SDN攻防技术探析

信息安全研究 ›› 2019, Vol. 5 ›› Issue (4): 333-339.

SDN攻防技术探析

彭光彬¹,陈敏²,白勇³

1. 重庆机电职业技术学院
2. 重庆机电职业技术学院信息工程学院
3. 重庆机电职业技术学院智慧信息研究院

收稿日期:2019-04-08 出版日期:2019-04-15 发布日期:2019-04-08
通讯作者: 彭光彬
作者简介:彭光彬网络规划设计师，主要研究方向为计算机网络、云计算技术、数据挖掘等.pen10@163.com 陈敏讲师，主要研究方向为软件技术、计算机网络、云计算技术等. 56376878@qq.com 白勇副教授，主要研究方向为智能融合、云计算、大数据等. cqbaiyong@163.com

An Analysis of SDN Attack and Defense Technology

Received:2019-04-08 Online:2019-04-15 Published:2019-04-08

摘要/Abstract

摘要： 传统网络先天性的创新与演进困难，使得软件定义网络(software-defined network, SDN)越来越受欢迎.但随着SDN技术的发展以及SDN网络的相继投入使用，SDN的安全问题日渐突出.从SDN网络体系结构及安全模型入手，分析、总结了SDN网络的应用平面、控制平面、数据平面及北南向接口的安全问题及网络攻击方法，并据此提出了相应的应对策略和方法：定期检测程序漏洞及恶意代码，严格认证与授权，确保控制器安全，抵御DoS/DDoS攻击，解决流规则不合法性及不一致问题，确保数据安全，实施SDN安全最佳实践以及使用DELTA框架评估SDN安全等.

关键词: 软件定义网络(SDN), SDN安全, 网络攻防技术, SDN控制器, SDN安全最佳实践

Abstract: The congenital difficulty of innovation and evolution on traditional network makes SDN (software-defined network) more and more popular. However, with the development of SDN technology and the successive deployment use of SDN, the security of SDN has become increasingly serious. From the architecture and security model of SDN, this paper analyses and summarizes the security problems and possible methods about network attackson application plane, control plane, data plane and north/south interface of SDN, and puts forward the corresponding strategies and methods of security: periodically detecting vulnerabilities and malicious codes in SDN applications, strictly authenticating and authorizing, ensuring security of every controller, resisting DoS/DDoS attacks, avoiding illegality and inconsistency of flow rules, ensuring security of data, implementing SDN security best practices, and evaluating SDN security using DELTA framework.

Key words: SDN(software-defined network), SDN security, network attack and defense technology, SDN controller, SDN security best practices

彭光彬陈敏白勇. SDN攻防技术探析[J]. 信息安全研究, 2019, 5(4): 333-339.

参考文献

[1] Benzekki K, EI Fergougui A, Elbelrhiti Elalaoui A. Software-defined networking (SDN): A survey[J].Security and Communication Networks, 2016, 9(18):5803-5833 [2] 王涛,陈鸿昶,程国振.软件定义网络及安全防御技术研究[J].通信学报,2017,38(11):133-160 [3] Dawoud A, Shahristani S, Raun C. Software-Defined Network Controller Security: Empirical study [C] //Proc of Int Conf on Information Technology and Applications (ICITA). Piscataway, NJ: IEEE, 2017 [4] Yao Guang, Bi Jun, Guo Luyi. On the cascading failures of multi-controllers in software defined networks [C] //Proc of the 21st Int Conf on Network Protocols (ICNP). Piscataway, NJ: IEEE, 2013 [5] Scott-Hayward S, Kane C, Sezer S. OperationCheckpoint:SDN application control [C] //Proc of the 22nd Int Conf on Network Protocols. Piscataway, NJ: IEEE, 2014: 618-623 [6] Porras P, Shin S, Yegneswaran V, et al. A security enforcement kernel for OpenFlow networks[C]// Proc of the 1st Workshop on Hot Topics in Software Defined Networks(HotSDN).New York:ACM, 2012:121-126 [7] Shin S, Porras P, Yegneswaran V, et al. FRESCO: modular composable security services for software defined networks [C] //Proc of Network & Distributed Security Symp (NDSS). Reston, VA: ISOC, 2013 [8] Canini M, Venzano D, Pereni P, et al. A nice way to test openflow applications [C] //Proc of Usenix Symp on Networked Systems Design & Implementation(NSDI). Berkeley, CA: USENIX Association, 2012 [9] Kuzniar M, Canini M, Kostic D. OFTEN testing openFlow networks [C] //Proc of 2012 European Workshop on Software Defined Networking. Piscataway, NJ: IEEE, 2012:54-60 [10] 王蒙蒙,刘建伟,陈杰，等.软件定义网络:安全模型、机制及研究进展[J] .软件学报,2016,27(4) : 969-992 [11] Al-Shaer E, Al-Haj S. FlowChecker: Configuration analysis and verification of federated openflow infrastructures [C] //Proc of the 3rd ACM Workshop on Assurable and Usable Security Configuration. New York: ACM, 2010:37-44 [12] 周亚东,陈凯悦,冷俊园，等.软件定义网络流表溢出脆弱性分析及防御方法[J] .西安交通大学学报,2018,51(10) : 53-58 [13] 李兆斌,李伟隆,魏占祯，等. SDN数据安全处理机制关键模块的研究与实现[J]. 计算机应用，2018,38( 7) :1929 -1935 [14] Scott-Hayward S, Natarajan S, Sezer S. A survey of security in software defined networks [J]. IEEE Communication Surveys & Tutorials, 2016, 18(1):623-654 [15] Lee S, Yoon C, Lee C, et al. DELTA: A security assessment framework for software-defined networks [C] //Proc of Network and Distributed System Security Symp(NDSS). Reston, VA: ISOC, 2017