TECHNICAL REPORT
Grantee | Advanced Cyber Security Engineering Research Centre (ACSRC), The University of Newcastle |
Project Title | Securing Software Defined Network Architectures |
Amount Awarded | USD 30,000 |
Dates covered by this report: | 2022-01-28 to 2024-03-31 |
Report submission date | 2024-06-13 |
Economies where project was implemented | Australia |
Project leader name | Prof. Vijay Varadharajan |
Project Team | Dr Uday Tupakula, Dr Kallol Karmakar |
Project Summary
Software Defined Networking (SDN) is a disruptive networking technology which adopts a centralized framework to facilitate fine-grained network management. Although SDN has several benefits, security in SDN is still in its infancy in the Asia Pacific region. In this project we will propose the design and development of techniques for detecting attacks on SDN switches. We will also implement the proposed techniques and validate them against different attacks on the switches. In particular, we will develop a Switch Security Application (SSA) for the SDN Controller for detecting attacks on the switches.
Table of Contents
- Background and Justification
- Project Implementation Narrative
- Project Activities, Deliverables and Indicators
- Project Review and Assessment
- Diversity and Inclusion
- Project Communication
- Project Sustainability
- Project Management
- Project Recommendations and Use of Findings
- Bibliography
Background and Justification
Software-Defined Networking (SDN) is an innovative network paradigm which takes the control logic of the network system from forwarding devices such as routers and switches, and places it on the logically centralized controller. This enables direct programmability of network access and the conceptualization of technology for network services and applications. Infrastructure devices such as routers and switches operate as simple forwarding engines in this architecture, dealing with incoming packets according to a number of rules that are instantaneously produced by a controller in the control layer along with the predefined program logic. From a network management perspective, SDN defines a single control point for forwarding data flows across the entire network infrastructure which significantly simplifies the network management tasks.
However, security in SDN is still in its infancy and there is a need for significant work to deal with different attacks in SDN. In particular, the SDN architecture has a larger attack surface than traditional networks due to reasons such as the controller being a single point of failure and the possibility of malicious applications disrupting network operations systemically and significantly.
In this project we will develop a taxonomy of attacks in the SDN data plane, with the main focus on the attacker model for SDN switches, and propose techniques for detecting the attacks on switches. In particular, we will develop a Switch Security Application (SSA) for the SDN Controller which makes use of trusted computing technology and specific modules for secure configuration, monitoring and detection of attacks on the switches.
Key Deliverables
Deliverable | Status |
---|---|
Identification of security attacks against network switches in SDN-based Network Infrastructures | Completed |
Applicability to Securing Emerging Internet of Things (IoT) Infrastructures | Completed |
Key Deliverables - Detail
Deliverable: Identification of security attacks against network switches in SDN-based Network Infrastructures
Status: Completed
Start Date: April 4, 2022
Completion Date:
Baseline: SDN-based networks, which provide greater programmability and flexibility to simultaneously accommodate diverse business-driven applications, introduce new cyber attacks and create a larger attack surface. Hence the need to develop a clear taxonomy of security attacks in SDN-based network infrastructures.
Activities:
- Develop a taxonomy of attacks with a focus on the attacker model on the data plane and the switches.
- Identify attacks from different entities, namely attacks from end hosts, attacks from malicious applications and attacks from the Controller.
- Develop techniques for detecting attacks from end hosts, applications, and the Controller.
Outcomes:
- Report describing the taxonomy of attacks in SDN-based networks
- Report describing techniques to detect security attacks against network switches in SDN infrastructures
Additional Comments:
Deliverable: Applicability to Securing Emerging Internet of Things (IoT) Infrastructures
Status: Completed
Start Date:
Completion Date:
Baseline: Need for security services for protecting SDN-based emerging applications
Activities: Applicability of the proposed security architecture in securing emerging smart service-oriented network infrastructures in industry
Outcomes: Demonstration of the applicability of the proposed security architecture to securing emerging network infrastructures in industry.
Additional Comments:
Project Implementation Narrative
Project Story
The project starts off with an analysis of the attacks and threats in network infrastructures involving SDN. A key characteristic of SDN is its separation into different planes, such as the control plane with its software logic in the Controller and the data plane with its switches, and the protocol for interaction between these planes, namely the OpenFlow protocol. We analyse threats and attacks to the OpenFlow switches, as they are easier for the attacker to target since they are at the edges of the network, connected either to the clients or their gateways. We also address advanced virtual switch-related attacks specific to cloud infrastructure.
Having identified the threat framework, we develop a security architecture that can detect and prevent attacks on the SDN data plane. We present a Switch Security Management Architecture (SSMA) for SDN and explain its components and associated functions. The SSMA design is modular and can be extended based on new requirements or to suit various SDN Controllers. We consider various scenarios discussing how the proposed security architecture can defend against the attacks identified earlier.
Finally, we will describe the implementation of the proposed security architecture and analyze its security and performance characteristics.
Project Activities
(1) Taxonomy of attacks in SDN
- During this stage we developed a taxonomy of attacks in the data plane with a focus on the attacker model on the switches. We considered attacks from different entities such as attacks from end hosts, attacks from malicious applications and attacks from Controllers.
(2) Development of techniques for attack detection
- During this stage we designed and developed the Switch Security Application for monitoring and detecting attacks on the switches in the SDN domain. The SSA was based on a modular design.
