WWW.GTRI.COM SDN Security: Two Sides of the Same Coin Scott Hogg, CTO GTRI CCIE #5133, CISSP #4610 Thursday June 22, 2017 © 2017 Global Technology Resources, Inc. All rights reserved.
WWW.GTRI.COM
SDN Security:Two Sides of the Same Coin
Scott Hogg, CTO GTRICCIE #5133, CISSP #4610Thursday June 22, 2017
© 2017 Global Technology Resources, Inc. All rights reserved.
© 2017 Global Technology Resources, Inc. All Rights Reserved. 2
Today’s Agenda• Brief Review of Software Defined Networking (SDN)• Heads:
o Attack Vectors for SDN Systemso Securing an SDN System
• Tails:o SDN Security Use Cases and Applications
• Open Discussion (time permitting)
Defining SDN• Software-Defined Networking is an approach to
networking that separates the control plane from the forwarding plane to support virtualization.
• SDN is a new paradigm for network virtualization.
SDN High-Level Architecture
Controller
Network ElementNetwork Element
Network ElementNetwork Element
Network ElementNetwork Element
Network ElementNetwork Element
Application LayerOr
SDN Layer
Virtualized Application Services
Northbound API
Southbound API
Control LayerOr
Controller Layer
Data Plane LayerOr
Infrastructure Layer
Agent
AgentAgent
Agent
Controller
East/WestInterface
SDN Benefits• Greater span of control and network analytics and response.• Better intelligence with a global view of the network rather than each
network element looking at the network from its own viewpoint.• Improved application experience and empower the network
owner/operator.• Rapid deployment of applications using networking that supports
the application’s specific needs.• Simplified and automated IT administration.• Opportunity to open up the network to a diverse set of vendors
and disaggregation.
SDN Use Cases
SDN Use Cases
Heads: Security of SDN Systems• There are several attack vectors on SDN systems. The more
common SDN security concerns include:o Attacks targeting the SDN controller – either DoS or to instantiate
new flows (spoofing northbound API messages or spoofing southbound flows)
o Attacker creates their own controller and gets network elements to receive flows from that controller – spoofing flows from the legitimate controller
o Targeting the network elements – DoS or to instantiate new flowso Attacking the DCI/Overlay protocol (VXLAN, NVGRE, STT)
These protocols may lack authentication and encryption Either part of the protocol design or vendor implementation
© 2017 Global Technology Resources, Inc. All Rights Reserved. 8
SDN Security Considerations
© 2017 Global Technology Resources, Inc. All Rights Reserved. 9
Controller
Network ElementNetwork Element
Network ElementNetwork Element
Network ElementNetwork Element
Network ElementNetwork Element
SDN LayerVirtualized Application Services
Northbound API
Southbound API
Controller Layer
Data Plane LayerAgent
AgentAgent
Agent
Controller
SDN Vulnerability Genome Project
© 2017 Global Technology Resources, Inc. All Rights Reserved. 10Source: http://sdnsecurity.org/project_SDN-Security-Vulnerbility-attack-list.html
SDN Penetration Testing Framework• Proactively test your SDN controller prior to deployment• Fingerprint the controller and test encryption strength• KAIST students also created DELTA – a pentesting framework for
SDN (tests Floodlight, ONOS, OpenDaylight Helium)o https://github.com/OpenNetworkingFoundation/delta
• Same students at KAIST created Poseidon, an SDN-specific security scanner
• Hellfire Security SDN-Toolit v1.21 (Gregory Pickett)o http://www.hellfiresecurity.com/tools.htmo https://sourceforge.net/projects/sdn-toolkit/
• Traditional vulnerability scanners can be used to assess the control plane
© 2017 Global Technology Resources, Inc. All Rights Reserved. 11
Recent SDN System Vulnerabilities• Some versions of SDN systems may contain other opensource software
that is discovered to have vulnerabilities: bash, OpenSSH, OpenSSL, ntpd• Several vulnerabilities have been reported and fixed within OpenDaylight
o https://wiki.opendaylight.org/view/Security_Advisories• Netdump vulnerability took 4 months to correct
o http://seclists.org/bugtraq/2014/Aug/75• Now OpenDaylight project has security team in place• ONIE vulnerabilities identified in BigSwitch’s Switch Light controller,
Cumulus Linux, Mellanox-OS (August 2015)• CVE-2015-5699 - Cumulus Linux's Switch Configuration Tools Backend,
clcmd_server, Vulnerable to Local Privilege Escalation (August 11, 2015)• August 3, 2015 – Cisco APIC root access vulnerability
o http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150722-apic
© 2017 Global Technology Resources, Inc. All Rights Reserved. 12
Hardening an SDN System• Use TLS 1.3 (or UDP/DTLS) to authenticate and encrypt
traffic between network device agent and controller, authenticate controller and network devices/SDN agent using certificates
