”Common Criteria” and Software Defined Network Security

«Common criteria» (ISO 15408) is a universally recognized and broadly applicable approach to information security solutions management and evaluation. «Common criteria» leans on developing a shared conceptual basis for key security solution modules including protection profiles and security targets. Conceptual basis development implies defining the following elements: security objectives and assumptions (for the environment and the object), threats and security policies, as well as functional and assurance requirements. The specifics of SDN (software defined network) security solutions is largely driven by fundamental architectural principles of SDN technology itself − primarily by the separation of control and data flows, − and by conditions imposed by Open Flow protocol application. However, proactive (threats and policies), passive (objectives and assumptions) and reactive (requirements) aspects of security management remain highly relevant for this type of security solutions. This paper discusses the Common Criteria application specifics for assessing the SDN security and practical MTUCI (Moscow Technical University of Communications and Informatics) experience in the development of the protection profile. A new class of network attacks on SDN switches and controllers can involve either data or control components. In addition to traditional vulnerabilities, centralization of management functions paves way for new security threats by isolating controller activity and administrative message exchange. Therefore, identifying and analyzing threats, policies and requirements specific to SDN control module security becomes an emerging priority.

1. ISO/IEC 15408-1:2005 Information technology - Security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model, https://www.iso.org/standard/40612.html.

2. Anwer B., et al., "A Slick Control Plane for Network Middleboxes", Open Networking Summit, 2013, http://nextstep-esolutions.com/Clients/ONS2.0/pdf/2013/researchtrack/posterpapers/final/ons2013-final51.pdf.

3. Fayazbakhsh S., et al., "FlowTags: Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions", HotSDN'13, ACM, 2013, http://www.cs.columbia.edu/~lierranli/coms6998-8SDNFall2013/papers/Flowtags-HotSDN2013.pdf.

4. Qazi Z.A., et al., "SIMPLE-fying Middlebox Policy Enforcement Using SDN", SIGCOMM, ACM, 2013.

5. ONF Threat Analysis for the SDN Architecture. Version 1.0, TR-530, July 2016, https://www.opennetworking.org/wp-content/Threat_Analysis_for_the_SDN_Architecture.pdf.

6. Pilyugin P., Smeliansky R., "Modern security issues in SDN", 2-nd International Conference on Information Technologies, Systems and Networks. ITSN-2017 (Chisinau, Republic of Moldova, 17 - 18 October 2017).

7. ONF Security Foundation Requirements for SDN Controllers. Version 1.0, TR-529, July 2016, https://www.opennetworking.org/wp-content/Security_Foundation_Requirements_for_SDN_Controllers.pdf.