Dagstuhl Seminar 16361
Network Attack Detection and Defense – Security Challenges and Opportunities of Software-Defined Networking
( Sep 04 – Sep 09, 2016 )
Organizers
- Marc C. Dacier (QCRI - Doha, QA)
- Sven Dietrich (City University of New York, US)
- Frank Kargl (Universität Ulm, DE)
- Hartmut König (BTU Cottbus, DE)
Contact
- Annette Beyer (for administrative matters)
Software-defined networking (SDN) provides a way to virtualize the network infrastructure so that it becomes simpler to configure and manage. It separates the control plane from the data plane in routers and switches, with the aim of controlling network flows from a centralized control application running either on a server or on a virtual machine. This allows administrators to specify rules for the optimal handling and routing of network traffic, data packets, and frames according to the requirements of diverse applications. SDN has attracted great attention in both industry and academia since the beginning of the decade, and this attention remains undiminished. Especially in industry, there are great expectations regarding the promises of SDN.
While the need for security was acknowledged early on, work on actual solutions has only recently been gaining full attention. Opinions differ widely. Some believe that the security problems introduced by SDN are manageable – and that SDN can even bring security benefits; others think that Pandora's Box has been opened with SDN and that SDN-enabled networks can never be secured properly.
No doubt, there are a number of serious security problems, as the following examples show. SDN controllers represent single points of failure and might be subject to distributed denial-of-service attacks. Compromising the central control could give an attacker command of the entire network. SDN controllers are configured by network operators, and configuration errors may influence the physical network unpredictably. Furthermore, the idea of introducing ‘network applications’ that interact with the controller to modify network behavior seems like a complexity nightmare in terms of the required authentication and authorization schemes. Ensuring fairness in the allocation of network resources in the face of egoistic participants can also be considered a security issue. Along the same line, members of the security community worry about the possibility of intentionally designing SDN applications that could eventually be turned into attack weapons or simply be misused by malicious attackers.
On the other hand, many researchers also consider SDN an effective means of improving network security. SDN controllers can be used, for instance, to store rules about whether certain requests are permitted, a decision that cannot be made at the level of a single switch or router because it requires a full overview of the network status, or additional information and interactions that are not provided by the current protocol versions. This makes it possible to prevent attacks such as ARP spoofing, MAC flooding, rogue DHCP servers, and spanning tree attacks.
These two contrary facets of SDN security will be the key ingredients for an extremely lively and successful seminar.
The objectives of the proposed seminar are threefold:
Objective 1: We want to foster a discussion on the specific security challenges of software-defined networking. Based on possible attacker models, we will consider various threats, such as malware propagation, denial-of-service attacks, and targeted attacks, and discuss their impact in the context of SDN. Moreover, we will discuss how the traditional security zones protected by firewalls and specific security policies change in the context of SDN networks and virtualization.
Objective 2: Based on the outcome of Objective 1, we want to discuss appropriate measures for securing SDN infrastructures, in particular the requirements for firewall technology, intrusion detection, malware detection, and network monitoring. We will also discuss what a security architecture for SDN networks should look like.
Objective 3: In a next step, we want to discuss how SDN can be used to improve the security of networks. In particular, we intend to focus on novel methods and approaches that benefit from a centralized view of the network to detect and prevent attacks. We also would like to find answers to the question of what an SDN-based network monitoring infrastructure should look like.
The seminar will foster the exchange of ideas between academic researchers and industry practitioners. Therefore, we plan a special industry day on Thursday, September 8th, 2016.
Areas of interest include, but are not limited to, the following:
- Security risks of software defined networking
- Attack scenarios and attacker models
- Definition of security policies in the context of SDN
- Requirements to firewalls for securing SDN-enabled networks
- Security architectures for SDN
- Design of attack resilient SDN-based networks
- Use of SDN for attack detection and prevention
From September 4 through 9, 2016, more than 40 researchers from the domains of computer networks and cyber security met at Schloss Dagstuhl to discuss security challenges and opportunities of software-defined networking (SDN).
Software-defined networking has attracted great attention in both industry and academia since the beginning of the decade, and this attention remains undiminished. In 2014, IDC predicted that the market for SDN network applications would reach $1.1bn. Especially in industry, the vision of "programming computer networks" has electrified many IT managers and decision makers, and there are great expectations regarding the promises of SDN. Leading IT companies, such as Alcatel-Lucent, Cisco Systems, Dell, Juniper Networks, IBM, and VMware, have developed their own SDN strategies. Major switch vendors already offer SDN-enabled switches.
Software-defined networking provides a way to virtualize the network infrastructure so that it becomes simpler to configure and manage. It separates the control plane in routers and switches, which decides where packets are sent, from the data plane, which forwards traffic to its destination, with the aim of controlling network flows from a centralized control application running on a physical or virtual machine. From this controller, administrators can write and rewrite the rules by which network traffic, data packets, and frames are handled and routed by the network infrastructure. Routers and switches in a sense become "slaves" of this application-driven central server. SDN-enabled networks are capable of supporting the requirements of various business applications (SLAs, QoS, policy management, etc.). This is not limited to the network devices of a single vendor: it can be applied to devices from various vendors as long as they speak the same protocol. Most SDN infrastructure uses the widely deployed OpenFlow protocol and architecture for communication between controllers and networking equipment.
Security-related aspects of software-defined networking have only been considered more recently. Opinions differ widely. Some believe that the security problems introduced by SDN are manageable – and that SDN can even bring security benefits; others think that Pandora's Box has been opened and that SDN and SDN-enabled networks can never be secured properly.
No doubt, there are a number of serious security problems, as the following examples show. SDN controllers represent single points of failure. The controllers, as well as the connections between controllers and network devices, might be subject to distributed denial-of-service attacks. Compromising the central control could give an attacker command of the entire network. The SDN controllers are configured by network operators, and configuration errors can have more complex consequences than in traditional settings because they may influence the physical network infrastructure unpredictably. Furthermore, the idea of introducing ‘network applications’ that interact with the controller to modify network behavior seems like a complexity nightmare in terms of the required authentication and authorization schemes. Finally, the SDN paradigm is a major turnaround with respect to the basic design rule that has made the Internet successful so far, namely a well-defined layered approach. Whereas in today’s world applications have no say in routing decisions, SDN’s promise of highly flexible and application-tailored networking requires a way for applications to optimize networking decisions for their own benefit. However, it is unclear to what extent fairness can be ensured, how conflicting decisions can be resolved, and so on. Along the same line, members of the security community worry about the possibility of intentionally designing SDN applications that could eventually be turned into attack weapons or simply be misused by malicious attackers. Whether these fears are substantiated or not has not received any scrutiny so far.
On the other hand, many researchers also consider SDN an effective means of improving network security. SDN controllers can be used, for instance, to store rules about whether certain requests are permitted, a decision that cannot be made at the level of a single switch or router because it requires a full overview of the network status, or additional information and interactions that are not provided by the current protocol versions. Attacks that can be detected this way include ARP spoofing, MAC flooding, rogue DHCP servers, and spanning tree attacks. Also, because SDN enables the creation of virtual networks per application, people speculate that intrusion detection techniques relying on a model of the normal behavior of network traffic will become much easier to implement and more reliable in terms of false positives and false negatives. Similarly, SDN apps could offer a very simple and effective way to implement quarantine zones for infected machines without cutting them off from the network completely, since the quarantine could be customized at the application level (letting DNS and HTTP traffic of a given machine through but not SMTP, for instance).
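The application-level quarantine just described, as an added illustration that is not part of the seminar report: an OpenFlow-style flow table in which a quarantined host keeps DNS and HTTP but loses SMTP and all other traffic, evaluated with OpenFlow's highest-priority-match semantics. The host address, the match fields and the protocol numbers are constructed sample values.

```python
# Added example, not code from the seminar or its participants. Models the flow
# rules an SDN controller would push to quarantine one infected host at the
# application level: DNS (UDP/53) and HTTP (TCP/80) pass, SMTP and everything
# else from that host is dropped, and other hosts are unaffected.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FlowRule:
    priority: int
    action: str                      # "forward" or "drop"
    src_mac: Optional[str] = None    # None acts as a wildcard, as in OpenFlow
    ip_proto: Optional[int] = None   # 6 = TCP, 17 = UDP
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        return all(v is None or pkt.get(k) == v
                   for k, v in (("src_mac", self.src_mac),
                                ("ip_proto", self.ip_proto),
                                ("dst_port", self.dst_port)))


def quarantine_rules(host_mac: str) -> list:
    """Rules for quarantining one host: whitelist DNS and HTTP, drop the rest."""
    return [
        FlowRule(200, "forward", src_mac=host_mac, ip_proto=17, dst_port=53),
        FlowRule(200, "forward", src_mac=host_mac, ip_proto=6, dst_port=80),
        FlowRule(100, "drop", src_mac=host_mac),   # catch-all for the host
        FlowRule(0, "forward"),                    # traffic of other hosts
    ]


def decide(table: list, pkt: dict) -> str:
    """OpenFlow semantics: the highest-priority matching rule wins; a table miss drops."""
    for rule in sorted(table, key=lambda r: r.priority, reverse=True):
        if rule.matches(pkt):
            return rule.action
    return "drop"


INFECTED = "aa:bb:cc:00:00:01"      # constructed sample host
TABLE = quarantine_rules(INFECTED)

if __name__ == "__main__":
    for p in ({"src_mac": INFECTED, "ip_proto": 17, "dst_port": 53},
              {"src_mac": INFECTED, "ip_proto": 6, "dst_port": 25},
              {"src_mac": "aa:bb:cc:00:00:02", "ip_proto": 6, "dst_port": 25}):
        print(p, "->", decide(TABLE, p))
```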
These two contrary facets of SDN security were the key ingredients of an extremely lively and very fruitful seminar. The seminar brought together junior and senior experts from both industry and academia, covering different areas of computer networking and IT security. It started with two invited talks by Boris Koldehofe (TU Darmstadt, DE) and Paulo Jorge Esteves-Veríssimo (University of Luxembourg, LU) on the basics and security aspects of software-defined networking. After that, we organized six working groups to discuss, in two rounds, the Good and the Bad of using SDN from the security point of view. Based on the outcome of the working groups and a plenary discussion, we formed another four working groups to discuss required research directions. The first six working groups focused on the following issues: (1) centralization in SDN, (2) standardization and transparency, (3) flexibility and adaptability for attackers and defenders, (4) complexity of SDN, (5) attack surface and defense, and (6) novelty and practicability. The research direction working groups dealt with (1) improving SDN network security, (2) a secure architecture for SDN, (3) secure operation in SDN-based environments, and (4) SDN-based security. The discussion in the working groups was supplemented by short talks in which participants expressed their positions on the topic or reported on ongoing research activities. Based on the talks, discussions, and working groups, the Dagstuhl seminar closed with a final plenary discussion that summarized the results of the working groups and led to a list of statements regarding the security challenges and opportunities of software-defined networking. The participants agreed that SDN provides new possibilities to better secure networks, but also brings a number of serious security problems that have to be solved for SDN to become a successful technology.
The outcome of these discussions and the proposed research directions are presented in the following.
Participants
- Johanna Amann (ICSI - Berkeley, US)
- Kpatcha Mazabalo Bayarou (Fraunhofer SIT - Darmstadt, DE)
- José Jair C. de Santanna (University of Twente, NL)
- L. Jean Camp (Indiana University - Bloomington, US)
- Georg Carle (TU München, DE)
- Radoslaw Cwalinski (BTU Cottbus, DE)
- Marc C. Dacier (QCRI - Doha, QA)
- Hervé Debar (Télécom & Management SudParis - Evry, FR)
- Sven Dietrich (City University of New York, US)
- Falko Dressler (Universität Paderborn, DE)
- Marc Eisenbarth (Arbor Networks - Waco, US)
- Felix Erlacher (Universität Innsbruck, AT)
- Paulo Jorge Esteves-Veríssimo (University of Luxembourg, LU)
- Dieter Gollmann (TU Hamburg-Harburg, DE)
- Peter Herrmann (NTNU - Trondheim, NO)
- Marko Jahnke (CERT-BPOL - Swisttal, DE)
- Mattijs Jonker (University of Twente, NL)
- Frank Kargl (Universität Ulm, DE)
- Thomas Kemmerich (Norwegian University of Science & Technology, NO)
- Issa Khalil (QCRI - Doha, QA)
- Jan Kohlrausch (DFN-CERT Services GmbH, DE)
- Boris Koldehofe (TU Darmstadt, DE)
- Hartmut König (BTU Cottbus, DE)
- Tobias Limmer (Siemens AG - München, DE)
- Claas Lorenz (genua GmbH - Kirchheim bei München, DE)
- Thomas Lukaseder (Universität Ulm, DE)
- Evangelos Markatos (FORTH - Heraklion, GR)
- Michael Meier (Universität Bonn, DE)
- Michael Menth (Universität Tübingen, DE)
- Simin Nadjm-Tehrani (Linköping University, SE)
- Rene Rietz (BTU Cottbus, DE)
- Christian Röpke (Ruhr-Universität Bochum, DE)
- Christian Rossow (Universität des Saarlandes, DE)
- Ramin Sadre (University of Louvain, BE)
- Thomas Scheffler (Beuth Hochschule für Technik - Berlin, DE)
- Björn Scheuermann (HU Berlin, DE)
- Sebastian Schmerl (Computacenter - Erfurt, DE)
- Bettina Schnor (Universität Potsdam, DE)
- Robin Sommer (ICSI - Berkeley, US)
- Radu State (University of Luxembourg, LU)
- Jens Tölle (Fraunhofer FKIE - Wachtberg, DE)
- Alexander von Gernler (genua GmbH - Kirchheim bei München, DE)
- Han Xu (Huawei Technologies - München, DE)
- Emmanuele Zambon (SecurityMatters B.V., NL)
Related Seminars
- Dagstuhl Seminar 12502: Securing Critical Infrastructures from Targeted Attacks (2012-12-09 - 2012-12-12)
- Dagstuhl Seminar 14292: Network Attack Detection and Defense: Securing Industrial Control Systems for Critical Infrastructures (2014-07-13 - 2014-07-16)
- Dagstuhl Seminar 23431: Network Attack Detection and Defense – AI-Powered Threats and Responses (2023-10-22 - 2023-10-27)
Classification
- networks
- security / cryptology
Keywords
- Security
- software defined networking
- OpenFlow protocol
- programmable networks
- attack detection
- targeted attacks
- network monitoring
- intrusion detection
- vulnerability analysis
- malware assessment
- denial-of-service attack detection and response