Network Security and SDNs
Network Control Security Models
Stanford University Palo Alto, Ca May 21, 2013
Carter Bullard QoSient, LLC [email protected]
Carter Bullard [email protected]
• QoSient - Research and Development Company
– US DoD, IC, DARPA, DISA / Cyber Security
– Very Large Scale Defensive Architecture (Operations, Performance, Security)
– High Performance Network Security Research
– DARPA CORONET Optical Security Architecture
– Telecommunications / End-to-End Performance Optimization
– FBI / CALEA Data Wire-Tapping Working Group
• QoS / Security Network Management - Nortel / Bay
• QoS / Security Product Manager – FORE Systems
• CMU/SEI CERT
– Network Intrusion Research and Analysis
– Principal Network Security Incident Coordinator
• NSFnet Core Administrator (SURAnet)
• Standards Efforts
– Editor of ATM Forum Security Signaling Standards, IETF Working Group(s), Internet2 Security WG, NANOG
Network Security and SDNs
• Issues in Modern Network Security
• Network Security and Emerging Technology
• How do SDNs fit into the equation
• What are we doing at Stanford??
Network Security
• Network security has had an interesting 125+ year history
• 1889 - First man-in-the-middle mediated DoS / hijack attack
• 1903 - First telecom hacking incident
• 1983 - Trusted Computer System Evaluation Criteria - DoD 5200.28-STD
• 1988 - Collapse of NSFnet - Morris Worm
• 19xx - An infinite number of problems
• Security for the Network itself
– Network element security
– Routers, switches, bridges, gateways, hubs, repeaters
– Control and Management Plane Security
– Network services security
• Security services provided by the Network
What is Network Security
There is no industry consensus on what ‘network’ security is.
• Network Security Policy Enforcement
– Access Control - Mandatory and Discretionary
• Protecting Critical Network Infrastructure
– Physical and functional Integrity
– Reliability, Survivability, Responsiveness, and Recoverability
• Providing security services to the user
– End-point Assurance (NAC)
– Integrity and Confidentiality Assurances
• Network Security Incident Response
Theoretical Security Threats and Countermeasures
Threats (columns): Unauthorized Use, Modification, Disclosure, Degradation of Service, Repudiation
Countermeasures (rows):
– Authentication (cryptographic)
– Integrity (cryptographic)
– Confidentiality (cryptographic)
– Access Control
– Non-Repudiation (audit)
[Table: each cell is marked X where the countermeasure addresses the threat, either as a Primary Security Countermeasure or as a Secondary Security Countermeasure; the individual cell marks are not preserved in this copy.]
Derived from ITU-T Recommendation X.805 Security Architecture for Systems Providing End-to-End Communications
Network Security Threats
These are the primary issues in each area, but this is not at all a complete list
• Threat exploitation is traditional crime
– Trophy / Nuisance / Extortion / Theft / Espionage / Warfare
– Theft of service, unauthorized access
• Targets
– Networks with Exploitable Assets
– Specific Network Customers
– Network Service Providers
• Attacker psychological profiles are well understood
– Individual
• 15-20 year old male - demonstration of control/power
• 20-40 year old male - traditional criminal activity
– Groups
• Disjoint collection with single/multiple leader(s)
• Coordinated
• Highly Motivated
• Can be well funded (corporate/gov’t espionage)
Network Attack Methods
These are the fundamental attack methods, which are generally combined to generate complex attack strategies
• Traffic Analysis
• Eavesdropping
• QoS Degradation
• Resource exhaustion
• Transport Delay Induction
• Service Denial
• Spoofing
• Physical / Virtual Integrity Modification
• Man-in-the-middle
• Control plane modification
• Management plane compromise
Network Protection Strategies
Prevent, Detect, Respond and Resolve
This is THE mantra of the cyber security community and constitutes the principal mode of operation
• Prevent
– Effective countermeasures to real threats
– Vulnerability exploitation reduction
– This has been the primary security focus
• Cryptography
• Firewalls
• Software Updates
– No prevention scheme is 100% reliable
• Detect
– Real time cyber situational awareness
– Exhaustive analytics for complex detection
– After the fact network forensics
• Respond and Resolve
– The most critical part of any security architecture
– National Cyber Incident Response Plan - 2010
Who is Defining Network Security
US is used here only as an example. Many countries and multi-national organizations have their own formal security specification efforts
• US National Security Agency (NSA)
• National Information Assurance Partnership
• US Department of Defense
• US Department of Homeland Security
– Information Analysis and Infrastructure Protection
– National Security Telecommunications Advisory Committee (NSTAC)
– National Communications System (NCS)
• Committee on National Security Systems
– Subcommittee on Telecommunications Security
• National Institute of Standards
• Telecommunications Industry
X.805: Security Architecture for End-to-End Communications
• Vulnerabilities can exist in each Layer, Plane and Dimension
• 72 Security Perspectives (3 Layers x 3 Planes x 8 dimensions)
[X.805 architecture figure: 3 Security Layers (Infrastructure Security, Services Security, Applications Security); 3 Security Planes (End User Security, Control/Signaling Security, Management Security); 8 Security Dimensions (Access Control, Authentication, Non-repudiation, Data Confidentiality, Communication Security, Data Integrity, Availability, Privacy); Threats / Attacks: Destruction, Disclosure, Corruption, Removal, Interruption; Vulnerabilities]
Ninth Global Standards Collaboration (GSC-9) Meeting Seoul, Korea 9-13 May, 2004
X.805 Architecture
[X.805 architecture figure repeated: Security Layers, Threats, Attacks (Destruction, Disclosure, Corruption, Removal, Interruption), Vulnerabilities]
Vulnerabilities Can Exist In Each Layer
3 - Applications Security Layer:
• Network-based applications accessed by end-users
• Examples:
– Web browsing
– Directory assistance
– Email
– E-commerce
2 - Services Security Layer:
• Services Provided to End-Users
• Examples:
– Frame Relay, ATM, IP
– Cellular, Wi-Fi
– VoIP, QoS, IM, Location services
– Toll free call services
1 - Infrastructure Security Layer:
• Fundamental building blocks of network services and applications
• Examples:
– Individual routers, switches, servers
– Point-to-point WAN links
– Ethernet links
• Each Security Layer has unique vulnerabilities, threats
• Infrastructure security enables services security enables applications security
US Cyber Security Focus
• Comprehensive National CyberSecurity Initiative (CNCI)
• Shifting the US focus from CyberCrime to CyberWarfare
• Strategy and technology focused on new issues
• Public sector defense, with nation state threats and countermeasures
• New emphasis on military concepts in Cyber Security
– Shift from detection to prevention
– Possible retaliatory mechanisms
• Multi-billion dollar budget has had a significant impact
– Redefine CyberSecurity for most of the public
– Compete for best/brightest in security research
– Determine a new direction for commercial security products
Cyber Situational Awareness
Gen. Keith Alexander, Director of the National Security Agency and Commander of U.S. CYBERCOM, summed up the value of situational awareness by stating, “We need real-time situational awareness in our networks… to see where something bad is happening and to take action there at that time.”
Cyber situational awareness is about three things:
• Visibility into all security related data
– events, configurations, network traffic, system performance, …
• Correlation of that data to see how different aspects of security information are related
• Using that intelligence to make effective real-time decisions
Making it happen requires discipline, and a change in traditional security thinking.
What does this all mean?
• Security is a process, not a technology
– Recursive, iterative formal improvement process
– Involves Identification, Analysis, Planning, Tracking and Control
• Security is not a distinct independent process
• Security is focused on assets and assuring asset capabilities
• Security is really more about 5 nines service availability than it is about hacking, cracking, [X]acking
• Security is a well defined and serious effort
– You just can’t make this stuff up
• Security is really hard to do
– Most ideas just aren’t good ideas, many are really bad.
Practical Network Security
• Network Security is about 2 basic concepts
– Assuring the network service for network customers
– Leveraging the network to provide countermeasures
• Networks provide reachability as a service
– Security is about maximizing desired reachability
• Operations and performance optimization
– Security is about minimizing undesired reachability
• Separation and Compartmentalization
• Network based countermeasures
– Access control - Mandatory and Discretionary
– Networks provide a great opportunity for audit
Network Security and Emerging Technology
Network Security and ATM
ATM networking was THE technology for network security and security services. Huge investment by Gov’t and Industry to try to do it right.
• Asynchronous Transfer Mode for SONET 1990-2000’s
• Connection oriented L2/L3 networking for data.
• Huge effort to “build in” security from the beginning.
– Theoretical / formal methods based approach
– Effort spent on secure signaling and security services
– End-to-end and Hop-to-Hop authentication, authorization, access control, security service negotiation, confidentiality, integrity, accountability, and availability
– Security model leveraged existing TMN management features for service initiation, maintenance and termination.
– Very mature accountability framework
– Introduced integrated security services chaining
Optical Network Security
Optical networks, O-O-O, proved to be a great platform for focusing on network security, because optical networks just can’t provide much in the way of security services.
• Prevention
– Vulnerability exploitation reduction
• Optical limiting amplifiers
• Bandwidth limiting filters
• Crosstalk minimizing components
– Adoption of transmission techniques that are effective against certain attacks
• acclimated modulations
• coding (anti-jamming mechanisms)
• signal constraint (bandwidth/frequency/strength)
• diversity mechanisms (frequency hopping, etc.)
– Secure architecture and protocol adoption
• Detection
– Passive Statistical Analysis of Data
• Wideband Power Anomaly Detection
• Optical Spectral Analysis (OSA) Methods
– Active Signals Devoted to Tapping Detection
• Pilot Tone Methods
• Optical TDR Methods
Network Security and SDNs
SDN Security
SDNs provide an exciting opportunity for new strategies and communications capabilities. SDNs have the potential to completely break everything.
• Clean slate approach suggests that we’ll have to start again.
• The approach is to adopt sound practices in the development of key core technology.
– Secure architecture and protocol adoption
– Leverage existing funding efforts
– Adoption of effective protection techniques
– Built in security now means built in support for formal optimization processes
– Vulnerability analysis
• Once you have something defined and working
– Beat it to death, over and over and over again
SDN Architecture
Industrial Control Systems Operational Architecture
NIST Special Publication 800-82 Guide to Industrial Control Systems (ICS) Security - 2011
Industrial Control System Security
• NIST Special Publication 800-82 Rev 1 Guide to Industrial Control Systems (ICS) Security - May 2013
http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf
• DHS - Common Cybersecurity Vulnerabilities in Industrial Control Systems, Control Systems Security Program, National Cyber Security Division - May 2011
• DoD - Security Control Overlays for Industrial Control Systems CNSSI No. 1253 - Jan 2013

Rank | CSSP Site Assessment      | ICS-CERT Incident Response                  | CSET Gap Areas
1    | Credentials Management    | Network Design Weaknesses                   | Lack of formal documentation
2    | Weak Firewall Rules       | Weak Firewall Rules                         | Audit and Accountability (Event Monitoring)
3    | Network Design Weaknesses | Audit and Accountability (Event Monitoring) | Permissions, Privileges, and Access Controls
Table EX-1. Most common weaknesses identified on installed ICS
Figure EX-1. Comparison of ICS software security weaknesses
SDNs and ICS Security
• Application of ICS security engineering to SDNs can deal with most of the obvious issues in SDN security
– Secure controller function and design
– Secure application / controller relationships (NBIs)
– Secure controller / network element channels (CDPI)
– Strong identification and authorization models
• Emerging ICS strategies may be applicable to distributed SDN controller architectures.
– Secure controller / controller relationships
• ICS systems may provide some experience for reliable, survivable, securable SDN architectures.
Network Control Plane Reference Model
[Figure: Policy Server, Call Controller and Connection Controller (Policy Control, Call Control, Connection Control) above a Data Plane (LAN / CAN / MAN / WAN) connecting End Stations]
Abstract Control Plane
• Call controller (Session Layer)
– Sets up and manages a communication relationship between two or more parties. (ITU-T REC H.323 Packet Based Multimedia Systems. June 2006)
• Policy controller
– Represents, deploys, manages and enforces policies to control resource access and use. (IETF RFC 3060 Policy Core Information Model. February 2001)
• Connection controller
– Provides connection routing, creation, modification, restoration and deletion services. (OIF ASON/GMPLS E-NNI, UNI Implementation Agreements. September 2005)
Network Reference Implementation
[Figure: the reference model mapped onto protocols and services: BGP, OSPF, IS-IS-TE, RSVP-TE/LDP, STP, ARP, MPLS Network, Domain Name Server (DNS) and Root Servers, AAA; Policy Server, Call Controller and Connection Controller (Policy Control, Call Control, Connection Control) over the Data Plane between End Stations]
Distributed Cloud Implementation
[Figure: the same reference implementation with Cloud Systems in place of End Stations]
Distributed Cloud Utilizing SDN WAN Google B4 Like Network
[Figure: Cloud Systems interconnected over an MPLS-TE Network; labels: BGP, IS-IS-TE, SDN, Domain Name Server; Policy Server, Call Controller and Connection Controller over the Data Plane]
SDN Security Services
The SDN feature set looks promising for developing new security methods. We need to understand SDNs a lot better before we can use them to protect something.
• New dials provide new opportunities for network service optimization.
– We can use highly reactive and adaptive control
– Opportunity to build in strong attachment authentication and authorization
– Security services chaining looks to be powerful
• Security Challenges of SDNs
– Dynamism is the complete antithesis of security
– New dials for the bad guys to turn
– Security chaining requires path assurance guarantees
– New complex control enables the insider to have greater potential impact
National Information Assurance Partnership Common Criteria Evaluation & Validation Scheme
• SDN Technology Protection Profiles
– Protection Profile for Network Devices v1.1 PP_ND_V1.1
• T.UNAUTHORIZED_ACCESS
• T.UNAUTHORIZED_UPDATE
• T.UNDETECTED_ACTIONS
• T.ADMIN_ERROR
• T.TSF_FAILURE
– General-Purpose Operating System Protection Profile PP_GPOS_V3.9
• When SDNs are used to provide security services
– Network Device Protection Profile (NDPP) Extended Package VPN Gateway 1.1
– Network Device Protection Profile (NDPP) Extended Package Stateful Traffic Filter Firewall 1.0
– Enterprise Security Management - Identity and Credential Management 2.1
– Enterprise Security Management - Policy Management 2.1
– Protection Profile for Enterprise Security Management - Access Control Version 2.1
SDN Architecture
SDN Vulnerability
• A primary problem with the SDN model is a possible lack of exclusive control of the network element forwarding engine.
– If there is any way that a flow cache can be inserted into the forwarding logic without the involvement of the SDN controller … game over.
– If you can’t prevent it, you need to be able to detect these hidden variables.
– Detection requires a high level of SDN situational awareness at the control, management and data planes.
• This is what the insider will do.
• If history is any guide, for some SDN controllers, and possibly some hardware, it’s already been done.
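As an added illustration of detecting the "hidden variables" described above (example code, not from the original slides or from QoSient), the controller's own flow_mod log is replayed into the table it intends the switch to run, and that intent is compared with the flow table the switch actually reports: entries the controller never installed, entries that were silently removed, and entries whose actions diverge are flagged. The record layout (dicts with table / priority / match / actions) is assumed and the sample entries are constructed.

```python
"""Reconcile a switch's reported flow table with the controller's record of
what it installed.  Added example, not code from the original slides; the
record layout is assumed and the sample entries below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class FlowKey:
    """Identity of a flow entry: table, priority and the sorted match fields."""
    table: int
    priority: int
    match: tuple  # e.g. (("in_port", "1"), ("nw_dst", "10.0.0.5"))


def key_of(entry):
    return FlowKey(entry["table"], entry["priority"],
                   tuple(sorted(entry["match"].items())))


def intended_table(controller_log):
    """Replay the controller's ordered flow_mod log (ADD / DELETE) into the
    table the controller believes the switch is running."""
    intended = {}
    for ev in controller_log:
        k = key_of(ev)
        if ev["cmd"] == "ADD":
            intended[k] = tuple(ev["actions"])
        elif ev["cmd"] == "DELETE":
            intended.pop(k, None)
        else:
            raise ValueError(f"unknown flow_mod command {ev['cmd']!r}")
    return intended


def audit_flow_table(controller_log, switch_dump):
    """Compare controller intent with the switch's reported table.
    hidden   - on the switch, but never installed by the controller
    missing  - installed by the controller, but absent from the switch
    diverged - same match/priority, but the switch applies other actions"""
    intended = intended_table(controller_log)
    actual = {key_of(e): tuple(e["actions"]) for e in switch_dump}
    return {
        "hidden": sorted(set(actual) - set(intended)),
        "missing": sorted(set(intended) - set(actual)),
        "diverged": sorted(k for k in actual.keys() & intended.keys()
                           if actual[k] != intended[k]),
    }


# Constructed sample: what the controller logged ...
CONTROLLER_LOG = [
    {"cmd": "ADD", "table": 0, "priority": 0, "match": {}, "actions": ["CONTROLLER"]},
    {"cmd": "ADD", "table": 0, "priority": 100,
     "match": {"in_port": "1", "nw_dst": "10.0.0.5"}, "actions": ["output:2"]},
    {"cmd": "ADD", "table": 0, "priority": 100,
     "match": {"in_port": "2", "nw_dst": "10.0.0.9"}, "actions": ["output:1"]},
    {"cmd": "DELETE", "table": 0, "priority": 100,
     "match": {"in_port": "2", "nw_dst": "10.0.0.9"}, "actions": []},
]
# ... and what the switch reports.  The priority-200 entry shadows the
# controller's rule and has no corresponding flow_mod in the log.
SWITCH_DUMP = [
    {"table": 0, "priority": 0, "match": {}, "actions": ["CONTROLLER"]},
    {"table": 0, "priority": 100,
     "match": {"in_port": "1", "nw_dst": "10.0.0.5"}, "actions": ["output:3"]},
    {"table": 0, "priority": 200, "match": {"nw_dst": "10.0.0.5"}, "actions": ["output:4"]},
]

if __name__ == "__main__":
    for kind, keys in audit_flow_table(CONTROLLER_LOG, SWITCH_DUMP).items():
        for k in keys:
            print(f"{kind:8s} table={k.table} priority={k.priority} match={dict(k.match)}")
```

Run against a real deployment, the two inputs would be the controller's flow_mod archive and a periodic flow-stats dump from each switch, so that any entry with no controller provenance shows up as a control-plane/data-plane disagreement.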
What are we doing in Stanford?
Advances in Technology
Network Virtualization
Stanford SDN Implementation
• Stanford campus SDN network use case in 2010
• An SDN monitoring infrastructure was identified as critical to Stanford’s successful SDN deployment and integration.
• Monitoring involved collecting available information
– Data plane - active sensing
• Stanford relies on some dedicated monitor nodes running ping and wget between each other to collect information about the switch_cpu_utilization, flow_setup_time, RTT, wget_delay, and loss_rate. These were collected before and after OpenFlow migration.
– Control plane - extractive sensing
• Most controllers archive flow-level information based on incoming packet_in and flow_exp messages. That information can be queried using Representational State Transfer (REST) or other APIs. The main statistics we collect are the flow_arrival_rate and active_flows.
• Correlating the two data models to realize the operational state of the SDN
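An added example (not Stanford's monitoring code) of the correlation in the last bullet: the data-plane probe samples and the control-plane flow statistics are joined on a common time window, and a window where flow_setup_time degrades while the controller's flow_arrival_rate spikes is separated from an ordinary data-plane fault. The row layouts, the window size and the sample values are constructed; only the metric names come from the slide.

```python
"""Join data-plane active-probe samples with control-plane flow statistics on
a common time window, then look for windows where flow setup time degrades
while the controller's flow arrival rate spikes.  Added example, not Stanford's
monitoring code; the sample rows below are constructed."""
import statistics
from collections import defaultdict

WINDOW = 10  # seconds; both data models are aligned on this bucket

# Constructed data-plane samples: (epoch_s, flow_setup_time_ms, rtt_ms, loss_rate),
# as a pair of ping/wget monitor nodes would produce them.
DATA_PLANE = [
    (1000, 4.0, 0.8, 0.00), (1005, 4.2, 0.9, 0.00),
    (1010, 4.1, 0.8, 0.00), (1015, 4.3, 0.9, 0.00),
    (1020, 9.5, 1.1, 0.01), (1025, 11.0, 1.2, 0.02),
    (1030, 4.4, 0.9, 0.00), (1035, 4.0, 0.8, 0.00),
]
# Constructed control-plane samples: (epoch_s, flow_arrival_rate_per_s, active_flows),
# as derived from the controller's packet_in / flow_exp archive over REST.
CONTROL_PLANE = [
    (1002, 40, 900), (1012, 42, 920), (1022, 310, 2400), (1032, 45, 950),
]


def bucket(ts):
    return ts - ts % WINDOW


def join_by_window(data_plane, control_plane):
    """One row per window present in both data models."""
    dp, cp = defaultdict(list), defaultdict(list)
    for ts, setup, rtt, loss in data_plane:
        dp[bucket(ts)].append((setup, rtt, loss))
    for ts, rate, active in control_plane:
        cp[bucket(ts)].append((rate, active))
    rows = []
    for w in sorted(dp.keys() & cp.keys()):
        rows.append({
            "window": w,
            "flow_setup_time": statistics.mean(s for s, _, _ in dp[w]),
            "rtt": statistics.mean(r for _, r, _ in dp[w]),
            "loss_rate": statistics.mean(l for _, _, l in dp[w]),
            "flow_arrival_rate": statistics.mean(r for r, _ in cp[w]),
            "active_flows": max(a for _, a in cp[w]),
        })
    return rows


def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series is constant."""
    mx, my = statistics.mean(xs), statistics.mean(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = (sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)) ** 0.5
    return num / den if den else 0.0


def control_induced_degradation(rows, setup_factor=2.0):
    """Windows where setup time exceeds setup_factor x its median while the
    flow arrival rate is also above its median: a data-plane symptom with a
    control-plane cause, rather than a link or switch fault."""
    med_setup = statistics.median(r["flow_setup_time"] for r in rows)
    med_rate = statistics.median(r["flow_arrival_rate"] for r in rows)
    return [r["window"] for r in rows
            if r["flow_setup_time"] > setup_factor * med_setup
            and r["flow_arrival_rate"] > med_rate]


if __name__ == "__main__":
    joined = join_by_window(DATA_PLANE, CONTROL_PLANE)
    r = pearson([x["flow_arrival_rate"] for x in joined],
                [x["flow_setup_time"] for x in joined])
    print(f"arrival_rate vs setup_time correlation: {r:.2f}")
    print("suspect windows:", control_induced_degradation(joined))
```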
Stanford SDN Monitoring Infrastructure
SDN Situational Awareness
I’m getting involved to improve on the SDN monitoring capabilities to get better operational and security awareness into the Stanford network.
• The best approach to getting good network awareness is to engineer the sensing data model.
– Purposeful sensing
• What do you really want to know and do?
• How quickly do you need to be aware of an event?
– Use real Knowledge Discovery and Data Mining techniques
• Introduce cyber security passive monitoring
– Comprehensive network plane flow monitoring
• Network entity presence awareness
• Reachability / Connectivity Status
– Complete control plane monitoring
• Full packet capture for control plane traffic
– Enable flow based network forensics
Argus
• Argus is a network activity audit system
Argus was officially started at the CERT-CC as a tool in incident analysis and intrusion research. It was recognized very early that Internet technology had very poor usage accountability, and Argus was a prototype project to demonstrate the feasibility of network transactional auditing.
• The first realtime network flow monitor (1989)
• Top 100 security tools used in the Internet today
• Generates detailed network resource usage logs
• Source of historical and near realtime data for the complete incident response life cycle
• Designed to provide useful data for network
– Operations - Service availability and operational status
– Performance - End-to-end assessment of user traffic
– Security - Audit / Non-Repudiation
http://qosient.com/argus
Network Flow History
[Figure: event timeline plotted against link speeds 1Mbps, 10 Mbps, 100 Mbps, 1Gbps, 10Gbps, marking the NSFnet Transition, NANOG / Tools, Internet 2 and Openflow]
Network Situational Awareness
• Argus is designed to be THE network SA sensor
– Ubiquitously deployable DPI traffic sensor
– Comprehensive (non-statistical) traffic awareness
– Provides engineering data, not business intelligence
• Detailed network transactional performance
• Network fault identification, discrimination and mitigation
• Customer gets the primitive data, not just reports/alerts
• Near realtime and historical capabilities
– Packet capture replacement
• Supporting a large number of SA applications
– Advanced Network Functional Assurance (Operations)
• End-to-End transactional performance tracking (data and control plane)
• Network component functional assurance (NAT, reachability, encryption)
• Policy enforcement verification/validation (Access control, path, QoS)
– Advanced Network Optimization (Security and Performance)
• Network entity and service identification, analysis, planning, tracking and control, including baselining, anomaly detection, behavioral analysis and exhaustive forensics
Situational Awareness
Level 1 SA - Perception
• The perception of elements in the environment within a volume of time and space
• Involves timely sensing, data generation, distribution, collection, combination, filtering, enhancement, processing, storage, retention and access.
Level 2 SA - Comprehension
• Understanding significance of perceived elements in relation to relevant goals and objectives.
• Involves integration, correlation, knowledge generation.
Level 3 SA - Projection of Future Status
Endsley, M. R. (1995b). Toward a theory of situation awareness in dynamic systems. Human Factors 37(1), 32-64.
Model of Situational Awareness in Dynamic Decision Making
[Figure slides: Radium - Data Flow Machine Architectures; Argus Processing Design - Radium Stream Block Processor; Argus Processing Design - Stream Block Processor; Distributed Situational Awareness (Comprehensive Flow IS, Argus Sensor); Complex Comprehensive Awareness - Local and Remote Strategies (Black/Non-Visible Node, White/Visible Node, Data Plane, Situational Awareness Data)]
Network Flow Data Adoption
• Distributed flow data generation and collection
• Streaming analytic framework for data processing.
• Bi-directional flow data with performance metrics
– Connectivity, Availability, Rate, Load, Loss
– Host and Network Demand, PktSize, Pkt Arrival, Jitter
– Control plane performance; ARP, DHCP, DNS, Routing
– Network fault identification, ICMP Tracking
• Historical repositories for long term data processing.
– Behavioral baselining / Behavioral anomaly detection
– Historical fault attribution
Flow Data Application to SDNs
• SDN buildout operations support
– Demonstrate that SDN is actually working
• Supports network reachability / connectivity
– Assessment based on user data, not test data
• Overt access control policy is indeed working
– No exceptions to intended access control policy
• Goal is Data Plane / Control Plane correlation
– Data plane behavior reflects known cache support
– Control Plane induced support for Data plane behavior
Conclusions
• SDN impact on network security
– Difficult to predict
– Will require new methods in network security to verify and validate SDN function
– If SDNs are confined to Clouds, no problem
– Expanding Google B4 strategies into the LAN, CAN, MAN and WAN, problems.
• Security for SDNs
– No problem, but it will take time.