Аспекты информационной безопасности архитектуры SDN

OpenFlow является наиболее распространенным протоколом архитектуры Software Defined Networking (SDN), которая разделяет функции управления сетевыми устройствами и передачи данных. Она переносит основные функции управления с маршрутизаторов и коммутаторов на централизованные контроллеры. Благодаря централизованному управлению сетью и программируемости контроллеров, архитектура SDN обладает потенциалом, который может быть использован для модернизации средств обеспечения безопасности и реализации более эффективных методов противодействия угрозам, свойственных традиционной архитектуре сетей передачи данных. В работе представлен обзор архитектуры SDN и протокола OpenFlow, анализ угроз и технологии их нейтрализации для архитектуры SDN и протокола OpenFlow, а также определены критичные угрозы для тех сетей OpenFlow, которые в скором времени могут появиться в РФ; предложены способы противодействия данным угрозам.

защита информации, протокол OpenFlow, программно-конфигурируемые сети, информационная безопасность

1. K. Calvert, S. Bhattacharjee, E. Zegura, and J. Sterbenz, Directions in Active Networks IEEE Communications magazine, р. 72-78, October 1998.

2. Diego Kreutz, Fernando MV Ramos, P Esteves Verissimo, Christian Esteve Rothenberg, Siamak Azodolmolky, and Steve Uhlig. Software-defined networking: A comprehensive survey. proceedings of the IEEE, 103[1]: 14-76, 2015.

3. Nick McKeown, Tom Anderson, Hari Balakrishnan, Guru Parulkar, Larry Peterson, Jennifer Rexford, Scott Shenker, and Jonathan Turner. Openflow: enabling innovation in campus networks. ACM SIGCOMM Computer Communication Review, 38[2]:69-74, 2008.

4. Diego Kreutz, Fernando Ramos, and Paulo Verissimo. Towards secure and dependable software-defined networks. In Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking, p. 55-60. 2013.

5. Смелянский Р. Л. Программно-конфигурируемые сети. Открытые системы. СУБД 9. 2012. с. 23-26.

6. OpenFlow Switch Specification Ver 1.5.1, 2016 [accessed January 11, 2016]. https://www.opennetworking.org/images/stories/downloads/sdn-resources/onf-specifications/openflow/openflow-switch-vl.5.1.pdf.

7. Никульчев Е. В., Паяин С. В., Плужник Е. В. Динамическое управление трафиком программно -конфигурируемых сетей в облачной инфраструктуре. Вестник РГРТУ. № 3. 2013. с. 45.

8. Sandra Scott-Hayward, Gemma O’Callaghan, and Sakir Sezer. Sdn security: A survey. In Future Networks and Services (SDN4FNS), 2013 IEEE SDN For, p. 1-7. IEEE, 2013.

9. Open Networking Fundation. Software-defined networking: The new norm for networks. ONF White Paper, 2012.

10. Kevin Benton, L Jean Camp, and Chris Small. Openflow vulnerability assessment. In Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking, p. 151-152. 2013.

11. Seungwon Shin and Guofei Gu. Attacking software-defined networks: A first feasibility study. In Proceedings of the second ACM SIGCOMM work- shop on Hot topics in software defined networking, p. 165-166. 2013.

12. Diego Kreutz, Fernando Ramos, and Paulo Verissimo. Towards secure and dependable software-defined networks. In Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking, p. 55-60. 2013.

13. Margaret Wasserman and Sam Hartman. Security analysis of the open networking foundation (onf) openflow switch specification. 2013.

14. Ehab Al-Shaer and Saeed Al-Haj. Flowchecker: Configuration analysis and verification of federated openflow infrastructures. In Proceedings of the 3rd ACM workshop on Assurable and usable security configuration, p. 37-44. 2010.

15. Seuk Son, Seungwon Shin, Vinod Yegneswaran, Phillip Porras, and Guofei Gu. Model checking invariant security properties in openflow. In Communications (ICC), 2013 IEEE International Conference on, p. 1974-1979. 2013.

16. Cole Schlesinger, Alec Story, Stephen Gutz, Nate Foster, and David Walker. Splendid isolation: Language-based security for software- defined networks. In Proc. of Workshop on Hot Topics in Software Defined Networking, 2012.

17. Xiong Liu, Haiwei Xue, Xiaoping Feng, and Yiqi Dai. Design of the multi-level security network switch system which restricts covert channel. In Communication Software and Networks (ICCSN), 2011 IEEE 3rd International Conference on, p. 233-237. 2011.

18. Guang Yao, Jun Bi, and Peiyao Xiao. Source address validation so- lution with openflow/nox architecture. In Network Protocols (ICNP), 2011 19th IEEE International Conference on, p. 7-12. 2011.

19. Jafar Haadi Jafarian, Ehab Al-Shaer, and Qi Duan. Openflow random host mutation: transparent moving target defence using software defined networking. In Proceedings of the first workshop on Hot topics in software defined networks, p. 127-132. 2012.

20. Philip Porras, Seungwon Shin, Vinod Yegneswaran, Martin Fong, Mabry Tyson, and Guofei Gu. A security enforcement kernel for openflow networks. In Proceedings of the first workshop on Hot topics in software defined networks, p. 121-126. 2012.

21. noxrepo/nox - C++ - GitHub, 2016 [accessed January 11, 2016]. https: //github.com/noxrepo/nox.

22. Seungwon Shin, Phillip Porras, Vinod Yegneswaran, and Guofei Gu. A framework for integrating security services into software- defined networks. Proceedings of the 2013 Open Networking Summit (Re- search Track poster paper), ser. ONS, 13, 2013.

23. Xitao Wen, Yan Chen, Chengchen Hu, Chao Shi, and Yi Wang. Towards a secure controller platform for openflow applications. In Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking, p. 171-172. 2013.

24. Seungwon Shin, Vinod Yegneswaran, Phillip Porras, and Guofei Gu. Avant-guard: Scalable and vigilant switch flow management in software-defined networks. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, p. 413-424. 2013.

25. Junho Suh, H-g Choi, W Yoon, T You, T Kwon, and Y Choi. Implementation of a content-oriented networking architecture (cona): A focus on ddos countermeasure. In Proceedings of European NetFPGA developers workshop, 2010.

26. Chu Yu Hunag, Tseng Min Chi, Chen Yao Ting, Chou Yu Chieh, and Chen YanRen. A novel design for future on-demand service and security. In 2010 IEEE 12th International Conference on Communication Technology, p. 385-388. 2010.

27. Rodrigo Braga, Edjard Mota, and Alexandre Passito. Lightweight ddos flooding attack detection using nox/openflow. In Local Computer Networks (LCN), 2010 IEEE 35th Conference on, p. 408-415. 2010.

28. Yung-Li Hu, Wei-Bing Su, Li-Ying Wu, Yennun Huang, and Sy- Yen Kuo. Design of event-based intrusion detection system on openflow network. In Dependable Systems and Networks (DSN), 2013 43rd Annual IEEE/IFIP International Conference on, p. 1-2. 2013.

29. Chun-Jen Chung, Pankaj Khatkar, Tianyi Xing, Jeongkeun Lee, and Dijiang Huang. Nice: Network intrusion detection and countermeasure selection in virtual network systems. Dependable and Secure Computing, IEEE Transactions on, 10[4]: 198-211, 2013.