Application-Aware Multimedia Security TechniquesView this Special Issue
Software-Defined Networking: An Evolving Network Architecture—Programmability and Security Perspective
Software-defined networking is an evolving network architecture beheading the traditional network architecture focusing its disadvantages in a limited perspective. A couple of decades before, programming and networking were viewed as different domains which today with the lights of SDN bridging themselves together. This is to overcome the existing challenges faced by the networking domain and an attempt to propose cost-efficient effective and feasible solutions. Changes to the existing network architecture are inevitable considering the volume of connected devices and the data being held together. SDN introduces a decoupled architecture and brings customization within the network making it easy to configure, manage, and troubleshoot. This paper focuses on the evolving network architecture, the software-defined networking. Unlike a generic view on the evolving network, which makes work as a review, this work addresses various perspectives of the architecture leaving it an intermediate work in between the review of the literature and implementation, contributing towards factors like the design, programmability, security, security behaviors, and security lapses. This paper also analyses various weak points of the architecture and evolves the attack vectors in each plane leaving a conclusion to further progress towards identifying the impacts of the attacks and proposing mitigation strategies.
With the increased requirements, the connected devices over a period of time suffocates in executing its operations as intended. Being many reasons stated for this condition, listing a few proven causes as such the volume of data, the exponential increase in connected devices, and the need for high-speed processing of data. In addition to all these operational factors, security is being one of the highlighted reasons throughout this scenario as it voids any mitigation proposals in the recent past .
This paper addresses the existing architecture of the connected devices and the recent developments held over the past decade to mitigate the suffocation. Focusing on the recent developments, there are various exciting proposals, in which this paper addresses one of the proposals which is software-defined networking (SDN). In the domain of networks, the SDN approach is considered as another trending endeavor to address the existing challenges faced in the traditional connected devices .
As it is one of the evolving architectures, various flaws were identified in the due course and were made open to the research forums to come up with mitigation methods. These flaws again focus on various operations within the network models. To be more precise in achieving both quantitative and qualitative progress in the work, this work funnels down after its discussion on traditional network architecture and SDN architecture into the security aspects. As there is already adequate proven research on the security aspects of traditional network architecture, this paper limits itself to focusing on the security aspects of SDN architecture. Further funneling down, within the security aspects of SDN architecture, this work concentrates on identifying and addressing the security problems on the grounds of the application layer in the architecture .
Thus, this work concludes by bringing in a spotlight on one of the key security issues in the trending SDN architecture over the past decade leaving scope for further research on mitigating the issue. This key security issue is unique to the SDN architecture as it is a possibility because of the architecture’s decoupled approach in dealing with the systems and its feasibility to support programmability features. The flow of this paper is structured as stated in Figure 1. It starts from introducing the evolving network architecture and its efficiency towards network programmability followed by its various security issues and factors within the SDN architecture and diving towards the vital part of this work and analyzing the security issues, its types, and impact. This paper in its final part concludes by leaving progressive pathway for other researchers to move forward and propose various solutions to mitigate the addressed security issue effectively.
2. Evolving Architecture: In the Perspective of Design and Programmability
There are two deviant points that have to be made clearer while discussing and understanding the evolving network architecture. This section will walk through and help to gain crystal clear insights on the two aspects of evolving network architectural design. While thinking out of the box from the existing traditional network architectural (Banjar et al. ) design, the main focus could be to overcome the problems which are currently experienced such as exponential growth of the connected devices, the volume of data it generates, and the capacity of the devices to manage the overwhelming data which successively could be categorized within quality of service, load balancing, resource management, and Ssecurity. There are various international standards, proprietary protocols, and algorithms implemented in the existing network architecture to overcome the above-stated issues . They, at one point, execute or function as anticipated overcoming the problems. However, in another dimension or perspective, they further make the network architecture more complex.
The networking domain, a couple of decades ago, was in a similar situation but for a different problem. The depletion of IPv4 addresses leads to the design of IPv6 protocol. Even though the problem was well mitigated by proposing the most secured and scalable IPv6 addressing scheme, it stills raises challenges in completely adopting IPv6 and aborting IPv4 . It took over the next decade after the solution being proposed on a problem to effectively implement in the real-time operations not completely but at least to a wide level. This experience is kept in consideration while new scopes were defined to the current problems or issues being faced in the network architecture.
