validate flows in network device tables against controller policy
• Use Data Center Interconnect (DCI) protocols that can authenticate tunnel
endpoints and secure tunneled traffic
12

Tails: SDN Security-Specific Use Case
• SDN allows for creative new approaches to security
• We will now review 6 SDN uses cases for security
1. Traffic Filtering with SDN
2. Network Slicing, Campus Slicing, Multi-Tenancy,
Enclaves, Isolation, Network Segmentation
3. DDoS Mitigation
4. Network Access Control (NAC)
5. Security Traffic Monitoring
6. Moving Target Defense (MTD)
13

Traffic Filtering with SDN
• That which is not permitted is denied – make the SDN
switches not transparent learning/forwarding
• Cisco APIC-EM configures the ACI policy for traffic
permitted between End Point Groups (EPGs) and for
traffic steering – if not permitted, traffic is dropped
• Integrate SDN system with Cisco Identity Services Engine
(ISE) for device profiling, user authentication, SGT,
TrustSec tagging
• Traffic steering toward firewall or content filter, security
service insertion between client and server
14

SDN Switches As Firewalls?
15
SDN Controller
Network
Element
SDN Layer
Northbound API
Southbound API
Controller Layer
Data Plane Layer
Agent
Agent
Agent
Agent
Network
Element
Network
Element
Network
Element
Software-Defined Perimeter (SDP)

Network Segmentation with SDN
• Separating the network into logically separated networks
• Network Slicing, Campus Slicing, Secured Enclaves, Micro-
Segmentation, Virtual Routing and Forwarding, etc.
• Done by adding a slicing layer between the control plane and
the data plane, policies are slice-specific
• Enforce strong isolation between slices - actions in one slice
do not affect another (Flowspace)
• Examples: Cisco XNC with Networking Slicing application,
FlowVisor is a special purpose OpenFlow controller that acts
as a transparent proxy between OpenFlow switches and
multiple OpenFlow controllers
16

• “Network Slicing” Use Case
17
Source: Cisco Extensible Network Controller Topology-Independent Forwarding and Network Slicing Applications
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps13397/ps13400/data_sheet_c78-729458.pdf

• FlowVisor
performs
policy checks
across
flowspace and
enforces
isolation
between each
slice
18
Source: Can the Production Network Be the Testbed?
By Rob Sherwood, Glen Gibb, Kok-Kiong Yap, Guido Appenzeller ,Martin Casado, Nick McKeown, Guru Parulkar

DDoS Mitigation with SDN
• SDN can be used to create a DDoS mitigation system
• SDN network sends DDoS telemetry data to the DDoS
detection system (volumetric, app attacks, protocol DDoS)
• DDoS detection system communicates with northbound API
which configures the policy on the controller for the
destination of the attack
• SDN controller sends flows to network devices to drop
suspicious inbound traffic toward victim
• Cleaned traffic is allowed to pass toward the destination
• Examples: Radware Defense Flow, Radware Defense4All in
ODL Helium, A10 Networks Thunder Threat Protection
System, others…
19

DDoS Mitigation with SDN
• Radware
DefenseFlow
integrates with
Cisco’s XNC,
OpenDaylight,
BigSwitch Floodlight,
and NEC’s
ProgrammableFlow
OpenFlow-based
switches and
controller
20
Source: http://www.radware.com/Products/DefenseFlow/

Network Access Control (NAC) with SDN
• SDN systems can prevent unauthorized access or isolate compromised
hosts to a quarantine network, Automated Malware Quarantine (AMQ)
• SDN systems can intervene in assigning addresses to nodes joining
network based on their security posture
• Authenticated end nodes are able to send/receive if they pass security
checks (AV running/updated, patched, …)
• End nodes can only send/receive with their assigned IP/MAC addresses
o Source Address Validation Improvements (SAVI) and First Hop Security (FHS)
• Or direct end-node traffic to Cisco Cloud Threat Defense system, detect
the issue, check with ISE, set SGT=BAD, to contain the traffic
• Examples: Cisco Cloud Threat Defense, HP VAN Sentinel Security
Application
21

SDN Security Components
22
Source: 2014 Cisco Live BRKSEC-2760

Security Monitoring with SDN
• Switches often lack sufficient resources to perform
packet/port mirroring/taps
o Every IT silo/team wants their own tap/SPAN session (Network Packet
Broker (NPB))
• Bi-directional packet capture is much better than NetFlow
• Dedicated copper/optical packet monitoring switches can be
very expensive, many taps are required – no blocking ability
• Tap Aggregation is an application that is simple for a SDN
controller and uses low-cost SDN-capable network devices
• Examples: Cisco XNC with Monitor Manager and Nexus 3000
Tap Aggregation Switch, BigSwitch Big Tap Monitoring Fabric,
Microsoft Distributed Ethernet Monitoring (DEMon)
23
Using SDN to Create a Packet Monitoring System
http://www.networkworld.com/article/2226003/cisco-subnet/using-sdn-to-create-a-packet-monitoring-system.html

Security Monitoring with SDN
• Cisco XNC Monitor Manager, Cisco Nexus Data Broker
24
Source: Cisco Nexus Data Broker
http://www.cisco.com/c/en/us/products/cloud-systems-management/nexus-data-broker/index.html

Moving Target IPv6 Defense (MT6D)
• MT6D is a system created by
graduate students in the
Information Technology
Security Laboratory at
Virginia Tech to obscure IPv6
addresses
• Periodically hiding/changing
characteristics of victim to
make it more difficult to
find/attack
25
Source: http://www4.ncsu.edu/~hp/Panos.pdf

SDN Security Summary
• SDN has the potential to provide many new creative
ways to network and secure systems
• SDN represents a new way of thinking, we all need to be
cognizant about this technology shift
• Heads: SDN systems are vulnerable to threats, but SDN
implementations can be hardened against security
attacks
• Tails: SDN systems can provide innovative security
applications that are not possible with traditional
methods
26

SDN & Security Resources
• Solution Brief: SDN Security Considerations in the Data Center
o https://www.opennetworking.org/solution-brief-sdn-security-considerations-in-the-
data-center
• SDN Security Challenges in SDN Environments
o https://www.sdxcentral.com/resources/security/security-challenges-sdn-software-
defined-networks/
• SDN Security Attack Vectors and SDN Hardening
o http://www.networkworld.com/article/2840273/sdn/sdn-security-attack-vectors-and-
sdn-hardening.html
• With Cisco ACI, Do You Still Need A Firewall?
o https://cisco-
marketing.hosted.jivesoftware.com/people/shogg@gtri.com/blog/2015/03/02/with-
cisco-aci-do-you-still-need-a-firewall
• Is an SDN Switch A New Form of a Firewall?
o http://www.networkworld.com/article/2905257/sdn/is-an-sdn-switch-a-new-form-of-
a-firewall.html
27

FREE SDN Technology Review
• We are offering a FREE 3-hour (~1/2 day) SDN technology review
for your company
• Bring your networking, security, DevOps, and other technology
teams together
• Review SDN capabilities within your existing networked systems
• Discuss SDN architecture and design options
• Review network automation and network programmability potential
• Engage in conversation on securely deploying IPv6 and using SDN for
security

WWW.GTRI.COM
Questions and Answers
Next Steps
Thank you!
SHogg@GTRI.com
303-949-4865
@scotthogg

SDN Security: Two Sides of the Same Coin

Related slideshows

More Related Content

SDN Security: Two Sides of the Same Coin