
Mobile Networks and Applications, Volume 21, Issue 5, pp 764–776

Security in Software-Defined Networking: Threats and Countermeasures

  • Zhaogang Shu
  • Jiafu Wan (corresponding author)
  • Di Li
  • Jiaxiang Lin
  • Athanasios V. Vasilakos
  • Muhammad Imran

Abstract

In recent years, Software-Defined Networking (SDN) has been a focus of research. As a promising network architecture, SDN may replace traditional networking, since it offers significant opportunities for network management in terms of simplicity, programmability, and elasticity. While many efforts are currently being made to standardize this emerging paradigm, careful attention also needs to be paid to security at this early design stage. This paper focuses on the security aspects of SDN. We begin by discussing the characteristics and standards of SDN. On that basis, we discuss the security features as a whole and then analyze the security threats and countermeasures in detail from three aspects, according to which part of the SDN paradigm they target: the data forwarding layer, the control layer, and the application layer. Countermeasure techniques that could be used to prevent, mitigate, or recover from some of these attacks are also described, and the threats encountered when developing these defensive mechanisms are highlighted.

Keywords

Software-defined networking; SDN; Security; Security countermeasures

Acknowledgments

This work was supported in part by the Fundamental Research Funds for the Central Universities (No. 2015ZZ079), the Natural Science Foundation of Jiangxi Province, China (No. 20151BAB207024), the Natural Science Foundation of Fujian Province, China (No. 2014J05045), the Natural Science Foundation of Guangdong Province, China (No. 2015A030308002), and the National Natural Science Foundation of China (Nos. 61262013, 61572220, 41401458, 61363011, and 51575194). Imran’s work is supported by the Deanship of Scientific Research at King Saud University through Research group No. (RG # 1435-051).


Copyright information

© Springer Science+Business Media New York 2016

Authors and Affiliations

  • Zhaogang Shu (1)
  • Jiafu Wan (2, corresponding author)
  • Di Li (2)
  • Jiaxiang Lin (1)
  • Athanasios V. Vasilakos (3)
  • Muhammad Imran (4)

  1. Fujian Agriculture and Forestry University, Fuzhou, China
  2. South China University of Technology, Guangzhou, China
  3. Lulea University of Technology, Luleå, Sweden
  4. King Saud University, Riyadh, Saudi Arabia
