Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Cloud Networking IT

SDN Switches Not Hard To Compromise, Researcher Says 105

alphadogg writes: Software-defined switches hold a lot of promise for network operators, but new research due to be presented at Black Hat will show that security measures haven't quite caught up yet. Gregory Pickett, founder of the Chicago-based security firm Hellfire Security, has developed several attacks against network switches that use Onie, the Linux-based Open Network Install Environment that competes with OpenDaylight. Being able to exploit the vulnerability to put malware on SDN switches would have full visibility into all of the traffic running through the switch, enabling large-scale spying.
This discussion has been archived. No new comments can be posted.

SDN Switches Not Hard To Compromise, Researcher Says

Comments Filter:
  • by Anonymous Coward

    I recall thinking "Oh, no" when I saw the first HP presentation on the subject...

    • Re:Not Supprising (Score:5, Insightful)

      by Mikkeles ( 698461 ) on Wednesday August 05, 2015 @07:24PM (#50259887)

      So long as "features" count for more than security, this will continue.

      • Re: (Score:2, Interesting)

        So long as "features" count for more than security, this will continue.

        So long as people waste their time and resources guarding wires rather than systems this will continue. Most of the need for SDN in the first place originates with fools continuing to pursuit castle defense during the space age.

        --
        "Finally, we will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary."

    • I recall thinking "Oh, no" when I saw the first HP presentation on the subject...

      Yep.

      If you can software define the entire switch (or other network device), you can software design an invisible-to-the-rest-of-it tap component for it. B-b

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        You can do this as well for current 'hardware defined' network components. All switch fabric ICs that I know of can transfer packet data to the host cpu, this is normally used to implement the high end L3 features (and of course to allow access to the management CLI/GUI). If you can update the host CPU firmware with a tap component it will be as invisible as this SDN hack. I even know of one ASIC where you could in theory make it capture all data, put ETH/IP/UDP header before it and then send it out. The ho

  • by gweihir ( 88907 ) on Wednesday August 05, 2015 @07:35PM (#50259929)

    If and when the human race learns to code software that is very hard or impossible to compromise, SDN may have a place, but before that, it is an exceptionally bad idea. It is also not a new bad idea, but an old one that has been renamed. For example, "Active Networking" did try this thing before.

    • If and when the human race learns to code software that is very hard or impossible to compromise, SDN may have a place, but before that, it is an exceptionally bad idea. It is also not a new bad idea, but an old one that has been renamed. For example, "Active Networking" did try this thing before.

      No system or network is perfectly secure and a SDN can be protected just like any other sensitive and imperfect infra can be protected.

      • You might still be able to follow Hoare's maxim and make a system so that there are obviously no deficiencies in it.
    • You do understand that all networks are running software today right? More importantly big networks are incredibly hard to upgrade in a timely fashion; primarily due to the problem that in most cases you have to take part of the network offline. Even in fully redundant networks the politics slow the whole upgrade process down. I look forward to the time when we can run a cluster of controllers and upgrade them in service.

  • Onie =! OpenDayLigth (Score:2, Interesting)

    by Anonymous Coward

    As far as I'm concerned, OpenDayLight is not a bare-metal OS installed on the network assets running the Data Plane... ODL is an SDN controller running on the Management Plane. "SDN Ready" switches in general are just regular switches compatible with OpenFlow... the article doesn't make much sense. Let see...

  • Given the amount of security updates we had on Linux servers those days, it is not surprising a lot of vulnerabilities exists in embedded Linux systems.

    It would require a lot of work from distribution maintainers and system administrators to keep that stuff ahead of the vulnerability curve?

  • by Zondar ( 32904 ) on Wednesday August 05, 2015 @07:42PM (#50259981)

    ... plane outside the confines of the device and make it communicate over a common (not hardened and not separate) channel/network.

  • by Karmashock ( 2415832 ) on Wednesday August 05, 2015 @09:28PM (#50260365)

    ... to the control interface from a specific port. And then you plug that port into one of your servers that is deep in your security bubble by default... and then you VNC or RDP into that when you want to access the SDN.

    Its when you allow access through any port that things become stupid.

    • And then you leave the root keys, and the details on how to access and configure the server, on a trivially accessable wiki, especially with root keys stored unencrypted by developers and admins by policy "because we trust the people we work with" and "because we have a firewall".

      • No... The only people that can touch the server are people that are hand picked and trusted. Can they do bad things? Sure. You have to trust someone. But a senior admin betraying you is not the same thing as a shithead hacker walking into your operation and writing "I WAS HERE" with his urine.

