Presentation is loading. Please wait.

Presentation is loading. Please wait.

SDN Security Matt Bishop, Brian Perry University of California at Davis 1GEC 22, March 24th, 2015.

Published byEdwina Long Modified over 9 years ago

Similar presentations

Presentation on theme: "SDN Security Matt Bishop, Brian Perry University of California at Davis 1GEC 22, March 24th, 2015."— Presentation transcript:

1 SDN Security Matt Bishop, Brian Perry University of California at Davis 1GEC 22, March 24th, 2015

2 Network Switches Conventional switch: closed system – Support manufacturer-specific control interfaces – Control, data planes embedded in them – Changes in protocols, services, etc. usually require replacing or updating switch SDN: decouple control, data planes – Control plane controlled by a centralized controller on a computer (PC, for example) – Can program switch via controller – Easy to propagate changes in protocols, services, etc. 2GEC 22, March 24th, 2015

3 What Does This Mean? Traditional set-up: Software-defined network: user switch server controller user SDN switch 3GEC 22, March 24th, 2015

4 Security Trust, maintenance, resilient design, etc. common to both Authentication, authorization in SDN network more complicated – As commands and changes come on the fly, need to be sure these come from an authorized source – Can have dynamic policy for handling flows – “Apps” can perform additional security functions 4GEC 22, March 24th, 2015

5 Security Using the Switch Switch provides, assists security mechanisms – OpenFlow Random Host Mutation – Provide data for anomaly-based intrusion detection (more accurate than ISP-driven IDS) – Enforce dynamic access control policies based on flow-level information – Various security applications Edge-based authentication gateways Security application development frameworks 5GEC 22, March 24th, 2015

6 Security of the Switch Software – Verify Various groups doing this with OpenFlow; not so much with others Check for misconfigurations within a single flow table – Implement a security enforcement kernel – Lots of control/data plane interactions can disrupt operations Link to controller(?) – Ensure connection to controller is secured (TLS) – Disable passive listening (require authentication) 6GEC 22, March 24th, 2015

7 Our Approach Controller is a ordinary computer — with all the vulnerabilities of an ordinary computer – So, attack that – Once in control of the controller, have fun! Also applies if we can impersonate the controller – Here’s where the listener port comes into play This also considers misconfigurations downloaded from the controller – Must assume humans are fallible 7GEC 22, March 24th, 2015

8 Consequences Confidentiality, integrity compromise user SDN switch controller server attacker 8GEC 22, March 24th, 2015

9 Consequences Availability compromise users SDN switch controller server victim … 9GEC 22, March 24th, 2015

10 Key Points You can gain security with SDN, but you can also lose security (and vice versa) Security problems with SDN can wreak havoc on networks that depend on them – Like GENI Introducing powerful technology also introduces the risk of that power being used against you – And the threats may not come from where you expect! 10GEC 22, March 24th, 2015

11 Conclusion Security of the switch is important Security of whatever can control the switch even more so – Most computers vulnerable to attack – Best to use dedicated, stripped-down system as controller – If you can isolate it, so much the better 11GEC 22, March 24th, 2015

12 Thanks to … Abhishek Gupta Saadet Sedef Savas Steven Templeton Funded by the GENI Projects Office through Contract #950012166, Prime Sponsor (NSF) Award CNS-1344668 12GEC 22, March 24th, 2015

13 About Me Matt Bishop Computer Security Laboratory Department of Computer Science University of California at Davis 1 Shields Ave. Davis, CA 95616-8562 USA phone: +1 (530) 752-8060 email: bishop@ucdavis.edu web: http://seclab.cs.ucdavis.edu/~bishop GEC 22, March 24th, 2015Slide #13

Download ppt "SDN Security Matt Bishop, Brian Perry University of California at Davis 1GEC 22, March 24th, 2015."

Similar presentations

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.
HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.

HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.
CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.

CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.
September 10, 2012Introduction to Computer Security ©2004 Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.

September 10, 2012Introduction to Computer Security ©2004 Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.
Sponsored by the National Science Foundation Campus Policies for the GENI Clearinghouse and Portal Sarah Edwards, GPO March 20, 2013.

Sponsored by the National Science Foundation Campus Policies for the GENI Clearinghouse and Portal Sarah Edwards, GPO March 20, 2013.
Chap 1: Overview Concepts of CIA: confidentiality, integrity, and availability Confidentiality: concealment of information –The need arises from sensitive.

Chap 1: Overview Concepts of CIA: confidentiality, integrity, and availability Confidentiality: concealment of information –The need arises from sensitive.
Intrusion Detection Systems By: William Pinkerton and Sean Burnside.

Intrusion Detection Systems By: William Pinkerton and Sean Burnside.
Java Security: From HotJava to Netscape & Beyond Drew Dean, Edward W. Felten, Dan S. Wallach Department of Computer Science, Princeton University May,

Java Security: From HotJava to Netscape & Beyond Drew Dean, Edward W. Felten, Dan S. Wallach Department of Computer Science, Princeton University May,
Fundamentals of Computer Security Geetika Sharma Fall 2008.

Fundamentals of Computer Security Geetika Sharma Fall 2008.
1 Overview CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 8, 2004.

1 Overview CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 8, 2004.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
 Single sign-on o Centralized and federated passport o Federated Liberty Alliance and Shibboleth  Authorization o Who can access which resource o ACM.

 Single sign-on o Centralized and federated passport o Federated Liberty Alliance and Shibboleth  Authorization o Who can access which resource o ACM.
Chapter 12 Network Security.

Chapter 12 Network Security.
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational Issues Human Issues Computer.

Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational Issues Human Issues Computer.
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.
July 1, 2004Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.

July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Presented by C.SARITHA ( 07R91A0568) INTRUSION DETECTION SYSYTEM.

Presented by C.SARITHA ( 07R91A0568) INTRUSION DETECTION SYSYTEM.
Presented by, Sai Charan Obuladinne MYSEA Technology Demonstration.

Presented by, Sai Charan Obuladinne MYSEA Technology Demonstration.

Similar presentations

Ads by Google