Doctoral thesis (Dissertations and theses)
Fault Detection and Network Security in Software-Defined Networks with OpenFlow
Hommes, Stefan
2014
 

Files


Full Text
PhDthesis_StefanHommes.pdf
Author postprint (1.69 MB)

Details



Keywords :
Software-Defined Networking; OpenFlow; Network Security
Abstract :
[en] Due to the rigid architecture of most switches and routers, which provide functionality only for a certain application scenario, the flexibility of deploying new network functions is limited. The advent of programmable networks, which is described as Software-Defined Networking (SDN), allows the extension and control of networks based on a flexible control plane, which is based on software and acts as a network operating system with network applications running on top of it. In this thesis we focussed on SDN based on the concept of the OpenFlow protocol. In order to deploy such networks in operational environments and datacentres, the challenges concerning network management are still lacking a sufficient analysis and are further investigated in this thesis, which examines the reliability and maintainability of SDN, as well as new security issues that are introduced with this architecture. The second contribution of this thesis is to provide solutions to some of the addressed challenges, with a focus on fault detection and network security. With regard to fault detection, we discuss the information content and monitoring aspects of flow entries that are located on the network devices, but are managed from the network controller. This involves applying methods from information theory to determine faults and attacks by observing the logical topology, and correlation facilities to determine errors that relate to the data plane. In network security, current approaches mostly rely on security appliances that are deployed at different locations in the network. We analyse the extent to which SDN can be leveraged to provide new ways of thwarting network attacks, and investigate the possibilities for controller-based packet inspection to detect malicious communications in the network. This includes the extraction of hidden communication patterns originating from a stealthy backdoor.
The freedom of extending controller software to meet new network service requirements comes at a high cost. Since the reliability of the network must be assured, tools are required to debug and test the software after each alteration step. We propose a solution that instruments network applications with additional code for logging purposes, guaranteeing certain correctness properties. In combination with a database system, our framework can be leveraged to allow network debugging or anomaly detection.
Research center :
Interdisciplinary Centre for Security, Reliability and Trust
Disciplines :
Computer science
Author, co-author :
Hommes, Stefan ;  University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Language :
English
Title :
Fault Detection and Network Security in Software-Defined Networks with OpenFlow
Defense date :
25 March 2014
Number of pages :
130
Institution :
Unilu - University of Luxembourg, Luxembourg, Luxembourg
Degree :
Docteur en Informatique
Promotor :
President :
Jury member :
Herfet, Thorsten
Funders :
FNR - Fonds National de la Recherche [LU]
Available on ORBilu :
since 14 April 2014

Statistics


Number of views
792 (51 by Unilu)
Number of downloads
1559 (54 by Unilu)
