SDN Security Introduction 2017.10.06 Speaker：Cheng-Yu Wang (王承宇) Advisor：Ke, Kai-Wei

Outline Introduction SDN 架構簡介 Cyber Attack 種類 Example 1：A Novel Design On-Demand Service and Security Switch Distributed Denied-of-Service attack (DDoS) Example 2：Design of the multi-level security network switch system which restrict covert channel Data transmit among hosts with different security level Reference

Introduction SDN 架構簡介 Cyber Attack 種類

SDN 架構簡介 SDN(軟體定義網路)主旨為讓網路便於操 作和管理，根據不同的網路條件變化需 求，增加其靈活性。 Openflow 協定將傳輸路徑規劃和數據轉 發，分為control plane以及data plane兩部 分，數據轉發留在switch內，傳輸路徑 規劃則交由controller。 不同application，所需要的網路需求和設備不盡相同，例如VM(Virtual Machine) controller規劃完路徑後會設置路由表至switch中。 Southbound API用的是Openflow。 Openflow是一個協議規範所訂定的API，作為controller和switch間溝通的橋樑。

SDN 架構簡介 (cont'd.) Openflow Switch Flow table Group table Meter table Multi table、Eviction、 Vacancy… Flow table: 為control plane控制 data plane的方式，openflow的核心功能，負責儲存data plane forwarding、routing條件、動作等資訊(即flow entry)，data plane依此表判斷執行 Group table: 為將 action 集合整合至一張表並給予該集合一 ID，而 action 可指定該 ID 即可執行該 action 集合，此表可應用於 load balance、failover 等實際情境 Meter table: 則提供流量控制的功能，使 OpenFlow 具有處理 QoS、DiffServ 的能力 Multi table: 加強openflow處理封包的流程 Eviction: flow table沒有空間，新的flow entry會取代舊有不重要的flow entry Vacancy: flow table空間接近滿時，發出通知給controller決定如何處理

SDN 架構簡介 (cont'd.) Match field、Priority、Counter、Instruction、timeout、Cookie、flag

Cyber Attack 種類 資訊安全六大指標 STRIDE Threat List Type Examples Security Control Spoofing Threat action aimed to illegally access and use another user's credentials, such as username and password. Authentication Tampering Threat action aimed to maliciously change/modify persistent data, such as persistent data in a database, and the alteration of data in transit between two computers over an open network, such as the Internet. Integrity Repudiation Threat action aimed to perform illegal operations in a system that lacks the ability to trace the prohibited operations. Non-Repudiation Information disclosure Threat action to read a file that one was not granted access to, or to read data in transit. Confidentiality Denial of service Threat aimed to deny access to valid users, such as by making a web server temporarily unavailable or unusable. Availability Elevation of privilege Threat aimed to gain privileged access to resources for gaining unauthorized access to information or to compromise a system. Authorization 資訊安全六大指標

Cyber Attack 種類 (1/6) (cont'd.) spoofing(欺騙)：利用其他使用者的名字、密碼等等進行身分驗證 Authentication(身分識別)：辨別使用者身分 IP spoofing、ARP spoofing… Solution：進行嚴謹的身分認證 IP spoofing: 偽造source ip來傳送封包，使用其他電腦IP位址取得資訊和存取權限，可以隱藏攻擊的真實來源 ARP: address resolution protocol，位置解析，用IP位址對應到可在網路中辨識的MAC address ARP spoofing: 攻擊者可在區域網路上竄改封包，可以讓特定電腦或所有電腦無法正常連線

Cyber Attack 種類 (2/6) (cont'd.) tampering(竄改)：惡意的改變／修改持久性數據(e.g. database)，或加入替代 的數據，於雙方電腦在網路上傳送的資料中 Integrity(資料完整性)：資料傳送途中或儲存必須沒有經過竄改或偽造 counter falsification, rule installation, modification affecting data plane falsification[ˋfɔlsəfəˋkeʃən] 竄改；偽造

