posted by janrinok on Saturday August 27 2016, @08:16AM

Software-defined networking (SDN) controllers respond to network conditions by pushing new flow rules to switches. And that, say Italian researchers, creates an unexpected security problem.

The researchers were able to persuade their SDN environment to leak information that sysadmins probably don't want out in public, including network virtualisation setups, quality of service policies, and more importantly, security tool configuration information such as "attack detection thresholds for network scanning".

Even a single switch's flow table, they write, can provide this kind of information, as well as serving as a side-channel for an attacker to exploit.

The three network boffins – Mauro Conti of the University of Padova, and Sapienza University's Fabio De Gaspari and Luigi Mancini – are particularly concerned about SDN being exploited to help an attacker build a profile of the target network, in what they call a Know Your Enemy (KYE) attack.

For example, they write, an attacker could potentially:

  • Connect to the passive listening ports most SDN switches include for remote debugging, to retrieve the flow table (they offer HP Procurve's dpctl utility as an example);
  • Infer information about the flow table from jitter (that is, variance in round-trip time, RTT);
  • Sniff control traffic, because of inadequate protection (not using TLS, or not using certificates for authentication);
  • Exploit vulnerabilities that might exist in switch operating systems, such as backdoors; or
  • Copy the flow table or memory content of the switch to an external location.

The paper points out that none of this is specific to particular devices: "the KYE attack exploits a structural vulnerability of SDN, which derives from the on-demand management of network flows, that in turn is one of the main features and strengths" of SDN.
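Two of the listed exposures (passive debugging listeners and control channels without TLS) are visible in a switch's controller configuration. The following audit script is an added example, not from the paper or the story: it assumes Open vSwitch target syntax as printed by `ovs-vsctl get-controller <bridge>` (the story's HP switch uses a different tool), and the sample output is constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ovs-vsctl get-controller br0` output (assumption:
# Open vSwitch target syntax; one target per line).
SAMPLE_TARGETS = """\
tcp:192.0.2.10:6653
ptcp:6634
ssl:192.0.2.11:6653
pssl:6634:127.0.0.1
"""

@dataclass
class Finding:
    target: str
    severity: str
    reason: str

# Active targets: tcp:IP[:PORT], ssl:IP[:PORT], unix:FILE
# Passive listeners: ptcp:[PORT][:IP], pssl:[PORT][:IP], punix:FILE
TARGET_RE = re.compile(r"^(?P<kind>p?tcp|p?ssl|p?unix):(?P<rest>.*)$")

def audit_target(target: str) -> Finding:
    m = TARGET_RE.match(target.strip())
    if not m:
        return Finding(target, "info", "unrecognised target syntax")
    kind = m.group("kind")
    passive = kind.startswith("p")
    if kind.endswith("unix"):
        # Unix-domain sockets are host-local; exposure depends on file permissions
        return Finding(target, "low", "local unix socket (host-local only)")
    encrypted = kind.endswith("ssl")
    if passive and not encrypted:
        # Anyone who can reach the port can dump the flow table (the KYE scenario)
        return Finding(target, "high", "passive plaintext listener exposes flow table")
    if passive:
        bind = m.group("rest").split(":")
        # pssl:PORT:IP; a listener bound to loopback is not network-reachable
        if len(bind) > 1 and bind[1] in ("127.0.0.1", "::1"):
            return Finding(target, "low", "TLS listener bound to loopback")
        return Finding(target, "medium", "TLS listener reachable from the network")
    if not encrypted:
        return Finding(target, "high", "control channel without TLS can be sniffed")
    return Finding(target, "ok", "TLS-protected controller channel")

def audit(text: str) -> list[Finding]:
    """Classify every controller/listener target found in the command output."""
    return [audit_target(t) for t in text.splitlines() if t.strip()]
```

A "high" finding on a `ptcp:` target is exactly the debugging port the paper describes; switching it to `pssl:` with a certificate requirement, or binding it to loopback, closes that path.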


Related Stories

Virtualising WANs: The Claim of a Software-Centric Future

I came across an article a few hours ago, http://www.networkworld.com/article/3121969/lan-wan/virtualizing-wan-capabilities.html

I was wondering how much of all that makes sense. It seems to put a lot of focus on the virtual buzz that exists today everywhere and it seems to be being pushed in networking as well. While I don't mind this being implemented by those who want to, I am a bit of a fanboy of the saying "Hardware is King". All this "IT as a service" doesn't seem to have much sense unless one defines what IT is. It may range from just a shared printer, to an entire rack full of servers and switches, to an entire floor full of them. Virtualised WANs and the notion of a 'WAN as a service' could be easy as a breeze to be managed, but how robust could they be? While performance needs at the network level always go up, how does this relate to virtualizing that in itself, transforming it into yet another layer down the stack? A layer which encapsulates all the other layers and which in turn may contain such a layer too. How deep would the nesting level go?

From the article:

"In the network, NFV [Network Functions Virtualization] allows routers, switches, firewalls, load balancers, content delivery systems, end-user devices, IMS [IP Multimedia Subsystem] Nodes, and almost any other network function to be run as software on virtual machines—ultimately, on shared servers, using shared storage," Honnachari explained in an executive brief.

Basically it is the promise of being able to draw a network in a CAD-like software, and push a "Run" button.

Then there is also:

In a world where every part of business is moving, ever faster, the new WAN era will be characterized by user-intuitive solutions that help businesses sense and adapt to shifting demands, allowing those businesses to achieve competitive advantage by helping them optimize their business in motion.

What could these shifting demands be that would change your mind often about the WAN infrastructure on which many other things depend? The virtual network of the International Stock Exchange traffic, anyone?

Like someone else mentioned, would any Soylentils enjoy playing "The Sims: NOC Edition"?

Previously:
Software-Defined Networking is Dangerously Sniffable
AT&T Open Sources SDN 8.5 Million Lines of Code - to be Managed by Linux Foundation [updated]


  • (Score: 2, Insightful) by Anonymous Coward on Saturday August 27 2016, @09:48AM

    by Anonymous Coward on Saturday August 27 2016, @09:48AM (#393893)

    Nobody cares, and the industry is poorer for it.

    Back in the old days (ten years ago), we said "Cloud" and "Utility Computing" presented massive security risks, but that all fell on deaf ears.

    Now we're desensitized to the regular data breaches, data mining, attacks on our privacy, etc.

    So go ahead! Hack our software-defined networking, mirror our traffic and channel it to your servers in Fuckovistan for analysis and resale. We can't bother paying anyone to properly secure our networks anyway, and there's little risk that a data breach would hurt our stock prices.

    • (Score: 0) by Anonymous Coward on Saturday August 27 2016, @10:53AM

      by Anonymous Coward on Saturday August 27 2016, @10:53AM (#393901)

      What happened between the old days (ten years ago) and now, to change everything? Facebook happened. Socialites happened. The expectation of privacy changed. Your data is public anyway. Security is irrelevant.

      • (Score: 0) by Anonymous Coward on Saturday August 27 2016, @04:16PM

        by Anonymous Coward on Saturday August 27 2016, @04:16PM (#393965)

        It's also an extension of the danger-filled world that oddly makes most people happy. The world needs to be dangerous so that god can punish bad people. Bad things only happen to bad people. I think this is called the just world hypothesis [wikipedia.org].

        • (Score: 0) by Anonymous Coward on Saturday August 27 2016, @05:14PM

          by Anonymous Coward on Saturday August 27 2016, @05:14PM (#393975)

          After I had a motorcycle accident (broken ankle, healed OK) in the 1980s, a friend remarked that even someone experienced and trained (I was both, from a young age) can be taken out by an unobservant car driver. I was 30 at the time. That was the end of any hope I held out for the just world hypothesis applying to me.

  • (Score: 2, Informative) by quietus on Sunday August 28 2016, @11:48AM

    by quietus (6328) on Sunday August 28 2016, @11:48AM (#394170) Journal
    Link to the original article [arxiv.org].