ANCHOR: Logically Centralized Security for Software-Defined Networks

Research article. Published: 26 February 2019

Abstract

Software-defined networking (SDN) decouples the control and data planes of traditional networks, logically centralizing the functional properties of the network in the SDN controller. While this centralization brought advantages such as a faster pace of innovation, it also disrupted some of the natural defenses that traditional architectures had against different threats. The literature on SDN has mostly been concerned with the functional side, despite some specific works concerning non-functional properties such as security or dependability. Though addressing the latter in an ad hoc, piecemeal way may work, it will most likely lead to efficiency and effectiveness problems.

We claim that the enforcement of non-functional properties as a pillar of SDN robustness calls for a systemic approach. We further advocate, for its materialization, the reiteration of the successful formula behind SDN: ‘logical centralization’. As a general concept, we propose anchor, a subsystem architecture that promotes the logical centralization of non-functional properties. To show the effectiveness of the concept, we focus on security in this article: we identify the current security gaps in SDNs and we populate the architecture middleware with the appropriate security mechanisms in a global and consistent manner. Essential security mechanisms provided by anchor include reliable entropy and resilient pseudo-random generators, and protocols for secure registration and association of SDN devices.

We claim and justify in the article that centralizing such mechanisms is key for their effectiveness by allowing us to define and enforce global policies for those properties; reduce the complexity of controllers and forwarding devices; ensure higher levels of robustness for critical services; foster interoperability of the non-functional property enforcement mechanisms; and promote the security and resilience of the architecture itself. We discuss design and implementation aspects, and we prove and evaluate our algorithms and mechanisms, including the formalisation of the main protocols and the verification of their core security properties using the Tamarin prover.
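The abstract names "protocols for secure registration and association of SDN devices" as one of the mechanisms a logically centralized anchor provides, without describing them. The following is an added illustration, written for this page and not taken from the ANCHOR paper or its Tamarin models, of what such centralization looks like in code: a toy anchor that is the only holder of each device's registration key and that mints a fresh per-association key for a switch/controller pair, loosely in the Otway-Rees shape. The identities, message layout, the `req`/`wrap`/`mac` labels and the HMAC-keystream wrapping are all assumptions of this example, not the paper's protocol.

```python
"""Toy association handshake mediated by a logically centralized security anchor.
Constructed illustration for this page; NOT the ANCHOR paper's protocol.
Stdlib only: HMAC-SHA256 serves as MAC, KDF and (via a one-time keystream) cipher."""
import hashlib
import hmac
import secrets

TAG_LEN = 32   # HMAC-SHA256 output length


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so (a, b) and (a+b, b'') differ."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        m.update(len(p).to_bytes(2, "big"))
        m.update(p)
    return m.digest()


def wrap(key: bytes, ctx: tuple, payload: bytes) -> bytes:
    """Encrypt-then-MAC a 32-byte payload; keystream and tag are bound to ctx
    (recipient's fresh nonce plus both identities), so a token cannot be replayed
    into another run or redirected to another pair of devices."""
    if len(payload) != 32:
        raise ValueError("payload must be one 32-byte key")
    ks = prf(key, b"wrap", *ctx)
    ct = bytes(a ^ b for a, b in zip(payload, ks))
    return ct + prf(key, b"mac", *ctx, ct)


def unwrap(key: bytes, ctx: tuple, blob: bytes) -> bytes:
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, prf(key, b"mac", *ctx, ct)):
        raise ValueError("token rejected: bad MAC, stale nonce or wrong identities")
    ks = prf(key, b"wrap", *ctx)
    return bytes(a ^ b for a, b in zip(ct, ks))


class Anchor:
    """The only holder of every device's long-term key; issues association keys."""

    def __init__(self):
        self.keys = {}

    def register(self, dev_id: bytes) -> bytes:
        # Assumed to run over an out-of-band, trusted channel (e.g. at provisioning).
        k = secrets.token_bytes(32)
        self.keys[dev_id] = k
        return k

    def associate(self, s, c, n_s, n_c, mac_s, mac_c):
        k_s, k_c = self.keys[s], self.keys[c]       # KeyError: unregistered device
        if not hmac.compare_digest(mac_s, prf(k_s, b"req", s, c, n_s)):
            raise ValueError("switch request not authentic")
        if not hmac.compare_digest(mac_c, prf(k_c, b"req", s, c, n_s, n_c)):
            raise ValueError("controller request not authentic")
        k_sc = secrets.token_bytes(32)             # fresh key per association
        return wrap(k_s, (n_s, s, c), k_sc), wrap(k_c, (n_c, s, c), k_sc)


class Device:
    def __init__(self, dev_id: bytes, anchor: Anchor):
        self.id = dev_id
        self.k = anchor.register(dev_id)           # shared only with the anchor


def run_association(anchor, switch, ctrl):
    """Returns (key seen by switch, key seen by controller, switch's token)."""
    # 1. switch -> controller: ids, fresh nonce, MAC under the switch's key
    n_s = secrets.token_bytes(16)
    mac_s = prf(switch.k, b"req", switch.id, ctrl.id, n_s)
    # 2. controller -> anchor: message 1 plus its own nonce and MAC
    n_c = secrets.token_bytes(16)
    mac_c = prf(ctrl.k, b"req", switch.id, ctrl.id, n_s, n_c)
    tok_s, tok_c = anchor.associate(switch.id, ctrl.id, n_s, n_c, mac_s, mac_c)
    # 3. anchor -> controller: one token per party; the controller cannot open tok_s
    k_at_c = unwrap(ctrl.k, (n_c, switch.id, ctrl.id), tok_c)
    # 4. controller -> switch: relayed token, opened under the switch's own nonce
    k_at_s = unwrap(switch.k, (n_s, switch.id, ctrl.id), tok_s)
    return k_at_s, k_at_c, tok_s


def replay_is_rejected(switch, ctrl, old_tok_s) -> bool:
    """A token captured in one run must fail in a later run (new switch nonce)."""
    try:
        unwrap(switch.k, (secrets.token_bytes(16), switch.id, ctrl.id), old_tok_s)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    anchor = Anchor()
    sw, ctl = Device(b"switch-01", anchor), Device(b"controller-A", anchor)
    k_s, k_c, tok = run_association(anchor, sw, ctl)
    print("keys agree:", k_s == k_c, "replay rejected:", replay_is_rejected(sw, ctl, tok))
```

What the toy makes visible is the property the abstract argues for: neither the switch nor the controller needs a certificate, a PKI, or any key for the other party; each holds one registration secret, and the anchor decides, under one global policy, which pairs may associate and with what key. It also makes the cost visible: the anchor is the single point whose compromise or unavailability breaks every association, which is why the abstract insists that the security and resilience of the architecture itself must be addressed. A real deployment would replace the HMAC-keystream wrapping with an AEAD (AES-GCM or ChaCha20-Poly1305) and would carry the messages over an authenticated channel; the nonce-bound wrapping is there only to keep the example dependency-free.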

References

  1. O. I. Abdullaziz, Y. J. Chen, and L. C. Wang. 2016. Lightweight authentication mechanism for software defined network using information hiding. In 2016 IEEE Global Communications Conference (GLOBECOM'16). IEEE, 1--6.
  2. David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-Béguelin, and Paul Zimmermann. 2015. Imperfect forward secrecy: How Diffie-Hellman fails in practice. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS'15). ACM, New York, NY, 5--17.
  3. Ijaz Ahmad, Suneth Namal, Mika Ylianttila, and Andrei Gurtov. 2015. Security in software defined networks: A survey. IEEE Communications Surveys & Tutorials 17, 4 (2015), 2317--2346.
  4. Adnan Akhunzada, Ejaz Ahmed, Abdullah Gani, Muhammad Khurram Khan, Muhammad Imran, and Sghaier Guizani. 2015. Securing software defined networks: Taxonomy, requirements, and open issues. IEEE Communications Magazine 53, 4 (2015), 36--44.
  5. Mohammad Al-Fares, Alexander Loukissas, and Amin Vahdat. 2008. A scalable, commodity data center network architecture. SIGCOMM Comput. Commun. Rev. 38, 4 (Aug. 2008), 63--74.
  6. Martin R. Albrecht, Davide Papini, Kenneth G. Paterson, and Ricardo Villanueva-Polanco. 2015. Factoring 512-bit RSA moduli for fun (and a profit of $9,000). Manuscript.
  7. A. L. Aliyu, P. Bull, and A. Abdallah. 2017. A trust management framework for network applications within an SDN environment. In 2017 31st International Conference on Advanced Information Networking and Applications Workshops (WAINA'17). IEEE, 93--98.
  8. R. Alvizu, G. Maier, N. Kukreja, A. Pattavina, R. Morro, A. Capello, and C. Cavazzoni. 2017. Comprehensive survey on T-SDN: Software-defined networking for transport networks. IEEE Communications Surveys & Tutorials PP, 99 (2017), 1--1.
  9. Anchor. 2018. Tamarin models for ANCHOR. Retrieved January 24, 2019 from http://www.jiangshanyu.com/doc/paper/ANCHOR-proof.zip.
  10. Markku Antikainen, Tuomas Aura, and Mikko Särelä. 2014. Spook in your network: Attacking an SDN with a compromised OpenFlow switch. In Secure IT Systems, Karin Bernsmed and Simone Fischer-Hübner (Eds.). Springer International Publishing, 229--244.
  11. R. K. Arbettu, R. Khondoker, K. Bayarou, and F. Weber. 2016. Security analysis of OpenDaylight, ONOS, Rosemary and Ryu SDN controllers. In 2016 17th International Telecommunications Network Strategy and Planning Symposium (Networks). IEEE, 37--44.
  12. Cyril Arnaud and Pierre-Alain Fouque. 2013. Timing attack against protected RSA-CRT implementation used in PolarSSL. In Topics in Cryptology - CT-RSA 2013, Ed Dawson (Ed.). Lecture Notes in Computer Science, Vol. 7779. Springer, Berlin, 18--33.
  13. R. Barrett, A. Facey, W. Nxumalo, J. Rogers, P. Vatcher, and M. St-Hilaire. 2017. Dynamic traffic diversion in SDN: Testbed vs Mininet. In 2017 International Conference on Computing, Networking and Communications (ICNC'17). IEEE, 167--171.
  14. Lawrence E. Bassham, III, Andrew L. Rukhin, Juan Soto, James R. Nechvatal, Miles E. Smid, Elaine B. Barker, Stefan D. Leigh, Mark Levenson, Mark Vangel, David L. Banks, Nathanael Alan Heckert, James F. Dray, and San Vo. 2010. SP 800-22 Rev. 1a. A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications. Technical Report. National Institute of Standards and Technology (NIST), Gaithersburg, MD.
  15. Theophilus Benson, Aditya Akella, and David A. Maltz. 2010. Network traffic characteristics of data centers in the wild. In ACM SIGCOMM IMC. ACM, New York, NY, 267--280.
  16. Theophilus Benson, Ashok Anand, Aditya Akella, and Ming Zhang. 2010. Understanding data center traffic characteristics. SIGCOMM Comput. Commun. Rev. 40, 1 (Jan. 2010), 92--99.
  17. Pankaj Berde, Matteo Gerola, Jonathan Hart, Yuta Higuchi, Masayoshi Kobayashi, Toshio Koide, Bob Lantz, Brian O'Connor, Pavlin Radoslavov, William Snow, et al. 2014. ONOS: Towards an open, distributed SDN OS. In Proceedings of the 3rd Workshop on Hot Topics in Software Defined Networking (HotSDN'14). ACM, 1--6.
  18. Daniel J. Bernstein, Tanja Lange, and Peter Schwabe. 2012. The security impact of a new cryptographic library. In LATINCRYPT 2012. Lecture Notes in Computer Science, Vol. 7533. Springer, Berlin, 159--176.
  19. Daniel J. Bernstein. 2009. Introduction to post-quantum cryptography. In Post-Quantum Cryptography. Springer, Berlin, 1--14.
  20. Daniel J. Bernstein, Tanja Lange, and Ruben Niederhagen. 2016. Dual EC: A standardized back door. In The New Codebreakers. Springer, 256--281.
  21. A. Bessani, J. Sousa, and E. E. P. Alchieri. 2014. State machine replication for the masses with BFT-SMART. In 2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'14). 355--362.
  22. Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cédric Fournet, Markulf Kohlweiss, Alfredo Pironti, Pierre-Yves Strub, and Jean Karim Zinzindohoue. 2015. A messy state of the union: Taming the composite state machines of TLS. In 2015 IEEE Symposium on Security and Privacy (SP'15). IEEE, 535--552.
  23. Karthikeyan Bhargavan, Barry Bond, Antoine Delignat-Lavaud, Cédric Fournet, Chris Hawblitzel, Catalin Hritcu, Samin Ishtiaq, Markulf Kohlweiss, Rustan Leino, Jay Lorch, et al. 2017. Everest: Towards a verified, drop-in replacement of HTTPS. In LIPIcs - Leibniz International Proceedings in Informatics, Vol. 71. Schloss Dagstuhl - Leibniz-Zentrum für Informatik.
  24. Karthikeyan Bhargavan, Cédric Fournet, Markulf Kohlweiss, Alfredo Pironti, and Pierre-Yves Strub. 2013. Implementing TLS with verified cryptographic security. In 2013 IEEE Symposium on Security and Privacy (SP'13). IEEE, 445--459.
  25. Kevin Bocek. 2015. Infographic: How an Attack by a Cyber-espionage Operator Bypassed Security Controls. Retrieved January 24, 2019 from https://www.venafi.com/blog/post/infographic-cyber-espionage-operator-bypassed-security-controls/.
  26. Fábio Botelho, Tulio A. Ribeiro, Paulo Ferreira, Fernando M. V. Ramos, and Alysson Bessani. 2016. Design and implementation of a consistent data store for a distributed SDN control plane. In 2016 12th European Dependable Computing Conference (EDCC'16). IEEE, 169--180.
  27. Billy Bob Brumley and Nicola Tuveri. 2011. Remote timing attacks are still practical. In Computer Security - ESORICS 2011. Lecture Notes in Computer Science, Vol. 6879. Springer, Berlin, 355--371.
  28. D. Buhov, M. Huber, G. Merzdovnik, E. Weippl, and V. Dimitrova. 2015. Network security challenges in Android applications. In 2015 10th International Conference on Availability, Reliability and Security (ARES'15). 327--332.
  29. C. Cachin and A. Samar. 2004. Secure distributed DNS. In International Conference on Dependable Systems and Networks (DSN'04). 423--432.
  30. Martin Casado, Michael J. Freedman, Justin Pettit, Jianying Luo, Nick McKeown, and Scott Shenker. 2007. Ethane: Taking control of the enterprise. In ACM SIGCOMM. ACM, 1--12.
  31. Martin Casado, Tal Garfinkel, Aditya Akella, Michael J. Freedman, Dan Boneh, Nick McKeown, and Scott Shenker. 2006. SANE: A protection architecture for enterprise networks. In Proceedings of the 15th USENIX Security Symposium (USENIX-SS'06). USENIX Association, Berkeley, CA, Article 10.
  32. Po-Wen Chi, Chien-Ting Kuo, Jing-Wei Guo, and Chin-Laung Lei. 2015. How to detect a compromised SDN switch. In 1st IEEE Conference on Network Softwarization (NetSoft'15). IEEE, 1--6.
  33. P. M. Mohan, T. Truong-Huu, and M. Gurusamy. 2018. Towards resilient in-band control path routing with malicious switch detection in SDN. In 10th International Conference on Communication Systems & Networks (COMSNETS'18). 9--16.
  34. Yen-Chun Chiu and Po-Ching Lin. 2017. Rapid detection of disobedient forwarding on compromised OpenFlow switches. In International Conference on Computing, Networking and Communications (ICNC'17). IEEE, 672--677.
  35. Cisco. 2014. Annual Security Report. Retrieved January 24, 2019 from https://www.cisco.com/web/offer/gist_ty2_asset/Cisco_2014_ASR.pdf.
  36. Bob Cromwell. 2017. Massive Failures of Internet PKI. Retrieved January 24, 2019 from http://cromwell-intl.com/cybersecurity/pki-failures.html.
  37. Marc C. Dacier, Hartmut König, Radoslaw Cwalinski, Frank Kargl, and Sven Dietrich. 2017. Security challenges and opportunities of software-defined networking. IEEE Security & Privacy 15, 2 (2017), 96--100.
  38. Rogério Leão Santos De Oliveira, Christiane Marie Schweitzer, Ailton Akira Shinoda, and Ligia Rodrigues Prete. 2014. Using Mininet for emulation and prototyping software-defined networks. In 2014 IEEE Colombian Conference on Communications and Computing (COLCOM'14). IEEE, 1--6.
  39. DigiCert Inc. 2017. Enabling Perfect Forward Secrecy. Retrieved January 24, 2019 from https://goo.gl/KhYtn8.
  40. Yevgeniy Dodis, David Pointcheval, Sylvain Ruhault, Damien Vergniaud, and Daniel Wichs. 2013. Security analysis of pseudo-random number generators with input: /dev/random is not robust. In Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security (CCS'13). ACM, New York, NY, 647--658.
  41. Chris Edwards. 2014. Researchers probe security through obscurity. Commun. ACM 57, 8 (2014), 11--13.
  42. Manuel Egele, David Brumley, Yanick Fratantonio, and Christopher Kruegel. 2013. An empirical study of cryptographic misuse in Android applications. In Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security (CCS'13). ACM, New York, NY, 73--84.
  43. Shuqin Fan, Wenbo Wang, and Qingfeng Cheng. 2016. Attacking OpenSSL implementation of ECDSA with a few signatures. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS'16). ACM, 1505--1515.
  44. Andrew D. Ferguson, Arjun Guha, Chen Liang, Rodrigo Fonseca, and Shriram Krishnamurthi. 2013. Participatory networking: An API for application control of SDNs. In Proceedings of the ACM SIGCOMM 2013 Conference (SIGCOMM'13). ACM, New York, NY, 327--338.
  45. Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno. 2011. Cryptography Engineering: Design Principles and Practical Applications. John Wiley & Sons.
  46. Ramon R. Fontes, Samira Afzal, Samuel H. B. Brito, Mateus A. S. Santos, and Christian Esteve Rothenberg. 2015. Mininet-WiFi: Emulating software-defined wireless networks. In 11th International Conference on Network and Service Management (CNSM'15). IEEE, 384--389.
  47. Albert Greenberg, James R. Hamilton, Navendu Jain, Srikanth Kandula, Changhoon Kim, Parantap Lahiri, David A. Maltz, Parveen Patel, and Sudipta Sengupta. 2009. VL2: A scalable and flexible data center network. SIGCOMM Comput. Commun. Rev. 39, 4 (Aug. 2009), 51--62.
  48. Albert Greenberg, Parantap Lahiri, David A. Maltz, Parveen Patel, and Sudipta Sengupta. 2008. Towards a next generation data center architecture: Scalability and commoditization. In Proceedings of the ACM Workshop on Programmable Routers for Extensible Services of Tomorrow (PRESTO'08). ACM, New York, NY, 57--62.
  49. Marcella Hastings, Joshua Fried, and Nadia Heninger. 2016. Weak keys remain widespread in network devices. In Proceedings of the 2016 ACM Internet Measurement Conference (IMC'16). ACM, 49--63.
  50. Nadia Heninger, Zakir Durumeric, Eric Wustrow, and J. Alex Halderman. 2012. Mining your Ps and Qs: Detection of widespread weak keys in network devices. In Proceedings of the 21st USENIX Security Symposium (Security'12). USENIX Association, Berkeley, CA. http://dl.acm.org/citation.cfm?id=2362793.2362828.
  51. Brad Hill. 2013. Failures of Trust in the Online PKI Marketplace Cannot be Fixed by "Raising the Bar" on Certificate Authority Security. Retrieved January 24, 2019 from http://csrc.nist.gov/groups/ST/ca-workshop-2013/cfp-submissions/hill_failures_to_trust.pdf.
  52. Yu-Chi Ho, Qian-Chuan Zhao, and D. L. Pepyne. 2003. The no free lunch theorems: Complexity and security. IEEE Trans. Automat. Control 48, 5 (2003), 783--793.
  53. Jaap-Henk Hoepman and Bart Jacobs. 2007. Increased security through open source. Commun. ACM 50, 1 (Jan. 2007), 79--83.
  54. Hongxin Hu, Wonkyu Han, Gail-Joon Ahn, and Ziming Zhao. 2014. FLOWGUARD: Building robust firewalls for software-defined networks. In ACM SIGCOMM HotSDN. ACM, 97--102.
  55. L. S. Huang, S. Adhikarla, D. Boneh, and C. Jackson. 2014. An experimental study of TLS forward secrecy deployments. IEEE Internet Computing 18, 6 (Nov. 2014), 43--51.
  56. IEEE Spectrum. 2015. Special Report: 50 Years of Moore's Law. Retrieved January 24, 2019 from http://spectrum.ieee.org/static/special-report-50-years-of-moores-law.
  57. Sushant Jain, Alok Kumar, Subhasree Mandal, Joon Ong, Leon Poutievski, Arjun Singh, Subbaiah Venkata, Jim Wanderer, Junlan Zhou, Min Zhu, Jon Zolla, Urs Hölzle, Stephen Stuart, and Amin Vahdat. 2013. B4: Experience with a globally-deployed software defined WAN. In ACM SIGCOMM. ACM, New York, NY, 3--14.
  58. Andrzej Kamisiński and Carol Fung. 2015. FlowMon: Detecting malicious switches in software-defined networks. In SafeConfig. ACM, New York, NY, 39--45.
  59. Naga Katta, Haoyu Zhang, Michael Freedman, and Jennifer Rexford. 2015. Ravana: Controller fault-tolerance in software-defined networking. In Proceedings of the 1st ACM SIGCOMM Symposium on Software Defined Networking Research (SOSR'15). ACM, 1--12.
  60. Karamjeet Kaur, Japinder Singh, and Navtej Singh Ghumman. 2014. Mininet as software defined networking testing platform. In International Conference on Communication, Computing & Systems (ICCCS'14). 139--142.
  61. Z. K. Khattak, M. Awais, and A. Iqbal. 2014. Performance evaluation of OpenDaylight SDN controller. In 20th IEEE International Conference on Parallel and Distributed Systems (ICPADS'14). IEEE, 671--676.
  62. Soo Hyeon Kim, Daewan Han, and Dong Hoon Lee. 2013. Predictability of Android OpenSSL's pseudo random number generator. In Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security (CCS'13). ACM, New York, NY, 659--668.
  63. Timo Kiravuo, Mikko Särelä, and Jukka Manner. 2013. A survey of Ethernet LAN security. IEEE Communications Surveys & Tutorials 15, 3 (2013), 1477--1491.
  64. Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick, David Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt, Rafal Kolanski, Michael Norrish, Thomas Sewell, Harvey Tuch, and Simon Winwood. 2009. seL4: Formal verification of an OS kernel. In ACM SIGOPS SOSP. ACM, New York, NY, 207--220.
  65. Rowan Klöti, Vasileios Kotronis, and Paul Smith. 2013. OpenFlow: A security analysis. In 21st IEEE International Conference on Network Protocols (ICNP'13). IEEE, 1--6.
  66. Teemu Koponen, Martin Casado, Natasha Gude, Jeremy Stribling, Leon Poutievski, Min Zhu, Rajiv Ramanathan, Yuichiro Iwata, Hiroaki Inoue, Takayuki Hama, and Scott Shenker. 2010. Onix: A distributed control platform for large-scale production networks. In OSDI. 351--364.
  67. D. Kreutz, A. Bessani, E. Feitosa, and H. Cunha. 2014. Towards secure and dependable authentication and authorization infrastructures. In 2014 IEEE 20th Pacific Rim International Symposium on Dependable Computing (PRDC'14). IEEE, 43--52.
  68. Diego Kreutz, Oleksandr Malichevskyy, Eduardo Feitosa, Hugo Cunha, Rodrigo da Rosa Righi, and Douglas D. J. de Macedo. 2016. A cyber-resilient architecture for critical security services. Journal of Network and Computer Applications 63 (2016), 173--189.
  69. D. Kreutz, F. M. V. Ramos, P. Esteves Verissimo, C. Esteve Rothenberg, S. Azodolmolky, and S. Uhlig. 2015. Software-defined networking: A comprehensive survey. Proc. IEEE 103, 1 (Jan. 2015), 14--76.
  70. Diego Kreutz, Fernando M. V. Ramos, and Paulo Verissimo. 2013. Towards secure and dependable software-defined networks. In ACM SIGCOMM HotSDN. ACM, New York, NY, 55--60.
  71. D. Kreutz, J. Yu, P. Esteves-Verissimo, C. Magalhaes, and F. M. V. Ramos. 2017. The KISS principle in software-defined networking: An architecture for keeping it simple and secure. arXiv e-prints (Nov. 2017). arXiv:cs.NI/1702.04294.
  72. D. Kreutz, J. Yu, P. Esteves-Verissimo, C. Magalhaes, and F. M. V. Ramos. 2018. The KISS principle in software-defined networking: A framework for secure communications. IEEE Security & Privacy 16, 5 (Sep. 2018), 60--70.
  73. D. Kreutz, J. Yu, F. M. V. Ramos, and P. Esteves-Verissimo. 2017. ANCHOR: Logically-centralized security for software-defined networks. arXiv e-prints (2017). arXiv:cs.NI/1711.03636.
  74. Bob Lantz, Brandon Heller, and Nick McKeown. 2010. A network in a laptop: Rapid prototyping for software-defined networks. In Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks (HotNets'10). ACM, Article 19.
  75. Seungsoo Lee, Changhoon Yoon, Chanhee Lee, Seungwon Shin, Vinod Yegneswaran, and Phillip Porras. 2017. DELTA: A security assessment framework for software-defined networks. In Proceedings of NDSS 2017. 1--15.
  76. Wenjuan Li, Weizhi Meng, and Lam For Kwok. 2016. A survey on OpenFlow-based software defined networks: Security challenges and countermeasures. Journal of Network and Computer Applications 68 (2016), 126--139.
  77. Shih-Chun Lin, Pu Wang, and Min Luo. 2016. Control traffic balancing in software defined networks. Computer Networks 106 (2016), 260--271.
  78. Benjamin Livshits, Manu Sridharan, Yannis Smaragdakis, Ondřej Lhoták, J. Nelson Amaral, Bor-Yuh Evan Chang, Samuel Z. Guyer, Uday P. Khedker, Anders Møller, and Dimitrios Vardoulakis. 2015. In defense of soundiness: A manifesto. Commun. ACM 58, 2 (Jan. 2015), 44--46.
  79. D. Mahu, V. Dumitrel, and F. Pop. 2015. Secure entropy gatherer. In 2015 20th International Conference on Control Systems and Computer Science (CSCS'15). 185--190.
  80. Konstantinos Manousakis and Georgios Ellinas. 2016. Attack-aware planning of transparent optical networks. Optical Switching and Networking 19 (2016), 97--109.
  81. G. Markowsky. 2013. Was the 2006 Debian SSL debacle a system accident? In 2013 IEEE 7th International Conference on Intelligent Data Acquisition and Advanced Computing Systems (IDAACS'13), Vol. 2. IEEE, 624--629.
  82. G. McGraw. 2004. Software security. IEEE Security & Privacy 2, 2 (Mar. 2004), 80--83.
  83. MEF. 2017. MEF. Retrieved January 24, 2019 from https://www.mef.net/.
  84. Simon Meier, Benedikt Schmidt, Cas Cremers, and David A. Basin. 2013. The TAMARIN prover for the symbolic analysis of security protocols. In Computer Aided Verification (CAV'13), Saint Petersburg, Russia, July 13--19, 2013. 696--701.
  85. Michael Mimoso. 2016. GPG Patches 18-Year-Old Libgcrypt RNG Bug. Retrieved January 24, 2019 from https://goo.gl/569rgJ.
  86. Namecheap.com. 2015. Cipher Suites Configuration (and Forcing Perfect Forward Secrecy). Retrieved January 24, 2019 from https://goo.gl/TsvAKV.
  87. David Naylor, Alessandro Finamore, Ilias Leontiadis, Yan Grunenberger, Marco Mellia, Maurizio Munafò, Konstantina Papagiannaki, and Peter Steenkiste. 2014. The cost of the "S" in HTTPS. In Proceedings of the 10th ACM Conference on Emerging Networking Experiments and Technologies (CoNEXT'14). ACM, New York, NY, Article 7.
  88. Roger M. Needham and Michael D. Schroeder. 1978. Using encryption for authentication in large networks of computers. Commun. ACM 21, 12 (Dec. 1978), 993--999.
  89. NIST. 2017. NIST Statistical Test Suite. Retrieved January 24, 2019 from http://csrc.nist.gov/groups/ST/toolkit/rng/documentation_software.html.
  90. ONF. 2017. Open Networking Foundation. Retrieved January 24, 2019 from https://www.opennetworking.org/.
  91. OpenDaylight Project. 2018. Security Considerations. Retrieved January 24, 2019 from https://goo.gl/CBDi9s.
  92. OpenSSL.org. 2016. OpenSSL Security Advisory [10 Nov. 2016]. Retrieved January 24, 2019 from https://www.openssl.org/news/secadv/20161110.txt.
  93. Dave Otway and Owen Rees. 1987. Efficient and timely mutual authentication. SIGOPS Oper. Syst. Rev. 21, 1 (Jan. 1987), 8--10.
  94. Farzaneh Pakzad, Marius Portmann, Wee Lum Tan, and Jadwiga Indulska. 2016. Efficient topology discovery in OpenFlow-based software defined networks. Computer Communications 77 (2016), 52--61.
  95. Adrian Perrig, Robert Szewczyk, J. D. Tygar, Victor Wen, and David E. Culler. 2002. SPINS: Security protocols for sensor networks. Wirel. Netw. 8, 5 (Sept. 2002), 521--534.
  96. Pica8 Inc. 2018. Pica8. Retrieved January 24, 2019 from https://www.pica8.com/.
  97. Pica8 Open Networking. 2018. PicOS Overview. Retrieved January 24, 2019 from https://goo.gl/Bvttv6.
  98. Ponemon Institute Research. 2018. The Cost & Consequences of Security Complexity. Retrieved January 24, 2019 from https://goo.gl/R9i6Lx.
  99. Philip Porras, Seungwon Shin, Vinod Yegneswaran, Martin Fong, Mabry Tyson, and Guofei Gu. 2012. A security enforcement kernel for OpenFlow networks. In HotSDN'12. ACM, Article 6.
  100. Phillip A. Porras, Steven Cheung, Martin W. Fong, Keith Skinner, and Vinod Yegneswaran. 2015. Securing the software defined network control layer. In NDSS 2015. Internet Society, 1--15.
  101. PwC, CSO magazine and CERT/CMU. 2014. US Cybercrime: Rising Risks, Reduced Readiness. Technical Report. PwC. 21 pages. Retrieved January 24, 2019 from http://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/2014-us-state-of-cybercrime.pdf.
  102. Zafar Ayyub Qazi, Cheng-Chun Tu, Luis Chiang, Rui Miao, Vyas Sekar, and Minlan Yu. 2013. SIMPLE-fying middlebox policy enforcement using SDN. In ACM SIGCOMM Computer Communication Review, Vol. 43. ACM, 27--38.
  103. Abbas Razaghpanah, Arian Akhavan Niaki, Narseo Vallina-Rodriguez, Srikanth Sundaresan, Johanna Amann, and Phillipa Gill. 2017. Studying TLS usage in Android apps. In Proceedings of the 13th ACM Conference on Emerging Networking Experiments and Technologies (CoNEXT'17). ACM, New York, NY, Article 7.
  104. Red Hat, Inc. 2018. OpenShift SDN. Retrieved January 24, 2019 from https://docs.openshift.com/container-platform/3.7/architecture/networking/sdn.html.
  105. Francisco Javier Ros and Pedro Miguel Ruiz. 2014. Five nines of southbound reliability in software-defined networks. In Proceedings of the 3rd Workshop on Hot Topics in Software Defined Networking (HotSDN'14). ACM, 31--36.
  106. Ryu SDN Framework Community. 2018. Component-based software defined networking framework. Retrieved January 24, 2019 from https://osrg.github.io/ryu/.
  107. Dominik Samociuk. 2015. Secure communication between OpenFlow switches and controllers. In AFIN 2015. 39.
  108. Bruce Schneier. 2012. Lousy Random Numbers Cause Insecure Public Keys. Retrieved January 24, 2019 from https://www.schneier.com/blog/archives/2012/02/lousy_random_nu.html.
  109. Bruce Schneier. 2015. Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World. W. W. Norton & Company.
  110. S. Scott-Hayward, S. Natarajan, and S. Sezer. 2016. A survey of security in software defined networks. IEEE Communications Surveys & Tutorials 18, 1 (First quarter 2016), 623--654.
  111. Sandra Scott-Hayward, Sriram Natarajan, and Sakir Sezer. 2016. A survey of security in software defined networks. IEEE Communications Surveys & Tutorials 18, 1 (2016), 623--654.
  112. Stefano Secci, Kamel Attou, Dung Chi Phung, Sandra Scott-Hayward, Dylan Smyth, Suchitra Vemuri, and You Wang. 2017. ONOS Security and Performance Analysis: Report No. 1. Retrieved January 24, 2019 from https://goo.gl/QhWpNr.
  113. Y. Sheffer, R. Holz, and P. Saint-Andre. 2015. Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). RFC 7525. Retrieved January 24, 2019 from https://tools.ietf.org/html/rfc7525.
  114. Seungwon Shin, Phillip Porras, Vinod Yegneswaran, Martin Fong, Guofei Gu, and Mabry Tyson. 2013. FRESCO: Modular composable security services for software-defined networks. In NDSS 2013. Internet Society, 1--16.
  115. Seungwon Shin, Yongjoo Song, Taekyung Lee, Sangho Lee, Jaewoong Chung, Phillip Porras, Vinod Yegneswaran, Jisung Noh, and Brent Byunghoon Kang. 2014. Rosemary: A robust, secure, and high-performance network operating system. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS'14). ACM, New York, NY, 78--89.
  116. Lenin Singaravelu, Calton Pu, Hermann Härtig, and Christian Helmuth. 2006. Reducing TCB complexity for security-sensitive applications: Three case studies. SIGOPS Oper. Syst. Rev. 40, 4 (April 2006), 161--174.
  117. Drew Springall, Zakir Durumeric, and J. Alex Halderman. 2016. Measuring the security harm of TLS crypto shortcuts. In Proceedings of the 2016 ACM Internet Measurement Conference (IMC'16). ACM, New York, NY, 33--47.
  118. Philip B. Stark. 2017. Don't Bet on Your Random Number Generator. Retrieved January 24, 2019 from https://github.com/pbstark/pseudorandom/blob/master/prngLux17.ipynb.
  119. Udo Steinberg and Bernhard Kauer. 2010. NOVA: A microhypervisor-based secure virtualization architecture. In Proceedings of the 5th European Conference on Computer Systems (EuroSys'10). ACM, New York, NY, 209--222.
  120. The OpenStack project. 2018. OpenStack. Retrieved January 24, 2019 from https://www.openstack.org/.
  121. Apostol Vassilev and Timothy A. Hall. 2014. The importance of entropy to information security. Computer 47, 2 (2014), 78--81.
  122. Verizon. 2015. Data Breach Investigations Report. Retrieved January 24, 2019 from http://www.verizonenterprise.com/DBIR/2015/.
  123. VMware, Inc. 2018. NSX Data Center. Retrieved January 24, 2019 from https://www.vmware.com/products/nsx.html.
  124. T. Wan, A. Abdou, and P. C. van Oorschot. 2017. A framework and comparative analysis of control plane security of SDN and conventional networks. arXiv e-prints (March 2017). arXiv:cs.NI/1703.06992.
  125. Shie-Yuan Wang. 2014. Comparison of SDN OpenFlow network simulator and emulators: EstiNet vs. Mininet. In IEEE Symposium on Computers and Communication (ISCC'14). IEEE, 1--6.
  126. Dan Williams and Ricardo Koller. 2016. Unikernel monitors: Extending minimalism outside of the box. In 8th USENIX Workshop on Hot Topics in Cloud Computing (HotCloud'16). USENIX Association, 71--76.
  127. Jiaqi Yan and Dong Jin. 2015. VT-Mininet: Virtual-time-enabled Mininet for scalable and accurate software-defined network emulation. In Proceedings of the 1st ACM SIGCOMM Symposium on Software Defined Networking Research. ACM, 27. Google ScholarGoogle ScholarDigital LibraryDigital Library
  128. Frances F. Yao and YiqunLisa Yin. 2005. Design and analysis of password-based key derivation functions. In Topics in Cryptology (CT-RSA’05), Alfred Menezes (Ed.). Lecture Notes in Computer Science, Vol. 3376. Springer, Berlin, 245--261. Google ScholarGoogle ScholarDigital LibraryDigital Library
  129. Yuval Yarom and Naomi Benger. 2014. Recovering OpenSSL ECDSA nonces using the FLUSH+RELOAD cache side-channel attack. IACR Cryptology ePrint Archive 2014 (2014), 140.Google ScholarGoogle Scholar
  130. Changhoon Yoon, Seungsoo Lee, Heedo Kang, Taejune Park, Seungwon Shin, Vinod Yegneswaran, Phillip Porras, and Guofei Gu. 2017. Flow wars: Systemizing the attack surface and defenses in software-defined networks. IEEE/ACM Transactions on Networking 25, 6 (2017), 3514--3530. Google ScholarGoogle ScholarDigital LibraryDigital Library
  131. Jiangshan Yu, Mark Ryan, and Cas Cremers. 2017. DECIM: Detecting Endpoint Compromise in Messaging. Cryptology ePrint Archive, Report 2015/486. http://eprint.iacr.org/2015/486.Google ScholarGoogle Scholar
  132. Jiangshan Yu, Mark Ryan, and Cas Cremers. 2017. DECIM: Detecting endpoint compromise in messaging. IEEE Trans. Information Forensics and Security 13, 1 (Jan. 2018), 106--118.Google ScholarGoogle Scholar
  133. Jiangshan Yu and Mark Dermot Ryan. 2015. Device attacker models: Fact and fiction. In Security Protocols XXIII - 23rd International Workshop, Cambridge, UK, March 31 - April 2, 2015, Revised Selected Papers. 158--167. Google ScholarGoogle ScholarDigital LibraryDigital Library
  134. Kim Zetter. 2015. Researchers Solve Juniper Backdoor Mystery; Signs Point to NSA. Retrieved January 24, 2019 from https://www.wired.com/2015/12/researchers-solve-the-juniper-mystery-and-they-say-its-partially-the-nsas-fault/.Google ScholarGoogle Scholar
  135. Y. Zhao, L. Iannone, and M. Riguidel. 2015. On the performance of SDN controllers: A reality check. In 2015 IEEE Conference on Network Function Virtualization and Software Defined Network (NFV-SDN’15). 79--85.Google ScholarGoogle Scholar
  136. Lidong Zhou, Fred B. Schneider, and Robbert Van Renesse. 2002. COCA: A secure distributed online certification authority. ACM Trans. Comput. Syst. 20, 4 (Nov. 2002), 329--368. Google ScholarGoogle ScholarDigital LibraryDigital Library
  137. Y. Zhou and X. Jiang. 2012. Dissecting Android malware: Characterization and evolution. In 2012 IEEE Symposium on Security and Privacy. IEEE, 95--109. Google ScholarGoogle ScholarDigital LibraryDigital Library