Cyber Attack 種類 (3/6) (cont'd.) Repudiation(否認)：在系統上執行違法動作卻缺乏能力來追蹤 Non-repudiation(不可否認性)：使用者無法否認做過的事情 Rule installation, modification for source address forgery Solution：監視、擷取記錄與分析

Cyber Attack 種類 (4/6) (cont'd.) Information disclosure(資訊接露)：讀取不被允許存取的資料 Confidentiality(機密性)：確保機密資料傳送的安全和隱密性，避免沒 有經過授權的使用者無意或有意的揭露資料內容 Side channel attacks to figure out flow rule setup Solution：採用SSL等安全性協定 旁路攻擊意旨利用物理中獲取的資訊(時間資訊、功率消耗、聲音…)，而非用暴力破解或演算法這種理論性破解。

Cyber Attack 種類 (5/6) (cont'd.) Denial of service(阻斷服務)：使目標系統資源耗盡，使服務中斷或停止 Availability(可用性)：資料保持在可用的狀態，服務不能中斷 SYN flooding, UDP flooding, ICMP flooding… SYN flooding: 利用TCP連線時three-way handshake，攻擊者發出不正確來源IP位址SYN封包，接收者發出SYN ACK卻等不到ACK，送到網路資源耗盡，影響一般使用者存取系統 ICMP: Internet control message protocol，一種錯誤偵測與回報機制，目的是讓我們能夠檢測網路連線狀況，確保連線的準確性。 UDP flooding: 攻擊者產生任意port number的UDP封包，目的端接收後找不到應用程式來處理，便回復ICMP封包給來源卻找不到，所以ICMP封包充斥整個網路且影響頻寬，接收者也一直處於尋找可處理UDP封包的應用程式和回傳ICMP封包給錯誤的來源地的忙碌狀態。 ICMP flooding: 利用ping of death，利用ping的方式，產生很大的封包攻擊主機，超過IPv4規定最大封包大小，導致大部分電腦沒辦法處理，buffer溢出，可能會造成系統當機

Cyber Attack 種類 (6/6) (cont'd.) Elevation of privilege(提升特權)：提升權限到能存取非自己權限可以取 得的資源，或危及到系統 Authority(存取權限控制)：依照身分給予適當權限 飛彈誤射、controller設計上的缺陷

A Novel Design On-Demand Service and Security Introduction Internet Technology System Architecture Experiment Internet technology: 包含openflow、autonomic(自主系統)以及LISP(Locator/ID separation protocol)

Introduction Growing on-demand service and security issues Using Openflow, Autonomic, and Locator/ID separation technologies to support on-demand service and network security Openflow-based DDoS defender 實作出openflow-based ddos defender來實現自治的自我保護的結構

Internet Technology Openflow Autonomic system (自治系統) Network-awareness Building a fundamental block LISP (Locator/ID separation protocol) ID, identifier, “who” LOC, locator, “where” Openflow controller可以新增移除flow table內的flow entry再給Openflow switch新的設定，也就是openflow具有programmable的特性 Network-awareness: 就是具有預警功能，偵測到惡意行為可以做適當的處理 Building a fundamental block: 我只要留基礎的功能，有其他功能需求再去catch external operation LISP在network layer和transport layer新增identity layer來表達identifier和locator的關係。 ID: 可辨識的節點，host, server, router等等，他是永久且和application layer以及transport layer有關係。 LOC: 提供要去哪裡取得此節點的資訊。他是暫時且和network layer有關係。

System Architecture 攻擊目標、架設ddos defender的位置

System Architecture (1/2) (cont'd.) A、On-demand provision (1) request cloud service (2) trigger CRM (3) provisioned for user's need 使用者透過web portal要求雲端服務 Portal會觸發CRM(顧客關係管理)系統提供服務資源、Openflow controller(NOX)提供網路資源 網路和服務資源快速提供給使用者

System Architecture (1/2) (cont'd.) 2. Portal做驗證、帳號管理、授權，再forward VM request 3. CRM通知VMM提供VM的core number, disk size, RAM size和作業系統給客戶端

System Architecture (2/2) (cont'd.) B、Security LISP could be used as user identification Safety connection could be provisioned and added to OpenFlow switch flow table (解釋詳細步驟)

