Academic literature on the topic 'Software defined network security'

A large amount of today's communication occurs within data centers where a large number of virtual servers (running one or more virtual machines) provide service providers with the infrastructure needed for their applications and services. In this thesis, we will look at the next step in the virtualization revolution, the virtualized network. Software-defined networking (SDN) is a relatively new concept that is moving the field towards a more software-based solution to networking. Today when a packet is forwarded through a network of routers, decisions are made at each router as to which router is the next hop destination for the packet. With SDN these decisions are made by a centralized SDN controller that decides upon the best path and instructs the devices along this path as to what action each should perform. Taking SDN to its extreme minimizes the physical network components and increases the number of virtualized components. The reasons behind this trend are several, although the most prominent are simplified processing and network administration, a greater degree of automation, increased flexibility, and shorter provisioning times. This in turn leads to a reduction in operating expenditures and capital expenditures for data center owners, which both drive the further development of this technology. Virtualization has been gaining ground in the last decade. However, the initial introduction of virtualization began in the 1970s with server virtualization offering the ability to create several virtual server instances on one physical server. Today we already have taken small steps towards a virtualized network by virtualization of network equipment such as switches, routers, and firewalls. Common to virtualization is that it is in early stages all of the technologies have encountered trust issues and general concerns related to whether software-based solutions are as rugged and reliable as hardwarebased solutions. SDN has also encountered these issues, and discussion of these issues continues among both believers and skeptics. Concerns about trust remain a problem for the growing number of cloud-based services where multitenant deployments may lead to loss of personal integrity and other security risks. As a relatively new technology, SDN is still immature and has a number of vulnerabilities. As with most software-based solutions, the potential for security risks increases. This thesis investigates how denial-of-service (DoS) attacks affect an SDN environment and a singlethreaded controller, described by text and via simulations. The results of our investigations concerning trust in a multi-tenancy environment in SDN suggest that standardization and clear service level agreements are necessary to consolidate customers’ confidence. Attracting small groups of customers to participate in user cases in the initial stages of implementation can generate valuable support for a broader implementation of SDN in the underlying infrastructure. With regard to denial-of-service attacks, our conclusion is that hackers can by target the centralized SDN controller, thus negatively affect most of the network infrastructure (because the entire infrastructure directly depends upon a functioning SDN controller). SDN introduces new vulnerabilities, which is natural as SDN is a relatively new technology. Therefore, SDN needs to be thoroughly tested and examined before making a widespread deployment.<br>Dagens kommunikation sker till stor del via serverhallar där till stor grad virtualiserade servermiljöer förser serviceleverantörer med infrastukturen som krävs för att driva dess applikationer och tjänster. I vårt arbete kommer vi titta på nästa steg i denna virtualiseringsrevolution, den om virtualiserade nätverk. mjukvarudefinierat nätverk (eng. Software-defined network, eller SDN) kallas detta förhållandevis nya begrepp som syftar till mjukvarubaserade nätverk. När ett paket idag transporteras genom ett nätverk tas beslut lokalt vid varje router vilken router som är nästa destination för paketet, skillnaden i ett SDN nätverk är att besluten istället tas utifrån ett fågelperspektiv där den bästa vägen beslutas i en centraliserad mjukvaruprocess med överblick över hela nätverket och inte bara tom nästa router, denna process är även kallad SDN kontroll. Drar man uttrycket SDN till sin spets handlar det om att ersätta befintlig nätverksutrustning med virtualiserade dito. Anledningen till stegen mot denna utveckling är flera, de mest framträdande torde vara; förenklade processer samt nätverksadministration, större grad av automation, ökad flexibilitet och kortare provisionstider. Detta i sin tur leder till en sänkning av löpande kostnader samt anläggningskostnader för serverhallsinnehavare, något som driver på utvecklingen. Virtualisering har sedan början på 2000-talet varit på stark frammarsch, det började med servervirtualisering och förmågan att skapa flertalet virtualiserade servrar på en fysisk server. Idag har vi virtualisering av nätverksutrustning, såsom switchar, routrar