• High-Availability (HA) controller architecture• Prevent unauthorized access to SDN control network• Use Out-of-Band (OOB) network for control traffic, OOB
and secure protocols for controller management and northbound communications
© 2017 Global Technology Resources, Inc. All Rights Reserved. 13
Hardening an SDN System (cont.)• Harden the controller and the network elements (typical
host hardening)• Closely monitor controllers for suspicious activity• Secure coding practices for all northbound applications
requesting SDN resources• Ability to validate flows in network device tables against
controller policy• Use Data Center Interconnect (DCI) protocols that can
authenticate tunnel endpoints and secure tunneled traffic
© 2017 Global Technology Resources, Inc. All Rights Reserved. 14
STIGs for SDN• Security Technical Implementation Guides (STIGs)
document the hardening procedures• DISA Draft SDN STIG version 1 - Information
Assurance Support Environment (IASE)o http://iase.disa.mil/stigs/net_perimeter/network-
infrastructure/Pages/policy.aspx• VMware NSX meets STIG for DOD FOUO
o http://www.gtri.com/bringing-sdn-federal-networks-vmware-nsx-stig-released/
© 2017 Global Technology Resources, Inc. All Rights Reserved. 15
Tails: SDN Security-Specific Use Case• SDN allows for creative new approaches to security• We will now review 5 SDN uses cases for security
o Traffic Filtering with SDN, Software-Defined Perimetero Network Slicing, Campus Slicing, Multi-Tenancy, Enclaves,
Isolation, Network Segmentationo DDoS Mitigationo Network Access Control (NAC)o Security Traffic Monitoring, Network Packet Brokero Moving Target Defense (MTD)
© 2017 Global Technology Resources, Inc. All Rights Reserved. 16
Traffic Filtering with SDN• That which is not permitted is denied – make the SDN
switches not transparent learning/forwarding• Cisco APIC configures the ACI policy for traffic
permitted between End Point Groups (EPGs) and for traffic steering – if not permitted, traffic is dropped
• Integrate SDN system with Cisco Identity Services Engine (ISE) for device profiling, user authentication, SGT, TrustSec tagging
• Traffic steering toward firewall or content filter, security service insertion between client and server
© 2017 Global Technology Resources, Inc. All Rights Reserved. 17
SDN Switches As Firewalls?
© 2017 Global Technology Resources, Inc. All Rights Reserved. 18
SDN Controller
Network ElementNetwork Element
SDN LayerNorthbound API
Southbound API
Controller Layer
Data Plane LayerAgent
AgentAgent
Agent
Network ElementNetwork Element
Network ElementNetwork Element
Network ElementNetwork Element
Software-Defined Perimeter (SDP)
Software Defined Perimeter (SDP)
• Cloud Security Alliance (CSA) SDP Working Group• https://cloudsecurityalliance.org/group/software-defined-perimeter/
© 2017 Global Technology Resources, Inc. All Rights Reserved. 19
on-demand, dynamically-provisioned, air gapped networks
Network Segmentation with SDN• Separating the network into logically separated networks• Network Slicing, Campus Slicing, Secured Enclaves, Micro-
Segmentation, Virtual Routing and Forwarding, etc.• Done by adding a slicing layer between the control plane and
the data plane, policies are slice-specific• Enforce strong isolation between slices - actions in one slice
do not affect another (Flowspace)• Examples: Cisco XNC with Networking Slicing application,
FlowVisor is a special purpose OpenFlow controller that acts as a transparent proxy between OpenFlow switches and multiple OpenFlow controllers
© 2017 Global Technology Resources, Inc. All Rights Reserved. 20
Network Segmentation with SDN• “Network Slicing” Use Case
© 2017 Global Technology Resources, Inc. All Rights Reserved. 21
Source: Cisco Extensible Network Controller Topology-Independent Forwarding and Network Slicing Applicationshttp://www.cisco.com/en/US/prod/collateral/netmgtsw/ps13397/ps13400/data_sheet_c78-729458.pdf
Network Segmentation with SDN• FlowVisor
performs policy checks across flowspace and enforces isolation between each slice
© 2017 Global Technology Resources, Inc. All Rights Reserved. 22
Source: Can the Production Network Be the Testbed?By Rob Sherwood, Glen Gibb, Kok-Kiong Yap, Guido Appenzeller ,Martin Casado, Nick McKeown, Guru Parulkar
DDoS Mitigation with SDN• SDN can be used to create a DDoS mitigation system• SDN network sends DDoS telemetry data to the DDoS
detection system (volumetric, app attacks, protocol DDoS)• DDoS detection system communicates with northbound API
which configures the policy on the controller for the destination of the attack
• SDN controller sends flows to network devices to drop suspicious inbound traffic toward victim
• Cleaned traffic is allowed to pass toward the destination• Examples: Radware Defense Flow, Radware Defense4All in
ODL Helium, A10 Networks Thunder Threat Protection System, Dispersive Technologies, others…
