Hi Everyone!!!
Huawei's latest SDN controller is "iMaster NCE". SDN controllers, however, come with their own security challenges. Compared with conventional network devices, an SDN controller has the following security requirements:
Openness: The SDN controller opens northbound APIs to integrate third-party applications (apps) into the network. To ensure openness does not lead to new risks, a comprehensive solution is required. As such, a strict privilege control and access control architecture is required.
Centralization: After the control and forwarding planes are separated, the management and control functions of the entire network are implemented on one central node. If attackers have control of the SDN controller, they can inflict damage across the entire network, necessitating advanced system integrity protection and availability enhancement.
Control and forwarding plane separation: Conventional network devices are designed based on the ITU-T X.805 architecture. The management, control, and forwarding planes are located inside the same NE, and related messages do not need to be exposed to the network. In the SDN solution, however, the control and management planes are far away from each other, which poses higher requirements on the confidentiality, integrity, and consistency of messages between forwarders and the controller.
Any type of security model requires joint collaboration between the data, control, and management planes to ensure overall security. As such, the Huawei SDN solution uses Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (STRIDE) for threat modeling and analysis in order to effectively identify SDN security risks.
SDN Security Risk Analysis on the Data Plane
In the SDN solution, the data plane is built on switches or routers. The following security risks are involved:
Data breach: Information disclosure risks must be considered for data isolation between tenants and data flows based on VPNs, ACLs, and data flow tables.
Traffic flooding: The data plane features strong data processing capabilities. On a telecom backbone network, small-burst traffic may cause ISPs, enterprises, or even end users to encounter denial of service (DoS) attacks. The SDN controller is required to deny attack traffic.
NE DoS: A controller usually runs in a virtualized multi-machine environment, and offers a far higher computing capability than that of a forwarder. As such, a message burst from a controller may cause congestion on a forwarder, resulting in DoS.
SDN Security Risk Analysis on the Control Plane
When an SDN controller sends various control instructions to a forwarder, the confidentiality and integrity of the instructions must be well protected. To implement this, strict authentication and authorization must be implemented on both the controller and forwarder to prevent any abuse of control instructions.
Identity authentication and authorization: The controller needs to authenticate messages from a forwarder, while the forwarder must authenticate instructions from the controller. Both require a strict security authentication and authorization mechanism to ensure that the identities of both parties are trustworthy.
API access control: Forwarders open management and control APIs to the controller, and the controller must strictly authenticate the identities of operators and operated objects to prevent unauthorized use of APIs.
SDN Security Risk Analysis on the Management Plane
The management plane assumes core responsibilities for the SDN solution security. The management plane faces the security risks in the following aspects:
Account management: The controller's user accounts must be assigned different privileges by role, and role-based access control (RBAC) must be implemented.
Communication encryption: Encrypted transmission protocols and algorithms with high encryption strength must be used to encrypt communication data between the controller and forwarders, ensuring data confidentiality and integrity.
Log audit: All controller operation events (including instructions and messages) for forwarders must be strictly and comprehensively logged for post-event audit. In addition, audit logs must be well stored, and proper access control privileges and integrity protection measures must be provided.
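The log audit requirement above asks for integrity protection on stored audit logs. The following is an added example, not part of the original post and not iMaster NCE code: an HMAC hash chain over controller operation events, so that editing, deleting, or truncating records is detectable. The event field names and the sample events are constructed, and the key is assumed to be held outside the host that stores the log.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor used as "previous MAC" for the first record


def _mac(key, prev, event):
    # Canonical JSON so the same event always serializes to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev.encode() + body, hashlib.sha256).hexdigest()


def append_event(log, key, event):
    """Append one controller-to-forwarder operation, chained to the previous record."""
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"event": event, "prev": prev, "mac": _mac(key, prev, event)})


def verify_log(log, key, head=""):
    """Return -1 if the log verifies, else the index of the first bad record.

    `head` is the last MAC saved out of band; without it, removal of the
    newest records cannot be detected. A mismatch returns len(log).
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        expected = _mac(key, prev, rec["event"])
        if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], expected):
            return i
        prev = rec["mac"]
    return len(log) if head and prev != head else -1


def build_sample_log(key):
    # Constructed sample events (hypothetical field names).
    events = [
        {"seq": 1, "operator": "admin1", "forwarder": "fw-01", "op": "flow_add"},
        {"seq": 2, "operator": "app:vpn-portal", "forwarder": "fw-02", "op": "vpn_create"},
        {"seq": 3, "operator": "admin1", "forwarder": "fw-01", "op": "acl_modify"},
    ]
    log = []
    for event in events:
        append_event(log, key, event)
    return log
```

The chain only proves integrity to someone who holds the key and the saved head value, so both belong on a separate system from the log store, behind their own access control.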
Hierarchical SDN Security Risk Analysis
SDN centralization enables a huge expansion of traffic loads and storage space over conventional network devices. Such devices are built on the embedded system architecture, which cannot meet the requirements of the large, centralized management and control platform. To address this issue, the SDN controller must use IT virtualization and cloudification technologies.
From the vertical and hierarchical perspective, the SDN solution faces the security risks in the following aspects:
Physical Layer
Host security: Physical hosts, including the controller's server platform and the forwarders' hardware platforms, face service overload risks caused by insufficient computing resources. As such, proper protection measures must be taken.
Hardware consistency: The controller is generally far away from forwarders. If the controller or forwarder is spoofed, severe security risks may be caused. The integrity and consistency of the hardware platforms must be ensured to prevent such risks.
HyperVisor
To isolate either the controller or specific apps running on VMs, the corresponding VMs need to be isolated from each other. However, once the HyperVisor is compromised, VM isolation is no longer effective.
The HyperVisor requires the trusted computing architecture to provide an integrity protection mechanism to prevent penetration and implantation and ensure border isolation.
Heap/Stack
Most attacks (for example, a conventional buffer overflow) are caused by loose boundary checks.
Attackers usually leverage heap/stack execution defects to implant malicious instructions and initiate buffer overflow attacks.
The data execution prevention (DEP), No eXecute (NX), and address space layout randomization (ASLR) mechanisms can be used for heap/stack security hardening.
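A hardening check for the mechanisms named above, as an added example that is not part of the original post: it reads an ELF64 binary's headers to confirm a non-executable stack (NX) and a position-independent image (needed for full ASLR of the program itself), and reads the Linux system-wide ASLR setting. The sample ELF bytes are constructed for the demonstration.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header that carries the stack permissions
PF_X = 0x1                 # "executable" permission bit in p_flags
ET_DYN = 3                 # PIE executables (and shared objects) use this type


def check_elf64(data):
    """Report NX-stack and PIE status for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx_stack = False  # stays False if PT_GNU_STACK is absent: not confirmed
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
    return {"nx_stack": nx_stack, "pie": e_type == ET_DYN}


def aslr_mode(path="/proc/sys/kernel/randomize_va_space"):
    """Return the Linux ASLR setting (0 off, 1 partial, 2 full) or None if unreadable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def make_sample_elf(e_type, stack_flags):
    # Constructed minimal image: 64-byte ELF header plus one PT_GNU_STACK header.
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                                 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return header + phdr
```

On a controller host, run `check_elf64` over the bytes of each service binary and treat any result with `nx_stack` or `pie` set to False, or an `aslr_mode()` below 2, as a finding to fix in the build or sysctl configuration.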
VM Layer
VMs use CGroup technology to restrict, collect statistics on, and separate the resources (such as CPU, memory, and disk I/O) of a process group, preventing certain processes from abusing system resources.
OS Layer
The core security architecture of an OS must focus on access control and kernel security.
Security-Enhanced Linux (SELinux) can be used to provision multiple access control models, such as DAC, MAC, and RBAC, in order to prevent the security vulnerabilities of a module from infecting others.
In addition, the Linux kernel needs to be hardened.
App Layer
Opening northbound apps may result in uncontrollable security risks, abuse of resources, and unauthorized access, introducing significant risks to network devices.
The core of northbound app security is access control, which requires strict control on the access rights of objects (such as VPNs, tunnels, and interfaces) for subjects (apps and users).
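The account management requirement (RBAC) and the northbound access control described above can be served by one deny-by-default check. This is an added example, not part of the original post and not the controller's own API: subjects (apps and users) receive roles, and each role grants actions on objects (VPNs, tunnels, interfaces). All role names, subject names, and object identifiers are constructed.

```python
from fnmatch import fnmatchcase

OBJECT_TYPES = {"vpn", "tunnel", "interface"}
ACTIONS = {"read", "create", "modify", "delete"}

# Constructed policy: role -> list of (object type, object-id pattern, actions).
ROLE_GRANTS = {
    "monitor": [("interface", "*", {"read"}), ("tunnel", "*", {"read"})],
    "tenant-a-vpn-admin": [
        ("vpn", "tenant-a/*", {"read", "create", "modify", "delete"}),
    ],
    "noc-operator": [("tunnel", "*", {"read", "modify"})],
}

# Constructed subjects: northbound apps and controller user accounts.
SUBJECT_ROLES = {
    "app:vpn-portal": {"tenant-a-vpn-admin"},
    "app:topology-viewer": {"monitor"},
    "user:alice": {"noc-operator", "monitor"},
}


def is_allowed(subject, obj_type, obj_id, action):
    """Deny by default; allow only when one of the subject's roles grants the action."""
    if obj_type not in OBJECT_TYPES or action not in ACTIONS:
        return False
    # Object ids are literal names: refuse wildcards and path traversal in requests.
    if not obj_id or ".." in obj_id or any(c in obj_id for c in "*?["):
        return False
    for role in SUBJECT_ROLES.get(subject, ()):
        for g_type, pattern, actions in ROLE_GRANTS.get(role, ()):
            if g_type == obj_type and action in actions and fnmatchcase(obj_id, pattern):
                return True
    return False
```

The tenant prefix in the pattern keeps one tenant's app from touching another tenant's VPNs, and the literal-id check stops a request such as `tenant-a/../tenant-b/vpn-1` from matching the `tenant-a/*` grant.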
Network Layer
Information collection: Possible security defects and vulnerabilities are obtained by scanning ports and collecting information.
Sniffing: Attackers monitor network data, such as plaintext passwords and configurations. They can easily access all plaintext information transmitted on a network using data packet sniffers, and can crack data packets encrypted using lightweight hash algorithms and decrypt payloads to obtain confidential data.
Spoofing: Attackers fake their identities on a network using a fake source address or user ID. Attackers can conceal the initial attack source or bypass an access control list (ACL) that is used to restrict host access based on source address rules.
DoS/DDoS: Authorized users cannot access servers or services.
System Layer
Viruses, Trojan horses, and worms: Viruses are malicious programs designed to destroy OSs or apps. Trojan horses are viruses which include malicious code in seemingly harmless data files or executable programs. Worms are similar to Trojan horses but can duplicate themselves from one server to another. They can be difficult to detect as they do not regularly create visible files. Worms are usually noticed only when they start to occupy system resources, which causes the system to respond slowly or other programs to stop running.
Footprint: Footprints include port scanning, ping scanning, and NetBIOS enumeration, and can be exploited by attackers to collect system-level information that may strengthen their attack. Footprints may reveal multiple types of information, such as account details, OS or software versions, server names, and specifics relating to the database architecture.
Password cracking: If no anonymous connection to a server can be set up, attackers may attempt to establish a connection through authentication. For this purpose, the attacker must obtain a valid username and password. If the default username is used, hacking into the system becomes easier as the attacker only needs to crack the account password. If no password is set, or if the password is weak, the attacker can easily crack it.
DoS: DoS attacks may take multiple forms and aim at several infrastructure targets. Attackers on a host can brutally attack apps in order to destroy services, or utilize the defects of services where apps reside or defects of the OS on a server to launch DoS attacks.
Arbitrary code execution: If an attacker can execute malicious code on your server, the attacker can compromise server resources or attack downstream devices. If the server processes running such malicious code are executed beyond authority, arbitrary code execution causes greater risks. Common defects include servers subject to recursive routing or buffer overflow attacks due to missing patches. In this case, arbitrary code execution may occur.
Unauthorized access: Unauthorized users may access information or perform operations if access control is improperly implemented.
Service and Application Layer
Input authentication: an attempt to attack the system through buffer overflow, brute force cracking, and rainbow table attacks
Identity authentication: network interception, brute force attacks, dictionary attacks, cookie replay, and credential theft
Authorization: escalation of privilege, disclosure of confidential data, data tampering, and luring attacks
Configuration management: unauthorized access to the management interface, unauthorized access to the configuration storage device, plaintext configuration retrieval, and unauthorized configuration access
Sensitive data: access to sensitive data on storage devices, network eavesdropping, and data tampering
Session management: session hijacking, session replay, and man-in-the-middle attacks
Encryption: insecure key generation or management, and fragile or user-defined encryption technologies
Parameter operation: character string querying, form field, cookie, and HTTP header operations
Exception handling: information disclosure and DoS attacks
Security auditing: users refusing to perform certain operations, attackers utilizing apps without tracing records, or attackers concealing their tracing records
I hope it was beneficial for you. In case of any questions, please do let me know in the comments.