To overcome the complexity of the existing network architecture, a new approach is proposed, which is the network programmability. This is a feature that allows or supports programmability within a network helping to overcome resource management issues, security, and so on by programming and virtualizing  the network. So far before this concept, programmability and virtualization are supported within the network architecture at a limited scale. If they are already available, the difference is it was already available but not customizable. This statement helps to clarify a common myth that programming and virtualization are new concepts. Network programmability comes with a combination of various entities like the architectures, the protocols, support towards multiple programming languages and scripts, web coding tools, and the application programming interfaces. These entities help in a different order at different levels within the network to establish communication within the network devices in a comparatively simple way to the existing traditional network architecture .
The protocols like OpenFlow are used in network programming where it places itself as an intermediate between the programs and the forwarding devices to establish communication. Similar to the protocols, network programming also supports multiple programming languages and scripts like C, C++, Java, and Python. Along with these supportable resources, the network programming is also enriched with the web interface called REST application programming interface and with a collection of library resources, the JAVA API (ARC). These entities add a strong core to network programming leveraging it to subdue the existing legacy traditional network architecture.
On addressing the capacity of overpowered network programming ability which exhibits a completely different face of a network domain, the other deviant is also equally placed amongst the interest of an infinite research community, which is software-defined networking. The history of software-defined networking leaves traces and tracks of various attempts which were made in over 30 years since now in overcoming the issues and complexity of traditional network architecture design. Various projects like GeoPlex  an initiative of ATandT and Supranet Transaction Server  from Ericson in the early 2000’s are evidences of the traces and tracks.
Software-defined networking could be reckoned as a further enhancement of the network programming, which is intended to facilitate the network with software programs more efficiently. The statement “efficiently” is deliberately stated here because of the approach of software-defined networking’s decoupled architecture. Software-defined networking architecture decouples the root of traditional network architecture , the control, and the data plane.
Even though various attempts were made in the past, the term software-defined networking was coined in the late 2000s and supported by open network foundation  since 2011. ONF is an international consortium led by a group of over 200 companies as members to formulate standards and make the new approach more viable. Similar to ONF is the Open Day Light which also focuses on ensuring various common industry standards . Talking about the standards, OpenFlow is a standard proposed by ONF which helps in establishing communication between the data and the control plane. Open Stack is another software platform that focuses on cloud computing to facilitate infrastructure services as and when required [14, 15].
Figure 2 clearly states the decoupled architecture. The forwarding devices are separated from the controlling devices in the architecture facilitating an eagle-eye view and control over the network. The software-defined networking architecture works with the physical devices disassociated from the controller . The physical devices, like switches in the network, are only forwarding devices that would predominantly reduce the complexity of resource utilization and controllability of the network.
The controller, as its name states, would control the network by sending instructions to all the forwarding devices based on the updated topology view and the commands executed by the applications which are customized as per the network sitting over the controller. The main purpose of the controller would be to initially configure the network, manage the network, and monitor and troubleshoot the network if required . The API’s help in communicating between the controller and the data plane, in this case, is OpenFlow and marked as Southbound API.
These intended operations of the controller like configuring, managing, and monitoring would be automated using customized programming features by the applications sitting above the controller in the application plane. The communication between the application and the controller is marked as northbound API. However, compared with the standards established within the Southbound API’s, the Northbound APIs still lag behind and are more vendor-specific APIs.
By stating the architecture of software-defined networking and the capabilities of network programming marking with the existing traditional networking architecture, this paper has clarified the two deviant points categorizing the evolving network architecture. In the upcoming sections, the security aspects are discussed with adequate merits .
3. Evolving Architecture: In the Perspective of Security, Behavior, and Lapses
Being in the position of evolving network architecture, the SDN architecture brings in various advantages compared with the traditional networking architecture. As discussed in the previous section, the decoupled design itself is an added advantage in the aspect of security . Because of its decoupled design, the controller places itself in a dominant position having an eagles-eye view over the network and able to control the flow of data. Controlling the data flow includes various factors of operating a network including inspecting the packets entering the network and balancing the load within the forwarding devices.
