Software-Defined Networking - Literature review Example

Summary
This literature review "Software-Defined Networking" discusses how the demands on networked computer systems have shifted from the basic hosting of applications on a server to more sophisticated computing environments such as remote data storage devices and cloud-based networks…

Extract of sample "Software-Defined Networking"

Introduction

The demands placed on networked computer systems have shifted dramatically, from the basic hosting of applications on a server to more sophisticated computing environments such as remote data storage devices and cloud-based networks. Such advanced computing environments demand more advanced planning methods, more computing resources and more labor. In a bid to quickly reconfigure and design the way resources or data are handled within a network, developers and network programmers have come up with Software-Defined Networking (SDN), one of the latest networking architectures, which uses standardized application programming interfaces (APIs) [1]. With an API, it is possible to quickly interface with and reconfigure the network and its components, such as switches, and to pull data as instructed by network applications such as email systems. SDN has brought significant changes and improvements to computer networking, which makes it imperative to understand its unique benefits through a review of the literature, as well as some of the security issues facing SDN. Furthermore, owing to the security issues that will be identified, it becomes crucial to propose a theoretical security framework.

Literature Review

Gladisch & Kellerer conducted a study with the aim of understanding the relationship between SDN and Network Function Virtualization, especially in their application [2]. Gladisch & Kellerer claim that over the past decade there have been complaints regarding the complexity of the internet, limited mobility, limited security integration in the Internet architecture, and laxity in innovation [2].
To curb these problems in the usage of the internet, a Clean Slate Program was started at Stanford University, aiming to enhance OpenFlow and SDN and to improve data center networks, mobile internet, and social networking. The initial proposal towards Software-Defined Networking was to separate control and forwarding in networks and to develop a program that would enable the control plane to adopt an open software architecture. The result of the initiative was that server performance and computing became more powerful. For the first time, open stack 3 enabled server virtualization and data centers to realize multiple vendor-driven initiatives [2]. Furthermore, since mobile networks require running virtualized network functions such as packet inspection and gateways in a simplified manner, the adoption of SDN and network function virtualization offers plausible concepts that are integral to realizing this.

Kirkpatrick conducted research to determine the effectiveness of software-defined networking in enabling programmers to quickly reconfigure network resource usage [3]. Kirkpatrick claims that the idea of SDN is somewhat analogous to the way mobile applications are built. Using SDN, it is possible to reach into network switches through an application programming interface and reconfigure the network's resources to suit the needs of the programmer [3]. Depending on the manner in which switches are deployed, reprogramming becomes quicker. This is contrary to the traditional approach, where dedicated switches dominated the process through which data was transmitted, directing packets between the connected devices. The switches comprise two planes. The first is the forwarding plane, also known as the data plane, whose task is routing data packets to their network destination. The second is the control plane.
The control plane creates the routing tables, which determine how packets are sent to their respective destinations. Furthermore, the control plane manages connections between switches and is responsible for defining the quality of service and handling exceptions and errors from a variety of packets. Additionally, Kirkpatrick found that SDN decouples the link between the data routing instructions and the switch, and can therefore add an API between the switch and the data routing instructions [3]. Through this decoupling, SDN enables virtual switches, which are not attached to any hardware device. Virtual switches enable programmers or users to use higher-level applications to pull large amounts of data and to reconfigure network resources. With the ability to adopt virtual switches, SDN appears as a three-tiered, or stack, architecture [3]. The topmost tier consists of the high-level instructions and applications; the middle tier hosts the controller responsible for directing data traffic; and the third tier holds the virtual and physical switches. One or more interfaces are attached to each control device to enable communication between the device and other components. The interfaces are described directionally in accordance with their relationships. For example, in SDN, northbound interfaces are those through which communication is with a higher-level component, while a southbound interface allows communication between a network component and a lower-level component [3].

Furthermore, Klepac, Hegr & Bohac conducted a study to determine the ability of software-defined networking to enhance the availability of services [4]. Klepac et al. observed that traditional networking systems have over time shown an inability to respond promptly to the immense growth in client demands that befall cloud providers and data centers. To avoid the problems of traditional networking concepts that lack agility, the concept of software-defined networking has come in handy. According to Klepac et al., SDN is instrumental in minimizing service downtime while live virtual machine migrations are performed [4]. These migrations are brought about by the need to transition from maintaining servers on physical hosts to virtualized servers that are entirely hosted by a cloud provider. In their research, Klepac et al. focused on a single use case: the enhancement of service availability during a live virtual machine migration [4]. Running the application through an ONOS SDN controller, information is gathered from several sources, namely the OpenNebula orchestrator and libvirt virtualization. Following SDN principles, the application is allowed to perform topology changes. Eventually, an alternative topology that utilizes virtual switches is formed, and latency as well as packet loss are measured. Furthermore, it was found that it is more feasible to implement security policies such as port security using SDN. Lastly, Klepac et al. concluded that the principal advantage that SDN has over traditional networking is its ability to program networks which [4].

Security Issues in SDN

Although SDN promises much in increasing network agility and programmability, it is imperative to pay careful attention to the security issues that may arise as we exploit this new networking paradigm. According to Dabbagh, Hamdaoui, Guizani & Rayes, one of the security threats facing SDN is on the forwarding plane, chiefly switch DoS [1].
Due to the limited storage capacity of current switches, it is impossible for the controller to store all the rules in these switches; thus SDN employs a reactive caching mechanism. Under this mechanism, when an incoming packet has no matching rule in the switch, the packet is stored temporarily and a query is sent to the controller for the matching rule. Once the controller sends the rule, the switch stores it in its forwarding table so that subsequent packets of the flow are processed directly. Storing packets in the switch's buffer makes switches vulnerable to a DoS attack. The DoS attack happens when a malicious user floods these switches with large packets, filling the buffer and eventually causing legitimate packets that may belong to new flows to be dropped.

Secondly, there is the man-in-the-middle attack, which is likely to occur when unencrypted communication messages are sent over the link that connects the forwarding plane to the controller. Such a link is susceptible to eavesdropping by an attacker. Worse, the attacker can tamper with rules sent over this link or fabricate new rules, gaining full control of the switch. In the man-in-the-middle attack, the attacker inserts a node between the controller and the switch to intercept communication [1].

Thirdly, according to Shu, Wan, Li, Lin, Vasilakos and Imran, the centralization of SDN's control plane presents imminent threats such as the Distributed Denial of Service (DDoS) attack [5]. DDoS attacks often happen when a number of compromised hosts distributed in the network flood the switches with packets. The switch tables will not hold all the rules, so multiple queries will be sent to the controller.
These many queries will eventually consume the processing power of the controller, causing legitimate queries to be dropped or delayed.

Theoretical Security Framework against Man-in-the-Middle Attack

The major security challenge in the man-in-the-middle issue is distinguishing forged flow rules from normal ones and eliminating the forged rules before substantial damage is caused in the network system [5]. First, it is imperative to come up with a configuration validation tool that is capable of identifying any configuration errors in the switches. This software will create models of the switches in the network and then, using a binary decision model checking technology, conduct end-to-end verification and analysis of the switches' configurations. The software will thus be able to identify any misconfigurations in these switches. Furthermore, by applying the analysis and verification algorithm, the software will be able to detect collisions in the forwarding rules. In the case of malicious attacks, this software can verify the legitimacy of any modification via digital signatures, and this will be made possible via tracking of routing data.

Conclusion

The paper addresses some of the key functions of SDN which make it preferable to traditional networks. SDN is set to eventually or completely replace traditional networking owing to the promises it holds concerning networking simplicity and elasticity, as well as breaking the barriers that deterred programmability. Although this new paradigm in network architecture comes with many benefits, it also faces several security issues, especially in this early design stage. It is, therefore, imperative for developers and programmers to address these security threats and institute countermeasures that will assure users of security when using SDN services.

List of References

[1] M. Dabbagh, B. Hamdaoui, M. Guizani and A. Rayes, "Software-defined networking security: pros and cons", IEEE Commun. Mag., vol. 53, no. 6, pp. 73-79, 2015.
[2] A. Gladisch and W. Kellerer, "Software defined networking and network function virtualization", it - Information Technology, vol. 57, no. 5, 2015.
[3] K. Kirkpatrick, "Software-defined networking", Communications of the ACM, vol. 56, no. 9, p. 16, 2013.
[4] M. Klepac, T. Hegr and L. Bohac, "Enhancing Availability of Services Using Software-Defined Networking", AEEE, vol. 13, no. 5, 2015.
[5] Z. Shu, J. Wan, D. Li, J. Lin, A. Vasilakos and M. Imran, "Security in Software-Defined Networking: Threats and Countermeasures", Mobile Networks and Applications, 2016.
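
One way to implement the two checks proposed under "Theoretical Security Framework against Man-in-the-Middle Attack": reject flow-rule updates whose authenticity tag does not verify, and reject updates that collide with rules already installed. This is an added example, not code from the essay or its sources. The rule fields, the key, the collision definition and all function names are assumptions, and an HMAC over a shared key stands in for the digital signature the essay calls for.

```python
import hashlib
import hmac
import json
from ipaddress import ip_network

# Constructed demo key (assumption). HMAC stands in for a digital signature;
# a deployment would use per-switch keys or asymmetric signing.
KEY = b"constructed-demo-key"

def canonical(rule):
    """Serialize a rule deterministically so signer and verifier agree."""
    return json.dumps(rule, sort_keys=True, separators=(",", ":")).encode()

def sign(rule, key=KEY):
    return hmac.new(key, canonical(rule), hashlib.sha256).hexdigest()

def is_authentic(rule, tag, key=KEY):
    # Constant-time comparison of the expected and presented tags.
    return hmac.compare_digest(sign(rule, key), tag)

def collides(a, b):
    """Assumed definition: equal priority, overlapping destination
    prefixes, and different actions."""
    if a["priority"] != b["priority"] or a["action"] == b["action"]:
        return False
    return ip_network(a["dst"]).overlaps(ip_network(b["dst"]))

def validate(table, updates):
    """Apply (rule, tag) updates; return (accepted, rejected-with-reason)."""
    accepted, rejected = list(table), []
    for rule, tag in updates:
        if not is_authentic(rule, tag):
            rejected.append((rule, "bad signature"))
        elif any(collides(rule, r) for r in accepted):
            rejected.append((rule, "collision"))
        else:
            accepted.append(rule)
    return accepted, rejected

def demo():
    # Constructed sample rules, not taken from any real switch.
    table = [{"priority": 10, "dst": "10.0.0.0/24", "action": "output:1"}]
    good = {"priority": 10, "dst": "10.0.1.0/24", "action": "output:2"}
    clash = {"priority": 10, "dst": "10.0.0.128/25", "action": "output:3"}
    forged = {"priority": 20, "dst": "10.0.0.0/24", "action": "output:9"}
    # The forged rule reuses a tag that was issued for a different rule.
    updates = [(good, sign(good)), (clash, sign(clash)), (forged, sign(good))]
    accepted, rejected = validate(table, updates)
    return len(accepted), [reason for _, reason in rejected]
```
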