Skip to Main content Skip to Navigation

Securing network applications in software defined networking

Abstract : The rapid development and convergence of computing technologies and communications ‏create the need to connect diverse devices with different operating systems and protocols.‏ This resulted in numerous challenges to provide seamless integration of a large amount of ‏heterogeneous physical devices or entities. Hence, Software-defined Networks (SDN), as an ‏emerging paradigm, has the potential to revolutionize the legacy network management and‏ accelerate the network innovation by centralizing the control and visibility over the network. ‏However, security issues remain a significant concern and impede SDN from being widely‏ adopted.‏‏To identity the threats that inherent to SDN, we conducted a deep analysis in 3 dimensions‏ to evaluate the security of the proposed architecture. In this analysis, we summarized 9‏security principles for the SDN controller and checked the security of the current well-known‏ SDN controllers with those principles. We found that the SDN controllers, namely ONOS ‏and OpenContrail, are relatively two more secure controllers according to our conducted ‏methodology. We also found the urgent need to integrate the mechanisms such as connection ‏verification, application-based access control, and data-to-control traffic control for securely ‏implementing a SDN controller. In this thesis, we focus on the app-to-control threats, which ‏could be partially mitigated by the application-based access control. As the malicious network ‏application can be injected to the SDN controller through external APIs, i.e., RESTful APIs, or ‏internal APIs, including OSGi bundles, Java APIs, Python APIs etc. In this thesis, we discuss ‏how to protect the SDN controller against the malicious operations caused by the network‏ application injection both through the external APIs and the internal APIs. ‏We proposed a security-enhancing layer (SE-layer) to protect the interaction between the‏ control plane and the application plane in an efficient way with the fine-grained access control, ‏especially hardening the SDN controller against the attacks from the external APIs. This‏ SE-layer is implemented in the RESTful-based northbound interfaces in the SDN controller‏ and hence it is controller-independent for working with most popular controllers, such as‏ OpenDaylight, ONOS, Floodlight, Ryu and POX, with low deployment complexity. No‏ modifications of the source codes are required in their implementations while the overall security ‏of the SDN controller is enhanced. Our developed prototype I, Controller SEPA, protects well‏ the SDN controller with network application authentication, authorization, application isolation,‏ and information shielding with negligible latency from less than 0.1% to 0.3% for protecting‏ SDN controller against the attacks via external APIs, i.e, RESTful APIs. We developed also‏ the SE-layer prototype II, called Controller DAC, which makes dynamic the access control.‏ Controller DAC can detect the API abuse from the external APIs by accounting the network‏ application operation with latency less than 0.5%. Thanks to this SE-layer, the overall security of the SDN controller is improved but with a latency of less than 0.5%. However, the SE-layer can isolate the network application to communicate the controller only through the RESTful APIs. However, the RESTful APIs is ‏insufficient in the use cases which needs the real-time service to deliver the OpenFlow messages. ‏Therefore, we proposed a security-enhancing architecture for securing the network application‏ deployment through the internal APIs in SDN, with a new SDN architecture dubbed SENAD. In‏ SENAD, we split the SDN controller in: (1) a data plane controller (DPC), and (2) an application ‏plane controller (APC) and adopt the message bus system as the northbound interface instead ‏of the RESTful APIs for providing the service to deliver the OpenFlow messages in real-time.‏ (...)
Document type :
Complete list of metadata

Cited literature [152 references]  Display  Hide  Download
Contributor : Abes Star :  Contact Connect in order to contact the contributor
Submitted on : Wednesday, February 5, 2020 - 2:14:08 PM
Last modification on : Saturday, June 19, 2021 - 3:49:28 AM
Long-term archiving on: : Wednesday, May 6, 2020 - 3:53:43 PM


Version validated by the jury (STAR)


  • HAL Id : tel-02468016, version 1


Yuchia Tseng. Securing network applications in software defined networking. Cryptography and Security [cs.CR]. Université Sorbonne Paris Cité, 2018. English. ⟨NNT : 2018USPCB036⟩. ⟨tel-02468016⟩



Record views


Files downloads