och brandväggar. Gemensamt för all denna utveckling är att den har i tidigt stadie stött på förtroendefrågor och överlag problem kopplade till huruvida mjukvarubaserade lösningar är likvärdigt robusta och pålitliga som traditionella hårdvarubaserade lösningar. Detta problem är även något som SDN stött på och det diskuteras idag flitigt bland förespråkare och skeptiker. Dessa förtroendefrågor går på tvären mot det ökande antalet molnbaserade tjänster, typiska tjänster där säkerheten och den personliga integriten är vital. Vidare räknar man med att SDN, liksom annan ny teknik medför vissa barnsjukdomar såsom kryphål i säkerheten. Vi kommer i detta arbete att undersöka hur överbelastningsattacker (eng. Denial-of-Service, eller DoS-attacker) påverkar en SDN miljö och en singel-trådig kontroller, i text och genom simulering. Resultatet av våra undersökningar i ämnet SDN i en multitenans miljö är att standardisering och tydliga servicenivåavtal behövs för att befästa förtroendet bland kunder. Att attrahera kunder för att delta i mindre användningsfall (eng. user cases) i ett inledningsskede är också värdefullt i argumenteringen för en bredare implementering av SDN i underliggande infrastruktur. Vad gäller DoS-attacker kom vi fram till att det som hackare går att manipulera en SDN infrastruktur på ett sätt som inte är möjligt med dagens lösningar. Till exempel riktade attacker mot den centraliserade SDN kontrollen, slår man denna kontroll ur funktion påverkas stora delar av infrastrukturen eftersom de är i ett direkt beroende av en fungerande SDN kontroll. I och med att SDN är en ny teknik så öppnas också upp nya möjligheter för angrepp, med det i åtanke är det viktigt att SDN genomgår rigorösa tester innan större implementation.

Doctor of Philosophy<br>Department of Electrical and Computer Engineering<br>Don M. Gruenbacher<br>Caterina M. Scoglio<br>As today's networks are no longer individual networks, networks are less robust towards failures and attacks. For example, computer networks and power networks are interdependent. Computer networks provide smart control for power networks, while power networks provide power supply. Localized network failures and attacks are amplified and exacerbated back and forth between two networks due to their interdependencies. This dissertation focuses on finding solutions to enhance network robustness. Software-defined networking provides a programmable architecture, which can dynamically adapt to any changes and can reduce the complexities of network traffic management. This architecture brings opportunities to enhance network robustness, for example, adapting to network changes, routing traffic bypassing malfunction devices, dropping malicious flows, etc. However, as SDN is rapidly proceeding from vision to reality, the SDN architecture itself might be exposed to some robustness threats. Especially, the SDN control plane is tremendously attractive to attackers, since it is the "brain" of entire networks. Thus, researching on network robustness helps protect network from a destructive disaster. In this dissertation, we first build a novel, realistic interdependent network framework to model cyber-physical networks. We allocate dependency links under a limited budget and evaluate network robustness. We further revise a network flow algorithm and find solutions to obtain a basic robust network structure. Extensive simulations on random networks and real networks show that our deployment method produces topologies that are more robust than the ones obtained by other deployment techniques. Second, we tackle middlebox chain problems using SDN. In computer networks, applications require traffic to sequence through multiple types of middleboxes to accomplish network functionality. Middlebox policies, numerous applications' requirements, and resource allocations complicate network management. Furthermore, middlebox failures can affect network robustness. We formulate a mixed-integer linear programming problem to achieve a network load-balancing objective in the context of middlebox policy chain routing. Our global routing approach manages network resources efficiently by simplifying candidate-path selections, balancing the entire network and using the simulated annealing algorithm. Moreover, in case of middlebox failures, we design a fast rerouting mechanism by exploiting the remaining link and middlebox resources locally. We implement proposed routing approaches on a Mininet testbed and evaluate experiments' scalability, assessing the effectiveness of the approaches. Third, we build an adversary model to describe in detail how to launch distributed denial of service (DDoS) attacks to overwhelm the SDN controller. Then we discuss possible defense mechanisms to protect the controller from DDoS attacks. We implement a successful DDoS attack and our defense mechanism on the Mininet testbed to demonstrate its feasibility in the real world. In summary, we vertically dive into enhancing network robustness by constructing a topological framework, making routing decisions, and protecting the SDN controller.

