1. Literature Review on Software Defined Networking.
A literature review of SDN must be written.
Your literature review must be supported by at most three (3) academic papers (journal/conference papers) that reflect the current state.
2. Identify three future or current security concerns in SDN.
In this section you will identify three security issues.
These issues can either be taken from the state of the art or come from your own innovative thinking.
This section should again be supported by at least two (2) references.
3. Propose a solution for one of these threats.
You will need to expand your knowledge of SDN in this section.
In this section you will identify a security problem and propose a solution.
Software Defined Network
SDN (Software Defined Network) is an approach to computer networking that allows the network manager to manage the entire network, and all network services, centrally.
These network services are managed through abstraction of high-level functionality. This is done by decoupling the system that decides how traffic should be handled from the systems that forward the traffic to its destination.
Every Software Defined Networking implementation comes with a protocol.
This protocol is OpenFlow. It includes various techniques like Network Virtualization platform, Nicira, and Cisco’s Open Network Environment.
Software Defined Networking is very important today because its architecture claims to be dynamic, manageable, cost-effective, adaptable and suitable for today’s high-bandwidth, dynamic applications.
Such architectures decouple network control from the forwarding functions. This allows network control to be programmed directly and the underlying infrastructure to be abstracted from applications and services.
The OpenFlow protocol can be taken as a functional component for building an SDN system. The architecture has the following requirements.
Network intelligence is centralized in the Software Defined Networking controllers. These are software-based and maintain a global, bird’s-eye view of the network, which appears to applications as a single switch.
Because network control is decoupled from forwarding, it can be programmed directly.
When implemented using open standards, Software Defined Networking simplifies the design and operation of a network, because the basic instructions are provided by SDN controllers.
Administrators can dynamically adjust network traffic to meet changing demands and requirements.
Software Defined Networking lets network managers program the controller directly in order to configure, manage, optimize and secure the network resources. Dynamic, automated SDN programs make this simple and quick.
Network architectures of the past cannot meet the requirements of today’s dynamic computing and storage, enterprise data centres, carrier environments and complex networks.
SDN is driven by many factors such as the ones listed below.
Information Technology Consumerization
Users rely on a variety of mobile and computing devices to access the corporate network.
This challenges Information Technology to accommodate the growing number of personal devices. Corporate data and intellectual property must also be protected, and compliance mandates met.
Dynamically changing traffic patterns
Enterprise data centres have high-speed traffic patterns that are dynamic.
Traffic in enterprise data centres differs from that of client-server applications, where most communication takes place between clients and servers. A more advanced approach is required to manage large and complex traffic patterns, such as the current mix of east-west and north-south traffic.
Users are also constantly changing network traffic patterns as they access corporate content from any device, at any time.
Enterprise data centre managers have begun to consider different models for utility computing, which could include private, public or hybrid cloud. This would also increase traffic across the WAN.
Enterprises are open to using both public and private clouds, which allows rapid growth of such services.
As demand increases, enterprises want the agility to access applications, infrastructure and other IT resources.
Companies must also plan for the auditing and security requirements of cloud services.
Elastic scaling of computing, storage and network resources is necessary, and it can be done with common tools.
Big Data and Increased Bandwidth
Processing big data and large datasets requires massively parallel processing across thousands of servers simultaneously, all of which need direct connections.
Such needs demand significantly increased network capacity in data centres.
This is a difficult problem: the network must scale to previously unimaginable levels while maintaining constant connectivity among computing devices.
SDN Architecture and Components
The following is a high-level view of the Software Defined Networking architecture.
SDN applications are programs that communicate with the SDN controller to produce the desired network behaviour.
They may also use an abstracted view of the network for their internal decision-making purposes.
Each application requires SDN application logic and NBI drivers.
SDN applications may themselves expose another layer of abstracted network control, offering one or more higher-level NBIs through their respective NBI agents.
SDN controllers are logically centralized. They are in charge of translating the requirements of the SDN application layer down to the SDN datapaths and of providing the SDN applications with an abstract view of the network, including statistics and events.
The controller is composed of NBI agents, the control logic and the Control to Data-Plane Interface (CDPI).
The datapath is a logical network device that exposes visibility of, and uncontested control over, its advertised forwarding and data processing capabilities.
The logical representation may include all or a subset of the substrate’s resources.
The datapath comprises a CDPI agent, a set of several traffic forwarding engines, and zero or one traffic processing function.
Such engines and functions often include simple forwarding between the datapath’s external interfaces, internal traffic processing, or termination functions.
They are contained within a single network element, which is an integrated physical combination of communications resources managed as one unit.
Datapaths can also span several physical network elements.
The SDN Controller to Dataplane Interface (CDPI) is the interface between an SDN controller and a datapath.
It provides the following:
Capabilities advertisement
Event notification
Programmatic control of forwarding operations
The CDPI is expected to be implemented in an open, interoperable and vendor-neutral way.
SDN’s Northbound Interfaces (NBIs) are the interfaces between applications and controllers.
They give an abstract view of the network and enable direct expression of network requirements.
This can occur at all levels and across all sets of functionality.
NBIs are likewise expected to be implemented in a vendor-neutral and interoperable way.
SDN has become the preferred option for many companies. However, SDN presents many issues. Most of them relate to security and to traditional networking.
Some of them are new.
The problem lies in the attacks on the architecture layers.
The attacks anticipated on the SDN layers are the following.
Often the target of an attack lies within the network.
Typically, an attacker gains unauthorized access to the network, either electronically or physically. They may then attempt to compromise a host or use a fuzzing attack against the network elements.
Many southbound protocols and APIs are used for communication between the controller and the network elements.
Each of these protocols has its own means of protecting communication with the network elements. However, because these protocols are new and still being developed, some remain vulnerable.
Hackers can use these protocols to control and manipulate data flows and to create new flows.
Hackers might spoof new flows in order to permit certain types of traffic that are not allowed on the network.
The attacker can introduce traffic that bypasses flow and traffic steering, allowing it to get past the firewall.
An attacker who can steer traffic under their own control could use that ability to monitor the traffic.
This ultimately helps the attacker carry out a man-in-the-middle attack.
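The check below is an added example, not part of the original essay: before a proposed flow rule is installed, it is compared against the deny policy, and any forwarding rule that could win over a deny rule for some packet is flagged, which is where a spoofed flow permitting forbidden traffic would show up. The rule format, names and addresses are simplified assumptions constructed for illustration, not an OpenFlow or controller API.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Match:
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # None matches any destination port

@dataclass(frozen=True)
class FlowRule:            # hypothetical, simplified flow entry
    name: str
    match: Match
    action: str            # "forward" or "drop"
    priority: int          # the higher priority wins when rules overlap

def overlaps(a: Match, b: Match) -> bool:
    """True if at least one packet can satisfy both matches."""
    net = ipaddress.ip_network
    return (net(a.src).overlaps(net(b.src))
            and net(a.dst).overlaps(net(b.dst))
            and (a.dport is None or b.dport is None or a.dport == b.dport))

def violations(proposed, deny_rules):
    """Return (flow, deny) name pairs where a forwarding rule would take
    precedence over a deny rule for some packet. Equal priority is flagged
    too, because the winner among overlapping rules is then not defined."""
    found = []
    for flow in proposed:
        if flow.action != "forward":
            continue
        for deny in deny_rules:
            if overlaps(flow.match, deny.match) and flow.priority >= deny.priority:
                found.append((flow.name, deny.name))
    return found

# Constructed sample data: one deny policy and three proposed flow rules.
DENY = [FlowRule("deny-guest-to-db",
                 Match("10.20.0.0/16", "10.1.5.0/24", 5432), "drop", 400)]
PROPOSED = [
    FlowRule("web-to-db", Match("10.1.2.0/24", "10.1.5.0/24", 5432), "forward", 300),
    FlowRule("wide-open", Match("10.0.0.0/8", "10.1.5.10/32", None), "forward", 500),
    FlowRule("low-prio", Match("10.20.3.0/24", "10.1.5.0/24", 5432), "forward", 100),
]

if __name__ == "__main__":
    print(violations(PROPOSED, DENY))
```

Only the rule that both overlaps the deny policy and outranks it is reported; a controller could refuse to install such a rule or raise an alert when one appears on a switch.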
SDN controllers are obvious targets for attackers, for many reasons.
New flows can be spoofed using either northbound API messages or southbound API messages sent to the network devices.
If the attacker can make these flows appear to come from the legitimate controller, the attacker could let traffic flow across the SDN at will and could bypass the security policies.
The attacker may also attempt to degrade or interrupt the controller’s services using similar techniques.
This bogs the controller down, causing slow responses to Packet_In messages and slowing the sending of Packet_Out messages.
Linux is the operating system most commonly used by SDN controllers.
If SDN operations are carried out on other frequently used operating systems, the vulnerabilities of that operating platform likewise become SDN vulnerabilities.
Controllers are often deployed into production with default or weak passwords and without any security configuration.
The SDN engineers often leave these passwords unchanged, for fear that the deployment could break.
The SDN system is therefore left in a vulnerable configuration.
Attacks on the security of the northbound protocol are also possible.
Most SDN controllers offer many northbound APIs, which may use JSON, REST, Java, C or Python.
If hackers can leverage a vulnerable northbound API, they will be able to control the SDN controller as well as the SDN network.
If the controller provides no security for its northbound API, the hacker could create new policies and so gain control of the SDN.
Where the REST API uses a default password, that password is trivial to determine.
If the SDN deployment leaves the default password unchanged, hackers can craft their own packets for the controller’s interface, query the configuration of the SDN environment and replace it with their own.
Framework Of Security for One Issue
Protection measures, such as an out-of-band network, can be used to secure network control traffic.
Such a network supports the security of the controller’s protocols for both northbound and southbound communications.
TLS or SSH would be used to secure the controller’s management as well as its northbound communications.
Communication between applications and the controller can be established using authenticated or encrypted methods.
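As an added example (not from the original essay), the code below shows one way a controller could authenticate northbound requests from applications instead of relying on a shared default password: each application has its own key and signs every request with HMAC-SHA256, and the controller rejects unknown applications, stale timestamps, altered requests and replays. HMAC is a technique chosen here for illustration and is meant to run inside a TLS connection, not replace it; the class, field names, path and key are hypothetical.

```python
import hashlib
import hmac

def sign(key: bytes, app_id: str, method: str, path: str, body: bytes,
         ts: int, nonce: str) -> str:
    """HMAC-SHA256 over every field that gives the request its meaning."""
    msg = "\n".join([app_id, method, path, str(ts), nonce,
                     hashlib.sha256(body).hexdigest()]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class NorthboundVerifier:
    """Controller-side check (hypothetical class, not a real controller API)."""

    def __init__(self, app_keys: dict, max_skew: int = 30):
        self.app_keys = app_keys   # one key per application, no shared default
        self.max_skew = max_skew   # seconds for which a request stays acceptable
        self.seen = {}             # (app_id, nonce) -> request timestamp

    def verify(self, app_id, method, path, body, ts, nonce, sig, now) -> str:
        key = self.app_keys.get(app_id)
        if key is None:
            return "unknown-app"
        if abs(now - ts) > self.max_skew:
            return "stale"
        expected = sign(key, app_id, method, path, body, ts, nonce)
        if not hmac.compare_digest(expected, sig):   # constant-time comparison
            return "bad-signature"
        # Forget nonces whose requests could no longer pass the freshness check.
        self.seen = {k: t for k, t in self.seen.items()
                     if abs(now - t) <= self.max_skew}
        if (app_id, nonce) in self.seen:
            return "replay"
        self.seen[(app_id, nonce)] = ts
        return "ok"

# Constructed sample: a firewall application pushing one flow policy.
KEY = b"constructed-demo-key-not-for-production"
BODY = b'{"match": {"dst": "10.1.5.0/24"}, "action": "drop"}'

if __name__ == "__main__":
    v = NorthboundVerifier({"fw-app": KEY})
    s = sign(KEY, "fw-app", "POST", "/flows", BODY, 1000, "n1")
    print(v.verify("fw-app", "POST", "/flows", BODY, 1000, "n1", s, now=1005))
    print(v.verify("fw-app", "POST", "/flows", BODY, 1000, "n1", s, now=1006))
```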