This centralized control point of SDN architecture allows to effectively respond to security flaws within the network comparing to the traditional network architecture. Focusing on security becomes a very important point irrespective of the size of the network, the volume of data being handled within the network, and so on. In a generic perspective, a network’s capabilities would be measured based on its resilience, redundancy, availability, scalability, resource utilization, and so on. However, all these metrics will be void if the network is vulnerable to attacks . This brings the importance to analyze the behavior and lapses with respect to security measures within the SDN architecture.
This evolving architecture has centralized control, which could be an advantage in responding to any vulnerabilities. In the same way, the network as a whole is controlled in a central architecture, and an attack on the centralized controllers would in no time bring out the network. In this case, the advantage of SDN architecture on all aspects compared with the traditional networking architecture itself becomes a weak point in the perspective of security . To understand the infrastructure more precisely in the aspect of security, the behavior of the architecture in the view of handling data within the networks needs in-depth view .
In SDN architecture, the packet when ingresses towards the interface matches with the forwarding device’s flow table. When a successful match is found in the flow table, based on the information related to the path of the destination, the packets will flow through the network. When there is no match in the flow table with the ingress packets, they will be tagged with a “packet-in” message and will be forwarded to the control plane. The controller, based on its information received through the customized applications and the protocols, will forward the packets to the network by updating the forwarding devices' flow tables in the data plane. This behavior of SDN architecture is the advantage that overcomes the traditional network architecture by its efficient data flow within the forwarding planes.
This brings in the valid point deliberately showing multiple points within the SDN architecture where the decision of data movement depends on . These are classified as different scenarios so that the lapse of the architecture in the aspect of security or, in other words, the weak points and vulnerabilities could be identified. To further address the security vulnerabilities within the architecture and to pave the way for future scope of this work entropy-based algorithms , machine-learning approaches and genetic algorithms  could be considered within the architecture.
SDN security scenario classified in Table 1 helps to understand the lapses within the SDN architectures all hierarchical levels in a briefer overview. In the study by Casado et al. , looking in-depth within each plane could pave a path to discuss and analyze various weak points which could be distinguished as subweak points within the different planes. Not only the weak points but also the attacks could be analyzed and determined if the lapses are identified. As this paper purposes to address the SDN architecture’s security aspects and paves a pathway to address the security issues, this part skips the in-depth analysis of the weak points within each plane [27, 28].
Based on the above analysis relating to the architecture of the evolving SDN architecture, its design, programmability, behavior, and lapses, it is clearly visible that each hierarchical planes are vulnerable and are exposed to attacks which in-turn potentially reduces the overall efficiency of the architecture . In the next section, the above-briefed scenario is taken, and the possibilities of attacks and its types are discussed concluding the work opening to future research contributions in mitigating the attacks and enhancing the evolving network architecture.
4. Evolving Architecture: Possibilities of Attacks, Types, Outcomes, and Analysis
The views from various existing literatures depict the current situation of the evolving network architecture. After considering the facts from the various research literatures, continuous assessments are done thoroughly in this work reckoning the architecture of software-defined networking architecture, and weak points were identified in all the hierarchical levels of the architecture. Continuously addressing the weak points does not constitute that SDN architecture is inefficient. . The weak points and other discussions are majorly focused on the security aspects of the network and not the potential network operations and functions. Comparing to the traditional network architecture, the evolving SDN architecture overcomes the existing problems more efficiently. The need here is to enhance the security flaws to make the network more productive and secured .
In the earlier section, the identified weak points are further analyzed to look out for the possibilities of attacks, their type, and the impact that they could cause on the efficient functioning of the network. As stated during the beginning of this work, this part of the work remains the vital part discussing precisely the attacks, their types, and the impact they could cause to the entire network paving a path to further analyze each and every type of attack stated and work further to propose mitigation strategies to each type of attacks [32, 33].