Suite à l'introduction de divers services Internet, les réseaux informatiques ont été reconnus ‏comme ayant joué un rôle essentiel dans la vie moderne au cours du dernier demi-siècle. Le ‏développement rapide et la convergence des technologies informatiques et de communication ‏créent le besoin de connecter divers périphériques avec différents systèmes d'exploitation ‏et protocoles. Il en résulte de nombreux défis pour fournir une intégration transparente ‏d'une grande quantité de dispositifs physiques ou d'entités hétérogènes. Ainsi, les réseaux ‏définis par logiciel (Software Defined Networks, SDN) en tant que paradigme émergent ont ‏le potentiel de révolutionner la gestion des réseaux en centralisant le contrôle et la visibilité ‏globale sur l'ensemble du réseau. Cependant, les problèmes de sécurité demeurent une préoccupation ‏importante et empêchent l'adoption généralisée du SDN.‏‏ Pour identifier les menaces, nous avons effectué une analyse en 3 dimensions pour évaluer ‏la sécurité de SDN. Dans cette analyse, nous avons repris 9 principes de sécurité pour ‏le contrôleur SDN et vérifié la sécurité des contrôleurs SDN actuels avec ces principes. ‏Nous avons constaté que les contrôleurs SDN, ONOS et OpenContrail sont relativement plus ‏sécurisés que les autres selon notre méthodologie d'analyse. Nous avons également trouvé ‏le besoin urgent d'atténuer le problème d'injection d'applications malveillantes. Par conséquent, ‏nous avons proposé une couche d'amélioration de la sécurité (Security-enhancing layer, couche SE) ‏pour protéger l'interaction entre le plan de contrôle et le plan d’application. ‏‏Cette couche SE est indépendante du contrôleur et peut fonctionner avec OpenDaylight, ONOS, ‏Floodlight, Ryu et POX, avec une faible complexité de déploiement. Aucune modification de ‏leurs codes sources n'est requise dans leur mise en œuvre alors que la sécurité globale du ‏contrôleur SDN est améliorée. Le prototype I, Controller SEPA, protège le contrôleur ‏SDN avec l'authentification de l'application réseau, l'autorisation, l'isolation des ‏applications et le blindage de l'information avec un coût additionnel négligeable de moins ‏de 0,1% à 0,3%. Nous avons développé le prototype II de la couche SE, appelé Controller DAC, ‏qui rend dynamique le contrôle d'accès. Le controller DAC peut détecter l'utilisation ‏abusive de l'API en comptabilisant les opérations de l'application réseau avec un coût ‏additionnel inférieure à 0,5%.‏‏ Grâce à cette couche SE, la sécurité globale du contrôleur SDN est améliorée mais avec un ‏coût additionnel inférieure à 0,5%. De plus, nous avons tenté de fournir un framework de ‏déploiement d'application réseau sécurisé pour le contrôleur SDN avec un orchestrateur. ‏Tout d'abord, nous avons sécurisé le contrôleur SDN en utilisant la file d'attente de ‏messages pour remplacer les interfaces populaires actuelles, y compris les RESTful APIs ‏et les APIs internes, à l'aide d'une interface orientée événement décomposable. Avec cette ‏nouvelle interface northbound, l'orchestrateur peut déployer les applications réseau dans ‏le bac à sable(sanbox) avec contrôle des ressources et contrôle d'accès. Cette approche ‏peut efficacement protéger contre les menaces, qui incluent les attaques d'épuisement des ‏ressources (Resource exhaustion attacks) et le traitement des données sur le contrôleur SDN ‏actuel. Nous avons également implémenté une application réseau déployée par l'orchestrateur ‏pour détecter une attaque spécifique à OpenFlow, appelée attaque par contournement de priorité, ‏pour évaluer l'utilité de l'interface norttbound. À long terme, le temps de traitement d'un ‏message packet_in dans cette interface est inférieur à cinq millisecondes mais l'application ‏réseau peut être complètement découplée et isolée du contrôleur SDN.