A Security Evaluation Framework for Software-Defined Network

Architectures in Data Center Environments

Igor Ivki

´

c

1,2

, Dominik Thiede

2

, Nicholas Race

1

2

University of Applied Sciences Burgenland, Eisenstadt, Austria

Data Center (DC) network requirements. Virtualisation is one of the key drivers of that transformation and

enables a massive deployment of computing resources, which exhausts server capacity limits. Furthermore,

the increased network endpoints need to be handled dynamically and centrally to facilitate cloud computing

functionalities. Traditional DCs barely satisfy those demands because of their inherent limitations based on

the network topology. Software-Defined Networks (SDN) promise to meet the increasing network require-

ments for cloud applications by decoupling control functionalities from data forwarding. Although SDN

solutions add more flexibility to DC networks, they also pose new vulnerabilities with a high impact due

to the centralised architecture. In this paper we propose an evaluation framework for assessing the security

level of SDN architectures in four different stages. Furthermore, we show in an experimental study, how the

framework can be used for mapping SDN threats with associated vulnerabilities and necessary mitigations in

ter (DC) network architecture (Bilal et al., 2012).

One of the main drivers for cloud computing is vir-

tualisation, which enables a massive deployment of

computing resources like Virtual Machines (VMs)

(Eswaraprasad and Raja, 2017). However, the rise

of cloud computing impacts legacy Data Center Net-

works (DCN) since the number of network endpoints

increases, and the Central Processing Unit (CPU)

capacity and amount of Random-Access Memory

(RAM) of the servers become limiting factors. Ad-

Software-Defined Networks (SDN) aim at provid-

ing solutions for these challenges by adding more

emerging architecture that decouples the control plane

from the data plane. This separation facilitates the

shift of the network control from network devices

towards a logically centralised software-based en-

tity called an SDN controller. The SDN controller

resides in the control plane, where centralised for-

warding tables are calculated and pushed to the net-

work elements living in the data plane. Through the

applications (Chica et al., 2020). Even though the new

SDN architecture opens up new possibilities, it also

brings new security challenges.

Compared to traditional network architectures

consisting of many distributed forwarding devices the

network intelligence is now aggregated in a single vir-

tualised SDN controller. This centralisation of the

network control is one of the most significant advan-

tages and, at the same time, the biggest weakness of

the SDN topology. A successfully launched cyber-

attack where the SDN controller or application is

compromised has the potential to affect the entire net-

work (Al-Saghier, 2019). Network security is highly

prioritised in DC environments; especially when criti-

cal infrastructures are involved, a DC outage resulting

from an attack could have disastrous consequences.

In this paper we present a Security Evaluation

pudiation, Information Disclosure, Denial of Service

(DoS), Elevation of Privilege (STRIDE) and Process

for Attack Simulation and Threat Analysis (PASTA)

(UcedaVelez and Morana, 2015). Next, a risk and im-

pact evaluation is executed for each identified threat

and vulnerability, including ranking each risk by its

severity by using the Common Vulnerability Scoring

System (CVSS). Based on the results of the CVSS,

attack scenarios are modelled for the highest-ranked

risks. Furthermore, we verify the impact of the mod-

security solution.

The remainder of this paper is organised as fol-

lows: Section 2 summarises the related work in the

field. Next, in Section 3, we present the Security Eval-

uation Framework and explain how it can be used to

evaluate the security of SDN-components. Further-

more, we show the general applicability of the pro-

posed framework in an experimental study in Section

4. Finally, in Section 5 we conclude our work and

give an outline of future work in the field.

proposed solutions for each of the six security risks

to mitigate them. Based on that they sketched a sam-

ple of secure SDN design for two network domains.

Their design integrated multiple SDN controllers for

redundancy together with traditional and new protec-

tion solutions, including Intrusion Detection Systems

(IDS), firewalls, and access control via Authentica-

tion, Authorisation, Accounting (AAA) servers. Nev-

ertheless, they considered just one threat analysis ap-

proach based on six generic Threat Categories (TCs),

which leads to unrecognised security flaws that are

not part of the STRIDE categories.

