The Security Challenges Of SDN And The Traditional Network

SDNs are next-generation networks. They provide high flexibility, reliability, and security. The main difference between SDN and the traditional network is the separation of the control and data planes. In SDN, only the controller has decision-making capabilities, whereas switches are responsible for traffic forwarding. The controller and switches can be programmed dynamically or as needed. Applications communicate directly with the SDN controller via the northbound interface; this plane is also called the application plane. The SDN data plane, on the other hand, communicates via the southbound interface. The data plane contains the hardware infrastructure of the SDN (e.g. routers, switches, etc.). The controller is a software program that controls the …
The current SDN standard (OpenFlow) does not cover the security aspects of the architecture [Scott2015]. In this section, we briefly discuss the security challenges of SDN.

Some of the security threats to SDN are not new. They already exist in traditional networks, but their effect is much more devastating for SDN. A DoS/DDoS attack is neither new nor limited to SDN, but its effect is amplified severalfold. If a DDoS attack is launched on the controller from the southbound interface, its effect on the network will be much worse than that of an attack against a single node in a traditional network. On the other hand, if a successful controller spoofing attack is launched from the northbound interface, then practically the entire network is compromised [Zhiyuan2015].

SDN also presents some new and unique security challenges. Applications can dictate their networking requirements to the controller via northbound APIs. In response, the controller converts those requirements into flows and installs them in the switches. Any malicious application can overwrite past policies/rules and make the network vulnerable (e.g. overwrite an old security rule with a new rule that bypasses the firewall). There is no security mechanism in place to stop this kind of policy …
An attacker can find out the action taken by the switch on a specific packet (drop, forward, or send it to the controller) through processing-time analysis. Having discovered the action, the attacker can easily craft a packet that will be forwarded to the controller. This could lead to a DDoS attack on the SDN controller [Scott2015].

Misconfiguration of policies can be an issue in SDN. These policies are updated continuously as new security threats are detected. If there is an inconsistency in network or security policies, it can open the network to potential vulnerabilities and attacks. Currently, there is no protection from such misconfiguration of policies in OpenFlow.
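
An added example, not part of the original essay, of the kind of admission check the policy-overwrite and misconfiguration paragraphs above say is missing: a rule requested through the northbound API is compared against rules owned by a security application and rejected if it would override or shadow one. The rule fields, the `firewall` owner label and the sample table are assumptions made for illustration; highest-priority-wins matching follows OpenFlow.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

@dataclass(frozen=True)
class FlowRule:
    owner: str             # requesting application (hypothetical label)
    priority: int          # higher priority wins when matches overlap
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: Optional[str]   # "tcp", "udp", or None for any
    dport: Optional[int]   # destination port, or None for any
    action: str            # "drop" or "forward"

def _field_overlaps(a, b):
    # None is a wildcard; two concrete values overlap only when equal.
    return a is None or b is None or a == b

def overlaps(a: FlowRule, b: FlowRule) -> bool:
    """True if at least one packet can match both rules."""
    return (ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and _field_overlaps(a.proto, b.proto)
            and _field_overlaps(a.dport, b.dport))

def find_conflicts(table, new, trusted_owners=frozenset({"firewall"})):
    """Security rules that `new` would override (equal or higher priority,
    overlapping match, different action). Trusted owners are exempt."""
    if new.owner in trusted_owners:
        return []
    return [r for r in table
            if r.owner in trusted_owners
            and r.action != new.action
            and new.priority >= r.priority
            and overlaps(r, new)]

def admit(table, new):
    """Install `new` only if it conflicts with no security rule."""
    conflicts = find_conflicts(table, new)
    if conflicts:
        return False, conflicts
    table.append(new)
    return True, []

# Constructed sample: the firewall app blocks Telnet into the server subnet.
TABLE = [FlowRule("firewall", 200, "0.0.0.0/0", "10.0.1.0/24", "tcp", 23, "drop")]
```
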
Another concern for SDN is system-level security. It should be able to provide a network audit at all times (e.g. which devices are up or down, network state, etc.). This can be a challenging task. For example, OpenFlow supports a fail-secure mode for switches: if they are disconnected from the controller, they can choose to operate on their internal logic, which might not be the desired behavior. Therefore, it is important to understand the forwarding behavior of the switch during interruptions, because in order to provide auditing and accountability such information should be managed by the
