Cloud Computing Security: What Changes with Software-Defined Networking?
Broadly construed, Software-Defined Networking (SDN) refers to the use of a standards-based open architecture and its supporting open source and open interfaces technologies to enable the deployment, management, and operation of networks. While traditional network management relies on vendor-specific hardware, protocols, and software, SDN systems are architected to have well-defined control and data planes offering flexible management interfaces. The enhanced control enabled by SDN opens opportunities for better cloud security engineering. At the same time, new vulnerabilities are potentially exposed as new technologies are introduced. This chapter discusses how SDN impacts cloud security, and potential risks that need to be addressed when SDN is deployed within and across clouds.
KeywordsEntropy Migration Triad
This work is supported in part by National Science Foundation (NSF) grants No. 0910812, 1139707, 1240171 and the AT&T Foundation. Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the NSF, and AT&T Foundation.
- 1.Apache CloudStack Project. http://www.cloudstack.org. Cited 14 June 2013.
- 3.Bernstein D, Ludvigson E, Sankar K, Diamond S, and Morrow M (2009) Blueprint for the Intercloud - Protocols and Formats for Cloud Computing Interoperability. In Fourth International Conference on Internet and Web Applications and Services 2009 (ICIW ’09). 328–36. Venice/Mestre. doi:10.1109/iciw.2009.55.Google Scholar
- 4.Case JD, Fedor M, Schoffstall ML, and Davin J (1990) A Simple Network Management Protocol (SNMP). IETF RFC 1157, 1–36.Google Scholar
- 5.Google - IPv6 statistics. http://www.google.com/intl/en/ipv6/statistics.html. Cited 14 June 2013.
- 6.Greene K (2009) TR10: Software-Defined Networking. Technology Review (MIT). http://www2.technologyreview.com/article/412194/tr10-software-defined-networking/. Accessed 14 June 2013.
- 7.Gude N, Koponen T, Pettit J, Pfaff B, Casado M, McKeown N et al. (2008) NOX: towards an operating system for networks. ACM SIGCOMM Computer Communication Review 38, 105–10. doi:10.1145/1384609.1384625.Google Scholar
- 8.Handigol N, Heller B, Jeyakumar V, Maziéres D, and McKeown N (2012) Where is the debugger for my software-defined network? In Proceedings of the first workshop on Hot topics in software defined networks. Vol. pp. 55–60, ACM, Helsinki.Google Scholar
- 9.Hölzle U (2012) OpenFlow@Google. Open Networking Summit 2012. http://www.youtube.com/watch?v=VLHJUfgxEO4. Accessed 14 June 2013.
- 10.Internet Engineering Task Force. http://www.ietf.org. Cited 14 June 2013.
- 11.Internet2 (2012) Internet2 Innovation Platform FAQ. Internet2. http://www.internet2.edu/pubs/Internet2-Innovation-Platform-FAQ.pdf. Accessed 14 June 2013.
- 12.Interworking Task Group of IEEE 802.1 (2011) IEEE Standard for Local and metropolitan area networks–Media Access Control (MAC) Bridges and Virtual Bridged Local Area Networks. IEEE Std 802.1Q-2011 (Revision of IEEE Std 802.1Q-2005) 1–1364. doi:10.1109/ieeestd.2011.6009146.Google Scholar
- 13.Keahey K, Tsugawa M, Matsunaga A, and Fortes JAB (2009) Sky Computing. In IEEE Internet Computing. Vol. 13, pp. 43–51.Google Scholar
- 14.McKeown N (2008) Why can’t I innovate in my wiring closet? The Stanford Clean Slate Program. http://www.openflow.org/documents/OpenFlow.ppt. Accessed 14 June 2013.
