Software Defined Network
SDN, or Software Defined Networking, is an approach to computer networking that lets the network manager manage the entire network and its services from a central point. The network services are managed through an abstraction of higher-level functionality, achieved by decoupling the system that decides how traffic is handled (the control plane) from the underlying systems that forward the traffic to its final destination (the data plane).
Every SDN deployment has a protocol associated with it; the best-known one is OpenFlow. Related technologies include Nicira's Network Virtualization Platform and Cisco's Open Network Environment.
SDN is significant today because it offers an architecture that is dynamic, manageable, cost-effective and adaptable, and that suits the high-bandwidth, dynamic nature of today's applications. Such an architecture decouples network control from forwarding, which makes the control layer directly programmable and abstracts the underlying infrastructure from the applications and network services built on top of it.
Here the OpenFlow protocol is taken as the functional element for building the SDN solution, and the architecture must meet the following needs.
The network intelligence is logically centralized in software-based SDN controllers that maintain a global, bird's-eye view of the network, so that to applications and policy engines the network appears as a single logical switch.
Because network control is decoupled from the forwarding function, the network control can be programmed directly.
Vendor-Neutral and Open-Standards-based
SDN simplifies network design and operation when it is implemented through open standards, because the basic instructions are issued by SDN controllers instead of by multiple vendor-specific devices and protocols.
Network-wide traffic flow can be adjusted dynamically to meet changing demands, because abstracting control from forwarding lets administrators make those adjustments.
SDN lets network managers program the controller directly, so they can configure, manage, optimize and secure network resources quickly and simply through dynamic, automated SDN programs.
Today's traditional network architecture is ill-suited to today's complex and vulnerable networks, dynamic computing and storage needs, carrier environments and enterprise data centres. Several needs drive the SDN paradigm, as follows.
Consumerization of Information Technology
Users employ a variety of personal devices, such as smartphones and tablets, to access the corporate network. Accommodating these personal devices is a challenge for IT, which must still protect corporate data and intellectual property and meet compliance mandates.
Dynamically Changing Traffic Patterns
Traffic patterns in enterprise data centres are highly dynamic. Unlike classic client-server applications, where the bulk of the communication occurs between one client and one server, today's applications generate complex, heavy traffic in both the north-south and the east-west directions. Network traffic patterns also change constantly as users access corporate content and applications from varied devices, anywhere and at any time. Enterprise data centre managers are therefore contemplating utility-computing models, whether private, public or hybrid cloud, which add further traffic across the WAN.
Rise of Cloud Services
Enterprises are increasingly embracing public and private cloud services, which has driven strong growth in those services. They want agile access to applications, infrastructure and other IT resources as demand keeps rising. But companies must also plan for the security and auditing requirements of cloud services, and for mergers and business reorganizations that change the assumptions dynamically. Hence the network, storage and computing resources need elastic scaling, managed with a common suite of tools from a common viewpoint.
Increased Bandwidth & Big Data
Handling big data and mega datasets requires massive parallel processing across thousands of servers, which in turn requires direct connections among them. This drives a large increase in data centre network capacity. Scaling the network to such levels while maintaining consistent, uninterrupted connectivity among the computing devices has become a significant challenge.
SDN Architecture And Components
A high-level view of the SDN architecture is as follows.
Figure: SDN Architecture
SDN applications are programs that communicate their network requirements and desired network behaviour directly, explicitly and programmatically to the SDN controller through the Northbound Interface (NBI). They may also consume an abstracted view of the network for their internal decision-making. An SDN application consists of SDN application logic and one or more NBI drivers. Applications may themselves expose an abstracted network control layer offering one or more NBIs to higher levels, through their respective NBI agents.
The SDN controller is the logically centralized entity in charge of translating the requirements from the SDN application layer down to the SDN datapaths and providing the SDN applications with an abstract view of the network, including statistics and events. The controller consists of one or more NBI agents, the SDN control logic, and the Control to Data-Plane Interface (CDPI) driver.
The SDN datapath is a logical network device that exposes visibility and uncontended control over its advertised forwarding and data processing capabilities. The logical representation may encompass all or a subset of the physical substrate resources. A datapath comprises a CDPI agent, a set of one or more traffic forwarding engines, and zero or more traffic processing functions. These engines and functions may include simple forwarding between the datapath's external interfaces, or internal traffic processing and termination functions. One or more SDN datapaths may be contained in a single physical network element, an integrated physical combination of communication resources managed as a single unit. A datapath may also be defined across multiple physical network elements.
The SDN Control to Data-Plane Interface (CDPI) is the interface between the SDN controller and the SDN datapath. It provides the following.
- Statistics reporting
- Capabilities advertisement
- Event notification
- Programmatic control for forwarding operations
A key value of the CDPI is that it is implemented in an open, vendor-neutral and interoperable way.
SDN Northbound Interfaces (NBIs) are the interfaces between SDN applications and the SDN controller. They provide an abstract view of the network and let applications express network requirements and desired network behaviour directly. They can occur at any level of abstraction and across all sets of functionality. NBIs are likewise expected to be implemented in an open, vendor-neutral and interoperable way.
SDN has become the preference of many organizations; however, it raises several issues, most of them security issues inherited from traditional networking, along with some new ones.
The major concern is attacks on the architecture layers. The attacks anticipated on the SDN layers are as follows.
Data Plane Layer Attacks
Network elements are often targeted from inside the network itself. Typically the attacker gains unauthorized access to the network, physically or virtually, and then tries to compromise a host associated with the SDN, or fuzzes the network elements directly. Various southbound protocols and APIs control communication with the network elements. Although these protocols are meant to carry their own security mechanisms and to secure communication with the network elements, several of them are not sufficiently secured because they are newly developed. Attackers can then abuse these protocols to instantiate new flows in the devices' flow tables, spoofing flows that permit kinds of traffic that would otherwise not be allowed into the network. Once such a flow is accepted, the attacker can bypass flow and traffic steering, for example the steering that guides traffic through the firewall. With steering under the attacker's control, traffic can be redirected and the ability to sniff it can be leveraged, which ultimately enables a man-in-the-middle attack.
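One defensive counterpart to the flow-spoofing scenario above is a policy guard that vets every candidate flow rule before the controller installs it. The block below is an added example, not code from the page or from any controller project; the firewall port, the protected subnet and the sanctioned IDS mirror port are assumptions chosen for the illustration.

```python
"""Policy guard for candidate flow rules before an SDN controller installs them.

Added example, not from the page or any controller project. Assumes a firewall
on switch port FIREWALL_PORT, a PROTECTED subnet reachable only through it, and
ALLOWED_MIRROR_PORTS as the sanctioned IDS/SPAN ports; rules that steer around
the firewall, blackhole protected traffic, copy unicast traffic to an unsanctioned
second port (a sniffing path) or shadow policy with a top-priority catch-all are rejected.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

FIREWALL_PORT = 3                        # assumed firewall attachment port
PROTECTED = ip_network("10.0.10.0/24")   # assumed protected server subnet
ALLOWED_MIRROR_PORTS = {9}               # assumed sanctioned IDS/SPAN port
MAX_WILDCARD_PRIORITY = 60000            # assumed ceiling for match-all rules

@dataclass
class FlowRule:
    match: dict                                  # e.g. {"ipv4_dst": "10.0.10.5"}; {} matches all
    actions: list = field(default_factory=list)  # e.g. [("output", 3)]; [] means drop
    priority: int = 100

def violations(rule):
    """Return the policy violations for one rule; an empty list means install it."""
    problems = []
    dst = rule.match.get("ipv4_dst")
    protected = dst is not None and ip_address(dst) in PROTECTED
    outputs = {port for kind, port in rule.actions if kind == "output"}
    # 1. Traffic for protected hosts may leave only via the firewall port.
    if protected and outputs - {FIREWALL_PORT}:
        problems.append("bypasses firewall for protected destination")
    # 2. A drop rule (no actions) for protected traffic silently blackholes it.
    if protected and not rule.actions:
        problems.append("blackholes protected traffic")
    # 3. Unicast traffic sent to more than one non-mirror port is being copied.
    if dst is not None and len(outputs - ALLOWED_MIRROR_PORTS) > 1:
        problems.append("mirrors traffic to unsanctioned port")
    # 4. A match-all rule at very high priority shadows every security rule below it.
    if not rule.match and rule.priority > MAX_WILDCARD_PRIORITY:
        problems.append("top-priority catch-all shadows policy rules")
    return problems

def partition(rules):
    """Split candidate rules into (accepted, rejected) lists before installation."""
    accepted, rejected = [], []
    for rule in rules:
        (rejected if violations(rule) else accepted).append(rule)
    return accepted, rejected
```

In a real controller the guard would sit in front of the southbound driver so that rejected rules are logged and never reach a switch flow table.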
Controller Layer Attacks
The SDN controller is the obvious target, for many reasons. New flows can be instantiated by spoofed northbound API or southbound API messages to the network devices. If the attacker does this from what appears to be a legitimate controller, the attacker can direct traffic flow over the SDN at will and easily bypass the security policies.
Denial of service against the controller is another attack, along with similar methods aimed at crashing or interrupting it. The result is that the controller responds slowly to Packet_In events or bogs down entirely, and the sending of Packet_Out messages slows as well.
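A controller can detect the Packet_In flood described above before it bogs down by keeping a sliding window of table-miss events per ingress port. The block below is an added example, not code from the page or any controller project; the event tuple layout, the window length and the limit are assumptions.

```python
"""Sliding-window detector for Packet_In floods against an SDN controller.

Added example, not code from the page or any controller project. Events are
(timestamp, datapath_id, in_port) tuples as a controller sees them on a
table miss. A port that generates more than LIMIT Packet_Ins within WINDOW
seconds is flagged so the operator can rate-limit it or push a drop rule
before the controller bogs down; WINDOW and LIMIT are assumed tuning values.
"""
from collections import defaultdict, deque

WINDOW = 1.0   # seconds of history kept per ingress port
LIMIT = 50     # Packet_In events tolerated per port per window

class PacketInMonitor:
    def __init__(self, window=WINDOW, limit=LIMIT):
        self.window, self.limit = window, limit
        self._recent = defaultdict(deque)   # (dpid, in_port) -> event timestamps
        self.flagged = set()

    def observe(self, ts, dpid, in_port):
        """Record one Packet_In; return True if the port is over the limit."""
        key = (dpid, in_port)
        q = self._recent[key]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop events outside the window
            q.popleft()
        if len(q) > self.limit:
            self.flagged.add(key)
            return True
        return False

def detect_floods(events, window=WINDOW, limit=LIMIT):
    """Replay events in time order; return sorted (dpid, in_port) pairs that flooded."""
    monitor = PacketInMonitor(window, limit)
    for ts, dpid, in_port in sorted(events):
        monitor.observe(ts, dpid, in_port)
    return sorted(monitor.flagged)

# Constructed sample: a normal host on port 1 of switch 0x1 (one table miss every
# 100 ms) and a flooding host on port 2 (200 table misses inside half a second).
SAMPLE_EVENTS = [(i * 0.1, 0x1, 1) for i in range(20)] + \
                [(0.2 + i * 0.0025, 0x1, 2) for i in range(200)]

if __name__ == "__main__":
    print(detect_floods(SAMPLE_EVENTS))   # [(1, 2)]
```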
SDN controllers generally run on Linux, but whichever commonly used operating system a controller runs on, that operating system's vulnerabilities become SDN vulnerabilities. Controllers are often deployed into production with default or weak passwords and without security settings configured. SDN engineers tend not to touch them afterwards, for fear of breaking something, so the SDN system is left in a vulnerable configuration.
SDN Layer Attacks
Attacks on northbound protocol security are another possible vector. SDN controllers usually offer several northbound APIs based on JSON, REST, Java, C, Python and so on. If an attacker leverages a vulnerable northbound API, the attacker can control both the SDN controller and the SDN network. If the controller's northbound API is not secured, an attacker can create new SDN policies and gain complete control.
Default passwords are commonly used for the REST API and are trivial to determine. If an SDN deployment has not changed the default password, an attacker can craft packets for the controller interface, query the configuration of the SDN environment, and replace the existing configuration with a new one.
Security Framework for One Issue
SDN Layer Security
Network control traffic can be secured with an out-of-band protection measure: a separate management network that secures the controller management protocols and the northbound and southbound communications. SSH, TLS or similar methods should be employed to secure controller management and northbound communications. Authentication and encryption help establish trusted communication between the applications that issue data requests and the controller services.
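The default-credential and unsecured-API problems from the controller and SDN layer sections, together with the out-of-band and TLS measures above, can be checked mechanically against a deployment description. The block below is an added example, not code from the page or from any controller product; the configuration layout, the management subnet and the list of default credentials are assumptions.

```python
"""Hardening audit for an SDN controller deployment description.

Added example, not code from the page or any controller product. The config
dict layout, OOB_MGMT_NET and the DEFAULT_CREDS list are assumptions. It checks
the points above: default or weak northbound REST credentials, REST or OpenFlow
channels without TLS, and listeners bound to the production network instead of
an out-of-band management network.
"""
import ipaddress

OOB_MGMT_NET = ipaddress.ip_network("192.168.100.0/24")      # assumed OOB subnet
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password")}  # illustrative defaults
MIN_PASSWORD_LEN = 12

def audit(cfg):
    """Return a list of findings; an empty list means the deployment passes."""
    findings = []
    rest = cfg["northbound_rest"]
    if (rest["user"], rest["password"]) in DEFAULT_CREDS:
        findings.append("northbound REST API uses default credentials")
    elif len(rest["password"]) < MIN_PASSWORD_LEN:
        findings.append("northbound REST API password is weak (too short)")
    if rest["scheme"] != "https":
        findings.append("northbound REST API is served without TLS")
    if ipaddress.ip_address(rest["bind"]) not in OOB_MGMT_NET:
        findings.append("northbound REST API is not on the out-of-band management network")
    sb = cfg["southbound_openflow"]
    if not sb["tls"]:
        findings.append("OpenFlow control channel runs without TLS")
    elif not sb["verify_switch_cert"]:
        findings.append("OpenFlow TLS does not verify switch certificates")
    if ipaddress.ip_address(sb["bind"]) not in OOB_MGMT_NET:
        findings.append("OpenFlow listener is not on the out-of-band management network")
    return findings

# Constructed: a controller left at its install-time settings ...
INSECURE_CFG = {
    "northbound_rest": {"scheme": "http", "bind": "10.0.0.5",
                        "user": "admin", "password": "admin"},
    "southbound_openflow": {"tls": False, "verify_switch_cert": False, "bind": "10.0.0.5"},
}
# ... and the same controller after hardening.
HARDENED_CFG = {
    "northbound_rest": {"scheme": "https", "bind": "192.168.100.5",
                        "user": "netops", "password": "example-long-passphrase"},
    "southbound_openflow": {"tls": True, "verify_switch_cert": True, "bind": "192.168.100.5"},
}
```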
Al-Shaer, Ehab and Al-Haj, Saeed. "FlowChecker: Configuration analysis and verification of federated OpenFlow infrastructures". Proceedings of the 3rd ACM Workshop on Assurable and Usable Security Configuration, 2010.
Benton, Kevin, Camp, L. Jean and Small, Chris. "OpenFlow vulnerability assessment". Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, 2013.
Bernardo, Danilo Valeros and Chua, Bee Bee. "Introduction and Analysis of SDN and NFV Security Architecture (SA-SECA)". 29th IEEE International Conference on Advanced Information Networking and Applications (AINA), 2015.
Braga, Rodrigo, Mota, Edjard and Passito, Alexandre. "Lightweight DDoS flooding attack detection using NOX/OpenFlow". IEEE 35th Conference on Local Computer Networks (LCN), 2010.
Canini, Marco, Venzano, Daniele, Perešíni, Peter, Kostić, Dejan and Rexford, Jennifer. "A NICE way to test OpenFlow applications". NSDI, 2012.
Ros, F. J. and Ruiz, P. M. "Five nines of southbound reliability in software-defined networks". Proceedings of HotSDN '14, 2014.
Feamster, Nick. "Outsourcing home network security". Proceedings of the 2010 ACM SIGCOMM Workshop on Home Networks, 2010.
Haranas, Mark. "16 Hot Networking Products Putting The Sizzle In SD-WAN". CRN, 2016.
Jafarian, Jafar Haadi, Al-Shaer, Ehab and Duan, Qi. "OpenFlow random host mutation: transparent moving target defense using software defined networking". Proceedings of the First Workshop on Hot Topics in Software Defined Networks, 2012.
Jin, Ruofan and Wang, Bing. "Malware detection for mobile devices using software-defined networking". Second GENI Research and Educational Experiment Workshop (GREE), 2013.
Network World. "Securing SDN Deployments Right from the Start". Network World [online]. Available: https://www.networkworld.com/article/2840273/sdn/sdn-security-attack-vectors-and-sdn-hardening.html
Sherwood, Rob, Gibb, Glen, Yap, Kok-Kiong, Appenzeller, Guido, Casado, Martin, McKeown, Nick and Parulkar, Guru. "FlowVisor: A network virtualization layer". OpenFlow Switch Consortium, Tech. Rep., 2009.