Experiment DDoS Defender Implemented on controller Monitor flows Detect DDoS attack (解釋詳細步驟)

Experiment (cont'd.) Stage 1：The first threshold is 3000 packets for every 5 seconds Stage 2：Drop incoming packets when traffic achieve 800 PPS for 5 times continually 當traffic流量超過門檻，則會啟動第二階段 當flow entry 發生 time-out，DDoS Defender會回到正常狀態

Experiment (cont'd.) Emulate 100 attackers Totally send 1000 PPS Detect the attack flow and start to drop packets after 10 seconds Results shows server only receive 10,465 packets even though attackers send 30,524 packets

Design of the multi-level security network switch system which restrict covert channel Introduction L-BLP model The design of the system Experiment

Introduction Enterprises, government, or military have to prevent information flows transmitted from their own network to outside Covert channel enables the high level host transfer information to the low level host, then the system is not secure Use Filter module to check packet's content and delay the packets then restrict covert channel 解釋covert channel

L-BLP model BLP model (Security Policy) A state machine, used for enforcing access control in government and military applications L-BLP model It classes host and data into different levels System can monitor host's action to specify the host's security level L-BLP model 偏向應用在區域網路上。

The Design of the system (1/5) A、Architecture Switch透過網路連接Controller和filter Host只能連接到secure switch，不能直接連到其他裝置

The Design of the system (2/5) (cont'd.) B、Controller (1) host registering (2) flow computing (3) flow table updating Controller擁有host security level和topology structure 確定連接網路的host和switch是有經過授權的 根據topology structure計算packet flow 路徑 更新switch上flow table的資訊

The Design of the system (3/5) (cont'd.) C、Filter Restrict Information channel (1) content check module Level 1：check flags field of TCP packet's header Level 2：check unused and optional field Level 3：check sequence number and acknowledgement number Level 4：use packet retransmission or packet lose to send information (2) time delay module 檢查TCP header中的flag field，值是不是ACK或SYN，不是就丟掉&通知controller找到不合法封包。檢查data field。 (消除direct channel) 檢查unused或者optional field，IP packet: type of service, Identification, fragment offset, options, padding。 TCP header: Reserved, flag, urgent pointer, option, padding。 (由protocol本身指定，我們可以預測他的value，比較desire value和real value，不相同丟掉通知controller家黑名單) (消除大部分的covert channel) 檢查TCP header中的seq num, ack num，但很難辨識有沒有covert channel (capacity小，不好辨認) 4. 需要filter紀錄data flow的歷史紀錄，在網路idle下卻經常重傳，就可以懷疑有convert channel

The Design of the system (3/5) (cont'd.) C、Filter Restrict Information channel (1) content check module (2) time delay module This module is responsible to restrict covert timing channel Filter brings different delay to different packet in the same data flow, this can be seen as a noise Packet queue 在每個data flow會delay有兩個factor，第一個是在傳輸途中和經過switch，在網路idle下是一個static value，部會影響covert channel的capacity 第二個是filter

The Design of the system (4/5) (cont'd.) D、Secure Switch Forwarding packets If finds matching item, then the switch forwards the packet to destination, else the switch forwards the packet to the controller (解釋詳細內容)

The Design of the system (5/5) (cont'd.) E、How the system works (解釋workflow chart)

Experiment 6 personal computers, 1 Ethernet switch Controller：Ubuntu, NOX Secure switch：Ubuntu, 7 Ethernet adapter, Openflow software Filter： Ubuntu, modified Openflow software

Experiment (cont'd.) (解釋詳細流程)

Reference Chu YuHunag, Tseng MinChi, Chen YaoTing, A Novel Design for Future On-Demand Service and Security, Communication Technology (ICCT), 2010 12th IEEE International Conference on Xiong Liu, Haiwei Xue, Xiaoping Feng, Yiqi Dai, Design of the multi-level security network switch system which restricts covert channel, Communication Software and Networks (ICCSN), 2011 IEEE 3rd International Conference on