Networking Issues and Vulnerabilities Flashcards
threat
A possible danger that might exploit a vulnerability.
Application plane
Applications developed for telemetry, orchestration, and other SDN operations can have security vulnerabilities of their own.
Control plane
An attacker can generate traffic from spoofed IP addresses and send a huge volume of it, flooding the controller with requests.
Data plane
An attacker can poison the controller's global view of the network by forging LLDP packets.
TV1 Fake traffic flows
Faulty devices or malicious users can mount a DoS attack that targets the switch's TCAM (the flow table), filling it with bogus flow entries.
TV2 Switch-specific vulnerability
A compromised switch can be used to slow down traffic in the SDN environment, or to insert forged flow requests.
TV3 Control plane communication attack
The control plane channel does not require TLS/SSL (it is optional in OpenFlow). Unauthenticated control traffic, or a compromised CA, would let an attacker take over the switches, essentially creating a botnet.
TV4 Controller vulnerabilities
The controller is the most important component in the SDN environment; a compromised or failed controller affects the whole network.
TV5 Lack of trust between controller and management applications
Controller and management plane applications lack a built-in mechanism to establish trust. The certificate creation and trust verification between network devices in the SDN environment can be different from the trust framework between normal applications.
Security mechanisms in SDN
1 - replication
2 - diversity
3 - automated recovery
4 - dynamic device association
5 - controller switch trust
6 - controller app plane trust
7 - security domains
Diversity
Using diverse implementations (for example, different controller software or operating systems on the replicas) improves robustness: a single vulnerability is less likely to affect every replica, which improves intrusion tolerance.
Automated recovery
In the case of security attacks leading to service disruption, proactive and reactive recovery mechanisms help maintain optimal service availability.
Dynamic device association
If one instance of a controller fails, the switch should be able to dynamically associate with a backup controller. This helps with faults and enables other features such as load balancing.
SDN data plane attacks
1 - side channel attacks
2 - DoS
3 - topology poisoning attacks
Controller-switch trust
In basic scenarios the controller can maintain a whitelist of switches that are allowed to send control plane messages; anything from a switch not on the list is dropped.
In more complex scenarios, PKI (certificates issued by a trusted CA) can be used to establish mutual trust between control plane and data plane devices.
Controller-app plane trust
Should use autonomic trust management mechanisms based on mutual trust and delegated trust.
Security domains
Help segment the network into different levels of trust, and contain a threat to only the affected section of the SDN framework.
Side channel attack
An attacker can observe the processing time of the control plane (for example, how long a new flow takes to be answered) in order to learn the network configuration.
Topology poisoning attack
A two-stage data plane attack that makes the controller believe in a link between switches that does not exist.
Stage 1: the attacker captures the OpenFlow LLDP (link discovery) packets and extracts the LLDP format and contents the controller uses.
Stage 2: the attacker sends forged LLDP packets so that they reach the controller as link discovery messages.
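The whitelist check from "Controller-switch trust" and the two-stage attack above, as an added example (not code from the original flashcards or from any particular controller). The controller model, datapath IDs, the `host_seen` port-classification check and the constructed LLDP frames are all assumptions made for illustration; the LLDP TLV layout follows IEEE 802.1AB:

```python
import struct
from typing import Dict, Optional, Set, Tuple

# LLDP TLV types (IEEE 802.1AB). An OpenFlow controller sends LLDP out of every
# switch port and records a link when the frame comes back as a packet_in
# from a neighbouring switch.
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
SUBTYPE_LOCAL = b"\x07"   # "locally assigned" chassis/port ID subtype

def tlv(t: int, value: bytes) -> bytes:
    """7-bit type, 9-bit length, then the value."""
    return struct.pack("!H", (t << 9) | len(value)) + value

def build_lldp(dpid: int, port: int) -> bytes:
    """Controller-style LLDP payload: chassis ID carries the datapath ID."""
    return (tlv(TLV_CHASSIS_ID, SUBTYPE_LOCAL + dpid.to_bytes(8, "big"))
            + tlv(TLV_PORT_ID, SUBTYPE_LOCAL + port.to_bytes(2, "big"))
            + tlv(TLV_TTL, struct.pack("!H", 120))
            + tlv(TLV_END, b""))

def parse_lldp(payload: bytes) -> Dict[int, bytes]:
    """Parse TLVs into {type: value}; stop at the End TLV or truncated data."""
    tlvs, off = {}, 0
    while off + 2 <= len(payload):
        hdr, = struct.unpack_from("!H", payload, off)
        t, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if t == TLV_END:
            break
        tlvs[t] = payload[off:off + length]
        off += length
    return tlvs

def forge_from_capture(captured: bytes, claim_dpid: int, claim_port: int) -> bytes:
    """Stage 1 + 2: take a captured LLDP frame, keep its format (TTL etc.),
    and rewrite the chassis/port IDs so it claims to come from another switch."""
    tlvs = parse_lldp(captured)
    tlvs[TLV_CHASSIS_ID] = SUBTYPE_LOCAL + claim_dpid.to_bytes(8, "big")
    tlvs[TLV_PORT_ID] = SUBTYPE_LOCAL + claim_port.to_bytes(2, "big")
    return b"".join(tlv(t, v) for t, v in tlvs.items()) + tlv(TLV_END, b"")

Link = Tuple[int, int, int, int]   # (src_dpid, src_port, dst_dpid, dst_port)

class Controller:
    """Minimal link-discovery logic of an SDN controller (assumed model)."""

    def __init__(self, allowed_dpids: Set[int], check_host_ports: bool = False):
        self.allowed = allowed_dpids            # controller-switch trust whitelist
        self.check_host_ports = check_host_ports
        self.host_ports: Set[Tuple[int, int]] = set()
        self.links: Set[Link] = set()

    def host_seen(self, dpid: int, port: int) -> None:
        """Record that ordinary host traffic arrived on this port."""
        self.host_ports.add((dpid, port))

    def packet_in(self, from_dpid: int, in_port: int, payload: bytes) -> Optional[Link]:
        # Whitelist: control-plane messages from unknown switches are dropped.
        if from_dpid not in self.allowed:
            return None
        # Assumed hardening: a port that carries host traffic cannot be the
        # far end of a switch-to-switch link, so LLDP arriving there is rejected.
        if self.check_host_ports and (from_dpid, in_port) in self.host_ports:
            return None
        tlvs = parse_lldp(payload)
        if TLV_CHASSIS_ID not in tlvs or TLV_PORT_ID not in tlvs:
            return None
        src_dpid = int.from_bytes(tlvs[TLV_CHASSIS_ID][1:], "big")
        src_port = int.from_bytes(tlvs[TLV_PORT_ID][1:], "big")
        link = (src_dpid, src_port, from_dpid, in_port)
        self.links.add(link)
        return link

def demo() -> Tuple[Optional[Link], Optional[Link], Optional[Link]]:
    """Constructed scenario: switches 1-3 are legitimate; an attacker host sits on
    switch 3 port 5 and captures the LLDP the controller floods out of that port."""
    naive = Controller({1, 2, 3})
    naive.packet_in(2, 2, build_lldp(1, 1))              # genuine link s1:1 <-> s2:2
    captured = build_lldp(3, 5)                          # stage 1: attacker captures this
    forged = forge_from_capture(captured, 1, 1)          # stage 2: claims to be s1:1
    poisoned = naive.packet_in(3, 5, forged)             # controller adds s1:1 <-> s3:5
    hardened = Controller({1, 2, 3}, check_host_ports=True)
    hardened.host_seen(3, 5)
    blocked = hardened.packet_in(3, 5, forged)           # rejected: host port
    rogue = naive.packet_in(99, 1, build_lldp(1, 1))     # rejected: not whitelisted
    return poisoned, blocked, rogue

if __name__ == "__main__":
    print(demo())
```

The naive controller accepts the replayed frame because it only checks that the sender is whitelisted and that the TLVs parse; the whitelist stops a rogue switch (dpid 99) but not a forged frame injected through a trusted switch, which is why a port-level check (or an authenticated LLDP payload) is needed on top of it.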
Side channel countermeasure
Countermeasures rely on the response-time pattern: a timeout proxy on the data plane normalizes the control plane delay so that every response takes a similar time; alternatively, the response time can be randomized.
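A simulation of the timing side channel described under "Side channel attack" together with the timeout-proxy countermeasure above. This is an added example, not code from the original flashcards; the millisecond figures, the proxy floor and the flow table are constructed values chosen to illustrate the effect, not measurements of any real switch:

```python
import random
from typing import Callable, Dict

# Constructed timing model (milliseconds), not measurements: a packet that
# matches an installed flow rule is forwarded in hardware (fast path), while a
# table miss is punted to the controller (packet_in -> flow_mod round trip).
FAST_PATH_MS = 0.1
TABLE_MISS_MS = 2.5
PROXY_FLOOR_MS = 3.0   # assumed timeout-proxy floor: never answer faster than this

Timing = Callable[[bool, random.Random], float]

def raw_response_time(flow_installed: bool, rng: random.Random) -> float:
    """Unprotected switch: a little jitter, but the two cases never overlap."""
    base = FAST_PATH_MS if flow_installed else TABLE_MISS_MS
    return base + rng.uniform(0.0, 0.05)

def proxied_response_time(flow_installed: bool, rng: random.Random) -> float:
    """Timeout proxy on the data plane: pad every response up to a common floor,
    then randomise the remainder so the observable delay carries no signal."""
    actual = raw_response_time(flow_installed, rng)
    return max(actual, PROXY_FLOOR_MS) + rng.uniform(0.0, 1.0)

def probe(timing: Timing, flows: Dict[str, bool], seed: int = 1) -> Dict[str, float]:
    """Attacker sends one probe per candidate flow and records the delay."""
    rng = random.Random(seed)
    return {name: timing(installed, rng) for name, installed in flows.items()}

def infer_installed(delays: Dict[str, float], threshold_ms: float) -> Dict[str, bool]:
    """Attacker's classifier: anything answered faster than the threshold is
    assumed to match an existing rule, i.e. part of the network configuration."""
    return {name: d < threshold_ms for name, d in delays.items()}

def separation(timing: Timing, samples: int = 200, seed: int = 1) -> float:
    """Gap between the fastest table-miss and the slowest fast-path response.
    Positive: one threshold separates the cases perfectly (the channel leaks).
    Negative: the distributions overlap and timing reveals nothing."""
    rng = random.Random(seed)
    hits = [timing(True, rng) for _ in range(samples)]
    misses = [timing(False, rng) for _ in range(samples)]
    return min(misses) - max(hits)

# Constructed "real" configuration the attacker is trying to learn.
NETWORK_FLOWS = {"h1->h2": True, "h1->h3": False, "h2->db": True, "h3->db": False}

if __name__ == "__main__":
    leaked = infer_installed(probe(raw_response_time, NETWORK_FLOWS), threshold_ms=1.0)
    print("unprotected: attacker recovers config exactly:", leaked == NETWORK_FLOWS)
    print("unprotected separation: %.2f ms" % separation(raw_response_time))
    print("with timeout proxy:     %.2f ms" % separation(proxied_response_time))
```

With the proxy in place every probe lands in the same 3 to 4 ms window whether or not a rule existed, so no threshold recovers the flow table; the cost is that every response, including legitimate fast-path traffic, is delayed to the floor, which is the trade-off the countermeasure makes.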
Distributed security and microsegmentation
Microsegmentation is a method of breaking the traditional data center and cloud network into logical elements and managing each element separately.
Microsegmentation provides a software-defined management architecture whose key security benefit is preventing lateral movement between workloads.
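A small segment-based policy evaluator of the kind a distributed firewall enforces at each workload, as an added example (not code from the original flashcards or from any vendor's product). The segment names, CIDRs, rules and the flow records it is run over are all constructed for illustration:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    """Allow rule expressed between logical segments, not IP addresses."""
    src_seg: str
    dst_seg: str
    proto: str
    port: int

class Microsegmentation:
    """Default-deny policy between logical elements (segments) of the network.
    Each host's distributed firewall evaluates the same policy, so a workload
    that is compromised cannot reach neighbours it has no explicit rule for."""

    def __init__(self, segments: Dict[str, List[str]], rules: List[Rule]):
        self.segments = {name: [ip_network(c) for c in cidrs]
                         for name, cidrs in segments.items()}
        self.rules = set(rules)

    def segment_of(self, ip: str) -> Optional[str]:
        addr = ip_address(ip)
        for name, nets in self.segments.items():
            if any(addr in n for n in nets):
                return name
        return None

    def allows(self, src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
        src, dst = self.segment_of(src_ip), self.segment_of(dst_ip)
        if src is None or dst is None:
            return False          # unknown workloads get no connectivity at all
        # Traffic inside one segment is NOT implicitly allowed: unlike a flat
        # VLAN, a web server may not talk to another web server without a rule.
        return Rule(src, dst, proto, port) in self.rules

    def evaluate(self, flow_records: List[str]) -> List[Tuple[str, str, bool]]:
        """Run the policy over 'src dst proto port' records and return
        (record, reason, allowed); denied flows are candidate lateral movement."""
        verdicts = []
        for rec in flow_records:
            src, dst, proto, port = rec.split()
            ok = self.allows(src, dst, proto, int(port))
            reason = "%s->%s" % (self.segment_of(src), self.segment_of(dst))
            verdicts.append((rec, reason, ok))
        return verdicts

# Constructed three-tier policy: web may reach app, app may reach db, nothing else.
POLICY = Microsegmentation(
    segments={"web": ["10.0.1.0/24"], "app": ["10.0.2.0/24"], "db": ["10.0.3.0/24"]},
    rules=[Rule("web", "app", "tcp", 8080), Rule("app", "db", "tcp", 5432)],
)

# Constructed flow records as a distributed firewall might log them.
SAMPLE_FLOWS = [
    "10.0.1.10 10.0.2.20 tcp 8080",   # web -> app: allowed
    "10.0.2.20 10.0.3.30 tcp 5432",   # app -> db: allowed
    "10.0.1.10 10.0.3.30 tcp 5432",   # web -> db: skips a tier, denied
    "10.0.1.10 10.0.1.11 tcp 22",     # web -> web: lateral movement, denied
    "192.168.9.9 10.0.3.30 tcp 5432", # unknown source: denied
]

def denied_flows() -> List[str]:
    return [rec for rec, _, ok in POLICY.evaluate(SAMPLE_FLOWS) if not ok]

if __name__ == "__main__":
    for rec, reason, ok in POLICY.evaluate(SAMPLE_FLOWS):
        print("%-5s %-12s %s" % ("ALLOW" if ok else "DENY", reason, rec))
```

The point the table of verdicts makes is the fourth record: on a traditional flat network two web servers in the same subnet can always reach each other, so one compromised host can pivot to its neighbours; under microsegmentation that east-west connection is denied unless the policy names it.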