SDN Security Under Scrutiny

August is the time of year when security-minded professionals grit their teeth and await the research presented at the annual Black Hat USA and DEF CON security conferences. These are the premier places to find out about the latest hacking trends, vulnerabilities and exploits. This year, software-defined networking caught the attention of security researchers at Black Hat.

Gregory Pickett of Hellfire Security held a session entitled "Staying Persistent in Software-Defined Networks," which contained information about exploiting the Open Network Install Environment (ONIE). ONIE is based on Linux and is used as a way to boot a basic operating system on a white-box switch to retrieve a more robust network operating system. With ONIE, a switch can boot and retrieve network operating systems from Big Switch Networks, Cumulus Networks, and many other manufacturers.

In his session, Pickett explained how to exploit some of the shortcomings of ONIE, including the lack of authentication and encryption. Some of these missing capabilities were already known to at least one networking vendor. Rob Sherwood, CTO of Big Switch, posted a blog outlining the current security methodology used to combat weaknesses in ONIE. Rob discussed how Big Switch hardware uses the management network port to load its network operating system through ONIE. Rob's comments about having "air gap" security for the management network describe a workaround that prevents exploitation of ONIE right now rather than a fix for the underlying weaknesses.

Using device firmware and pre-boot environments is the current hack du jour for the exploit community. Being able to insert malicious code before the operating system is fully loaded is a very attractive proposition. Operating system-level security software can't operate in a pre-boot environment. Firmware is treated as a known-good piece of the system by almost every other part of the software. Introducing an attack vector there allows it to persist, even if the entire system is reloaded or upgraded.

Even in the event of detection, complete removal would almost certainly involve the replacement of hardware, which is more palatable in a white-box environment due to lower costs, but still not very attractive to an organization.

The security issues with ONIE stem from the need to accelerate development to keep pace with the rapid nature of software-defined networking development. ONIE is a wonderful piece of software that allows white-box switches to enjoy the freedom to boot multiple network operating systems. It allows organizations to test white-box environments with ease and removes the need to have complicated loading procedures for software. ONIE takes the guesswork out of getting white-box switches up and running and lets professionals concentrate on configuration.

Adding critical features to be competitive with commercial network switches overrides any potential security issues for the immediate development cycle. If a customer is willing to switch to white-box switches with SDN-enabled network operating systems given a specific feature set, the development team will be spending their time writing those features.

Those worried about the security implications of ONIE need not worry for long. According to Sherwood, work has already begun on a hardened version of ONIE that will incorporate checksum validation for both bootloader and operating system software. This new secure version will almost certainly include support for authentication and system hardening to prevent the kinds of exploits outlined by Pickett.
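The checksum validation described above only helps if the reference digest reaches the switch over a channel the attacker cannot tamper with. The following example, added here and not code from ONIE, Big Switch or Pickett's research, illustrates that point with Python's standard library: it checks a constructed installer image against a SHA-256 digest, first using a digest served alongside the image from the same unauthenticated source, then using a digest pinned out-of-band (for instance, baked into the switch's firmware). The image bytes, the "tampered" copy and the idea of a pinned digest are all constructed assumptions for illustration.

```python
import hashlib
import hmac

# Constructed sample data: a "good" network OS installer and a tampered copy.
# Real ONIE installers are multi-megabyte self-extracting images; these bytes
# stand in for them so the example runs offline.
GOOD_IMAGE = b"ONIE-installer: constructed sample NOS image v1.0"
TAMPERED_IMAGE = GOOD_IMAGE.replace(b"v1.0", b"v1.0-with-implant")


def sha256_hex(data: bytes) -> str:
    """Return the hex SHA-256 digest of an installer image."""
    return hashlib.sha256(data).hexdigest()


# Assumption for this example: the vendor's digest is stored in the switch's
# boot firmware (or otherwise delivered out-of-band), so an attacker who
# controls the installer server cannot change it.
PINNED_DIGEST = sha256_hex(GOOD_IMAGE)


def verify_installer(image: bytes, expected_digest: str) -> bool:
    """Accept the image only if its SHA-256 matches the expected digest.

    hmac.compare_digest gives a constant-time comparison so timing does not
    leak how many leading digest characters matched.
    """
    return hmac.compare_digest(sha256_hex(image), expected_digest)


def check_with_served_digest(image: bytes, served_digest: str) -> bool:
    """Weak check: the digest came over the same unauthenticated channel as
    the image, so whoever replaced the image could replace the digest too."""
    return verify_installer(image, served_digest)


def check_with_pinned_digest(image: bytes) -> bool:
    """Stronger check: the reference digest was pinned out-of-band."""
    return verify_installer(image, PINNED_DIGEST)


def simulate_untrusted_server() -> dict:
    """Constructed scenario: the installer server hands out a tampered image
    together with a digest that matches the tampered image.

    Returns which check would have accepted the tampered image.
    """
    served_image = TAMPERED_IMAGE
    served_digest = sha256_hex(served_image)  # attacker-controlled, matches
    return {
        "served_digest_check_passes": check_with_served_digest(served_image, served_digest),
        "pinned_digest_check_passes": check_with_pinned_digest(served_image),
    }


if __name__ == "__main__":
    print("good image, pinned digest:", check_with_pinned_digest(GOOD_IMAGE))
    print("untrusted server scenario:", simulate_untrusted_server())
```

The pinned check rejects the tampered image while the same-channel check accepts it, which is the distinction that matters when reading "checksum validation" in a hardening plan: a digest is a corruption check, and it becomes an authenticity check only when the reference value comes from somewhere the installer server cannot influence, such as firmware-resident values or a signature verified against a key stored on the switch.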

Software-defined networking isn't immune from the challenges of security. What sets SDN apart is the rapid development cycle for software and the lack of dependence on specific proprietary hardware. White-box switches have a common architecture that aids in rapid software development. This means that security issues can be patched quickly and ultimately mitigated in a few release cycles, which may amount to weeks instead of months or even years.

There will always be security challenges in networking, but SDN -- especially when enabled by white-box switches -- will help networking professionals address those challenges more quickly.