
SDN specific network security issues

2022-06-09 22:16:00 InfoQ

Because SDN uses an architecture that differs from the traditional network, it is hard to map SDN security one-to-one onto traditional network security technology. An SDN network has a three-layer structure of application plane, control plane and data plane, and it relies on many new implementation technologies and methods. The components inside each layer, and the communication and protocols between the layers, all become potential targets for network attackers.
1. Security of the SDN architecture
SDN subverts the traditional network at the architectural level: the data plane is separated from the control plane, and a logically centralized controller in the control plane drives the forwarding behaviour of the data plane. The security of that controller therefore directly determines the availability, reliability and data security of the network service. From a network security perspective, the risks around the controller show up in the following areas:
  • Security devices are no longer tied to the protected nodes and networks by physical connections, so an attacker who can redirect flows can route traffic around the security devices that the security policy requires it to pass through.
  • Using eavesdropping, worms, malicious code and other classic techniques, an attacker can steal an SDN administrator's account and password, log in to the controller, perform unauthorized operations and launch attacks on the network.
  • Exploiting a controller vulnerability or an open interface, an attacker can inject or issue bogus instructions, or send the application system requests whose parameters are inconsistent with the business logic, and thereby cause a denial of service (DoS).
  • An attacker listening on an insecure open interface can steal sensitive data or modify packet contents, and can also act as a man-in-the-middle to replay or modify data requests.
  • If the application interface performs no security checks, an attacker can exploit it to push a large number of useless flow entries to the network devices, producing a DDoS effect.
2. Security of the data plane
The key risk area in the data plane is the southbound API, for example OpenFlow and the Open vSwitch Database management protocol (OVSDB). OVSDB is the protocol used to manage Open vSwitch as a data-plane network element; opening this management path means network security is no longer confined to the network equipment vendor, and the attack surface of the network infrastructure grows significantly. "Attack surface" here means the set of points at which an attacker can interact with the system and that may therefore be exploited. An insecure southbound protocol compromises the network: an attacker can insert illegitimate flow entries into the flow table and carry out traffic spoofing or eavesdropping. A more direct attack is to take over the southbound API itself, which gives the attacker control of the whole network element. Against this class of attack, TLS at the transport layer provides three kinds of protection for data in transit:
  • Confidentiality: the data carried by the transport layer cannot be eavesdropped on or leaked.
  • Message integrity: the data carried by the transport layer cannot be tampered with or replaced.
  • Authentication: both communicating parties are verified through public key certificates, which helps prevent a rogue controller from issuing commands and prevents spoofed flows that an attacker tries to push into network devices.
These protections only exist if TLS is actually enabled with certificate verification on both sides. OpenFlow allows the control channel to run over plain TCP, and a controller or switch that accepts any certificate gets confidentiality without authentication.
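The flow-redirection bypass described in section 1 and the illegitimate flow entries described here both leave traces in the switch's flow table, so the flow table is worth auditing independently of the controller. The following is an added example, not code from the article or from Open vSwitch. It assumes `ovs-ofctl dump-flows` output format and a hypothetical site policy: all IP traffic to the protected subnet must be steered to the firewall on port 2 by a rule at priority 500, and every flow our controller installs carries 0xa1 in the top byte of its 64-bit cookie. The dump it audits is constructed.

```python
"""Audit an OpenFlow flow-table dump for entries that defeat the security path.

Added example; 'ovs-ofctl dump-flows' format, the policy constants and the
sample dump are assumptions, not taken from the article."""
import ipaddress
from dataclasses import dataclass

PROTECTED_NET = ipaddress.ip_network("10.0.0.0/24")   # hypothetical protected servers
FIREWALL_PORT = "2"                                  # switch port that leads to the firewall
STEER_PRIORITY = 500                                 # priority of the legitimate steering rule
CONTROLLER_COOKIE_HI = 0xA1                          # top cookie byte stamped by our controller

FOREIGN_COOKIE = "foreign cookie"                    # flow not installed by our controller
BYPASS = "bypasses firewall path"                    # protected traffic leaves via another port
MIRROR = "mirrors traffic to extra port(s)"          # extra copy of traffic (eavesdropping)

SKIP_KEYS = {"duration", "n_packets", "n_bytes", "idle_timeout", "hard_timeout",
             "idle_age", "hard_age", "table"}
IP_FLAGS = {"ip", "tcp", "udp", "icmp", "sctp"}

# Constructed dump: entry 2 was injected (cookie 0x0) and steals traffic for
# 10.0.0.5 to port 3 at a higher priority; entry 3 mirrors traffic to port 7.
SAMPLE_DUMP = """\
NXST_FLOW reply (xid=0x4):
 cookie=0xa100000000000001, duration=88.1s, table=0, n_packets=1200, n_bytes=96000, priority=500,ip,nw_dst=10.0.0.0/24 actions=output:2
 cookie=0xa100000000000002, duration=88.1s, table=0, n_packets=40, n_bytes=3200, priority=100,arp actions=NORMAL
 cookie=0x0, duration=3.2s, table=0, n_packets=9, n_bytes=720, priority=600,ip,nw_dst=10.0.0.5 actions=output:3
 cookie=0xa100000000000003, duration=5.0s, table=0, n_packets=0, n_bytes=0, priority=500,ip,nw_dst=10.0.0.0/24 actions=output:2,output:7
"""

@dataclass
class FlowEntry:
    priority: int
    cookie: int
    match: dict     # match field -> value; flag fields such as 'ip' map to ''
    actions: list

def split_top_level(s: str) -> list:
    """Split on commas that are not nested inside parentheses."""
    parts, depth, cur = [], 0, []
    for ch in s:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def parse_flow(line: str) -> FlowEntry:
    left, sep, right = line.partition(" actions=")
    if not sep:
        raise ValueError(f"not a flow entry: {line!r}")
    priority, cookie, match = 32768, 0, {}      # 0x8000 is the OpenFlow default priority
    for tok in split_top_level(left):
        key, eq, val = tok.partition("=")
        if key in SKIP_KEYS:
            continue
        if key == "priority":
            priority = int(val)
        elif key == "cookie":
            cookie = int(val, 16)
        else:
            match[key] = val if eq else ""
    return FlowEntry(priority, cookie, match, split_top_level(right))

def output_ports(entry: FlowEntry) -> list:
    ports = []
    for act in entry.actions:
        if act.startswith("output:"):
            ports.append(act[len("output:"):])
        elif act.isdigit() or act in {"NORMAL", "FLOOD", "ALL", "IN_PORT"}:
            ports.append(act)
    return ports

def covers_protected(entry: FlowEntry) -> bool:
    m = entry.match
    is_ip = bool(IP_FLAGS.intersection(m)) or m.get("dl_type") == "0x0800" or "nw_dst" in m
    if not is_ip:
        return False
    if "nw_dst" not in m:
        return True                      # wildcarded destination includes the protected subnet
    return ipaddress.ip_network(m["nw_dst"], strict=False).overlaps(PROTECTED_NET)

def audit_flow_table(dump: str) -> list:
    """Return (entry index, finding) pairs for every suspicious flow entry."""
    findings = []
    entries = [parse_flow(l) for l in dump.splitlines() if " actions=" in l]
    for i, e in enumerate(entries):
        if e.cookie >> 56 != CONTROLLER_COOKIE_HI:
            findings.append((i, FOREIGN_COOKIE))
        ports = output_ports(e)
        if covers_protected(e) and e.priority >= STEER_PRIORITY and FIREWALL_PORT not in ports:
            findings.append((i, BYPASS))
        if len(ports) > 1:
            findings.append((i, MIRROR))
    return findings

if __name__ == "__main__":
    for idx, finding in audit_flow_table(SAMPLE_DUMP):
        print(f"entry {idx}: {finding}")
```

The cookie check matters because an attacker who reaches the southbound channel directly, rather than through the controller, has no reason to reproduce the controller's cookie convention; the bypass check catches the redirection case even when the injected rule is otherwise well formed, since it compares where protected traffic actually goes against where the policy says it must go.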
3. Security of the control plane
In an SDN system, all management, orchestration, routing and traffic control decisions are concentrated in a single controller or in a few distributed controllers. An attacker who successfully compromises the controller gains control over the whole network, so the SDN controller must be a key protection target. Research on controller security mainly covers the following aspects:
  • DDoS protection: a highly available controller architecture reduces the impact of a DDoS attack. Achieving it requires, first, better methods for detecting DDoS attacks against the controller and, second, work on how redundant controllers take over when a controller fails under DDoS.
  • Access control: access control technologies for the controller, mainly role-based access control (RBAC) and attribute-based access control (ABAC).
  • Malicious code protection: protecting the controller against viruses, worms, Trojans and similar malicious code.
  • Network security devices: firewalls, IDS and IPS, and network auditing and forensics for the controller.
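One concrete detection method for the DDoS item above: a switch that misses on every packet of a flood forwards each packet to the controller as a packet-in, so the packet-in rate per (switch, port) and the number of distinct sources seen in a short window are two cheap indicators of a controller-directed flood. The following is an added example, not code from the article or from any real controller; the thresholds, the `PacketIn` record and both traces are constructed assumptions.

```python
"""Sliding-window detector for packet-in floods against an SDN controller.

Added example; thresholds and traces are constructed assumptions."""
import collections
from dataclasses import dataclass

@dataclass(frozen=True)
class PacketIn:
    ts: float       # arrival time at the controller, seconds
    dpid: str       # datapath id of the reporting switch
    in_port: int    # ingress port on that switch
    src_mac: str    # source MAC of the frame that missed the flow table

class PacketInGuard:
    def __init__(self, window_s: float = 1.0, max_per_window: int = 50, max_distinct_src: int = 30):
        self.window_s = window_s
        self.max_per_window = max_per_window
        self.max_distinct_src = max_distinct_src
        self._recent = collections.defaultdict(collections.deque)  # (dpid, port) -> deque[(ts, src)]
        self.quarantined = set()

    def observe(self, ev: PacketIn) -> str:
        """Decide one packet-in: 'ok', 'quarantine' (first detection) or 'dropped'.

        On 'quarantine' the caller would install a low-priority drop or meter
        rule for that port so the switch stops escalating misses to the
        controller, and would stop learning flows from that port."""
        key = (ev.dpid, ev.in_port)
        if key in self.quarantined:
            return "dropped"             # already handled; do not learn from it
        q = self._recent[key]
        q.append((ev.ts, ev.src_mac))
        while q and ev.ts - q[0][0] > self.window_s:
            q.popleft()                  # slide the window
        distinct = len({src for _, src in q})
        if len(q) > self.max_per_window or distinct > self.max_distinct_src:
            self.quarantined.add(key)
            q.clear()
            return "quarantine"
        return "ok"

def run(events) -> list:
    guard = PacketInGuard()
    return [guard.observe(e) for e in events]

def normal_trace() -> list:
    """Constructed: two hosts behind port 1 of s1 producing 10 packet-ins per second."""
    hosts = ["02:00:00:00:00:01", "02:00:00:00:00:02"]
    return [PacketIn(i * 0.1, "s1", 1, hosts[i % 2]) for i in range(40)]

def flood_trace() -> list:
    """Constructed: one attacker on port 3 of s1 sprays 100 frames with fresh
    source MACs within 0.5 s, so every frame misses and reaches the controller."""
    return [PacketIn(10.0 + i * 0.005, "s1", 3, f"02:00:00:00:{i // 256:02x}:{i % 256:02x}")
            for i in range(100)]

if __name__ == "__main__":
    print(collections.Counter(run(normal_trace())))
    print(collections.Counter(run(flood_trace())))
```

Keying on the ingress port rather than on the source address is deliberate: a flood that randomizes sources to force table misses would never trip a per-source counter, while the per-port view sees both the raw rate and the source churn. The distinct-source threshold fires first in the flood trace (at the 31st frame), before the raw rate threshold does.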
4. Security of the application plane
The northbound interface, its API and its protocols are also an important target for attackers. An attacker who breaks through the northbound interface can gain control of the network infrastructure, and the consequences are even more serious.

Protection of the SDN application plane has two goals: first, to prevent unauthorized users and applications from accessing the controller; second, to prevent attackers from exploiting vulnerabilities in the application system to gain control of the application plane. Possible protection techniques are: first, authenticate applications and verify their access rights to the control plane through identity authentication; second, since attackers may target the communication between the application system and the controller, protect that communication with TLS or a similar protocol.
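The two goals above translate into two checks on every northbound request: is the caller a registered application, and is that application allowed to perform this operation on this resource. The following is an added example, not code from the article or from any real controller's northbound API; the route names, roles, token strings, priority ceiling and flow quota are constructed assumptions. It also covers the earlier points about requests with parameters that do not fit the business logic (priority above the security band, wildcard flows) and about flooding the flow table through an unchecked application interface (per-application quota).

```python
"""Authentication, RBAC and attribute scoping for a northbound REST API.

Added example; routes, roles, tokens and limits are constructed assumptions."""
import collections
import hashlib
import hmac

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

# Registered applications, keyed by the SHA-256 digest of their bearer token
# so a leaked registry does not leak usable credentials.  Constructed data.
APPS = {
    _digest("tok-monitor-1111"): {"name": "monitor", "role": "reader", "dpids": {"*"}},
    _digest("tok-fwapp-2222"):   {"name": "fw-orchestrator", "role": "flow-writer", "dpids": {"s1", "s2"}},
}

# RBAC: role -> allowed (method, path prefix); "*" matches any method.
ROLES = {
    "reader":      {("GET", "/flows"), ("GET", "/topology")},
    "flow-writer": {("GET", "/flows"), ("POST", "/flows"), ("DELETE", "/flows")},
    "admin":       {("*", "/")},
}
# Applications may not install flows above this priority, so they can never
# shadow the security steering rules (assumed to live at priority 500 and up).
MAX_PRIORITY = {"reader": -1, "flow-writer": 499, "admin": 65535}
FLOW_QUOTA = 100                       # per application; blunts flow-table flooding
installed_flows = collections.Counter()

def lookup_app(token):
    if not token:
        return None
    digest = _digest(token)
    for stored, app in APPS.items():
        if hmac.compare_digest(stored, digest):   # constant-time comparison
            return app
    return None

def _path_under(path: str, prefix: str) -> bool:
    """Prefix match on whole path segments, so '/flowsx' is not under '/flows'."""
    prefix = prefix.rstrip("/") or "/"
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")

def authorize(token, method, path):
    """Return (status, reason) for a northbound request."""
    app = lookup_app(token)
    if app is None:
        return 401, "unknown or missing application credential"
    perms = ROLES.get(app["role"], ())
    if not any((m == "*" or m == method) and _path_under(path, p) for m, p in perms):
        return 403, f"role {app['role']} may not {method} {path}"
    parts = path.strip("/").split("/")
    if parts[0] == "flows" and len(parts) > 1:           # /flows/<dpid>/...
        dpid = parts[1]                                   # attribute scoping (ABAC-style)
        if "*" not in app["dpids"] and dpid not in app["dpids"]:
            return 403, f"{app['name']} is not scoped to switch {dpid}"
    return 200, "ok"

def install_flow(token, dpid, flow):
    """Authorize and sanity-check a flow install request before it reaches the controller core."""
    status, reason = authorize(token, "POST", f"/flows/{dpid}")
    if status != 200:
        return status, reason
    app = lookup_app(token)
    prio = flow.get("priority")
    if type(prio) is not int or not 0 <= prio <= MAX_PRIORITY[app["role"]]:
        return 400, "priority missing or above the ceiling for this role"
    if not flow.get("match"):
        return 400, "refusing a wildcard flow with no match fields"
    if installed_flows[app["name"]] >= FLOW_QUOTA:
        return 429, "flow quota exhausted for this application"
    installed_flows[app["name"]] += 1
    return 200, "installed"
```

Scoping an application to specific switches (the `dpids` attribute) is what keeps a compromised application from becoming a compromise of the whole infrastructure, which is the escalation the section warns about; the priority ceiling keeps any northbound client, even a legitimate one with a bug, from installing rules that outrank the security steering rules.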

A vulnerability or an overlooked design consideration in any part of the SDN architecture can become a security hazard for the whole SDN. As SDN technology and its applications develop rapidly, research into SDN security issues will keep evolving with them.


Copyright notice
This article was created by [InfoQ]; when reposting, please include the link to the original article. Thank you.
https://yzsam.com/2022/160/202206092137475206.html