‏‏<br>The rapid development and convergence of computing technologies and communications ‏create the need to connect diverse devices with different operating systems and protocols.‏ This resulted in numerous challenges to provide seamless integration of a large amount of ‏heterogeneous physical devices or entities. Hence, Software-defined Networks (SDN), as an ‏emerging paradigm, has the potential to revolutionize the legacy network management and‏ accelerate the network innovation by centralizing the control and visibility over the network. ‏However, security issues remain a significant concern and impede SDN from being widely‏ adopted.‏‏To identity the threats that inherent to SDN, we conducted a deep analysis in 3 dimensions‏ to evaluate the security of the proposed architecture. In this analysis, we summarized 9‏security principles for the SDN controller and checked the security of the current well-known‏ SDN controllers with those principles. We found that the SDN controllers, namely ONOS ‏and OpenContrail, are relatively two more secure controllers according to our conducted ‏methodology. We also found the urgent need to integrate the mechanisms such as connection ‏verification, application-based access control, and data-to-control traffic control for securely ‏implementing a SDN controller. In this thesis, we focus on the app-to-control threats, which ‏could be partially mitigated by the application-based access control. As the malicious network ‏application can be injected to the SDN controller through external APIs, i.e., RESTful APIs, or ‏internal APIs, including OSGi bundles, Java APIs, Python APIs etc. In this thesis, we discuss ‏how to protect the SDN controller against the malicious operations caused by the network‏ application injection both through the external APIs and the internal APIs. ‏We proposed a security-enhancing layer (SE-layer) to protect the interaction between the‏ control plane and the application plane in an efficient way with the fine-grained access control, ‏especially hardening the SDN controller against the attacks from the external APIs. This‏ SE-layer is implemented in the RESTful-based northbound interfaces in the SDN controller‏ and hence it is controller-independent for working with most popular controllers, such as‏ OpenDaylight, ONOS, Floodlight, Ryu and POX, with low deployment complexity. No‏ modifications of the source codes are required in their implementations while the overall security ‏of the SDN controller is enhanced. Our developed prototype I, Controller SEPA, protects well‏ the SDN controller with network application authentication, authorization, application isolation,‏ and information shielding with negligible latency from less than 0.1% to 0.3% for protecting‏ SDN controller against the attacks via external APIs, i.e, RESTful APIs. We developed also‏ the SE-layer prototype II, called Controller DAC, which makes dynamic the access control.‏ Controller DAC can detect the API abuse from the external APIs by accounting the network‏ application operation with latency less than 0.5%. Thanks to this SE-layer, the overall security of the SDN controller is improved but with a latency of less than 0.5%. However, the SE-layer can isolate the network application to communicate the controller only through the RESTful APIs. However, the RESTful APIs is ‏insufficient in the use cases which needs the real-time service to deliver the OpenFlow messages. ‏Therefore, we proposed a security-enhancing architecture for securing the network application‏ deployment through the internal APIs in SDN, with a new SDN architecture dubbed SENAD. In‏ SENAD, we split the SDN controller in: (1) a data plane controller (DPC), and (2) an application ‏plane controller (APC) and adopt the message bus system as the northbound interface instead ‏of the RESTful APIs for providing the service to deliver the OpenFlow messages in real-time.‏ (...)

