SDN Security - Scott Hogg - 2017-06-22

Page 1:

WWW.GTRI.COM

SDN Security: Two Sides of the Same Coin

Scott Hogg, CTO GTRI
CCIE #5133, CISSP #4610
Thursday June 22, 2017

© 2017 Global Technology Resources, Inc. All rights reserved.

Page 2:

Today's Agenda
• Brief Review of Software Defined Networking (SDN)
• Heads:
  o Attack Vectors for SDN Systems
  o Securing an SDN System
• Tails:
  o SDN Security Use Cases and Applications
• Open Discussion (time permitting)

Page 3:

Defining SDN
• Software-Defined Networking is an approach to networking that separates the control plane from the forwarding plane to support virtualization.
• SDN is a new paradigm for network virtualization.

Page 4:

SDN High-Level Architecture
[Diagram: Application Layer (or SDN Layer) hosting Virtualized Application Services; Northbound API; Control Layer (or Controller Layer) with Controllers joined by an East/West Interface; Southbound API; Data Plane Layer (or Infrastructure Layer) of Network Elements, each running an Agent]

Page 5:

SDN Benefits
• Greater span of control and network analytics and response.
• Better intelligence with a global view of the network rather than each network element looking at the network from its own viewpoint.
• Improved application experience; empowers the network owner/operator.
• Rapid deployment of applications using networking that supports the application's specific needs.
• Simplified and automated IT administration.
• Opportunity to open up the network to a diverse set of vendors and disaggregation.

Page 6:

SDN Use Cases

Page 7:

SDN Use Cases

Page 8:

Heads: Security of SDN Systems
• There are several attack vectors on SDN systems. The more common SDN security concerns include:
  o Attacks targeting the SDN controller – either DoS or to instantiate new flows (spoofing northbound API messages or spoofing southbound flows)
  o Attacker creates their own controller and gets network elements to receive flows from that controller – spoofing flows from the legitimate controller
  o Targeting the network elements – DoS or to instantiate new flows
  o Attacking the DCI/Overlay protocol (VXLAN, NVGRE, STT)
    o These protocols may lack authentication and encryption
    o Either part of the protocol design or vendor implementation

Page 9:

SDN Security Considerations
[Diagram: the same three-layer architecture as slide 4 (SDN Layer with Virtualized Application Services, Northbound API, Controller Layer with Controllers, Southbound API, Data Plane Layer of Network Elements with Agents), annotated with where the attack vectors apply]

Page 10:

SDN Vulnerability Genome Project

Source: http://sdnsecurity.org/project_SDN-Security-Vulnerbility-attack-list.html

Page 11:

SDN Penetration Testing Framework
• Proactively test your SDN controller prior to deployment
• Fingerprint the controller and test encryption strength
• KAIST students also created DELTA – a pentesting framework for SDN (tests Floodlight, ONOS, OpenDaylight Helium)
  o https://github.com/OpenNetworkingFoundation/delta
• Same students at KAIST created Poseidon, an SDN-specific security scanner
• Hellfire Security SDN-Toolkit v1.21 (Gregory Pickett)
  o http://www.hellfiresecurity.com/tools.htm
  o https://sourceforge.net/projects/sdn-toolkit/
• Traditional vulnerability scanners can be used to assess the control plane

Page 12:

Recent SDN System Vulnerabilities
• Some versions of SDN systems may contain other open-source software that is discovered to have vulnerabilities: bash, OpenSSH, OpenSSL, ntpd
• Several vulnerabilities have been reported and fixed within OpenDaylight
  o https://wiki.opendaylight.org/view/Security_Advisories
• Netdump vulnerability took 4 months to correct
  o http://seclists.org/bugtraq/2014/Aug/75
• The OpenDaylight project now has a security team in place
• ONIE vulnerabilities identified in BigSwitch's Switch Light controller, Cumulus Linux, Mellanox-OS (August 2015)
• CVE-2015-5699 - Cumulus Linux's Switch Configuration Tools Backend, clcmd_server, Vulnerable to Local Privilege Escalation (August 11, 2015)
• August 3, 2015 – Cisco APIC root access vulnerability
  o http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150722-apic

Page 13:

Hardening an SDN System
• Use TLS 1.3 (or UDP/DTLS) to authenticate and encrypt traffic between network device agent and controller; authenticate controller and network devices/SDN agent using certificates
• High-Availability (HA) controller architecture
• Prevent unauthorized access to SDN control network
• Use Out-of-Band (OOB) network for control traffic, OOB and secure protocols for controller management and northbound communications

Page 14:

Hardening an SDN System (cont.)
• Harden the controller and the network elements (typical host hardening)
• Closely monitor controllers for suspicious activity
• Secure coding practices for all northbound applications requesting SDN resources
• Ability to validate flows in network device tables against controller policy
• Use Data Center Interconnect (DCI) protocols that can authenticate tunnel endpoints and secure tunneled traffic
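The "validate flows in network device tables against controller policy" item above, and the rogue-controller vector from slide 8 it defends against, can be turned into a routine audit. The Python below is an added example, not code from the talk or from any SDN product: it parses constructed lines in the `ovs-ofctl dump-flows` output format, compares them with the flows the controller intended, and reports rogue, missing and shadowing entries. The policy representation and the set of counter fields the parser skips are assumptions.

```python
import re
from dataclasses import dataclass

# Counters in an "ovs-ofctl dump-flows" line; every other token before
# "actions=" is treated as match criteria (assumption: only these keys occur).
STATS_KEYS = {"cookie", "duration", "n_packets", "n_bytes", "idle_age",
              "hard_age", "idle_timeout", "hard_timeout"}

@dataclass(frozen=True)
class Flow:
    table: int
    priority: int
    match: frozenset   # e.g. frozenset({"ip", "nw_dst=10.0.0.5"})
    actions: str

def parse_dump_flow(line):
    """Parse one dump-flows line into a Flow, discarding the counters."""
    head, sep, actions = line.strip().partition(" actions=")
    if not sep:
        raise ValueError("no actions= in flow line: %r" % line)
    table, priority, match = 0, 32768, set()   # OpenFlow defaults
    for tok in re.split(r",\s*", head):
        key, _, val = tok.partition("=")
        if not tok or key in STATS_KEYS:
            continue
        if key == "table":
            table = int(val)
        elif key == "priority":
            priority = int(val)
        else:
            match.add(tok)
    return Flow(table, priority, frozenset(match), actions.strip())

def audit_flow_table(policy, dump_lines):
    """rogue = on the switch but not in policy (e.g. pushed by another controller);
    missing = in policy but absent; shadowed = policy flows a rogue flow overrides:
    same table, equal/higher priority, overlapping match (approximated by subset)."""
    observed = {parse_dump_flow(l) for l in dump_lines}
    rogue = observed - set(policy)
    missing = set(policy) - observed
    shadowed = {
        r: [p for p in policy
            if p.table == r.table and r.priority >= p.priority
            and (p.match <= r.match or r.match <= p.match)]
        for r in rogue
    }
    return {"rogue": rogue, "missing": missing, "shadowed": shadowed}

# Constructed sample: the flows the controller believes it installed.
POLICY = [
    Flow(0, 100, frozenset({"ip", "nw_dst=10.0.0.5"}), "output:2"),
    Flow(0, 10, frozenset({"arp"}), "NORMAL"),
    Flow(0, 0, frozenset(), "drop"),
]

# Constructed sample switch dump: the policy flows plus one nobody installed,
# which redirects the server's traffic to port 9 at a higher priority.
DUMP = [
    " cookie=0x0, duration=12.3s, table=0, n_packets=5, n_bytes=400, priority=100,ip,nw_dst=10.0.0.5 actions=output:2",
    " cookie=0x0, duration=12.3s, table=0, n_packets=9, n_bytes=500, priority=10,arp actions=NORMAL",
    " cookie=0x0, duration=12.3s, table=0, n_packets=0, n_bytes=0, priority=0 actions=drop",
    " cookie=0x1, duration=2.0s, table=0, n_packets=77, n_bytes=9000, priority=200,ip,nw_dst=10.0.0.5 actions=output:9",
]
```

Running `audit_flow_table(POLICY, DUMP)` flags the priority-200 flow as rogue and shows it shadows both the intended server flow and the catch-all drop.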

Page 15:

STIGs for SDN
• Security Technical Implementation Guides (STIGs) document the hardening procedures
• DISA Draft SDN STIG version 1 - Information Assurance Support Environment (IASE)
  o http://iase.disa.mil/stigs/net_perimeter/network-infrastructure/Pages/policy.aspx
• VMware NSX meets STIG for DOD FOUO
  o http://www.gtri.com/bringing-sdn-federal-networks-vmware-nsx-stig-released/

Page 16:

Tails: SDN Security-Specific Use Case
• SDN allows for creative new approaches to security
• We will now review 5 SDN use cases for security
  o Traffic Filtering with SDN, Software-Defined Perimeter
  o Network Slicing, Campus Slicing, Multi-Tenancy, Enclaves, Isolation, Network Segmentation
  o DDoS Mitigation
  o Network Access Control (NAC)
  o Security Traffic Monitoring, Network Packet Broker
  o Moving Target Defense (MTD)

Page 17:

Traffic Filtering with SDN
• That which is not permitted is denied – make the SDN switches not transparent learning/forwarding
• Cisco APIC configures the ACI policy for traffic permitted between End Point Groups (EPGs) and for traffic steering – if not permitted, traffic is dropped
• Integrate SDN system with Cisco Identity Services Engine (ISE) for device profiling, user authentication, SGT, TrustSec tagging
• Traffic steering toward firewall or content filter, security service insertion between client and server

Page 18:

SDN Switches As Firewalls?
[Diagram: SDN Controller in the Controller Layer, Northbound API above it, Southbound API below it, Data Plane Layer of Network Elements each running an Agent; labelled Software-Defined Perimeter (SDP)]

Page 19:

Software Defined Perimeter (SDP)
• Cloud Security Alliance (CSA) SDP Working Group
• https://cloudsecurityalliance.org/group/software-defined-perimeter/

on-demand, dynamically-provisioned, air gapped networks

Page 20:

Network Segmentation with SDN
• Separating the network into logically separated networks
• Network Slicing, Campus Slicing, Secured Enclaves, Micro-Segmentation, Virtual Routing and Forwarding, etc.
• Done by adding a slicing layer between the control plane and the data plane; policies are slice-specific
• Enforce strong isolation between slices - actions in one slice do not affect another (Flowspace)
• Examples: Cisco XNC with Network Slicing application; FlowVisor is a special purpose OpenFlow controller that acts as a transparent proxy between OpenFlow switches and multiple OpenFlow controllers

Page 21:

Network Segmentation with SDN
• "Network Slicing" Use Case

Source: Cisco Extensible Network Controller Topology-Independent Forwarding and Network Slicing Applications
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps13397/ps13400/data_sheet_c78-729458.pdf

Page 22:

Network Segmentation with SDN
• FlowVisor performs policy checks across flowspace and enforces isolation between each slice

Source: Can the Production Network Be the Testbed? By Rob Sherwood, Glen Gibb, Kok-Kiong Yap, Guido Appenzeller, Martin Casado, Nick McKeown, Guru Parulkar
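The flowspace policy check described on slides 20 and 22, as an added example (not FlowVisor's code): a slice's controller may only install rules whose match is confined to the flowspace the slice owns and whose output ports belong to that slice. The flowspace table, the field names, and the choice to reject an over-wide rule (FlowVisor intersects it with the slice's flowspace instead) are assumptions.

```python
import ipaddress

# Constructed flowspace table (assumption): each slice owns a list of entries,
# each entry a set of field -> value constraints.  A slice's controller may
# only install rules whose match lies entirely inside one of its entries.
FLOWSPACE = {
    "research": [{"dl_vlan": 10}, {"nw_dst": "10.1.0.0/16"}],
    "production": [{"dl_vlan": 20}],
}

def _field_within(field, rule_value, space_value):
    """True if the rule's value for `field` lies inside the slice's value."""
    if field in ("nw_src", "nw_dst"):
        return ipaddress.ip_network(rule_value, strict=False).subnet_of(
            ipaddress.ip_network(space_value, strict=False))
    return rule_value == space_value

def match_within(match, space):
    """A match is inside a flowspace entry only if it pins every field the
    entry constrains to a value inside the entry's value.  Leaving such a
    field wildcarded would make the rule apply to other slices' traffic too."""
    return all(f in match and _field_within(f, match[f], v)
               for f, v in space.items())

def check_flow_mod(slice_name, match, actions, slice_ports):
    """The check a FlowVisor-style proxy applies before relaying a FLOW_MOD
    from a slice's controller to the switch.  Returns (allowed, reason).
    FlowVisor narrows an over-wide match to the slice's flowspace; this
    version simply rejects it (assumption)."""
    spaces = FLOWSPACE.get(slice_name)
    if not spaces:
        return False, "unknown slice"
    if not any(match_within(match, s) for s in spaces):
        return False, "match escapes the slice's flowspace"
    for act in actions:
        if act.startswith("output:"):
            port = act.split(":", 1)[1]
            # Non-numeric targets such as output:ALL would flood other slices.
            if not port.isdigit() or int(port) not in slice_ports:
                return False, "output port not owned by slice"
    return True, "ok"
```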

Page 23:

DDoS Mitigation with SDN
• SDN can be used to create a DDoS mitigation system
• SDN network sends DDoS telemetry data to the DDoS detection system (volumetric, app attacks, protocol DDoS)
• DDoS detection system communicates with northbound API which configures the policy on the controller for the destination of the attack
• SDN controller sends flows to network devices to drop suspicious inbound traffic toward victim
• Cleaned traffic is allowed to pass toward the destination
• Examples: Radware Defense Flow, Radware Defense4All in ODL Helium, A10 Networks Thunder Threat Protection System, Dispersive Technologies, others…
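The detection-to-mitigation loop on this slide, as an added example (not the talk's or any vendor's code): constructed per-destination telemetry is checked against a baseline, and for each victim the detector builds the flow-mod requests a northbound client would submit, dropping the offending sources and steering the remaining inbound traffic through a scrubbing port so cleaned traffic still reaches the destination. Thresholds, field names, priorities and the timeout are assumptions.

```python
from collections import defaultdict

# Constructed telemetry samples: (src_ip, dst_ip, packets_per_second)
# as exported by the SDN network to the detection system.
TELEMETRY = [
    ("198.51.100.7", "203.0.113.10", 50),
    ("198.51.100.8", "203.0.113.10", 20),
    ("192.0.2.1", "203.0.113.10", 30000),
    ("192.0.2.2", "203.0.113.10", 28000),
    ("192.0.2.3", "203.0.113.10", 31000),
    ("198.51.100.9", "203.0.113.11", 40),
]

def detect_victims(samples, baseline_pps, factor=10, min_sources=3):
    """Return {victim: [suspicious sources]} for destinations whose inbound
    rate exceeds factor x baseline and arrives from at least min_sources
    sources.  A source is suspicious if it alone exceeds the baseline."""
    per_dst = defaultdict(dict)
    for src, dst, pps in samples:
        per_dst[dst][src] = per_dst[dst].get(src, 0) + pps
    victims = {}
    for dst, srcs in per_dst.items():
        base = baseline_pps.get(dst, 100)   # assumed default baseline
        if sum(srcs.values()) > factor * base and len(srcs) >= min_sources:
            victims[dst] = sorted(s for s, p in srcs.items() if p > base)
    return victims

def build_mitigation(victims, scrubber_port, hard_timeout=600):
    """Flow-mod requests the detection system submits over the northbound API.
    Drops (priority 300) sit above the steer rule (priority 200), which sits
    above normal forwarding (assumed < 200); hard_timeout makes the
    mitigation expire on its own instead of lingering after the attack."""
    mods = []
    for victim, sources in victims.items():
        for src in sources:
            mods.append({"priority": 300,
                         "match": {"ip": True, "nw_src": src, "nw_dst": victim},
                         "actions": ["drop"], "hard_timeout": hard_timeout})
        mods.append({"priority": 200,
                     "match": {"ip": True, "nw_dst": victim},
                     "actions": ["output:%d" % scrubber_port],
                     "hard_timeout": hard_timeout})
    return mods
```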

Page 24:

DDoS Mitigation with SDN
• Radware DefenseFlow integrates with Cisco's XNC, OpenDaylight, BigSwitch Floodlight, and NEC's ProgrammableFlow OpenFlow-based switches and controller

Source: http://www.radware.com/Products/DefenseFlow/

Page 25:

Network Access Control (NAC) with SDN
• SDN systems can prevent unauthorized access or isolate compromised hosts to a quarantine network, Automated Malware Quarantine (AMQ)
• SDN systems can intervene in assigning addresses to nodes joining network based on their security posture
• Authenticated end nodes are able to send/receive if they pass security checks (AV running/updated, patched, registry key, …)
• End nodes can only send/receive with their assigned IP/MAC addresses
  o Source Address Validation Improvements (SAVI) and First Hop Security (FHS)
  o Direct end-node traffic to Cisco Cloud Threat Defense system, detect the issue, check with ISE, set SGT=BAD, to contain the traffic
• Examples: Cisco Cloud Threat Defense, HP VAN Sentinel Security Application
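Posture-based admission together with the SAVI-style address binding this slide describes, as an added example (not Cisco's or HP's code): an authenticated node that passes the checks gets a production VLAN and address, a failing node is quarantined, and afterwards the switch accepts only frames whose source IP matches the binding for that port and MAC. The VLAN numbers, check names and the address allocator are assumptions.

```python
from dataclasses import dataclass

# VLAN numbers and the list of posture checks are assumptions for the example.
PROD_VLAN = 100
QUARANTINE_VLAN = 999
POSTURE_CHECKS = ("av_running", "av_updated", "patched", "registry_key_present")

@dataclass
class Posture:
    """Result of the checks the slide lists, as reported for a joining node."""
    authenticated: bool
    av_running: bool
    av_updated: bool
    patched: bool
    registry_key_present: bool

def assign_vlan(p):
    """Unauthenticated nodes get no network at all; authenticated nodes that
    fail any posture check land in quarantine, the rest in production."""
    if not p.authenticated:
        return None, "blocked: unauthenticated"
    failed = [name for name in POSTURE_CHECKS if not getattr(p, name)]
    if failed:
        return QUARANTINE_VLAN, "quarantine: " + ",".join(failed)
    return PROD_VLAN, "production"

class BindingTable:
    """SAVI-style bindings of (switch port, MAC) -> (assigned IP, VLAN).
    After onboarding, a node may only send with the address it was given."""
    def __init__(self):
        self.bindings = {}

    def bind(self, port, mac, ip, vlan):
        self.bindings[(port, mac)] = (ip, vlan)

    def validate(self, port, mac, src_ip):
        """The check the first-hop switch applies to each frame's source."""
        entry = self.bindings.get((port, mac))
        if entry is None:
            return False, "no binding for port/MAC"
        if entry[0] != src_ip:
            return False, "spoofed source %s, bound %s" % (src_ip, entry[0])
        return True, "ok"

def onboard(table, port, mac, posture, allocate_ip):
    """Admission decision plus address assignment for a node joining on
    `port`.  `allocate_ip(vlan)` is a hypothetical allocator supplied by the
    caller (the controller's address management in a real system)."""
    vlan, reason = assign_vlan(posture)
    if vlan is None:
        return None, reason
    ip = allocate_ip(vlan)
    table.bind(port, mac, ip, vlan)
    return ip, reason
```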

Page 26:

SDN Security Components

Source: 2014 Cisco Live BRKSEC-2760

Page 27:

Security Monitoring with SDN
• Switches often lack sufficient resources to perform packet/port mirroring/taps
  o Every IT silo/team wants their own tap/SPAN session (Network Packet Broker (NPB))
• Bi-directional packet capture is much better than NetFlow
• Dedicated copper/optical packet monitoring switches can be very expensive, many taps are required – no blocking ability
• Tap Aggregation is an application that is simple for an SDN controller and uses low-cost SDN-capable network devices
• Examples: Cisco XNC with Monitor Manager and Nexus 3000 Tap Aggregation Switch, BigSwitch Big Tap Monitoring Fabric, Microsoft Distributed Ethernet Monitoring (DEMon)

Using SDN to Create a Packet Monitoring System
http://www.networkworld.com/article/2226003/cisco-subnet/using-sdn-to-create-a-packet-monitoring-system.html

Page 28:

Security Monitoring with SDN
• Cisco XNC Monitor Manager, Cisco Nexus Data Broker

Source: Cisco Nexus Data Broker
http://www.cisco.com/c/en/us/products/cloud-systems-management/nexus-data-broker/index.html

Page 29:

Moving Target IPv6 Defense (MT6D)
• MT6D is a system created by graduate students in the Information Technology Security Laboratory at Virginia Tech to obscure IPv6 addresses
• Periodically hiding/changing characteristics of victim to make it more difficult to find/attack

Source: http://www4.ncsu.edu/~hp/Panos.pdf
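How the periodic address change works, as an added example written from the published MT6D design as I understand it, not the Virginia Tech code: both peers derive the interface identifier for the current time slot from the node's IID, a shared secret and the slot number, so the address rotates every interval while staying computable by the peer and nobody else. The hash choice, the slot width and the one-slot acceptance window are assumptions.

```python
import hashlib
import ipaddress
import struct

# Scheme assumptions: SHA-256 truncated to 64 bits, a 10 s rotation interval
# and a one-slot acceptance window.  Both peers must share the secret and
# have synchronized clocks, as MT6D requires.

def mt6d_iid(host_iid, secret, slot):
    """Rotated 64-bit interface identifier for one time slot:
    the first 64 bits of SHA-256(IID || secret || slot)."""
    data = struct.pack(">Q", host_iid) + secret + struct.pack(">Q", slot)
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")

def mt6d_address(prefix, host_iid, secret, now, interval=10):
    """Address for the rotation slot that `now` (seconds) falls into:
    the /64 network prefix with the rotated IID in the low 64 bits."""
    net = ipaddress.ip_network(prefix)      # e.g. "2001:db8:1:2::/64"
    slot = int(now) // interval
    return ipaddress.IPv6Address(int(net.network_address)
                                 | mt6d_iid(host_iid, secret, slot))

def accepted_addresses(prefix, host_iid, secret, now, interval=10):
    """Addresses the receiver binds at `now`: the current slot and the previous
    one, so packets in flight across a rotation boundary are still delivered."""
    return {mt6d_address(prefix, host_iid, secret, now - k * interval, interval)
            for k in (0, 1)}
```

A sender computing `mt6d_address(prefix, iid, secret, time.time())` and a receiver binding `accepted_addresses(...)` with the same secret agree on every slot, while an observer without the secret sees an address that changes every interval.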

Page 30:

Improved Security Through Automation
• Concept of applying security through automation, CI-CD, short-lived containers or cloud instances
• Idempotency of automation tools like Puppet, Chef, Ansible can restore configurations if out of alignment with manifests, playbooks, recipes
• "Infrastructure as Code" with security baked in from inception
• Security can be "provable" and accelerate compliance audits
• DevNetSecOps means teams must integrate and collaborate
  o Converge Your Teams for Greater SDN/NFV Benefits
  o https://communities.cisco.com/people/[email protected]/blog/2016/06/14/converge-your-teams-for-greater-sdnnfv-benefits

Page 31:

SDN Security Summary
• SDN has the potential to provide many new creative ways to connect and secure systems
• SDN represents a new way of thinking; we all need to be cognizant of this technology shift
• Heads: SDN systems are vulnerable to threats, but SDN implementations can be hardened against security attacks
• Tails: SDN systems can provide innovative security applications that are not possible with traditional methods

Page 32:

SDN & Security Resources
• Solution Brief: SDN Security Considerations in the Data Center
  o https://www.opennetworking.org/solution-brief-sdn-security-considerations-in-the-data-center
• SDN Security Challenges in SDN Environments
  o https://www.sdxcentral.com/resources/security/security-challenges-sdn-software-defined-networks/
• SDN Security Attack Vectors and SDN Hardening
  o http://www.networkworld.com/article/2840273/sdn/sdn-security-attack-vectors-and-sdn-hardening.html
• With Cisco ACI, Do You Still Need A Firewall?
  o https://cisco-marketing.hosted.jivesoftware.com/people/[email protected]/blog/2015/03/02/with-cisco-aci-do-you-still-need-a-firewall
• Is an SDN Switch A New Form of a Firewall?
  o http://www.networkworld.com/article/2905257/sdn/is-an-sdn-switch-a-new-form-of-a-firewall.html

Page 33:

WWW.GTRI.COM

Questions and Answers
Next Steps

Thank you!

[email protected]
@scotthogg