Researchers from the Fraunhofer Institute for Applied and Integrated Security AISEC in Garching, near Munich, will be showing how to make SDN secure at the CeBIT trade fair in Hannover, March 16-20, 2015. A demonstrator at the Fraunhofer exhibition stand (Hall 9, Booth E40) will show how SDN and all related components can be monitored. One of these components is visualization software, which displays the network's individual components and depicts in real time how the various applications are communicating with the controller. "We can show how software influences the behaviour of different components using the controller, or, in the case of an attack, how it disrupts them", stated Christian Banse, a security expert at AISEC.
But how exactly does SDN work, and why is it so vulnerable to attack? "In the future, the plan is for a central control unit to tell the many network components what to do. To put it simply, routers, firewalls and switches lose their individual intelligence - they only follow orders from the controller", stated Christian Banse. This makes a network much more flexible, because the controller can allocate completely new tasks to a router or switch that were not intended when the component was manufactured. Plus, the tedious task of manually configuring components during installation is eliminated because components no longer need to be assigned to a specific place in the network - the controller simply uses them as needed at the moment.
Manufacturers have begun offering the first routers and switches that are SDN-compatible and have the necessary flexibility. "With all the hype surrounding the new adaptability made possible by a central control unit, SDN security has been neglected", warned Christian Banse. "That's why we're developing solutions to make SDN more secure from the outset, before such systems become firmly established." In the future, networks will be controlled solely by a central controller - Christian Banse sees this as a problem, because it might provide the perfect loophole for attackers to access the entire network. "On top of that, a whole set of new applications are being developed for SDN - for instance for firewall components or routing", stated Christian Banse. "We have make sure that these applications are reliable." It would be disastrous if, for example, outsiders were able to gain access to the company network using software installed accessing the controller.
That's why Christian Banse and his colleagues started off by analyzing the interaction of all SDN components to identify vulnerabilities. "You have to precisely define how deep into the network a new application is allowed to go, for example. Otherwise the stability and security of the network is not guaranteed." So far, there are no sufficient security standards for communication among individual SDN components, but AISEC researchers are lobbying hard for an international standard. In addition to their visualization solution, at CeBIT Christian Banse and his team will also present technical means for preventing unauthorized applications or malware from gaining access to SDN systems. They are developing ways to monitor if an app really carries out only the task for which it was intended. If it performs unplanned or undesirable activities, i.e. malware, it is rejected and blocked by the system.