La conception originale d'Internet n'a pas pris en compte les aspects de sécurité du réseau, l’objectif prioritaire était de faciliter le processus de communication. Par conséquent, de nombreux protocoles de l'infrastructure Internet exposent un ensemble de vulnérabilités. Ces dernières peuvent être exploitées par les attaquants afin de mener un ensemble d’attaques. Les attaques par déni de service distribué (DDoS) représentent une grande menace; DDoS est l'une des attaques les plus dévastatrices causant des dommages collatéraux aux opérateurs de réseau ainsi qu'aux fournisseurs de services Internet. Les réseaux programmables (SDN) ont émergé comme un nouveau paradigme promettant de résoudre les limitations de l’architecture réseau actuelle en découplant le plan de contrôle du plan de données. D'une part, cette séparation permet un meilleur contrôle du réseau et apporte de nouvelles capacités pour mitiger les attaques par DDoS. D'autre part, cette séparation introduit de nouveaux défis en matière de sécurité du plan de contrôle. L’enjeu de cette thèse est double. D'une part, étudier et explorer l’apport du SDN à la sécurité afin de concevoir des solutions efficaces qui vont mitiger plusieurs vecteurs d’attaques. D'autre part, protéger le SDN contre ces attaques. À travers ce travail de recherche, nous contribuons à la mitigation des attaques par déni de service distribué sur deux niveaux (intra et inter-domaine), et nous contribuons au renforcement de la sécurité dans le SDN<br>The original design of Internet did not take into consideration security aspects of the network; the priority was to facilitate the process of communication. Therefore, many of the protocols that are part of the Internet infrastructure expose a set of vulnerabilities that can be exploited by attackers to carry out a set of attacks. Distributed Denial-of-Service (DDoS) represents a big threat and one of the most devastating and destructive attacks plaguing network operators and Internet service providers (ISPs) in stealthy way. Software defined networks (SDN) is an emerging technology that promises to solve the limitations of the conventional network architecture by decoupling the control plane from the data plane. On one hand, the separation of the control plane from the data plane allows for more control over the network and brings new capabilities to deal with DDoS attacks. On the other hand, this separation introduces new challenges regarding the security of the control plane. This thesis aims to deal with DDoS attacks while protecting the resources of the control plane. In this thesis, we contribute to the mitigation of both intra-domain and inter-domain DDoS attacks, and we contribute to the reinforcement of security aspects in SDN

Enterprise wide area network (WAN) is a private network that connects the computers and other devices across an organisation's branch locations and the data centers. It forms the backbone of enterprise communication. Currently, multiprotocol label switching (MPLS) is commonly used to provide this service. As a recent alternative to MPLS, software-dened wide area networking (SD-WAN) solutions are being introduced as an IP based cloud-networking service for enterprises. SD-WAN virtualizes the networking service and eases the complexity of conguring and managing the enterprise network by moving these tasks to software and a central controller. The introduction of new technologies causes concerns about their security. Also, this new solution is introduced as a replacement for MPLS, which has been considered secure and has been in use for more than 16 years. Thus, there is a need to analyze the security of SD-WAN, which is the goal of this thesis. In this thesis, we perform a security analysis of a commercial SD-WAN solution, by finding its various attack surfaces, associated vulnerabilities and design weaknesses. We choose Nuage VNS, an SD-WAN product provided by Nuage Networks, as the analysis target. As a result, many attack surfaces and security weaknesses were found and reported, especially in the Customer Premises Equipment (CPE). In particular, we found vulnerabilities in the CPE's secure bootstrapping method and demonstrated some attacks by exploiting them. Finally, we propose mitigation steps to avoid the attacks. The results of this thesis will help both the service provider and the SD-WAN solution vendor to know about the attack surfaces and weaknesses of SD-WAN before o ering it to their customers. We also help in implementing the temporary countermeasures to mitigate the attacks. The results have been presented to the service provider and the vendor of the SD-WAN product.

