Trust Anchors in Software Defined Networks
Nicolae Paladi, Linus Karlsson, Khalid Elbashir

TL;DR
This paper proposes a security framework for software-defined networks that isolates core security assets in secure environments, ensuring protection against attacks with minimal runtime performance impact.
Contribution
It introduces a novel approach to protect security credentials in SDN by leveraging isolated execution environments, enhancing security without significant performance degradation.
Findings
Negligible impact on runtime performance.
Moderate deployment performance impact.
Effective protection of security assets.
Abstract
Advances in software virtualization and network processing lead to increasing network softwarization. Software network elements running on commodity platforms replace or complement hardware components in cloud and mobile network infrastructure. However, such commodity platforms have a large attack surface and often lack granular control and tight integration of the underlying hardware and software stack. Often, software network elements are either themselves vulnerable to software attacks or can be compromised through the bloated trusted computing base. To address this, we protect the core security assets of network elements - authentication credentials and cryptographic context - by provisioning them to and maintaining them exclusively in isolated execution environments. We complement this with a secure and scalable mechanism to enroll network elements into software defined networks.…