In today’s scenario, where attacks are peeking in a sky rate, the pandemic situations around the globe  also provide more flexible endurance for the attackers to succeed. A couple of years ago, today’s situations like working from home and accessing cloud storage were not considered as an aspect within the infrastructure. . This obviously forces the organizations to increase their budgets in infrastructures and its security. This proportionally increases the chances of the existing network architectures to move towards evolving network architecture irrespective of its size, being an enterprise, data centers, SoHo networks, and so on.
Keeping this current situation in mind, this work progresses in categorizing various types of attacks focused on this evolving network architecture. The categorization is done based on the reviews of the existing literature that addressing the types of attacks . Based on the reviews, all the possible attacks in the evolving architecture are matched with the above-stated identified weak points in the architecture, and the following types or branches are arranged. They are arranged into six categories such as (1) Access Problems, (2) Data Outflow, (3) Denial of Service Attacks and Distributed Denial of Service attacks, (4) Data Alterations, (5) Misconfigurations, and (6) Malicious Applications which are the overall categories .
These above categorized attacks are specific and could potentially make software-defined networking architecture vulnerable; however, the vulnerabilities are not limited to the above-stated attacks alone. Further adding values and contributing towards the work, few more possible attacks are listed here including compromising admin credentials, network manipulation, and man-in-the-middle attacks which might lead to activities like capturing the packets and analyzing the packets for enhanced attacks, session-related attacks, compromised applications, and the APIs. An optimized design  is vital to mitigate these categorized and noncategorized attacks.
If and in case the evolving network architecture fails to take appropriate security mitigation methods focusing on the above-stated attacks , the networks are very viable and easy to get exposed to these attack vectors. Based on the categorized and discussed attack types, to further analyze the outcome of these attacks, they are further placed over the architectures’ weak points identified in the earlier section.
The SDN attack analysis described in Table 2 gives a detailed view on the overall analysis of the types of attacks, their impact, and the outcome within the SDN architecture. With a clear view of the weak points placed at different positions within an SDN architecture, it would now be a comparatively convenient approach to further classify and move out to proceed with various methods of mitigation. Various algorithms  at different levels for different purposes could be considered in enhancing the security within the architecture. Considering the intensity of these diversified attack methods and their scopes, more automated and advanced technologies like artificial neural network  approach could also be considered in effectively mitigating the weak points. This paper with above classifications made would help diverse technology researchers to showcase their skillset  in mitigation approach.
This work concludes after the analysis of various types of attacks, classifying them based on the architectural levels of SDN gives a broader view to understand and move forward in mitigating the attacks, thus making a unique representation. This work also underlines the attacks and their impact on the evolving network architecture that the SDN architecture is exposed to various attacks and those attacks are similar to the legacy networking architecture. This again places the research at the starting point of the problem where the evolving SDN architecture is also vulnerable to the attack vectors to which the traditional network architecture is exposed too. As a fact of analysis and thorough literature studies, it is an unfortunate yes until the first point making the statement “exposed to similar threats” true. However, that does not mean that the whole research towards the evolving network architecture is forced to come back to a point where it started because, even though both these architectures are exposed to similar kinds of attack vectors, and the evolving architecture, SDN always has an upper hand advantage in mitigating these attacks. The decoupled architecture of SDN is its advantage adding along with the programmability and interoperability features. The disadvantage of this evolving network architecture will exist if it fails to take appropriate security mitigation methods focusing on the above-stated and discussed attacks. To conclude the work, furthermore research works should focus on identifying the operation of attacks in each attack vector focusing on the various planes and proposing an effective mitigation solution.
No data were used to support this study.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Omar Cheikhrouhou thanks Taif University for their support under the Taif University Researchers Supporting Project (TURSP-2020/55), Taif University, Taif, Saudi Arabia.
A. Banjar, P. Pupatwibul, and R. Braun, “Comparison of TCP/IP routing versus openflow table and implementation of intelligent computational model to provide autonomous behavior,” Computational Intelligence and Efficiency in Engineering Systems, Part II, vol. 595, Springer International Publishing, NY, USA, 2015.View at: Publisher Site | Google Scholar
P. Dutta, “Internet object caching,” in Proceedings of the 7th IEEE Intelligent Network Workshop, Bordeaux, France, May 1998.View at: Google Scholar
“Network Security,” Network Security: http://www.networxsecurity.org/members-area/glossary/s/sdn.html.View at: Google Scholar
A. Doria, J. H. Salim, R. Hass et al., Forwarding and Control Element Separation (ForCES) Protocol Specification, Internet Engineering Task Force, Fremont, CA, USA, 2010, http://www.ietf.org/r/fc/rfc5810.txt.