- 15.McKeown N, Anderson T, Balakrishnan H, Parulkar G, Peterson L, Rexford J et al. (2008) OpenFlow: enabling innovation in campus networks. ACM SIGCOMM Computer Communication Review 38, 69–74. doi:10.1145/1355734.1355746.Google Scholar
- 16.Mehdi SA, Khalid J, and Khayam SA (2011) Revisiting traffic anomaly detection using software defined networking. In Proceedings of the 14th international conference on Recent Advances in Intrusion Detection (RAID’11). 161–80. Springer-Verlag, Menlo Park, CA. doi:10.1007/978-3-642-23644-0_9.CrossRefGoogle Scholar
- 17.Nadeau T and Pan P (2011) Software Driven Networks Problem Statement. IETF Internet-Draft (work-in-progress) draft-nadeau-sdnproblem-statement-01.Google Scholar
- 18.Nascimento MR, Rothenberg CE, Salvador MR, Corrêa CNA, Lucena SCd, and Magalhães MF (2011) Virtual routers as a service: the RouteFlow approach leveraging software-defined networks. In Proceedings of the 6th International Conference on Future Internet Technologies. 34–7. ACM, New York, NY, Seoul, Republic of Korea. doi:10.1145/2002396.2002405.Google Scholar
- 19.Nayak AK, Reimers A, Feamster N, and Clark R (2009) Resonance: dynamic access control for enterprise networks. In Proceedings of the 1st ACM workshop on Research on enterprise networking. 11–8. ACM, doi:10.1145/1592681.1592684.Google Scholar
- 20.NOX OpenFlow Controller. http://www.noxrepo.org. Cited 14 June 2013.
- 21.OpenFlow. http://www.openflow.org. Cited 14 June 2013.
- 22.OpenFlowSec. http://www.openflowsec.org. Cited 14 June 2013.
- 23.Open Networking Foundation. http://www.opennetworking.org. Cited 14 June 2013.
- 24.Open Networking Summit. http://www.opennetsummit.org. Cited 14 June 2013.
- 25.Piper S (2013) In Big Data Security for Dummies. John Wiley & Sons, Inc.Google Scholar
- 27.Reitblatt M, Foster N, Rexford J, and Walker D (2011) Consistent updates for software-defined networks: Change you can believe in! In Proceedings of the 10th ACM Workshop on Hot Topics in Networks. ACM, Cambridge. doi:10.1145/2070562.2070569.Google Scholar
- 28.Rothenberg CE, Nascimento MR, Salvador MR, Corrêa CNA, Lucena SCd, and Raszuk R (2012) Revisiting routing control platforms with the eyes and muscles of software-defined networking. In Proceedings of the first workshop on Hot topics in software defined networks. 13–8. ACM, Helsinki, Finland. doi:10.1145/2342441.2342445.Google Scholar
- 29.Sherwood R, Gibb G, Yap K-K, Appenzeller G, Casado M, McKeown N et al. (2009) FlowVisor: A Network Virtualization Layer. OpenFlow Switch Consortium, Tech. Rep. OPENFLOW-TR-2009-1.Google Scholar
- 30.Sherwood R, Gibb G, Yap K-K, Appenzeller G, Casado M, McKeown N et al. (2010) Can the Production Network Be the Testbed? In 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI). 365–78. USENIX Association, Vancouver, BC, Canada.Google Scholar
- 31.Shin S and Gu G (2012) CloudWatcher: Network security monitoring using OpenFlow in dynamic cloud networks (or: How to provide security monitoring as a service in clouds?). In 2012 20th IEEE International Conference on Network Protocols (ICNP). 1–6. Austin, TX. doi:10.1109/icnp.2012.6459946.CrossRefGoogle Scholar
- 32.Skowyra R, Lapets A, Bestavros A, and Kfoury A (2013) Verifiably-Safe Software-Defined Networks for CPS. In Proceedings of the 2nd ACM International Conference on High Confidence Networked Systems (HiCoNS 2013), Philedelphia, PA, USA. ACM, Philadelphia.Google Scholar
- 33.Stabler G, Rosen A, Goasguen S, and Wang K-C (2012) Elastic IP and security groups implementation using OpenFlow. In Proceedings of the 6th international workshop on Virtualization Technologies in Distributed Computing Date. ACM, Delft, The Netherlands. doi:10.1145/2287056.2287069.Google Scholar
- 34.Waite A (2010) InfoSec Triads: Security/Functionality/Ease-of-use. http://blog.infosanity.co.uk/2010/06/12/infosec-triads-securityfunctionalityease-of-use/. Accessed 14 June 2013.
- 35.Yap K-K, Yiakoumis Y, Kobayashi M, Katti S, Parulkar G, and McKeown N (2011) Separating authentication, access and accounting: A case study with OpenWiFi. Technical report, OpenFlow 2011-1.Google Scholar