With software-defined networking, the SDN administrator is the only person who can access the SDN controller to...
get a better view of how traffic behaves in the network. The administrator can reroute big data to a better-performing network device, increase bandwidth to get data to the user's destination faster, and power down idle network devices.
But no matter how well the administrator configures the SDN controller, there is always a possibility that hackers can overtake it, mess up the traffic and ultimately render the network system useless. Hackers can find ways to exploit vulnerabilities that have been overlooked by the administrators. It doesn't matter how SDN is deployed -- the SDN controller is a vulnerable target for potential cyberattacks, making SDN controller security essential.
To improve SDN controller security, the administrator's best bet is to consider a risk management plan that consists of five steps to mitigate high and medium risks to economically acceptable levels. Here are the suggested steps to take.
Step 1: Identify assets
The first step in building a risk management plan for SDN controller security is to identify assets and place them in proper categories, such as:
- Human assets -- including the SDN controller administrator -- and backup personnel.
- Hardware assets -- including the controller console and physical network devices.
- Software assets -- including applications, northbound APIs and southbound APIs.
- Documentation assets -- including SDN configuration guides and security policies.
- Facility assets -- including the locations of the SDN console -- (primary and backup) -- and network devices.
Each asset should be assigned a dollar value. The type of value to be determined depends on the type of asset being identified. Depreciation method is used to determine the hardware's value. The administrator's average salary per month is another example.
Step 2: Identify vulnerabilities and threats
The next step is to identify vulnerabilities that hackers could exploit to conduct SDN attacks:
- Overtake the system as root users with access to root commands.
- Impersonate a host by spoofing topology. Most SDN controllers include host tracking, allowing hosts to migrate between different physical network locations. Knowing host tracking does not require validation, authentication or authorization, the impersonator can trick the controller to believe the host has migrated to a physical network location. The controller does not know this location is controlled by the impersonator. To get to the target host, the impersonator must know its MAC address.
- Divert network flows in the data plane to an already busy network device in order to cause a denial of service.
- Interfere with conflicts between multiple SDN network services.
Determine what type of attack the hacker could launch against the identified assets, whether they are passive, insider, close-range or active.
Step 3: Assess risks
The administrator needs to assess the probability of a hacker exploiting vulnerabilities for each asset type. She should conduct annual loss expectancy to determine the probability that a risk will occur in a year. The higher the likelihood of a risk being exploited, the greater the potential business impact on the network.
A very high risk indicates a hacker can exploit vulnerabilities. The resulting business impact would definitely be catastrophic, resulting in loss of a company's revenues and/or reputation. A medium risk indicates it is possible a hacker may be able to exploit a vulnerability. If there are more medium-risk assets than high-risk assets, the resulting impact should be manageable. A low risk indicates it is improbable a hacker would exploit a vulnerability. The impact for an asset would be insignificant and, may be excluded from the overall risk assessment.
Step 4: Apply countermeasures
The next step is to apply cost-effective countermeasures or security controls to mitigate risks. When planning for countermeasures, start with highest risks and then work down to medium and low risks. Divide countermeasures' strengths into layers of defense. Each layer of countermeasures will present unique obstacles that hackers will have difficulty overcoming during attack attempts.
With layered countermeasures in place, the administrator should be able to:
- Defend the network's boundaries.
- Segment the network to separate critical SDN network areas from less-critical areas.
- Authenticate and authorize the controller's host tracking.
- Restrict user and API access.
- Perform periodic system integrity controls.
Residual risks remain after the countermeasures have been applied. To better control them, major residual risks should be, for example, transferred to asset insurance. Minor residual risks may be accepted.
Step 5: Monitor changes
The administrator should use SDN analytics to monitor for possible changes in traffic flows and performance. The results should help in identifying new vulnerabilities and assessing new risks due to the hacker's new intentions of exploiting security loopholes in new technologies. New high risks include risk factors rated less than high in a previous risk assessment. The administrator should periodically check for new threats and any updates that may require stronger countermeasures.
Following the steps in this risk management plan should help the administrator to improve SDN controller security. They should be periodically reviewed for new risks, vulnerabilities and countermeasures. SDN and SDN controller security improvement is a continuous process.
About the author:
Judith M. Myerson is a security and systems engineering professional that has researched and published articles on a wide range of security, risk management and Internet of Things topics. She is the author of RFID in the Supply Chain, and is CRISC (Certified in Risk and Information System Control) and a member of OPSEC and ISACA.