Iqbal et al. (2019) identified several SDN vulner-

limited to data encryption via Secure Sockets Layer

(SSL)/Transport Layer Security (TLS), ciphers like

Advanced Encryption Standard (AES) and Data En-

cryption Standard (DES) and role-based authorisation

adapted from FortNOX3 instance. Iqbal et al. (2019)

outlined a summary showing the correlation between

attack scenario, affected SDN layer/interface, and se-

curity. However, in contrast to the approach of Ruffy

et al. (2016), the threat analysis and countermeasure

proposal from Iqbal et al. (2019) is solely based on a

between the controller and the networking devices,

and (4) threats against communications between dif-

ferent SDN controllers. Based on those categories

they determined five attack scenarios and four secu-

rity requirements to prevent the successful execution

of the attacks. They developed a policy-based security

application that resides on the northbound interface of

the SDN controller to meet the previously identified

security requirements. Furthermore, they analysed

the performance of their policy-based security archi-

tecture as well as discussed, the capabilities to coun-

teract various security attacks and meet different se-

curity requirements using policy-based mechanisms.

Even though the approach is promising, their policy-

based mechanism provides one option to overcome

threat vectors, and attack surfaces on all three SDN

layers and the interfaces in between. In this re-

gard, they discussed to what extent SDN can increase

network security and how SDN security can be im-

proved. In addition, they briefly discussed potential

flaws and inconsistencies still present in the design of

security mechanisms for SDN. Moreover, they men-

tioned potential attack scenarios and their possible

impact on the network. However, they did not con-

sider the technical implementation of those attacks

and how the network impact can influence their SDN.

nel, and agent host. Furthermore, misconfiguration,

malware, and insider attacks were categorised as at-

tack vectors. Finally, he provided a Proof-of-Concept

(PoC) SDN testbed and evaluated the impact on the

network when running different attack scenarios.

Sjoholmsierchio et al. (2021) focused on strength-

ening SDN security by improving the TLS encryption

for OpenFlow. According to them, TLS is currently

the only mechanism for protecting the control chan-

nel and is only considered an optional basis. Based

proxy. Finally, they simulated a downgrade attack

in a Mininet-emulated SDN environment and demon-

strated how their proposed security mechanism could

be used to detect and prevent these attacks. Their re-

sults showed a higher security level on the control

channel at the cost of increased communication la-

tency by 22% compared to standard TLS.

Shaghaghi et al. (2020) presented a brief overview

of the latest security enhancements in the SDN data

plane. Furthermore, they identified five character-

istics of SDN that can have the most impact on its

security. These characteristics include a centralised

controller, open programmable interfaces, forwarding

device management protocol, third-party network ser-

vices and virtualised logical networks. They provided

highlighted the data plane security challenges, solu-

tion requirements, and existing solutions.

gested solution decentralises the control plane while

maintaining a network-wide view. Furthermore, their

mechanism guarantees authenticity, traceability, and

accountability of application flows and provides fine-

grained access control of network-wide resources and

a secure controller-switch channel. They achieved

this by adding a Blockchain layer between the con-

trol and data plane. In addition, they added attribute-

based encryption for access control at the northbound

interface and a high-performance securely authenti-

cated protocol, called HOMQV, for communication

ities and sketched a design of a secure and depend-

able SDN controller platform. They identified seven

different attack vectors and discussed several mecha-

nisms to address their threats. Their proposed con-

troller platform design introduced three SDN con-

trollers (instead of one) to improve the system’s de-

pendability through replication. In addition, their de-

sign sketch included the requirement that the switches

need to associate with more than one controller dy-

namically. Moreover, they explained that the repli-

Prathima Mabel et al. (2019) gave a brief in-

sight into vulnerabilities of OpenFlow and counter-

measures to secure the SDN controller, data plane,

and OpenFlow channel. Furthermore, they presented

the “flow tracer”-solution for securing the SDN con-

troller from being misused. Their solution can iden-

tify and isolate fraudulent flow entries that a hacker

may inject. In addition, the flow tracer encrypts the

packets towards the data plane using symmetric key

encryption. Finally, they simulated a DoS attack in

the Mininet emulator to validate their proposed solu-

tion. Overall, they showed that this single mechanism

can be an effective countermeasure since it can im-

prove the security of the SDN controller, data plane

and OpenFlow channel.

