Comparative Security Analysis of Software Defined Wireless Networking (SDWN): BGP and NETCONF Protocols

Paper ID: 236. Session: Security and Information Assurance. The 19th International Conference on Computer and Information Technology (ICCIT 2016), December 18th-20th, ICCIT, Dhaka, Bangladesh.



Page 2: Title

Security Analysis of Software Defined Wireless Networking (SDWN) - BGP and NETCONF Protocols

Authors: Asma Islam Swapna, Mainul Kabir Aion, MD Rezaul Huda Reza
Affiliations: Mawlana Bhashani Science and Technology University, Bangladesh; BAC IT, Bangladesh; University of Derby, England

Page 3: Presentation Summary

• SDN?
• SDWN?
• Emerging SDWN protocols
• SDWN security aspects
• BGP DFD
• NETCONF DFD
• STRIDE and DFD
• BGP STRIDE analysis
• NETCONF STRIDE analysis
• Evaluation
• Conclusion
• References

Page 4: Software Defined Networking (SDN) - Current Network

Figure: today's network as a set of boxes, each of specialized packet forwarding hardware with its own operating system and its own apps; millions of lines of source code, billions of gates. Limitations?

Source: Open Networking Foundation newsletter

Page 5: Software Defined Networking (SDN)

Figure: the SDN architecture. Control programs run on a network operating system that holds a global network view; the network operating system controls the forwarding hardware through a forwarding interface (the southbound protocols).

Solution! An operating system for networks: SDN provides network administration with full hardware accessibility.

Source: Open Networking Foundation newsletter

Page 6: Software Defined Networking (SDN) (Cont.)

• Direct programmability of the network plane
• Decouples the control plane from the data forwarding plane
• Agile
• Open standards-based and vendor-neutral

Enables: scalability, information hiding and network policy; complete resource utilization; expands from local to global and spans the business network.

Source: Open Networking Foundation newsletter

Page 7: Software Defined Wireless Networking

2G, 3G, 4G, 5G: billions of wirelessly connected mobile devices. More wireless capacity is needed, across heterogeneous networks (LTE, Wi-Fi, WiMAX).

Solution: SDN for wireless networks!
• An interface for controlling mobile nodes
• Customizable mobility management

Debut of pop in 2005, 2013

Page 8: Software Defined Wireless Networking (Cont.)

Underlying network security: a secured information flow and control plane
• The controller collects mobile node (MN) information for packet transmission
• Composed of north-south and east-west network dimensions
• Different protocols enable inter-controller communication in a large wireless network
• Leverages wireless mesh networks

Page 9: Emerging SDWN Protocols

The bigger the network, the greater the challenge in security management.

SDN architectures: 4D, PCE, SANE-based
SDN/SDWN protocols: BGP, OF-Config, NETCONF, NFV, OVSDB
Roles: efficient routing, configuring network devices, leveraging the SDWN/SDN controller

Source: McAfee Labs, 2015

Page 10: SDWN Security Aspects

Confidentiality, authenticity, integrity, availability, consistency

Source: L. Schehlmann and H. Baier, "Blessing or Curse? Revisiting Security Aspects of Software-Defined Networking," 2014.

Page 11: Challenge

Configuring and managing a large, scale-out, multi-domain, multi-controller SDWN against security attacks.

Figure: example deployment (network, load balancer, web server, memcache, application server, database)

BGP
• Efficient dynamic routing
• Suited to multi-AS, inter-domain deployments
• Simpler than OSPF
NETCONF
• Manipulates network device configuration
• XML-based encoding of protocol messages and configuration data
• Designed as the successor to SNMP and CLI scripting for configuration management (RFC 6241)

Page 12: BGP DFD

BGP is embedded with the switch and router in the SDWN.

Speaker (controller to switch)
• Sends BGP messages to the router/switch
• Speaks the Policy Information Base (PIB)
• Advertises routes to the BGP peers
Listener (switch to controller)
• Listens to the Policy Information Base (PIB)
• Sends BGP messages to the BGP controller
• Advertises flow configuration requests to the BGP controller
Controller
• Sets policies
• Exchanges BGP messages
• Encodes policy updates in BGP messages
• No individual per-flow response

BGP Data Flow Diagram

Page 13: NETCONF DFD

• Configures and manipulates SDWN devices
• The datastore holds the complete set of configuration data
• CRUD operations access the datastore
• The rpc element encodes a NETCONF request in XML
• Three configuration datastores: running, startup and candidate

NETCONF Data Flow Diagram (elements: NETCONF datastore, SDWN switch, SDWN controller)

• Session-oriented; every NETCONF message is a well-formed XML document
• A secure transport layer provides the communication path between client and server
• NACM (the NETCONF Access Control Model, RFC 8341) for authorization; SSH or TLS transport for peer authentication and a confidential, integrity-protected configuration channel

Page 14: Threat Models

Elicitation and analysis of security threats and mechanisms in deployed designs and networks
• DREAD: SQL injection, Microsoft, OpenStack
• OCTAVE: large systems and applications
• STRIDE: network systems and applications, Microsoft
• Generic Risk Model
• Guerrilla Threat Modeling
• Process for Attack Simulation and Threat Analysis (PASTA): risk management as the last stage
• Trike, etc.

Page 15: STRIDE & Data Flow Diagram (DFD)

DFD elements can be vulnerable to one or many STRIDE threats.

STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege

Figure: FlowVisor Data Flow Diagram

Name              STRIDE vulnerability  Definition
Data Flow         Yes                   Data sent among network elements
Data Store        Yes                   Stable (persistent) data
Process           Yes                   Programs or applications that configure the system
Interactors       Yes                   Endpoints outside the system's scope of control
Trust Boundaries  Yes                   Separation between trusted and untrusted elements of the system
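The slide says each DFD element type is exposed to one or more STRIDE threats but does not show how the per-element table is produced. The following Python is an added example, not the paper's code: it applies the standard Microsoft STRIDE-per-element chart (an assumption; the paper's table only records that each element type is exposed, not which letters) to the BGP DFD of page 12, and flags threats on flows that cross a trust boundary. Element names follow the slide; the trust zones assigned to them are assumptions.

```python
"""STRIDE-per-element enumeration over a DFD, applied to the BGP-in-SDWN DFD.

Added example (not the paper's code). Uses the Microsoft/Shostack
STRIDE-per-element chart, an assumption rather than the paper's own table.
"""
from dataclasses import dataclass

# Which STRIDE letters apply to each DFD element type (Microsoft STRIDE-per-element chart).
STRIDE_PER_ELEMENT = {
    "interactor": "SR",      # external entity: can be impersonated, can deny having acted
    "process":    "STRIDE",  # processes are exposed to all six
    "data_store": "TID",     # plus R when the store is an audit log
    "data_flow":  "TID",
}
THREAT = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str            # interactor | process | data_store
    zone: str            # trust domain; a flow between different zones crosses a trust boundary
    is_log: bool = False


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str


def bgp_dfd():
    """The BGP DFD of page 12 (names from the slide; zones are an assumption)."""
    elements = [
        Element("BGP controller", "process", "controller"),
        Element("BGP speaker (switch)", "process", "forwarding"),
        Element("RIB", "data_store", "forwarding"),
        Element("External BGP peer", "interactor", "external"),
    ]
    flows = [
        Flow("policy update (BGP messages)", "BGP controller", "BGP speaker (switch)"),
        Flow("flow configuration request", "BGP speaker (switch)", "BGP controller"),
        Flow("route advertisement", "External BGP peer", "BGP speaker (switch)"),
        Flow("RIB update", "BGP speaker (switch)", "RIB"),
    ]
    return elements, flows


def enumerate_threats(elements, flows):
    """Return (element_name, element_kind, threat, crosses_trust_boundary) tuples."""
    zone = {e.name: e.zone for e in elements}
    out = []
    for e in elements:
        letters = STRIDE_PER_ELEMENT[e.kind] + ("R" if e.kind == "data_store" and e.is_log else "")
        out += [(e.name, e.kind, THREAT[c], False) for c in letters]
    for f in flows:
        crosses = zone[f.src] != zone[f.dst]
        out += [(f.name, "data_flow", THREAT[c], crosses) for c in STRIDE_PER_ELEMENT["data_flow"]]
    return out


def threat_matrix(threats):
    """Collapse to the slide's table shape: threat -> set of exposed element kinds."""
    matrix = {name: set() for name in THREAT.values()}
    for _, kind, threat, _ in threats:
        matrix[threat].add(kind)
    return matrix


def boundary_crossing_threats(threats):
    """Threats on flows that cross a trust boundary; these are triaged first."""
    return [t for t in threats if t[3]]


if __name__ == "__main__":
    elems, flows = bgp_dfd()
    ts = enumerate_threats(elems, flows)
    for threat, kinds in threat_matrix(ts).items():
        print(f"{threat:24s} {', '.join(sorted(kinds))}")
    print(len(boundary_crossing_threats(ts)), "threats sit on trust-boundary crossings")
```

Running it prints a matrix of the same shape as the slide's per-element table, and the trust-boundary flag is what separates the controller-to-switch and peer-to-switch flows (which cross zones) from the switch's local RIB write (which does not).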

Page 16: BGP STRIDE Analysis

Mitigations
• Third-party deployment environment for data-flow security
• Transport-layer security on each flow to encrypt routing messages
• Access control mechanisms; SIDR (RPKI origin validation, BGPsec) can help secure the RIB
Weaknesses
• No individual flow update; a TCP reconnection is required
• Cleartext RIB and BGP messages
• Unauthorized access to SDWN devices
• No peer entity authentication
• RIB overflow

STRIDE threats per BGP DFD element (columns: Data Flow, Data Store, Process, Interactors)
Spoofing                YES
Tampering               YES   YES   YES
Repudiation             YES
Information Disclosure  YES
Denial of Service       YES   YES   YES
Elevation of Privilege  YES
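The "cleartext BGP messages" and "no peer entity authentication" points above, and the controller-to-switch policy updates encoded as BGP messages on page 12, are easiest to see on the wire. The following Python is an added example, not the paper's code: it builds a BGP UPDATE in the RFC 4271 format and parses it back, which is exactly what a passive observer of an unprotected session recovers (prefixes, AS path, next hop). The only check inside the message itself, the 16-byte marker, is a constant, so a forged UPDATE parses identically; peer authentication has to come from the transport (TCP-MD5, TCP-AO, IPsec or, as the slides propose, TLS). Prefixes, AS numbers and the next hop are constructed from documentation ranges and private ASNs.

```python
"""A BGP UPDATE built and parsed in Python (RFC 4271 wire format).

Added example, not the paper's code. Prefixes, ASNs and next hop are constructed.
"""
import ipaddress
import struct

MARKER = b"\xff" * 16            # RFC 4271: all ones; carries no authentication data
UPDATE = 2
ORIGIN, AS_PATH, NEXT_HOP = 1, 2, 3
AS_SEQUENCE = 2
FLAG_EXT_LEN = 0x10
WELL_KNOWN_TRANSITIVE = 0x40


def _attr(code, value, flags=WELL_KNOWN_TRANSITIVE):
    """Encode one path attribute (two-byte length when the value exceeds 255 bytes)."""
    if len(value) > 255:
        return bytes([flags | FLAG_EXT_LEN, code]) + struct.pack("!H", len(value)) + value
    return bytes([flags, code, len(value)]) + value


def _nlri(prefix):
    """Encode an IPv4 prefix as <prefix length><minimum number of address bytes>."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([net.prefixlen]) + net.network_address.packed[:nbytes]


def build_update(prefixes, as_path, next_hop, withdrawn=()):
    """UPDATE advertising `prefixes` via `as_path`/`next_hop` and withdrawing `withdrawn`."""
    attrs = _attr(ORIGIN, b"\x00")                                   # ORIGIN = IGP
    seg = bytes([AS_SEQUENCE, len(as_path)]) + b"".join(struct.pack("!H", a) for a in as_path)
    attrs += _attr(AS_PATH, seg)                                     # 2-byte ASNs (no AS4 capability)
    attrs += _attr(NEXT_HOP, ipaddress.IPv4Address(next_hop).packed)
    wd = b"".join(_nlri(p) for p in withdrawn)
    body = (struct.pack("!H", len(wd)) + wd
            + struct.pack("!H", len(attrs)) + attrs
            + b"".join(_nlri(p) for p in prefixes))
    return MARKER + struct.pack("!HB", 19 + len(body), UPDATE) + body


def _prefixes(buf):
    out, i = [], 0
    while i < len(buf):
        plen = buf[i]
        n = (plen + 7) // 8
        addr = ipaddress.IPv4Address(buf[i + 1:i + 1 + n] + b"\x00" * (4 - n))
        out.append(f"{addr}/{plen}")
        i += 1 + n
    return out


def parse_message(msg):
    """Decode the header and, for an UPDATE, withdrawn routes, path attributes and NLRI."""
    if msg[:16] != MARKER:
        raise ValueError("bad marker")   # a constant: this is framing, not peer authentication
    length, mtype = struct.unpack("!HB", msg[16:19])
    if length != len(msg):
        raise ValueError("length mismatch")
    if mtype != UPDATE:
        return {"type": mtype, "length": length}
    body = msg[19:]
    wlen = struct.unpack("!H", body[:2])[0]
    alen = struct.unpack("!H", body[2 + wlen:4 + wlen])[0]
    attr_buf = body[4 + wlen:4 + wlen + alen]
    out = {"type": UPDATE, "length": length,
           "withdrawn": _prefixes(body[2:2 + wlen]),
           "nlri": _prefixes(body[4 + wlen + alen:])}
    i = 0
    while i < len(attr_buf):
        flags, code = attr_buf[i], attr_buf[i + 1]
        if flags & FLAG_EXT_LEN:
            vlen = struct.unpack("!H", attr_buf[i + 2:i + 4])[0]
            i += 4
        else:
            vlen = attr_buf[i + 2]
            i += 3
        val = attr_buf[i:i + vlen]
        i += vlen
        if code == ORIGIN:
            out["origin"] = {0: "IGP", 1: "EGP", 2: "INCOMPLETE"}[val[0]]
        elif code == AS_PATH:
            path, j = [], 0
            while j < len(val):
                n = val[j + 1]               # val[j] is the segment type
                path += struct.unpack(f"!{n}H", val[j + 2:j + 2 + 2 * n])
                j += 2 + 2 * n
            out["as_path"] = path
        elif code == NEXT_HOP:
            out["next_hop"] = str(ipaddress.IPv4Address(val))
    return out


if __name__ == "__main__":
    # Constructed: a controller-side speaker advertising two prefixes and withdrawing one.
    wire = build_update(["203.0.113.0/24", "198.51.100.128/25"], [64512, 64513],
                        "192.0.2.1", withdrawn=["10.0.0.0/8"])
    print(parse_message(wire))   # everything an on-path observer of the cleartext session sees
```

A practical consequence for the SDWN controller: because nothing in the UPDATE binds it to a peer, the controller must verify origin (RPKI) and protect the session, otherwise any host that can reach the speaker's TCP port can inject policy.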

Page 17: NETCONF STRIDE Analysis

• Transport-layer security integrated with I2RS, IPFIX and NFV
• The NETCONF access control model (NACM) protects the confidentiality and integrity of the SDWN controller and NETCONF devices
• The data flow is protected; however, there is a DoS risk at the transport layer
• Even over TLS/SSH, configuration operations issued without a global datastore lock remain exposed: concurrent clients can interleave or overwrite each other's edits

STRIDE threats per NETCONF DFD element (columns: Data Flow, Interactors)
Spoofing           YES
Tampering          YES
Repudiation        YES
Denial of Service  YES
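The NETCONF DFD on page 13 (XML-encoded rpc, candidate/running datastores, NACM over an SSH/TLS transport) and the lock point above are concrete enough to show end to end. The following Python is an added example, not the paper's code: it builds the RPC sequence a controller would send a switch to install an NACM rule-list (lock candidate, edit-config, validate, commit, unlock), frames each message with the RFC 6242 chunked framing used by NETCONF 1.1 over SSH, parses the switch's rpc-reply, and checks that every write happened under a lock. The group and user names are constructed, and the switch side is not simulated.

```python
"""NETCONF 1.1 client-side message handling (RFC 6241 RPCs, RFC 6242 framing, RFC 8341 NACM).

Added example, not the paper's code. Group and user names are constructed.
"""
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
NACM = "urn:ietf:params:xml:ns:yang:ietf-netconf-acm"   # RFC 8341


def rpc(body_xml, message_id):
    return f'<rpc xmlns="{NC}" message-id="{message_id}">{body_xml}</rpc>'


def nacm_read_only_group(group, users):
    """NACM config: deny write/exec by default, permit one group to read any module."""
    members = "".join(f"<user-name>{u}</user-name>" for u in users)
    return (f'<nacm xmlns="{NACM}">'
            "<enable-nacm>true</enable-nacm>"
            "<read-default>permit</read-default>"
            "<write-default>deny</write-default>"
            "<exec-default>deny</exec-default>"
            f"<groups><group><name>{group}</name>{members}</group></groups>"
            f"<rule-list><name>{group}-rules</name><group>{group}</group>"
            "<rule><name>read-any</name><module-name>*</module-name>"
            "<access-operations>read</access-operations><action>permit</action></rule>"
            "</rule-list></nacm>")


def candidate_transaction(config_xml, first_id=101):
    """lock -> edit-config -> validate -> commit -> unlock, all against the candidate datastore."""
    bodies = [
        "<lock><target><candidate/></target></lock>",
        f"<edit-config><target><candidate/></target><config>{config_xml}</config></edit-config>",
        "<validate><source><candidate/></source></validate>",
        "<commit/>",
        "<unlock><target><candidate/></target></unlock>",
    ]
    return [rpc(b, first_id + i) for i, b in enumerate(bodies)]


def frame_chunked(msg):
    """RFC 6242 chunked framing (NETCONF 1.1 over SSH): \\n#<len>\\n<chunk> ... \\n##\\n"""
    data = msg.encode()
    return b"\n#%d\n" % len(data) + data + b"\n##\n"


def unframe_chunked(buf):
    out, i = bytearray(), 0
    while not buf.startswith(b"\n##\n", i):
        if not buf.startswith(b"\n#", i):
            raise ValueError("bad chunk header")
        j = buf.index(b"\n", i + 2)
        n = int(buf[i + 2:j])
        out += buf[j + 1:j + 1 + n]
        i = j + 1 + n
    return out.decode()


def parse_reply(xml_text):
    """Return (message-id, ok, error-message) from an <rpc-reply>."""
    root = ET.fromstring(xml_text)
    err = root.find(f"{{{NC}}}rpc-error")
    return (root.get("message-id"),
            root.find(f"{{{NC}}}ok") is not None,
            err.findtext(f"{{{NC}}}error-message") if err is not None else None)


def _local(tag):
    return tag.split("}")[-1]


def lock_discipline_ok(rpcs):
    """True when every write to a datastore happens while this client holds its lock."""
    held = set()
    for r in rpcs:
        op = ET.fromstring(r)[0]                 # the operation element inside <rpc>
        name = _local(op.tag)
        target = op.find(f"{{{NC}}}target")
        ds = _local(target[0].tag) if target is not None else None
        if name == "lock":
            held.add(ds)
        elif name == "unlock":
            held.discard(ds)
        elif name in ("edit-config", "copy-config", "delete-config") and ds not in held:
            return False
        elif name == "commit" and "candidate" not in held:
            return False
    return True


if __name__ == "__main__":
    txn = candidate_transaction(nacm_read_only_group("ops-readonly", ["alice"]))
    for wire in map(frame_chunked, txn):
        print(wire[:48], b"...")
    print("lock discipline:", lock_discipline_ok(txn))
```

Two caveats a practitioner will want: the lock is what turns the five RPCs into one atomic change, so a `lock-denied` rpc-error means another client holds the candidate and the transaction must be retried rather than pushed through; and NACM is authorization only, so the user names in the rule-list are whatever the SSH or TLS layer authenticated, and the recovery session bypasses NACM entirely.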

Page 18: Evaluation

• BGP is vulnerable in its data flow and data store and prone to tampering, DoS and routing-information disclosure threats
• NACM secures the configuration datastore
• NETCONF takes over the role of SNMP and the CLI at the process stage
• BGP with TLS is deployable in an AS-to-AS, multi-controller SDWN scenario
• NETCONF is better integrated with other routing protocols in an SDWN than used alone, for configuring a large set of MNs

Comparison among sFlow and FlowVisor

Comparative STRIDE table (columns: Data Flow, Data Store, Process, Interactors)
Spoofing                BGP, NETCONF
Tampering               BGP   BGP   NETCONF   BGP
Repudiation             BGP, NETCONF
Information Disclosure  BGP
Denial of Service       BGP, NETCONF   BGP   BGP
Elevation of Privilege  BGP

Page 19: Conclusion

• Studied the STRIDE security model for SDWN
• Analyzed packet flow in an SDWN environment integrated with the BGP protocol
• Analyzed the network device configuration data flow in an SDWN environment using NETCONF
• Performed a comparative side-by-side analysis of SDWN security risks when using the BGP and NETCONF protocols
• The research outcome finds distinctive use cases for the two protocols
• BGP provides efficient routing decisions between ASes, whereas NETCONF better suits SDWN for configuring larger MN sets and for network orchestration

Page 20: Future Work

• SDWN appliance in larger networks, i.e. data centers
• Vulnerability assessment of SDWN orchestration
• Analyzing and controlling routing preferences for SDWN
• Network management and configuration research in SDWN data centers, etc.

Page 21: References

C. J. Bernardos, A. De La Oliva, L. M. Contreras, and H. Jin, "An architecture for software defined wireless networking," IEEE Wireless Communications, vol. 21, no. 3, pp. 52-61, 2014.

M. R. Sama, L. M. Contreras, J. Kaippallimalil, I. Akiyoshi, H. Qian, and H. Ni, "Software-defined control of the virtualized mobile packet core," IEEE Communications Magazine, vol. 53, no. 2, pp. 107-115, 2015.

Y. Wang, J. Bi, and K. Zhang, "Design and implementation of a software-defined mobility architecture for IP networks," Mobile Networks and Applications, vol. 20, no. 1, pp. 40-52, 2015.

D. Klingel, R. Khondoker, R. Marx, and K. Bayarou, "Security analysis of software defined networking architectures: PCE, 4D and SANE," in Proceedings of the AINTEC 2014 Asian Internet Engineering Conference. ACM, 2014, p. 15.

V. T. Costa and L. H. M. Costa, "Vulnerabilities and solutions for isolation in FlowVisor-based virtual network environments," Journal of Internet Services and Applications, vol. 6, no. 1, pp. 1-9, 2015.

V. Kotronis, X. Dimitropoulos, and B. Ager, "Outsourcing the routing control logic: better Internet routing based on SDN principles," in Proceedings of the 11th ACM Workshop on Hot Topics in Networks. ACM, 2012, pp. 55-60.

N. A. Jagadeesan and B. Krishnamachari, "Software-defined networking paradigms in wireless networks: a survey," ACM Computing Surveys (CSUR), vol. 47, no. 2, p. 27, 2015.

Page 22: Question & Answer!

Page 23: Thanks!

Asma Islam Swapna
Twitter: @AsmaSwapna
GitHub: @AsmaSwapna
Tech site: www.asmaswapna.github.io
ResearchGate: Asma_Swapna2
LinkedIn: asma0swapna