It never ceases to amaze me how far we have come in just a few years, in an age where (almost) everything is connected and accessible from the Internet. New trends in digital computing technology require uninterrupted service, high bandwidth, and dynamic management (e.g., big data, mobile devices, social networking, cloud computing). However, despite their widespread adoption, traditional networks are complex, very hard to manage, and error-prone. It is cumbersome to configure a network according to pre-defined standards and to re-configure it in the event of failure, maintenance, or upgrade. Also, current network systems are vertically integrated, with the control and data planes lumped together, which makes them harder to work on. With all this interconnectivity come intentions of every kind; whether they are legitimate or illegal is another thing altogether, and which side you find yourself on may be deliberate or outside your control.


Software-defined networking (SDN) is an emerging trend that intends to break this logjam by undoing the vertical integration, separating the network's control plane from the underlying routers and switches, and thereby making the network easy to program. SDN is characterized by two distinguishing features: separating the control plane from the data plane, and providing programmability for network application development. SDN makes it easier to create and introduce innovations in networking, simplifying network management and promoting network evolution. This does not mean it is without its Achilles heels; nevertheless, we are going to take a critical look at its framework, get wiser, and see what can be improved upon in the few years around the corner.

What Does Software Defined Networking Mean?

The term SDN (software-defined networking) was first proposed to represent the ideas and work in and around OpenFlow at Stanford University. The Open Networking Foundation (ONF), a non-profit consortium dedicated to the advancement, standardization, and commercialization of SDN, defines it as a network architecture in which the network control plane is made independent of the forwarding plane and is directly programmable. SDN is characterized by two properties, namely separation of the control plane from the data plane, and programmability of the control plane.

SDN's uniqueness resides in the fact that it provides programmability through separation of the control and data planes. Specifically, SDN offers simple network devices that are easy to program, rather than making networking devices more complex as in the case of active networking. Since SDN separates the control and data planes in the network architecture, network control can be exercised on the control plane without affecting the flow of data. Consequently, network intelligence can be removed from the switching devices and concentrated on controllers that are driven by software.

SDN can be categorized by three core aspects, which are:

Forwarding:

The forwarding aspect allows forwarding of packets as desired by the network application while hiding configuration and details of the underlying hardware.

Distribution:

This aspect shields SDN programs from the illogical or erratic distribution of network state, so that control over distribution is logical and well defined.

Specification:

This allows an application to showcase the required network characteristics without being responsible for implementing the behavior itself. This can be achieved by virtualizing and through the use of programming languages.

Objective of SDN

With its inherent decoupling of the control plane from the data plane, SDN offers greater control of a network's operation through programming. This brings the potential benefits of enhanced configuration, improved performance, and better innovation in a network's architecture and operations. The control enforced by SDN, apart from packet forwarding at the switching level, also includes link tuning at the data link level, thereby breaking the barrier between layers. Software-defined networking permits real-time, centralized control of a network based on both instant network status collection and user-defined policies. This in turn leads to optimized network configurations and improved network operations performance.

The benefits of SDN are enhanced by the fact that SDN offers a convenient platform for ICT experimentations for new techniques and encourages new network designs because of its network programmability and the ability to define and design isolated virtual networks through the control plane.

SDN Architecture Layers

SDN has a three-layer architecture consisting of an infrastructure layer, a control layer, and an application layer, stacked in that order from the bottom up.

1. The Infrastructure Layer

This consists of the switching devices (e.g., routers) in the data plane. The switching devices are responsible for handling packets based on the rules provided by a controller. Secondly, they collect network status data, caching it in local storage or on designated devices before sending it to the controllers. The network status information may include traffic statistics, network topology, network usage, etc.

a. Switching devices:

Switching devices such as switches and routers are interconnected to form a single network. They are interconnected through different transmission media, including Ethernet cables, copper wires, fiber optics, and wireless radio.

b. Memory:

One of the main challenges of the control plane is how to conserve onboard memory efficiently. Switching devices in large networks need a larger memory space and, as a result, constant clearing of accumulated data and storage upgrades have to be carried out to avoid memory exhaustion. When memory fills up, packets have to be dropped or directed to controllers for further decisions on how to process them, resulting in slow network performance. SDN addresses this problem through programmed instructions for the controllers that reduce memory usage.

c. Transmission Media:

SDN should embrace all possible transmission media, including wired, wireless, and optical devices, in order to provide universal coverage. However, different transmission media have their own configuration and management specifications. As such, SDN should integrate with these technologies, whatever configuration they require.

d. Data Plane:

The main function of the data plane is packet forwarding. Upon receiving a packet, the switching device first looks up the forwarding rule that matches the packet and then forwards the packet to the next server or router accordingly.

2. The Control Layer

The control layer bridges the infrastructure layer and the application layer via two interfaces: a south-bound interface for downward interaction with the infrastructure layer, through which controllers specify rules and access the various functions provided by the switching devices, and an upward interface for interaction with the application layer.

a. Programming Language:

The key function of the control layer is to translate application requirements into packet forwarding rules. This requires a communication protocol, e.g., a programming language, between the control layer and the application layer above it. Therefore, it is imperative to provide a high-level language through which SDN applications interact with the controllers. The language should specify a comprehensive syntax for SDN applications to express their requirements and network management strategies. High-level programming languages such as C++, Java, and Python can be used for application development, usually together with a software development kit (SDK) that provides libraries for desirable features, such as security protocols.

b. Rules Update:

An SDN controller is responsible for generating packet forwarding rules, analyzing them, and distributing them to the appropriate switching devices. However, forwarding rules need to be updated in response to configuration changes and dynamic network control needs, such as redirecting traffic from one server to another for optimal load balancing.

c. Network Status Collation:

In the upward direction, controllers collect network statistics to build a broad view of the entire network and provide the application layer with the information it needs to operate optimally. The main network status data are traffic statistics, such as flow duration, packet count, data size, and bandwidth.

d. Policy and Rule Validation:

Consistency in policies and rules is an important step toward stabilizing routing choices in SDN networks, because multiple applications can connect to the same controller and multiple controllers can be configured for overall network improvement. Where many rules are placed on the system, the policies and rules should be validated to identify and avoid potential conflicts.
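As an added example (not code from the original article), the following Python sketch models both the data-plane lookup described under the data plane above and the rule validation this section calls for: a constructed, simplified OpenFlow-style flow table where a packet is matched against prioritized rules with wildcards, plus a validator that flags equal-priority overlapping rules with different actions and rules that a higher-priority rule shadows entirely. The rule format, field names and sample rule set are assumptions for illustration, not any real controller's API.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed, simplified OpenFlow-style rule (None = wildcard);
# not the format of any real controller.
@dataclass(frozen=True)
class FlowRule:
    name: str
    priority: int
    action: str          # e.g. "output:2", "drop", "controller"
    nw_src: str = None   # source CIDR
    nw_dst: str = None   # destination CIDR
    tp_dst: int = None   # transport destination port
def _net(c):
    return ip_network(c, strict=False)
def _overlap(a, b, is_net):
    """Match fields overlap if either is a wildcard or the values intersect."""
    if a is None or b is None:
        return True
    return _net(a).overlaps(_net(b)) if is_net else a == b
def _covers(hi, lo, is_net):
    """True if field hi matches every packet that field lo matches."""
    if hi is None or lo is None:
        return hi is None
    return _net(lo).subnet_of(_net(hi)) if is_net else hi == lo
FIELDS = (("nw_src", True), ("nw_dst", True), ("tp_dst", False))
def rules_overlap(r1, r2):
    return all(_overlap(getattr(r1, f), getattr(r2, f), n) for f, n in FIELDS)
def rule_covers(hi, lo):
    return all(_covers(getattr(hi, f), getattr(lo, f), n) for f, n in FIELDS)

def match(rules, nw_src, nw_dst, tp_dst):
    """Data-plane lookup: highest-priority rule covering the packet, else table miss."""
    pkt = FlowRule("pkt", 0, "", nw_src + "/32", nw_dst + "/32", tp_dst)
    hits = [r for r in rules if rule_covers(r, pkt)]
    return max(hits, key=lambda r: r.priority).action if hits else "table-miss"

def validate(rules):
    """Flag equal-priority overlapping rules with different actions (ambiguous,
    switch-dependent winner) and rules fully shadowed by a higher-priority one."""
    conflicts, shadowed = [], []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if not rules_overlap(a, b):
                continue
            if a.priority == b.priority and a.action != b.action:
                conflicts.append((a.name, b.name))
            elif a.priority != b.priority:
                hi, lo = (a, b) if a.priority > b.priority else (b, a)
                if rule_covers(hi, lo):
                    shadowed.append((lo.name, hi.name))
    return {"conflicts": conflicts, "shadowed": shadowed}

# Constructed rule set: note "lab-ssh" can never fire under "block-lab".
SAMPLE_RULES = [
    FlowRule("allow-web", 100, "output:2", nw_dst="10.0.1.0/24", tp_dst=80),
    FlowRule("block-lab", 100, "drop", nw_src="10.0.2.0/24", nw_dst="10.0.1.0/24"),
    FlowRule("lab-ssh", 50, "output:3", "10.0.2.0/24", "10.0.1.10/32", 22),
    FlowRule("default", 1, "controller"),
]
```

On the sample set, validate() reports "allow-web" and "block-lab" as an equal-priority conflict (a lab host's web traffic is allowed or dropped depending on the switch) and "lab-ssh" as dead, since "block-lab" shadows it.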

3. The Application Layer

This layer contains applications designed to optimize the user experience. Through the programmable platform provided by the SDN control layer, SDN applications can access and control the switching devices at the infrastructure layer. SDN applications can be used to optimize processes including dynamic access control, mobility and migration, server load balancing, and network virtualization.

a. Adaptive Routing

A network's main function is packet switching and routing. Traditionally, switching and routing designs are based on a distributed approach. However, such distributed designs have many bottlenecks, including complex implementation, slow convergence, and limited ability to achieve broad network control. As an alternative, SDN offers closed-loop control, feeding applications with regular, timely global network status information and permitting applications to control the network.

b. Load Balancing

Load balancing is a widely used technique to achieve better server utilization. It is standard practice in data centers to deploy front-end load balancers that forward a client's request to a particular server out of a set, based on some metric, in order to optimize throughput, cut down on response time, and ensure that the network is not overloaded. However, dedicated load balancers are usually very expensive. SDN provides an alternative approach by configuring the network itself to distribute traffic.

OPENFLOW

OpenFlow was first created to enable easy network experiments on a campus network and is currently used in most SDN practice. Early experiments using OpenFlow were mainly aimed at creating a separate software-controllable network through software-controlled forwarding of packets. The implementation of a separate software-controllable network using OpenFlow is the starting point of what we now call "software-defined networking".

OpenFlow's idea of creating a separate network solely for network control gave birth to the key concept of SDN and laid the foundation for network programmability and a logically centralized control plane. SDN and OpenFlow concepts and design principles go hand in hand. On one hand, many concepts in SDN are based on the design of OpenFlow; on the other, as the conceptual framework of SDN becomes clearer and more mature, it influences the development of OpenFlow.

SDN for Cloud Computing

Cloud computing provides compute, data storage, and other resources on demand, charging for what is used; it also provides server and network virtualization. SDN provides opportunities to extend the Infrastructure as a Service (IaaS) model beyond computing and storage services to include a rich set of other network services for more innovative and efficient cloud computing. Data center networks for cloud computing have requirements that include scalability (scaling out to accommodate more nodes) for large-scale enterprise deployment, location independence, and support for dynamic resource provisioning.

Network Security

Traditional network security practices deploy firewalls and proxy servers to protect a physical network. Due to the vast number of devices connected to a network, ensuring that only legitimate applications consume network resources involves implementing a series of network-wide policies and tedious configuration of firewalls, proxy servers, and other devices. SDN provides a convenient platform to centralize, merge, and check policies and configurations to ensure that the implementation meets the required standards, thus preventing security threats. Moreover, SDN provides better ways to detect and defend against attacks, because it can collect network status and analyze traffic patterns for potential security threats.

Advantages of SDN

Centralization permits SDN to alter network behavior in real time and to deploy new applications and network services within hours. SDN makes it flexible and easy to configure, secure, manage, and optimize network resources via dynamic, automated SDN programs and applications. SDN promotes easy implementation of network rules and policy management. SDN can be implemented and enforced across both wired and wireless networks and a wide range of devices. SDN allows centralized control with a broad view of network activities, and feedback control with information exchanged interactively between the different layers of the network architecture. As such, many challenges affecting network performance become manageable with properly designed central algorithms. SDN encourages innovation by providing a programmable network platform on which to implement, experiment with, and deploy new ideas, new applications, and new revenue-earning services conveniently and flexibly.

SDN Challenges

Despite its promises of enhanced configuration, improved performance, and encouraged innovation, SDN is still beset by many challenges. Many fundamental issues, such as standardization, remain to be solved. Common concerns include SDN interoperability with network devices, performance and privacy concerns of centralized control, and a lack of expert manpower to provide technical support.

SDN Security Threats

Due to the threat of cyber-attacks and the plethora of digital threats, security and dependability are top priorities in SDN. While some threat vectors are common to existing networks, others, such as attacks on the control plane or on control-plane communication and on the logically centralized controllers, are more specific to SDN. OpenFlow networks are subject to security and dependability problems such as spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. The assumption that the effects of threats on some applications are localized and will not affect SDN operation as a whole is a major reason for these vulnerabilities.

It is worth emphasizing that some attacks (for example, spoofing) are not SDN-specific. However, these attacks can have a larger impact in SDNs. For example, by successfully spoofing the network controller's address, an attacker using a compromised controller could install his own rules on all forwarding devices for his own malicious purposes and take over control of the entire network within just a few minutes, and this is huge.

An attacker can also try to guess the installed flow rules and then forge packets to remotely inflate the network traffic counters, rendering the load-balancing rules ineffective. Such an attack would adversely affect load-balancing systems.

Other technical security concerns in SDN networks include the lack of strong security measures and access control support on most of the switches that the controllers manage. There is an erroneous belief that transmission control protocol (TCP) links are physically secure. This is untrue: a simple listening application (such as those used for network traffic inspection) pointed at a host server is enough to breach the network. In addition, vulnerabilities in the controllers themselves and application development problems (bugs), such as an application exiting suddenly or continuously allocating memory, are enough to crash existing controllers and can also lead to serious security breaches.

Counter Security Measures

Several countermeasures can be put in place to mitigate the security threats in SDNs. Traditional techniques such as access control, attack detection mechanisms, selective filtering (e.g., the controller decides which asynchronous messages it will accept or reject), troubleshooting, firewalls, and intrusion detection systems can be used to mitigate the impact of attacks or to avoid them. Third-party network applications should always be scanned for bad code and hidden threats.

Shorter timeouts, packet dropping, and rate limiting are techniques that can be applied on controllers and forwarding devices to mitigate a wide range of threats. Reduced timeouts can limit the effect of an attack by exploiting the reactive operation mode of an SDN network, in which the controller installs rules to shut down, starve, or strip an infected server of traffic. With reduced timeouts, the attacker would be forced to constantly generate forged packets to keep the rule's time-to-live (TTL) from expiring, making the attack noisier and more likely to be detected; call it entrapment by the police. And yes, I do see that on cable: while the criminal is being whisked off, he is screaming, "this is entrapment, this is entrapment." Yeah, I am laughing too.
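To make the trade-off concrete, here is an added example (not from the original article or any real controller) that simulates a reactive controller applying idle timeouts and per-source packet-in rate limiting: a steadily communicating client keeps its rule alive cheaply, while a host that sprays packets at new destinations exhausts its packet-in budget and is quarantined with a drop rule. The class, its parameters and the traffic samples are constructed assumptions.

```python
from collections import defaultdict, deque

class ReactiveController:
    """Constructed model of a reactive SDN controller (not any real controller's
    API). The switch consults the controller (packet-in) only on a table miss;
    installed rules expire after `idle_timeout` seconds without traffic, and a
    source that causes more than `packet_in_limit` packet-ins within `window`
    seconds gets a temporary drop rule instead of forwarding rules."""

    def __init__(self, idle_timeout=5.0, packet_in_limit=10, window=10.0,
                 quarantine=60.0):
        self.idle_timeout, self.packet_in_limit = idle_timeout, packet_in_limit
        self.window, self.quarantine = window, quarantine
        self.flows = {}                       # (src, dst) -> [action, last_seen]
        self.drops = {}                       # src -> expiry of its drop rule
        self.packet_ins = defaultdict(deque)  # src -> recent packet-in times
        self.packet_in_total = 0

    def _expire(self, now):
        """Idle timeout: remove rules unused for longer than idle_timeout."""
        self.flows = {k: v for k, v in self.flows.items()
                      if now - v[1] <= self.idle_timeout}
        self.drops = {s: t for s, t in self.drops.items() if t > now}

    def handle(self, now, src, dst):
        """Process one packet seen by the switch at time `now`; returns the action."""
        self._expire(now)
        if src in self.drops:
            return "drop"                     # quarantined source
        flow = self.flows.get((src, dst))
        if flow:                              # fast path: switch forwards on its own
            flow[1] = now
            return flow[0]
        self.packet_in_total += 1             # table miss -> packet-in to controller
        recent = self.packet_ins[src]
        recent.append(now)
        while now - recent[0] > self.window:
            recent.popleft()
        if len(recent) > self.packet_in_limit:
            self.drops[src] = now + self.quarantine   # rate limit: strip its traffic
            recent.clear()
            return "drop"
        self.flows[(src, dst)] = ["forward", now]
        return "forward"

def run(events, **kw):
    """events: list of (time, src, dst). Returns (packet-in count, quarantined sources)."""
    c = ReactiveController(**kw)
    for t, s, d in sorted(events):
        c.handle(t, s, d)
    return c.packet_in_total, sorted(c.drops)

# Constructed traffic: one client talking steadily to one server, and one host
# spraying packets at new destinations (each one a table miss).
STEADY = [(t, "10.0.0.5", "10.0.1.1") for t in range(0, 60, 3)]
SPRAY = [(i * 0.5, "10.0.0.66", "10.0.2.%d" % i) for i in range(40)]
```

Shortening idle_timeout from 5 s to 2 s makes the same steady client cost 20 packet-ins instead of 1, which is the cost side of the reduced-timeout measure; the spraying host is cut off after its 11th packet-in regardless.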

Forensic and remediation measures such as secure logging, event correlation, and consistent reporting are essential to SDN security maintenance. If anything goes wrong with the network, operators should be able to quickly detect the threat, trace it, close the loopholes, and return the network to secure operation as fast as possible.
