Securing software-defined WAN through analyzing network attack surfaces (Korean title: A study on improving the security of software-defined WAN through network attack surface analysis)

Today's Software-Defined Networking (SDN) is expanding its deployment area to wide area networks (WANs) to improve bandwidth utilization or optimize routing paths in large-scale networking environments. This paradigm, also known as Software-Defined WAN (SD-WAN), is a widely accepted concept among a variety of networking companies such as Google, Microsoft, and AT&T. However, despite its significant benefits, we posit that the security aspect of SD-WAN has been understudied so far. This dissertation aims to explore the security issues of SD-WAN by analyzing network attack surfaces from the two SD-WAN layers: (i) data-layer and (ii) control-layer. In the data-layer, we focus on the architectural bottlenecks in WANs, such as core switches and links whose failure causes significant disruption to entire networks. Then, we propose two network topology obfuscation systems, BottleNet and EqualNet, so that adversaries cannot discover such bottlenecks from a network topology. In the control-layer, we posit that adversaries can abuse the East-West interfaces used for communication between distributed controllers. To this end, we propose to design an attack injection system for distributed controllers, Ambusher, that systematically finds attack scenarios from distributed SDN controllers by learning the internal states of a cluster. Even though our research is insufficient to address all security problems in SD-WAN, we believe that this dissertation takes an important step toward enhancing the security of SD-WAN.
Advisors
Shin, Seungwon (신승원)
Description
Korea Advanced Institute of Science and Technology (KAIST): School of Electrical Engineering
Publisher
Korea Advanced Institute of Science and Technology (KAIST)
Issue Date
2022
Identifier
325007
Language
eng
Description

Doctoral dissertation (Ph.D.) - Korea Advanced Institute of Science and Technology (KAIST): School of Electrical Engineering, 2022.2, [vii, 94 p.]

Keywords

Software-defined networking (SDN); Software-defined WAN (SD-WAN); DDoS attacks; Distributed systems; Network security

URI
http://hdl.handle.net/10203/309133
Link
http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=1006556&flag=dissertation
Appears in Collection
EE-Theses_Ph.D. (doctoral dissertations)
Files in This Item
There are no files associated with this item.