In enterprise networks, all aspects of the network, such as placement of security devices and performance, must be carefully considered. Even with forethought, networks operators are ultimately unaware of intra-subnet traffic. The inability to monitor intra-subnet traffic leads to blind spots in the network where compromised hosts have unfettered access to the network for spreading and reconnaissance. While network security middleboxes help to address compromises, they are limited in only seeing a subset of all network traffic that traverses routed infrastructure, which is where middleboxes are frequently deployed. Furthermore, traditional middleboxes are inherently limited to network-level information when making security decisions. Software-defined networking (SDN) is a networking paradigm that allows logically centralized control of network switches and routers. SDN can help address visibility concerns while providing the benefits of a centralized network control platform, but traditional switch-based SDN leads to concerns of scalability and is ultimately limited in that only network-level information is available to the controller. This dissertation addresses these SDN limitations in the enterprise by pushing the SDN functionality to the end-hosts. In doing so, we address scalability concerns and provide network operators with better situational awareness by incorporating system-level and graphical user interface (GUI) context into network information handled by the controller. By incorporating host-context, our approach shows a modest 16% reduction in flows that can be processed each second compared to switch-based SDN. In comparison to enterprise networks, residential networks are much more constrained. Residential networks are limited in that the operators typically lack the experience necessary to properly secure the network. As a result, devices on home networks are sometimes compromised and, unbeknownst to the home user, perform nefarious acts such as distributed denial of services (DDoS) attacks on the Internet. Even with operator expertise in residential networks, the network infrastructure is limited to a resource-constrained router that is not extensible. Fortunately, SDN has the potential to increase security and network control in residential networks by outsourcing functionality to the cloud where third-party experts can provide proper support. In residential networks, this dissertation uses SDN along with cloud-based resources to introduce enterprise-grade network security solutions where previously infeasible. As part of our residential efforts, we build and evaluate device-agnostic security solutions that are able to better protect the increasing number of Internet of Things (IoT) devices. Our work also shows that the performance of outsourcing residential network control to the cloud is feasible for up to 90% of home networks in the United States.

Monitoring software actions is one of the most studied approaches to help security researchers understand how software interacts with the system or network. In many cases, monitoring is an important component to help detect attacks that use software vulnerabilities as a vector to compromise endpoints. Attacks are becoming more sophisticated and network use is growing dramatically. Both host-based and network-based monitoring are facing different challenges. A host-based approach has more insight into software's actions but puts itself at the risk of compromise. When deployed on the server endpoint, the lack of separation between different clients only further complicates the monitoring scope. Compared to network-based approaches, host-based monitoring usually loses control of a software's network trace once the network packet leaves the endpoint. On the other hand, network-based monitoring usually has full control of a software's network packets but confronts scalability problems as the network grows. This thesis focuses on the limitations of the current monitoring approaches and technologies and proposes different solutions to mitigate the current problem. For software-defined networking, we design and implement a host-based SDN system that achieves the same forwarding path control and packet rewriting functionality as a switch-based SDN. Our implementation empower the host-based SDN with more control in the network even without using any SDN-enabled middleboxes, allowing SDN adoption in large-scale deployments. We further corroborate flow reports from different host SDN agents to address the endpoint compromise problem. On the server endpoint, we leverage containers as a light-weight environment to separate different clients and build monitoring infrastructures to narrow down the monitoring scope that have the potential to facilitate further forensic analysis.

