Multi-Layer Access Control for SDN-based Telco Clouds


slide-1
SLIDE 1

Multi-Layer Access Control for SDN-based Telco Clouds

Bernd Jaeger (1), Christian Röpke (2), Iris Adam (1), Thorsten Holz (2)
1: Nokia Networks; 2: Ruhr-University Bochum

(result of a joint CELTIC research project called SASER – SAfe and SEcure Routing)

slide-2
SLIDE 2

SDN Security

Often postulated: two different flavors of SDN security

  • Security of the SDN architecture
  • SDN-based security functions

2 Nokia Networks; Ruhr-University Bochum Multi-Layer Access Control for SDN-based Telco Clouds 10/21/2015

The analysis combines both aspects at the example of a SIP signaling SDN network with focus on the security of the SDN architecture.

Assumed are multiple applications on top of a single SDN controller, controlling a number of (partly) chained security functions in an SDN switch. The applications and the SDN controller are assumed to run in a telco cloud with the worst-case threat that an application gets compromised and then acts maliciously.

slide-3
SLIDE 3

Simplified SIP SDN Network

Split of Physical Network Elements into VNFs and SDN-based Security Functions

[Figure: the physical network elements (PCRF, CSCF, PCEF/PGW, DoS Detection, SIP Blacklist) are split into VNFs in a Telco Cloud (PCRF, CSCF, PCEF) and security functions in an SDN switch (DoS Detection, SIP Blacklist).]

slide-4
SLIDE 4

SIP SDN Protection

Simplified Example: Mobile-Internet Conference

[Figure: two UEs attached to eNBi and eNBj send signaling (Sig) and App X traffic through an SDN Switch that hosts the SDN PCEF and the SIP blacklist (Blackl.); App X traffic continues to the Internet. The switch is controlled via the Southbound Interface by the SDN controller (SDN Ctr) in the Telco Cloud, whose Controller Services are reached through extensions (EXT) on the Northbound Interface by the Management System, the UE Conf. Service, App X, PCRF and CSCF.]

Attacker Model

  • Malicious end user systems exploit vulnerabilities in cloud applications
  • Attackers exploit SDN controller vulnerabilities by sending specially crafted packets to an SDN switch, triggering it to delegate these packets to the SDN controller
  • Cloud applications or SDN controller extensions, intentionally or unintentionally, attack and infect other cloud applications or SDN controller components

UE - User Equipment; eNB - eNodeB (base station); SDN Ctr - SDN Controller; PCRF - Policy & Charging Rules Function; PCEF - Policy & Charging Enforcement Function; CSCF - Call Session Control Function; EXT - Extension; Sig - Signaling; Blackl. - Blacklist
slide-5
SLIDE 5

(Build of slide 4: same figure and attacker model.)

slide-6
SLIDE 6

(Build of slide 4: same figure and attacker model.)
slide-7
SLIDE 7

SIP SDN Protection

Multi-Layer Access Control

[Figure: on the Application Layer, the Telco Cloud hosts the Management System, App X, PCRF and CSCF with their extensions (EXT); on the Control Layer, the SDN controller (SDN Ctr) with Northbound Interface, Controller Services, SDN-specific EXT Interface, Controller-specific EXT Service and Southbound Interface towards the SDN Switch. A Policy Enforcement (PE) unit configured by a Descriptor sits on both layers.]

  • A Policy Enforcement (PE) unit provides protection against malicious behavior of northbound applications and SDN controller extensions, configured by means of a descriptor from an independent management system
  • On Application Layer the Policy Enforcement unit restricts the allowed instruction set according to an application profile
  • On Control Layer the allowed instruction set of SDN controller extensions is reduced by high-level permissions in an SDN controller independent fashion
  • SDN controller independence can be achieved by providing an additional layer that adapts the high-level permissions to the respective SDN controller specifics

slide-8
SLIDE 8

SIP SDN Protection

Assigning Applications to Forwarding Tables

[Figure: as on slide 7; in the SDN Switch, App X, the PCEF and the blacklist each own a separate forwarding table (PCEF: FT1, Blackl.: FT2, App X: FT3).]

  • A first step to increase security is to separate the flow rules of the respective applications into separate Forwarding Tables (FT)
  • With that, Forwarding Tables are decoupled unless they work on the same traffic stream. If so, they are still able to affect each other.
  • But even if the Forwarding Tables are completely decoupled from each other, they are still not protected against attacks, because each of the applications in the Telco Cloud can potentially be compromised and then send malicious instructions to the SDN controller
  • This may e.g. result in DoS attacks (drop *.*), in illegitimate service consumption attacks, in manipulation of traffic integrity or in eavesdropping attacks by copying the traffic to an unauthorized destination

slide-9
SLIDE 9

SIP SDN Protection

Working of Policy Enforcement - 1

Descriptor

==========================================================================
Descriptor: Application Profile; Method Multiple Pipelined Forwarding Tables
==========================================================================
Source Address                         Prot.      Prio   Action      Dest Addr.
==========================================================================
Application: PCRF, SE-Threshold=100; assign Forwarding Table 1 (FT1)
Single Element of user address range   SIP/Voice  Prio2  drop
All Elements of user address range     SIP        Prio1  goto FT2
All Elements of user address range     Voice      Prio1  forward     Conf. Server
==========================================================================
Application: CSCF, SE-Threshold=100; assign Forwarding Table 2 (FT2)
Single Element of user address range   SIP        Prio2  drop+error
All Elements of user address range     SIP        Prio1  forward     CSCF
==========================================================================

[Figure: the Descriptor from the Management System configures the PE unit at the Northbound Interface of the SDN controller (SDN Ctr); the PCRF sends NBI instructions for Forwarding Table 1, each is checked ("Compliant?") and either processed ("Process Instruction") or rejected with an alarm ("Reject, Alarm") before anything reaches the Southbound Interface and the SDN Switch.]

NBI Instruction from PCRF: All users of user address range, Voice, Prio1, drop
-> Reject, Alarm: 'drop' is not allowed for all users in the PCRF profile (only for a single element of the user address range)

Forwarding Table 1 (FT1) NBI Commands
==========================================================================
Source Address                         Prot.      Prio   Action      Dest Addr.
==========================================================================
Anton of user address range            SIP/Voice  Prio2  drop
Bernhard of user address range         SIP/Voice  Prio2  drop
Zora of user address range             SIP/Voice  Prio2  drop
All users of user address range        SIP        Prio1  goto FT2
All users of user address range        Voice      Prio1  forward     Conf. Server
==========================================================================

slide-10
SLIDE 10

SIP SDN Protection

Working of Policy Enforcement - 2

Descriptor: as on slide 9 (Application Profile; Method Multiple Pipelined Forwarding Tables; PCRF with SE-Threshold=100 assigned to Forwarding Table 1, CSCF with SE-Threshold=100 assigned to Forwarding Table 2).

[Figure: as on slide 9; the PE unit checks each NBI instruction of the PCRF for Forwarding Table 1 ("Compliant?"), allows and processes compliant instructions and rejects the rest with an alarm.]

NBI Instruction from PCRF: All users of user address range, Voice, Prio1, drop
-> Reject, Alarm: 'drop' is not allowed for all users in the PCRF profile

NBI Instructions from PCRF:
User 1 of user address range, SIP, Prio2, drop
User 2 of user address range, SIP, Prio2, drop
.....
User 100 of user address range, SIP, Prio2, drop
--------------------- Threshold --------------------
User 101 of user address range, SIP, Prio2, drop
----------------------- Alarm! ---------------------
-> Users 1 to 100: Allow (single-element drop is compliant and within SE-Threshold=100). User 101: Reject, Alarm (SE-Threshold exceeded).

Forwarding Table 1 (FT1) NBI Commands: as on slide 9 (single-user drop entries for Anton, Bernhard, Zora; all users SIP Prio1 goto FT2; all users Voice Prio1 forward to Conf. Server).
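The policy-enforcement check of slides 8 to 10 (profile lookup, field-by-field match of each NBI instruction against the descriptor, SE-Threshold on single-element entries, reject and alarm otherwise), as an added Python example that is not part of the original slides. The descriptor contents are the constructed sample from slides 9 and 10; the class names, the `Instruction` fields and the alarm handling are assumptions.

```python
"""Application-layer Policy Enforcement (PE) against a descriptor.

Added example, not code from the slides. It models the descriptor of slides
9 and 10 as data and checks each northbound (NBI) instruction of an
application against its application profile, including the SE-Threshold on
single-element entries. Names and fields are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALL = "all"        # rule scope: all elements of the user address range
SINGLE = "single"  # rule scope: one element (one user) of the range


@dataclass(frozen=True)
class Rule:
    """One allowed instruction pattern of an application profile."""
    scope: str                  # ALL or SINGLE
    protocols: frozenset        # protocols the rule covers, e.g. {"SIP", "Voice"}
    prio: int
    action: str                 # "drop", "goto FT2", "forward", "drop+error"
    dest: Optional[str] = None  # required destination for "forward", else None


@dataclass(frozen=True)
class Profile:
    app: str
    table: str                  # forwarding table assigned to the application
    se_threshold: int           # max. number of single-element entries
    rules: Tuple[Rule, ...]


@dataclass(frozen=True)
class Instruction:
    """An NBI flow instruction as sent by an application (assumed shape)."""
    app: str
    source: str                 # ALL or a single user such as "Anton"
    protocol: str
    prio: int
    action: str
    dest: Optional[str] = None


# Descriptor of slides 9/10 (constructed sample data).
DESCRIPTOR: Dict[str, Profile] = {
    "PCRF": Profile("PCRF", "FT1", 100, (
        Rule(SINGLE, frozenset({"SIP", "Voice"}), 2, "drop"),
        Rule(ALL, frozenset({"SIP"}), 1, "goto FT2"),
        Rule(ALL, frozenset({"Voice"}), 1, "forward", "Conf. Server"),
    )),
    "CSCF": Profile("CSCF", "FT2", 100, (
        Rule(SINGLE, frozenset({"SIP"}), 2, "drop+error"),
        Rule(ALL, frozenset({"SIP"}), 1, "forward", "CSCF"),
    )),
}


class PolicyEnforcement:
    """Checks NBI instructions before they reach the SDN controller."""

    def __init__(self, descriptor: Dict[str, Profile]) -> None:
        self.descriptor = descriptor
        self.single_count = {app: 0 for app in descriptor}
        self.tables: Dict[str, List[Instruction]] = {p.table: [] for p in descriptor.values()}
        self.alarms: List[Tuple[str, str]] = []

    def check(self, ins: Instruction) -> Tuple[str, str]:
        """Return ("process", table) or ("reject", reason); a reject raises an alarm."""
        profile = self.descriptor.get(ins.app)
        if profile is None:
            return self._reject(ins, "unknown application")
        scope = ALL if ins.source == ALL else SINGLE
        # The instruction must match one profile rule in every field, so a
        # "drop" for all users (DoS) or a "forward" to an unlisted destination
        # (eavesdropping) fails here.
        if not any(r.scope == scope and ins.protocol in r.protocols
                   and r.prio == ins.prio and r.action == ins.action
                   and r.dest == ins.dest for r in profile.rules):
            return self._reject(ins, f"'{ins.action}' not allowed for {scope} element(s) of {ins.protocol}")
        if scope == SINGLE:
            # SE-Threshold: at most N single-element entries per application.
            if self.single_count[ins.app] >= profile.se_threshold:
                return self._reject(ins, "SE-Threshold exceeded")
            self.single_count[ins.app] += 1
        self.tables[profile.table].append(ins)
        return ("process", profile.table)

    def _reject(self, ins: Instruction, reason: str) -> Tuple[str, str]:
        self.alarms.append((ins.app, reason))
        return ("reject", reason)


if __name__ == "__main__":
    pe = PolicyEnforcement(DESCRIPTOR)
    print(pe.check(Instruction("PCRF", ALL, "Voice", 1, "drop")))    # DoS: rejected
    print(pe.check(Instruction("PCRF", ALL, "SIP", 1, "goto FT2")))  # compliant: processed
    for i in range(1, 102):                                           # the 101st trips the threshold
        res = pe.check(Instruction("PCRF", f"User {i}", "SIP", 2, "drop"))
    print(res, pe.alarms)
```

The check is deliberately exact-match: an instruction is accepted only if some rule of the application's profile agrees in scope, protocol, priority, action and destination, which is what keeps the blacklist-style single-user drops of FT1 legitimate while a whole-range drop or a copy to a foreign address is rejected and alarmed.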

slide-11
SLIDE 11

SIP SDN Protection

Applicability of Policy Enforcement

A Descriptor can make use of all Forwarding Table entries such as described below:

  • Match Fields: to match against packets (e.g. ingress port, source address, destination address, protocol, ports, optionally metadata specified by a previous Forwarding Table)
  • Priority: matching precedence of flow entry
  • Counters: updated when packets match
  • Instructions: to modify the action set or pipeline processing
  • Timeout: maximum time before flow is expired by the switch

[Figure: in the Telco Cloud, the Descriptor from the Management System configures the PE unit at the Northbound Interface of the SDN controller (SDN Ctr); each instruction from App X, PCRF or CSCF is checked ("Compliant?") and either processed ("Process Instruction") or rejected with an alarm ("Reject, Alarm"); the Southbound Interface connects to the SDN Switch. Flow entry fields: Match Fields, Priority, Counters, Instructions, Timeouts.]

  • An application profile provided by means of a descriptor can significantly improve resistance against malicious instructions in case of compromised applications
  • The presented method can help against all attacks that are verified during Forwarding Table matching
  • The presented method cannot prevent attacks within the 'normal function spectrum' of an application (e.g. blocking a single user that has paid his invoice and not exceeded his data volume)
  • This method is most appropriate for networks with a specified topology and well defined application functionalities, which applies to telco networks

slide-12
SLIDE 12

SIP SDN Protection

Challenges On Control Layer

(i) Current sandbox systems for SDN controllers depend on low-level permissions

  • Examples
  • System call level permissions: sys_execve, sys_init_module, …
  • Java API level permissions: java.lang.RuntimePermission "accessDeclaredMembers", …

Difficult to understand for SDN controller operators: 50-80% of network outages are caused by human errors, so sandbox misconfiguration is likely to happen in practice, and operators may simply grant all permissions to avoid malfunctioning.

(ii) Current sandbox systems are controller-specific

  • Sandbox system must be implemented for each SDN controller separately
  • Interfaces and use will likely differ for each implementation

Would not one access control system for all SDN controllers be better?

slide-13
SLIDE 13

SIP SDN Protection

High-Level Permissions

Basic set of high-level permissions:

  • readTopology, readStatistics
  • addForwardingTableEntry, delForwardingTableEntry
  • recvDataPkt, sendDataPkt
  • Easy to understand by SDN controller operators

Only necessary permissions are granted for an SDN controller extension. Malicious or vulnerable components are restricted to a minimum set of critical operations.

Example:

  • A load balancer extension may need recvDataPkt, readTopology, readStatistics, add/delForwardingTableEntry
  • With these permissions, it could rule the network
  • We therefore need further restrictions, i.e., on switch and forwarding entry level:
  • Load balancer is only allowed to access, e.g., switches 1, 2, 6 and 12
  • Load balancer is only allowed to program forwarding entries on these switches which are, e.g., associated with the load balancer's backend server

slide-14
SLIDE 14

SIP SDN Protection

Controller-Independent Access Control

[Figure: two SDN controllers, Controller A and Controller B. In both, extensions (EXT) use the Northbound Interface and a controller-independent interface (Ctrl-indep. Interface) guarded by the PE unit; below it, a controller-specific stub (Ctrl-specific Stub A, Ctrl-specific Stub B) maps that interface onto the respective controller's Controller Services and Southbound Interface.]

  • We add an additional layer providing a controller-independent interface to high-level and SDN-specific controller services
  • Interface is implemented by a controller-specific service using controller services
  • Example:
  • Controller A implements high-level operations by its specific services
  • Controller B implements the interface layer by services of this controller
  • This allows access control for a wide range of SDN controllers
  • Extensions need not be implemented for each SDN controller separately

slide-15
SLIDE 15

SIP SDN Protection

Control Layer Protection

[Figure: as on slide 7, with a Packet-In handler extension on the Control Layer of the SDN controller (SDN Ctr); specially crafted network packets arrive from the Internet through the SDN Switch and are delegated to that extension.]

Scenario

  • A packet-in handler extension is vulnerable
  • Specially crafted packets trigger a switch to delegate them towards this extension
  • When exploiting this vulnerability, an attacker may be able to perform critical operations:
  • Add forwarding entries allowing the attacker to connect to internal servers
  • Redirect internal traffic to the attacker's IP

Access Control Functioning:

  • Our system mitigates such control layer attacks:
  • Attacker can only perform a reduced set of critical operations
  • With it, an attacker can only manipulate a reduced set of switches
  • On such switches, an attacker can only manipulate certain forwarding table entries
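The high-level permissions of slide 13, the switch- and entry-level restrictions of slides 13 and 15, and the controller-independent interface with controller-specific stubs of slide 14, as one added Python example that is not part of the original slides. The two controller stand-ins, their method names, the sample topology and the two extension policies are assumptions; the scenario follows slide 15: a compromised packet-in handler that only holds recvDataPkt, and a load balancer confined to switches 1, 2, 6 and 12 and to entries towards its own backends.

```python
"""Controller-independent high-level permissions for SDN controller extensions.

Added example, not the authors' code. The permission names are those of
slide 13; the controller stand-ins, their method names, the sample topology
and the extension policies are assumptions.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Set, Tuple

HIGH_LEVEL_PERMISSIONS = {"readTopology", "readStatistics",
                          "addForwardingTableEntry", "delForwardingTableEntry",
                          "recvDataPkt", "sendDataPkt"}


@dataclass(frozen=True)
class FlowEntry:
    switch: int      # switch the entry is programmed on
    match: str       # match fields, abbreviated to one string here
    out_host: str    # host that matching traffic is forwarded to


@dataclass(frozen=True)
class ExtensionPolicy:
    permissions: Set[str]
    switches: Optional[Set[int]] = None   # None: no switch-level restriction
    out_hosts: Optional[Set[str]] = None  # None: no entry-level restriction


class ControllerA:
    """Constructed stand-in for controller A: flows kept per switch id."""
    def __init__(self) -> None:
        self.flows: Dict[int, List[Tuple[str, str]]] = {}
        self.links = {1: {2, 3}, 2: {1, 6}, 3: {1, 12}, 6: {2}, 12: {3}}

    def push_flow(self, dpid: int, match: str, out_host: str) -> None:
        self.flows.setdefault(dpid, []).append((match, out_host))


class ControllerB:
    """Constructed stand-in for controller B: flat flow list, link list."""
    def __init__(self) -> None:
        self.table: List[FlowEntry] = []
        self.link_list = [(1, 2), (1, 3), (2, 6), (3, 12)]

    def install(self, entry: FlowEntry) -> None:
        self.table.append(entry)


class StubA:
    """Controller-independent interface implemented by controller A's services."""
    def __init__(self, ctrl: ControllerA) -> None:
        self.ctrl = ctrl

    def addForwardingTableEntry(self, entry: FlowEntry) -> bool:
        self.ctrl.push_flow(entry.switch, entry.match, entry.out_host)
        return True

    def readTopology(self) -> Dict[int, Set[int]]:
        return self.ctrl.links


class StubB:
    """The same interface implemented by controller B's services."""
    def __init__(self, ctrl: ControllerB) -> None:
        self.ctrl = ctrl

    def addForwardingTableEntry(self, entry: FlowEntry) -> bool:
        self.ctrl.install(entry)
        return True

    def readTopology(self) -> Dict[int, Set[int]]:
        topo: Dict[int, Set[int]] = {}
        for a, b in self.ctrl.link_list:
            topo.setdefault(a, set()).add(b)
            topo.setdefault(b, set()).add(a)
        return topo


class PolicyEnforcement:
    """PE unit in front of the controller-independent interface."""
    def __init__(self, stub: Any, policies: Dict[str, ExtensionPolicy]) -> None:
        self.stub = stub
        self.policies = policies

    def call(self, ext: str, op: str, *args: Any) -> Tuple[str, Any]:
        """Return ("ok", result) or ("denied", reason)."""
        pol = self.policies.get(ext)
        if op not in HIGH_LEVEL_PERMISSIONS:
            return ("denied", f"unknown operation {op}")
        if pol is None or op not in pol.permissions:
            return ("denied", f"{ext} lacks permission {op}")
        if op in ("addForwardingTableEntry", "delForwardingTableEntry"):
            entry: FlowEntry = args[0]
            if pol.switches is not None and entry.switch not in pol.switches:
                return ("denied", f"{ext} may not program switch {entry.switch}")
            if pol.out_hosts is not None and entry.out_host not in pol.out_hosts:
                return ("denied", f"{ext} may not forward traffic to {entry.out_host}")
        fn = getattr(self.stub, op, None)
        if fn is None:
            return ("denied", f"{op} not provided by this controller stub")
        return ("ok", fn(*args))


# Constructed policies: the load balancer of slide 13 (confined to switches
# 1, 2, 6, 12 and to entries towards its backends) and the packet-in handler
# of slide 15, which only needs to receive the packets delegated to it.
POLICIES = {
    "load_balancer": ExtensionPolicy(
        {"recvDataPkt", "readTopology", "readStatistics",
         "addForwardingTableEntry", "delForwardingTableEntry"},
        switches={1, 2, 6, 12}, out_hosts={"lb-backend-1", "lb-backend-2"}),
    "packet_in_handler": ExtensionPolicy({"recvDataPkt"}),
}
```

Usage: `PolicyEnforcement(StubA(ControllerA()), POLICIES).call("load_balancer", "addForwardingTableEntry", FlowEntry(1, "tcp_dst=80", "lb-backend-1"))` returns `("ok", True)`, while the same call from `"packet_in_handler"`, or from the load balancer towards switch 3 or towards an internal server, returns `("denied", ...)`. The permission check, the switch check and the entry check all sit above the stubs, so the same policy protects controller A and controller B without a sandbox per controller.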

slide-16
SLIDE 16

SIP SDN Protection

Conclusions

  • Telecom providers started building telco clouds based on the emerging technologies of NFV and SDN
  • Cloud-based functions such as telco applications and SDN controllers are potentially vulnerable and may be compromised more easily because they are logically and not physically separated
  • Therefore, leaving cloud applications and SDN controller extensions with unlimited access to critical operations can result in the adverse misuse of such operations
  • As a consequence, SDN end user traffic can be manipulated, copied or dropped
  • We improve the security of such SDN end user traffic by restricting access to corresponding and harmful operations on both the application and the control layer
  • With our improvements, telco cloud providers are able to mitigate various attack scenarios on multiple layers

slide-17
SLIDE 17
Contact

Nokia, Munich:
  • bernd.jaeger@nokia.com (Application Layer Access Control, main contact)
  • iris.adam@nokia.com (Application Layer Access Control)

Ruhr University Bochum:
  • christian.roepke@rub.de (Control Layer Access Control, main contact)
  • thorsten.holz@rub.de (Control Layer Access Control)

slide-18
SLIDE 18

Back-Up Slides

slide-19
SLIDE 19

ETSI NFV Reference Architecture

[Figure: the ETSI NFV reference architecture extended by a Security Orchestrator. OSS/BSS and the NFV Orchestrator (with Service, VNF & Infrastructure Descriptors) on top; VNF Managers and the Virtualized Infrastructure Manager(s) in the management and orchestration column; the NFV infrastructure with Virtual Computing, Virtual Storage and Virtual Network over the Virtualization Layer (Security Functions) on Computing Hardware, Storage Hardware and Network HW (SDN); VNFs with their EMs, SEM with VSF, and, in the Physical Network, PNFs with EM and SEM with PSF. The Security Orchestrator covers Security Service Central Management, Security Profile Management, Trust Management, Security Policy Management and Automation, Credential Management, Hardening and Security Status. Reference points: Os-Ma, Or-Vnfm, Or-Vi, Ve-Vnfm, Nf-Vi, Vi-Vnfm, Vn-Nf, Vi-Ha, plus SecO-Ma, SecO-Vnfm and SecO-Vi for the Security Orchestrator; legend: execution reference points, main NFV reference points, other reference points.]