retical solution to detect SDN threats through data

mining. The three mentioned SDN drawbacks in-

dleboxes in SDN. Their proposed solution, called

Table 1: Summary of Related Work on Evaluating Security in SDN (template adapted from Scott-Hayward et al., 2013).

identified in the first step, the next step requires to

categorise them based on their impact to the DC en-

vironment. Threats with similar impact are then com-

bined to TCs which enables a faster risk and impact

analysis. In order to achieve such classification, the

outcomes from the STRIDE and PASTA analysis are

compared to eliminate possible redundancies. The ap-

proach to defining the TCs follows the reverse way

compared to the PASTA analysis. During the PASTA

assessments, root and sub-threats were determined,

tem (CVSS). For applying the CVSS scoring system,

the National Vulnerability Database (NVD) provides

a CVSS calculator which calculates a score in the

range between 0 and 10. Based on that score the

severity of the TCs can be mapped to one of the fol-

lowing five categories:

Table 2: CVSS Scoring with Severity Base Score Mapping.

Severity Base Score Range

Critical 9.0 - 10.0

High 7.0 - 8.9

the overall score represents the severity under consid-

eration of the environmental metric group. In case the

overall score is higher than the base score, the TC has

a higher impact on the environment as assumed by the

threat examination and vice versa. Summarising, the

second stage of the Security Evaluation Framework

uses a standardised approach (CVSS) to calculate the

severity and impact on SDN DC environments of the

previously identified threats and vulnerabilities.

After identifying threats and vulnerabilities and com-

pleting a risk and impact analysis, the third stage

focuses on the creation of attack scenarios validat-

ing their impact against an SDN testbed. The over-

all goal at this stage is to validate the results from

the risk and impact analysis by modelling attacks for

on the calculated CVSS score. For instance, the at-

tacks are modelled for the most likely and most crit-

ically ranked threats first before evaluating the other

(less likely and less critical) ones. Summarising, the

third stage suggests conducting an experimental study

where attacks are modelled which provides an addi-

tional measure to ensure the correctness of the SDN

Security Evaluation Framework.

The final stage of the framework provides counter-

components and prevent several types of attacks (e.g.,

Policy-based SDN Security). Mitigations within the

first category can be directly mapped to the SDN iden-

tified threats from Stage 1 of the Security Evalua-

tion Framework. Such a correlation supports the user

of this framework in applying necessary countermea-

sures to mitigate identified threats and vulnerabilities

pends on the administrator to enable them.

The second category of mitigations provides a

more central solution. Instead of applying counter-

measures against each identified SDN threat, a more

generic solution can be implemented to secure the

network against several attack types of multiple SDN

components. These solutions usually go along with

a complex and more time-consuming integration of

external systems. On the one hand, this approach

prevents several threats with one solution. On the

other hand, implementing such mitigations requires

external systems that have the potential of introduc-

ing new vulnerabilities to the SDN. Summarising, the

4 PROOF-OF-CONCEPT STUDY

For the PoC evaluation a testbed was implemented

and network namespace features as provided by re-

cent Linux kernels. Mininet simulates links as vir-

tual ethernet pairs which reside in the Linux kernel

and connect the switches with the hosts. The Open

vSwitch (OVS) is software-based and uses the Open-

Flow controller communication protocol which is a

key feature for SDN simulation (Mininet, 2022).