Open Networking Foundation, Open Networking Foundation, Open Networking Foundation, Menlo Park, CA, USA, 2011, https://www.opennetworking.org/about/onf-overview.
S. Shin, V. Yegneswaran, P. Porras, and G. Gu, “AVANT-GUARD: scalable and vigilant switch flow management in software-defined networks,” in CCS ‘13: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, pp. 413–424, Berlin, Germany, November 2013.View at: Publisher Site | Google Scholar
S. Shin and G. Gu, “CloudWatcher: network security monitoring using OpenFlow in dynamic cloud networks (or: how to provide security monitoring as a service in clouds?),” in Proceedings of the 2012 20th IEEE International Conference on Network Protocols (ICNP), Austin, TX, USA, October 2012.View at: Publisher Site | Google Scholar
M. Casado, T. Garfinkel, A. Akella et al., “SANE: a protection architecture for enterprise networks,” in Proceedings of the 15th USENIX Security Symposium, vol. 15, Vancouver, B. C., Canada, July 2006.View at: Google Scholar
B. Nordquist, An-Introduction-to-Software-Defined-Networking, Storagecraft, Draper, UT, USA, 2019, https://blog.storagecraft.com/an-introduction-to-software-defined-networking/.
P. Göransson and C. Black, Software Defined Network, A comprehensive approach, Morgan Kaufmann Publishers, Burlington, MA, USA, 1 edition, 2014.
Open Networking Foundation, Principles and Practices for Securing Software-Defined Networks Version No. 1.0 ONF Document Type: TR (Technical Recommendation), Open Networking Foundation, Menlo Park, CA, USA, 2015, https://opennetworking.org/.
M. Boujelben, O. Cheikhrouhou, M. Abid, and H. Youssef, “Establishing pairwise keys in heterogeneous two-tiered wireless sensor networks,” in Proceedings of the 2009 Third International Conference on Sensor Technologies and Applications, pp. 442–448, Athens, Greece, June 2009.View at: Publisher Site | Google Scholar
A. Shaghaghi, M. A. Kaafar, R. Buyya, and S. Jha, “Software-defined network (SDN) data plane security: issues, solutions, and future directions,” in Handbook of Computer Networks and Cyber Security, B. Gupta, G. Perez, D. Agrawal, and D. Gupta, Eds., Springer, Cham, Switzerland, 2020.View at: Publisher Site | Google Scholar
B. R. Murlidhar, R. K. Sinha, E. T. Mohamad, R. Sonkar, and M. Khorami, “The effects of particle swarm optimisation and genetic algorithm on ANN results in predicting pile bearing capacity,” International Journal of Hydromechatronics, vol. 3, no. 1, p. 69, 2020.View at: Publisher Site | Google Scholar
O. B. Fredj, O. Cheikhrouhou, M. Krichen, H. Hamam, and A. Derhab, “An OWASP top ten driven survey on web application protection methods,” in Risks and Security of Internet and Systems, J. Garcia-Alfaro, J. Leneutre, N. Cuppens, and R. Yaich, Eds., pp. 235–252, Springer International Publishing, Cham, Switzerland, 2021.View at: Publisher Site | Google Scholar
I. Jemal, O. Cheikhrouhou, H. Hamam, and A. Mahfoudhi, “Sql injection attack detection and prevention techniques using machine learning,” International Journal of Applied Engineering Research, vol. 15, pp. 569–580, 2020.View at: Google Scholar
Hiscox, Hiscox Cyber Readiness Report, Hiscox, NY, USA, 2020.
M. Safa, M. Ahmadi, J. Mehrmashadi et al., “Selection of the most influential parameters on vectorial crystal growth of highly oriented vertically aligned carbon nanotubes by adaptive,” International Journal of Hydromechatronics (IJHM), vol. 3, no. 3, pp. 238–251, 2020.View at: Publisher Site | Google Scholar