Leveraging SDN to Improve the Security of DHCP Presented By Jacob H. Cox Jr. For SDN NFV Security Workshop 2016 On 10 March 2016.

Presentation transcript:

Outline
- Problem (rogue DHCP servers)
- Traditional mitigation methods
- Related work
- Network Flow Guard (NFG) DHCP (NFGD)
- Future work
- Conclusion

Problem Statement
The tight coupling of control and data planes within traditional network devices makes edge-device security solutions tediously complex, time consuming, expensive, and prone to error. SDN separates the control plane from the network's data plane, offering a simple, programmable means to dynamically control OpenFlow switches, which in theory enables new approaches to edge-device security.
Objective: apply Network Flow Guard, a modular, SDN-based solution, to mitigate or eliminate network security attack vectors in edge devices.

How is DHCP Compromised
[Figure: a host broadcasts a DHCP Discover (port 68); the legitimate DHCP server answers with a DHCP Offer (port 67) and the host replies with a DHCP Request (port 68). A rogue server (personal router, attacker, etc.) also receives the broadcast Discover and sends its own DHCP Offer (port 67).]
DHCP packets (RFC 2131): Ethernet type = 2048, protocol = 17 (UDP), ports = 67/68
Network attacks: blackhole (common), man-in-the-middle

Rogue DHCP Mitigation/Detection Techniques
- Traditional DHCP detection/mitigation
- Related SDN security measures

Rogue DHCP Server Detection Methods
Once a rogue DHCP server is suspected, network operators must still employ a variety of methods to locate it. Diagnosis procedures include:
1. Disable the main DHCP server.
2. Record the IP address of the false default gateway.
3. Ping the default gateway to populate the host's ARP table.
4. View the ARP table to obtain the IP:MAC association.
5. Run a continual ping to confirm when the device is taken down.
6. Review the MAC address table in each switch until the MAC is found.
7. Identify the port hosting the offending MAC (if multiple MACs, return to 6 and repeat).
8. Shut down the port.
O'Connor, T., "How to find a rogue DHCP server on your network." dhcp-server-your-network/

Mitigation Techniques
Other techniques:
- Enable DHCP snooping [1] (if available) on network switches; configure trust relationships for all switch ports individually.
- Use the Simple Network Management Protocol (SNMP) to pull MAC address and ARP tables from the switch fabric and find the rogue server's MAC address [3].
- Use a multi-vendor tool, like Really Awesome New Cisco confIg Differ (RANCID) [2], to deploy DHCP snooping across affected LANs.
- Sniffing options like Wireshark and tcpdump.
Problems: error prone, vendor familiarity, middleboxes, additional network operator requirements.
[1] D. O'Connor. DHCP snooping: filter those broadcasts! Dec.
[2] RANCID.
[3] T. O'Connor. How to find a rogue DHCP server on your network. your-network/, 2013.

Rogue DHCP Server Mitigation with SDN (related work)
Rietz et al. developed an OpenFlow controller, using the Ryu framework, that handles all DHCP requests at the controller:
- Manages all DHCP offers
- Generates the IP address and other network information
- Hosts are unable to detect other DHCP requests or offers
- Prevents rogue DHCP attacks
Issues: extensibility, added burden
[Figure: switch and DHCP functions combined in one controller module alongside other modules, versus a separate switch module and DHCP module.]
Rietz, R., Brinner, A., and Cwalinsky, R., "Improving network security in virtualized environments with OpenFlow," in Proceedings of the International Conference on Networked Systems, ser. NETSYS.

Network Flow Guard DHCP (NFGD)
[Figure: a POX controller running NFGC, NFGD and SimpleSwitch on the Pyretic framework (northbound interface), connected over the southbound interface to an OpenFlow switch. Hosts H1, H2 and H3, the legitimate DHCP server, a rogue server, and a NAT to the WWW attach to the switch; NFGD consults a whitelist. Labelled exchanges: 1) DHCP Discover (68), 2) DHCP Offer (67), 3) DHCP Request (68); 4) DHCP Discover (68) and 5) DHCP Offer (67) are drawn beside the rogue server.]
Note: Order for DHCP DISCOVER, OFFER, and REQUEST shown for the DHCP server, H1, and H2 only.
Implementation:
- Mininet environment
- Pyretic framework with POX controller
- Ubuntu 14.4 OS
- ISC DHCP server
- udhcpd (rogue server)

Network Flow Guard DHCP (NFGD)
Once SDN is chosen, the solution is quite simple:
- The network operator records legitimate DHCP servers in a designated whitelist.
- NFG monitors all DHCP offers, blocking those not found on the whitelist.
- All protocols operate the same.
- No changes required to the switch application.
- Security is handled by the switch; no middleboxes.

Network Flow Guard DHCP (NFGD)
Utilized the Pyretic framework and a POX controller. Key snippets of the NFG DHCP module:
[Fig. 1. Set Policy]
[Fig. 2. Snippet from dhcp_resolver(self, pkt)]

Future Work
- Expand NFG to address additional edge-based security threats (e.g., ARP poisoning, rogue NAT devices, etc.)
- Develop a framework on top of Ryu to allow for modular security concepts like NFG

Conclusion
NFG offers the following advantages for edge-device security:
- Automated prevention of rogue DHCP servers
- Minimal network operator involvement
- No change to existing network architectures or protocols
- Easily updated to include additional security features

Leveraging SDN to Improve the Security of DHCP. Questions?

Objective To investigate how software defined networking (SDN) can mitigate or eliminate network security attack vectors in network edge-devices. We propose Network Flow Guard (NFG) as a novel, modular, and SDN-based solution to counter known security vulnerabilities. Specifically, this project seeks to detect and remove rogue DHCP servers from the network.

[Figure: the same NFGD topology as the NFGD slide, with an additional host H4.]
Network Flow Guard: how DHCP works (RFC 2131*), how DHCP is compromised, implications of compromise, how NFG prevents rogue DHCP behavior.
*RFC 2131, Dynamic Host Configuration Protocol.
1) In accordance with RFC 2131, a host submits a DHCP Discover packet for broadcast to the network. The switch receives this packet and allows it to be broadcast to the network. Ideally, only the DHCP server responds to the request, providing its DHCP Offer. On receiving the offer, the host responds with a DHCP Request to signal its acceptance of the IP address, gateway, and mask. Other hosts can update their ARP tables.
2) So how is DHCP compromised? A rogue DHCP server can also listen for such discoveries and make its own DHCP Offer. It now becomes a race: whose offer reaches the host first. If the rogue server's does, the host accepts the rogue's IP address, gateway, and mask.
3) The implications are that the affected host may now be subjected to a man-in-the-middle attack, be referred to a malicious web site, or have its traffic black-holed (packets dropped).
4) NFG prevents this by monitoring all port 67 traffic (mandated by RFC 2131 for DHCP Offers) and verifying, against the whitelist provided by the network operator, that the DHCP Offer is coming from an authorized server. If it is not, the flow rules in the switch are set to drop the packet, so that the host only receives the offer from the known-good server.
5) NFG uses a coupler module (NFGC) to couple our DHCP module (NFGD) with an already utilized simple switch application. It requires no change to the existing infrastructure and places minimal burden on the POX controller.
So, that's the high-level view of what Network Flow Guard is doing. Let's take a closer look at the Pyretic implementation and how NFG handles incoming packets from the switch.
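The offer-filtering logic of steps 4 and 5 above and of the "How is DHCP Compromised" slide, written out as an added Python example (not the talk's NFGD Pyretic code): it classifies a packet handed up by the switch using the slide's identifiers (Ethernet type 2048, protocol 17, source port 67, option 53 = Offer), checks the sender against the operator's whitelist, and produces an OpenFlow-style drop match for an unauthorized server. The Packet class, the (MAC, IP) whitelist key, the match field names and the sample packets are constructed assumptions.

```python
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800      # RFC 2131 identifiers from the slides: "Ethernet type = 2048"
IPPROTO_UDP = 17
DHCP_SERVER_PORT = 67        # DHCP Offers are sent from port 67
DHCP_OFFER = 2               # message type (option 53) value for an Offer
MAGIC_COOKIE = b"\x63\x82\x53\x63"

@dataclass
class Packet:                # assumed packet-in view: only the fields the policy needs
    src_mac: str
    src_ip: str
    ethertype: int
    ip_proto: int
    udp_sport: int
    payload: bytes           # DHCP message, starting at the 'op' field

def build_dhcp(msg_type):
    """Constructed minimal DHCP message: 236-byte fixed header, cookie, option 53, End."""
    return bytes([2, 1, 6, 0]) + bytes(232) + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])

def dhcp_message_type(payload):
    """Walk the options field; return the option-53 value, or None if absent or malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = End option
        if payload[i] == 0:                             # 0 = Pad, carries no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            return payload[i + 2]
        i += 2 + length
    return None

def offer_policy(pkt, whitelist):
    """Return 'forward' or 'drop'. Only DHCP Offers are inspected; everything else passes."""
    is_offer = (pkt.ethertype == ETHERTYPE_IPV4 and pkt.ip_proto == IPPROTO_UDP
                and pkt.udp_sport == DHCP_SERVER_PORT
                and dhcp_message_type(pkt.payload) == DHCP_OFFER)
    if not is_offer or (pkt.src_mac, pkt.src_ip) in whitelist:   # whitelist key is an assumption
        return "forward"
    return "drop"

def drop_rule(pkt):
    """OpenFlow-style match (illustrative field names) for the switch, so later Offers from the
    same unauthorized server are dropped in the data plane without reaching the controller."""
    return {"dl_src": pkt.src_mac, "dl_type": ETHERTYPE_IPV4, "nw_proto": IPPROTO_UDP,
            "tp_src": DHCP_SERVER_PORT, "action": "drop"}
```

Discover and Request traffic (source port 68) and non-DHCP traffic are never touched, which is what lets the switch application run unchanged.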