Even though Mininet can emulate a rudimen-

tary SDN controller, this controller does not provide

enough functionalities for the test network. For this

troller provides a suitable base for designing a testbed

for the PoC evaluation.

The architecture of the test network is designed

as simple as possible but simultaneously complex

enough to measure the impact of the different attacks.

The test network topology consists of one SDN con-

troller connected to three switches, with links to three

VMs each (shown in Figure 2). The SDN applica-

tions are not running on a separate machine; instead,

the ONOS controller is a platform where SDN appli-

crucial functionality for SDN in DC environments.

The testbed was configured in a way that hosts can

only reach other hosts from the same VPLS. This ser-

vice is later used in the testbed to verify whether cer-

tain attack scenarios can bypass the isolation or re-

configure the service and allow the communication

between isolated hosts. In order to run different attack

scenarios (Stage 3 of the Security Evaluation Frame-

work) against the testbed, an additional node running

Kali Linux is used. Kali Linux is an open-source,

source to attack the SDN-based testbed.

As shown in Figure 1, the first stage of the Secu-

rity Evaluation Framework suggests to perform an

SDN Threat & Vulnerability Analysis using STRIDE

and PASTA. The main SDN components were inves-

tigated separately for all six threats of the STRIDE

analysis. Afterwards, the PASTA model was adapted

to analyze SDN environments. The modified PASTA

model composed of three steps was used to execute

threats have different impacts on the DC environment.

In Stage 2, the identified threats with the same im-

pact on the DC environment were aggregated into cat-

egories to eliminate impact redundancies. Next, the

on their impact severity on a DC environment. As

shown in Table 3, the TC with a critical or high sever-

ity can potentially harm the entire DC environment

and need to be mitigated first. Table 3 shows all 14

TCs, their base and overall score, and severity classes:

Table 3: CVSS Results ordered by TC-Severity (Output 2).

In Stage 3, three attack scenarios are modelled for

the three highest-ranked TCs from the previous stage.

These attack scenarios are then executed on the ex-

perimental testbed which has been deployed without

any hardening. That means no countermeasures to in-

crease the security of the testbed have been applied.

This allows to verify the impact of an attack against

the SDN in case security measures are not considered.

The following three attack scenarios have been exe-

cuted (Output 3):

first on the ONOS controller by using four tools

on the Kali VM. The fastest tool (Patator) cracked

the ONOS default password in 4 seconds, while

the slowest (THC Hydra) took ≈ 22 minutes.

mation about the SDN could be exposed when the

OpenFlow protocol is not encrypted.

For threats where the corresponding mitigations

are not applicable (M5 and M7), preventive controls

are difficult to apply since the threat exploits system

features. However, that does not mean that there is

no countermeasure present at all. Mitigations in the

second category can protect the SDN against such

threats by using a central solution. Instead of applying

countermeasures against each identified SDN threat,

(PbSA) which is a security application implemented

in the northbound interface of the SDN controller.

The main objective of the PbSA is a security policy-

based authorisation of flows in an SDN environment.

The security policies use different flow parameters to

trator can specify fine-grained security policies based

on various attributes such as users, devices, or Au-

tonomous Systems (AS). Furthermore, the PbSA en-

forces a default deny policy which drops flow requests

harajan et al., 2019).

The PbSA mitigates several threats across multi-

ple SDN layers. For instance, it can detect DoS at-

tacks, block suspicious flows and redirect the data

traffic over alternative paths. Furthermore, the archi-

tecture is capable of blocking all traffic (e.g., drop-

ping malicicious flows or denying misconfigured ser-

vices) by default that does not satisfy a permit policy

which represents an extra security layer in form of

an internal SDN firewall. Moreover, the new module

ensures a secure communication between several net-

work devices by mitigating the ”Network Sniffing”-

threat (T6) which enhances the SDN security for the

control and data plane, and the southbound interface.

Another central solution was proposed by Weng

establish the HOMQV protocol. The Blockchain