SDN architecture, cyber security aspects

Open Flow is the most deployed Software Defined Networking (SDN) protocol, which allows us to decouple the control plane and data plane function of a network. This architecture transfers core functions from the routers and switches to centralized controllers. Due to centralized control, SDN architecture has specific capabilities that can be exploited to improve security tools and mitigate threats of traditional architecture networks more effective. This paper presents an overview of SDN architecture and Open Flow protocol, analysis of related security threats and mitigation techniques. Moreover, the most critical threats for data networks, which may be deployed soon in RF, are determined and mitigation approaches for these threats are proposed.

SDN, protection of information, SDN, Open Flow protocol, software-configurable network, information security

1. K. Calvert, S. Bhattacharjee, E. Zegura, and J. Sterbenz, Directions in Active Networks IEEE Communications magazine, р. 72-78, October 1998.

2. Diego Kreutz, Fernando MV Ramos, P Esteves Verissimo, Christian Esteve Rothenberg, Siamak Azodolmolky, and Steve Uhlig. Software-defined networking: A comprehensive survey. proceedings of the IEEE, 103[1]: 14-76, 2015.

3. Nick McKeown, Tom Anderson, Hari Balakrishnan, Guru Parulkar, Larry Peterson, Jennifer Rexford, Scott Shenker, and Jonathan Turner. Openflow: enabling innovation in campus networks. ACM SIGCOMM Computer Communication Review, 38[2]:69-74, 2008.

4. Diego Kreutz, Fernando Ramos, and Paulo Verissimo. Towards secure and dependable software-defined networks. In Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking, p. 55-60. 2013.

5. Смелянский Р. Л. Программно-конфигурируемые сети. Открытые системы. СУБД 9. 2012. с. 23-26.

6. OpenFlow Switch Specification Ver 1.5.1, 2016 [accessed January 11, 2016]. https://www.opennetworking.org/images/stories/downloads/sdn-resources/onf-specifications/openflow/openflow-switch-vl.5.1.pdf.

7. Никульчев Е. В., Паяин С. В., Плужник Е. В. Динамическое управление трафиком программно -конфигурируемых сетей в облачной инфраструктуре. Вестник РГРТУ. № 3. 2013. с. 45.

8. Sandra Scott-Hayward, Gemma O’Callaghan, and Sakir Sezer. Sdn security: A survey. In Future Networks and Services (SDN4FNS), 2013 IEEE SDN For, p. 1-7. IEEE, 2013.

9. Open Networking Fundation. Software-defined networking: The new norm for networks. ONF White Paper, 2012.

10. Kevin Benton, L Jean Camp, and Chris Small. Openflow vulnerability assessment. In Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking, p. 151-152. 2013.

11. Seungwon Shin and Guofei Gu. Attacking software-defined networks: A first feasibility study. In Proceedings of the second ACM SIGCOMM work- shop on Hot topics in software defined networking, p. 165-166. 2013.

12. Diego Kreutz, Fernando Ramos, and Paulo Verissimo. Towards secure and dependable software-defined networks. In Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking, p. 55-60. 2013.

13. Margaret Wasserman and Sam Hartman. Security analysis of the open networking foundation (onf) openflow switch specification. 2013.

14. Ehab Al-Shaer and Saeed Al-Haj. Flowchecker: Configuration analysis and verification of federated openflow infrastructures. In Proceedings of the 3rd ACM workshop on Assurable and usable security configuration, p. 37-44. 2010.

15. Seuk Son, Seungwon Shin, Vinod Yegneswaran, Phillip Porras, and Guofei Gu. Model checking invariant security properties in openflow. In Communications (ICC), 2013 IEEE International Conference on, p. 1974-1979. 2013.

16. Cole Schlesinger, Alec Story, Stephen Gutz, Nate Foster, and David Walker. Splendid isolation: Language-based security for software- defined networks. In Proc. of Workshop on Hot Topics in Software Defined Networking, 2012.

17. Xiong Liu, Haiwei Xue, Xiaoping Feng, and Yiqi Dai. Design of the multi-level security network switch system which restricts covert channel. In Communication Software and Networks (ICCSN), 2011 IEEE 3rd International Conference on, p. 233-237. 2011.

18. Guang Yao, Jun Bi, and Peiyao Xiao. Source address validation so- lution with openflow/nox architecture. In Network Protocols (ICNP), 2011 19th IEEE International Conference on, p. 7-12. 2011.

19. Jafar Haadi Jafarian, Ehab Al-Shaer, and Qi Duan. Openflow random host mutation: transparent moving target defence using software defined networking. In Proceedings of the first workshop on Hot topics in software defined networks, p. 127-132. 2012.

20. Philip Porras, Seungwon Shin, Vinod Yegneswaran, Martin Fong, Mabry Tyson, and Guofei Gu. A security enforcement kernel for openflow networks. In Proceedings of the first workshop on Hot topics in software defined networks, p. 121-126. 2012.

21. noxrepo/nox - C++ - GitHub, 2016 [accessed January 11, 2016]. https: //github.com/noxrepo/nox.

22. Seungwon Shin, Phillip Porras, Vinod Yegneswaran, and Guofei Gu. A framework for integrating security services into software- defined networks. Proceedings of the 2013 Open Networking Summit (Re- search Track poster paper), ser. ONS, 13, 2013.

23. Xitao Wen, Yan Chen, Chengchen Hu, Chao Shi, and Yi Wang. Towards a secure controller platform for openflow applications. In Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking, p. 171-172. 2013.

24. Seungwon Shin, Vinod Yegneswaran, Phillip Porras, and Guofei Gu. Avant-guard: Scalable and vigilant switch flow management in software-defined networks. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, p. 413-424. 2013.

25. Junho Suh, H-g Choi, W Yoon, T You, T Kwon, and Y Choi. Implementation of a content-oriented networking architecture (cona): A focus on ddos countermeasure. In Proceedings of European NetFPGA developers workshop, 2010.

26. Chu Yu Hunag, Tseng Min Chi, Chen Yao Ting, Chou Yu Chieh, and Chen YanRen. A novel design for future on-demand service and security. In 2010 IEEE 12th International Conference on Communication Technology, p. 385-388. 2010.

27. Rodrigo Braga, Edjard Mota, and Alexandre Passito. Lightweight ddos flooding attack detection using nox/openflow. In Local Computer Networks (LCN), 2010 IEEE 35th Conference on, p. 408-415. 2010.

28. Yung-Li Hu, Wei-Bing Su, Li-Ying Wu, Yennun Huang, and Sy- Yen Kuo. Design of event-based intrusion detection system on openflow network. In Dependable Systems and Networks (DSN), 2013 43rd Annual IEEE/IFIP International Conference on, p. 1-2. 2013.

29. Chun-Jen Chung, Pankaj Khatkar, Tianyi Xing, Jeongkeun Lee, and Dijiang Huang. Nice: Network intrusion detection and countermeasure selection in virtual network systems. Dependable and Secure Computing, IEEE Transactions on, 10[4]: 198-211, 2013.