iccit_nsu_comparative security analysis of software defined wireless networking (sdwn)- bgp and...
Slide 1
Paper ID: 236
Session: Security and Information Assurance
THE 19TH INTERNATIONAL CONFERENCE ON COMPUTER AND INFORMATION TECHNOLOGY (ICCIT 2016)
December 18th-20th, ICCIT, Dhaka, Bangladesh
Slide 2
Security Analysis of Software Defined Wireless Networking (SDWN) - BGP and NETCONF Protocols
Asma Islam Swapna, Mainul Kabir Aion, MD Rezaul Huda Reza
Mawlana Bhashani Science and Technology University, Bangladesh; BAC IT, Bangladesh; University of Derby, England
Slide 3
Presentation Summary
• SDN?
• SDWN?
• Emerging SDWN Protocols
• SDWN Security Aspects
• BGP DFD
• NETCONF DFD
• STRIDE and DFD
• BGP STRIDE Analysis
• NETCONF STRIDE Analysis
• Evaluation
• Conclusion
• References
Slide 4
Software Defined Networking (SDN): Current Network
[Figure: a row of devices, each a box of Specialized Packet Forwarding Hardware with its own Operating System and its own App / App / App layer on top]
Millions of lines of source code, billions of gates
Limitations?
Source: Open Network Foundation Newsletter
Slide 5
Software Defined Networking (SDN)
[Figure: Control Programs running on a Network Operating System that holds a Global Network View; control via the forwarding interface; protocols at the device layer]
Solution! An Operating System for Networks
SDN providing network administration; full hardware accessibility
Source: Open Network Foundation Newsletter
Slide 6
Software Defined Networking (SDN) (Cont.)
• Direct programmability in the network plane
• Decouples the control plane from the data forwarding plane
• Agile
• Open standards-based and vendor-neutral
Enables: scalability, information hiding, network policy, complete resource utilization; expands local to global; spans the business network
Source: Open Network Foundation Newsletter
Slide 7
Software Defined Wireless Networking
2G, 3G, 4G, 5G: billions of wirelessly connected mobile devices
Need more wireless capacity! Heterogeneous network (LTE, WiFi, WiMAX)
Solution: SDN for wireless networks!
- Interface for controlling mobile nodes
- Customizable mobility management
Debut of pop in 2005, 2013
Slide 8
Software Defined Wireless Networking (Cont.)
[Figure labels: Underlying Network Security; Secured information flow and control plane]
• Controller collects Mobile Node (MN) information for packet transmission
• Composed of North-South and East-West network dimensions
• Different protocols enable inter-controller communication for large wireless networks
• Leverages wireless mesh networks
Slide 9
Emerging SDWN Protocols
The bigger the network, the greater the challenge in security management
SDN/SDWN protocols: BGP, OF-Config, NETCONF, NFV, OVSDB
SDN architectures: 4D, PCE, SANE-based
Roles: efficient routing; configure network devices; leverage the SDWN/SDN controller
Source: McAfee Labs, 2015
Slide 10
SDWN Security Aspects
Confidentiality, Authenticity, Integrity, Availability, Consistency
Source: L. Schehlmann, H. Baier, Blessing or Curse? Revisiting Security Aspects of Software-Defined Networking, 2014.
Slide 11
Challenge: configuring and managing a large, scale-out, multi-domain, multi-controller SDWN while defending it against security attacks
[Figure: example deployment with Network, Database, MemCache, Web Server, Load Balancer and Application Server tiers]
BGP
- Efficient dynamic routing
- Suitable for a comprehensive multi-layer autonomous system
- Simpler than OSPF
NETCONF
- Manipulates network devices
- XML-based encoding of protocol messages and configuration data
- Leverages SNMP
Slide 12
BGP DFD
Embedded with switch and router in SDWN
Speaker (Controller to Switch)
- Sends BGP messages to the router/switch
- Speaks the Policy Information Base (PIB)
- Advertises routes to the BGP peers
Listener (Switch to Controller)
- Listens to the Policy Information Base (PIB)
- Sends BGP messages to the BGP Controller
- Advertises flow configuration requests to the BGP Controller
Controller
- Sets policies
- Exchanges BGP messages
- Encodes policy updates with BGP messages
- No individual flow response
BGP Data Flow Diagram
Slide 13
NETCONF DFD
• Configures and manipulates SDWN devices
• Datastore holds the complete set of configuration data
• CRUD operations to access the datastore
• RPC element to encode NETCONF requests in XML
• Three configuration datastores: running, startup, candidate
NETCONF Data Flow Diagram: NETCONF Datastore, SDWN Switch, SDWN Controller
• Session-oriented, well-formed XML document type NETCONF message
• Secure transport layer provides a communication path between the client and server
• NACM for authentication, TLS/SSH for secure configuration
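As an added example (not code from the paper), the NETCONF exchange the slide describes, written against the three datastores named above: the controller takes the global lock on the candidate datastore, sends an XML-encoded edit-config RPC, commits it to running, and releases the lock even when a step fails. The transport is an injected callable and FakeDevice is a constructed stand-in for the NETCONF server, so it runs offline; a real client would send the same envelopes over SSH or TLS.

```python
import xml.etree.ElementTree as ET
from itertools import count

NS = "urn:ietf:params:xml:ns:netconf:base:1.0"      # NETCONF base namespace
DATASTORES = ("running", "startup", "candidate")     # the three datastores on the slide
def q(name): return f"{{{NS}}}{name}"                # namespace-qualified tag

def _target(ds):
    if ds not in DATASTORES: raise ValueError(f"unknown datastore {ds!r}")
    return f"<target><{ds}/></target>"
def lock(ds):                 return f"<lock>{_target(ds)}</lock>"
def unlock(ds):               return f"<unlock>{_target(ds)}</unlock>"
def edit_config(ds, cfg_xml): return f"<edit-config>{_target(ds)}<config>{cfg_xml}</config></edit-config>"
def commit():                 return "<commit/>"
def rpc(body, msg_id):        # the <rpc> envelope the client sends over SSH/TLS
    return f'<rpc xmlns="{NS}" message-id="{msg_id}">{body}</rpc>'

def check_reply(reply_xml, expected_id):
    """Accept only the <rpc-reply> for our message-id; raise on any <rpc-error>."""
    root = ET.fromstring(reply_xml)
    if root.tag != q("rpc-reply") or root.get("message-id") != expected_id:
        raise ValueError("not the rpc-reply for this request")
    errs = [f'{e.findtext(q("error-tag"))}: {e.findtext(q("error-message"))}'
            for e in root.findall(q("rpc-error"))]
    if errs:
        raise RuntimeError("; ".join(errs))

def configure_candidate(send, cfg_xml):
    """lock candidate -> edit-config -> commit -> unlock, releasing the lock on failure."""
    ids = count(1)
    def call(body):
        mid = str(next(ids))
        check_reply(send(rpc(body, mid)), mid)
    call(lock("candidate"))            # global lock: no other session may edit meanwhile
    try:
        call(edit_config("candidate", cfg_xml))
        call(commit())                 # candidate becomes running
    finally:
        call(unlock("candidate"))

class FakeDevice:
    """Constructed stand-in for a NETCONF server: records operations, answers <ok/>,
    and denies a lock that another session already holds."""
    def __init__(self, locked=False): self.ops, self.locked = [], locked
    def __call__(self, msg):
        root = ET.fromstring(msg)
        op, mid = root[0].tag.split("}")[-1], root.get("message-id")
        self.ops.append(op)
        if op == "lock" and self.locked:
            return (f'<rpc-reply xmlns="{NS}" message-id="{mid}"><rpc-error><error-tag>lock-denied'
                    '</error-tag><error-message>candidate is locked</error-message></rpc-error></rpc-reply>')
        self.locked = {"lock": True, "unlock": False}.get(op, self.locked)
        return f'<rpc-reply xmlns="{NS}" message-id="{mid}"><ok/></rpc-reply>'
```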
Slide 14
Threat Models
Elicitation and analysis of security threats and mechanisms in deployed designs and networks
• DREAD: SQL injections, Microsoft, OpenStack
• OCTAVE: large systems and applications
• STRIDE: network systems and applications, Microsoft
• Generic Risk Model
• Guerrilla Threat Modeling
• Process for Attack Simulation and Threat Analysis (PASTA): last-stage risk management
• Trike etc.
Slide 15
STRIDE & Data Flow Diagram (DFD)
DFD elements can be vulnerable to one or many STRIDE threats.
[Figure: FlowVisor Data Flow Diagram annotated with the STRIDE threats: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege]
DFD element | STRIDE vulnerability | Definition
Data Flow | Yes | Data sent among network elements
Data Store | Yes | Stable data
Process | Yes | Programs or applications that configure the system
Interactors | Yes | Endpoints out of system scope to control
Trust Boundaries | Yes | Separation between trusted and untrusted elements of the system
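As an added example (not the authors' tool), a STRIDE-per-element pass over the BGP DFD from the earlier slide, using the element types defined in this table. The threat-applicability chart is the commonly used STRIDE-per-element mapping, which is an assumption here rather than the paper's own table; flows that do not cross a trust boundary are left out of the report, and the two flags apply the controls the BGP analysis names (TLS per flow, peer entity authentication) so the residual threats can be compared.

```python
from dataclasses import dataclass, field

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege")
# Assumed STRIDE-per-element chart (the common one, not the paper's own table).
APPLIES = {
    "Interactor": {"Spoofing", "Repudiation"},
    "Process": set(STRIDE),
    "Data Flow": {"Tampering", "Information Disclosure", "Denial of Service"},
    "Data Store": {"Tampering", "Repudiation", "Information Disclosure", "Denial of Service"},
}

@dataclass
class Node:
    name: str
    kind: str                                      # Interactor | Process | Data Store
    zone: str                                      # trust zone the element sits in
    mitigations: set = field(default_factory=set)  # threats a control already covers

@dataclass
class Flow:
    name: str
    src: Node
    dst: Node
    mitigations: set = field(default_factory=set)

def residual_threats(nodes, flows):
    """Applicable STRIDE threats per element after subtracting recorded controls.
    A flow that stays inside one trust zone is not reported: the attacker is
    assumed to sit outside the boundary, as in the slide's DFD conventions."""
    out = {n.name: sorted(APPLIES[n.kind] - n.mitigations) for n in nodes}
    for f in flows:
        if f.src.zone != f.dst.zone:               # flow crosses a trust boundary
            out[f.name] = sorted(APPLIES["Data Flow"] - f.mitigations)
    return out

def bgp_dfd(tls_on_flows=False, peer_auth=False):
    """Elements of the slides' BGP DFD (names are ours); the flags add the controls
    the BGP analysis names: TLS per flow, peer entity authentication."""
    ctrl = Node("BGP Controller", "Process", "controller")
    rib = Node("PIB/RIB", "Data Store", "controller")
    spk = Node("Speaker switch", "Process", "switch")
    peer = Node("BGP peer", "Interactor", "external",
                {"Spoofing"} if peer_auth else set())
    tls = {"Tampering", "Information Disclosure"} if tls_on_flows else set()
    flows = [Flow("BGP message ctrl->switch", ctrl, spk, set(tls)),
             Flow("route advertisement", spk, peer, set(tls)),
             Flow("policy update ctrl->RIB", ctrl, rib)]   # same zone: not reported
    return residual_threats([ctrl, rib, spk, peer], flows)
```

With TLS on the flows, only Denial of Service remains on the controller-to-switch flow, which matches the "DoS risk in the transport layer" observation in the NETCONF analysis.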
Slide 16
BGP STRIDE Analysis
• Third-party deployment environment for data flow security
• Transport layer security for each flow to encrypt routing messages
• Access control mechanism; SIDR can help secure the RIB
• No individual flow update and TCP reconnection
• Cleartext RIB and BGP messages
• Unauthorized access to SDWN devices
• No peer entity authentication
• RIB overflow
Threat matrix (columns: Data Flow, Data Store, Process, Interactors; each YES marks one affected element)
Spoofing: YES
Tampering: YES, YES, YES
Repudiation: YES
Information Disclosure: YES
Denial of Service: YES, YES, YES
Elevation of Privilege: YES
Slide 17
NETCONF STRIDE Analysis
• Transport layer security integrated with I2RS, IPFIX, NFV
• NETCONF access control mechanism supports confidentiality and integrity of the SDWN controller and NETCONF devices
• Security in the data flow; however, DoS risk in the transport layer
• TLS/SSH prone to vulnerability if operations are performed without a global lock
Threat matrix (columns: Data Flow, Interactors; each YES marks one affected element)
Spoofing: YES
Tampering: YES
Repudiation: YES
Denial of Service: YES
Slide 18
Evaluation
• BGP is vulnerable in the BGP data flow and data store and prone to Tampering, DoS and routing information disclosure threats
• NACM secures the configuration datastore
• NETCONF leverages SNMP and CLI in the process stage
• BGP with TLS is deployable in an AS multi-controller SDWN scenario
• NETCONF can be integrated with other routing protocols in any SDWN rather than used alone, for configuring a large set of MNs
Comparison among sFlow and FlowVisor
Threat matrix (columns: Data Flow, Data Store, Process, Interactors; each entry names the protocol(s) affected in one element)
Spoofing: BGP, NETCONF
Tampering: BGP; BGP; NETCONF; BGP
Repudiation: BGP, NETCONF
Information Disclosure: BGP
Denial of Service: BGP, NETCONF; BGP; BGP
Elevation of Privilege: BGP
Slide 19
Conclusion
• Studied the STRIDE security model for SDWN
• Analyzed packet flow in an SDWN environment integrated with the BGP protocol
• Analyzed network device configuration data flow in an SDWN environment using NETCONF
• Performed a comparative side-by-side analysis of SDWN security risks when using the BGP and NETCONF protocols
• Research outcome finds distinctive use cases for the two protocols
• BGP provides efficient routing decisions for AS-to-AS, whereas NETCONF better suits SDWN in configuring larger MN sets and network orchestration
Slide 20
Future Work
SDWN appliance in a larger network, i.e. a data center
Vulnerability assessment in SDWN orchestration
Analyzing and controlling routing preferences for SDWN
Network management and configuration research in SDWN data centers etc.
Slide 22
Question & Answer !
Slide 23
Thanks!
Asma Islam Swapna
Twitter: @AsmaSwapna
Github: @AsmaSwapna
Tech site: www.asmaswapna.github.io
ResearchGate: Asma_Swapna2
LinkedIn: asma0swapna