Security threats and countermeasures of SDN (Software Defined Network)



Security for SDN (Software Defined Networks)
SDN (Software Defined Networks) is a network architecture that handles network dynamics through software-enabled control. Security for SDN has become an important concern. This post discusses the security threats to SDN and their effects, and then the SDN security controls that counter them.
·        Security threats: denial of service (DoS), information disclosure, spoofing, tampering, repudiation, elevation of privilege.
·        Security controls: access control, firewalls, IDS (intrusion detection system), IPS (intrusion prevention system), policy management and auditing.

STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) is a threat classification model developed by Microsoft for reasoning about computer security threats.




SDN security threats and countermeasures:
We use the STRIDE threat model to analyze the types of threats to which SDN networks are exposed. This model is generic and applies to all networks. Attacks can also be classified by the SDN resource they target: for example, attacks on switches, which target their flow tables, and attacks on controllers, which target the central point of management.

·        Spoofing: network identifiers such as IP addresses, MAC addresses and ARP entries are deliberately forged to hide the attacker's identity. Spoofing is a component of larger attacks such as DNS amplification, Smurf and SYN flooding, and spoofed addresses are used to launch distributed denial of service (DDoS) attacks. Today spoofing mostly means IP spoofing and ARP spoofing (packet-level attacks). To prevent unauthorized intrusion, strong passwords and encryption should be enforced. IP validation methods are used to counter IP spoofing. Another countermeasure is the Software Defined Filtering Architecture (SEFA), which addresses both IP-based and router-based spoofing: when a spoofing occurrence is detected, SEFA adds filtering rules.
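As an added illustration of ingress IP validation (this is example code written for this post, not SEFA's own implementation, which is not shown here), the following Python keeps a table of which host (MAC, IP) is expected on each switch port, checks every packet-in event against it, and generates a drop rule for a source that does not match its port. The class and function names, the binding table and the packet events are all constructed for the example; the rule format is an OpenFlow-style dictionary, not a real controller API.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PacketIn:
    """A packet-in event as the controller sees it (constructed for the example)."""
    dpid: int        # switch datapath id
    in_port: int     # ingress port on that switch
    src_mac: str
    src_ip: str


class SourceValidator:
    """Ingress source validation: a host may only send with the addresses bound to its port.

    Bindings would normally be learned (e.g. from DHCP) or configured by the
    operator; here they are supplied directly, which is an assumption of the example.
    """

    def __init__(self) -> None:
        self.bindings: dict[tuple[int, int], set[tuple[str, str]]] = {}
        self.filter_rules: list[dict] = []   # drop rules the controller would push

    def bind(self, dpid: int, in_port: int, src_mac: str, src_ip: str) -> None:
        self.bindings.setdefault((dpid, in_port), set()).add((src_mac.lower(), src_ip))

    def validate(self, pkt: PacketIn) -> bool:
        """True if the packet's source matches its port binding; otherwise add a filter rule."""
        allowed = self.bindings.get((pkt.dpid, pkt.in_port), set())
        if (pkt.src_mac.lower(), pkt.src_ip) in allowed:
            return True
        rule = {
            "dpid": pkt.dpid,
            "priority": 200,                       # above normal forwarding rules
            "match": {"in_port": pkt.in_port,
                      "eth_src": pkt.src_mac.lower(),
                      "ipv4_src": pkt.src_ip},
            "actions": [],                         # empty action list means drop
            "idle_timeout": 300,
        }
        if rule not in self.filter_rules:          # do not push the same rule twice
            self.filter_rules.append(rule)
        return False


def demo() -> tuple[bool, bool, int]:
    """One legitimate and one spoofed packet through the validator (constructed input)."""
    v = SourceValidator()
    v.bind(dpid=1, in_port=3, src_mac="02:00:00:00:00:03", src_ip="10.0.0.3")
    legit = PacketIn(1, 3, "02:00:00:00:00:03", "10.0.0.3")
    spoofed = PacketIn(1, 3, "02:00:00:00:00:03", "10.0.0.9")   # claims a neighbour's IP
    return v.validate(legit), v.validate(spoofed), len(v.filter_rules)


if __name__ == "__main__":
    print(demo())   # (True, False, 1)
```

The rule is matched on the ingress port as well as the forged source, so a legitimate host that really owns 10.0.0.9 on another port is unaffected; the idle timeout lets the rule age out once the spoofed traffic stops.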

·        Tampering: network information such as access lists, flows in flow tables, topology and policies is modified or destroyed. For example, injecting flow rules causes the network to misbehave, and injecting firewall rules admits illegitimate hosts. SDN, with its flow-based traffic management, can prevent unintended traffic tampering.
For some integrity attributes, packets can be inspected before they travel through a medium. Tampering can be mitigated by monitoring computers and distributing auditing across many network points: if one point is attacked, the other network points can be used to detect and correct the tampering. Transport Layer Security (TLS) is used to protect against tampering.

·        Repudiation: one of the entities denies having been part of a communication. Non-repudiation is a legal concept that aims to ensure such denial cannot succeed. The receiver needs to verify that packets were sent by the actual sender named in the packet header, and the sender needs to verify that packets were delivered to the actual receiver named in the packet header. Non-repudiation is about accountability: it holds individual entities responsible for their actions.

·        Information disclosure: these attacks do not aim to destroy the network directly but to spy on network information. Attackers first try to sniff network information such as communication details between nodes, the topology and node features. The impact of the SDN architecture on scanning attacks is mixed. In SDN, switches hold flow rules. The Man in the Middle (MiM) attack is an information disclosure attack. There are two kinds of countermeasures:
1.     Scanning countermeasures: scanning is the initial step of these attacks; network scanners are used to find potential information leakage and vulnerabilities. Encryption is used to counter scanning attacks.
2.     Information disclosure countermeasures: white listing and black listing of IP and MAC addresses can be used to filter traffic. They are also used in OpenFlow networks.
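The white/black listing described in countermeasure 2, as an added example written for this post rather than code from any controller project: a controller-side filter that holds allow and deny lists on both IP ranges and MAC addresses, decides per source whether to forward or drop, and turns the decision into an OpenFlow-style flow rule. Deny entries always win; if any allow entries exist, the filter works in allow-list mode and anything unlisted is dropped. The class name, the sample addresses and the rule dictionary format are assumptions of the example.

```python
import ipaddress
from typing import Iterable


class AddressListFilter:
    """Allow/deny-list filter on source IP and MAC, applied by the controller per source.

    Precedence: a deny match drops. Otherwise, if any allow entries exist the
    filter is in allow-list mode and unlisted sources drop; with no allow
    entries (deny-list mode) unlisted sources are forwarded.
    """

    def __init__(self, allow_ips: Iterable[str] = (), deny_ips: Iterable[str] = (),
                 allow_macs: Iterable[str] = (), deny_macs: Iterable[str] = ()) -> None:
        self.allow_nets = [ipaddress.ip_network(n, strict=False) for n in allow_ips]
        self.deny_nets = [ipaddress.ip_network(n, strict=False) for n in deny_ips]
        self.allow_macs = {m.lower() for m in allow_macs}
        self.deny_macs = {m.lower() for m in deny_macs}

    def decide(self, src_ip: str, src_mac: str) -> str:
        """Return "forward" or "drop" for a source (IP, MAC) pair."""
        ip = ipaddress.ip_address(src_ip)
        mac = src_mac.lower()
        if mac in self.deny_macs or any(ip in net for net in self.deny_nets):
            return "drop"
        if self.allow_nets or self.allow_macs:
            listed = mac in self.allow_macs or any(ip in net for net in self.allow_nets)
            return "forward" if listed else "drop"
        return "forward"

    def flow_rule(self, src_ip: str, src_mac: str, out_port: int) -> dict:
        """Flow rule the controller would install for this source (OpenFlow-style dict)."""
        verdict = self.decide(src_ip, src_mac)
        return {
            "match": {"eth_src": src_mac.lower(), "ipv4_src": src_ip},
            "actions": [{"output": out_port}] if verdict == "forward" else [],  # [] = drop
            "priority": 100,
        }


def demo() -> list[str]:
    """Decisions for a constructed set of sources against constructed lists."""
    f = AddressListFilter(allow_ips=["10.0.0.0/8"], deny_ips=["10.0.66.0/24"],
                          deny_macs=["de:ad:be:ef:00:01"])
    samples = [  # constructed (ip, mac) pairs
        ("10.0.1.20", "02:00:00:00:00:20"),   # inside the allowed range
        ("10.0.66.5", "02:00:00:00:00:21"),   # denied subnet nested inside the allowed range
        ("10.0.2.30", "DE:AD:BE:EF:00:01"),   # allowed IP but denied MAC (case-insensitive)
        ("192.0.2.7", "02:00:00:00:00:22"),   # not on the allow list at all
    ]
    return [f.decide(ip, mac) for ip, mac in samples]


if __name__ == "__main__":
    print(demo())   # ['forward', 'drop', 'drop', 'drop']
```

Checking the deny lists before the allow lists is what makes a deny subnet nested inside an allowed range behave as an operator expects; MAC comparison is normalized to lower case so a mixed-case address in a packet cannot slip past the list.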

·        DoS: DoS stands for denial of service; it is basically flooding the network with requests. These attacks are the most dangerous threats to network performance: they increase latency and cause legitimate packets to be dropped, and a DoS attack may disable the whole network or stop it from functioning. All DoS attacks can be detected from flow-level information. Another simple detection method is to keep monitoring how traffic flows: a threshold value is specified for what counts as large, abnormal traffic, and once this threshold is exceeded a DoS occurrence is notified and the controller inserts a flow rule to drop the packets.
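The threshold-based detection just described, as an added example written for this post (not code from any SDN controller): the controller polls per-source packet counters from the switches at a fixed interval, converts the difference between two polls into a packets-per-second rate, flags sources above the threshold, and builds the drop rule it would install. The threshold, the polling interval, the counter samples and the rule format are constructed assumptions; the example also handles a counter that went backwards (flow entry expired and was re-created, or the switch restarted), which a naive subtraction would turn into a negative rate.

```python
def flow_rates(prev: dict[str, int], curr: dict[str, int], interval_s: float) -> dict[str, float]:
    """Packets per second per source between two consecutive flow-stats polls.

    prev/curr map source IP -> cumulative packet count reported by the switch.
    A counter lower than its previous value means the flow entry was reset,
    so the whole current count is treated as new traffic.
    """
    rates = {}
    for src, count in curr.items():
        delta = count - prev.get(src, 0)
        if delta < 0:
            delta = count
        rates[src] = delta / interval_s
    return rates


def detect_floods(prev: dict[str, int], curr: dict[str, int],
                  interval_s: float, threshold_pps: float) -> list[str]:
    """Sources whose packet rate exceeds the abnormal-traffic threshold, sorted for stable output."""
    return sorted(src for src, pps in flow_rates(prev, curr, interval_s).items()
                  if pps > threshold_pps)


def drop_rule(src_ip: str, hard_timeout: int = 60) -> dict:
    """OpenFlow-style drop rule for one flooding source (format assumed for the example)."""
    return {
        "priority": 300,                                       # beats normal forwarding rules
        "match": {"eth_type": 0x0800, "ipv4_src": src_ip},     # IPv4 from this source
        "actions": [],                                         # no actions = drop
        "hard_timeout": hard_timeout,                          # re-evaluate after a minute
    }


def demo() -> tuple[list[str], list[dict]]:
    """Two constructed stats polls 10 s apart with a 1000 pps threshold."""
    prev = {"10.0.0.5": 1_000, "10.0.0.7": 500}
    curr = {"10.0.0.5": 61_000,   # 60 000 packets in 10 s = 6000 pps: flood
            "10.0.0.7": 800,      # 30 pps: normal
            "10.0.0.9": 300}      # new source, 30 pps: normal
    flooders = detect_floods(prev, curr, interval_s=10.0, threshold_pps=1000)
    return flooders, [drop_rule(s) for s in flooders]


if __name__ == "__main__":
    print(demo()[0])   # ['10.0.0.5']
```

Using a hard timeout rather than a permanent rule means a source that was briefly misclassified regains service automatically, while a continuing flood is simply re-detected at the next poll and the rule re-installed.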


·        Elevation of privilege: in this attack, the attacker tries to gain access to system resources and applications that require special permission once inside the system. Detecting privilege elevation attacks requires a robust and intelligent auditing process. A fine-grained RBAC system based on OpenFlow was proposed earlier; it emphasizes authorization on a per-flow basis rather than on a per-user or per-host basis. The advantage of this flow-based authentication is that a user is verified frequently, flow by flow.
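An added example of the flow-by-flow authorization idea, written for this post and not taken from the RBAC proposal mentioned above: each new flow arriving at the controller is checked against the role of the user currently authenticated at its source address, so a guest account cannot open a flow that only an administrator role permits, and a flow from an address with no live session is refused outright. Role names, permissions, addresses and sessions are constructed assumptions; in a real deployment the session table would be fed by the authentication system.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Key fields of a new flow as seen in a packet-in (constructed for the example)."""
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int


class FlowRBAC:
    """Per-flow authorization against the role of the user behind the source address."""

    def __init__(self, role_permissions: dict[str, set[tuple[str, int]]]) -> None:
        self.role_permissions = role_permissions   # role -> {(proto, dst_port), ...}
        self.user_roles: dict[str, str] = {}       # user -> role
        self.sessions: dict[str, str] = {}         # src_ip -> authenticated user

    def grant(self, user: str, role: str) -> None:
        self.user_roles[user] = role

    def login(self, src_ip: str, user: str) -> None:
        self.sessions[src_ip] = user

    def logout(self, src_ip: str) -> None:
        self.sessions.pop(src_ip, None)

    def authorize(self, flow: Flow) -> bool:
        """Decide one flow; called again for every new flow, never cached per host."""
        user = self.sessions.get(flow.src_ip)
        if user is None:                            # no live session behind this address
            return False
        role = self.user_roles.get(user)
        return (flow.proto, flow.dst_port) in self.role_permissions.get(role, set())


def demo() -> list[bool]:
    """Guest vs. admin trying web and SSH flows, then the guest after logout."""
    web_only = {("tcp", 80), ("tcp", 443)}
    rbac = FlowRBAC({"guest": web_only, "admin": web_only | {("tcp", 22)}})
    rbac.grant("alice", "guest")
    rbac.grant("bob", "admin")
    rbac.login("10.0.0.10", "alice")
    rbac.login("10.0.0.11", "bob")
    web = Flow("10.0.0.10", "10.0.0.50", "tcp", 80)
    ssh_guest = Flow("10.0.0.10", "10.0.0.50", "tcp", 22)   # guest asking for an admin flow
    ssh_admin = Flow("10.0.0.11", "10.0.0.50", "tcp", 22)
    results = [rbac.authorize(web), rbac.authorize(ssh_guest), rbac.authorize(ssh_admin)]
    rbac.logout("10.0.0.10")
    results.append(rbac.authorize(web))                      # same flow, session gone
    return results


if __name__ == "__main__":
    print(demo())   # [True, False, True, False]
```

Because the decision is taken per flow and re-reads the session table each time, a change of role or a logout takes effect on the very next flow rather than persisting for as long as a host-level grant would.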
 
