Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Security Evaluation in Software-Defined Networks

Igor Ivkić, Dominik Thiede, Nicholas Race, Matthew Broadbent, Antonios Gouglidis

TL;DR

Software-Defined Networking promises flexibility for data center networks but concentrates control in a single point, creating notable security risks. This paper introduces an SDN Security Evaluation Framework with four stages—Threat & Vulnerability analysis using STRIDE and an adapted PASTA, Risk & Impact analysis via CVSS v3.1, Attack Modelling, and Threat & Vulnerability Mitigation—alongside an experimental Mininet/ONOS testbed. It delivers both per-threat mitigations and centralized security solutions (PbSA, Blockchain-based SDN, TENNISON) and provides a comprehensive Threat-Vulnerability-Mitigation correlation map to guide remediation. The work provides a practical methodology for DC operators to assess, prioritize, and mitigate SDN security threats in real-world deployments, with extensions to enumerate and test additional attack scenarios.

Abstract

Cloud computing has grown in importance in recent years which has led to a significant increase in Data Centre (DC) network requirements. A major driver of this change is virtualisation, which allows computing resources to be deployed on a large scale. However, traditional DCs, with their network topology and proliferation of network endpoints, are struggling to meet the flexible, centrally managed requirements of cloud computing applications. Software-Defined Networks (SDN) promise to offer a solution to these growing networking requirements by separating control functions from data routing. This shift adds more flexibility to networks but also introduces new security issues. This article presents a framework for evaluating security of SDN architectures. In addition, through an experimental study, we demonstrate how this framework can identify the threats and vulnerabilities, calculate their risks and severity, and provide the necessary measures to mitigate them. The proposed framework helps administrators to evaluate SDN security, address identified threats and meet network security requirements.

Security Evaluation in Software-Defined Networks

TL;DR

Software-Defined Networking promises flexibility for data center networks but concentrates control in a single point, creating notable security risks. This paper introduces an SDN Security Evaluation Framework with four stages—Threat & Vulnerability analysis using STRIDE and an adapted PASTA, Risk & Impact analysis via CVSS v3.1, Attack Modelling, and Threat & Vulnerability Mitigation—alongside an experimental Mininet/ONOS testbed. It delivers both per-threat mitigations and centralized security solutions (PbSA, Blockchain-based SDN, TENNISON) and provides a comprehensive Threat-Vulnerability-Mitigation correlation map to guide remediation. The work provides a practical methodology for DC operators to assess, prioritize, and mitigate SDN security threats in real-world deployments, with extensions to enumerate and test additional attack scenarios.

Abstract

Cloud computing has grown in importance in recent years which has led to a significant increase in Data Centre (DC) network requirements. A major driver of this change is virtualisation, which allows computing resources to be deployed on a large scale. However, traditional DCs, with their network topology and proliferation of network endpoints, are struggling to meet the flexible, centrally managed requirements of cloud computing applications. Software-Defined Networks (SDN) promise to offer a solution to these growing networking requirements by separating control functions from data routing. This shift adds more flexibility to networks but also introduces new security issues. This article presents a framework for evaluating security of SDN architectures. In addition, through an experimental study, we demonstrate how this framework can identify the threats and vulnerabilities, calculate their risks and severity, and provide the necessary measures to mitigate them. The proposed framework helps administrators to evaluate SDN security, address identified threats and meet network security requirements.
Paper Structure (19 sections, 11 figures, 7 tables)

This paper contains 19 sections, 11 figures, 7 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. Literature Review on Evaluating Security in SDN
  4. Summary
  5. Framework and Testbed
  6. Stage 1 – Threat & Vulnerability Analysis
  7. Stage 2 – Risk & Impact Analysis
  8. Stage 3 – Attack Modelling
  9. Stage 4 – Threat & Vulnerability Mitigation
  10. Experimental Testbed
  11. Threat & Vulnerability Analysis (Stage 1)
  12. Risk & Impact Analysis (Stage 2)
  13. Attack Modelling (Stage 3)
  14. Threat & Vulnerability Mitigation (Stage 4)
  15. Policy-based SDN Security Architecture
  16. ...and 4 more sections

Figures (11)

  • Figure 1: A Three-Layered SDN Topology consisting of a Data Layer, a Control Layer and an Application Layer (adapted from Xia et al., 2015).
  • Figure 2: Security Evaluation Framework for SDN Architectures in DC Environments (Ivkić et al., 2023).
  • Figure 3: PASTA Model Adaption for the Threat and Vulnerability Analysis (adapted from Verspriter, 2022).
  • Figure 4: CVSS Scoring Flow with Severity Base Score Mapping (adapted from First, 2019)
  • Figure 5: SDN Testbed using Mininet, ONOS Controller and VPLS Services for Network Isolation (Ivkić et al., 2023).
  • ...and 6 more figures