Security Analysis of SDN Routing Applications

Chapter in: SDN and NFV Security

Part of the book series: Lecture Notes in Networks and Systems ((LNNS,volume 30))

Abstract

With the steady increase in information and the high degree of network resource sharing, organizations require large data centers. To control the workload in these data centers and minimize response time, effective load-balancing systems are necessary, and routing applications play an important role here. Several routing applications based on Software Defined Networking (SDN), such as Plug-n-Serve, Hedera and ElasticTree, offer an efficient way to handle this traffic load in data centers. Centralised routing makes it possible to adjust network elements such as switches, ports and links dynamically according to the traffic load. The routing application takes control of data flow management in the data center, finds a non-conflicting path for each flow and instructs the switches accordingly. The security of routing applications is therefore important: if an attacker takes control of data flow routing or scheduling, traffic can be forwarded to servers or switches under the attacker's control, and the attacker can even shut down the data center, since some data centers rely entirely on the routing application for data flow management. In this paper, several SDN routing applications are compared and a detailed analysis of two of them, Plug-n-Serve and ElasticTree, is performed. The architecture of these applications is explained and a security analysis is carried out using the STRIDE threat analysis methodology. We suggest mitigation techniques for the well-known threat classes (spoofing, tampering, repudiation, etc.) and also check whether each application has a built-in countermeasure against them. We describe how the ElasticTree application provides some mitigations against these threats by design, and which mitigation techniques the Plug-n-Serve application could adopt to avoid them.



Author information

Corresponding author: Anagha Anilkumar Sagare.


Copyright information

© 2018 Springer International Publishing AG

About this chapter

Cite this chapter

Sagare, A.A., Khondoker, R. (2018). Security Analysis of SDN Routing Applications. In: Khondoker, R. (eds) SDN and NFV Security. Lecture Notes in Networks and Systems, vol 30. Springer, Cham. https://doi.org/10.1007/978-3-319-71761-6_1

  • DOI: https://doi.org/10.1007/978-3-319-71761-6_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-71760-9

  • Online ISBN: 978-3-319-71761-6

  • eBook Packages: Engineering (R0)