        The trick is to backstop exposed systems to the security of secured systems. Where in the security is not actually breached unless the secure systems are breached. And then you make breaching those a matter of certain

        • > No... The only people that can touch the server are people that are hand picked and trusted.

          You seem to be _extremely_ optimistic about most security enviromments. I don't deny that your guidelines are sensible and appropriate, or that they are rigorous and thoughtful. But they're violated, in practice and in policy even in most so-called "secure" environments. As most networks grow and mature, there are extremely frequent holes drilled and policies violated for the ease and convenience of the administ

  • by swb ( 14022 ) on Wednesday August 05, 2015 @09:32PM (#50260379)

    It kind of seems cloud-ish in its specifics.

    Is it a generic switching backplane that allows arbitrary software loads and more elaborate centralized configuration, perhaps enabling more exotic topologies?

    How far are we away from this now? Most switches anymore seem like specialist PCs with a zillion NICs that boot some variant of linux or bsd and allow for pretty exotic topologies as it is, limited only by the interconnect hardware they have.

    Or is it something tied to virtualization where its meant to describe networks that only exist in hypervisor clusters?

    • by Anonymous Coward

      You know how something like a Cisco 6k L2/L3 switch/router can route and switch, and when it routes the first packet in a flow it can then store the decision out on the blades so that subsequent packets simply get switched, and that routing decision is done using routing logic on a generalized processor in the supervisor module while the switching is done by ASICs? Now imagine that the same thing happens but where the control-plane decision happens using some off-board service that controls all the switche

      • by Anonymous Coward

        As I understood it, just a few months ago, only a few SDNs actually were switching on the ASICS, and they were not the freebies.

        Have things changed, and is it now possible to use the ASICs from most SDN projects ?

        • by Anonymous Coward

          Depends what you want to do. Most current not extremely-high-end switch fabric ASICs can do approximately what an expensive L2/L3 managed switch can do. This gets you there for 99.9% of traffic. Some exotic configuration can probably not be handled by the ASIC, but these few packets then go through the CPU. As long as you are switching streams (eg, wait for trigger packet, update asic config) the performance loss is minimal. If you are doing heavy per packet things then they all have to go through the CPU.

    • How far are we away from this now? Most switches anymore seem like specialist PCs with a zillion NICs that boot some variant of linux or bsd and allow for pretty exotic topologies as it is, limited only by the interconnect hardware they have.

      And that's just the switches. Have a look at a really advanced network device, like the F5 Big-IP load balancer. That loads Linux plus a proprietary real time OS called TMOS, is a full proxy for most common traffic types like TCP, and as a full proxy it can intercept an

  • word came down a few months ago from on high - we need to learn how to do SDN and become experts at it - we have none of it in our environment and no one knows how to support it or what our use for it would be - and we're the network guys but Cisco must be trying to sell us something

    or Somewhere...someone...got their hands on a Network Week magazine - one of our dumbass Level 1 phone dorks musta left it in the john.

  • Software-defined switches .. a solution in search of a problem .. discuss ...
    • I don't get it either. I can understand wanting to dynamically open firewall ports here and there (which is also dangerous, and another subject), but I don't get why you'd need to mess with vlans and such like dynamically. When I worked on massive scale, the architects talked about "data centre holes" where you had space available but couldn't use it because of limitations in the network. I assume SDNs solve that problem, but then so does HAProxy instead of using hardware load balancers.

      Either way, I could

    • There are actually uses. a robust virtualization server can support an SDN to set up a completely internal testing network. This can be far faster, and far cheaper, than bringing in new switches and new cabling and new configuration environments.

      • by swb ( 14022 )

        You can do this now with VMware, create a vSwitch with no NICs attached and connect machines that can only talk to each other. I think distributed vSwitches can carry this further and extend these across nodes, although as a more expensive licensed feature people usually map these internal test networks to an isolated VLAN so they can span nodes.

    • Cloud computing tied to networking leads to the need to reconfigure the network very flexibly and potentially frequently. This is where SDN comes in.

      Suppose you have a big beefy virtualization host. You run a bunch of VMs on it, some of which might themselves be acting as full-fledged routers pushing gigabits/sec of packets. (Yes, this is possible right now.) You want to have strict control over which VMs can talk to which other VMs, you want to control which virtual networks can connect to which physica

Sendmail may be safely run set-user-id to root. -- Eric Allman, "Sendmail Installation Guide"

Working...