Labs

Hands-on Activities

These lab exercises each target one or more network security problems, including but not limited to denial-of-service, unauthorized access, configuration issues and man-in-the-middle attacks. They are designed to test a student's ability to combine their knowledge of SDN with the technical hints and reference materials included in the guidelines to devise the required security solution. The exercises include tutorials that help students explore various features and capabilities of the controller (i.e., ONOS). The activity manuals also include guidelines for testing the solution, so that 1) students can evaluate their own approach at each step as they progress towards a complete solution and 2) instructors can evaluate it. Instructors are also provided, for reference, with a demonstration of one approach to implementing the solution for each activity. Each activity also includes a "hackathon" section dedicated to building the level of competency that graduate students need to practically address the many variations of the security issue(s) they will unavoidably face as future industry professionals.

Lab Environment

VM Composition

Our lab environment consists of several software tools that we have bundled in a Virtual Machine (VM) configured to run on VirtualBox. These tools mainly include:

1) Open vSwitch (OVS): Virtual-switch software used to virtualize, emulate, configure and troubleshoot OpenFlow-enabled SDN switches.
2) Open Network Operating System (ONOS): A Java-based controller platform for deploying applications in an SDN-operated network.
3) Mininet: Software that orchestrates SDN controllers and switches (such as ONOS and OVS, respectively) to emulate an SDN-operated network.
4) Docker: Application containerization software, used to virtualize the different types of applications in this network, including the controller (i.e., ONOS).

Other tools include an IDE for developing SDN applications and networking tools such as hping, iperf, ssh, tc, ip, arp and ethtool, available as command-line utilities in Linux. Students are expected to use this VM as their workspace for the lab activities.

To learn more about the VM, the labs or get access to them, please email us.

Getting Started

As a precursor to the proposed lab activities, we provide two guided activities to help students explore the concepts of SDN in the practical sense before moving forward to address its complex security issues.

1. MAC tracker

Students are instructed to develop a controller module that captures the MAC addresses of network hosts and then publishes them, using the controller's southbound and northbound interfaces respectively. This activity gives an example of the end-to-end flow of information in an SDN-operated network.

2. Reactive Forwarding

Students are instructed to develop a controller module that adaptively sets up flow-paths across switches to establish communication between network hosts as and when required. Unlike proactive forwarding, reactive forwarding assumes a dynamic network state and avoids filling switch flow-table memory with entries for traffic that never occurs. This activity gives an example of the practical deployment of flow-paths in SDN.
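The two Getting Started modules can be seen working together in the following toy simulation. It is an added example and not part of the course's lab code: nothing in it talks to ONOS, OpenFlow or Mininet, and the switch, packet-in events and flow table are in-memory stand-ins (the names PacketIn, Switch, MacTracker and ReactiveController are this example's own). The tracker learns each host's (switch, port) from packet-in events arriving over the southbound side and exposes the table read-only on the northbound side; the controller installs a flow only when traffic for a known destination arrives, and the demo contrasts the result with the number of entries a proactive scheme would install for the same hosts.

```python
"""Toy simulation of a MAC tracker plus reactive forwarding (added example,
not the lab's own code; no ONOS/OpenFlow calls are made)."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FLOOD = "flood"  # stand-in for an OpenFlow FLOOD output action


@dataclass(frozen=True)
class PacketIn:
    """Stand-in for a packet-in event delivered over the southbound interface."""
    dpid: str      # switch that received the frame
    in_port: int   # ingress port on that switch
    src_mac: str
    dst_mac: str


@dataclass
class Switch:
    dpid: str
    # match (in_port, dst_mac) -> output port; stand-in for the flow table
    flows: Dict[Tuple[int, str], int] = field(default_factory=dict)


class MacTracker:
    """Learns (dpid, port) for every source MAC seen in packet-in events."""

    def __init__(self) -> None:
        self._hosts: Dict[str, Tuple[str, int]] = {}

    def learn(self, event: PacketIn) -> None:
        self._hosts[event.src_mac] = (event.dpid, event.in_port)

    def lookup(self, mac: str) -> Optional[Tuple[str, int]]:
        return self._hosts.get(mac)

    def hosts(self) -> Dict[str, Tuple[str, int]]:
        """Northbound view: a copy, so callers cannot mutate controller state."""
        return dict(self._hosts)


class ReactiveController:
    """Installs a flow only when a frame for a known destination shows up."""

    def __init__(self, switches: List[Switch]) -> None:
        self.switches = {sw.dpid: sw for sw in switches}
        self.tracker = MacTracker()
        self.flows_installed = 0

    def on_packet_in(self, event: PacketIn) -> object:
        """Returns the output action chosen for this frame: a port number or FLOOD."""
        self.tracker.learn(event)
        sw = self.switches[event.dpid]
        known = self.tracker.lookup(event.dst_mac)
        if known is None or known[0] != event.dpid:
            # Destination not yet seen on this switch: flood and install nothing,
            # so the table never fills with entries for hosts that never talk.
            return FLOOD
        out_port = known[1]
        key = (event.in_port, event.dst_mac)
        if key not in sw.flows:
            sw.flows[key] = out_port
            self.flows_installed += 1
        return out_port


def proactive_flow_count(n_hosts: int) -> int:
    """Entries a proactive scheme would install on one switch: one per ordered
    (source, destination) pair, whether or not the pair ever communicates."""
    return n_hosts * (n_hosts - 1)


def demo() -> Tuple[int, int]:
    """Four constructed hosts on one switch, but only h1 and h2 talk. Returns
    (flows installed reactively, flows a proactive scheme would install)."""
    s1 = Switch("of:0000000000000001")
    ctl = ReactiveController([s1])
    macs = {i: f"00:00:00:00:00:0{i}" for i in range(1, 5)}  # constructed MACs
    bcast = "ff:ff:ff:ff:ff:ff"
    ctl.on_packet_in(PacketIn(s1.dpid, 1, macs[1], macs[2]))  # h2 unknown: flood
    ctl.on_packet_in(PacketIn(s1.dpid, 2, macs[2], macs[1]))  # h1 known: flow 1
    ctl.on_packet_in(PacketIn(s1.dpid, 1, macs[1], macs[2]))  # h2 known: flow 2
    ctl.on_packet_in(PacketIn(s1.dpid, 3, macs[3], bcast))    # h3 learned only
    ctl.on_packet_in(PacketIn(s1.dpid, 4, macs[4], bcast))    # h4 learned only
    return ctl.flows_installed, proactive_flow_count(len(ctl.tracker.hosts()))


if __name__ == "__main__":
    print(demo())  # (2, 12)
```

The first frame from h1 is flooded because h2 has not been seen yet; once h2 replies, each direction gets exactly one flow, and the two hosts that only ever announce themselves cost no table entries at all, whereas a proactive scheme would have provisioned all twelve pairwise entries up front.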

Lab Activities

Lab 1: Unauthorized Access by Compromised Controllers

Problem Definition: In practice, network control is often distributed across multiple controllers for scalability and resiliency. This requires coordination between the controllers that manage different parts of a network so that network policies are executed consistently. A lack of proper coordination could result in a breach in the form of a man-in-the-middle (MITM) attack, carried out by a set of rogue controllers and network hosts to hijack parts of the network.

Lab 2: Unauthorized Access by Unauthorized Applications

Problem Definition: The SDN paradigm enables multiple tenants to operate on the same network. A tenant here is assumed to run as an application module in the controller that uses the controller's resources to install network policies (flows) in the network. In practice it is typically given a set of roles and privileges that determine its scope. However, tenants are often assumed to be trusted simply because they exist as modules inside the controller, which could enable them to perform unauthorized operations in the network.
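One way to make a tenant's roles and privileges actually bind is to put an authorization check between tenant applications and the controller's flow-installation service, so that a request outside the tenant's scope is refused rather than installed. The following is an added example of such a check and is not the lab's reference solution; TenantScope, FlowRequest and FlowService, and the switch identifiers and tenant names in the demo, are assumptions of this example. A scope here limits which switches a tenant may program, which match fields it may use, how high a priority it may claim (so it cannot outrank policies placed above it) and how many flows it may hold (a quota against flow-table exhaustion).

```python
"""Scope enforcement for tenant flow requests (added example; the data model
is this example's own, not the controller's API)."""

from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class TenantScope:
    devices: FrozenSet[str]        # switches the tenant may program
    match_fields: FrozenSet[str]   # match fields it may use, e.g. {"ipv4_dst"}
    max_priority: int              # may not outrank policies placed above it
    max_flows: int                 # quota, so one tenant cannot fill the table


@dataclass(frozen=True)
class FlowRequest:
    tenant: str
    device: str
    priority: int
    match: Tuple[Tuple[str, str], ...]   # ((field, value), ...)
    out_port: int


class FlowService:
    """Gatekeeper in front of flow installation; every decision is audited."""

    def __init__(self, scopes: Dict[str, TenantScope]) -> None:
        self.scopes = scopes
        self.installed: List[FlowRequest] = []
        self.audit: List[str] = []

    def authorize(self, req: FlowRequest) -> Tuple[bool, str]:
        scope = self.scopes.get(req.tenant)
        if scope is None:
            return False, "unknown tenant"
        if req.device not in scope.devices:
            return False, f"device {req.device} outside scope"
        bad = {f for f, _ in req.match} - scope.match_fields
        if bad:
            return False, f"match fields not permitted: {sorted(bad)}"
        if req.priority > scope.max_priority:
            return False, f"priority {req.priority} exceeds {scope.max_priority}"
        used = sum(1 for r in self.installed if r.tenant == req.tenant)
        if used >= scope.max_flows:
            return False, "flow quota exhausted"
        return True, "ok"

    def install(self, req: FlowRequest) -> bool:
        ok, reason = self.authorize(req)
        verdict = "installed" if ok else "refused"
        self.audit.append(f"{req.tenant}@{req.device}: {verdict} ({reason})")
        if ok:
            self.installed.append(req)
        return ok


def demo() -> List[bool]:
    """Constructed requests from one registered tenant and one unregistered one."""
    svc = FlowService({
        "tenantA": TenantScope(frozenset({"of:1"}),
                               frozenset({"ipv4_dst", "tcp_dst"}),
                               max_priority=100, max_flows=2),
    })
    dst = (("ipv4_dst", "10.0.1.0/24"),)
    reqs = [
        FlowRequest("tenantA", "of:1", 50, dst, 2),                              # in scope
        FlowRequest("tenantA", "of:2", 50, dst, 2),                              # wrong switch
        FlowRequest("tenantA", "of:1", 500, dst, 2),                             # too high a priority
        FlowRequest("tenantA", "of:1", 50, (("eth_src", "00:00:00:00:00:01"),), 2),  # field not granted
        FlowRequest("tenantB", "of:1", 50, dst, 3),                              # unregistered tenant
        FlowRequest("tenantA", "of:1", 60, (("tcp_dst", "443"),), 2),            # second flow, within quota
        FlowRequest("tenantA", "of:1", 70, (("tcp_dst", "80"),), 2),             # quota exhausted
    ]
    return [svc.install(r) for r in reqs]


if __name__ == "__main__":
    print(demo())  # [True, False, False, False, False, True, False]
```

The checks are ordered from cheapest to most stateful, and the audit trail records refusals as well as installs, which is what an instructor (or an operator) would look at to see a tenant probing beyond its scope.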

Lab 3: DoS Attack Detection and Mitigation

Lab 4: Network Configuration Issues

Problem Definition: The SDN paradigm promotes the ability for a network to offload its configuration and policies to a variety of applications. While some of these applications function from within the controller, such as tenants, others function externally over its northbound interfaces (NBI). These interfaces are often designed to be open-ended so as to welcome a variety of external applications. Unlike tenants, these applications cannot be trusted. Without proper management, they pose a risk of potentially compromising the consistency of network state, configuration, and policies.

Lab 5: ARP Spoofing Attack Mitigation

Problem Definition: The Address Resolution Protocol (ARP) is widely used for mapping IP addresses to MAC addresses in the network switching domain. The stateless nature of this protocol, however, introduces a vulnerability that adversaries can exploit to launch a range of DoS and MITM attacks. ARP spoofing, or cache poisoning, is one such attack and raises concern in both the traditional and the SDN networking paradigms. The network programmability that SDN provides adds a new dimension to the solution space for this problem.
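A controller application is one place the programmability mentioned above can be used: ARP frames arriving as packet-in events can be inspected against a table of known IP-to-MAC bindings before the network forwards them. The following added example (not part of the lab materials) shows such an inspector in plain Python. It parses a raw Ethernet II + ARP/IPv4 frame with the standard library, keeps a binding table populated from a trusted source (assumed here to be DHCP leases or static host configuration), and drops a reply whose sender protocol address conflicts with the recorded binding, whose Ethernet source MAC differs from the ARP sender hardware address, or which claims an address the table knows nothing about. The bindings, MACs and frames in the demo are constructed; parse_arp, ArpInspector and build_arp are this example's own names.

```python
"""ARP inspection against a trusted binding table (added example; the frames
and bindings are constructed test input, not captured traffic)."""

import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype (14 bytes)
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


@dataclass(frozen=True)
class ArpPacket:
    eth_src: str     # MAC from the Ethernet header
    op: int          # 1 = request, 2 = reply
    sender_mac: str  # ARP sender hardware address
    sender_ip: str   # ARP sender protocol address
    target_ip: str


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> Optional[ArpPacket]:
    """Returns None for anything that is not a well-formed Ethernet II + ARP/IPv4 frame."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpPacket(mac_str(src), op, mac_str(sha), ip_str(spa), ip_str(tpa))


class ArpInspector:
    def __init__(self, trusted_bindings: Dict[str, str]) -> None:
        self.bindings = dict(trusted_bindings)   # IP -> MAC from a trusted source
        self.alerts: List[str] = []

    def inspect(self, frame: bytes) -> str:
        """Verdict for one frame: 'allow', 'drop', or 'ignore' (not ARP)."""
        pkt = parse_arp(frame)
        if pkt is None:
            return "ignore"
        if pkt.eth_src != pkt.sender_mac:
            self.alerts.append(f"L2/ARP sender mismatch from {pkt.eth_src}")
            return "drop"
        expected = self.bindings.get(pkt.sender_ip)
        if expected is not None and expected != pkt.sender_mac:
            self.alerts.append(f"binding conflict: {pkt.sender_ip} is {expected}, claimed by {pkt.sender_mac}")
            return "drop"
        if expected is None and pkt.op == ARP_REPLY:
            # Learning from an unverified reply is exactly what poisoning relies on.
            self.alerts.append(f"reply for unknown binding {pkt.sender_ip}")
            return "drop"
        return "allow"


def build_arp(eth_src: bytes, op: int, sha: bytes, spa: bytes, tha: bytes, tpa: bytes) -> bytes:
    """Builds a constructed broadcast Ethernet + ARP frame (test input only)."""
    return ETH_HDR.pack(b"\xff" * 6, eth_src, ETHERTYPE_ARP) + ARP_HDR.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)


def demo() -> List[str]:
    """Constructed hosts h1/h2 with trusted bindings, plus a third MAC with none."""
    h1_mac, h2_mac = bytes.fromhex("000000000001"), bytes.fromhex("000000000002")
    other_mac = bytes.fromhex("00000000000a")
    h1_ip, h2_ip = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    insp = ArpInspector({"10.0.0.1": "00:00:00:00:00:01", "10.0.0.2": "00:00:00:00:00:02"})
    frames = [
        build_arp(h2_mac, ARP_REPLY, h2_mac, h2_ip, h1_mac, h1_ip),     # genuine reply from h2
        build_arp(other_mac, ARP_REPLY, other_mac, h2_ip, h1_mac, h1_ip),  # h2's IP claimed by another MAC
        build_arp(other_mac, ARP_REPLY, h2_mac, h2_ip, h1_mac, h1_ip),  # ARP sender MAC != frame source
        b"\x00" * 20,                                                   # truncated, not ARP
    ]
    return [insp.inspect(f) for f in frames]


if __name__ == "__main__":
    print(demo())  # ['allow', 'drop', 'drop', 'ignore']
```

In a real deployment the binding table has to come from somewhere the adversary cannot write to (DHCP snooping at the controller, or operator-supplied host configuration); the inspector is only as trustworthy as that source, which is why it refuses to learn bindings from replies it cannot verify.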

Lab 6: Moving Target Defense

Problem Definition: Communication between hosts in a network depends on the ability of 1) the hosts to identify each other and 2) the network to identify the paths between them. Typically, services such as DNS are deployed to aid with (1), and a routing process such as Dijkstra's shortest-path algorithm is employed in the network to aid with (2). However, knowledge of the existence of such services and mechanisms in the network poses a vulnerability that, given enough time, enables an adversary to discover targets and predict the path between them in order to stage an attack and intercept their communication. Moving Target Defense (MTD) is a term used for a range of mechanisms that introduce unpredictability into the network as a means of eliminating these vulnerabilities.

Lab 7: ML-based Network Intrusion Detection System

Problem Definition: Networks are constantly under the threat of various types of malicious attacks at every layer of the TCP/IP stack. Even individual attack modes have a variety of signatures, and the full set cannot always be accurately or feasibly detected by any particular mechanism or heuristic. This has motivated network designers to build learnability into the design of Network Intrusion Detection Systems (NIDS) today. The premise is that, with proper supervision, a variety of Machine Learning (ML) tools and models can be programmed into a NIDS to predict classes of traffic in order to detect malicious behavior.

Lab 8: Closed Loop Automation

Problem Definition: Closed loop automation (CLA) is a high-level term for introducing a range of feedback mechanisms to seamlessly automate control across parts of a system and its resources. The controllers in SDN have two main sources of feedback for their operations: 1) the underlying network and 2) their various applications. Automating control without accounting for this feedback has the potential to introduce a variety of security issues. For instance, indiscriminately allocating and switching between network resources for services that share the same network risks violating service level agreements.