The Security Challenges Of SDN And The Traditional Network

SDNs are next-generation networks. They provide high flexibility, reliability, and security. The main difference between an SDN and a traditional network is the separation of the control plane from the data plane. In an SDN, only the controller has decision-making capabilities, whereas the switches are responsible only for forwarding traffic. The controller and switches can be programmed dynamically, as needed. Applications communicate directly with the SDN controller via the northbound interface; this plane is also called the application plane. The SDN data plane, on the other hand, communicates with the controller via the southbound interface. The data plane contains the hardware infrastructure of the SDN (e.g. routers, switches, etc.). The controller is a software program that controls the …
The current SDN standard (OpenFlow) does not cover the security aspects of the architecture [Scott2015]. In this section, we briefly discuss the security challenges of SDN.

Some of the security threats to SDN are not new. They already exist in traditional networks, but their effect is far more devastating in an SDN. A DoS/DDoS attack is neither new nor specific to SDN, but its effect is amplified several fold. If a DDoS attack is launched against the controller from the southbound interface, its effect on the network is much worse than that of an attack against a single node in a traditional network. Likewise, if a controller spoofing attack launched from the northbound interface succeeds, practically the entire network is compromised [Zhiyuan2015].

SDN also presents some new and unique security challenges. Applications dictate their networking requirements to the controller via the northbound APIs. In response, the controller converts those requirements into flows and installs them in the switches. A malicious application can overwrite existing policies/rules and make the network vulnerable (e.g. overwrite an old security rule with a new rule that bypasses the firewall). There is no security mechanism in place to stop this kind of policy
An attacker can find out the action a switch takes on a specific packet (drop, forward, or send it to the controller) by analysing processing times. Having discovered the action, the attacker can craft packets that will be forwarded to the controller, which could lead to a DDoS attack on the SDN controller [Scott2015].
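The controller-side detection a defender would want for the packet-in floods described in the two passages above (a southbound DDoS against the controller, and crafted table-miss packets), as an added example that is not part of the original essay. The event tuples, switch names and MAC addresses are constructed here; a real deployment would feed the function from the controller's packet-in handler.

```python
from collections import defaultdict, deque

def build_sample_events():
    """Constructed packet-in events as (time_s, switch_id, src_mac) tuples.
    Switch s1 sees ordinary table misses from three hosts; switch s2 sees a burst
    of 120 packet-ins in under half a second, each with a different source MAC."""
    events = [(0.05 * i, "s1", f"00:00:00:00:00:0{i % 3 + 1}") for i in range(20)]
    events += [(0.004 * i, "s2", f"02:00:00:00:{i // 256:02x}:{i % 256:02x}") for i in range(120)]
    return events

def detect_packet_in_flood(events, window_s=1.0, max_per_window=50, spoof_ratio=0.8):
    """Slide a time window over packet-in events per switch and return one alert per
    switch whose packet-in count exceeds `max_per_window` inside `window_s` seconds.
    The share of distinct source MACs in the burst is reported as well: legitimate
    table misses come from a few real hosts, whereas a crafted flood typically varies
    header fields so that every packet misses the flow table and reaches the controller."""
    windows = defaultdict(deque)   # switch_id -> (time, src_mac) events inside the window
    alerts, alerted = [], set()
    for t, sw, mac in sorted(events):
        q = windows[sw]
        q.append((t, mac))
        while t - q[0][0] > window_s:   # drop events that fell out of the window
            q.popleft()
        if len(q) > max_per_window and sw not in alerted:
            uniq_ratio = len({m for _, m in q}) / len(q)
            alerts.append({"switch": sw, "at": round(t, 3), "count": len(q),
                           "unique_src_ratio": round(uniq_ratio, 2),
                           "likely_spoofed": uniq_ratio >= spoof_ratio})
            alerted.add(sw)
    return alerts

if __name__ == "__main__":
    for alert in detect_packet_in_flood(build_sample_events()):
        print(alert)
```

The thresholds are placeholders; in practice they are tuned per switch from a baseline of normal table-miss rates, and an alert would feed a rate limit on the switch's packet-in channel rather than just a log line.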

Misconfiguration of policies can be an issue in SDN. Policies are updated continuously as new security threats are detected. If network or security policies are inconsistent, the network is exposed to potential vulnerabilities and attacks. Currently, OpenFlow offers no protection against such policy misconfiguration.
Another concern for SDN is system-level security. The system should be able to provide a network audit at all times (e.g. which devices are up or down, the network state, etc.). This can be a challenging task. For example, OpenFlow supports a fail-secure mode for switches: if they are disconnected from the controller, they can choose to operate on their internal logic, which might not be the desired behaviour. Therefore, it is important to understand the forwarding behaviour of a switch during interruptions, because in order to provide auditing and accountability such information should be managed by the
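A rule-conflict check of the kind the essay says OpenFlow lacks, covering both the malicious-application case above (a new rule overriding a firewall rule) and the policy-inconsistency case in this paragraph; this is an added example, not code from the original essay or from any controller. The table entries, rule names and match fields are constructed in an OpenFlow-like shape, not a real controller's API.

```python
# Constructed flow entries: priority, match fields (an absent field is a wildcard), action.
TABLE = [
    {"name": "deny-telnet", "priority": 100, "action": "drop",
     "match": {"eth_type": 0x0800, "ip_proto": 6, "tcp_dst": 23}},
    {"name": "allow-web", "priority": 50, "action": "forward",
     "match": {"eth_type": 0x0800, "ip_proto": 6, "tcp_dst": 80}},
]

def overlaps(m1, m2):
    """Two matches overlap when every field they both specify has the same value."""
    return all(m1[k] == m2[k] for k in m1.keys() & m2.keys())

def covers(broad, narrow):
    """`broad` matches every packet `narrow` matches when its constraints are a subset."""
    return broad.items() <= narrow.items()

def audit_new_rule(table, new):
    """Report how a proposed rule interacts with the existing drop (security) rules.
    OpenFlow picks the highest-priority matching entry, so a higher-priority forward
    rule that overlaps a drop rule lets traffic bypass it; an add with identical match
    and priority silently replaces the old entry; equal priorities with overlapping
    but different matches leave the outcome undefined unless the switch checks overlap."""
    findings = []
    for old in table:
        if old["action"] != "drop" or new["action"] == "drop":
            continue   # only forward-type rules can weaken a drop rule
        if not overlaps(old["match"], new["match"]):
            continue   # disjoint traffic, no interaction
        if new["priority"] > old["priority"]:
            kind = "shadows" if covers(new["match"], old["match"]) else "partially_bypasses"
        elif new["priority"] == old["priority"]:
            kind = "replaces" if new["match"] == old["match"] else "ambiguous"
        else:
            continue   # lower priority: the drop rule still wins for overlapping packets
        findings.append((kind, old["name"]))
    return findings

if __name__ == "__main__":
    broad = {"priority": 200, "action": "forward", "match": {"eth_type": 0x0800}}
    print(audit_new_rule(TABLE, broad))   # [('shadows', 'deny-telnet')]
```

A controller can run this check in the northbound path before installing an application's flow and refuse, or at least log, any rule that shadows or partially bypasses a security rule.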
