- Title
- Techniques for securing software defined networks and services
- Creator
- Karmakar, Kallol Krishna
- Relation
- University of Newcastle Research Higher Degree Thesis
- Resource Type
- thesis
- Date
- 2019
- Description
- Research Doctorate - Doctor of Philosophy (PhD)
- Description
- Software Defined Network (SDN) is rapidly developing to be a disruptive technology in the world of networking. It provides various promising features such as dynamic network programmability, network virtualisation and more effective network management. The separation of the control plane from the data plane in SDN results in the network switches becoming simpler forwarding devices, with the more sophisticated control logic implemented in software in a logically centralised Controller. This decoupling in SDN enables the design of new and innovative network functions and protocols. Although SDN offers many advantages in dealing with the complexities of current networks, a critical issue in SDN at present is that of security; SDN security is still in its development stage. Securing networks is becoming more challenging for businesses, especially with bring your own device (BYOD), increased cloud adoption and the Internet of Things (IoT). The contributions of the thesis fall in the areas of a new security architecture for distributed SDN, specification of fine-grained path- and flow-based security policies, security techniques for detection of attacks in distributed SDN infrastructure, a trust model and key management framework for SDN, as well as the application of the proposed SDN security architecture and mechanisms for managing IoT infrastructures. A major contribution is the formulation of a policy-based security architecture for a distributed SDN environment. We propose an Authorisation Policy-based Security Architecture (APbSA) which enables specification of enforceable access policy constraints on communications and flows between end users/devices and services in SDNs across multiple domains. The APbSA is a trusted component of the security architecture and forms part of the SDN Controller. Another significant component of the security architecture is the security component in the SDN switches. We have developed a security-enhanced OpenFlow switch with a security component that can monitor the state of the switch and validate the flow rules, as well as protect the flow traffic for confidentiality and integrity using encryption mechanisms. A policy language for specifying policies is another contribution of this thesis. The policy language allows fine-grained policy specification based on a variety of attributes of users, devices/switches, services and location, as well as security labels associated with the switches and Controllers in different domains. A novel feature of such a language-based policy approach is that it allows the specification of path- and flow-based policies to achieve secure flow of packets and secure management of paths in a distributed SDN. Such path-based policies are not only relevant in security-critical applications but also useful in normal applications which may have different requirements for different types of traffic. The proposed architecture allows secure virtual partitioning of the network to achieve separation of flows and services, thereby reducing the attack surface in SDN. The architecture helps to detect threats arising from malicious traffic generated by end hosts leading to attacks against switches and the Controllers; it also helps to detect and prevent unauthorised flows and unauthorised access to services in a distributed SDN. Then we present a key management framework for distributed OpenFlow switches. First, the framework allows the Controller to securely send command instructions to the switches and install the flow rules in the switches. With the added functionality of encryption mechanisms, the switch can provide confidentiality and integrity services. Furthermore, the key management protocols allow authentication of switches and validation of the origin of flows from neighbouring switches. Then we address the issue of the SDN Controller's trust in the switches. We have developed a trust model that can be used to evaluate the trustworthiness of the OpenFlow switches. The trust model involves the use of property-based attestation based on the state of the switches, as well as switch behaviour based on evidence of past transactions. We have used subjective logic in our trust model to determine the trust value of the switch. The trust model is, in turn, used to make decisions as to whether and how to route sensitive flows through different paths in the SDN. Then the thesis presents a comprehensive integrated security architecture for SDN which combines the previously designed security services such as policy-based authorised flows, authentication and attestation of switches, mechanisms for attack detection, as well as confidentiality and integrity of communications. A novel feature of this integrated architecture is that it is able to respond to changes in attacks by dynamically updating the security policies accordingly. In particular, we have illustrated that when attacks happen, the feedback between the various security components in the integrated architecture helps to change the authorisation policies dynamically to counteract these attacks. Hence such an integrated security architecture can help to enhance the resiliency of SDN. Finally, we have extended the APbSA architecture with a lightweight authentication protocol using elliptic curve cryptography and the OAuth protocol to develop an SDN-IoT security solution for IoT devices accessing network services. We have analysed the security and performance of the proposed SDN-IoT security solution and have shown that it is able to counteract IoT-device-specific attacks such as Mirai.
- Subject
- software defined network security; policy-based network security; security architecture; SDN attacks
- Identifier
- http://hdl.handle.net/1959.13/1408434
- Identifier
- uon:35841
- Rights
- Copyright 2019 Kallol Krishna Karmakar
- Language
- eng
- Full Text
File | Description | Size | Format
---|---|---|---
ATTACHMENT01 | Thesis | 4 MB | Adobe Acrobat PDF
ATTACHMENT02 | Abstract | 269 KB | Adobe Acrobat PDF