LUP Student Papers

LUND UNIVERSITY LIBRARIES

Improving the security of exposed safety critical systems using SDN

Bjarnestig, Daniel LU and De Laval, Filippa LU (2019) EITM01 20191
Department of Electrical and Information Technology
Abstract
The purpose of this thesis is to study if software defined networks (SDN) can
function as a second layer of defence in safety critical sensor networks. SDNs are
controlled and topologically defined by a logically centralised control unit. The
centralised control logic makes it possible to control the behaviour of the network,
and react to network events. In this thesis we examine if and how SDNs can be used
to isolate a compromised host from the network. As the intended use case requires
galvanic isolation of the devices we test and find that the solution is compatible
with the use of media converters and optic fibre. We evaluate the security of
SDNs compared to traditional networks and implement a proof of concept using
the OpenFlow protocol and Open vSwitch. We find that SDNs could be used to
isolate compromised hosts and provide security benefits, but the uncovered method
is too immature to be used in a safety critical network.
Popular Abstract
Software defined networks (SDN) have a lot in common with traditional networks. The main difference is how the packet forwarding devices, for example switches, work. In a traditional network the switch is responsible for both forwarding the data and figuring out where to forward it. In a software defined network a distinction is made between the two jobs. The switch is only responsible for forwarding the data and a new device, a controller, is introduced. The controller contains the logic deciding if and where to forward the data, and the switch has to ask the controller what it should do.
Separating the control logic from the switch makes the network easier to program. This means that applications can be used to monitor the network and alert the controller if something seems odd. The controller can in turn react by redistributing traffic or isolating parts of the network. In a large network this means that traffic in different parts of the network can be coordinated. Another benefit of the separation is that the network traffic governing how the network works can be kept more protected.
The purpose of this thesis is to look at whether SDN can be used to improve security in a safety critical network by acting as a second layer of defence if the network is breached. By setting up a small network we show that it is possible to isolate units which do not follow the rules of the network. We use two different methods to isolate the units: forbidding the traffic from the start, and letting an intrusion detection system alert the controller. However, we also find that it is likely possible to bypass the isolation mechanism and that it is not sufficient for a safety critical network.
Another requirement of the network is that the devices should be galvanically isolated. Galvanic isolation means that no current flows between the devices. This is a requirement from The Swedish Armed Forces since the current generates an electromagnetic field which could be used to listen to the communication from a large distance. By inserting media converters into the network and using optic fibre to transfer the signal we show that the media converters do not prevent the network from functioning as intended. Their impact on the performance of the network could depend on the hardware used. In the implemented configuration the potential impact is smaller than the variation which occurs between attempts.
We evaluate the security of the implemented network using a threat modelling tool called STRIDE, which facilitates finding vulnerabilities in systems by looking at different categories of threats. We find that the biggest issue with the implementation is that traffic could be forged, tricking the controller into isolating healthy parts of the network. If an attacker succeeded in this, the SDN solution would in practice make it easier for an attacker to shut down the entire network. Whether it would be a good idea to implement an SDN solution depends on whether these issues could be solved, the complexity of the network, and the quality of the intrusion detection system.
author: Bjarnestig, Daniel LU and De Laval, Filippa LU
supervisor:
organization:
course: EITM01 20191
year:
type: H2 - Master's Degree (Two Years)
subject:
keywords: Software defined network, SDN, network security, Ryu
report number: LU/LTH-EIT 2019-728
language: English
id: 8995188
date added to LUP: 2019-09-18 14:28:23
date last changed: 2019-09-18 14:28:23
@misc{8995188,
  abstract     = {{The purpose of this thesis is to study if software defined networks (SDN) can
function as a second layer of defence in safety critical sensor networks. SDNs are
controlled and topologically defined by a logically centralised control unit. The
centralised control logic makes it possible to control the behaviour of the network,
and react to network events. In this thesis we examine if and how SDNs can be used
to isolate a compromised host from the network. As the intended use case requires
galvanic isolation of the devices we test and find that the solution is compatible
with the use of media converters and optic fibre. We evaluate the security of
SDNs compared to traditional networks and implement a proof of concept using
the OpenFlow protocol and Open vSwitch. We find that SDNs could be used to
isolate compromised hosts and provide security benefits, but the uncovered method
is too immature to be used in a safety critical network.}},
  author       = {{Bjarnestig, Daniel and De Laval, Filippa}},
  language     = {{eng}},
  note         = {{Student Paper}},
  title        = {{Improving the security of exposed safety critical systems using SDN}},
  year         = {{2019}},
}