Networking Issues and Vulnerabilities

Question 1

threat

Answer 1

possible danger that might explit a vulnerability

Question 2

application plane

Answer 2

apps developed for telemetry, orchestration, and other SDN operations can have security vulnerabilityes

Question 3

Control plane

Answer 3

attacker can generate traffic from spoofed IP address and send huge volume of traffed

Question 4

Data Plane

Answer 4

can posion the global view of the network by forging the LLDP packages

Question 5

TV1 Fake Traffic flows

Answer 5

faulty devices or malicious users can use DoS attack to target the TCAM

Question 6

TV2 Switch Specific Vulnerabiity

Answer 6

switch can be used to slow down the traffic in SDN environments. or can insert forged traffic requests

Question 7

TV 3 Control Plane Communication attack

Answer 7

control plane doesn’t require TLS/SSL. t6his is can lead to compromised CA which would essentially create a botnet

Question 8

TV4 Controller vulnerabilites

Answer 8

controller is most important component in the SDN environment

Question 9

TV5 lack of trust between controller and management app

Answer 9

Controller and management plane applications lack a builtin mechanism to establish trust. The certi fi cate creation and trust veri fi cation between network devices in the SDN environment can be different from the trust framework between normal applications.

Question 10

Security mechanisms in SDN

Answer 10

1 - replications
2 - diversity
3 - automated recovery
4 - dynamic device association
5 - controller switch trust
6 - controller app plane trust
7 - security domains

Question 11

Diversity

Answer 11

diversity improves the robustness of intrusion tolerance

Question 12

Automated recovery

Answer 12

in the case of security attacks, leading to service disruption, the proactive and reactive security recovery mechanism can help in maintaining optimal service availability

Question 12

Dynamic device association

Answer 12

if one instance of a controller fails, the switch should be able to dynamically associate with the backup controller. helps with faults, and other feautures like load balancing

Question 13

SDN data plane attacks

Answer 13

1 - side channel attacks
2- DoS
3 - Topology poisoning attacks

Question 13

Controller Switch Trust

Answer 13

in basic scenarios, the controller can maintain a whitelist of switches that are allowed to send control plane specific messages.

in more complex scenarios can use PKI to establish trust between control and data plane devices

Question 13

controller-app plane trust

Answer 13

should use autonomic trust management mechanisms based on mutual trust and delegated trust

Question 13

security domains

Answer 13

help in segmenting the network in differentl level of trust and containment of the threat to only the affected section in the SDN framework

Question 14

side channel attack

Answer 14

attacker can observe the processing time of the control plane in order to learn the network config

Question 15

Topology poisoning attack

Answer 15

two stage data plane attack. can help an attacker establish a previously non existent link between the switches
1st attack - attacker captures the openflow LLDP packets and filters out the LLDP syntax
2nd attack - sends forged LLDP packets to the controller.

Question 16

Side channel countermeasure

Answer 16

rely on response time pattern. propose timeout proxy on the data plane to normalize control plane delay. response time can also be randomized

Question 17

Distributed security and microsegmentation

Answer 17

is a method of breaking traditional data center and cloud network into logical elements and managing each element separately

Microsegmentation provides software management architecture - prevents lateral movement