Computer Science (计算机科学) ›› 2017, Vol. 44 ›› Issue (6): 121-132. doi: 10.11896/j.issn.1002-137X.2017.06.021
武泽慧,魏强,王清贤
WU Ze-hui, WEI Qiang and WANG Qing-xian
Abstract: The separation of control from forwarding and the unified configuration management of Software Defined Networking (SDN) greatly improve the flexibility of network deployment, the dynamism of network management, and the efficiency of network transmission, but SDN's security problems are comparatively prominent. This paper surveys the state of research on the security of OpenFlow-based SDN. First, it analyses SDN's vulnerabilities according to its three-layer architecture, introduces the security threats faced by the different SDN planes, and, following the stages of a network attack, introduces the main current attack methods, including target network probing, forgery and spoofing to gain network access, denial-of-service attacks, and information theft. Second, for each attack stage, it discusses the main current defensive measures from three aspects: probe blocking, system hardening, and attack protection. Finally, it discusses future research trends in SDN security from the two perspectives of SDN's potential attack methods and possible defensive approaches.