Software Defined Networks Security

Software-Defined Networking (SDN) is an emerging network architecture where network control is decoupled from forwarding and is directly programmable. SDNs are dynamic, manageable, and adaptable networks, particularly suitable for the high-bandwidth, dynamic nature of today’s network applications. SDN are usually defined in a three-layer architecture: the Application Layer consists of the end-user applications, the Control Layer supervises the network forwarding and provides control functionalities through an open interface, and finally the Infrastructure Layer, that includes the low level network elements and devices that provide packet switching and forwarding. This new network paradigm introduces several benefits: asa Cloud-ready infrastructure, SDN provides more control and flexibility over the network, the reduction of hardware management and operating costs at the Administrator side and the possibility to provide security and access control in a more granular fashion. In addition, by leveraging SDN it is very easy to collect in almost real-time network usage information useful to support attack detection algorithm.

Figure 1. SDN Security (from CISCO Learning Center)

The Cybersecurity lab is particularly active on the SDN side in defining SDN agents able to improve policy enforcement, anomaly detection and attacks mitigation. The final objective is the definition and deployment of state of the art intrusion prevention applications, able to detect and reject malicious intruders before they could affect network critical functions. In addition, the Cybersecurity lab is devoting many efforts in identifying and facing new security challenges that the adoption of the SDN paradigm involves, such as the single point of failure threat in the Control plane, resource exhaustion attacks, authentication mechanisms between layers and many others Switch-related, Controller-related and Channel-related threats.