Slashdot Mirror


SDN Switches Not Hard To Compromise, Researcher Says

alphadogg writes: Software-defined switches hold a lot of promise for network operators, but new research due to be presented at Black Hat will show that security measures haven't quite caught up yet. Gregory Pickett, founder of the Chicago-based security firm Hellfire Security, has developed several attacks against network switches that use Onie, the Linux-based Open Network Install Environment that competes with OpenDaylight. Anyone able to exploit the vulnerability to put malware on SDN switches would have full visibility into all of the traffic running through the switch, enabling large-scale spying.

11 of 105 comments

  1. Re:Not Surprising by Mikkeles · · Score: 4, Insightful

    So long as "features" count for more than security, this will continue.

    --
    Great minds think alike; fools seldom differ.
  2. SDN is not a smart idea at this time... by gweihir · · Score: 3, Insightful

    If and when the human race learns to code software that is very hard or impossible to compromise, SDN may have a place, but before that, it is an exceptionally bad idea. It is also not a new bad idea, but an old one that has been renamed. For example, "Active Networking" did try this thing before.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:SDN is not a smart idea at this time... by gweihir · · Score: 2

      Who let the insane one in here again?

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:SDN is not a smart idea at this time... by Luthe_Faydwire · · Score: 2

      You do understand that all networks are running software today, right? More importantly, big networks are incredibly hard to upgrade in a timely fashion, primarily due to the problem that in most cases you have to take part of the network offline. Even in fully redundant networks the politics slow the whole upgrade process down. I look forward to the time when we can run a cluster of controllers and upgrade them in service.

  3. Onie != OpenDayLight by Anonymous Coward · · Score: 2, Interesting

    As far as I'm concerned, OpenDayLight is not a bare-metal OS installed on the network assets running the Data Plane... ODL is an SDN controller running on the Management Plane. "SDN Ready" switches in general are just regular switches compatible with OpenFlow... the article doesn't make much sense. Let's see...

  4. This is what happens when you move the control... by Zondar · · Score: 4, Insightful

    ... plane outside the confines of the device and make it communicate over a common (not hardened and not separate) channel/network.

  5. I recall thinking "Oh, no" when I saw the first HP presentation on the subject...

    Yep.

    If you can software define the entire switch (or other network device), you can software design an invisible-to-the-rest-of-it tap component for it. B-b

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re:Yep by Anonymous Coward · · Score: 2, Insightful

      You can do this as well for current 'hardware defined' network components. All switch fabric ICs that I know of can transfer packet data to the host CPU; this is normally used to implement the high-end L3 features (and of course to allow access to the management CLI/GUI). If you can update the host CPU firmware with a tap component, it will be as invisible as this SDN hack. I even know of one ASIC where you could in theory make it capture all data, put an ETH/IP/UDP header before it and then send it out. The host CPU would not need to be involved except for setting the initial configuration.

      There is quite some information on the internet about the internals of Cisco and other firmware. Adding 'execute magic packet payload' functionality to most devices would not require much skill.

      The trick is preventing access, rather than using an obscure invisible firmware.

      BTW: Did you know that some Realtek switch chips allow you to update their register values via Ethernet? Normally this is used (on 1 port) so you can connect multiple switches to a single managed switch controller. Many unmanaged switches have it enabled by default on all ports.
      https://en.wikipedia.org/wiki/Realtek_Remote_Control_Protocol

  6. The trick is only permitting access... by Karmashock · · Score: 2

    ... to the control interface from a specific port. And then you plug that port into one of your servers that is deep in your security bubble by default... and then you VNC or RDP into that when you want to access the SDN.

    It's when you allow access through any port that things become stupid.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    1. Re:The trick is only permitting access... by Karmashock · · Score: 2

      No... The only people that can touch the server are people that are hand picked and trusted. Can they do bad things? Sure. You have to trust someone. But a senior admin betraying you is not the same thing as a shithead hacker walking into your operation and writing "I WAS HERE" with his urine.

      The trick is to backstop exposed systems to the security of secured systems, wherein the security is not actually breached unless the secure systems are breached. And then you make breaching those a matter of certain people needing to be compromised or certain physical machines being physically touched by people or hardware of ill intent. Then you control those people and that hardware. And then breaching THAT security is uncommon. Examples of it failing would be Snowden or the Iran Stuxnet situation. Snowden was given access, downloaded files, and walked off with them. I can think of ways to make that harder. And the Stuxnet thing happened because people were taking thumb drives from unsecured systems to secured systems and not running them through a protocol shift that would filter out rootkits or other nonsense designed to compromise Windows or Linux systems.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  7. What exactly is an SDN, anyway? by swb · · Score: 2

    It kind of seems cloud-ish in its specifics.

    Is it a generic switching backplane that allows arbitrary software loads and more elaborate centralized configuration, perhaps enabling more exotic topologies?

    How far are we away from this now? Most switches these days seem like specialist PCs with a zillion NICs that boot some variant of Linux or BSD and allow for pretty exotic topologies as it is, limited only by the interconnect hardware they have.

    Or is it something tied to virtualization, where it's meant to describe networks that only exist in hypervisor clusters?