The progression of virtualization technology has produced a high demand for similar capabilities in network communication. Traditional networking technologies in switching and routing devices provide limited abilities for the virtualization space due to the lack of controlling and tailoring network traffic on virtual machines (VM).
Software-defined networking (SDN) has become a solution for this high demand in virtualization but it presents concerns for robustness and the security posture of the networking architecture.
SDN segments itself into three areas of networking – application, control and infrastructure (Data) planes. Switches and controllers are two main SDN components; both operate a software solution, such as (but not limited to) Open vSwitch and Floodlight within either a VM or hardware-orientated product.
The configurations of these SDN systems are critical for enhancing the
security posture of an organization but unbeknownst to many administrators, the architecture by itself presents areas of weaknesses and concerns.
The framework of SDN identifies the controller as the brains of the operation, that is, if the system ceases to function, switching devices would slowly be unable to decisively direct network traffic (flow) to their appropriate destination as they heavily rely on the instructions and judgment of the controller. Additionally, SDN switching systems direct traffic based on flow insertion techniques driven by the Open Flow protocol, which is managed by the controller and interpreted by the switch.
From an operational perspective, vulnerability research in causing a controller to crash would be catastrophic for an organization and thus presents motivation to increase awareness for further studies.
The process of evaluating each SDN component helped identify additional security concerns, including plain text communication schemes, discovery protocol weaknesses, fundamental security flaws and concerns raised by the planes of the SDN environment. Additionally, through fuzzing, the controller by itself was susceptible to Denial-of-Service (DoS).
My presentation at BSides Las Vegas 2017 on the topic of
Pwning Software-Defined Networking provides a primer into the paradigm of SDN with examples of vulnerability research attempts and fuzzing of SDN software systems.
This presentation targets an audience of individuals who have some networking knowledge and wish to further advance their palette in the SDN paradigm as well as people who want to explore the vulnerability research perspective of SDN.
See this talk on Tuesday, July 25, 2017, at 19:00 - 19:25 PT at Common Ground (Florentine F), 255 E Flamingo Road, Las Vegas, NV 89169.
About the Author: Tommy Chin is a Security Researcher at Grimm. His research interest focuses towards networking, machine learning, signal processing, and target tracking. Tommy enjoys the occasional conversation of security over a cocktail drink where he fancies a White Russian or a Double Whiskey Sour. He has presented at a number conferences, most recently at ShmooCon. His educational experience is in the fields of Computing Security, Applied Networking and System Administration, and Mathematics. He is always looking for collaborators to conduct new research angles or ideas with.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
