Finalising Assessment 4

I have finished my podcast recording today and will focus on finalising A4 in the next two days. I have changed my topic title to “A security review and mitigation strategies of the control plane in SDN”.

I hope I have done this topic justice 🙂

Topic title is too general

After A3 feedback, I do agree that my assessment title was way too general. So I have decided to have a specific title and focus on threats and countermeasures in the control plane. Initially I was focusing on threats and countermeasures of the application, control and data planes. I was struggling as the topic was way too big for one person to research.

Another comment from A3 feedback is that my references are too old and currency is an issue. So I spent last week looking for more recent research and started this assessment again. I am quite mentally exhausted with work pressure and finishing this assessment on time. Lately, I am getting up at 4am and working on the assessment in order to be able to finish on time.

Results and Discussion

This week I finished the results section, but the Discussion section is massive. Still writing this section. I hope to finish it by this Friday, if, and only if, I manage to write a little bit every morning.

Assessment 4: Abstract, introduction and Background

Finished rewriting the abstract and revisited the introduction and background. Next week I will be working on results and discussion.

Decided that I will have to cut down the research question. So far I am thinking of neglecting security issues and countermeasures in OpenFlow and focusing on security issues and countermeasures in the control, data, and application planes of the SDN. That said, I am still open, if time permits, to addressing the last missing question that will leave this paper incomplete…

PS: Our new lecturer, Mr Kenneth, is a gun; wish we had him as a lecturer from the beginning. Glad to hear that he will be with us for the remainder of this term.

Getting started with assessment item 4

This week's lecture has been very helpful to start working on assessment 4.

I have been focusing on finding more research papers as, with the 12 papers I have so far, it does not feel like I have enough material for this assessment.

I also did more reading on IEEE format writing. Found a few nice links:

https://libraryguides.vu.edu.au/ieeereferencing/gettingstarted

https://www.youtube.com/watch?v=sEaMcAWV420

Annotated Bibliography

Have started doing the Annotated Bibliography this week. I am aiming at finishing one per day. Found it easy to print out the journals, finish reading them, make notes as I go and then write the annotated bibliography. So far I have finished 4 this week. On track to meet the submission date as per the Gantt chart.

A2 completed

Assessment Submission

Project Title

Security Issues in Software Defined Networks

Blog URL

https://thinkspace.csu.edu.au/hjogoo

1.    Abstract

Software-Defined Networking (SDN) has emerged as an agile, robust, and flexible solution: a new network design that can efficiently handle the increasing demand for network traffic and dynamically adjust policies such as Quality of Service (QoS) to reduce latency and improve user experience. In a conventional network, decision-making and management are distributed across various network components such as routers and switches. SDN aims to improve network management and programmability by decoupling the data plane from the control plane, thereby allowing a network to be centrally managed and controlled. The OpenFlow protocol provides the communication between controllers and switches. However, the dynamism of a programmable network such as SDN has also introduced critical security issues, and SDN is far from being secure and dependable. This research paper will investigate the security issues within and between the data plane, control plane and application plane. Moreover, this paper also explores mitigation strategies for these security issues.

2.    Introduction

Since the COVID-19 pandemic, with the increasing demand for services such as video streaming, Voice over IP (VoIP), and online meetings, and the adoption of internet-based applications, the conventional network has become increasingly complex and challenging to manage. This has also increased the difficulty of ensuring the basic essential properties of a network, such as confidentiality, integrity, and authentication (CIA). In a conventional IP-based network, the control plane computes the sophisticated networking functions, and the data plane forwards the traffic based on the policies of the control plane. Those two planes are coupled within the same device (Lee et al., 2020). The bandwidth allocated to services like VoIP and data is fixed. On a network with several endpoint devices, altering QoS to prioritise data can be a complicated task. In addition, the adoption of dynamic environments such as Kubernetes and VMware, where virtual machines or containers are constantly being created and migrated, presents another challenge to the static nature of the conventional network.

Several solutions have been proposed to overcome this complexity, such as HTTP as the narrow waist, Named Data Networking (NDN) (Luo et al., 2015), programmable networks, and Software-Defined Networks (SDN). Among those proposed, SDN has attracted the attention of researchers as it allows an organisation to consolidate network functionalities into user-defined software [3]. The main characteristic of an SDN is that it combines the control and data plane into a single software control program. The aim is to design a more robust, dynamic, intelligent, agile, flexible, and simple network. SDN is a step towards establishing a dynamic and centralised version of the traditional network environment.

However, moving the intelligence and control into user-defined software that can be centrally managed has also introduced critical vulnerabilities in the control, infrastructure, and application planes. These include Distributed Denial-of-Service (DDoS) attacks, spoofing attacks, authenticity issues, threats in the control plane, Man-in-the-Middle (MITM) attacks, and more.

The remainder of this paper explains in depth how a Software-Defined Network works and its security risks. Later in the paper, we will also see countermeasures proposed in research papers and journals.

2.1  Background

An SDN consists of three layers: the infrastructure layer (bottom layer), the control layer, and the application layer (top layer). An SDN allows an organisation to consolidate multiple services into one common infrastructure.

The difference between an SDN and a traditional network is that a software component, the control plane, is introduced to control the network (Li et al., 2016). In an SDN, the data and control planes are decoupled. This means that network control and programming are removed from the endpoints. Moving the intelligence away from hardware enables administrators to deploy and configure a network easily and quickly. This architecture also supports a set of APIs allowing network administrators to interact with network services such as routing and multicast to meet business objectives in real time (Li et al., 2016). For example, a network administrator can programmatically adjust QoS and prioritise streaming traffic over voice traffic to allow management to have an online staff meeting.

In addition, when an unknown flow reaches an SDN switch, the switch forwards the request to the controller. The controller then computes the routing path and broadcasts it to all devices on the network. The devices themselves only accept instructions from the control plane and do not need to understand different protocols from different manufacturers (Li et al., 2016).

2.2  Purpose and Justification

This research project aims to identify the security risks in a Software-Defined Network within and between the application, control, and infrastructure layers. Having a centralised control plane introduces many security risks, such as DDoS attacks, spoofing attacks, fake traffic flows, authenticity issues, attacks on forwarding device availability, and man-in-the-middle attacks. The objective is to find and compare a few mitigation strategies for these issues from research journals and conferences.

2.3  Problem domain

The current trend of migrating to cloud services, such as Software-as-a-Service (SaaS), has amplified the complexity and difficulty of managing a conventional network. The COVID-19 pandemic has rushed this move, and more people are now working remotely, having online meetings and streaming movies more than before. The current network topology is challenging and complex to manage. A new network architecture that is intelligent, easy to operate, and where traffic priority can be adjusted based on demand is increasingly important to reduce data latency. Latency is the time taken for data to move from one point to another. This research project will try to answer the following questions.

  • What are the security risks within the Application layer?
  • What are the security risks within the control plane?
  • What are the security risks within the infrastructure plane?
  • What are the security risks between the application, control, and infrastructure plane?
  • What are the proposed mitigation strategies for these issues?

3.    Research Methodology

This research project will evaluate previously published journal articles and conference papers. About twelve publications will be reviewed, selected for an impact factor higher than 1.5 (journals) or a low acceptance rate (conferences), resulting in a qualitative research methodology. This research will highlight the security issues and mitigation strategies proposed by various researchers concerning security in software-defined networks.

3.1  Resources consulted

All the resources used in this research project are accessed from the CSU library database (Primo) and listed below.

  • Web of Science
  • IEEE
  • ACM Digital Library
  • Springer Link

3.2  Ethics

Data collected from published journals will be used with honesty and integrity. All journals and conferences will be appropriately referenced using the APA 7 referencing methodology.

4.    Preliminary Literature review

Although the SDN architecture is a revolution in network control and management, deployment of SDN in a production environment is still in its infancy, and a considerable amount of work and research still needs to be done concerning security (Masoudi & Ghaffari, 2016). All layers and interfaces are vulnerable to specific attacks. Substantial research has been done to find the best mitigation strategy for known weaknesses. The following subsections highlight several authors' research on a few vulnerabilities and mitigation strategies.

4.1  Application layer

Applications with high privilege can be compromised to execute system commands, for example to interfere with the network API. This can affect the confidentiality and availability of an SDN. The authors (Chica et al., 2020) identified two possible security issues in the application layer.

  • Service neutralisation: where a malicious application successfully installs itself on top of the controller and manipulates the control packet. The malicious software can disrupt service by dropping or inspecting service packets to gather sensitive information.
  • Attacks on a vulnerable northbound API: misconfigurations and vulnerabilities in the northbound API can be leveraged to terminate applications using system commands.

On the other hand, the authors (Nisar et al., 2020) identified a few solutions, such as VeriCon and PermOF. VeriCon's primary responsibility is to ensure that software in an SDN performs as expected. PermOF's primary function is to isolate and check application permissions and to allow OpenFlow controllers to control access rights.

4.2  Control layer

The control plane is the heart of the SDN architecture. Attacks on the control layer will highly impact availability. According to the authors (Dayal et al., 2016) and (Singh & Behal, 2020), the control plane is the easiest target for a Distributed Denial-of-Service (DDoS) attack. Dayal et al. and the authors (Shi et al., 2017) suggested that a compromised controller may be used for attacks such as DoS, fake flow rule insertion, fake information (blackhole), spoofing, and exploitation of operating system vulnerabilities.

On the other hand, the authors (Singh & Behal, 2020) focused mainly on DDoS detection and mitigation strategies in SDN. They identified two classes of DDoS mitigation strategy: machine-learning-based and information-theory-based DDoS defence solutions.

Moreover, the authors (Li et al., 2016) suggested validation of the source address by the controller as a mitigation strategy for spoofing attacks. They also identified HyperFlow, a distributed event-based control plane for OpenFlow.

In addition, the authors (Abdou et al., 2018) proposed two models of the control plane as an improvement to this layer.

  • A security-oriented control plane.

The authors recommend using the NOX protocol on the control plane as it provides greater flexibility to the management plane.

  • A control plane security extension and APIs

The authors have proposed a few security extensions such as VeriFlow and Flow Visor.

4.3  Infrastructure plane

An attack on the infrastructure plane could affect confidentiality and availability. The authors (Shi et al., 2017) have listed spoofing attacks, eavesdropping, flow table overflow and repudiation as potential vulnerabilities of the infrastructure layer. The authors (Lee et al., 2020) state that switches are vulnerable to performance degradation if an adversary generates meaningless flows to other hosts, triggering a flood of PACKET_IN messages to the controller.

On the other hand, the authors (Li et al., 2016) have identified a few mitigation strategies for spoofing attacks, such as using OpenFlow flow tables and control mode, and embedding the OpenFlow protocol in the router, also known as Open-Router.
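As an added illustration of two points above (the information-theory-based DDoS detection class mentioned in 4.2 and the PACKET_IN flooding described by Lee et al. in 4.3), the following Python sketch is not from this proposal or from any of the cited papers. It assumes a controller application can observe table-miss events as (timestamp, switch id, ingress port, source MAC) tuples; the sample events and the thresholds are constructed for the example.

```python
from collections import Counter, defaultdict
from math import log2


def source_entropy(src_macs):
    """Shannon entropy (bits) of the source-MAC distribution in one window."""
    n = len(src_macs)
    if n == 0:
        return 0.0
    counts = Counter(src_macs)
    return -sum(c / n * log2(c / n) for c in counts.values())


def detect_packet_in_flood(events, window=1.0, max_rate=50, min_entropy=4.0):
    """Flag (switch, window start) pairs where PACKET_IN (table-miss) events
    arrive faster than max_rate per second AND the source MACs are spread
    almost uniformly (entropy >= min_entropy bits). Forged 'meaningless'
    flows show both signs; a single busy legitimate host shows only the first.
    events: iterable of (timestamp_s, switch_id, in_port, src_mac).
    Thresholds are illustrative, not values from the cited papers."""
    buckets = defaultdict(list)
    for ts, dpid, _in_port, src in events:
        buckets[(dpid, int(ts // window))].append(src)
    alerts = defaultdict(list)
    for (dpid, idx), srcs in sorted(buckets.items()):
        if len(srcs) / window > max_rate and source_entropy(srcs) >= min_entropy:
            alerts[dpid].append(idx * window)
    return dict(alerts)


def build_sample_events():
    """Constructed sample events (not captured traffic), three scenarios."""
    hosts = ["aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"]
    events = []
    # Second 0, switch s1: three normal hosts, 20 table misses -> benign.
    for i in range(20):
        events.append((0.0 + i * 0.05, "s1", 1 + i % 3, hosts[i % 3]))
    # Second 1, switch s1: one chatty host, 120 misses -> high rate but
    # zero entropy, so it is not treated as a flood.
    for i in range(120):
        events.append((1.0 + i * 0.008, "s1", 1, hosts[0]))
    # Second 2, switch s2: 200 misses, each from a different forged MAC.
    for i in range(200):
        mac = "02:00:00:00:%02x:%02x" % (i // 256, i % 256)
        events.append((2.0 + i * 0.004, "s2", 4, mac))
    return events


if __name__ == "__main__":
    print(detect_packet_in_flood(build_sample_events()))  # {'s2': [2.0]}
```

In a real controller the alert would feed a response such as rate limiting PACKET_IN from the affected port, rather than only being printed.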

4.4  API interface

If messages between a controller and a switch or an application are unencrypted, a Man-in-the-Middle (MITM) attack could confuse the control plane. The authors (Lee et al., 2020) have pointed out that an attacker could guess the topology in use by simply sniffing control messages. Moreover, the attacker could also insert malicious content into the control packets.

On the other hand, the authors in (Li et al., 2016) suggest that encryption is necessary to protect the inter-plane communications. They also proposed monitoring OpenFlow as a prevention strategy. In addition, the authors in (Shin et al., 2013) proposed the use of AVANT-GUARD as a DDoS mitigation strategy between the data plane and the control plane.

5.    Project Plan

5.1  Deliverables

The research project will generate the following.

  • Milestones: Abstract, Project Plan, Annotated Bibliography, Report, and video presentation
  • Work breakdown structure
  • Gantt Chart
  • Risk analysis
  • A recorded video presentation of the research project

5.2  Work breakdown structure (WBS)

5.3   Risk Analysis

This research project presents no risk in any possible avenue, as all research is based on previously published studies performed by other researchers.

5.4  Gantt Chart

6.    References

Abdou, A., Oorschot, P. C. v., & Wan, T. (2018). Comparative Analysis of Control Plane Security of SDN and Conventional Networks. IEEE Communications Surveys & Tutorials, 20(4), 3542-3559. https://doi.org/10.1109/COMST.2018.2839348

Chica, J. C. C., Imbachi, J. C., & Vega, J. F. B. (2020). Security in SDN: A comprehensive survey. Journal of Network and Computer Applications, 159, Article 102595. https://doi.org/10.1016/j.jnca.2020.102595

Dayal, N., Maity, P., Srivastava, S., & Khondoker, R. (2016). Research Trends in Security and DDoS in SDN. Security and Communication Networks, 9(18), 6386-6411. https://doi.org/10.1002/sec.1759

Lee, S., Kim, J., Woo, S., Yoon, C., Scott-Hayward, S., Yegneswaran, V., Porras, P., & Shin, S. (2020). A comprehensive security assessment framework for software-defined networks. Computers & Security, 91, Article 101720. https://doi.org/10.1016/j.cose.2020.101720

Li, W. J., Meng, W. Z., & Kwok, L. F. (2016). A survey on OpenFlow-based Software Defined Networks: Security challenges and countermeasures. Journal of Network and Computer Applications, 68, 126-139. https://doi.org/10.1016/j.jnca.2016.04.011

Luo, J. T., Wu, C., Jiang, Y., & Tong, J. W. (2015). Name Label Switching Paradigm for Named Data Networking. IEEE Communications Letters, 19(3), 335-338. https://doi.org/10.1109/lcomm.2014.2387344

Masoudi, R., & Ghaffari, A. (2016). Software defined networks: A survey [Review]. Journal of Network and Computer Applications, 67, 1-25. https://doi.org/10.1016/j.jnca.2016.03.016

Nisar, K., Jimson, E. R., Hijazi, M. H., Welch, I., Hassan, R., Aman, A. H. M., Sodhro, A. H., Pirbhulal, S., & Khaf, S. (2020). A survey on the architecture, application, and security of software defined networking: Challenges and open issues [Review]. Internet of Things, 12, 27, Article 100289. https://doi.org/10.1016/j.iot.2020.100289

Shi, Y., Dai, F., & Ye, Z. (2017, November 11-13). An enhanced security framework of software defined network based on attribute-based encryption. In 2017 4th International Conference on Systems and Informatics (ICSAI).

Shin, S., Yegneswaran, V., Porras, P., & Gu, G. (2013). AVANT-GUARD: Scalable and vigilant switch flow management in software-defined networks. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, Berlin, Germany. https://doi-org.ezproxy.csu.edu.au/10.1145/2508859.2516684

Singh, J., & Behal, S. (2020). Detection and mitigation of DDoS attacks in SDN: A comprehensive review, research challenges and future directions. Computer Science Review, 37, Article 100279. https://doi.org/10.1016/j.cosrev.2020.100279
