Outsmarting Network Security with SDN Teleportation
KASHYAP THIMMARAJU (TU BERLIN, GERMANY)
LIRON SCHIFF (GUARDICORE LABS, ISRAEL)
STEFAN SCHMID (AALBORG UNIVERSITY, DENMARK)
IEEE EURO S&P, PARIS, FRANCE, APRIL 2017
Networking Equipment is Critical
• It forms a technological foundation for communication
• It contributes to the economy
• Vital for national security
Backdoors, exploits and 0days in Networking Equipment
Backdoors in SDN equipment
• Does that introduce new attacks?
• Can we detect backdoor activity?
Software Defined Networking (SDN) is a networking paradigm
● Separated planes
● Centralized model
[Diagram labels: Data plane, Control plane, Switch, Controller]
SDN Teleportation: An attack previously not possible
[Diagram labels: Traditional Networks, Software Defined Networks, Teleportation, Data plane, Control plane]
SDN Teleportation poses several threats
● Bypass security mechanisms
● Attack coordination
● Exfiltration
● Eavesdrop
The Teleportation Model
1) Switch to Controller
2) Controller to Switches
3) Destination Processing
[Diagram labels: Switch, Controller, Switch; steps (1), (2), (3); data 0110...]
Teleportation Techniques
• Out-of-band Forwarding
• Flow (re-)configurations
• Switch Identification
Out-of-band Forwarding Teleportation
● Complete packets from one switch are teleported to another switch
[Diagram labels: Packet-in, Packet-Out]
Flow (Re-)Configuration Teleportation
● Exploit the controller's centralized control to reconfigure the network when a host moves across the network
[Diagram labels: Packet-in, Flow-add, Packet-in, Flow-add, Flow-delete]
Switch Identification Teleportation
● Impersonate the Datapath-ID to communicate information
[Diagram labels: Hello, Features-request, Features-reply (DPID=1); Hello, Features-request, Features-reply (DPID=1)]
Attacks using Teleportation
● Bypass firewalls, IDS and IPS
● Exfiltration
● Man-in-the-middle
● Rendezvous/Attack coordination
Teleportation Bandwidth
Countermeasures
● Packet-in-Packet-Out Watcher
● Audit-Trails and Accountability
● Enhanced IDS with Waypoint Enforcement
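One way a Packet-in-Packet-Out watcher could work against out-of-band forwarding, as an added example that is not from the slides or the authors' own implementation: it flags a Packet-Out whose payload the controller earlier received as a Packet-In from a different switch. The event tuple format, the function name `find_cross_switch_relays`, the window parameter and the sample events are assumptions constructed for illustration.

```python
import hashlib

# Constructed sample of controller-side OpenFlow events (not from the slides).
# Each event: (message type, datapath ID of the switch, packet payload bytes).
SAMPLE_EVENTS = [
    ("packet_in",  1, b"ARP who-has 10.0.0.2"),
    ("packet_out", 1, b"ARP who-has 10.0.0.2"),      # answered on the same switch
    ("packet_in",  1, b"\x01\x01\x00\x01 covert"),
    ("packet_out", 2, b"\x01\x01\x00\x01 covert"),   # relayed to another switch
    ("packet_out", 3, b"LLDP probe"),                # controller-originated
]


def find_cross_switch_relays(events, window=100):
    """Return (src_dpid, dst_dpid, digest) for every Packet-Out whose payload
    arrived as a Packet-In from a different switch at most `window` events
    earlier."""
    seen = {}      # payload digest -> (event index, source dpid)
    alerts = []
    for i, (msg_type, dpid, payload) in enumerate(events):
        digest = hashlib.sha256(payload).hexdigest()[:16]
        if msg_type == "packet_in":
            seen[digest] = (i, dpid)
        elif msg_type == "packet_out" and digest in seen:
            idx, src = seen[digest]
            # Same-switch replies are normal reactive forwarding; a payload
            # leaving through another switch crossed the control plane.
            if src != dpid and i - idx <= window:
                alerts.append((src, dpid, digest))
    return alerts


if __name__ == "__main__":
    for src, dst, digest in find_cross_switch_relays(SAMPLE_EVENTS):
        print(f"relay via controller: dpid {src} -> dpid {dst} payload {digest}")
```

Controller applications that legitimately flood or forward across switches will also match, so alerts need to be compared against the forwarding policy the operator expects.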
Conclusions
● Introduced a conceptually novel SDN attack
● Teleportation enables several attacks
● Teleportation has high quality and throughput
● Suggested Teleportation countermeasures
Questions