Master Thesis Dynamic Defense In-Depth Model to Enhance SDN Security

Abstract

The traditional long-established networks and networking techniques are no longer suitable for future ever-expanding networking requirements, specifically, the automation and programmability of network communications. Software-Defined Networking (SDN) is the most agreeable solution for that. SDN intelligence is a logically centralized controller that applies a standard open Application Programming Interface (API) to directly control the packet handling functions of network devices. OpenFlow is currently the main and widely known communication protocol in SDN architecture. As a result of such centralization, the SDN architecture subjected the controller as a single point with more attack surfaces for each layer. This entails the search for more security and protection procedures for the SDN architecture without sacrificing its swift response to changing business requirements. This thesis aims to enhance the protection of the division's concept in SDN architecture, which reduces the creation of more attack surfaces that can be targeted by malicious activities. Thus, the research focuses on the design of a dependable SDN controller model via Defense In-Depth (DID) techniques, including the requirements for a secure, resilient, and robust controller. The Dynamic Defense In-Depth (DDiD) model deployment is proposed for the SDN control layer to enhance overall OpenFlow protocol security. Detailed measurable threats and protection mechanisms, according to the DDiD model, were investigated and implemented using a simulation environment (mininet). Also, the thesis presents a proof of concept evaluation mechanism using entropy for Denial of Service DoS attacks to confirm the applicability of secure structure requirements to the SDN controller layer. The DDiD resulted in a higher standard deviation value between normal traffic and attack traffic than the current SDN architecture, with a diverging value of ±0.02 and utmost ~59.51% difference in a better level of protection .The obtained results confirm the promising potential of achieving the required security goals.