IU leads effort securing software-defined networks

IU lab is currently the largest test bed for software-defined networking in the world

The Department of Defense has awarded $910,000 to a team of computer security experts at Indiana University to study critical issues and vulnerabilities associated with software-defined networking, the next-generation open software interface for controlling the forwarding behavior of networks.


IU Bloomington School of Informatics and Computing professor L. Jean Camp will lead the team that also includes Martin Swany and Christopher Small. Swany is an associate professor of computer science and director of IU's Indiana Center for Network Translational Research and Education, or InCNTRE, where Small is a network researcher.


Google and Facebook are just two companies using software-defined networks, in this case the network protocol OpenFlow. In 2011, IU opened a software-defined networking laboratory at InCNTRE to study how well OpenFlow products and the software-defined networking products from different vendors work together. The lab is currently the largest test bed for software-defined networking in the world.


"Google uses SDN networks for its data centers; their physical networks are secure, and everyone in the organization is trusted," Camp said. "But like the Internet in the 1980s, the lack of technical security is a result of the organizational and economic environment, so avoiding the same vulnerabilities and trust failures that occur now in the current Internet for future software-defined Internet connections requires understanding the security now."


SDN works by providing network administrators control over network traffic without physical access to the network's hardware, in turn simplifying networking, enhancing opportunities for network virtualization, improving efficiency of data transfer and allowing for fine-grained control over network forwarding behavior. This is done by decoupling the control plane - the router component that decides where a data packet is sent and how it interacts with others based on path-determining algorithms - from the data plane, which has packet-forwarding nodes that move traffic to selected destinations.


"Next-generation networking will utilize software as much as hardware, and these resulting software-defined networks will have incredible potential," Camp said. "They can make networks more secure, more reliable and more manageable. However, if the security in these networks is not done well, attackers will take advantage of the same potential. That is, attacks could be more affordable, more reliable and easier to manage."


Analyzing possible vulnerabilities is a challenge when building resilience into a system that, on one hand, allows network operators and researchers to customize their own networks and, on the other hand, permits modern computer science principles to be applied in building more dependable and functional networks. One of the primary charges of the new work will be to identify, and to illustrate the resolution of, what Camp called "an exemplary security challenge" that would be essential to realizing the full potential of SDN.


"For example, a primary security issue is that since the control plane is no longer physically contained in a single device -- it instead actually traverses the network -- you've provided an additional attack surface," Camp said.


Using an OpenFlow network, the IU team will conduct threat modeling of the OpenFlow protocols themselves, such as device authentication; of individual devices such as switches, controllers and even participants; and of multi-controller environments, that is, the system as a whole.
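The control-plane/data-plane split described above, and the reason the control channel needs authentication once it traverses the network, can be seen in a small model. The following is an added illustration written for this article; it is not OpenFlow, not code from IU or InCNTRE, and the HMAC shared-key scheme, the rule format and the switch and host addresses are all constructed assumptions. The controller decides forwarding policy and pushes flow rules; the switch only matches packets against its installed table, and refuses a rule whose tag was not produced with the controller's key.

```python
"""Toy software-defined network: controller (control plane) installs flow rules
into a switch (data plane) over an authenticated control channel.
Constructed example; all names, keys and addresses are made up."""
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass
class FlowRule:
    match: dict      # header fields that must be equal, e.g. {"dst": "10.0.0.2"}
    action: str      # "forward:<port>" or "drop"
    priority: int    # higher priority rules are consulted first


class Switch:
    """Data plane: holds a flow table and forwards packets; makes no policy decisions."""

    def __init__(self, name: str, controller_key: bytes):
        self.name = name
        self.key = controller_key        # shared secret with the controller (assumption)
        self.flow_table: list[FlowRule] = []
        self.rejected = 0                # control messages that failed authentication

    def receive_control_message(self, msg: bytes, tag: bytes) -> bool:
        """Install a rule only if the message carries a valid HMAC from the controller."""
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            self.rejected += 1
            return False
        body = json.loads(msg)
        self.flow_table.append(FlowRule(body["match"], body["action"], body["priority"]))
        self.flow_table.sort(key=lambda r: -r.priority)
        return True

    def forward(self, packet: dict) -> str:
        """Match the packet against the table; a table miss is sent to the controller."""
        for rule in self.flow_table:
            if all(packet.get(k) == v for k, v in rule.match.items()):
                return rule.action
        return "punt-to-controller"


class Controller:
    """Control plane: decides where traffic goes and pushes rules to switches."""

    def __init__(self, key: bytes):
        self.key = key

    def install(self, switch: Switch, match: dict, action: str, priority: int = 0) -> bool:
        msg = json.dumps({"match": match, "action": action, "priority": priority}).encode()
        tag = hmac.new(self.key, msg, hashlib.sha256).digest()
        return switch.receive_control_message(msg, tag)


def demo() -> dict:
    key = b"constructed-shared-secret"
    sw = Switch("s1", key)
    ctl = Controller(key)
    ctl.install(sw, {"dst": "10.0.0.2"}, "forward:2", priority=10)
    ctl.install(sw, {"dst": "10.0.0.3"}, "drop", priority=10)
    # A control message tagged with a key other than the controller's is rejected,
    # so a party on the network path cannot rewrite the switch's forwarding policy.
    stray_msg = json.dumps({"match": {}, "action": "forward:9", "priority": 100}).encode()
    stray_tag = hmac.new(b"some-other-key", stray_msg, hashlib.sha256).digest()
    stray_accepted = sw.receive_control_message(stray_msg, stray_tag)
    return {
        "to_h2": sw.forward({"dst": "10.0.0.2"}),
        "to_h3": sw.forward({"dst": "10.0.0.3"}),
        "unknown": sw.forward({"dst": "10.0.0.9"}),
        "stray_accepted": stray_accepted,
        "rejected": sw.rejected,
        "rules": len(sw.flow_table),
    }


if __name__ == "__main__":
    print(demo())
```

The switch never decides policy on its own: a packet with no matching rule is punted back to the controller, which is the path-determining component the article describes. The authentication step is the part the threat model is concerned with; a real deployment would use the TLS channel OpenFlow specifies rather than a hand-rolled shared key, but the property being checked is the same: a switch must be able to tell its controller's instructions from anything else arriving over the network.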


Funding for the one-year project comes from the Department of Defense's Defense Advanced Research Projects Agency.