SDN security

SDNs that use the OpenFlow control protocol have a number of properties that are well suited to building a secure and manageable computing environment:

  • The data-flow paradigm is more convenient for providing security, because it offers a service-oriented model of end-to-end connections that is free of traditional routing restrictions.
  • Logically centralized management makes it possible to defend the network effectively and to monitor emerging threats across the whole network.
  • Granular security policy can be based on the problems being solved, the services currently in use, and organizational and geographical criteria rather than on the physical configuration.
  • The shift to management through programming allows dynamic and flexible configuration of the security policy.


The following work is being carried out on this topic:

  • Development of a system for controlling application access to controller resources
    To implement their logic, SDN applications gain access to various kinds of operations on network and controller resources, including critical ones. Like any other software, SDN applications can contain errors and vulnerabilities that lead to unplanned application behavior. Therefore, to meet information security requirements, SDN controllers must enforce access policies for the management interfaces of network devices and controller resources.
  • Analysis of SDN protocol security
    SDN protocols provide direct access to, and the ability to manipulate, the data plane of the entire network. Exploitation of possible vulnerabilities in these protocols can lead not only to the capture of individual network devices but also to the compromise of the entire network. Therefore, to avoid the negative consequences of computer attacks, the security of SDN protocols must be analyzed.
  • Development of intrusion detection systems
    The transition to the SDN ideology makes it possible to move a number of functions currently performed by separate specialized devices into the SDN control plane. Such solutions can be more effective and also have a number of technical and economic advantages. One of these functions can be intrusion detection.
  • Detection of compromised switches in SDN
    Like any other software or hardware, SDN switches can contain errors that lead to vulnerabilities, whose exploitation can let an attacker take over an SDN switch. Although network management functions are moved to the controller, an attacker compromising even one switch can disrupt the network's operation or breach the security of the data transmitted over it. Therefore, methods are needed that help detect compromised switches.
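Two consistency checks a controller can run to flag a switch whose data plane has diverged from what the controller installed, added here as an illustration and not the project's own code. The record of installed rules, the collection of flow tables and port counters via OpenFlow statistics requests, and the sample rules and counters are all hypothetical and constructed.

```python
"""Controller-side consistency checks for a switch whose data plane no longer
matches what the controller installed.  Added example, not the project's code.
Assumption (hypothetical): the controller records every rule it installs per
switch and periodically collects each switch's flow table and port counters via
OpenFlow statistics requests; both are modelled here as plain Python data."""
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowRule:
    match: tuple      # e.g. (("in_port", 1), ("ipv4_dst", "10.0.0.5"))
    actions: tuple    # e.g. (("output", 2),)
    priority: int = 0

def reconcile_flow_table(installed, reported):
    """Diff the rules the controller installed against the switch's own report.
    Keyed on (match, priority): same key with different actions is 'modified',
    i.e. the switch handles that traffic differently than configured."""
    exp = {(r.match, r.priority): r for r in installed}
    rep = {(r.match, r.priority): r for r in reported}
    return {
        "missing": [exp[k] for k in exp.keys() - rep.keys()],
        "unexpected": [rep[k] for k in rep.keys() - exp.keys()],
        "modified": [(exp[k], rep[k]) for k in exp.keys() & rep.keys()
                     if exp[k].actions != rep[k].actions],
    }

def check_links(links, tx, rx, tolerance=0):
    """The flow table is self-reported, so a compromised switch can lie about it.
    Cross-check each link from the other end: packets a port claims to have sent
    should be counted as received on the peer port over the same interval.
    Counters are {(dpid, port): count}; a shortfall above `tolerance` means at
    least one endpoint's report is wrong (or the link drops) and needs a look."""
    suspects = []
    for a, b in links:
        for src, dst in ((a, b), (b, a)):
            shortfall = tx[src] - rx[dst]
            if shortfall > tolerance:
                suspects.append((src, dst, shortfall))
    return suspects

# Constructed sample: the controller installed one rule on switch 2 forwarding
# 10.0.0.5 traffic to port 2; the switch reports it going to port 3 and carries
# an extra catch-all rule the controller never sent.
RULE = FlowRule((("in_port", 1), ("ipv4_dst", "10.0.0.5")), (("output", 2),), 10)
INSTALLED = {RULE}
REPORTED = {FlowRule(RULE.match, (("output", 3),), 10),
            FlowRule((("in_port", 1),), (("output", 3),), 0)}
LINKS = [((1, 1), (2, 1))]          # port 1 of switch 1 <-> port 1 of switch 2
TX = {(1, 1): 1000, (2, 1): 990}    # packets each port claims to have sent
RX = {(2, 1): 1000, (1, 1): 600}    # packets each port claims to have received
```

Both checks only localize a disagreement; confirming which endpoint is at fault still needs an independent observation, for example probe packets injected by the controller and traced across the path.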


Publications:

The task of detecting compromised switches in SDN networks (in Russian)
Investigation of Man-in-the-Middle attack methods in software-defined networks (in Russian)
Ensuring control of application access to the controller resources in software-defined networks (in Russian)