DOI: 10.1145/2491185.2491199

Towards secure and dependable software-defined networks

Published: 16 August 2013

    Abstract

    Software-defined networking empowers network operators with more flexibility to program their networks. With SDN, network management moves from codifying functionality in terms of low-level device configurations to building software that facilitates network management and debugging. By separating the complexity of state distribution from network specification, SDN provides new ways to solve long-standing problems in networking --- routing, for instance --- while simultaneously allowing the use of security and dependability techniques, such as access control or multi-path.
    However, the security and dependability of the SDN itself is still an open issue. In this position paper we argue for the need to build secure and dependable SDNs by design. As a first step in this direction we describe several threat vectors that may enable the exploit of SDN vulnerabilities. We then sketch the design of a secure and dependable SDN control platform as a materialization of the concept here advocated. We hope that this paper will trigger discussions in the SDN community around these issues and serve as a catalyser to join efforts from the networking and security & dependability communities in the ultimate goal of building resilient control planes.


    Published In

    HotSDN '13: Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking
    August 2013
    182 pages
    ISBN:9781450321785
    DOI:10.1145/2491185

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. controllers
    2. dependability
    3. sdn
    4. security
    5. threat vectors

    Qualifiers

    • Research-article

    Conference

    SIGCOMM'13: ACM SIGCOMM 2013 Conference
    August 16, 2013
    Hong Kong, China

    Acceptance Rates

    HotSDN '13 Paper Acceptance Rate 38 of 84 submissions, 45%;
    Overall Acceptance Rate 88 of 198 submissions, 44%

    Cited By

    • (2024) PCA-ANN: Feature selection based hybrid intrusion detection system in software defined network. Journal of Intelligent & Fuzzy Systems (1-18). DOI: 10.3233/JIFS-236340. Online publication date: 8-Apr-2024
    • (2024) HLD-DDoSDN: High and low-rates dataset-based DDoS attacks against SDN. PLOS ONE 19:2 (e0297548). DOI: 10.1371/journal.pone.0297548. Online publication date: 8-Feb-2024
    • (2024) Ambusher: Exploring the Security of Distributed SDN Controllers Through Protocol State Fuzzing. IEEE Transactions on Information Forensics and Security 19 (6264-6279). DOI: 10.1109/TIFS.2024.3402967. Online publication date: 2024
    • (2024) Providing Network Resilience through an Intelligent SDN Network. 2024 Panhellenic Conference on Electronics & Telecommunications (PACET) (1-6). DOI: 10.1109/PACET60398.2024.10497027. Online publication date: 28-Mar-2024
    • (2024) Toward Robust Control for 6G Networks. IEEE Network 38:3 (254-260). DOI: 10.1109/MNET.2023.3330606. Online publication date: May-2024
    • (2024) Federated Learning-Based Solution for DDoS Detection in SDN. 2024 International Conference on Computing, Networking and Communications (ICNC) (875-880). DOI: 10.1109/ICNC59896.2024.10556115. Online publication date: 19-Feb-2024
    • (2024) Towards a Cyber Defense System in Software-Defined Tactical Networks. 2024 International Conference on Military Communication and Information Systems (ICMCIS) (1-8). DOI: 10.1109/ICMCIS61231.2024.10540952. Online publication date: 23-Apr-2024
    • (2024) SYNTROPY: TCP SYN DDoS attack detection for Software Defined Network based on Rényi entropy. Computer Networks 244 (110327). DOI: 10.1016/j.comnet.2024.110327. Online publication date: May-2024
    • (2024) Enhancing security in SDN: Systematizing attacks and defenses from a penetration perspective. Computer Networks 241 (110203). DOI: 10.1016/j.comnet.2024.110203. Online publication date: Mar-2024
    • (2024) HostSec: A blockchain-based authentication framework for SDN hosts. Peer-to-Peer Networking and Applications 17:4 (2354-2370). DOI: 10.1007/s12083-024-01714-x. Online publication date: 10-May-2024