© 2017 Global Technology Resources, Inc. All Rights Reserved. 23
DDoS Mitigation with SDN• Radware
DefenseFlowintegrates with Cisco’s XNC, OpenDaylight, BigSwitch Floodlight, and NEC’s ProgrammableFlowOpenFlow-based switches and controller
© 2017 Global Technology Resources, Inc. All Rights Reserved. 24Source: http://www.radware.com/Products/DefenseFlow/
Network Access Control (NAC) with SDN• SDN systems can prevent unauthorized access or isolate
compromised hosts to a quarantine network, Automated Malware Quarantine (AMQ)
• SDN systems can intervene in assigning addresses to nodes joining network based on their security posture
• Authenticated end nodes are able to send/receive if they pass security checks (AV running/updated, patched, registry key, …)
• End nodes can only send/receive with their assigned IP/MAC addresseso Source Address Validation Improvements (SAVI) and First Hop Security (FHS)o Direct end-node traffic to Cisco Cloud Threat Defense system, detect the
issue, check with ISE, set SGT=BAD, to contain the traffic• Examples: Cisco Cloud Threat Defense, HP VAN Sentinel Security
Application
© 2017 Global Technology Resources, Inc. All Rights Reserved. 25
SDN Security Components
© 2017 Global Technology Resources, Inc. All Rights Reserved. 26Source: 2014 Cisco Live BRKSEC-2760
Security Monitoring with SDN• Switches often lack sufficient resources to perform
packet/port mirroring/tapso Every IT silo/team wants their own tap/SPAN session (Network Packet
Broker (NPB))• Bi-directional packet capture is much better than NetFlow• Dedicated copper/optical packet monitoring switches can be
very expensive, many taps are required – no blocking ability• Tap Aggregation is an application that is simple for a SDN
controller and uses low-cost SDN-capable network devices• Examples: Cisco XNC with Monitor Manager and Nexus 3000
Tap Aggregation Switch, BigSwitch Big Tap Monitoring Fabric, Microsoft Distributed Ethernet Monitoring (DEMon)
© 2017 Global Technology Resources, Inc. All Rights Reserved. 27
Using SDN to Create a Packet Monitoring Systemhttp://www.networkworld.com/article/2226003/cisco-subnet/using-sdn-to-create-a-packet-monitoring-system.html
Security Monitoring with SDN• Cisco XNC Monitor Manager, Cisco Nexus Data Broker
© 2017 Global Technology Resources, Inc. All Rights Reserved. 28
Source: Cisco Nexus Data Brokerhttp://www.cisco.com/c/en/us/products/cloud-systems-management/nexus-data-broker/index.html
Moving Target IPv6 Defense (MT6D)• MT6D is a system created by
graduate students in the Information Technology Security Laboratory at Virginia Tech to obscure IPv6 addresses
• Periodically hiding/changing characteristics of victim to make it more difficult to find/attack
© 2017 Global Technology Resources, Inc. All Rights Reserved. 29Source: http://www4.ncsu.edu/~hp/Panos.pdf
Improved Security Through Automation• Concept of applying security through automation, CI-CD,
short-lived containers or cloud instances• Idempotency of automation tools like Puppet, Chef, Ansible
can restore configurations if out of alignment with manifests, playbooks, recipes
• “Infrastructure as Code” with security baked in from inception• Security can be “provable” and accelerate compliance audits• DevNetSecOps means teams must integrate and collaborate
o Converge Your Teams for Greater SDN/NFV Benefitso https://communities.cisco.com/people/[email protected]/blog/2016/
06/14/converge-your-teams-for-greater-sdnnfv-benefits
© 2017 Global Technology Resources, Inc. All Rights Reserved. 30
SDN Security Summary• SDN has the potential to provide many new creative
ways to connect and secure systems• SDN represents a new way of thinking, we all need to be
cognizant about this technology shift
• Heads: SDN systems are vulnerable to threats, but SDN implementations can be hardened against security attacks
• Tails: SDN systems can provide innovative security applications that are not possible with traditional methods
© 2017 Global Technology Resources, Inc. All Rights Reserved. 31
SDN & Security Resources• Solution Brief: SDN Security Considerations in the Data Center
o https://www.opennetworking.org/solution-brief-sdn-security-considerations-in-the-data-center
• SDN Security Challenges in SDN Environmentso https://www.sdxcentral.com/resources/security/security-challenges-sdn-software-
defined-networks/• SDN Security Attack Vectors and SDN Hardening
o http://www.networkworld.com/article/2840273/sdn/sdn-security-attack-vectors-and-sdn-hardening.html
• With Cisco ACI, Do You Still Need A Firewall?o https://cisco-
marketing.hosted.jivesoftware.com/people/[email protected]/blog/2015/03/02/with-cisco-aci-do-you-still-need-a-firewall
• Is an SDN Switch A New Form of a Firewall?o http://www.networkworld.com/article/2905257/sdn/is-an-sdn-switch-a-new-form-of-
a-firewall.html
© 2017 Global Technology Resources, Inc. All Rights Reserved. 32