Les réseaux programmables (SDN) sont un paradigme émergent qui promet de résoudre les limitations de l'architecture du réseau conventionnel. Dans cette thèse, nous étudions et explorons deux aspects de la relation entre la cybersécurité et les réseaux programmables. D'une part, nous étudions la sécurité pour les réseaux programmables en effectuant une analyse de leurs vulnérabilités. Une telle analyse de sécurité est un processus crucial pour identifier les failles de sécurité des réseaux programmables et pour mesurer leurs impacts. D'autre part, nous explorons l'apport des réseaux programmables à la sécurité. La thèse conçoit et implémente un pare-feu programmable qui transforme la machine à états finis des protocoles réseaux, en une machine à états équivalente pour les réseaux programmables. En outre, la thèse évalue le pare-feu implémenté avec NetFilter dans les aspects de performances et de résistance aux attaques d’inondation par paquets de synchronisation. De plus, la thèse utilise l'orchestration apportée par les réseaux programmables pour renforcer la politique de sécurité dans le Cloud. Elle propose un Framework pour exprimer, évaluer, négocier et déployer les politiques de pare-feu dans le contexte des réseaux programmables sous forme de service dans le Cloud<br>Software Defined Networking (SDN) is an emerging paradigm that promises to resolve the limitations of the conventional network architecture.SDN and cyber security have a reciprocal relationship. In this thesis, we study and explore two aspects of this relationship. On the one hand, we study security for SDN by performing a vulnerability analysis of SDN. Such security analysis is a crucial process in identifying SDN security flaws and in measuring their impacts. It is necessary for improving SDN security and for understanding its weaknesses.On the other hand, we explore SDN for security. Such an aspect of the relationship between SDN and security focusses on the advantages that SDN brings into security.The thesis designs and implements an SDN stateful firewall that transforms the Finite State Machine of network protocols to an SDN Equivalent State Machine. Besides, the thesis evaluates SDN stateful firewall and NetFilter regarding their performance and their resistance to Syn Flooding attacks.Furthermore, the thesis uses SDN orchestration for policy enforcement. It proposes a firewall policy framework to express, assess, negotiate and deploy firewall policies in the context of SDN as a Service in the cloud

Questa tesi ha l’obiettivo di comprendere e valutare se l’approccio al paradigma SDN, che verrà spiegato nel capitolo 1, può essere utilizzato efficacemente per implementare dei sistemi atti alla protezione e alla sicurezza di una rete più o meno estesa. Oltre ad introdurre il paradigma SDN con i relativi componenti basilari, si introduce il protocollo fondamentale OpenFlow, per la gestione dei vari componenti. Per ottenere l’obiettivo prestabilito, si sono seguiti alcuni passaggi preliminari. Primo tra tutti si è studiato cos’è l’SDN. Esso introduce una potenziale innovazione nell’utilizzo della rete. La combinazione tra la visione globale di tutta la rete e la programmabilità di essa, rende la gestione del traffico di rete un processo abbastanza complicato in termini di livello applicativo, ma con un risultato alquanto performante in termini di flessibilità. Le alterazioni all’architettura di rete introdotte da SDN devono essere valutate per garantire che la sicurezza di rete sia mantenuta. Le Software Defined Network (come vedremo nei primi capitoli) sono in grado di interagire attraverso tutti i livelli del modello ISO/OSI e questa loro caratteristica può creare problemi. Nelle reti odierne, quando si agisce in un ambiente “confinato”, è facile sia prevedere cosa potrebbe accadere, che riuscire a tracciare gli eventi meno facilmente rilevabili. Invece, quando si gestiscono più livelli, la situazione diventa molto più complessa perché si hanno più fattori da gestire, la variabilità dei casi possibili aumenta fortemente e diventa più complicato anche distinguere i casi leciti da quelli illeciti. Sulla base di queste complicazioni, ci si è chiesto se SDN abbia delle problematiche di sicurezza e come potrebbe essere usato per la sicurezza. Per rispondere a questo interrogativo si è fatta una revisione della letteratura a riguardo, indicando, nel capitolo 3, alcune delle soluzioni che sono state studiate. Successivamente si sono chiariti gli strumenti che vengono utilizzati per la creazione e la gestione di queste reti (capitolo 4) ed infine (capitolo 5) si è provato ad implementare un caso di studio per capire quali sono i problemi da affrontare a livello pratico. Successivamente verranno descritti tutti i passaggi individuati in maniera dettagliata ed alla fine si terranno alcune conclusioni sulla base dell’esperienza svolta.