(3) Implementation of Switch Security Application for SDN
- During this stage we implemented the SSA for the ONOS SDN Controller. We tested the SSA against different attacks on the switches and also conducted a performance analysis of the SSA.
Challenges
There are several challenges in this project. The first one is getting an understanding of the various threats and attacks that can occur from various communities. This depends not only on the technologies but also on how the technologies are being used by the various users. The second one is the need to prioritize these threats and come up with a suitable security architecture that is practical to deploy in a real environment. This involves taking into account various tradeoffs such as the role of authorities, performance and the costs involved in terms of computations and resources. Then there are several challenges associated with the implementation. As these technologies are relatively new and there are different interactions between the various components, they can lead to several practical problems.
At present, we have carried out the first activity on the threat framework and developed the preliminary version of the security architecture in the second activity. We have attached Technical Reports describing our work.
Project Activities, Deliverables and Indicators
Beginning of project
Activity | Description | #Months |
---|---|---|
Taxonomy of Attacks in SDN | During this stage we will develop a taxonomy of attacks in the data plane with a focus on the attacker model on the switches. We will consider attacks from different entities such as attacks from end hosts, attacks from malicious applications and attacks from Controllers. We will also develop an attacker model for SDN. From the start of the project for 3 months (duration 3 months) | 3 |
Middle of project
Activity | Description | #Months |
---|---|---|
Development of techniques for attack detection | During this stage we will design and develop the Security Architecture for SDN and the Switch Security Application for monitoring and detecting attacks on the switches in the SDN domain. The SSA will be based on a modular design approach. From 2 months after the start of the project for 6 months (duration 8 months) | 8 |
End of project
Activity | Description | #Months |
---|---|---|
Implementation of Switch Security Application for SDN | During this stage we will implement the SSA for the ONOS SDN Controller. We will test the SSA against different attacks on the switches and also conduct a performance analysis of the SSA. From 6 months after the start of the project for 6 months (duration 6 months) | 6 |
Project Review and Assessment
This is the Final Report.
The project has carried out its activities in Stages 1, 2 and 3, and it has achieved all the objectives of all 3 stages.
The important findings of the project have been described in detail in the attached three Technical Reports. They include a taxonomy of attacks in Software Defined Networks (SDN), the design of a security architecture for SDN, and the implementation and analysis of a system prototype.
We have written 2 papers based on this work which have been published in international journals. See below.
With the dramatic growth in the Internet of Things (IoT), a new scalable and efficient Internet network infrastructure is needed to cater for this changing demand from users and IoT devices. SDN is a vital component of this new network infrastructure. Hence our work on securing such SDN networks is critical to protecting data and resources on these emerging SDN-IoT based cloud and network infrastructures.
We have added further reflections from this project at the end.
Diversity and Inclusion
Our project team is a diverse team involving staff from different countries – Bangladesh and Australia. The researcher we employed on the implementation work is from Indonesia. We also have a female student from India who has just started working on this project.
Project Communication
We have produced 3 detailed Technical Reports based on this work, which are attached. This work has also formed the basis of two international publications.
Furthermore, this work has already led to presentations in India and in the US over the last few months. For instance, Dr Kallol K Karmakar from the project team presented some of this work at a university in India (Doon University) in Nov 2022. He also gave a presentation at the Future Networks Security Working Group, IEEE, on the US East Coast in March 2023.
This work has led to the following two international journal publications.
- Karmakar, Kallol Krishna, V. Varadharajan, and U. Tupakula, “Policy driven security architecture for internet of things (IoT) infrastructure,” in Internet of Things Security and Privacy: Practical and Management Perspectives. CRC Press, Taylor Francis Group (Accepted), 2023.
- K. Karmakar, V. Varadharajan, M. Hitchens, U. Tupakula, P. Sariputra, "A Trust-aware OpenFlow Switching Framework for Software Defined Networks (SDN)", Accepted in Computer Networks, Elsevier ISSN 1389-1286, 2023
Project Sustainability
The project work has led to linkages with other organizations such as Data61 and Defense in the area of Software Defined Networks Security.
Currently this work has also been a catalyst in the initial formulation of an activity in the area of smart satellites.
Project Management
This is a small project involving some 3 people so far. In terms of project management and achieving its objectives, it has been quite smooth as the team members have worked well together.
Our organization is a large organization, where many projects are being carried out, and where admin people have significant experience. Hence it is no surprise that this project has not led to anything different in terms of administration.
Project Recommendations and Use of Findings
In terms of future planning for the technical community, in our view, the impact of this work will be mainly in the areas of 5G and beyond. In this context, we are already working on another paper based on this work that is on the “Security architecture and mechanisms for counteracting sophisticated attacks in 5G networks”.
Another contribution for the technical community is that this work could be directly relevant to the development of smart secure satellites of the future as SDN and NFV are likely to be key technologies which will be used in their design.
As mentioned above, this work has been of particular interest to Defense as they are planning to use SDN for securing their communications and networks. The application of this work to managing IoT infrastructures has been of interest to more commercial organizations such as Data61.
Bibliography
A full bibliography is given at the end of the 3 Technical Reports. There are over 40 references listed at the end of these 3 Technical Reports.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License