Doctoral thesis (Dissertations and theses)
Logically Centralized Security for Software-Defined Networking
Kreutz, Diego
2020
Files
Full Text: Thesis_2020_FINAL_KREUTZ.pdf (author postprint, 5.47 MB)
Details
Keywords :
Security; Security by Design; Software-Defined Networking; Logically Centralized Security; ANCHOR of Trust; Perfect Forward Secrecy (PFS); Post-Compromise Security (PCS); Post-Quantum Security (PQS); SDN; non-functional properties
Abstract :
[en] Software-Defined Networking (SDN) decouples the control and data planes of traditional networks, logically centralizing the functional properties of the network in the SDN controller. While this centralization brought advantages such as a faster pace of innovation, it also disrupted some of the natural defenses of traditional architectures against different threats. Until now, SDN research has essentially been concerned with the functional side, despite some specific works relating to non-functional properties like ‘security’, ‘dependability’, or ‘quality of service’. Security is an essential non-functional property of SDN. The lack of reliable security-by-design mechanisms can quickly lead to the compromise of the entire network. For instance, most of the current security mechanisms in SDN controllers lead to exploitable vulnerabilities that allow adversaries to easily control or even shut down the entire control plane. The growing concern regarding insider threats substantially amplifies the problem. The reason lies in the fact that current Software-Defined Networks (SDNs) (e.g., OpenFlow-enabled networks) rely on weak protection mechanisms. To address these crucial security issues in the SDN control plane, it is necessary, though not sufficient, that we start by securely identifying, authenticating, and authorizing all devices before allowing them to become part of the network. Though SDN security is the central tenet of this thesis, we believe that the problem is much more generic. In essence, there is still a lack of a systematic approach to ensuring such relevant non-functional properties as security, dependability, or quality of service. Current approaches are mostly ad-hoc and piecemeal, which has led to efficiency and effectiveness problems. This reflection led us to claim that the successful enforcement of non-functional properties as a pillar of SDN robustness calls for a systematic approach. 
We further advocate, for its materialization, the re-iteration of the successful formula behind SDN: ‘logical centralization’. In consequence, we propose ANCHOR, a subsystem architecture for SDN that promotes the logical centralization of non-functional properties. We start by presenting the general concept and architectural principles, suggesting how they can satisfactorily enhance the current state of the art with regard to any non-functional property (security, dependability, performance, quality of service, etc.). We claim and justify that centralizing such mechanisms is vital for their effectiveness, by allowing us to: define and enforce global policies for those properties; reduce the complexity of controllers and forwarding devices; ensure higher levels of robustness for critical services; foster interoperability of the non-functional property enforcement mechanisms; and finally, better foster the resilience of the architecture itself. We focus on ‘security’ as a use case in the rest of the thesis, discussing the specialization of the ANCHOR architecture to logically-centralized enforcement of security properties. However, by presenting a principled solution to the main problem of the thesis (SDN security), we also show the effectiveness of the general ANCHOR concept, opening avenues for further research on its extension to other desirable non-functional properties, such as dependability and Quality of Service (QoS). We identify the current security gaps in SDNs, and investigate the adequate security mechanisms that should populate the architecture middleware, globally and consistently. ANCHOR sets out to provide — in a homogeneous manner to all controllers and forwarding devices — essential security mechanisms such as strong entropy, resilient pseudo-random generators, secure device registration, association and recommendation, amongst other crucial services. We present the design of those mechanisms and protocols.
With the objective of promoting generalized use of encryption and authentication in the control plane, we additionally propose and describe a secure control plane communication infrastructure, Keep It Simple and Secure (KISS), based on a novel lightweight mechanism for generating cryptographic secrets — integrated Device Verification Value (iDVV). iDVV can be used in a number of ways, in a number of protocols, and outperforms widely used alternatives. In the context of this thesis, the KISS infrastructure is set up by ANCHOR and used to ensure the security of interactions amongst it, controllers and forwarding devices. Being conceptually logically-centralized, ANCHOR presents a single-point-of-failure (SPoF) challenge, which we address, through incremental measures, some of which can be selectively present in concrete designs. As a baseline, we harden the design, by endowing it with robust functions in the different modules. We increase assurance by discussing and informally proving correctness of all mechanisms and algorithms, and we also formally verify the main algorithms through a proof-assistant. By only using symmetric cryptography, we make the system Post-Quantum Secure (PQS). We also embed measures to achieve Perfect Forward Secrecy (PFS) in all algorithms, protecting pre-compromise communications in the presence of successful attacks. Finally, for higher criticality systems, we take additional algorithmic and architectural measures to mitigate the effects of possible security failures. We provide for Post-Compromise Security (PCS) through the semi-automatic restart of operation after a full compromise of ANCHOR. We present as well a design of resilience mechanisms — the continued prevention of failure/compromise by automatic means — through fail-fast recovery techniques. The prototypes’ implementation aspects and the evaluation of the two fundamental pieces of our work (ANCHOR and KISS) are performed in the respective chapters. 
The above-mentioned discussion and informal proof of correctness of all mechanisms and algorithms is given in appendices. We also formally machine-verified the main algorithms.
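The abstract states two design properties of KISS/ANCHOR that are easy to confuse: Perfect Forward Secrecy obtained with symmetric primitives only (which also keeps the design clear of the public-key algorithms threatened by quantum computers), and Post-Compromise Security, which the thesis obtains by a separate restart mechanism rather than by the key-derivation scheme itself. The following is an added illustration of that distinction, not code from the thesis and not its iDVV construction: a one-way HMAC ratchet shared by two endpoints. The initial shared secret, the channel label and the "compromise after step 3" scenario are constructed for the example; in the thesis the corresponding secret would come from secure device registration, which this code does not model.

```python
"""Symmetric-only key ratchet illustrating Perfect Forward Secrecy (PFS).

Added illustration, not the thesis's iDVV/KISS mechanism. Two endpoints that
share an initial secret derive a fresh message key at every step and advance
a one-way state. Because the state update is a PRF of the previous state, an
adversary who captures the current state cannot recover earlier states or
keys (PFS), but can follow the chain forward until a fresh secret is injected
(i.e. the ratchet alone gives no Post-Compromise Security).
"""
import hashlib
import hmac
import secrets

HASH = hashlib.sha256


def ratchet_step(state: bytes, label: bytes) -> tuple[bytes, bytes]:
    """Derive (next_state, message_key) from the current state.

    Two domain-separated HMAC evaluations keyed with the current state:
    one output protects this step's traffic, the other becomes the next
    state. Neither output reveals the other or the state that produced it.
    """
    message_key = hmac.new(state, b"msg-key|" + label, HASH).digest()
    next_state = hmac.new(state, b"ratchet|" + label, HASH).digest()
    return next_state, message_key


class Endpoint:
    """One side of a control-plane channel (controller or forwarding device)."""

    def __init__(self, shared_secret: bytes, label: bytes) -> None:
        self.state = shared_secret  # assumed provisioned out of band
        self.label = label
        self.step = 0

    def next_key(self) -> bytes:
        """Advance the ratchet and return this step's message key.

        The previous state is overwritten; once the returned key is used and
        discarded, nothing held by this endpoint allows it to be recomputed.
        """
        self.state, key = ratchet_step(self.state, self.label)
        self.step += 1
        return key


def derive_keys(shared_secret: bytes, label: bytes, n: int) -> list[bytes]:
    """Sequence of n message keys an endpoint starting from shared_secret emits."""
    ep = Endpoint(shared_secret, label)
    return [ep.next_key() for _ in range(n)]


def keys_from_compromised_state(state: bytes, label: bytes, n: int) -> list[bytes]:
    """What an adversary holding a stolen ratchet state can compute going forward."""
    return derive_keys(state, label, n)


def demo() -> dict[str, bool]:
    """Run both endpoints, steal the state after step 3, and report what leaks."""
    secret = secrets.token_bytes(32)          # constructed stand-in for a provisioned secret
    label = b"controller-1<->switch-7"        # constructed channel identifier
    controller = Endpoint(secret, label)
    switch = Endpoint(secret, label)

    past = [(controller.next_key(), switch.next_key()) for _ in range(3)]
    stolen_state = switch.state               # compromise of the switch happens here
    future = [(controller.next_key(), switch.next_key()) for _ in range(3)]

    attacker = keys_from_compromised_state(stolen_state, label, 3)
    past_keys = {c for c, _ in past}
    return {
        "endpoints_agree": all(c == s for c, s in past + future),
        "past_keys_safe": not any(k in past_keys for k in attacker),   # PFS holds
        "future_keys_exposed": attacker == [c for c, _ in future],     # no PCS by itself
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The `future_keys_exposed` flag is the point of the example: a one-way ratchet protects pre-compromise traffic but gives the adversary every subsequent key, which is why the abstract describes PCS as a separate measure (semi-automatic restart after full compromise, i.e. re-provisioning fresh secrets) rather than a property of the derivation scheme.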
Research center :
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Critical and Extreme Security and Dependability Research Group (CritiX)
Disciplines :
Computer science
Author, co-author :
Kreutz, Diego ;  University of Luxembourg > Faculty of Science, Technology and Communication (FSTC)
Language :
English
Title :
Logically Centralized Security for Software-Defined Networking
Alternative titles :
[en] Logically Centralized Security for Software-Defined Networking
Defense date :
15 September 2020
Number of pages :
189
Institution :
Unilu - University of Luxembourg, Luxembourg
Degree :
DOCTEUR DE L'UNIVERSITÉ DU LUXEMBOURG EN INFORMATIQUE
Promotor :
Esteves-Veríssimo, Paulo
Jury member :
Rexford, Jennifer
Scott-Hayward, Sandra
Focus Area :
Security, Reliability and Trust
Name of the research project :
R-STR-3064-00 > PEARL-Inst Socio-Economic Inequality > 01/01/2014 - 19/01/2048 > CHAUVEL Louis
Funders :
FNR - Fonds National de la Recherche [LU]
Available on ORBilu :
since 03 November 2020

Statistics
Number of views: 415 (21 by Unilu)
Number of downloads: 1730 (9 by Unilu)
OpenCitations: 4
WoS citations: 9